Channel: SRX Services Gateway topics

VDSL2-A MPIM Configuration


SRX340 control link wont establish over layer 2 network


We currently have other branch devices clustered over layer 2 network.

Now, with a newer cluster based on SRX340 and the recommended JunOS, the cluster worked fine with a direct cable, but once connected to the layer 2 network it won't work.

We have EX-switches between them.

I can see the arp/mac-addresses for the control link.

I can see traffic statistics showing that there is incoming and outgoing traffic on the interface. But the control link won't come up logically, and it says it doesn't see the other cluster member.

Any ideas?

The layer 2 network is configured with jumbo frames and as access ports (same setup as the other branch devices with older JunOS).

 

//Rob

DPD is Preemptive?


HI All,

I have a question about DPD. As I know, DPD is used to monitor the reachability of VPN peers, right? OK, I have one VPN tunnel established with Peer A, and the client will include a new internet connection on the same VPN gateway. They asked us to include a secondary peer in the VPN configuration. Now I would like to know: if Peer A goes down, Peer B will be considered and the VPN should be established with Peer B, normally. OK, this is expected. But what about when Peer A comes back up? Will the VPN automatically be established with Peer A again? Is DPD preemptive?

Sorry for my English. :)

 

Thanks,

João Victor

Is Junos policy bi-directional?


I have an SRX with a policy "from-zone TRUST to-zone UNTRUST" which allows any source-address, destination-address and application.

 

Now I have initiated a ping from TRUST zone to UNTRUST zone.

 

My doubt is why ping is successfully happening?

 

My expectation is that, as there is no policy that allows traffic from UNTRUST to TRUST, the ICMP reply message from the UNTRUST zone should be dropped by the SRX.

 

Correct me if my understanding is wrong.
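As an added illustration, not code from the original post or from Juniper, the Python model below shows the stateful flow behaviour behind the question: the echo request from TRUST is checked against policy and creates a session, and the reply from UNTRUST is permitted because it matches that session's reverse wing, not because of any UNTRUST-to-TRUST policy. Zone names, addresses and the prefix-based route lookup are constructed for the illustration.

```python
"""Simplified model of SRX flow processing (added example, not Juniper code).
Policy lookup happens only on the first packet of a session (first path);
later packets in either direction are matched against the session table
(fast path), which is why a reply needs no policy of its own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int      # for ICMP echo: the identifier field (constructed convention)
    dport: int      # for ICMP echo: 0 (constructed convention)
    in_zone: str    # zone of the ingress interface


# Constructed route table: destination prefix -> egress zone
ROUTES = {"10.1.0.": "TRUST", "203.0.113.": "UNTRUST"}

# Security policies as in the question: only TRUST -> UNTRUST is permitted
POLICIES = {("TRUST", "UNTRUST"): "permit"}


def egress_zone(dst):
    """Route lookup modelled as a longest-prefix-free string match (constructed)."""
    for prefix, zone in ROUTES.items():
        if dst.startswith(prefix):
            return zone
    raise ValueError(f"no route for {dst}")


class FlowTable:
    """Session table keyed by the forward 5-tuple; the reverse wing is the
    same tuple with endpoints swapped."""

    def __init__(self):
        self.sessions = set()

    def process(self, pkt):
        """Return (action, reason) for one packet."""
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if fwd in self.sessions:
            return "permit", "fast path: matches existing session (forward wing)"
        if rev in self.sessions:
            return "permit", "fast path: matches existing session (reverse wing)"
        # First path: policy lookup from the ingress zone to the egress zone
        pair = (pkt.in_zone, egress_zone(pkt.dst))
        if POLICIES.get(pair) == "permit":
            self.sessions.add(fwd)
            return "permit", f"first path: policy {pair[0]}->{pair[1]} permit, session created"
        return "deny", f"first path: no policy {pair[0]}->{pair[1]}, packet dropped"


def ping_exchange():
    """Echo request from TRUST, its reply from UNTRUST, then an unsolicited
    echo request from UNTRUST; returns the three actions in order."""
    ft = FlowTable()
    req = Packet("10.1.0.7", "203.0.113.9", "icmp", 4242, 0, "TRUST")
    reply = Packet("203.0.113.9", "10.1.0.7", "icmp", 0, 4242, "UNTRUST")
    unsolicited = Packet("203.0.113.9", "10.1.0.7", "icmp", 9, 0, "UNTRUST")
    return [ft.process(p)[0] for p in (req, reply, unsolicited)]


if __name__ == "__main__":
    print(ping_exchange())   # ['permit', 'permit', 'deny']
```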

Juniper SRX210he is not receiving WAN IP from ISP


Hi everyone,

I have a problem: I configured a PPPoE client on a Juniper SRX210he with a username and password provided by a RADIUS server, but the SRX210 didn't receive a WAN IP from the BRAS. When I used the same username and password to connect via PPPoE to the BRAS from another device such as a Draytek Vigor or a laptop, it worked. I checked the log on the BRAS MX80.

 

Dec 21 09:34:17.019428 ###################################################################
Dec 21 09:34:17.019459 ########################### TERMINATE REQ RCVD #########################
Dec 21 09:34:17.019489 ###################################################################
Dec 21 09:34:17.019519 Auth-FSM: Trigger Acct-Stop, Save off client-msg-cookie. session-id:16191
Dec 21 09:34:17.019556 authd_auth_aaa_msg_destroy: removing msg from recv queue
Dec 21 09:34:17.019595 authd_auth_aaa_msg_destructauth_aaa_msg: 0x22b9b64
Dec 21 09:34:17.019632 doPersistedDataUpdates
Dec 21 09:34:17.019665 doPersistedDataUpdates
Dec 21 09:34:17.019696 Special (undelivered) terminate response for session-id:16191 to keep outstanding messages below quota. Actual response could be delayed depending on timeouts and configured values.
Dec 21 09:34:18.231051 RadiusServer: server[0] used for last request - 192.168.10.5 no timeout
Dec 21 09:34:18.292599 RadiusServer: 192.168.10.5 timeout (g:5, r:60)
Dec 21 09:34:18.292689 RadiusServer: marking current time for initial timeout for 192.168.10.5
Dec 21 09:34:18.292751 Radius result is CLIENT_REQ_TIMEOUT
Dec 21 09:34:18.292786 authd_radius_acctg_callback Result is :(CLIENT_REQ_TIMEOUT) reply_code:((null)) 0 session-id:16191
Dec 21 09:34:18.292843 ======= Accounting RESPONSE Received ==============
Dec 21 09:34:18.292899 AccFsm::current state=Acc-Stop-Sent(4) event=2 session-id:16191
Dec 21 09:34:18.292935 ACC-FSM:ProcessAccStartRsp_a2 for session-id:16191
Dec 21 09:34:18.292973 persistOnlyPrivateData m_inFlight
Dec 21 09:34:18.293042 accFsmExecute::new state=Acc-Stop-Sent(4)
Dec 21 09:34:18.293079 doPersistedDataUpdates
Dec 21 09:34:18.293285 RadiusServer: server[0] used for last request - 192.168.10.5 no timeout
Dec 21 09:34:18.293324 RadiusServer: 192.168.10.5 request timeout. Seconds since first request timeout: 0 (g:5, r:60). Not DEAD yet
Dec 21 09:34:18.293366 Radius result is CLIENT_REQ_TIMEOUT
Dec 21 09:34:18.293398 authd_radius_acctg_callback Result is :(CLIENT_REQ_TIMEOUT) reply_code:((null)) 0 session-id:16191
Dec 21 09:34:18.293440 ======= Accounting RESPONSE Received ==============
Dec 21 09:34:18.293479 AccFsm::current state=Acc-Stop-Sent(4) event=7 session-id:16191
Dec 21 09:34:18.293513 ACC-FSM:ProcessAccInterimRsp_a5 for session-id:16191
Dec 21 09:34:18.293548 persistOnlyPrivateData m_inFlight
Dec 21 09:34:18.293594 accFsmExecute::new state=Acc-Stop-Sent(4)
Dec 21 09:34:18.293630 doPersistedDataUpdates
Dec 21 09:34:28.915962 RadiusServer: server[0] used for last request - 192.168.10.5 no timeout
Dec 21 09:34:28.916047 RadiusServer: 192.168.10.5 request timeout. Seconds since first request timeout: 10. Change server state.
Dec 21 09:34:28.916563 RadiusServer: profile - RADIUS, radius server - 192.168.10.5 status set to UNREACHABLE
Dec 21 09:34:28.919185 Framework : : SNMP trap (jnxAccessAuthServerDisabled, jnxUserAAAServerName = 192.168.10.5) result: <snmp-generate-trap-results xmlns="http://xml.juniper.net/junos/15.1R7/junos-snmp">
<snmp-generate-trap-result>trap sent successfully</snmp-generate-trap-result>
</snmp-generate-trap-results>

Dec 21 09:34:28.919311 Framework : enter - authd_add_server_info_node_to_list
Dec 21 09:34:28.919345 Framework : authd_add_server_info_node_to_list: server info added to list of dead servers
Dec 21 09:34:28.919377 Framework : enter authd_create_and_start_state_timer
Dec 21 09:34:28.919422 Framework : authd_create_and_start_state_timer : started timer for 30 seconds for dead servers, &servers_info 0x0x7295700
Dec 21 09:34:28.919481 Radius result is CLIENT_REQ_TIMEOUT
Dec 21 09:34:28.919515 authd_radius_acctg_callback Result is :(CLIENT_REQ_TIMEOUT) reply_code:((null)) 0 session-id:16191
Dec 21 09:34:28.919569 ======= Accounting RESPONSE Received ==============
Dec 21 09:34:28.919619 AccFsm::current state=Acc-Stop-Sent(4) event=11 session-id:16191
Dec 21 09:34:28.919655 ACC-FSM:ProcessAccStopRsp_a8 for session-id:16191
Dec 21 09:34:28.919701 AuthFsm::current state=AuthAcctStopAckWait(6) event=26 astEntry=0x2cc85b0 aaa msg=0 session-id:16191
Dec 21 09:34:28.919736 Auth-FSM: Posting a Client-Session-Cleanup-Ack to the client daemon for session-id:16191
Dec 21 09:34:28.919776 ****astEntry:0x2cc85b0 aaaMsg:0 replyOpcode:1 replySubOpcode:20 replyStatus:1
Dec 21 09:34:28.920149 authd_build_aaa_request: Found no dynRequest
Dec 21 09:34:28.920193 SEQ SendClientMsg:jpppd-test-client session-id:16191 reply-code=1 (OK), result-subopcode=20 (CLIENT_SESSION_CLEANUP_ACK), cookie=4, ex_cookie=1357, rply_len=28, num_tlv_blocks=0
Dec 21 09:34:28.920244 authd_auth_aaa_msg_destructauth_aaa_msg: 0x22ba0e0
Dec 21 09:34:28.920286 ###################################################################
Dec 21 09:34:28.920318 ####################### TERMINATE ACK SENT ########################
Dec 21 09:34:28.920348 ###################################################################
Dec 21 09:34:28.920387 Delete session-id:16191
Dec 21 09:34:28.920424 Begin to logout Subscriber
Dec 21 09:34:28.920462 subscriberLogout session-id:16191
Dec 21 09:34:28.920569 UserAccess:test4 session-id:16191 state:log-out -0/0/0.0 reason: aaa shutdown-administrative-reset
Dec 21 09:34:28.920885 doPersistedDataUpdates
Dec 21 09:34:28.920926 doPersistedDataUpdates
Dec 21 09:34:28.920962 findSession AST-Table couldn't find the session-id:16191
Dec 21 09:34:28.920999 findSession AST-Table couldn't find the session-id:16191
Dec 21 09:34:28.921034 accFsmExecute::new state=Acc-Stop-Ackd(6)
Dec 21 09:34:28.921065 doPersistedDataUpdates
Dec 21 09:34:58.920594 RadiusServer: authd_radius_mark_servers_alive: profile - RADIUS, radius server - 192.168.10.5 status set to ALIVE
Dec 21 09:34:58.922043 Framework : : SNMP trap (jnxAccessAuthServerEnabled, jnxUserAAAServerName = 192.168.10.5) result: <snmp-generate-trap-results xmlns="http://xml.juniper.net/junos/15.1R7/junos-snmp">
<snmp-generate-trap-result>trap sent successfully</snmp-generate-trap-result>
</snmp-generate-trap-results>

My config of SRX210he:

interfaces {
    ge-0/0/0 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.10.150/24;
            }
        }
    }
    pp0 {
        unit 0 {
            apply-macro "test radius";
            ppp-options {
                chap {
                    default-chap-secret "$9$Xru7bsgoJDHq4on/ApB1"; ## SECRET-DATA
                    local-name test4;
                    no-rfc2486;
                    passive;
                }
                pap {
                    local-name test4;
                    no-rfc2486;
                    local-password "$9$Vbw4aGDi.fTUDtuBIcS"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                access-concentrator ISP-Local;
                service-name ISP-VNTT;
                auto-reconnect 5;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
}

 

Please help me to solve this, thanks very much.

dynamic address list in srx


How can I define a dynamic address entry or list in SRX without a Sky ATP license?

Can I define this without that license?

thanks a lot

 

Packet with IPv6 source & IPv4 destination (in Juniper documentation)


Anyone know how a packet could have an IPv6 source address and an IPv4 destination address?  The example at https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ipv6-nat.html#jd0e880 thinks it is possible:

 

[edit security nat]
source {
  pool myipv4 {
    address {
      203.0.113.2/32 to 203.0.113.5/32;
    }
  }
  rule-set myipv4_rs {
    from interface ge-0/0/1.0;
    to interface ge-0/0/2.0;
    rule ipv4_rule {
      match {
        source-address 2001:db8::/96;
        destination-address 10.1.1.15/30;
      }
      then {
        source-nat {
          pool {
            myipv4;
          }
        }
      }
    }
  }
}

 

Thanks.

SRX240H2 Multiple traffic-selectors on IKEV2


Hi there,

 

I need to establish an IPsec connection between a static and a dynamic IP endpoint. The SRX240H2 has the static IP. I planned to use IKEv2, but then I found out that the software version 12.3X48-D60.2 installed on the device does not support multiple traffic-selectors in IKEv2. This feature was added in 15.1X49-D100. Is there a chance that this feature will come to this hardware?

 

Thanks in advance

Clemens


SRX300 latest Junos 18.4R1.8 possible performance/throughput issues


Wasn't sure if this needed to go through the SRX forum or Junos. Sorry, this may be a little long-winded.

 

I wanted to post here to be informative and possibly get some additional help and things that can be done to help track down an issue like this. Since this is personal for home use I don't have support on the SRX300. But I wanted other people here to know as well.

 

I am running an SRX300 at my house which I use to learn, test, and try new features of Junos on. This SRX300 is connected to gigabit service and performs flawlessly (until 18.4) running as a gateway for 10 security zones, basic firewall functions, and NAT. I can hear what some people are thinking.
It was previously running 18.3R1.

This helps with my daily job as we work with Junos for SRX/EX/QFX platforms. Still learning the ins/outs of Junos after 2 years.

 

So I installed the latest 18.4R1.8 that came out 12/21/2018. The upgrade went smoothly and everything seemed fine. I was performing some downloads that nearly saturated the 1Gbps link using multiple sessions. This was done on prior releases with no issues. During this high-throughput scenario the throughput dropped to about 20 Mbps and latency went to 400-1000ms. Performance was suffering.

 

I checked the messages log and saw alerts about the CPU threshold being crossed and to expect packet loss.

 

I checked "show chassis routing-engine" and the CPU looked great. Then I found the command "show security monitoring fpc 0" had output that showed the CPU utilization at 100%. In this case, memory looked good and session flows were what I was expecting based on previous experience.

 

If I killed the high throughput download everything came back down to normal and all was fine. So I was able to reproduce the drop in throughput and the increase in latency.  

 

I decided to check "show pfe statistics traffic" which was giving me the current pps. I was sitting around 97k pps during the test. From what I can see I felt like I was still within the limits of the hardware. Someone please correct me if I am wrong and/or interpreting this incorrectly.

From this point I didn't know what else to look at so I decided to roll back Junos versions. I rolled back to Junos 18.3R1 service release S1.4. Re-testing the scenario and everything is working fine. The output of "show security monitoring fpc 0" showed the cpu at less than 70% and the pfe statistics showed the same for pps. Everything was humming along fine, full throughput as expected and no change in latency.

 

I assume there is some bug in Junos 18.4? Does anyone have any suggestions on additional troubleshooting or other data I could gather to track down what the issue may have been?

 

SRX300 Configuration issue at site with single static ip


All, I have a couple of different issues going on which I believe are all related to a basic config setting; however, I just can't find my error. I've chosen my incoming internet on ge-0/0/0.0; my ISP static is xx.xxx.xx.254 with a gateway address ending in .253; the subnet is 255.255.255.252....

 

I have the same unit with the same basic config at another site with 5 static IPs, which works as expected (except for the tunnel).

 

So what is working: I'm passing traffic to the internet and can browse the internet.

 

What is not working: remote management via any means, and a site-to-site tunnel (no traffic is received and it times out).

 

I believe once I get remote management working everything else will fall into place

 

Config below. I've attempted to trim out users, logging info, extra interfaces not in use, etc., so this may not be a "working code segment".

 

Ideas? I believe I had a similar issue at this site with an SSG5 (ScreenOS) which, if my memory is correct, I had to fix by adding a gateway address to the internet-facing interface. The SSG5 device is currently in use; I swap it out until I can get it working in the overnight hours.


## Last changed: 2019-01-15 07:23:12 GMT-6
version 15.1X49-D70.3;
system {
    host-name xyz;
    time-zone GMT-6;
    root-authentication {
        encrypted-password "xxx";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        dhcp-local-server {
            group jweb-default-group {
                interface irb.0;
            }
        }
        web-management {
            http;
            https {
                system-generated-certificate;
            }
            session {
                idle-timeout 60;
            }
        }
    }
}
security {
    log {
        mode event;
    }
    ike {
        policy ike_pol_vpn_to_headquarters {
            mode aggressive;
            proposal-set basic;
            pre-shared-key ascii-text "xyz";
        }
        gateway gw_vpn_to_headquarters {
            ike-policy ike_pol_vpn_to_headquarters;
            address xx.xxx.xx.107;
            dead-peer-detection;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec_pol_vpn_to_headquarters {
            perfect-forward-secrecy {
                keys group5;
            }
            proposal-set basic;
        }
        vpn vpn_to_headquarters {
            bind-interface st0.0;
            vpn-monitor;
            ike {
                gateway gw_vpn_to_headquarters;
                ipsec-policy ipsec_pol_vpn_to_headquarters;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_vpn_to_headquarters {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address addr_192_168_3_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone Internal {
            policy All_Internal_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone Internal {
            policy policy_in_vpn_to_headquarters {
                match {
                    source-address addr_192_168_3_0_24;
                    destination-address addr_192_168_0_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone Internal {
            address-book {
                address addr_192_168_0_0_24 192.168.0.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        security-zone Internet {
            address-book {
                address addr_192_168_3_0_24 192.168.3.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                    ssh;
                    https;
                    http;
                    traceroute;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                            dhcp;
                            http;
                            https;
                            ssh;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                            dhcp;
                        }
                    }
                }
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address xx.xxx.xx.254/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan0;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan0;
                }
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 192.168.3.0/24 next-hop st0.0;
        route 0.0.0.0/0 next-hop xx.xx.xx.253; ##isp gateway address##
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
access {
    address-assignment {
        pool jweb-default-pool {
            family inet {
                network 192.168.0.0/24;
                range jweb-default-range {
                    low 192.168.0.2;
                    high 192.168.0.254;
                }
                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        192.168.0.1;
                    }
                }
            }
        }
    }
}
vlans {
    vlan0 {
        vlan-id 2;
        l3-interface irb.0;
    }
}

Site-to-Site VPN TCP MSS Issue


Hi All,

 

We have got 5 remote offices, 3 are using SRX and 2 are using NetScreen. All of the firewalls including HQ (total 6 firewalls) are using the default TCP MSS of 1500. The point-to-point VPN to HQ has been up for at least a year without any connection issue.

 

A few days ago, one of the offices found an abnormal behaviour. This remote office couldn't access our servers in HQ. Some of the HQ devices also couldn't access this remote site's servers. We confirmed the VPN connection was working fine and were able to ping devices on both sides. Finally, Juniper TAC helped to apply this command: 'set security flow tcp-mss all-tcp mss 1350'. Services on both sides resumed normal operation. We suspect there was some TCP MSS change in some of the Internet connections to this remote office.

 

1. Should I apply this command 'set security flow tcp-mss all-tcp mss 1350' to the other remote offices?

2. How do I know 1350 is the best MSS?

 

Thanks,

Kay 
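As an added example (not from the original post or from Juniper), the script below works out the largest TCP MSS that still lets an ESP tunnel-mode packet fit in the path MTU, to show where a clamp value like 1350 sits relative to the real ceiling. The header sizes are the standard IPv4/TCP/ESP ones; the cipher suites and the 1500/1492 path MTUs are assumptions, since the post does not say which proposals the tunnels use.

```python
"""Maximum TCP MSS through an IPsec ESP tunnel-mode VPN (added example)."""
import math

IPV4_HDR = 20       # outer and inner IPv4 header, no options
TCP_HDR = 20        # TCP header without options (options count against the MSS)
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
NAT_T_UDP = 8       # UDP header added by NAT traversal (RFC 3948)

# suite name -> (IV length, pad alignment, ICV length); assumed combinations
SUITES = {
    "aes-cbc/hmac-sha1-96":    (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "3des-cbc/hmac-sha1-96":   (8, 8, 12),
    "aes-gcm-128":             (8, 4, 16),   # counter mode: only 4-byte ESP alignment
}


def esp_packet_size(mss, suite, nat_t=False):
    """Bytes on the wire for a full-MSS TCP segment encapsulated in ESP tunnel mode."""
    iv, align, icv = SUITES[suite]
    plaintext = IPV4_HDR + TCP_HDR + mss + ESP_TRAILER
    padded = math.ceil(plaintext / align) * align       # ESP padding to the block size
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv


def max_tcp_mss(path_mtu, suite, nat_t=False):
    """Largest MSS for which esp_packet_size() does not exceed path_mtu."""
    iv, align, icv = SUITES[suite]
    avail = path_mtu - IPV4_HDR - (NAT_T_UDP if nat_t else 0) - ESP_HDR - iv - icv
    avail -= avail % align          # padded plaintext must be a multiple of align
    return avail - IPV4_HDR - TCP_HDR - ESP_TRAILER


def fits(mss, path_mtu, suite, nat_t=False):
    """True when a full-MSS segment needs no fragmentation on this path."""
    return esp_packet_size(mss, suite, nat_t) <= path_mtu


def mss_table(path_mtu=1500):
    """Max MSS per suite, with and without NAT-T, for one path MTU."""
    return {(s, nat_t): max_tcp_mss(path_mtu, s, nat_t)
            for s in SUITES for nat_t in (False, True)}


if __name__ == "__main__":
    for mtu in (1500, 1492):            # plain Ethernet and PPPoE paths (assumed)
        for (suite, nat_t), mss in mss_table(mtu).items():
            ok = fits(1350, mtu, suite, nat_t)
            print(f"mtu={mtu} {suite:24} nat-t={str(nat_t):5} max MSS={mss}  1350 fits={ok}")
```

Run as a script it prints the per-suite ceilings; 1350 fits every combination in the table with a path MTU of 1492 or more, which is what makes one clamp value reusable across sites without measuring each path.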

SRX3600 not syncing with NTP servers


Hello all. I'm trying to configure our SRX3600 cluster to sync with outside NTP servers but I'm not having any luck with this.

I have the following configured on the cluster.

ntp {
    boot-server 161.53.160.5;
    server 161.53.160.5 prefer;
    server 161.53.123.5;
    source-address 127.0.0.1;
}


lo0 {
    unit 0 {
        family inet {
            filter {
                input CONTROL_PLANE;
            }
            address 127.0.0.1/32;
        }
    }
}

NTP relevant part of the firewall filter

term 400_PERMIT_NTP {
    from {
        source-address {
            161.53.160.4/32;
            161.53.123.4/32;
            127.0.0.1/32;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}
term 401_DENY_NTP_1 {
    from {
        protocol udp;
        port ntp;
    }
    then {
        discard;
    }
}

The routing for the cluster


routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.170.1;
            retain;
        }
        route 10.64.8.96/32 next-table internet.inet.0;
        route 10.64.8.202/32 next-table internet.inet.0;
        route 161.53.160.5/32 next-table internet.inet.0;
        route 161.53.123.5/32 next-table internet.inet.0;
        route 10.64.20.50/32 next-table internet.inet.0;
    }
}

routing-instances {
    internet {
        instance-type virtual-router;
        interface reth0.0;
        interface reth1.230;
        interface reth1.231;
        interface reth1.232;
        interface reth1.233;
        interface reth1.234;
        interface reth1.235;
        interface reth1.236;
        interface reth1.244;
        interface reth1.246;
        interface reth1.248;
        interface reth1.249;
        interface reth1.252;
        interface reth1.666;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 193.25.220.1;
                    retain;
                }
                route 10.0.0.0/8 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.254.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.0.0/16 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.234.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.90.0/23 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.55.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
            }
        }
    }
}

With all of this configured I get the following results.

 

> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 161.53.160.5    .INIT.          16 -    - 1024    0    0.000    0.000 4000.00
 161.53.123.5    .INIT.          16 -    - 1024    0    0.000    0.000 4000.00

> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Mon Sep  3 15:37:16 UTC 2018 (1)",
processor="powerpc", system="JUNOS12.3X48-D75.4", leap=11, stratum=16,
precision=-18, rootdelay=0.000, rootdispersion=309.015, peer=0,
refid=INIT, reftime=00000000.00000000  Thu, Feb  7 2036  7:28:16.000,
poll=4, clock=dfea239b.a2b2bea1  Wed, Jan 16 2019 22:41:47.635, state=1,
offset=0.000, frequency=0.778, jitter=0.004, stability=0.000

 

> set date ntp
node0:
--------------------------------------------------------------------------
16 Jan 22:42:22 ntpdate[68700]: no server suitable for synchronization found

node1:
--------------------------------------------------------------------------
16 Jan 22:42:22 ntpdate[70021]: no server suitable for synchronization found

 

> show log messages | match ntp

Jan 16 22:37:44  SRX xntpd[1381]: NTP Server Unreachable
Jan 16 22:40:56  SRX ntpq: attempt to configure invalid address 127.0.0.1
Jan 16 22:41:47  SRX ntpq: attempt to configure invalid address 127.0.0.1
Jan 16 22:42:22  SRX xntpd[1381]: ntpd 4.2.0-a Mon Sep  3 15:37:16 UTC 2018 (1)
Jan 16 22:42:22  SRX xntpd[1381]: mlockall(): Resource temporarily unavailable
Jan 16 22:42:22  SRX mgd[68688]: UI_CHILD_EXITED: Child exited: PID 68689, status 1, command '/usr/libexec/ui/ntp-date'
Jan 16 22:42:22  SRX xntpd[1381]: attempt to configure invalid address 127.0.0.1
Jan 16 22:42:37  SRX xntpd[1381]: ntpd 4.2.0-a Mon Sep  3 15:37:16 UTC 2018 (1)
Jan 16 22:42:37  SRX xntpd[1381]: mlockall(): Resource temporarily unavailable
Jan 16 22:42:37  SRX mgd[68705]: UI_CHILD_EXITED: Child exited: PID 68706, status 1, command '/usr/libexec/ui/ntp-date'
Jan 16 22:42:37  SRX xntpd[1381]: attempt to configure invalid address 127.0.0.1

I'm lost on what's going on here, as I have a similar configuration on MX80 and EX4600 devices that works all right. The logs show a problem with the routing even when I have a route in inet.0 pointing to the routing instance. Any help with this would be appreciated.
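As an added check (not from the original post or from Juniper), the script below parses the quoted ntp and lo0 filter stanzas and reports, for each configured NTP server, which filter term it would hit; the wrapper around the stanzas is constructed so the text parses stand-alone, and only source-address, protocol and port matching is modelled. Run against the config as posted, it reports both servers reaching the discard term, because the permit term lists the .4 addresses while the servers are the .5 ones.

```python
"""Check that the configured NTP servers are permitted by the lo0 input filter
(added example, not Juniper code)."""
import ipaddress

# Constructed wrapper around the stanzas quoted in the post above
CONFIG = """
ntp {
    boot-server 161.53.160.5;
    server 161.53.160.5 prefer;
    server 161.53.123.5;
    source-address 127.0.0.1;
}
filter CONTROL_PLANE {
    term 400_PERMIT_NTP {
        from {
            source-address {
                161.53.160.4/32;
                161.53.123.4/32;
                127.0.0.1/32;
            }
            protocol udp;
            port ntp;
        }
        then accept;
    }
    term 401_DENY_NTP_1 {
        from {
            protocol udp;
            port ntp;
        }
        then {
            discard;
        }
    }
}
"""


def parse_junos(text):
    """Minimal parser for curly-brace Junos config into nested dicts.
    'name {' opens a nested dict; leaf statements map to None."""
    root, stack, node = {}, [], None
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        else:
            node[line.rstrip(";")] = None
    return root


def ntp_servers(cfg):
    """Server addresses (including boot-server) from the ntp stanza, sorted."""
    return sorted({stmt.split()[1] for stmt in cfg["ntp"]
                   if stmt.startswith(("server ", "boot-server "))})


def term_action(term):
    """Action of a term: 'then { discard; }' or a 'then accept;' leaf."""
    then = term.get("then")
    if isinstance(then, dict):
        return next(iter(then))
    for key in term:
        if key.startswith("then "):
            return key.split()[1]
    return "accept"             # a term with no then clause accepts


def term_matches_ntp(term, ip):
    """Would this term's from clause match an NTP/UDP packet from ip?"""
    frm = term.get("from") or {}
    if any(s.startswith("protocol ") for s in frm) and "protocol udp" not in frm:
        return False
    if any(s.startswith("port ") for s in frm) and "port ntp" not in frm:
        return False
    if "source-address" in frm:
        return any(ip in ipaddress.ip_network(p) for p in frm["source-address"])
    return True


def evaluate_ntp_filter(cfg, filter_name="CONTROL_PLANE"):
    """First-match evaluation of the filter for each NTP server; the implicit
    discard at the end of a Junos filter applies when no term matches."""
    flt = cfg[f"filter {filter_name}"]
    results = {}
    for addr in ntp_servers(cfg):
        ip = ipaddress.ip_address(addr)
        action = "discard"
        for name, term in flt.items():
            if name.startswith("term ") and term_matches_ntp(term, ip):
                action = f"{term_action(term)} ({name})" if False else term_action(term)
                break
        results[addr] = action
    return results


if __name__ == "__main__":
    for addr, action in evaluate_ntp_filter(parse_junos(CONFIG)).items():
        print(f"{addr}: {action}")
```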

SRX3600 sending logs to remote syslog server


Hello. I'm trying to configure our SRX3600 cluster to send syslog messages to the remote syslog/SIEM server. I have the following configured on the cluster.

 

syslog {
    archive size 128k files 50 world-readable;
    user * {
        any emergency;
    }
    host 10.64.20.50 {
        any any;
        authorization any;
        firewall any;
        source-address 192.168.246.1;
        explicit-priority;
        structured-data {
            brief;
        }
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
    file interface_logs {
        any any;
        match UpDown;
    }
    source-address 192.168.246.1;
}

The routing for the cluster:


routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.170.1;
            retain;
        }
         route 10.64.20.50/32 next-table internet.inet.0;
    }
}

routing-instances {
    internet {
        instance-type virtual-router;

 

#interface commands excluded for brevity


        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 193.25.220.1;
                    retain;
                }
                route 10.0.0.0/8 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.254.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.0.0/16 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.234.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.90.0/23 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.55.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
            }
        }
    }
}

 

When configured like this I'm not seeing anything being sent to the remote server.

The funny thing is that I'm sending screen messages to the same server and they are coming through without a problem with the following configuration:

 

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 192.168.246.1;
        stream SIEM_log {
            category all;
            host {
                10.64.20.50;
                port 514;
            }
        }
    }
}

 

Any help on what I'm missing here would be great.

Disabled Web Interface


Hello guys, I have an SRX240. All of a sudden the SRX240 web interface is inaccessible, and so is SSH to the device.

I checked HTTPD logs nothing that seems serious.

 

When I tried to access SSH, it's not working also.

 

What could cause this issue?

Any way to prevent this?

Thanks.

SRX-Chassis-Cluster / Switched Fabric Interface / IPSEC-Termination on IRB-Interface


Hi all,

 

just a quick one:

Please let me know if this scenario is supported:

 

Two SRX345 in Chassis-Cluster + Switched Fabric (swfab).

Create a VLAN and an L3 IRB interface (let's assume VLAN External with vlan-id 10, and IRB unit 10 family inet address 10.10.10.1/24).

Configure the VLAN on multiple ports on Node0 and Node1.

(Lets assume: Node0 ge-0/0/5 and ge-0/0/6 and Node1 ge-5/0/5 and ge-5/0/6)

And then finally use this IRB as external-interface within ike-gateway.

Use STP to block 3 of these 4 external ports and make sure that only one (ge-0/0/5 preferred) will be used for IPsec termination.

Only in case of failure should the other ports be chosen by STP for IPsec termination.

 

Is this a supported feature, or are there any known issues with SWFAB + IPsec on IRB?

 

Best regards, Christoph.


Policy based on specific device signature


Hi,

I am not an expert on the SRX240, so maybe this is a weird question. We need to configure a firewall rule on our SRX240 to allow a specific device. Unfortunately we cannot do this based on IP address because it will always change. Does anyone have experience with that? Is this possible at all?

 

Thanks!!

Wouter

SRX550 High Memory strange issue


Hi All!

I have a strange issue with SRX550 High Memory.

It is connected to 2 ISPs with BGP (full view filtered /24).

After some time, as the BGP sessions come up, the log shows:

Jan 17 22:53:06 srx550-1 fto_new: failed to allocate fto
Jan 17 22:53:06 srx550-1 RT: IPv4:0 - 205.253/16 (RT: Failed to allocate object for flow)
Jan 17 22:53:06 srx550-1 RT-HAL,rt_entry_add_msg_proc,3405: rt_halp_vectors->rt_create failed
Jan 17 22:53:06 srx550-1 RT-HAL,rt_entry_add_msg_proc,3466: proto ipv4,len 16 prefix 205.253/16 nh 1342
Jan 17 22:53:06 srx550-1 RT-HAL,rt_msg_handler,688: route process failed
Jan 17 22:53:06 srx550-1 fto_new: failed to allocate fto
Jan 17 22:53:06 srx550-1 RT: IPv4:0 - 49.40.33/24 (RT: Failed to allocate object for flow)
Jan 17 22:53:06 srx550-1 RT-HAL,rt_entry_add_msg_proc,3405: rt_halp_vectors->rt_create failed
Jan 17 22:53:06 srx550-1 RT-HAL,rt_entry_add_msg_proc,3466: proto ipv4,len 24 prefix 49.40.33/24 nh 1342
Jan 17 22:53:06 srx550-1 RT-HAL,rt_msg_handler,688: route process failed

 

The commands "show chassis routing-engine" and "show security flow" do not return any suspicious info.

I tried to filter routes with /23 - still the same.

Moreover, another SRX of the same model with same config works like a charm.

I assumed that something was wrong with the DRAM, so I took the DRAM modules from the "working" SRX and put them in the "bad" one, but it did not help.

I will really appreciate any help, thank you!

 

SIP TCP issue


Hi,

 

Please see below the route process for this issue:

 

Cust SIP --> ASA --> Outside Stack --> SRX1500 --> Core --> LNS --> CPE --> Other end

 

The problem is that every now and then, a customer's SIP phones fail to register, but then they do. After much troubleshooting I have discovered that the phone is trying to register against one address but fails to get a 200 OK in response... so it waits, then it goes to another address (same subnet), and it manages to get a 200 OK and registers.

 

The Customer, and ourselves, can use another broadband network and it works fine. The only difference is the routing-instances on the SRX (I am pretty sure that's where the issue is).... so, given that the issue can happen randomly, then it is difficult to troubleshoot....

 

The security policies for the zone are an "any any any permit", and so is the other side....

 

The question I have is:

Where on the SRX, is the best place for a traceoptions so we can examine in wireshark?

Or, what's the best security flow to look at?

 

I have already removed the screen IDS options that were assigned, to make sure it was not that.....

 

I believe that the firewall is closing the session for some reason, but I don't know why and I don't know when either.... so traceoptions are required, but I'm not sure where to get the SIP traffic.

SRX 3600 blocking EDNS packets


Hi All,

 

We have an SRX 3600 running 12.1X46-D25.7 and we are having issues with our DNS servers behind it. We are trying to make sure our DNS servers are EDNS compliant, but testing EDNS is showing timeouts on our NS servers that are behind the SRX. We have 4 NS servers in total and they are all running the same version of BIND, but 2 of them are behind the SRX and those 2 are failing, so we suspect the SRX is blocking the EDNS packets. My policies allow UDP 53 traffic from any source to the server, but the tool we use to check for EDNS shows a timeout regardless of what rules we configure, and we are not using ALGs. What log can be configured to see if this is really happening?

 

TIA,

Max

Behavior of NAT source pool with no PAT


Dear team,

 

Today we tested the NAT source pool with no PAT feature. As we understood it, if we have 3 sessions (ssh, telnet, ping), the SRX device would translate them to 3 IPs, but in reality it just NATs to 1 IP. It seems that with NAT with no PAT, the behavior is similar to address-persistent, right?

Session ID: 8420, Policy name: trust-to-untrust/4, Timeout: 1718, Valid
In: 10.10.1.2/59266 --> 172.16.1.2/23;tcp, If: ge-0/0/2.0, Pkts: 11, Bytes: 516
Out: 172.16.1.2/23 --> 172.16.1.4/59266;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 496

Session ID: 8424, Policy name: trust-to-untrust/4, Timeout: 1730, Valid
In: 10.10.1.2/59273 --> 172.16.1.2/22;tcp, If: ge-0/0/2.0, Pkts: 12, Bytes: 2025
Out: 172.16.1.2/22 --> 172.16.1.4/59273;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 2477

Session ID: 8548, Policy name: trust-to-untrust/4, Timeout: 2, Valid
In: 10.10.1.2/2429 --> 172.16.1.2/1;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
Out: 172.16.1.2/1 --> 172.16.1.4/2429;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

 

Thanks,

ThinhND
