Channel: SRX Services Gateway topics

SRX5800 Reth0 LAG with Extreme Networks MLAG


Hi,

We have a setup with an SRX5800 Chassis Cluster and we are doing a reth LACP setup with Extreme Networks' MLAG.

 

The connections are as below:

1. xe-10/1/0 -> Port 1 of Extreme Networks switch #1
2. xe-11/1/0 -> Port 1 of Extreme Networks switch #2
3. xe-21/1/0 -> Port 1 of Extreme Networks switch #3
4. xe-22/1/0 -> Port 1 of Extreme Networks switch #4

The configuration in the SRX is the following:

reth0 {
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
        lacp {
            passive;
            periodic slow;
        }
    }
}

The configuration of the Extreme Networks switch is the default one, i.e., LACP active and periodic fast.

The LACP seems to work fine since we are seeing the reth0 link speed as 20 Gbps (the physical links of the SRX are 10 Gbps), but we lose connection with a specific reth0 (reth0.3622) which is connecting to another SRX Cluster. All the other reth connections work fine.

When we disable one of the links of the LAGs - for instance xe-11/1/0 - everything works fine.

 

Can you please help us on this?

 

Cheers,

Nuno

 


configuring the VDSL2 PIM with point to point IP without using username or password


Hello, I am trying to make the setup below, using the VDSL2 PIM instead of the SHDSL one, without using a username or password for authentication, as there will be point-to-point IP from the PE to the Juniper.

The sub-interface configuration from the PE side and the DSLAM port PVC is configured with VLAN 111 untagged, with VPI/VCI 0/35:

interface GigabitEthernet0/0/1.111
encapsulation dot1Q 111
ip address 10.0.0.1 255.255.255.252

I need advice on the Juniper SRX configuration.

 

 

[Attachment: juniper test.png]

Sub-interface with tagged VLAN in vSRX


Hi.

 

Is it possible to create tagged and untagged sub-interfaces simultaneously in vSRX?

Something like this:

ge-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.2.100/24;
        }
    }
    unit 1 {
        vlan-id 10;
        family inet {
            address 192.168.1.100/24;
        }
    }
}

Route based VPN in and out same interface?


I'm configuring a VPN on an SRX550 that sits behind an SRX650.

I *think* I have figured out the config for the VPN NATing out through the other firewall.

The piece I'm not sure will work is this: if I have traffic coming in on reth20, set the route to point to st0.100 to encrypt, then bind the tunnel to reth20 so it goes back out the same interface. Will that work?

SRX 340 ports

intermittent vpn with multiple proxy IDs


Hi,

We have a VPN on our SRX firewall, and its peer device is a Cisco ASA. We are using policy-based VPN and there are three subnets/proxy-IDs. We configured 3 security policies, one for each subnet, so that each subnet would have its own proxy-ID. All 3 local subnets/proxy-IDs work at the same time for a while, but after hours, or I think when the lifetime expires, 2 of the subnets/proxy-IDs drop and only one remains. What we do to bring up the other 2 subnets/proxy-IDs again is to reset the tunnel and ask our peer site to initiate a ping to our local gateway address; after that all 3 subnets/proxy-IDs come up again. Also, when we reset the tunnel and we initiate the ping, the tunnel does not come up, but when our peer site is the one to initiate the ping, the tunnel comes up. I also see in "show security ike sa detail" that our firewall is the responder.

My questions are: how can we make our firewall the initiator, why do the other 2 local subnets/proxy-IDs drop after hours while the other one remains, and how can we stabilize the other 2 local subnets/proxy-IDs? Attached is the config of our VPN. Please help. Thanks.


SRX240 SSH Rate-limit dependencies


I just inherited a fielded SRX240 and need to run Nessus scans against the device remotely. After talking with colleagues, to get valid scans I need to increase the SSH rate-limit (system services ssh) to 25. However, my device (running Junos 12.1X44) only allows this value to be set between 1 and 5. Looking through online documentation, I should be able to set this as high as 250. Are there other configuration dependencies that may be capping the value for rate-limit to 5?

class of service does not work on vpls interface?


Hi all,

I want to rewrite all egress traffic with CoS:4 at ge-0/0/0.34. Here's my configuration:

 

interfaces {
    ge-0/0/0 {
        per-unit-scheduler;
        vlan-tagging;
        encapsulation flexible-ethernet-services;
        mac xx.xx.xx.xx.xx.xx;          
        unit 34 {                       
            encapsulation vlan-vpls;    
            vlan-id 34;                 
            family vpls;                
        }                               
        unit 35 {                       
            vlan-id 35;                 
            family inet {               
                dhcp {                  
                    client-identifier ascii juniper;
                    vendor-id juniper;  
                }                       
            }                           
        }                               
    }
    ge-0/0/3 {
        flexible-vlan-tagging;
        native-vlan-id 34;
        encapsulation extended-vlan-vpls;
        unit 34 {
            vlan-id 34;
            family vpls;
        }
    }
}
class-of-service {
    host-outbound-traffic {
        ieee-802.1;
    }
    interfaces {
        ge-0/0/0 {
            unit 34 {
                classifiers {
                    ieee-802.1 default;
                }
                rewrite-rules {
                    ieee-802.1 IPTV-Rewriter vlan-tag outer;
                }
            }
        }
    }
    rewrite-rules {
        ieee-802.1 IPTV-Rewriter {
            import default;
            forwarding-class best-effort {
                loss-priority low code-point 100;
                loss-priority high code-point 100;
            }
            forwarding-class expedited-forwarding {
                loss-priority high code-point 100;
                loss-priority low code-point 100;
            }
            forwarding-class network-control {
                loss-priority low code-point 100;
                loss-priority high code-point 100;
            }                           
            forwarding-class assured-forwarding {
                loss-priority high code-point 100;
            }                           
        }                               
    }                                   
}                                       

I confirmed the VPLS part works, because I can see the DHCP traffic sent from a device connected to ge-0/0/3 at ge-0/0/0. But the VLAN PRI value of those packets is always 0. It looks like my rewrite rule applied to ge-0/0/0.34 never worked.


SRX DDNS with Google Domains


I am running 12.3X48-D25.3 on an SRX210 and am looking to activate DDNS using Google Domains' DDNS support. The support article from Google can be found here.

 

My configs:

 

[edit system services dynamic-dns]
user@My_FW# show
client vpn.XXXXX.org {
    server ddo;
    agent dyndns;
    username ixwKzS82hwFDAI5L;
    password "$9$GGDjk36CtuBCAM8L7bwmf5F9pRESyevik9pBIleLX7NbYgoZ"; ## SECRET-DATA
    interface ge-0/0/0.0;
}

 

 

It seems that the only options for server are:

user@MY_FW# set client vpn.XXXXX.org server ?
Possible completions:
  ddo
  dyndns
[edit system services dynamic-dns]
user@MY_FW# set client vpn.XXXXX.org server

Has anyone been able to configure a custom server on the SRX?

Dynamic DNS on SRX with dyndns.org


Hello All,

 

Earlier I tried to set up DDNS on the SRX with noip.com, but it never worked out.

 

Now I've got a DNS hostname from dyndns.org (dyn.com) and I've configured SRX with the details:

 

[edit system services dynamic-dns]
shyam@SRX100# show
client abc.homeip.net {
    server dyndns;
    username shyam;
    password "$9$-9VYoDi.TF/24JDHkQz9ApuOR"; ## SECRET-DATA
    interface pp0.0;
}

In a way this works and in a way it doesn't.

 

After configuring, when I ping abc.homeip.net from the Internet, it works fine and I get replies from my pp0.0 IP address.

 

But when I try to telnet abc.homeip.net, it doesn't work. When I try to access it over HTTP, it doesn't work.

 

shyam@SRX100> show system services dynamic-dns client detail

Hostname     : abc.homeip.net
Server       : members.dyndns.org
Last response: nochg
Last update  : 2016-04-20 20:38:23 UTC
Username     : shyam
Interface    : pp0.0
Agent        : ddns-0.1 JUNOS [Model #] (Firmware version)

The last response as seen above says nochg. Am I missing something here?

stupid question about ipv6


Why, when I do

show route IPv6:Addr::61

does it give me nothing, but if I do this:

show route IPv6:Addr::61/64

I get some static routes?

 

Hardware change VPN won't authenticate (certificate auth)


I have a remote site that is connected to another site via a site-to-site tunnel using PKI/cert-based auth. My new firewall has the same config, etc., but I had to generate a new cert since the old hardware was dead and I could not export the original cert.

Everything looks good in my cert, but I'm getting an authentication error on the other end. I'm guessing this may have something to do with it seeing a different cert than it's expecting? I've deleted the tunnel config on the remote end, committed, and applied it back, hoping it would jar something loose. Is there some kind of 'known hosts' type file that I need to clear?

 

Logs from the remote firewall.  local_ip refers to the IP of this remote firewall:

 

[Apr 15 00:02:21][local_ip <-> remote_ip]  ikev2_state_error: [da7c00/ae9800] Negotiation failed because of error Authentication failed (24)
[Apr 15 00:02:21][local_ip <-> remote_ip]  IKE negotiation fail for local:local_ip, remote:remote_ip IKEv2 with status: Authentication failed
[Apr 15 00:02:21][local_ip <-> remote_ip]  IPSec negotiation failed for SA-CFG remote_hostname for local:local_ip, remote:remote_ip IKEv2. status: Authentication failed
[Apr 15 00:02:21][local_ip <-> remote_ip]     P2 ed info: flags 0xc2, P2 error: Error ok
[Apr 15 00:02:21][local_ip <-> remote_ip]  IPSec SA done callback. ed ae8028. status: Authentication failed
[Apr 15 00:02:21][local_ip <-> remote_ip]  IPSec SA done callback with sa-cfg NULL in p2_ed. status: Authentication failed

On the local side, everything seems to be working fine.  I'm getting ike + ipsec SA's establishing, then clearing, then establishing, over and over.  But that tells me that the new firewall is okay with the attempts to establish a tunnel by the remote firewall.

Syntax error


I have written a config and checked it inside out. The SRX220 will not load the config, reporting a "Syntax Error", but neither I nor Notepad++ can find it anywhere. Any clues?
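The post above does not include the config itself, so here is an added example (not from the poster and not a Junos parser) of a brace-balance check for Junos-style curly configuration text, assuming the conventions visible in the configs elsewhere on this page: stanzas open with `{`, close with `}`, statements end with `;`, and `#` starts a comment. The sample config and the two mistakes in it are constructed.

```python
import re

# Added example: heuristic structural check for Junos-style curly config.
# It reports where the brace structure first goes wrong, which is usually
# enough to localise a "syntax error" that a text editor will not flag.


def _strip_quotes_and_comments(line: str) -> str:
    """Blank out quoted strings (passwords may contain braces or '#') and
    drop '#' comments so only structural characters remain."""
    line = re.sub(r'"[^"]*"', '""', line)
    return line.split("#", 1)[0].rstrip()


def check_config(text: str):
    """Return a list of (line_number, problem) tuples.

    Checks performed:
      * every '}' must close a stanza opened earlier;
      * every '{' must be closed before end of file;
      * every non-empty line must end with '{', '}' or ';'.
    """
    problems = []
    open_stanzas = []  # stack of (line_number, stanza name)
    for number, raw in enumerate(text.splitlines(), start=1):
        line = _strip_quotes_and_comments(raw).strip()
        if not line:
            continue
        for _ in range(line.count("{")):
            open_stanzas.append((number, line.rstrip("{").strip()))
        for _ in range(line.count("}")):
            if open_stanzas:
                open_stanzas.pop()
            else:
                problems.append((number, "unexpected '}' with no open stanza"))
        if not line.endswith(("{", "}", ";")):
            problems.append((number, "statement is not terminated by ';'"))
    for number, name in open_stanzas:
        problems.append((number, f"stanza '{name}' opened here is never closed"))
    return problems


# Constructed sample with two deliberate mistakes: a missing ';' on the
# address line (line 11) and a missing '}' for the 'interfaces' stanza
# opened on line 7. The password is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
system {
    host-name SRX220-lab;
    root-authentication {
        encrypted-password "$1$PLACEHOLDER{}#"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.0.2.1/30
            }
        }
    }
security {
    zones {
        security-zone untrust;
    }
}
"""

if __name__ == "__main__":
    for number, problem in check_config(SAMPLE_CONFIG):
        print(f"line {number}: {problem}")
```

Run it against a saved config file and it reports the first offending lines; the quoted-string handling matters because `$9$...`/`$1$...` password strings can legitimately contain braces and `#`.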

Vpn created behind NAT device


There are a couple of things I'm not getting.

 

I found a doc that says to add: set security ike gateway ike-gateway1 local-identity hostname juniper.net;

 

But I don't know what side to put it on. Or if it goes on both sides.

 

So if I'm doing this:

FW1 -> FW2 -> INTERNET -> FW3 (where FW 2 is the NAT, and tunnel is configured between 1 and 3)

 

It would look like this on both sides?:

set security ike proposal ike-Test00-proposal authentication-method pre-shared-keys
set security ike proposal ike-Test00-proposal dh-group group2
set security ike proposal ike-Test00-proposal authentication-algorithm sha1
set security ike proposal ike-Test00-proposal encryption-algorithm aes-128-cbc

set security ike policy ike-Test00-policy mode main
set security ike policy ike-Test00-policy proposals ike-Test00-proposal
set security ike policy ike-Test00-policy pre-shared-key ascii-text elvisike123

set security ike gateway gw-Test00 external-interface <outbound interface>
set security ike gateway gw-Test00 ike-policy ike-Test00-policy
set security ike gateway gw-Test00 address <public ip>

set security ike gateway gw-Test00 local-identity hostname testvpn.fqdn.com

 

I don't suppose anyone can point me to a doc that shows all of this in 1 place?

 

vSRX VPN IPSec Site-to-Site PPPoE problem


Hello ladies & gents,

I am new to Juniper and Junos in general, but I found it easy to learn, so in order to make my first steps with the real deal (SRX) I first got vSRX to test some things. One of them is an IPsec site-to-site VPN.

I've got to try this with two different home modem-routers... let's say one in Antarctica and the other in the Arctic, with VMware Workstation as my platform, and I put my VMs in Bridged mode. For testing purposes I supposedly accept my 2 different dynamic IPs as static IPs...

 

I used as my guide this one:

https://www.juniper.net/documentation/en_US/junos15.1x49/topics/example/ipsec-route-based-vpn-configuring.html

 

and because I am stuck on the logic of

 

set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30   <-- in r.s.* is this interface our default gateway, 192.168.1.1?
set interfaces st0 unit 0 family inet address 10.11.11.10/24    <-- in r.s. this is our virtual IP? Right? We can set it as we want.

set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1     <-- What is the role of 1.1.1.1 and what is its logical connection to 1.1.1.2?
set routing-options static route 192.168.168.0/24 next-hop st0.0

 

I consider reading this:

 

https://forums.juniper.net/t5/SRX-Services-Gateway/How-to-configure-PPPoE-with-SRX100-10-0R2-10-for-Switzerland/td-p/37702

 
set routing-options static route 0.0.0.0/0 next-hop pp0.0;

 

As necessary in order to continue... Is it really necessary to do this routing via pp0.0, or can we just use the above logic with better configuration?

I wrote some questions in order to understand this better!

 

 

*r.s. = real scenario


SRX220 trouble with IPsec VPN


Hi, everyone.

I have an SRX220 and we're trying to set up an IPsec VPN with an SRX650.
On the SRX220, IPsec phase 1 failed: "show security ike sa" is blank.
All VPN-related configuration such as encryption algorithm, hash algorithm and policy is configured correctly.
Certificates are loaded successfully and the certificates are not expired.

In the pcap file from the WAN interface there is no IPsec traffic between the peers.

 

What could be the problem?

 

Model: RE-SRX220H2
SW ver: 12.1X46-D50.4

 

IKE/IPsec log:

 

Apr 22 08:59:38 SRX clear-log[8071]: logfile cleared
[Apr 22 09:05:11]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 161159148 **
[Apr 22 09:05:11]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 161159148 **
[Apr 22 09:05:11]KMD_INTERNAL_ERROR: kmd_read_securitycfg: dax_get_object_by_path() returned FALSE, secop: 0x38210560.
[Apr 22 09:05:11]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 0 **
[Apr 22 09:05:11]No SPUs are operational, returning.
[Apr 22 09:05:11]Config download: Processed 1 - 2 messages
[Apr 22 09:05:11]Config download time: 0 secs
[Apr 22 09:05:11]iked_config_process_config_list, configuration diff complete
[Apr 22 09:05:55]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[Apr 22 09:05:55]Config download: Processed 1 - 1 messages
[Apr 22 09:05:55]Config download time: 0 secs
[Apr 22 09:05:55]Creating PM instance for service_set: root
[Apr 22 09:05:55]ssh_ike_init: Start
[Apr 22 09:05:55]ssh_ike_init: params->ignore_cr_payloads = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->no_key_hash_payload = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->no_cr_payloads = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->do_not_send_crls = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->send_full_chains = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->trust_icmp_messages = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->spi_size = 0
[Apr 22 09:05:55]ssh_ike_init: params->zero_spi = TRUE
[Apr 22 09:05:55]ssh_ike_init: params->max_key_length = 512
[Apr 22 09:05:55]ssh_ike_init: params->max_isakmp_sa_count = 8192
[Apr 22 09:05:55]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[Apr 22 09:05:55]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_default_cnt = 1
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_default_retry = 2
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_private_cnt = 1
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_private_retry = 2
[Apr 22 09:05:55]ssh_ike_attach_audit_context: Attaching a new audit context
[Apr 22 09:05:55]ssh_ike_init: params->base_retry_limit = 5
[Apr 22 09:05:55]ssh_ike_init: params->base_retry_timer = 10.000000
[Apr 22 09:05:55]ssh_ike_init: params->base_retry_timer_max = 150.000000
[Apr 22 09:05:55]ssh_ike_init: params->base_expire_timer = 180.000000
[Apr 22 09:05:55]ssh_ike_init: params->extended_retry_limit = 5
[Apr 22 09:05:55]ssh_ike_init: params->extended_retry_timer = 5.000000
[Apr 22 09:05:55]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[Apr 22 09:05:55]ssh_ike_init: params->extended_expire_timer = 240.000000
[Apr 22 09:05:55]ssh_ikev2_fallback_create: FB; v1 policy manager e30a00 started
[Apr 22 09:05:55]ssh_ikev2_fallback_attach: FB; v1 policy manager e30a00 attached to server eea600
[Apr 22 09:05:55]iked_config_process_config_list, configuration diff complete
[Apr 22 09:05:55]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
[Apr 22 09:05:55]kmd_rpd_cb_session_connect
[Apr 22 09:05:55]kmd_rpd_cb_session_connect: rpd session established
[Apr 22 09:05:55]kmd_rpd_db_read
[Apr 22 09:05:55]kmd_rpd_db_read: gw handle 20825600
[Apr 22 09:05:55]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl st0.0
[Apr 22 09:05:55]kmd_rpd_cb_protocol_register gw handle 20825600 return code 0
[Apr 22 09:05:55]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl vlan.0
[Apr 22 09:05:55]kmd_rpd_cb_protocol_unregister
[Apr 22 09:05:55]kmd_rpd_db_write
[Apr 22 09:05:55]kmd_rpd_cb_protocol_register gw handle 20825600 return code 0
[Apr 22 09:05:55]kmd_rpd_db_write
[Apr 22 09:05:55]kmd_rpd_refresh_routes
[Apr 22 09:05:55]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Apr 22 09:05:59]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[Apr 22 09:10:12]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[Apr 22 09:10:12]Config download: Processed 1 - 1 messages
[Apr 22 09:10:12]Config download time: 0 secs
[Apr 22 09:10:12]Creating PM instance for service_set: root
[Apr 22 09:10:12]ssh_ike_init: Start
[Apr 22 09:10:12]ssh_ike_init: params->ignore_cr_payloads = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->no_key_hash_payload = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->no_cr_payloads = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->do_not_send_crls = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->send_full_chains = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->trust_icmp_messages = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->spi_size = 0
[Apr 22 09:10:12]ssh_ike_init: params->zero_spi = TRUE
[Apr 22 09:10:12]ssh_ike_init: params->max_key_length = 512
[Apr 22 09:10:12]ssh_ike_init: params->max_isakmp_sa_count = 8192
[Apr 22 09:10:12]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[Apr 22 09:10:12]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_default_cnt = 1
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_default_retry = 2
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_private_cnt = 1
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_private_retry = 2
[Apr 22 09:10:13]ssh_ike_attach_audit_context: Attaching a new audit context
[Apr 22 09:10:13]ssh_ike_init: params->base_retry_limit = 5
[Apr 22 09:10:13]ssh_ike_init: params->base_retry_timer = 10.000000
[Apr 22 09:10:13]ssh_ike_init: params->base_retry_timer_max = 150.000000
[Apr 22 09:10:13]ssh_ike_init: params->base_expire_timer = 180.000000
[Apr 22 09:10:13]ssh_ike_init: params->extended_retry_limit = 5
[Apr 22 09:10:13]ssh_ike_init: params->extended_retry_timer = 5.000000
[Apr 22 09:10:13]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[Apr 22 09:10:13]ssh_ike_init: params->extended_expire_timer = 240.000000
[Apr 22 09:10:13]ssh_ikev2_fallback_create: FB; v1 policy manager e30a00 started
[Apr 22 09:10:13]ssh_ikev2_fallback_attach: FB; v1 policy manager e30a00 attached to server eea600
[Apr 22 09:10:13]iked_config_process_config_list, configuration diff complete
[Apr 22 09:10:13]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
[Apr 22 09:10:13]kmd_rpd_cb_session_connect
[Apr 22 09:10:13]kmd_rpd_cb_session_connect: rpd session established
[Apr 22 09:10:13]kmd_rpd_db_read
[Apr 22 09:10:13]kmd_rpd_db_read: gw handle 20825600
[Apr 22 09:10:13]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl st0.0
[Apr 22 09:10:13]kmd_rpd_cb_protocol_register gw handle 20825600 return code 0
[Apr 22 09:10:13]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl vlan.0
[Apr 22 09:10:13]kmd_rpd_cb_protocol_unregister
[Apr 22 09:10:13]kmd_rpd_db_write
[Apr 22 09:10:13]kmd_rpd_cb_protocol_register gw handle 20825600 return code 0
[Apr 22 09:10:13]kmd_rpd_db_write
[Apr 22 09:10:13]kmd_rpd_refresh_routes
[Apr 22 09:10:13]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Apr 22 09:10:17]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[Apr 22 09:14:38]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[Apr 22 09:14:38]Config download: Processed 1 - 1 messages
[Apr 22 09:14:38]Config download time: 0 secs
[Apr 22 09:14:38]Creating PM instance for service_set: root
[Apr 22 09:14:38]ssh_ike_init: Start
[Apr 22 09:14:38]ssh_ike_init: params->ignore_cr_payloads = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->no_key_hash_payload = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->no_cr_payloads = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->do_not_send_crls = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->send_full_chains = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->trust_icmp_messages = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->spi_size = 0
[Apr 22 09:14:38]ssh_ike_init: params->zero_spi = TRUE
[Apr 22 09:14:38]ssh_ike_init: params->max_key_length = 512
[Apr 22 09:14:38]ssh_ike_init: params->max_isakmp_sa_count = 8192
[Apr 22 09:14:38]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[Apr 22 09:14:38]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_default_cnt = 1
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_default_retry = 2
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_private_cnt = 1
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_private_retry = 2
[Apr 22 09:14:38]ssh_ike_attach_audit_context: Attaching a new audit context
[Apr 22 09:14:38]ssh_ike_init: params->base_retry_limit = 5
[Apr 22 09:14:38]ssh_ike_init: params->base_retry_timer = 10.000000
[Apr 22 09:14:38]ssh_ike_init: params->base_retry_timer_max = 150.000000
[Apr 22 09:14:38]ssh_ike_init: params->base_expire_timer = 180.000000
[Apr 22 09:14:38]ssh_ike_init: params->extended_retry_limit = 5
[Apr 22 09:14:38]ssh_ike_init: params->extended_retry_timer = 5.000000
[Apr 22 09:14:38]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[Apr 22 09:14:38]ssh_ike_init: params->extended_expire_timer = 240.000000
[Apr 22 09:14:38]ssh_ikev2_fallback_create: FB; v1 policy manager e25900 started
[Apr 22 09:14:38]ssh_ikev2_fallback_attach: FB; v1 policy manager e25900 attached to server edf500
[Apr 22 09:14:38]iked_config_process_config_list, configuration diff complete
[Apr 22 09:14:38]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Apr 22 09:14:40]IKED-PKID-IPC
[Apr 22 09:14:40]kmd_rpd_init
[Apr 22 09:14:40]kmd_rpd_shutdown_session
[Apr 22 09:14:40]Failed to connect with rpd: Unknown error: 0 (22), will retry
[Apr 22 09:14:40]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[Apr 22 09:14:40]KMD_INTERNAL_ERROR: iked_trace_ipc_connect: usp_ipc_client_open fail
[Apr 22 09:14:45]IKED-PKID-IPC
[Apr 22 09:14:45]kmd_rpd_init
[Apr 22 09:14:45]kmd_rpd_shutdown_session
[Apr 22 09:14:45]Failed to connect with rpd: Unknown error: 0 (22), will retry
[Apr 22 09:14:45]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[Apr 22 09:14:50]IKED-PKID-IPC
[Apr 22 09:14:50]kmd_rpd_init
[Apr 22 09:14:50]kmd_rpd_shutdown_session
[Apr 22 09:14:50]Failed to connect with rpd: Unknown error: 0 (22), will retry
[Apr 22 09:14:55]kmd_rpd_init
[Apr 22 09:14:55]rpd session connected
[Apr 22 09:14:55]kmd_rpd_cb_session_connect
[Apr 22 09:14:55]kmd_rpd_cb_session_connect: rpd session established
[Apr 22 09:14:55]kmd_rpd_db_read
[Apr 22 09:14:55]kmd_rpd_db_read: gw handle 20825600
[Apr 22 09:14:55]kmd_rpd_cb_protocol_register gw handle 128 return code 1
[Apr 22 09:14:55]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
[Apr 22 09:14:55]kmd_rpd_db_write
[Apr 22 09:14:55]kmd_rpd_shutdown_session
[Apr 22 09:15:00]kmd_rpd_init
[Apr 22 09:15:00]rpd session connected
[Apr 22 09:15:01]kmd_rpd_cb_session_connect
[Apr 22 09:15:01]kmd_rpd_cb_session_connect: rpd session established
[Apr 22 09:15:01]kmd_rpd_db_write
[Apr 22 09:15:01]kmd_rpd_cb_protocol_register gw handle 20825792 return code 0
[Apr 22 09:15:01]kmd_rpd_db_write
[Apr 22 09:15:01]kmd_rpd_refresh_routes
[Apr 22 09:15:21]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl st0.0
[Apr 22 09:15:21]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl vlan.0
[Apr 22 09:15:31]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0

SRX220 config:

 

## Last commit: 2016-04-22 11:05:21 UTC by user_adm 
version 12.1X46-D50.4; 
system { 
   host-name SRX; 
   root-authentication { 
       encrypted-password "$1$4CX7J5Yo$fFqfWvaSKQoKuCb6pBkUS0"; ## SECRET-DATA 
   } 
   name-server { 
       208.67.222.222; 
       208.67.220.220; 
   } 
   login { 
       user user_adm { 
           full-name userEN; 
           uid 2000; 
           class super-user; 
           authentication { 
               encrypted-password "$1$6A7.mgsd$gVPIxqG1ATK5eqWDBPDKl1"; ## SECRET-DATA 
           } 
       } 
   } 
   services { 
       ssh { 
           root-login deny; 
       } 
       telnet; 
       xnm-clear-text; 
       web-management { 
           http { 
               interface vlan.0; 
           } 
           https { 
               system-generated-certificate; 
               interface vlan.0; 
           } 
       } 
   } 
   syslog { 
       archive size 100k files 3; 
       user * { 
           any emergency; 
       } 
       file messages { 
           any critical; 
           authorization info; 
       } 
       file interactive-commands { 
           interactive-commands error; 
       } 
   } 
   max-configurations-on-flash 5; 
   max-configuration-rollbacks 5; 
   license { 
       autoupdate { 
           url https://ae1.juniper.net/junos/key_retrieval; 
       } 
   } 
} 
interfaces { 
   ge-0/0/0 { 
       unit 0 { 
           family inet { 
               sampling {               
                   input; 
                   output; 
               } 
               address 82.xxx.xxx.154/30; 
           } 
       } 
   } 
   ge-0/0/1 { 
       unit 0 { 
           family ethernet-switching { 
               vlan { 
                   members vlan-trust; 
               } 
           } 
       } 
   } 
   st0 { 
       unit 0 { 
           family inet { 
               address 10.0.0.83/20; 
           } 
       } 
   } 
   vlan { 
       unit 0 { 
           family inet { 
               address 10.99.95.8/24; 
           } 
       } 
   } 
} 
forwarding-options { 
   packet-capture { 
       file filename pcap files 2 size 10m world-readable; 
       maximum-capture-size 1500; 
   } 
} 
routing-options { 
   static { 
       route 0.0.0.0/0 next-hop 82.xxx.xxx.153; 
       route 192.168.0.0/16 next-hop 10.99.95.1; 
       route 172.16.0.0/12 next-hop 10.99.95.1; 
       route 10.0.0.0/8 next-hop 10.99.95.1; 
   } 
} 
protocols { 
   stp; 
} 
security { 
   pki { 
       ca-profile ca-profile1 { 
           ca-identity DOMAIN.ru; 
           enrollment { 
               url http://scep.DOMAIN.ru/certsrv/mscep/mscep.dll; 
           } 
           revocation-check { 
               disable; 
           } 
       } 
   } 
   ike { 
       traceoptions { 
           file ipsec size 2m files 2; 
           flag all; 
       } 
       proposal AES-MD5 { 
           authentication-method rsa-signatures; 
           dh-group group2; 
           authentication-algorithm md5; 
           encryption-algorithm aes-256-cbc; 
       } 
       policy DOMAIN {                 
           mode main; 
           proposals AES-MD5; 
           certificate { 
               local-certificate vpn; 
           } 
       } 
       gateway pri-hq-pri { 
           ike-policy DOMAIN; 
           address 212.SRX.650.2; 
           local-identity distinguished-name; 
           remote-identity distinguished-name container DC=headqr.gate.DOMAIN.ru; 
           external-interface ge-0/0/0.0; 
       } 
   } 
   ipsec { 
       traceoptions { 
           flag all; 
       } 
       proposal AES-MD5 { 
           authentication-algorithm hmac-md5-96; 
           encryption-algorithm aes-256-cbc; 
       } 
       policy DOMAIN { 
           perfect-forward-secrecy { 
               keys group2; 
           } 
           proposals AES-MD5; 
       } 
       vpn pri-hq-pri { 
           vpn-monitor; 
           ike { 
               gateway pri-hq-pri; 
               proxy-identity { 
                   local 10.0.0.83/32; 
               } 
               ipsec-policy DOMAIN; 
           } 
           establish-tunnels immediately; 
       } 
   } 
   flow { 
       tcp-mss { 
           ipsec-vpn { 
               mss 1300; 
           } 
       } 
   } 
   screen { 
       ids-option untrust-screen { 
           icmp { 
               ping-death; 
           } 
           ip { 
               source-route-option; 
               tear-drop; 
           } 
           tcp { 
               syn-flood { 
                   alarm-threshold 1024; 
                   attack-threshold 200; 
                   source-threshold 1024; 
                   destination-threshold 2048; 
                   timeout 20; 
               } 
               land; 
           } 
       } 
   } 
   policies { 
       from-zone trust to-zone untrust { 
           policy trust-to-untrust { 
               match { 
                   source-address any; 
                   destination-address any; 
                   application any; 
               } 
               then { 
                   permit; 
               } 
           } 
       } 
       from-zone trust to-zone vpn { 
           policy permit { 
               match { 
                   source-address any; 
                   destination-address any; 
                   application any; 
               } 
               then { 
                   permit; 
               } 
           } 
       } 
       from-zone vpn to-zone trust { 
           policy permit { 
               match { 
                   source-address any; 
                   destination-address any; 
                   application any; 
               } 
               then { 
                   permit; 
               } 
           } 
       } 
   } 
   zones { 
       security-zone trust { 
           host-inbound-traffic { 
               system-services { 
                   all; 
               } 
               protocols { 
                   all; 
               } 
           } 
           interfaces { 
               vlan.0; 
           } 
       } 
       security-zone untrust { 
           interfaces { 
               ge-0/0/0.0 { 
                   host-inbound-traffic { 
                       system-services { 
                           ssh; 
                           ping; 
                           traceroute; 
                           ike; 
                       } 
                   } 
               } 
           } 
       } 
       security-zone vpn { 
           host-inbound-traffic { 
               system-services { 
                   any-service; 
               } 
               protocols { 
                   ospf; 
               } 
           } 
           interfaces { 
               st0.0; 
           } 
       } 
   } 
} 
vlans { 
   vlan-trust { 
       vlan-id 3; 
       l3-interface vlan.0; 
   } 
}
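The proposal and policy in the stanza above pair aes-256-cbc with hmac-md5-96 for integrity and use group2 (1024-bit MODP) for PFS, both of which current IPsec guidance (RFC 8221 for ESP algorithms, RFC 8247 for IKE DH groups) rates MUST NOT or SHOULD NOT. As an added example, not from the post or from Juniper, here is a small Python audit that parses Junos brace-style configuration text and flags those legacy choices. The two sample stanzas are constructed to mirror the post (the "strong" one is a hypothetical substitution using the valid Junos keywords hmac-sha-256-128 and group14), and the keyword sets are my reduction of the RFC guidance to Junos names.

```python
"""Audit the algorithms in a Junos 'security ipsec' stanza.

Added example (not from the post or from Juniper): a minimal brace-config
parser plus a checker for legacy integrity, encryption and PFS choices.
"""

# Constructed sample: the proposal/policy shape from the post above.
SAMPLE_WEAK = """\
security {
    ipsec {
        proposal AES-MD5 {
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-256-cbc;
        }
        policy DOMAIN {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals AES-MD5;
        }
    }
}
"""

# Hypothetical hardened variant: same stanza with SHA-256 integrity and a
# 2048-bit DH group (both are valid Junos keywords).
SAMPLE_STRONG = (SAMPLE_WEAK
                 .replace("hmac-md5-96", "hmac-sha-256-128")
                 .replace("keys group2", "keys group14"))

# RFC 8221 / RFC 8247 guidance reduced to Junos keyword names (assumption:
# the set is deliberately small; extend it for your own policy).
BAD_AUTH = {"hmac-md5-96"}                 # RFC 8221: MUST NOT
BAD_ENC = {"des-cbc", "3des-cbc"}          # RFC 8221: MUST NOT / SHOULD NOT
BAD_PFS = {"group1", "group2", "group5"}   # RFC 8247: MUST NOT / SHOULD NOT


def parse_junos(text):
    """Turn brace-style Junos config into nested dicts.

    'foo bar {' opens a child keyed "foo bar"; 'key value;' stores value,
    and a bare 'flag;' stores True.  Enough for 'show configuration' text.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(child)
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) == 2 else True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def audit_ipsec(text):
    """Return (object, statement, value) for each weak setting found."""
    ipsec = parse_junos(text).get("security", {}).get("ipsec", {})
    findings = []
    for key, node in ipsec.items():
        kind, _, name = key.partition(" ")
        if kind == "proposal":
            auth = node.get("authentication-algorithm")
            enc = node.get("encryption-algorithm")
            if auth in BAD_AUTH:
                findings.append((name, "authentication-algorithm", auth))
            if enc in BAD_ENC:
                findings.append((name, "encryption-algorithm", enc))
        elif kind == "policy":
            pfs = node.get("perfect-forward-secrecy", {})
            group = pfs.get("keys") if isinstance(pfs, dict) else None
            if group is None:
                findings.append((name, "perfect-forward-secrecy", "not configured"))
            elif group in BAD_PFS:
                findings.append((name, "perfect-forward-secrecy keys", group))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(label, audit_ipsec(cfg) or "no findings")
```

Feed it the output of `show configuration security ipsec` on the box; a policy with no perfect-forward-secrecy block at all is reported too, since that silently reuses IKE phase-1 keying material for the child SA.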


SRX OSPF Single area

srx - youtube performance - slow buffering


hi,

I am using an SRX220H2 at home. The SRX is connected to the router (from the ISP) via a 1 Gig link. On the SRX I configured: VRFs, NAT toward the Internet, zones and sec for traffic. One host is connected via another 1 Gig link. On this host I noticed that YouTube performance is very bad. I have to wait (a few minutes) before a film starts (buffering is very slow). When my host is directly connected to the ISP router I don't have this issue. Do you know what the problem is?


root@srxA-00> show system processes extensive
last pid: 13427;  load averages:  0.11,  0.13,  0.10  up 9+23:53:14    22:41:19
130 processes: 15 running, 102 sleeping, 1 zombie, 12 waiting

Mem: 207M Active, 138M Inact, 1042M Wired, 160M Cache, 112M Buf, 425M Free
Swap:


  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1342 root        5  76    0   996M 63224K select 0 270.2H 98.44% flowd_octeon_hm
   22 root        1 171   52     0K    16K RUN    0 199.7H 81.93% idle: cpu0
   23 root        1 -20 -139     0K    16K WAIT   0 130:31  0.00% swi7: clock
 1325 root        1  76    0   114M 17360K select 0  83:39  0.00% chassisd
 1368 root        1  76    0 12452K  5832K select 0  46:20  0.00% license-check
 1330 root        1  76    0 28252K 10676K select 0  31:53  0.00% mib2d
    5 root        1 -16    0     0K    16K rtfifo 0  30:43  0.00% rtfifo_kern_recv
 1332 root        1  76    0 20300K  8640K select 0  29:12  0.00% l2ald
 1345 root        1  76    0 50332K 15468K select 0  23:22  0.00% jdhcpd
 1353 root        1  76    0 15988K  3684K select 0  21:48  0.00% shm-rtsdbd
 1346 root        1  76    0   118M 86120K select 0  18:11  0.00% authd
 1364 root        1  76    0 17392K  8008K select 0  15:14  0.00% utmd
   25 root        1 -40 -159     0K    16K WAIT   0  15:13  0.00% swi2: netisr 0
root@srxA-00> show chassis routing-engine
Routing Engine status:
    Temperature                 43 degrees C / 109 degrees F
    Total memory              2048 MB Max  1106 MB used ( 54 percent)
      Control plane memory    1088 MB Max   500 MB used ( 46 percent)
      Data plane memory        960 MB Max   614 MB used ( 64 percent)
    CPU utilization:
      User                       4 percent
      Background                 0 percent
      Kernel                     5 percent
      Interrupt                  0 percent
      Idle                      91 percent
    Model                          RE-SRX220H2-POE
    Serial ID                      ACKA2070
    Start time                     2016-04-14 22:48:35 UTC
    Uptime                         9 days, 23 hours, 53 minutes, 24 seconds
    Last reboot reason             0x200:normal shutdown
    Load averages:                 1 minute   5 minute  15 minute
                                       0.05       0.12       0.09
root@srxA-00> show system memory
System memory usage distribution:
       Total memory: 2097152 Kbytes (100%)
    Reserved memory: 1044220 Kbytes ( 49%)
       Wired memory: 1067140 Kbytes ( 50%)
      Active memory:  211716 Kbytes ( 10%)
    Inactive memory:  141504 Kbytes (  6%)
       Cache memory:  163388 Kbytes (  7%)
        Free memory:  435944 Kbytes ( 20%)
Memory disk resident memory:   44972 Kbytes
VM-Kbytes(  %  ) Resident(  %  ) Map-name
   625680(59.67)   138316(00.00) kernel


User in Internet activity statistics.


Our small and medium clients often ask about a small system to log "user in Internet" activity.
We tested a couple of solutions but none of them met the expectations.
What we need:
- of course syslog based;
- support for one device (SRX);
- per-user statistics (ideally based on the active-directory-access options from Junos);
- user in Internet activity with URL (most important!);
- of course it can be non-free :)

Please give us some advice about software that can do this.

SRX Cluster to Cisco switch stack config for resilience



Hello,

Wondering if you could help. We have a situation where we need to connect our SRX cluster to two Cisco switches (which may or may not be stacked - still awaiting more information from the supplier).

Just trying to get some ideas on how best to go about connecting them up to keep as much resilience as possible. I thought about creating a LAG port from each switch to some kind of LAG port for the reth of the firewall cluster?

I'm open to some ideas!

Many Thanks!
