Hi all,
I would like to know if the SRX240H2 can support an IDP license being installed, and if it is still possible to buy an IDP license for this platform.
Thanks,
Hi,
Wonder if someone can point me in the right direction with this. Despite much googling and experimenting with iPerf, I am not really getting anywhere with it.
What we have is dual WAN links with two IPSec tunnels per WAN link, so 4 tunnels in total.
In normal operation, video traffic uses the secondary WAN link IPSec tunnel and the branch traffic uses the primary WAN link. In the event of a WAN link failure, video and branch traffic will be using the same WAN link.
I really need a QoS/CoS policy which will restrict the video traffic IPSec tunnel to 10Mbps and the branch IPSec tunnel to 5Mbps. However, if the WAN links are operating normally, I would like the video traffic to use the full bandwidth of the secondary WAN link and similarly for the branch traffic to use the full available bandwidth of the primary link.
Is this possible using SRX320s?
Many Thanks in advance for advice.
Hi to all,
I have configured a remote access VPN with NCP client on a SRX345. It's working fine, from the remote client I can access the internal network through VPN access, but all the traffic is being encrypted ... Is there any way to make a tunnel divided?
I mean, Internet traffic goes directly from the client to anywhere and only traffic to internal networks is encrypted.
Thanks in advance!!
David.
Hi experts!
I have created a custom login class 'WEB1' to restrict the commands and the configuration changes that can be made by a particular user. The commands work exactly as expected when the user logs in using the CLI, but when we try to execute/configure the same commands on J-Web we get a permission denied error message.
Below is the login class I created for the user pavan :
====================================
set system login class WEB1 permissions configure
set system login class WEB1 permissions interface
set system login class WEB1 permissions interface-control
set system login class WEB1 permissions security
set system login class WEB1 permissions system
set system login class WEB1 allow-commands "(ping .*)|(traceroute .*)|(show .*)|(configure .*)|(exit)|(commit)|(rollback .*)|(request system .* .* .*)"
set system login class WEB1 allow-configuration "(system name-server .*) | (interfaces ge-0/0/0.0 .* .* .* .* .* .*) | (routing-options static route .* .* .* .*)"
set system login class WEB1 deny-configuration .*
I am basically allowing a bunch of show-commands and giving the user an explicit ability to modify the interface ge-0/0/0.0 , change the DNS server IP and set the default static route.
Except the reboot command all of these are successfully done on CLI but when we try to implement the same on GUI, it says permission denied.
Example :
I try to set the IP address of ge-0/0/0.0 on CLI using the command :
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29
it worked fine without a problem and I was able to commit. I tried implementing the same on J-Web, it says "permission denied."
The "request system reboot" gives me the below error when requested from CLI :
pavan@xx> request system reboot
Reboot the system ? [yes,no] (no) yes
mgd: unable to execute /sbin/shutdown: Permission denied
Please help.
Thanking you.
Regards,
Pavan Katakam
Hello all.
Trying to create a VPN using an external interface that has two inet addresses. I know about the local-address knob and I am using it. IKE is failing, but only on the side with dual IPs. On the side with only a single IP on the external interface the ike sa reports as up, but it never reports up on the side with the two addresses. Two more details: the two addresses on the external interface are out of different subnets, and this is a chassis cluster. However, the external interface is not a reth interface. This is a standard deployment where two fixed interfaces (one on each node) do BGP upstream and have reth interfaces on the inside zones only.
As I say, the single IP side shows the ike SA up and the initiator and responder cookies match on both sides.
The side with the two addresses, which doesn't ever show the ike SA up or down, has this log entry, for which I can find no info:
"IKE negotiation failed with error: Negotiation failed as negotiation completed on backup HA node."
At that exact instant in the traceoptions log there was this:
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ike_send_notify: Connected, SA = { c069074a bb502581 - fa965fa7 4043960d}, nego = -1
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ike_sa_delete: Start, SA = { c069074a bb502581 - fa965fa7 4043960d }
So it looks to me as though the IKE is completing on both sides, but due to this mysterious "negotiation completion" issue, it immediately drops on the side with the two IPs. But why? Anyone have a clue?
Let me know if/what more information would help. Want to keep it lean to start with.
One last thing, I have made the address I'm peering with both primary and preferred.
Much appreciated,
dj
Hello
I just wanted to update my new SRX4600 cluster.
When I run the command request system software in-service-upgrade /var/tmp/junos-srxhe-x86-64-18.4R1.8.tgz reboot
I get the following output:
node0:
Chassis ISSU Started
node1:
Chassis ISSU Started
ISSU: Validating Image
ISSU: Pre-check.
ISSU: Pre-check failure. Reason: Priority too low
node0:
JSRPD exited in-service-upgrade window
node1:
JSRPD exited in-service-upgrade window
node0:
Chassis ISSU Aborted
node1:
Chassis ISSU Aborted
ISSU: IDLE
[Feb 1 08:48:54]: ISSU aborted and exiting ISSU window.
So is the problem that in redundancy group 2 both nodes have priority 0 because the interface is still down?
Dear All,
I am trying to find a way to filter intra-area OSPF filtering in a hub and spoke topology.
The objective is to prevent spoke to spoke routing advertisement.
OSPF import/export policies are designed to filter type 5 LSAs - cannot be used in our case.
OSPF network-summary-export policies are designed to filter type 3 LSAs - cannot be used in our case.
Another alternative is to utilize the martian address table of the spoke devices.
Do you have any other suggestions?
Hi,
I have IPv4 addresses being assigned correctly on the VDSL2-A MPIM but I also need to allow the IPCP IPv6 allocated address to be assigned. Here is the IPv4 configuration that works fine:
set interfaces at-4/0/0 encapsulation atm-pvc
set interfaces at-4/0/0 atm-options vpi 0
set interfaces at-4/0/0 dsl-options operating-mode auto
set interfaces at-4/0/0 unit 0 encapsulation atm-ppp-vc-mux
set interfaces at-4/0/0 unit 0 vci 0.38
set interfaces at-4/0/0 unit 0 ppp-options chap default-chap-secret <Secret>
set interfaces at-4/0/0 unit 0 ppp-options chap local-name "me@me.co.uk"
set interfaces at-4/0/0 unit 0 ppp-options chap passive
set interfaces at-4/0/0 unit 0 ppp-options pap local-name "me@me"
set interfaces at-4/0/0 unit 0 ppp-options pap local-password <Password>
set interfaces at-4/0/0 unit 0 ppp-options pap passive
set interfaces at-4/0/0 unit 0 family inet negotiate-address
I need the IPv6 equivalent please?
Hello.
I'm playing with vSRX (with active service contract) and I am totally stuck with Junos: 18.4R1.8.
1. I exported my configuration file
2. I deployed a brand new VM
3. I put 16 GB RAM and 8 vCPU according to the vSRX Deployment Guide
4. I injected the configuration with an iso
The configuration is loaded, I can connect with the fxp0 interface but all ge-0/0/x interfaces are down
The VMware configuration is correct : The VMXNET 3 interfaces are connected
The show interfaces terse command reports no interface:
user@vSRX-SG-01> show interfaces terse
Interface Admin Link Proto Local Remote
dsc up up
em0 up up
em0.0 up up inet 128.0.0.1/2
em1 up up
em1.32768 up up inet 192.168.1.2/24
em2 up down
fti0 up up
fxp0 up up
fxp0.0 up up inet 192.168.x.x/22
gre up up
ipip up up
irb up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
10.0.0.16 --> 0/0
128.0.0.1 --> 0/0
128.0.0.4 --> 0/0
128.0.1.16 --> 0/0
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
ppd0 up up
ppe0 up up
st0 up up
tap up up
vlan up down
vtep up up
what should I do to recover my interfaces ?
Thanks
Gilles
Hi
I have recently installed a vDSL card into my 320 (1x VDSL2 mPIM (RoHS)) but I wish to use this for ADSL rather than VDSL. I believe that this card is switchable and indeed is in use as ADSL on other client routers.
However despite having configured said interface as;
set interfaces at-1/0/0 encapsulation atm-pvc
set interfaces at-1/0/0 atm-options vpi 0
set interfaces at-1/0/0 dsl-options operating-mode auto
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-vc-mux
set interfaces at-1/0/0 unit 0 vci 0.38
set interfaces at-1/0/0 unit 0 ppp-options chap default-chap-secret "xxxxxxxxx"
set interfaces at-1/0/0 unit 0 ppp-options chap local-name "xxxxxxxxxxx"
set interfaces at-1/0/0 unit 0 ppp-options chap passive
set interfaces at-1/0/0 unit 0 family inet negotiate-address
And have disabled pt-2/0/0 I cannot see this interface listed on my device. I have reloaded, however is there anything else I need do to switch between PT and AT?
Thanks!
Hi guys, thanks for your help and your time. I have a SG-300-10 (Cisco Crap) and I want to migrate to my SRX220H, but when I change the data line to the SRX220 I can ping the IP 10.10.2.25 in the VLAN 100 interface ge-6, but from the Cisco (crap) I can ping the IP 10.10.2.25
Cisco Configuration:
interface vlan 1
 ip address 10.0.1 255.255.255.0
 no ip address dhcp
!
interface vlan 5
 name SITE_A
 ip address 192.168.1.2 255.255.255.0
!
interface vlan 10
 name SITE_B
 ip address 172.16.31.55 255.255.255.0
!
interface vlan 100
 name REMOTE_NET_A
 ip address 10.10.2.26 255.255.255.252
!
interface gigabitethernet1
 switchport trunk native vlan 5
!
interface gigabitethernet2
 switchport trunk native vlan 5
!
interface gigabitethernet3
 switchport trunk native vlan 5
!
interface gigabitethernet4
 switchport trunk native vlan 10
!
interface gigabitethernet5
 switchport trunk native vlan 10
!
interface gigabitethernet6
 switchport trunk native vlan 10
!
interface gigabitethernet7
 switchport trunk native vlan 10
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 100
!
ip default-gateway 10.10.2.25
SRX220
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members SITE_A;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members SITE_A;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members SITE_B;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members SITE_B;
                }
            }
        }
    }
    ge-0/0/6 {
        speed 1g;
        link-mode full-duplex;
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members REMOTE_NET_A;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
    vlan {
        unit 5 {
            proxy-arp;
            family inet {
                address 192.168.1.2/24;
            }
        }
        unit 10 {
            proxy-arp;
            family inet {
                address 172.16.31.55/24;
            }
        }
        unit 100 {
            proxy-arp;
            family inet {
                address 10.10.2.26/24;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.15.0/24 next-hop 192.168.1.254;
    }
}
protocols {
    vstp {
        vlan 10;
        vlan 100;
        vlan 5;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    SITE_A {
        vlan-id 5;
        l3-interface vlan.5;
    }
    SITE_B {
        vlan-id 10;
        l3-interface vlan.10;
    }
    REMOTE_NET_A {
        vlan-id 100;
        l3-interface vlan.100;
    }
}
In my SRX the interface ge-6 is the interface 10 on the Cisco (crap).
I've recently spent way too much time trying to get an SRX650 to properly route packets between two networks without any success. Hopefully someone here can point me in the right direction.
The basic setup is as follows: I have an SRX650 that's connected via ethernet to an upstream router. Here, I'm using 198.51.100.0/24 instead of my real assigned network address. I've split off a /29 network (198.51.100.248/29) to be used for addressing between the SRX650 and the upstream routers. The uplink is connected to an SFP on ge-2/0/20 which is assigned 198.51.100.253/29. The default upstream router is at 198.51.100.254.
ge-2/0/0 is meant to be connected to clients on my network and is assigned 198.51.100.1/25. For testing purposes, I've also connected a device to ge-2/0/6 and assigned 10.0.0.1/16 to that port.
Packets are properly routed between clients on the 198.51.100.0/25 and 10.0.0.0/16 networks. However, nothing seems to work between 198.51.100.0/25 and 198.51.100.248/29. If I try to ping an external IP (e.g. 8.8.8.8) from the router CLI, everything works as expected and I can run
monitor traffic interface ge-2/0/20 no-resolve size 1500
to see the ICMP echo requests and replies leave and arrive on the interface. However, if I instead run
ping 8.8.8.8 source 198.51.100.1
nothing works anymore. The same applies when I try to send traffic to and from clients on that network (e.g. 198.51.100.10). Running the same monitor traffic command as above now shows ICMP echo requests leaving the interface, but none coming back. Initially, I suspected that the upstream router was dropping incoming or outgoing packets, but I checked with the administrator of the upstream router and he confirmed (and showed me) that it's indeed configured to route the entire 198.51.100.0/24 network to 198.51.100.253.
Another curious circumstance is that disabling ge-2/0/0 in the configuration or physically removing the network cable will cause the SRX to return "destination unreachable" for external ping requests to the 198.51.100.0/25. With the interface active, the same requests will just time out. My interpretation of this is that the upstream router is correctly routing packets to my SRX. None of those packets are displayed when using the monitor traffic command above, however.
I've also tried to set forwarding mode to packet based without any luck. One thing that does work is NAT-ing the 198.51.100.0/25 network, so that all traffic is address translated to 198.51.100.253, but that's not really what I want.
I'm pasting the router configuration below. Thanks in advance for any and all help!
version 12.3X48-D75.4;
system {
    host-name r1;
    time-zone UTC;
    root-authentication {
        encrypted-password ## REDACTED
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-2/0/0.0;
            }
            https {
                system-generated-certificate;
                interface ge-2/0/0.0;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            pool 198.51.100.0/25 {
                address-range low 198.51.100.10 high 198.51.100.126;
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                router {
                    198.51.100.1;
                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server ntp.se;
    }
}
security {
    screen {
        ids-option untrust-screen {
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone clients to-zone Internet {
            policy All_clients_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone clients to-zone clients {
            policy client_to_client {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone clients {
            policy internet_to_clients {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone clients {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-2/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                        }
                    }
                }
                ge-2/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-2/0/20.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-2/0/0 {
        unit 0 {
            family inet {
                address 198.51.100.1/25;
            }
        }
    }
    ge-2/0/6 {
        unit 0 {
            family inet {
                address 10.0.0.1/16;
            }
        }
    }
    ge-2/0/20 {
        unit 0 {
            family inet {
                address 198.51.100.253/29;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 198.51.100.254;
    }
}
Morning guys,
I am trying to initiate RDP session on a server that is behind the SRX. However, I don't see any logs associated with the RDP session when I issue the command "show log messages".
Is there any other command which would give the logs for RDP? I see a bunch of options when I hit a '?' after show log ? .
Please let me know.
Thanking you.
Regards,
Pavan Katakam
Attempting to use SRX100s as spokes for two locations. The tunnel temporarily establishes then bounces. Also I would like to be able to define ike gateway as a ddns address, however when I used fqdn no traffic is generated. Any assistance with making the tunnel stable would be appreciated. And if anyone can offer insight on how to establish the tunnel using the FQDN would be appreciated as well.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm md5
set security ike proposal ike-prop encryption-algorithm 3des-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-policy mode aggressive
set security ike policy ike-policy proposals ike-prop
set security ike policy ike-policy pre-shared-key ascii-text
set security ike gateway ike-gw ike-policy ike-policy
set security ike gateway ike-gw dynamic hostname 1709.ddns.net
set security ike gateway ike-gw nat-keepalive 15
set security ike gateway ike-gw external-interface fe-0/0/0.0
config that generates traffic:
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm md5
set security ike proposal ike-prop encryption-algorithm 3des-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-policy mode main
set security ike policy ike-policy proposals ike-prop
set security ike policy ike-policy pre-shared-key ascii-text
set security ike gateway ike-gw ike-policy ike-policy
set security ike gateway ike-gw address 148.X.X.X
set security ike gateway ike-gw nat-keepalive 15
set security ike gateway ike-gw external-interface fe-0/0/0.0
set security ike gateway ike-gw general-ikeid
set security ike gateway ike-gw version v1-only
set security ipsec proposal TEST-P2-PROPOSAL protocol esp
set security ipsec proposal TEST-P2-PROPOSAL authentication-algorithm hmac-md5-96
set security ipsec proposal TEST-P2-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec policy TEST-P2-POLICY proposals TEST-P2-PROPOSAL
set security ipsec vpn TEST-VPN bind-interface st0.1
set security ipsec vpn TEST-VPN vpn-monitor
set security ipsec vpn TEST-VPN ike gateway ike-gw
set security ipsec vpn TEST-VPN ike ipsec-policy TEST-P2-POLICY
set security ipsec vpn TEST-VPN establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust address-book address local-net 192.168.2.192/26
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces lo0.0
set security zones security-zone trust interfaces st0.1
set security zones security-zone untrust address-book address 1709LAN 192.168.2.64/26
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ntp
set security zones security-zone untrust host-inbound-traffic system-services dns
set security zones security-zone untrust interfaces fe-0/0/0.0
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of SKEYID hash[16] = 0x11a77418 75165d15 9f8cad5d 9b19a66d
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of SKEYID_d hash[16] = 0xaa8d6f23 03a84dc4 92f5606f 21d70988
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of SKEYID_a hash[16] = 0x12aa6ccd 95063c68 3364943b 752bbef7
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output SKEYID_e hash[16] = 0x416fa34e e7cd08f1 8917ad0d a09ff458
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Final encryption key[24] = 0x41715d89 06e9a617 bb204d9b 64e2d69c 1e7ea
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_calc_mac: Start, initiator = true, local = true
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:500 (Initiator) <-> 148.X.X.X:500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of HASH_I hash[16] = 0x3343f698 50cb3a81 89358324 777b8f5f
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_st_o_status_n: Start
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_st_o_private: Start
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_policy_reply_private_payload_out: Start
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_st_o_encrypt: Marking encryption for packet
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_state_step: All done, new state = MM final I (7)
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_encode_packet: Start, SA = { 0x93031b76 852f6e4a - 4a2edbe5 775ab4b5 } / 00000000, nego = -1
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_encode_packet: Encrypting packet
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_encode_packet: Final length = 92
[Feb 5 03:55:51][192.168.2.254 <-> 148.X.X.X] ike_send_packet: Start, send SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5}, nego = -1, dst = 148.X.X.X:4500, routing table id = 0
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_sa_find: Found SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 }
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_get_sa: Start, SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 } / 00000000, remote = 148.X.X.X:4500
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_sa_find: Found SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 }
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Packet to old negotiation
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_decode_packet: Start
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_decode_packet: Start, SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5} / 00000000, nego = -1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_decode_packet: Decrypting packet
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Warning, junk after packet len = 40, decoded = 32
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Version = 1.0, Input packet fields = 0024 ID HASH
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_state_step: Current state = MM final I (7)/-1, exchange = 2, auth_method = pre shared key, Initiator
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_encrypt: Check that packet was encrypted succeeded
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_id: Start
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_hash: Start, hash[0..16] = 6c81c9c8 bb1eb6c8 ...
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_calc_mac: Start, initiator = true, local = false
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Output of HASH_R hash[16] = 0x6c81c9c8 bb1eb6c8 d099295f b35e1b61
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_cert: Start
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_i_private: Start
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; dec->enc iv[8] = 0xcdb41e6f f3349c49
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_o_wait_done: Marking for waiting for done
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_st_o_all_done: MESSAGE: Phase 1 { 0x93031b76 852f6e4a - 0x4a2edbe5 775ab4b5 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Initiator, cipher = 3d
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, ciphe
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_state_step: All done, new state = MM done I (9)
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ikev2_fallback_negotiation_free: Fallback negotiation dfb800 has still 1 references
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_send_notify: Connected, SA = { 93031b76 852f6e4a - 4a2edbe5 775ab4b5}, nego = -1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] 192.168.2.254:4500 (Initiator) <-> 148.X.X.X:4500 { 93031b76 852f6e4a - 4a2edbe5 775ab4b5 [-1] / 0x00000000 } IP; Connected
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ike_process_packet: No output packet, returning
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] iked_pm_ike_sa_done: local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] kmd_pm_ike_id_in_range: NOT in the range
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] iked_pm_id_validate id NOT matched.
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] P1 SA 2031101 stop timer. timer duration 30, reason 1.
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] P1 SA 2031101 start timer. timer duration 0, reason 3.
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] iked_pm_ipsec_spi_allocate: local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Added (spi=0x3c7327a8, protocol=0) entry to the spi table
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Parsing notification payload for local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] iked_pm_ipsec_spi_allocate: local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Added (spi=0xa31c7206, protocol=0) entry to the spi table
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Parsing notification payload for local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] Parsing notification payload for local:192.168.2.254, remote:148.X.X.X IKEv1
[Feb 5 03:55:52][192.168.2.254 <-> 148.X.X.X] ikev2_fallback_negotiation_free: Fallback negotiation dfb800 has still 1 references
on the cisco side
R91704Cisco_1921#show crypto session
Crypto session current status
Interface: Virtual-Access2
Profile: VTILABTEST
Session status: UP-ACTIVE
Peer: 69.X.X.X port 4500
Session ID: 0
IKEv1 SA: local 192.168.2.126/4500 remote 69.X.X.X/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Interface: Virtual-Access1
Profile: VTILABTEST
Session status: UP-ACTIVE
Peer: 74.X.X.X port 4500
Session ID: 0
IKEv1 SA: local 192.168.2.126/4500 remote 74.X.X.X/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
*Feb 4 19:50:59.759: ISAKMP-PAK: (1487):received packet from 74.X.X.X dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 4 19:50:59.759: ISAKMP: (1487):set new node 9136541 to QM_IDLE
*Feb 4 19:50:59.763: ISAKMP: (1487):processing HASH payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):processing SA payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):Checking IPSec proposal 1
*Feb 4 19:50:59.763: ISAKMP: (1487):transform 0, ESP_3DES
*Feb 4 19:50:59.763: ISAKMP: (1487): attributes in transform:
*Feb 4 19:50:59.763: ISAKMP: (1487): authenticator is HMAC-MD5
*Feb 4 19:50:59.763: ISAKMP: (1487): SA life type in seconds
*Feb 4 19:50:59.763: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Feb 4 19:50:59.763: ISAKMP: (1487): encaps is 3 (Tunnel-UDP)
*Feb 4 19:50:59.763: ISAKMP: (1487):atts are acceptable.
*Feb 4 19:50:59.763: ISAKMP: (1487):processing NONCE payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):processing ID payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):processing ID payload. message ID = 9136541
*Feb 4 19:50:59.763: ISAKMP: (1487):QM Responder gets spi
*Feb 4 19:50:59.763: ISAKMP: (1487):Node 9136541, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 4 19:50:59.763: ISAKMP: (1487):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Feb 4 19:50:59.763: ISAKMP: (1487):Node 9136541, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Feb 4 19:50:59.763: ISAKMP: (1487):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Feb 4 19:50:59.771: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Feb 4 19:50:59.771: ISAKMP: (1487):Received IPSec Install callback... proceeding with the negotiation
*Feb 4 19:50:59.771: ISAKMP: (1487):Successfully installed IPSEC SA (SPI:0x5A613300) on Virtual-Access1
*Feb 4 19:50:59.779: ISAKMP-PAK: (1487):sending packet to 74.X.X.X my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 4 19:50:59.779: ISAKMP: (1487):Sending an IKE IPv4 Packet.
*Feb 4 19:50:59.779: ISAKMP: (1487):Node 9136541, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Feb 4 19:50:59.779: ISAKMP: (1487):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Feb 4 19:50:59.879: ISAKMP-PAK: (1487):received packet from 74.X.X.X dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 4 19:50:59.879: ISAKMP: (1487):deleting node 9136541 error FALSE reason "QM done (await)"
*Feb 4 19:50:59.879: ISAKMP: (1487):Node 9136541, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 4 19:50:59.879: ISAKMP: (1487):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
R91704Cisco_1921#
*Feb 4 19:50:59.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R91704Cisco_1921#
*Feb 4 19:51:02.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#.
*Feb 4 19:51:14.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#.
*Feb 4 19:51:17.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:29.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:32.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:39.719: ISAKMP: (1487):purging node -1754824165
R91704Cisco_1921#
*Feb 4 19:51:44.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:47.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:51:49.879: ISAKMP: (1487):purging node 9136541
R91704Cisco_1921#
*Feb 4 19:51:59.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:02.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:14.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:17.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:29.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:32.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:44.879: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:47.651: ISAKMP: (0):Sending an IKE IPv4 Packet.
R91704Cisco_1921#
*Feb 4 19:52:49.851: ISAKMP-PAK: (1487):received packet from 74.X.X.X dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 4 19:52:49.851: ISAKMP: (1487):set new node 609811635 to QM_IDLE
*Feb 4 19:52:49.851: ISAKMP: (1487):processing HASH payload. message ID = 609811635
*Feb 4 19:52:49.851: ISAKMP: (1487):processing DELETE payload. message ID = 609811635
*Feb 4 19:52:49.851: ISAKMP: (1487):peer does not do paranoid keepalives.
*Feb 4 19:52:49.851: ISAKMP: (1487):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x5E7F1F22)
*Feb 4 19:52:49.851: ISAKMP: (1487):deleting node 609811635 error FALSE reason "Informational (in) state 1"
*Feb 4 19:52:49.851: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
R91704Cisco_1921#.
*Feb 4 19:52:49.851: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
I am working with an SRX300 running Junos 18.4R1 and the J-Web UI is unusable. I can access the login page and navigate to certain configuration pages, for instance Configure->Security Services->Security Policies->Rules, and the page comes up; however, any time I expand a rule set it just spins waiting for a response. Eventually it gets there, but it's quite a pain. What really makes this unusable is the reporting. Most of the time I cannot get any of the reporting pages to load, and if they do, most of the blocks in them do not completely render. Is this a known issue with Junos 18.4R1? Should I move down to 18.3?
Hi All,
I configured Dyn VPN and I can connect to my local resources but cannot access the resources on the remote VPN site.
I have two VPN sites: site A (172.16.4.0/24) and site B (10.36.4.0/24), both connected using route based policy. Clients (getting IPs from the 192.168.239.0/24 pool) can connect to site A using Dyn VPN; however, they cannot access VPN site B. I added both sites as protected resources for both site A and site B in the dynamic VPN configuration. I have only two security zones in my Juniper box (internal and internet).
In the flow logs I can see these, but it looks like I need to create a policy from Internet to Internet?
Feb 5 03:46:35 03:46:35.403799:CID-0:RT:Doing DESTINATION addr route-lookup
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: routed (x_dst_ip 10.36.4.40) from Internet (ge-0/0/0.0 in 0) to st0.7, Next-hop: 10.36.4.40
Feb 5 03:46:35 03:46:35.403799:CID-0:RT:flow_first_policy_search: policy search from zone Internet-> zone Internet (0x0,0xd3240016,0x16)
Feb 5 03:46:35 03:46:35.403799:CID-0:RT:Policy lkup: vsys 0 zone(7:Internet) -> zone(7:Internet) scope:0
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: 192.168.239.3/54052 -> 10.36.4.40/22 proto 6
Feb 5 03:46:35 03:46:35.403799:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: 192.168.239.3/54052 -> 10.36.4.40/22 proto 6
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: app 22, timeout 1800s, curr ageout 20s
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: packet dropped, denied by policy
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: packet dropped, policy deny.
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: flow find session returns error.
Feb 5 03:46:35 03:46:35.403799:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x50a4ee38 associated with mbuf 0x43568480
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
Feb 5 03:46:37 03:46:37.204307:CID-0:RT:jsf sess close notify
Feb 5 03:46:37 03:46:37.204307:CID-0:RT:flow_ipv4_del_flow: sess 388946, in hash 32
I would like to know what I am missing.
Thanks
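An added example (not part of the original post, and not Juniper code): a small parser over the flow-trace lines quoted above that extracts, for each dropped first packet, the ingress/egress interfaces, the zone pair used for the policy lookup, the 5-tuple and the denying policy. The regular expressions and the function name are assumptions fitted to the lines shown in this post.

```python
import re

# Sample input: lines copied from the flow trace in the post above.
TRACE = """\
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: routed (x_dst_ip 10.36.4.40) from Internet (ge-0/0/0.0 in 0) to st0.7, Next-hop: 10.36.4.40
Feb 5 03:46:35 03:46:35.403799:CID-0:RT:flow_first_policy_search: policy search from zone Internet-> zone Internet (0x0,0xd3240016,0x16)
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: 192.168.239.3/54052 -> 10.36.4.40/22 proto 6
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: packet dropped, denied by policy
Feb 5 03:46:35 03:46:35.403799:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
"""

# Patterns are assumptions derived from the trace format shown on this page.
ROUTED = re.compile(r"routed \(x_dst_ip (\S+)\) from (\S+) \((\S+) in \d+\) to (\S+),")
SEARCH = re.compile(r"policy search from zone (\S+?)\s*->\s*zone (\S+)")
TUPLE = re.compile(r"RT:\s+([\d.]+)/(\d+) -> ([\d.]+)/(\d+) proto (\d+)")
DENY = re.compile(r"denied by policy (\S+?)\(\d+\)")


def summarize_denies(trace):
    """Return one dict per packet that a named policy denied."""
    results, cur = [], {}
    for line in trace.splitlines():
        if m := ROUTED.search(line):
            # A route lookup marks the start of a new first-path evaluation.
            cur = {"in_if": m.group(3), "out_if": m.group(4)}
        elif m := SEARCH.search(line):
            cur["from_zone"], cur["to_zone"] = m.group(1), m.group(2)
        elif m := TUPLE.search(line):
            cur.update(src=m.group(1), sport=int(m.group(2)),
                       dst=m.group(3), dport=int(m.group(4)),
                       proto=int(m.group(5)))
        elif m := DENY.search(line):
            cur["policy"] = m.group(1)
            # Same ingress and egress zone means an intra-zone policy is consulted.
            cur["intra_zone"] = cur.get("from_zone") == cur.get("to_zone")
            results.append(cur)
            cur = {}
    return results


if __name__ == "__main__":
    for d in summarize_denies(TRACE):
        print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} "
              f"{d['in_if']} ({d['from_zone']}) -> {d['out_if']} ({d['to_zone']}) "
              f"denied by {d['policy']}, intra-zone={d['intra_zone']}")
```

On the sample, the packet enters on ge-0/0/0.0 and leaves on st0.7, both looked up as zone Internet, and is dropped by default-policy-00.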
Hi,
I have been working on a config for a 4G service on an SRX320 for a few days now, but I have come across one main thing that has me stumped and a few other things that I am scratching my head over.
The first is that the IP address assigned to the 4G service (xxx.xxx.29.191/32) is allocated by the SP (which is me) and is a normal everyday /32 public IP address. The IP address gets assigned, and the service works, but when I look in the SRX's routing table, it sees the netmask as a /25, not a /32 as assigned. So I'm not sure what's going on here...
The default route is also interesting. I configured it as 0.0.0.0/0 nexthop dl0.0, and in the routing table its nexthop IP address for the default route is xxx.xxx.29.192, which isn't right to me, but the funny thing is the service works fine: traffic comes in and traffic goes out normally.
The main problem I have is that I need to run BGP across the 4G service to the SP, but I cannot get a session established, and, more worryingly, I cannot telnet on port 179 to the SP equipment from the SRX; it just times out. I'm reasonably sure that the filters are set up correctly to allow BGP to establish. From my debug, it states that a socket to the host couldn't be opened, which I'll admit sounds just like a filtering issue, but I've been over and over it, allowing BGP and even all traffic types, and the issue remains. A telnet in the reverse direction (from the SP back into the SRX) connects fine.
I know the SP side of things is fine as I configured and used a Cisco to achieve the desired result without an issue.
This feels like a bug, but...
Any help would be greatly appreciated.
Luke
Hello, somebody help me please with this problem. Average CPU load has doubled. The cause of the first peak on the graph (in the attached file) was enabling security traceoptions with packet-mode logging; after traceoptions and logging were disabled, CPU load went back to normal. The second peak was caused by nothing; there were no configuration changes. Rebooting the device didn't help.
top -H
last pid: 3123; load averages: 0.65, 0.64, 0.64 up 0+15:52:20 12:51:30
79 processes: 5 running, 72 sleeping, 2 zombie
CPU states: 78.3% user, 0.0% nice, 13.5% system, 0.3% interrupt, 7.9% idle
Mem: 192M Active, 122M Inact, 1162M Wired, 216M Cache, 112M Buf, 281M Free
Swap:
PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1656 root 139 0 1124M 88076K CPU1 1 55.1H 93.95% flowd_octeon_hm
1656 root 139 0 1124M 88076K CPU2 2 55.1H 90.19% flowd_octeon_hm
1656 root 139 0 1124M 88076K CPU3 3 55.1H 90.19% flowd_octeon_hm
1656 root 123 0 1124M 88076K RUN 0 55.1H 51.86% flowd_octeon_hm
1656 root 76 0 1124M 88076K select 0 55.1H 0.00% flowd_octeon_hm
1656 root 76 0 1124M 88076K ucondt 0 55.1H 0.00% flowd_octeon_hm
1656 root 76 0 1124M 88076K select 0 55.1H 0.00% flowd_octeon_hm
1652 root 76 0 18500K 9028K select 0 23:24 0.00% ppmd
1644 root 4 0 60200K 30316K kqread 0 7:58 0.00% rpd
1643 root 76 0 33428K 12196K select 0 7:43 0.00% mib2d
1642 root 76 0 23888K 14672K select 0 4:05 0.00% snmpd
1686 root 76 0 14464K 6140K select 0 3:42 0.00% license-check
1645 root 76 0 22644K 9584K select 0 1:45 0.00% l2ald
1637 root 76 0 128M 19524K select 0 1:30 0.00% chassisd
1669 root 76 0 17792K 4072K select 0 1:22 0.00% shm-rtsdbd
1680 root 76 0 19684K 8292K select 0 1:15 0.00% utmd
1648 root 76 0 30112K 10460K select 0 1:07 0.00% pfed
1649 root 76 0 15888K 7308K select 0 1:06 0.00% rmopd
1688 root 4 0 25920K 13648K kqread 0 0:53 0.00% eswd
1685 root 4 0 11756K 5516K kqread 0 0:49 0.00% mcsnoopd
1651 root 76 0 32812K 15552K select 0 0:46 0.00% kmd
1638 root 76 0 14400K 5464K select 0 0:35 0.00% alarmd
1683 root 8 0 29848K 4640K nanslp 0 0:34 0.00% wmic
1634 root 76 0 3348K 1392K select 0 0:33 0.00% bslockd
1677 root 76 0 78828K 5580K select 0 0:30 0.00% ipfd
1677 root 8 0 78828K 5580K nanslp 0 0:30 0.00% ipfd
1677 root 8 0 78828K 5580K nanslp 0 0:30 0.00% ipfd
1677 root 8 0 78828K 5580K nanslp 0 0:30 0.00% ipfd
1677 root 8 0 78828K 5580K nanslp 0 0:30 0.00% ipfd
1679 root 76 0 15524K 6580K select 0 0:27 0.00% rtlogd
1667 root 76 0 27064K 10000K select 0 0:19 0.00% smid
1654 root 76 0 9196K 3692K select 0 0:14 0.00% irsd
1698 nobody 4 0 10612K 1488K kqread 0 0:13 0.00% webapid
1636 root 76 0 39768K 9000K select 0 0:12 0.00% dcd
1274 root 76 0 15084K 4736K select 0 0:12 0.00% eventd
1672 root 76 0 16928K 6468K select 0 0:10 0.00% pkid
1671 root 76 0 28788K 13248K select 0 0:07 0.00% nsd
1640 root 76 0 7704K 5596K select 0 0:07 0.00% ntpd
From syslog:
PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=87
PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=99
Hi, all,
The SRX is to provide static NAT services for a multi-homed SCTP endpoint in the trusted zone. Will the SRX translate the IP header address AND the IP address embedded in the SCTP header's INIT block?
I could not find a definitive answer anywhere in the documentation.
Thanks,
Hello all,
Would anyone be able to clarify something for me?
When using virtual channels with 2 un-shaped channels, so that they share the bandwidth equally, how do you set the bandwidth of the logical interface?
The reason for the query is that the upstream WAN bandwidth is 20Mbps, but the interface is connected to an ISP "modem" at 1Gbps. Is it as simple as saying "set interfaces ge-0/0/0 unit 0 bandwidth 20m" ?
I'm guessing it might not be, as that just sets the interface speed in the MIB-II "ifspeed" object; however, I am hoping that it is just as simple as that.
Many thanks in advance
Martin