Channel: SRX Services Gateway topics

SRX Sip ALG


I currently have the SIP ALG disabled on my SRX. I was thinking about enabling it to allow the SIP automatic pinholes to work with Microsoft UM. I have read some past posts about the SIP ALG not really working well. I am wondering what the current state is like. I haven't found much information that is current.

I am running two clusters in two different locations.  One version is 12.3X48-D75 and the other is 15.1X49-D90.  Any recommendations would be appreciated.


SRX1500 - only passing traffic to/from some destinations


I have recently installed a pair of SRX1500 firewalls in a cluster. Running Junos 15.1X49-D150.2.

I've discovered that the firewalls seem to be responsible for dropping TCP traffic to/from certain destinations on the Internet. At first I thought this was due to some kind of asymmetrical routing issue, but I think I've mostly ruled that out. Traffic between the firewall and the Internet always happens on the same reth interface, so asymmetric routing shouldn't be an issue AFAIK.

ICMP works, so I think it's only TCP traffic that's affected. For example, a client on the inside can ping www.somedomain.com, but browsing (TCP 80/443) to the same domain just times out. Some other websites work, but seem a bit slow.

Both firewalls are connected to an upstream switch. I have several other servers and firewalls directly connected to the same switch, and all work flawlessly when communicating upstream with my routers. This points to a problem or misconfiguration in the SRX1500 cluster.

I've run flow traceoptions, but there's a lot of info to read and I haven't found anything that looks suspicious.

I've attached a diagram: [attachment: Untitled Diagram.png]

Relevant config looks like this:

version 15.1X49-D150.2;
chassis {
    cluster {
        control-link-recovery;
        reth-count 5;
        redundancy-group 0 {
            node 0 priority 254;
            node 1 priority 1;
        }
        /* to-ex4200 */
        redundancy-group 1 {
            node 0 priority 254;
            node 1 priority 1;
            interface-monitor {
                xe-0/0/16 weight 255;
                xe-7/0/16 weight 255;
            }
        }
        /* to-ex9200 */
        redundancy-group 5 {
            node 0 priority 254;
            node 1 priority 1;
            interface-monitor {
                ge-0/0/12 weight 255;
                ge-7/0/12 weight 255;
            }
        }
    }
}
security {
    address-book {
        global {
            address dc-hosts-v4nat-dbs 10.33.15.0/24;
        }
    }
    alg {
        dns disable;
    }
    nat {
        source {
            pool src-nat-pool {
                address {
                    X.X.X.4/32 to X.X.X.30/32;
                }
                address-pooling paired;
            }
            rule-set vl-dbs-to-internet {
                from zone vl-dbs;
                to zone internet;
                rule vl-dbs-nat {
                    match {
                        source-address-name dc-hosts-v4nat-dbs;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                src-nat-pool;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone vl-dbs to-zone internet {
            policy permit-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone internet {
            interfaces {
                reth4.62 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
        security-zone vl-dbs {
            interfaces {
                reth0.515 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/12 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    xe-0/0/16 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-7/0/12 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    xe-7/0/16 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                xe-0/0/18;
                xe-0/0/19;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                xe-7/0/18;
                xe-7/0/19;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.22.240/32;
            }
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 515 {
            vlan-id 515;
            family inet {
                address 10.33.15.1/24;
            }
        }
    }
    reth4 {
        description internet;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 5;
        }
        unit 62 {
            description "Main Source NAT Pool";
            vlan-id 62;
            family inet {
                address X.X.X.4/27;
                address X.X.X.5/27;
                address X.X.X.6/27;
                address X.X.X.7/27;
                address X.X.X.8/27;
                address X.X.X.9/27;
                address X.X.X.10/27;
                address X.X.X.11/27;
                address X.X.X.12/27;
                address X.X.X.13/27;
                address X.X.X.14/27;
                address X.X.X.15/27;
                address X.X.X.16/27;
                address X.X.X.17/27;
                address X.X.X.18/27;
                address X.X.X.19/27;
                address X.X.X.20/27;
                address X.X.X.21/27;
                address X.X.X.22/27;
                address X.X.X.23/27;
                address X.X.X.24/27;
                address X.X.X.25/27;
                address X.X.X.26/27;
                address X.X.X.27/27;
                address X.X.X.28/27;
                address X.X.X.29/27;
                address X.X.X.30/27;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop X.X.X.1;
    }
    router-id 192.168.22.240;
}

Any ideas? :)

Limiting J-Web access


Hi guys,

I would like to limit J-Web access to only two interfaces, ge-0/0/1.0 and ge-0/0/6.0.

Below is the zone-wise mapping of interfaces:

0/0  UNTRUST-INT (UNTRUST)
0/1  (TRUST)
0/2  (TRUST)
0/3  (TRUST)
0/4  (Library)
0/5  (TMS)
0/6  (TRUST)

Below is the set config for the web-management:

set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management https interface ge-0/0/6.0
set system services web-management https interface all

It looks like the SRX is allowing J-Web access on all the interfaces in trust. Can anyone shed some light on how to limit J-Web access to a particular interface and not to a particular zone?

Thanking you.

Regards,

Pavan 

Need Docs for building new IPsec Tunnel between SRX and Fortinet Firewall using route-based policy


site-to-site VPN configuration


I am trying to VPN connect between an SRX240 and a Cisco Meraki MX60. The MX60 configuration is straightforward: I have AES-128 encryption, an authentication of SHA1, and Diffie-Hellman group 2 for phase 1. Phase 2 is PFS group 2, authentication SHA1 and encryption AES-128.

On my SRX I have the same encryption and authentication. I even have it set for IKE version 1, as Meraki version 2 is not supported.

On the SRX, when I do a show security ike security-association it shows as down. Looking at the logs I get no responder key. I see it does try to communicate but times out.

Any suggestions?

BGP Fail-over on IPSEC tunnels


Hello,

I have this query; I was hoping I can get some guidance.

Now, there are 2 S2S VPN tunnels going to 2 different sites, and they're running BGP. The BGP neighbors are the IPs configured on the st0 interfaces in question. So, they're established.

Is there any way to accomplish traffic fail-over to the other tunnel when the first BGP peer goes down, or vice versa?

I've looked for different options, but I haven't found anything that could accomplish this task.

I've searched https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227; however, there's primary and backup, but we're talking about 2 active tunnels.

Could this be accomplished with features such as ip-monitoring or BFD? At least that's what I had in mind.

Regards & thanks,

SRX1500 15.1X49-D160 Pulled?


Was SRX1500 D160 recently pulled from download? It's still up for other platforms.

[attachments: 1500.png, 340.png]

How to log NAT traffic or see NAT "failed" reason?


I'm trying to set up network address translation on my Juniper to redirect all incoming traffic to a proxy server on the LAN. I think I have it set up properly, but I'm obviously missing something. On the monitoring screen, I see the following:

Name        Action      Sessions (Succ/Failed/Current)
ProxyRule   ProxyPool   (0/675/0)

Obviously something is wrong. So how do I view information about those failures?

I tried setting up some logging using the following command, but when I view the "traffic-log" file in the viewer I don't see anything related to NAT:

set system syslog file traffic-log any any

And this is my policy:

        from-zone Internet to-zone Internal {
            policy AllowProxy {
                match {
                    source-address any;
                    destination-address any;
                    application Proxy;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }

Any tips?
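As an added example (not from the post), here is a Python check over RT_FLOW_SESSION_CREATE messages, which the `log { session-init; }` action in the policy above produces for each new session once security logs are delivered to syslog (with `set security log mode event`, they reach the file created by `set system syslog file traffic-log any any`). The script assumes the default unstructured message layout `src/port->dst/port service nat-src/port->nat-dst/port src-nat-rule dst-nat-rule proto policy from-zone to-zone session-id ...`, in which a NAT rule field reads `None` when no rule of that kind matched; the sample lines, the rule name `ProxyRule`, the zones and the addresses are constructed for this example.

```python
"""Check from RT_FLOW_SESSION_CREATE syslog lines whether a destination NAT rule was applied
(added example; the sample log lines are constructed, not taken from the post)."""
import re

# Assumed field order of the unstructured RT_FLOW_SESSION_CREATE message:
#   src/sport->dst/dport service nat-src/nat-sport->nat-dst/nat-dport
#   src-nat-rule dst-nat-rule proto policy from-zone to-zone session-id user(roles) in-if
# A NAT rule field reads "None" when no rule of that kind matched the session.
CREATE_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[^\s/]+)/(?P<sport>\d+)->(?P<dst>[^\s/]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"(?P<nat_src>[^\s/]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[^\s/]+)/(?P<nat_dport>\d+) "
    r"(?P<src_nat_rule>\S+) (?P<dst_nat_rule>\S+) (?P<proto>\d+) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+) (?P<session_id>\d+)"
)

# Constructed sample: one session that hit the hypothetical rule ProxyRule, one that hit the
# policy but no NAT rule, and one deny line the parser must ignore.
SAMPLE_LOG = """\
Mar  3 10:01:02 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 198.51.100.20/51234->203.0.113.5/8080 Proxy 198.51.100.20/51234->10.0.0.10/8080 None ProxyRule 6 AllowProxy Internet Internal 4001 N/A(N/A) ge-0/0/0.0
Mar  3 10:01:05 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 198.51.100.21/51300->203.0.113.5/8080 Proxy 198.51.100.21/51300->203.0.113.5/8080 None None 6 AllowProxy Internet Internal 4002 N/A(N/A) ge-0/0/0.0
Mar  3 10:01:09 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.22/40000->203.0.113.5/22 junos-ssh 6(0) default-deny Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 No
"""


def parse_sessions(log_text):
    """One dict per SESSION_CREATE line; deny and unrelated lines are skipped."""
    sessions = []
    for line in log_text.splitlines():
        m = CREATE_RE.search(line)
        if not m:
            continue
        s = m.groupdict()
        s["dst_nat_applied"] = s["dst_nat_rule"] != "None"
        # Flag separately whether the destination tuple actually changed, so a rule that
        # matched but translated to the same address stands out on review.
        s["dst_rewritten"] = (s["dst"], s["dport"]) != (s["nat_dst"], s["nat_dport"])
        sessions.append(s)
    return sessions


def untranslated_sessions(sessions, policy):
    """Sessions permitted by `policy` that no destination NAT rule touched."""
    return [s for s in sessions if s["policy"] == policy and not s["dst_nat_applied"]]


def summarize(sessions, policy):
    """Per-policy counts: how many sessions hit it and how many of those were translated."""
    hits = [s for s in sessions if s["policy"] == policy]
    translated = sum(1 for s in hits if s["dst_nat_applied"])
    return {"policy": policy, "sessions": len(hits),
            "translated": translated, "untranslated": len(hits) - translated}
```

Reading the result: if the file carries no RT_FLOW lines at all, the policy's log action is not reaching syslog, which is a separate problem from the NAT rule; if it carries sessions whose `dst_nat_rule` is `None`, the traffic matched the policy but not the NAT rule, and the rule's match conditions (destination address, port, from-zone or interface) are the place to compare against the logged packet.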


IPV6 DHCP Relay not working properly


I'm trying to set up an SRX240 (12.1X44-D15.5) as an internal firewall, and want to use the IPv6 DHCP relay to relay requests/responses to our DHCPv6 server.

I have the IPv6 routing working just fine, and I believe that the firewall rules and services are OK, yet the RESPONSES are not being passed back to the client. In other words, I see the client XID request leave the client. On the server, I see the request come in and a response leave (this is using tcpdump). However, the response never makes it back to the client. Thus, I think that the SRX240 is not properly relaying the traffic.

The DHCP relay config looks like this:

dhcpv6 {
    group all-interfaces {
        interface reth0.3;
        interface reth0.21;
        interface reth0.22;
    }
    server-group {
        dhcpv6-server {
            2001:0428:aa02:0412::50;
        }
    }
    active-server-group dhcpv6-server;
}
server-group {
    dhcpv4-server {
        192.245.12.221;
    }
}
active-server-group dhcpv4-server;
group all-interfaces {
    interface reth0.3;
    interface reth0.21;
    interface reth0.22;
}

(reth0.3 is the "Lab" zone, which is what we are concerned with)

The services aspect of the zone looks like this:

system-services {
    all;
}
protocols {
    all;
}

And the rules are:

policy DHCP-request {
    match {
        source-address [ any-ipv4 any-ipv6 ];
        destination-address [ Lovey.Opus1.COM Lovey.Opus1.COM-IPv6 ];
        application [ junos-dhcp-server junos-dhcp-client junos-dhcp-relay DHCPv6-client-server ];
    }
    then {
        permit;
    }
}

So what am I missing? Is this supposed to work in this version?

Download policer won't work


Hi!

I have an SRX240 cluster and want to limit the download speed to one of my servers.

Here's how I wanted to do this:

#Policer 50Mbit/s
set firewall policer policer-50mbit if-exceeding bandwidth-limit 50m
set firewall policer policer-50mbit if-exceeding burst-size-limit 128k
set firewall policer policer-50mbit then discard

#Filter
set firewall family inet filter download-limit term wsus-server from source-address 192.168.0.1/32
set firewall family inet filter download-limit term wsus-server then policer policer-50mbit
set firewall family inet filter download-limit term wsus-server then accept

#Configuring policer on the interface the server 192.168.0.1 is connected to
set interfaces reth5.10 family inet filter input download-limit

When this configuration is active, the whole 192.168.0.0/24 subnet is limited to 50Mbit/s. Why's that?

The WAN interface is reth0.1, configured with interface NAT.

Kind regards

Andy

Working example of AppQoE

Good evening, everyone.

I’ve been reviewing the new documentation on AppQoE, which appears to be supported on the SRX340-345 when running 15.1X49D150.

The guide I’ve been following is located here: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-appqoe.html#jd0e342

However, the example provided doesn’t appear to be complete. The IPs provided in the diagram don’t match up with what’s provided in the example. I’ve done what I can to extrapolate from the information provided, but I can’t seem to get this functional in a lab.

Has anyone deployed AppQoE successfully in the lab or in production yet? If so, I’d greatly appreciate any assistance you could offer. I’m on mobile right now, but will upload my lab config later today.

Thank you.

Working example of AppQoE/APBR


Good evening, everyone.

I’ve been reviewing the new documentation on AppQoE, which appears to be supported on the SRX340-345 when running 15.1X49D150.

The guide I’ve been following is located here: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-appqoe.html#jd0e342

However, the example provided doesn’t appear to be complete. The IPs provided in the diagram don’t match up with what’s provided in the example. I’ve done what I can to extrapolate from the information provided, but I can’t seem to get this functional in a lab.

Has anyone deployed AppQoE successfully in the lab or in production yet? If so, I’d greatly appreciate any assistance you could offer.

Edit: I've now uploaded my current configs for both book-ended SRX in my lab.

The problem I'm seeing is that I can't ping between 10.10.10.10 and 10.10.20.10 (interfaces on both SRX) without the following statement:

set routing-options static route 10.10.XX.0/24 next-table SDWAN.inet.0

With it in place, I can ping between them. With it removed, I cannot. From my understanding of APBR, this traffic should match my rule in the trust security zone and should be sent to the SDWAN route table automatically. So really, I'm trying to get APBR functional before moving on to the AppQoE portion of my test.

Thank you.

WAN Link primary and Internet VPN as a Backup


Hi

I have two links between two branches (WAN and Internet), and the target is to have the WAN link primary and the VPN over the Internet link as a backup.

I configured the route preference so that the route over the WAN link is preferred over the route over the VPN st0.

And configured RPM to prefer the st0 route if the WAN link goes down.

But I can see the routes always prefer the st0, although it's not the preferred route...

Any ideas...

Thanks

Update an existing system user login method (SRX650)


I have a system user with super-user access, currently set to log in with a password.

# set system login user testuser authentication encrypted-password "****************************"

I would like to update the existing statement in the configuration to make the same user authenticate using SSH keys instead of a password. Please advise how to update the configuration.

Upgrading an outdated SRX210HE2


My company is upgrading an old SRX210HE2 firewall to the newer SRX320 model. My understanding is that the code is not quite the same on the newer device. Is there a config translator that I can use to translate the config from the SRX210 to the SRX320 version? Forgive me if this is silly; I'm fairly new to Juniper and still learning.

Thanks!!


Connection Drop


Hi, I could not find a solution to my problem yet. I've two sites connected over a site-to-site VPN, with SRX240 devices on both ends. The local site consists of 1 device and the data centre consists of 2 clustered SRX devices. Every day, I am losing the connection to the remote site for 2-10 minutes; during this period I cannot ping the remote site or access it. At the beginning, I was thinking it was because of the VPN configuration. I've posted the config here and people said it was correct, and we've removed the vpn-monitor options from the config. But this still persists and is very annoying. I am attaching the messages log from the time of disconnection. Is there a way of debugging this problem?

I am not very experienced with SRX and the remote site FW device config is very complicated. Does anybody have any advice about this?

> show log messages | match down

Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.3 index 160 <Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.3 index 160 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:10 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.3
Feb 21 14:08:10 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.3"
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.1 index 120 <Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.1 index 120 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.3 index 160 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.3 index 160 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.1"
Feb 21 14:08:10 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 541, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.1
Feb 21 14:08:10 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.3"
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.5 index 161 <Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.5 index 161 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.2 index 158 <Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.2 index 158 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:10 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.5"
Feb 21 14:08:10 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 702, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.5
Feb 21 14:08:10 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 575, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.2
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT <UpDown> st0.1 index 120 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT UpDown st0.1 index 120 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.2"
Feb 21 14:08:11 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.1"
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT <UpDown> st0.5 index 161 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT UpDown st0.5 index 161 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.5"
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT <UpDown> st0.2 index 158 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT UpDown st0.2 index 158 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.2"
Feb 21 14:08:12 srx240-02a rpd[1408]: EVENT <UpDown> st0.0 index 118 <Broadcast PointToPoint Multicast>
Feb 21 14:08:12 srx240-02a rpd[1408]: EVENT UpDown st0.0 index 118 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:12 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.0"
Feb 21 14:08:12 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 677, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.0
Feb 21 14:08:13 srx240-02a rpd[1408]: EVENT <UpDown> st0.0 index 118 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:13 srx240-02a rpd[1408]: EVENT UpDown st0.0 index 118 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:13 srx240-02a srx240-02a IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.0"
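As an added example (not part of this post), here is a Python triage script for the log excerpt above: it pairs each st0.x down with the following up, reports how long each tunnel interface stayed down, and groups flaps whose downs start within a few seconds of each other. It reads only the rpd `EVENT <UpDown>` lines; the `EVENT UpDown` lines without angle brackets repeat the same transition and are skipped. The log lines embedded in the script are copied from the post; the 5-second grouping window is an assumption chosen for the example.

```python
"""Pair st0.x down/up transitions in a Junos 'show log messages' excerpt and group the
flaps that start together (added example; the log lines below are copied from the post)."""
import re
from datetime import datetime

# rpd logs each IFL state change twice, as 'EVENT <UpDown> ...' and as 'EVENT UpDown ...'.
# Matching only the angle-bracket form counts every transition exactly once.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ rpd\[\d+\]: "
    r"EVENT <UpDown> (?P<ifl>\S+) index \d+ <(?P<flags>[^>]*)>"
)

SAMPLE_LOG = """\
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.3 index 160 <Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.3 index 160 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:10 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.3
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.1 index 120 <Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.1 index 120 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.3 index 160 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.3 index 160 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 541, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.1
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.5 index 161 <Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.5 index 161 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT <UpDown> st0.2 index 158 <Broadcast PointToPoint Multicast>
Feb 21 14:08:10 srx240-02a rpd[1408]: EVENT UpDown st0.2 index 158 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:10 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 702, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.5
Feb 21 14:08:10 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 575, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.2
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT <UpDown> st0.1 index 120 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT UpDown st0.1 index 120 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT <UpDown> st0.5 index 161 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT UpDown st0.5 index 161 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT <UpDown> st0.2 index 158 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:11 srx240-02a rpd[1408]: EVENT UpDown st0.2 index 158 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:12 srx240-02a rpd[1408]: EVENT <UpDown> st0.0 index 118 <Broadcast PointToPoint Multicast>
Feb 21 14:08:12 srx240-02a rpd[1408]: EVENT UpDown st0.0 index 118 <Broadcast PointToPoint Multicast Localup>
Feb 21 14:08:12 srx240-02a mib2d[1430]: SNMP_TRAP_LINK_DOWN: ifIndex 677, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.0
Feb 21 14:08:13 srx240-02a rpd[1408]: EVENT <UpDown> st0.0 index 118 <Up Broadcast PointToPoint Multicast>
Feb 21 14:08:13 srx240-02a rpd[1408]: EVENT UpDown st0.0 index 118 <Up Broadcast PointToPoint Multicast>
"""


def parse_events(log_text, year=1900):
    """Return (timestamp, ifl, 'up'|'down') tuples in log order; syslog carries no year,
    so the caller may pass one (only differences between timestamps are used below)."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        # The flag list inside <...> contains 'Up' only while the IFL is operationally up.
        state = "up" if "Up" in m.group("flags").split() else "down"
        events.append((ts, m.group("ifl"), state))
    return events


def flap_episodes(events):
    """Pair each 'down' with the next 'up' of the same IFL; unpaired downs stay open."""
    pending, episodes = {}, []
    for ts, ifl, state in events:
        if state == "down":
            pending.setdefault(ifl, ts)  # keep the first down if it is repeated
        elif ifl in pending:
            down = pending.pop(ifl)
            episodes.append({"ifl": ifl, "down": down, "up": ts,
                             "seconds": (ts - down).total_seconds()})
    for ifl, down in pending.items():
        episodes.append({"ifl": ifl, "down": down, "up": None, "seconds": None})
    episodes.sort(key=lambda e: (e["down"], e["ifl"]))
    return episodes


def correlated_groups(episodes, window_seconds=5):
    """Group episodes whose 'down' time lies within window_seconds of the group's first one.
    Several st0 IFLs dropping inside one window points at a shared cause (the underlying
    uplink, the cluster, or the peer side) rather than at one tunnel's IKE/IPsec state."""
    groups = []
    for ep in episodes:
        if groups and (ep["down"] - groups[-1][0]["down"]).total_seconds() <= window_seconds:
            groups[-1].append(ep)
        else:
            groups.append([ep])
    return groups
```

Run over the excerpt, `correlated_groups(flap_episodes(parse_events(SAMPLE_LOG)))` yields a single group: all five st0 IFLs go down within two seconds and each is back within a second, which is the pattern to line up against the uplink, cluster and peer-side logs for the same timestamps before changing VPN settings.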

reject in "show route"


Hi Guys,

I see 'reject' when I issue the 'show route' command for a particular subnet.

pav@XX> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.xx.xx/32 *[Local/0] 1w3d 02:50:10
Reject

Could you please let me know what Reject means?

 

Thanking you.

Regards,

Pavan Katakam

SRX550 IPSec Replay errors

SRX550 Chassis Cluster established an IPsec VPN with a Hillstone SG-6000-E3960.

When the IPsec SA has just been initialized, the traffic flows; then, after a couple of minutes or seconds, ping and other traffic stop flowing.

On the SRX, the replay errors counter increments very rapidly when I 'show security ipsec statistics'. All the ESP packets received from the Hillstone are marked as replay errors.
Using Wireshark to view the pcap file from the external interface, the ESP sequence numbers look fine.
When I clear the current IPsec SA and a new SA is built, traffic flow recovers for a short time; after that, the replay error happens again......

In all of the above situations, phase 1 and 2 SAs are up.

Now I have to set no-anti-replay in the IPsec settings on the SRX550.

SRX550 version: 12.3X48-D75.4 (recommended by JTAC now)
Hillstone version: SG6000-M-3-5.0R4P7-v6 (maybe obsolete?)

On the SRX550, several other VPNs connected to some branches are working fine, and the Hillstone SG6000 is also like this.

What is the possible reason for replay errors on the SRX and how can I debug it?

Any help would be appreciated.

Source/Reverse NAT between RI not working


We have two sides of an environment where we statically NAT ranges of private to public IPs and/or vice versa. On one side of this, we leverage a vSRX (on 15.1X49-D110.4), in which this traffic only lives in the global routing instance.

On the backup link, we have IPsec terminating into an RI (MNO) on an SRX240 (on 12.3X48-D65.1), which then passes traffic into the global RI.

With either path, if I generate traffic from the public to the private, NAT functions as expected. I see an appropriate session and translation created within either SRX and away we go.

If I generate traffic from the private to public, I see the vSRX create a reverse NAT as expected; however, the SRX does not.

We route between these RIs on the SRX240 via lt interfaces, and the (truncated) NAT policy is as follows:

set security nat static rule-set MNO_NAT from zone INSIDE

set security nat static rule-set MNO_NAT rule 3_TEST2 match destination-address x.x.79.249/32
set security nat static rule-set MNO_NAT rule 3_TEST2 then static-nat prefix 10.59.15.254/32
set security nat static rule-set MNO_NAT rule 3_TEST2 then static-nat prefix routing-instance MNO

The rule set on the vSRX is identical save the RI statement.

My assumption is that it's a configuration issue; however, we did seem to have this working properly when we leveraged rib-groups instead of lt interfaces. The how and why we changed is another conversation for another day. And I'm near the point of reverting back to using rib-groups.

While trying to troubleshoot this, I'd created a source NAT rule as per this link to no avail; I'd seen the same behavior.

Taking some traces, I see the following for the failed translation:

10:59:28.978800:CID-0:RT: <10.59.15.254/1->x.x.50.173/24285;1> matched filter TO_LIBRE:
10:59:28.978800:CID-0:RT: packet [84] ipid = 0, @0x43d532d0
10:59:28.978800:CID-0:RT: ---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x43d53080, rtbl_idx = 4
10:59:28.978800:CID-0:RT: flow process pak, mbuf 0x43d53080, ifl 71, ctxt_type 1 inq type 6
10:59:28.978800:CID-0:RT: in_ifp <MNO:st0.0>
10:59:28.978800:CID-0:RT: flow_process_pkt_exception: setting rtt in lpak to 0x64226648
10:59:28.978800:CID-0:RT: host inq check inq_type 0x6
10:59:28.978800:CID-0:RT: tifp st0.0
10:59:28.978800:CID-0:RT: pkt out of tunnel.Proceed normally
10:59:28.978800:CID-0:RT: st0.0:10.59.15.254->x.x.50.173, icmp, (8/0)
10:59:28.978800:CID-0:RT: find flow: table 0x526d79e0, hash 63187(0xffff), sa 10.59.15.254, da x.x.50.173, sp 1, dp 24285, proto 1, tok 16393
10:59:28.979003:CID-0:RT: no session found, start first path. in_tunnel - 0x56a76708, from_cp_flag - 0
10:59:28.979045:CID-0:RT: Not a traffic-selector enabled tunnel. returing EOK
10:59:28.979045:CID-0:RT: search gate for MNO:10.59.15.254/1->x.x.50.173/24285,1
10:59:28.979045:CID-0:RT: gate_search_specific_bucket: no gate found
10:59:28.979121:CID-0:RT: search gate for MNO:10.59.15.254/1->x.x.50.173/24285,1
10:59:28.979121:CID-0:RT: gate_search_specific_bucket: no gate found
10:59:28.979121:CID-0:RT: search widecast gate for MNO:10.59.15.254/1->x.x.50.173/24285,1
10:59:28.979121:CID-0:RT: gate_search_widecast_bucket: no gate found
10:59:28.979121:CID-0:RT: flow_first_create_session
10:59:28.979121:CID-0:RT: First path alloc and instl pending session, natp=0x5b695c78, id=187634
10:59:28.979121:CID-0:RT: flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr x.x.50.173, sp 1, dp 24285
10:59:28.979121:CID-0:RT: chose interface st0.0 as incoming nat if.
10:59:28.979121:CID-0:RT: flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to x.x.50.173(24285)
10:59:28.979121:CID-0:RT: flow_first_routing: vr_id 4, call flow_route_lookup(): src_ip 10.59.15.254, x_dst_ip x.x.50.173, in ifp st0.0, out ifp N/A sp 1, dp 24285, ip_proto 1, tos 68
10:59:28.979121:CID-0:RT: Doing DESTINATION addr route-lookup
10:59:28.979121:CID-0:RT: flow_ipv4_rt_lkup success x.x.50.173, iifl 0x47, oifl 0x4e
10:59:28.979356:CID-0:RT: routed (x_dst_ip x.x.50.173) from MNO (st0.0 in 0) to lt-0/0/0.345, Next-hop: x.x.50.52
10:59:28.979356:CID-0:RT: flow_first_policy_search: policy search from zone MNO-> zone MNO (0x0,0x15edd,0x5edd)
10:59:28.979400:CID-0:RT: Policy lkup: vsys 0 zone(9:MNO) -> zone(9:MNO) scope:0
10:59:28.979400:CID-0:RT: 10.59.15.254/2048 -> x.x.50.173/5478 proto 1
10:59:28.979400:CID-0:RT: app 0, timeout 60s, curr ageout 60s
10:59:28.979400:CID-0:RT: permitted by policy ALLOW_ALL_MNO(10)
10:59:28.979400:CID-0:RT: packet passed, Permitted by policy.
10:59:28.979400:CID-0:RT: flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
10:59:28.979400:CID-0:RT: flow_first_src_xlate: incoming src port is : 1.
10:59:28.979400:CID-0:RT: flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
10:59:28.979400:CID-0:RT: dip id = 0/0, 10.59.15.254/1->10.59.15.254/1 protocol 0
10:59:28.979400:CID-0:RT: choose interface lt-0/0/0.345(P2P) as outgoing phy if
10:59:28.979400:CID-0:RT: is_loop_pak: No loop: on ifp: lt-0/0/0.345, addr: x.x.50.173, rtt_idx:4
10:59:28.979614:CID-0:RT: -jsf : Alloc sess plugin info for session 704374824178
10:59:28.979614:CID-0:RT: [JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0
10:59:28.979702:CID-0:RT: +++++++++++jsf_test_plugin_data_evh: 3
10:59:28.979702:CID-0:RT: [JSF]Plugins(0x0, count 0) enabled for session = 704374824178, impli mask(0x0), post_nat cnt 0 svc req(0x0)
10:59:28.979755:CID-0:RT: -jsf : no plugin interested for session 704374824178, free sess plugin info
10:59:28.979755:CID-0:RT: flow_first_service_lookup(): natp(0x5b695c78): app_id, 0(0).
10:59:28.979755:CID-0:RT: service lookup identified service 0.
10:59:28.979755:CID-0:RT: flow_first_final_check: in <st0.0>, out <lt-0/0/0.345>
10:59:28.979755:CID-0:RT: In flow_first_complete_session
10:59:28.979755:CID-0:RT: flow_first_complete_session, pak_ptr: 0x52028c50, nsp: 0x5b695c78, in_tunnel: 0x56a76708
10:59:28.979755:CID-0:RT: construct v4 vector for nsp2
10:59:28.979755:CID-0:RT: existing vector list 0x204-0x4b521b50.
10:59:28.979755:CID-0:RT: Session (id:187634) created for first pak 204
10:59:28.979755:CID-0:RT: first pak processing successful
10:59:28.979755:CID-0:RT: flow_first_install_session======> 0x5b695c78
10:59:28.979755:CID-0:RT: nsp 0x5b695c78, nsp2 0x5b695d08
10:59:28.979755:CID-0:RT: make_nsp_ready_no_resolve()
10:59:28.979755:CID-0:RT: flow_ipv4_rt_lkup success 10.59.15.254, iifl 0x47, oifl 0x47
10:59:28.979755:CID-0:RT: route lookup: dest-ip 10.59.15.254 orig ifp st0.0 output_ifp st0.0 orig-zone 9 out-zone 9 vsd 0
10:59:28.979755:CID-0:RT: route to 10.59.15.254
10:59:28.979755:CID-0:RT: no need update ha
10:59:28.979755:CID-0:RT: Installing s2c NP session wing
10:59:28.980062:CID-0:RT: first path session installation succeeded
10:59:28.980062:CID-0:RT: flow got session.
10:59:28.980062:CID-0:RT: flow session id 187634
10:59:28.980062:CID-0:RT: vector bits 0x204 vector 0x4b521b50
10:59:28.980106:CID-0:RT: skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
10:59:28.980106:CID-0:RT: encap vector
10:59:28.980106:CID-0:RT: no more encapping needed
10:59:28.980106:CID-0:RT: mbuf 0x43d53080, exit nh 0x120010
10:59:28.980106:CID-0:RT: flow_process_pkt_exception: Freeing lpak 0x52028c50 associated with mbuf 0x43d53080
10:59:28.980106:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

And the good side from the vSRX:

13:49:59.572864:CID-0:THREAD_ID-01:RT: <10.255.49.73/1->x.x.49.170/31499;1,0x0> matched filter TO_LIBRE:
13:49:59.572868:CID-0:THREAD_ID-01:RT: packet [84] ipid = 0, @0x19e25ed2
13:49:59.572875:CID-0:THREAD_ID-01:RT: ---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x68e9d400, rtbl_idx = 0
13:49:59.572876:CID-0:THREAD_ID-01:RT: flow process pak fast ifl 76 in_ifp ge-0/0/0.345
13:49:59.572877:CID-0:THREAD_ID-01:RT: ge-0/0/0.345:10.255.49.73->x.x.49.170, icmp, (8/0)
13:49:59.572879:CID-0:THREAD_ID-01:RT: find flow: table 0x28812f40, hash 29145(0xffff), sa 10.255.49.73, da x.x.49.170, sp 1, dp 31499, proto 1, tok 9, conn-tag 0x00000000
13:49:59.572884:CID-0:THREAD_ID-01:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
13:49:59.572885:CID-0:THREAD_ID-01:RT: search gate for MNO-MVNO:10.255.49.73/1->x.x.49.170/31499,1
13:49:59.572887:CID-0:THREAD_ID-01:RT: gate_search_specific_bucket: no gate found
13:49:59.572888:CID-0:THREAD_ID-01:RT: search gate for MNO-MVNO:10.255.49.73/1->x.x.49.170/31499,1
13:49:59.572889:CID-0:THREAD_ID-01:RT: gate_search_specific_bucket: no gate found
13:49:59.572889:CID-0:THREAD_ID-01:RT: search widecast gate for MNO-MVNO:10.255.49.73/1->x.x.49.170/31499,1
13:49:59.572890:CID-0:THREAD_ID-01:RT: gate_search_widecast_bucket: no gate found
13:49:59.572891:CID-0:THREAD_ID-01:RT: flow_first_create_session
13:49:59.572894:CID-0:THREAD_ID-01:RT: Save init hash spu id 0 to nsp and nsp2!
13:49:59.572895:CID-0:THREAD_ID-01:RT: First path alloc and instl pending session, natp=0x2f7262c0, id=133393
13:49:59.572896:CID-0:THREAD_ID-01:RT: flow_first_in_dst_nat: in <ge-0/0/0.345>, out <N/A> dst_adr x.x.49.170, sp 1, dp 31499
13:49:59.572898:CID-0:THREAD_ID-01:RT: chose interface ge-0/0/0.345 as incoming nat if.
13:49:59.572900:CID-0:THREAD_ID-01:RT: flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to x.x.49.170(31499)
13:49:59.572901:CID-0:THREAD_ID-01:RT: [JSF] Do ingress interest check. regd ingress plugins(1)
13:49:59.572903:CID-0:THREAD_ID-01:RT: [JSF][0]plugins(0x0) enabled for session = 261993138449 implicit mask(0x0), service request(0x0)
13:49:59.572904:CID-0:THREAD_ID-01:RT: -jsf : no plugin ingress interested for session 261993138449
13:49:59.572905:CID-0:THREAD_ID-01:RT: flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.255.49.73, x_dst_ip x.x.49.170, in ifp ge-0/0/0.345, out ifp N/A sp 1, dp 31499, ip_proto 1, tos 38
13:49:59.572907:CID-0:THREAD_ID-01:RT: Doing DESTINATION addr route-lookup
13:49:59.572910:CID-0:THREAD_ID-01:RT: flow_ipv4_rt_lkup success x.x.49.170, iifl 0x4c, oifl 0x48
13:49:59.572911:CID-0:THREAD_ID-01:RT: routed (x_dst_ip x.x.49.170) from MNO-MVNO (ge-0/0/0.345 in 0) to ge-0/0/0.0, Next-hop: 185.18.51.250
13:49:59.572916:CID-0:THREAD_ID-01:RT: flow_first_policy_search: policy search from zone MNO-MVNO-> zone untrust (0x0,0x17b0b,0x7b0b)
13:49:59.572919:CID-0:THREAD_ID-01:RT: Policy lkup: vsys 0 zone(9:MNO-MVNO) -> zone(7:untrust) scope:0
13:49:59.572922:CID-0:THREAD_ID-01:RT: 10.255.49.73/2048 -> x.x.49.170/44421 proto 1
13:49:59.572926:CID-0:THREAD_ID-01:RT: app 0, timeout 60s, curr ageout 60s
13:49:59.572927:CID-0:THREAD_ID-01:RT: permitted by policy permit-all(6)
13:49:59.572930:CID-0:THREAD_ID-01:RT: packet passed, Permitted by policy.
13:49:59.572932:CID-0:THREAD_ID-01:RT: reverse mip xlate 10.255.49.73/1 -> x.x.161.73/1 (on ge-0/0/0.0)
13:49:59.572933:CID-0:THREAD_ID-01:RT: flow_first_src_xlate: nat_src_xlated: True, nat_src_xlate_failed: False
13:49:59.572936:CID-0:THREAD_ID-01:RT: flow_first_src_xlate: hip xlate: 10.255.49.73->x.x.161.73 at ge-0/0/0.0 (vs. ge-0/0/0.0)
13:49:59.572937:CID-0:THREAD_ID-01:RT: dip id = 0/0, 10.255.49.73/1->x.x.161.73/1 protocol 0
13:49:59.572939:CID-0:THREAD_ID-01:RT: choose interface ge-0/0/0.0(P2P) as outgoing phy if
13:49:59.572942:CID-0:THREAD_ID-01:RT: is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: x.x.49.170, rtt_idx:0
13:49:59.572945:CID-0:THREAD_ID-01:RT: [JSF]Normal interest check. regd plugins 35, enabled impl mask 0x0
13:49:59.572947:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
13:49:59.572951:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
13:49:59.572953:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
13:49:59.572954:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
13:49:59.572955:CID-0:THREAD_ID-01:RT: +++++++++++jsf_test_plugin_data_evh: 3
13:49:59.572958:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
13:49:59.572958:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
13:49:59.572961:CID-0:THREAD_ID-01:RT: [JSF]Plugins(0x0, count 0) enabled for session = 261993138449, impli mask(0x0), post_nat cnt 0 svc req(0x0)
13:49:59.572963:CID-0:THREAD_ID-01:RT: -jsf : no plugin interested for session 261993138449, free sess plugin info
13:49:59.572964:CID-0:THREAD_ID-01:RT: flow_first_service_lookup(): natp(0x2f7262c0): app_id, 0(0).
13:49:59.572965:CID-0:THREAD_ID-01:RT: service lookup identified service 0.
13:49:59.572965:CID-0:THREAD_ID-01:RT: flow_first_final_check: in <ge-0/0/0.345>, out <ge-0/0/0.0>
13:49:59.572967:CID-0:THREAD_ID-01:RT: flow_first_final_check: flow_set_xlate_vector.
13:49:59.572968:CID-0:THREAD_ID-01:RT: In flow_first_complete_session
13:49:59.572968:CID-0:THREAD_ID-01:RT: flow_first_complete_session: pak_ptr is xlated packet
13:49:59.572969:CID-0:THREAD_ID-01:RT: flow_first_complete_session, pak_ptr: 0x5cdfcd50, nsp: 0x2f7262c0, in_tunnel: 0x0
13:49:59.572970:CID-0:THREAD_ID-01:RT: construct v4 vector for nsp2 and nsp
13:49:59.572971:CID-0:THREAD_ID-01:RT: existing vector list 0x1200-0x759e2190.
13:49:59.572971:CID-0:THREAD_ID-01:RT: existing vector list 0x1200-0x759e2190.
13:49:59.572972:CID-0:THREAD_ID-01:RT: Session (id:133393) created for first pak 1200
13:49:59.572972:CID-0:THREAD_ID-01:RT: first pak processing successful
13:49:59.572973:CID-0:THREAD_ID-01:RT: flow_first_install_session======> 0x2f7262c0
13:49:59.572973:CID-0:THREAD_ID-01:RT: nsp 0x2f7262c0, nsp2 0x2f726380
13:49:59.572974:CID-0:THREAD_ID-01:RT: make_nsp_ready_no_resolve()
13:49:59.572978:CID-0:THREAD_ID-01:RT: flow_ipv4_rt_lkup success 10.255.49.73, iifl 0x4c, oifl 0x4c
13:49:59.572980:CID-0:THREAD_ID-01:RT: route lookup: dest-ip 10.255.49.73 orig ifp ge-0/0/0.345 output_ifp ge-0/0/0.345 orig-zone 9 out-zone 9 vsd 0
13:49:59.572981:CID-0:THREAD_ID-01:RT: route to 10.249.1.1
13:49:59.572983:CID-0:THREAD_ID-01:RT: no need update ha
13:49:59.572983:CID-0:THREAD_ID-01:RT: Installing c2s NP session wing
13:49:59.572984:CID-0:THREAD_ID-01:RT: Installing s2c NP session wing
13:49:59.572985:CID-0:THREAD_ID-01:RT: first path session installation succeeded
13:49:59.572986:CID-0:THREAD_ID-01:RT: flow got session.
13:49:59.572986:CID-0:THREAD_ID-01:RT: flow session id 133393
13:49:59.572987:CID-0:THREAD_ID-01:RT: vector bits 0x1200 vector 0x759e2190
13:49:59.572988:CID-0:THREAD_ID-01:RT: flow_xlate_pak
13:49:59.572989:CID-0:THREAD_ID-01:RT: flow_handle_icmp_xlate
13:49:59.572989:CID-0:THREAD_ID-01:RT: xlate_icmp_pak
13:49:59.572994:CID-0:THREAD_ID-01:RT: post addr xlation: x.x.161.73->x.x.49.170.
13:49:59.572995:CID-0:THREAD_ID-01:RT: post addr xlation: x.x.161.73->x.x.49.170.
13:49:59.572996:CID-0:THREAD_ID-01:RT: skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
13:49:59.572999:CID-0:THREAD_ID-01:RT: mbuf 0x68e9d400, exit nh 0xd0010
13:49:59.572999:CID-0:THREAD_ID-01:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

So I'm at a loss as to why this is occurring.  I've attached a sanitized config that's relevant for this setup.

I'm certainly open to suggestions.  I do have a JTAC case open, but it's not going to be followed up on until Monday.
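As an added example (not part of the original post, and not Juniper tooling), here is a small Python parser that reduces each first-path flow trace quoted above to the handful of decisions that determine whether static NAT was applied, and then diffs the failing SRX240 trace against the working vSRX one. The embedded sample lines are excerpts of the two traces in the post; the regular expressions are written against the message formats visible there and may need adjusting for other Junos releases.

```python
import re

# Junos SRX flow traceoptions line: timestamp, CID, optional THREAD_ID (present in
# the vSRX trace above, absent on the SRX240), then "RT:" and the message text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+):CID-(?P<cid>\d+):"
    r"(?:THREAD_ID-(?P<thread>\d+):)?RT:\s?(?P<msg>.*)$"
)

# First-path decisions worth comparing between a failing and a working trace.
# A pattern with a single group "v" yields a string; the others yield a dict.
PATTERNS = {
    "in_ifp": re.compile(r"flow_first_in_dst_nat: in <(?P<v>[^>]+)>"),
    "route": re.compile(
        r"routed \(x_dst_ip (?P<dst>\S+)\) from (?P<zone>\S+) \((?P<in>\S+) in \d+\) "
        r"to (?P<out>[^,]+), Next-hop: (?P<nh>\S+)"
    ),
    "zones": re.compile(r"policy search from zone (?P<from>\S+)-> zone (?P<to>\S+) "),
    "policy": re.compile(r"permitted by policy (?P<v>\S+)"),
    "src_xlated": re.compile(r"nat_src_xlated: (?P<v>True|False)"),
    "reverse_mip": re.compile(
        r"reverse mip xlate (?P<orig>[^\s/]+)/\d+ -> (?P<xlated>[^\s/]+)/\d+ \(on (?P<ifp>[^)]+)\)"
    ),
    "dip": re.compile(r"dip id = \S+ (?P<orig>[^\s/]+)/\d+->(?P<xlated>[^\s/]+)/\d+"),
    "session_id": re.compile(r"flow session id (?P<v>\d+)"),
}

# Excerpts of the two traces quoted in the post (SRX240 side fails to translate,
# vSRX side translates). Addresses are sanitized exactly as in the post.
FAILED_TRACE = """
10:59:28.978800:CID-0:RT: <10.59.15.254/1->x.x.50.173/24285;1> matched filter TO_LIBRE:
10:59:28.978800:CID-0:RT: in_ifp <MNO:st0.0>
10:59:28.979121:CID-0:RT: flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr x.x.50.173, sp 1, dp 24285
10:59:28.979356:CID-0:RT: routed (x_dst_ip x.x.50.173) from MNO (st0.0 in 0) to lt-0/0/0.345, Next-hop: x.x.50.52
10:59:28.979356:CID-0:RT: flow_first_policy_search: policy search from zone MNO-> zone MNO (0x0,0x15edd,0x5edd)
10:59:28.979400:CID-0:RT: permitted by policy ALLOW_ALL_MNO(10)
10:59:28.979400:CID-0:RT: flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
10:59:28.979400:CID-0:RT: dip id = 0/0, 10.59.15.254/1->10.59.15.254/1 protocol 0
10:59:28.980062:CID-0:RT: flow session id 187634
"""

GOOD_TRACE = """
13:49:59.572864:CID-0:THREAD_ID-01:RT: <10.255.49.73/1->x.x.49.170/31499;1,0x0> matched filter TO_LIBRE:
13:49:59.572896:CID-0:THREAD_ID-01:RT: flow_first_in_dst_nat: in <ge-0/0/0.345>, out <N/A> dst_adr x.x.49.170, sp 1, dp 31499
13:49:59.572911:CID-0:THREAD_ID-01:RT: routed (x_dst_ip x.x.49.170) from MNO-MVNO (ge-0/0/0.345 in 0) to ge-0/0/0.0, Next-hop: 185.18.51.250
13:49:59.572916:CID-0:THREAD_ID-01:RT: flow_first_policy_search: policy search from zone MNO-MVNO-> zone untrust (0x0,0x17b0b,0x7b0b)
13:49:59.572927:CID-0:THREAD_ID-01:RT: permitted by policy permit-all(6)
13:49:59.572932:CID-0:THREAD_ID-01:RT: reverse mip xlate 10.255.49.73/1 -> x.x.161.73/1 (on ge-0/0/0.0)
13:49:59.572933:CID-0:THREAD_ID-01:RT: flow_first_src_xlate: nat_src_xlated: True, nat_src_xlate_failed: False
13:49:59.572937:CID-0:THREAD_ID-01:RT: dip id = 0/0, 10.255.49.73/1->x.x.161.73/1 protocol 0
13:49:59.572986:CID-0:THREAD_ID-01:RT: flow session id 133393
"""


def summarize_trace(text):
    """Reduce one first-path flow trace to the decisions that matter for NAT."""
    summary = {"lines": 0, "unparsed": 0}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            summary["unparsed"] += 1   # not a trace line; count it rather than crash
            continue
        summary["lines"] += 1
        for key, pat in PATTERNS.items():
            pm = pat.search(m.group("msg"))
            if pm:
                gd = pm.groupdict()
                summary[key] = gd["v"] if list(gd) == ["v"] else gd
    return summary


def src_nat_applied(summary):
    """True only if the trace reports a source translation AND the recorded dip
    mapping actually changes the address (an identity mapping means no NAT)."""
    dip = summary.get("dip")
    return (summary.get("src_xlated") == "True"
            and dip is not None and dip["orig"] != dip["xlated"])


def diff_summaries(failed, good):
    """Keys whose values differ between the two traces, for a quick eyeball."""
    keys = (set(failed) | set(good)) - {"lines", "unparsed", "session_id"}
    return {k: (failed.get(k), good.get(k))
            for k in sorted(keys) if failed.get(k) != good.get(k)}


if __name__ == "__main__":
    bad, ok = summarize_trace(FAILED_TRACE), summarize_trace(GOOD_TRACE)
    print("SRX240 translated:", src_nat_applied(bad), " vSRX translated:", src_nat_applied(ok))
    for key, (b, g) in diff_summaries(bad, ok).items():
        print(f"{key:12s} failed={b}  good={g}")
```

Run as-is, the diff points straight at the divergence the post describes: the SRX240 side routed the packet intra-zone (MNO to MNO) onto lt-0/0/0.345 with `nat_src_xlated: False` and an identity dip mapping, while the vSRX side logged a `reverse mip xlate` before the session was installed. Pulling these few fields out is far quicker than reading a multi-thousand-line traceoptions file by hand, and the same summary can drive a check that flags any flow which should have been statically translated but left with its private source address intact.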

 
