Channel: SRX Services Gateway topics

SSH Login Failure: pam_unix: pam_sm_authenticate: UNIX authentication refused (from Internal Interfaces only)


Hello all, I have a weird issue going on with my SRX300 [15.1X49-D170.4]. I have a user login 'admin' that can log in fine through the PUBLIC interface, but not through the internal interface. This configuration came from an SRX240 which I just replaced. I changed all the configuration that it didn't like, such as vlan.X to irb.X and all the DHCP changes. I plugged the device in and all the rules and tunnels came up fine. The only thing that doesn't work is logging in via SSH to an internal interface in my trust zone. Not sure how the SSH login process differs based on the interface you're logging into?

 

Everything I've seen has been related to root access. I have the same issue with that account as in the above example as well. I did notice that updated passwords had a longer hash, so I updated the password on the admin account to match. Still have the same issue. I haven't rebooted the device for fear of it locking out all accounts on all interfaces. I have checked:

 

show system login lockout
User accounts not locked

 

>>>>>> Logging in to the device via the internal IP address

Using username "admin".
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
pam_unix: pam_sm_authenticate: UNIX authentication refused

Access denied
Using keyboard-interactive authentication.
Password:

 

>>>>>> Logging in to the device via the external public IP

Using username "admin".
Using keyboard-interactive authentication.
Password:
Last login: Tue Mar 5 05:59:13 2019 from XX.XX.XX.XX
--- JUNOS 15.1X49-D170.4 built 2019-02-22 22:34:42 UTC
admin@XXXXX.SRX300>

 

I can log into the web interface internally fine with the same admin account as well. Not sure what to look at, to be honest.


Radius Auth Issues with Dynamic VPN


Hello,

I am in the process of setting up RADIUS authentication for a dynamic VPN.  Unfortunately, it is not working.  I have tracing turned on for authentication, and am getting this error message:

 

Mar 5 18:34:16.479967 Local : authd_local_lite_auth: got params profile=ad01-cg-radius, username=dramage
Mar 5 18:34:16.479973 Local : start authd_local_lookup
Mar 5 18:34:16.479978 Local : profile ad01-cg-radius NOT found

 

This confuses me, because that profile exists:

ec2-user@VSRX2> show configuration access
profile ad01-cg-radius {
    address-assignment {
        pool Corios-VPN;
    }
    radius {
        authentication-server 10.1.10.40;
        accounting-server 10.1.10.40;
    }
    radius-server {
        10.1.10.40 {
            port 1812;
            secret "BIG IMPORTANT SECRET HERE"; ## SECRET-DATA
            timeout 15;
            retry 2;
            source-address 172.16.101.6;
            routing-instance vpn_gateway;
        }
    }
    accounting {
        order radius;
        accounting-stop-on-failure;
        accounting-stop-on-access-deny;
    }
}

 

 

Here's where I have it applied to the IKE gateway:

gateway Corios-VPN-IKE-GW {
    ike-policy Corios-VPN-IKE-Pol;
    dynamic {
        user-at-hostname "itadmins@coriosgroup.com";
        connections-limit 2;
        ike-user-type shared-ike-id;
    }
    dead-peer-detection;
    local-identity inet XXX.XXX.XXX.XXX;
    external-interface ge-0/0/1.0;
    aaa {
        access-profile ad01-cg-radius;
    }
    version v1-only;
    tcp-encap-profile NCP;
}

 

I should also mention that I have no connectivity problems if I switch over to local authentication.

 

Thanks in advance for your help.
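The radius-server stanza above names a shared secret, a source address and a server port; the following added example (my code, not Junos or the poster's) builds and decodes the Access-Request that the SRX would send for such a profile, to show what that secret actually protects. Per RFC 2865 the User-Password attribute is XORed with MD5(secret || Request-Authenticator) keystream blocks, so a secret mismatch produces garbage on the server and an Access-Reject rather than any explicit error. The username is the one from the trace above; the password "hunter2" and identifier are made up, and the NAS address is the profile's source-address.

```python
"""Build and decode a RADIUS Access-Request (RFC 2865). Added example;
it shows how the shared secret hides User-Password, nothing SRX-specific."""
import hashlib
import os
import socket
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 octets, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ... (chained XOR)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # next block is keyed with the previous ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does. With a wrong secret the result is garbage, which
    the server can only report as an authentication failure."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Return (code, identifier, authenticator, {attr_type: value}); rejects
    a length field that disagrees with the datagram or a truncated attribute."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    authenticator = packet[4:20]
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    secret = b"BIG IMPORTANT SECRET HERE"   # placeholder, as in the post
    pkt = build_access_request(7, "dramage", "hunter2", secret, "172.16.101.6")
    code, ident, ra, attrs = parse_packet(pkt)
    print(len(pkt), code, ident, attrs[USER_NAME], reveal_password(attrs[USER_PASSWORD], secret, ra))
```

Note that MD5-based password hiding is the only confidentiality RADIUS/UDP offers; the shared secret is never sent, but anyone who can sniff the path between 172.16.101.6 and 10.1.10.40 can attack it offline, which is why the routing-instance and source-address in the profile matter for where that traffic actually goes.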

Anyone here with experience integrating an SRX5k with a CA server for IPsec?


Hi all,

 

Kindly need advice from someone who has experience setting up IPsec VPN using the SRX5k series with a CA server. For example, I have 3000 sites / tunnels connected to an SRX5800. So I want to know the complexity of this kind of setup between a CA server and the SRX5k series. Also, what kind of CA server is needed, such as Windows / Linux, and other requirements.

 

Thanks and appreciate any feedback

show ntp associations not working with loopback filter


I am having an issue with the 'show ntp associations' command not working. (I have a firewall filter applied to the loopback to restrict management access)

 

I get the below output:

user@srx> show ntp associations
localhost: timed out, nothing received
***Request timed out

 

I have seen the following article and followed its advice:

https://forums.juniper.net/t5/Day-One-Tips/TIP-not-able-to-check-NTP-status/m-p/64545#M140

 

I have set my ntp source address to a specific address:
set system ntp source-address 10.99.99.1

 

Below is my loopback config:

user@srx# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input MGMT_TRAFFIC;
        }
    }
}

 

Here is the last section of my firewall filter allowing that IP:

 

term NTP-SERVERS {
    from {
        address {
            10.99.99.1/32;
        }
        protocol udp;
        destination-port ntp;
    }
    then accept;
}
term DENY_OTHER_TRAFFIC {
    then {
        log;
        discard;
    }
}

 

When I run a 'monitor traffic interface lo0'  I can see the ntp requests coming from the correct source address.

18:13:16.183247 In IP 10.99.99.1.51295 > 10.99.99.1.ntp: NTPv2, Reserved, length 12
18:13:16.185393 In IP 10.99.99.1.ntp > 10.99.99.1.51295: NTPv2, Reserved, length 20

 

The command still fails though.. When I remove the firewall filter, it works. I even tried changing the filter to just allow udp but it still failed. 

 

Any help appreciated.

 

Thanks
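The capture above shows both the query (51295 to 123) and the daemon's reply (123 to 51295) arriving "In" on lo0, so both pass through the input filter. The following added example (my code, not Junos) replays those two packets through a model of the posted terms: the Junos `address` match accepts either source or destination, so the query hits NTP-SERVERS, but the reply's destination port is the ephemeral 51295, not ntp, so it falls through to DENY_OTHER_TRAFFIC. The `NTP-REPLIES` term is my suggested addition, not part of the post; a production filter would also need to accept replies from the configured external NTP servers (source-port ntp from their addresses), which the quoted excerpt does not show.

```python
"""Replay the two lo0 NTP packets from the post through a model of the posted
MGMT_TRAFFIC filter. Added example; term names and matches are the post's, the
NTP-REPLIES term is a suggested fix."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NTP = 123


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    protocol: str


@dataclass(frozen=True)
class Term:
    name: str
    action: str                          # "accept" or "discard"
    address: Optional[str] = None        # Junos 'address': source OR destination
    protocol: Optional[str] = None
    source_port: Optional[int] = None
    destination_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """All configured 'from' conditions must hold, as in a Junos term."""
        if self.address is not None:
            net = ipaddress.ip_network(self.address, strict=False)
            if (ipaddress.ip_address(pkt.src) not in net
                    and ipaddress.ip_address(pkt.dst) not in net):
                return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.source_port is not None and pkt.sport != self.source_port:
            return False
        if self.destination_port is not None and pkt.dport != self.destination_port:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """First matching term wins; anything unmatched hits the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "<implicit>", "discard"


# The two packets seen with 'monitor traffic interface lo0' in the post.
QUERY = Packet("10.99.99.1", 51295, "10.99.99.1", NTP, "udp")
REPLY = Packet("10.99.99.1", NTP, "10.99.99.1", 51295, "udp")

# The filter as posted (only its last two terms are quoted there).
POSTED = [
    Term("NTP-SERVERS", "accept", address="10.99.99.1/32", protocol="udp", destination_port=NTP),
    Term("DENY_OTHER_TRAFFIC", "discard"),
]

# Suggested fix: also accept the daemon's reply, whose destination port is ephemeral.
FIXED = [
    POSTED[0],
    Term("NTP-REPLIES", "accept", address="10.99.99.1/32", protocol="udp", source_port=NTP),
    POSTED[1],
]


def trace(terms: List[Term], packets: List[Packet]) -> List[Tuple[int, int, str, str]]:
    """(sport, dport, matched term, action) for each packet, for a quick table."""
    return [(p.sport, p.dport) + evaluate(terms, p) for p in packets]


if __name__ == "__main__":
    for label, terms in (("posted", POSTED), ("fixed", FIXED)):
        for row in trace(terms, [QUERY, REPLY]):
            print(label, *row)
```

The model deliberately ignores `log` and term ordering subtleties beyond first-match, which is enough to show why `show ntp associations` times out while the request itself is visible on the wire.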

 

 

Redundant SRXs as VLAN Routers


Originally asked this in another thread, but I don't think people are answering as it already has an accepted answer (to a different question).

 

I have configured 2 SRXs as switches participating in a L2 RSTP ring, and want to use the SRXs to Route between VLANs in the ring and to route some traffic to external networks.  I am currently playing around with the equipment in the lab.

 

At the moment I have two SRX340 firewalls. I have created irb interfaces on each SRX for each VLAN and provided L3 addresses on each. The two SRXs are connected together via a VLAN trunk (on all VLANs). There is a Maintenance VLAN configured that should be routable to some of the other VLANs, and VRRP is enabled between the SRXs to provide redundancy for this routing. I have created the security zones and rules for this routing.

 

I have a laptop attached on SRX2 to the Maintenance VLAN and another attached to SRX1 on a VLAN I call NetworkManagement. When on the laptop connected to the Maintenance VLAN I am able to ping the Maintenance L3 interface on SRX2 as well as all the L3 interfaces for all the other VLANs on SRX2, but none of the interfaces on SRX1 except the Maintenance IP, which I am pinging at layer two as I am on the same subnet.

 

Same for the laptop connected to SRX1.  I can ping the NetworkManagement L3 address on SRX 1 and the Maintenance VLAN L3 address on SRX1 but none of the VLAN addresses on SRX2.

 

It seems like my irb interfaces are routing, but only to the interfaces on the local box and not back onto the VLAN.   I can ping the VRRP address when both SRXs are the master.

 

Configs are below.

 

SRX1

set version 15.1X49-D160.2
set system host-name OPS-KOC-A
set system time-zone GMT
set system root-authentication encrypted-password "$5$jAAwwN6v$Cd4FbXRkBh4d4hK2LxLyzUQE3DRf5HuDuXZUO936fr5"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-resolution no-resolve-on-input
set system login user admin uid 2002
set system login user admin class super-user
set system login user admin authentication encrypted-password "$5$trBTfuvQ$fkkoVuImv1MC3mI6cH0EfsRmpkX5KmX8JdB2DRMu7Q."
set system services ssh
set system services telnet
set system services dhcp-local-server group g1 interface irb.20
set system services web-management http interface fxp0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server us.ntp.pool.org
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match source-address any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match destination-address any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match application any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM then permit
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match source-address any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match destination-address any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match application any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM then permit
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match source-address any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match destination-address any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match application any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM then permit
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match source-address any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match destination-address any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match application any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM then permit
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match source-address any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match destination-address any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match application any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA then permit
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match source-address any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match destination-address any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match application any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA then permit
set security policies from-zone NetworkManagement to-zone NetworkManagement policy NM-NM description "NetworkManagement to NetworkManagement"
set security policies from-zone NetworkManagement to-zone NetworkManagement policy NM-NM match source-address any
set security policies from-zone NetworkManagement to-zone NetworkManagement policy NM-NM match destination-address any
set security policies from-zone NetworkManagement to-zone NetworkManagement policy NM-NM match application any
set security policies from-zone NetworkManagement to-zone NetworkManagement policy NM-NM then permit
set security policies default-policy deny-all
set security zones security-zone NetworkManagement host-inbound-traffic system-services all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic protocols all
set security zones security-zone Maintenance host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic protocols all
set security zones security-zone IonMeters host-inbound-traffic system-services all
set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic system-services all
set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic protocols all
set security zones security-zone GeneralDeviceManagement host-inbound-traffic system-services all
set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic system-services all
set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic protocols all
set security zones security-zone EngineeringAccess host-inbound-traffic system-services all
set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic system-services all
set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic protocols all
set security zones security-zone DFR host-inbound-traffic system-services all
set security zones security-zone DFR interfaces irb.14 host-inbound-traffic system-services all
set security zones security-zone DFR interfaces irb.14 host-inbound-traffic protocols all
set security zones security-zone Internal
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members NetworkManagement
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/2 unit 0 family inet
set interfaces ge-0/0/3 unit 0 family inet
set interfaces ge-0/0/4 unit 0 family inet
set interfaces ge-0/0/5 unit 0 family inet
set interfaces ge-0/0/6 unit 0 family inet
set interfaces ge-0/0/7 unit 0 family inet
set interfaces fxp0 unit 0 family inet address 192.168.1.1/24
set interfaces irb unit 9 family inet address 10.207.10.3/23
set interfaces irb unit 10 family inet address 10.207.8.3/24
set interfaces irb unit 13 family inet address 10.207.50.3/23
set interfaces irb unit 14 family inet address 10.207.48.3/23
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 virtual-address 10.207.22.1
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 priority 200
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 accept-data
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 track interface irb.20 priority-cost 200
set interfaces irb unit 21 family inet address 10.207.24.3/21
set routing-options static route 0.0.0.0/0 next-hop 10.207.22.3
set protocols l2-learning global-mode switching
set access address-assignment pool p1 family inet network 10.207.22.0/24
set access address-assignment pool p1 family inet range r1 low 10.207.22.101
set access address-assignment pool p1 family inet range r1 high 10.207.22.125
set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool p1 family inet dhcp-attributes name-server 10.207.22.1
set access address-assignment pool p1 family inet dhcp-attributes router 10.207.22.1
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans DFR vlan-id 14
set vlans DFR l3-interface irb.14
set vlans Engineering vlan-id 21
set vlans Engineering l3-interface irb.21
set vlans GeneralDeviceManagement vlan-id 9
set vlans GeneralDeviceManagement l3-interface irb.9
set vlans Ion vlan-id 13
set vlans Ion l3-interface irb.13
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10
set vlans Phones vlan-id 31
set vlans Phones l3-interface irb.31
set vlans VHF vlan-id 16
set vlans VHF l3-interface irb.16
set vlans Video vlan-id 32
set vlans Video l3-interface irb.32

 

SRX2 (Almost same as 1 except IP addresses and VRRP different)

set version 15.1X49-D160.2
set system host-name SCC
set system time-zone GMT
set system root-authentication encrypted-password "$5$49q.90sE$fMyWz9qOLJzItFpRwrs6dIzKkNyIRdzVfpt4yXypD64"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-resolution no-resolve-on-input
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "$5$AO4gzXBq$iBIwPMvx7GthLZJzKjBR5TfIEXFZXIFjYBwlgyAult8"
set system services ssh
set system services telnet
set system services dhcp-local-server group g1 interface irb.20
set system services web-management http
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server us.ntp.pool.org
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match source-address any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match destination-address any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match application any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM then permit
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match source-address any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match destination-address any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match application any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM then permit
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match source-address any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match destination-address any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match application any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM then permit
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match source-address any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match destination-address any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match application any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM then permit
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match source-address any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match destination-address any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match application any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA then permit
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match source-address any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match destination-address any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match application any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA then permit
set security policies from-zone NetworkManagement to-zone NetworkManagement policy NM-NM match source-address any
set security policies from-zone NetworkManagement to-zone NetworkManagement policy NM-NM match destination-address any
set security policies from-zone NetworkManagement to-zone NetworkManagement policy NM-NM match application any
set security policies from-zone NetworkManagement to-zone NetworkManagement policy NM-NM then permit
set security policies default-policy deny-all
set security zones security-zone Internal
set security zones security-zone NetworkManagement host-inbound-traffic system-services all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic protocols all
set security zones security-zone Maintenance host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic protocols all
set security zones security-zone IonMeters host-inbound-traffic system-services all
set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic system-services all
set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic protocols all
set security zones security-zone GeneralDeviceManagement host-inbound-traffic system-services all
set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic system-services all
set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic protocols all
set security zones security-zone EngineeringAccess host-inbound-traffic system-services all
set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic system-services all
set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic protocols all
set security zones security-zone DFR host-inbound-traffic system-services all
set security zones security-zone DFR interfaces irb.14 host-inbound-traffic system-services all
set security zones security-zone DFR interfaces irb.14 host-inbound-traffic protocols all
set security zones security-zone trust
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members Maintenance
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/2 unit 0 family inet
set interfaces ge-0/0/3 unit 0 family inet
set interfaces ge-0/0/4 unit 0 family inet
set interfaces ge-0/0/5 unit 0 family inet
set interfaces ge-0/0/6 unit 0 family inet
set interfaces ge-0/0/7 unit 0 family inet
set interfaces ge-0/0/9 unit 0 family inet
set interfaces fxp0 unit 0 family inet address 192.168.1.2/24
set interfaces irb unit 9 family inet address 10.207.10.5/23
set interfaces irb unit 10 family inet address 10.207.8.5/24
set interfaces irb unit 13 family inet address 10.207.50.5/23
set interfaces irb unit 14 family inet address 10.207.48.5/23
set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 virtual-address 10.207.22.1
set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 priority 100
set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 accept-data
set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 track interface irb.20 priority-cost 100
set interfaces irb unit 21 family inet address 10.207.24.5/21
set routing-options static route 0.0.0.0/0 next-hop 10.207.22.5
set protocols l2-learning global-mode switching
set access address-assignment pool p1 family inet network 10.207.22.0/24
set access address-assignment pool p1 family inet range r1 low 10.207.22.126
set access address-assignment pool p1 family inet range r1 high 10.207.22.150
set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool p1 family inet dhcp-attributes name-server 10.207.22.1
set access address-assignment pool p1 family inet dhcp-attributes router 10.207.22.1
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans DFR vlan-id 14
set vlans DFR l3-interface irb.14
set vlans Engineering vlan-id 21
set vlans Engineering l3-interface irb.21
set vlans GeneralDeviceManagement vlan-id 9
set vlans GeneralDeviceManagement l3-interface irb.9
set vlans Ion vlan-id 13
set vlans Ion l3-interface irb.13
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10
set vlans Phones vlan-id 31
set vlans Phones l3-interface irb.31
set vlans VHF vlan-id 16
set vlans VHF l3-interface irb.16
set vlans Video vlan-id 32
set vlans Video l3-interface irb.32
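Two things in the posted configurations are worth a mechanical check before the routing question is even reached: both boxes enable telnet and plain-http J-Web and open `system-services all` on every zone and interface, and each box's default route points at its own irb.20 address. The following added example (my code, not Junos or the poster's) audits Junos `set` lines for exactly those patterns. It also reports the password-hash algorithm, which bears on the first post on this page: `$1$` is MD5-crypt, `$5$` is SHA-256-crypt and `$6$` is SHA-512-crypt, and the latter two produce the "longer hash" that post mentions. The sample lines are copied from SRX1 above, plus one constructed `$1$` line so the hash check has something to report; the check names and wording are my choices.

```python
"""Audit Junos 'set' configuration lines for management-plane exposure.
Added example; sample input is from the post except the marked line."""
import re
from collections import Counter
from typing import Dict, List

HASH_ALGOS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
PASSWORD_RE = re.compile(
    r'^set system (?:root-authentication|login user (?P<user>\S+) authentication) '
    r'encrypted-password "\$(?P<algo>\d)\$'
)
ADDRESS_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family inet address (?P<ip>[^\s/]+)/\d+"
)
ROUTE_RE = re.compile(r"^set routing-options static route (?P<prefix>\S+) next-hop (?P<nh>\S+)$")


def audit(lines: List[str]) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    local_addresses: Dict[str, str] = {}      # ip -> ifl, for the self-next-hop check
    static_routes: List[Dict[str, str]] = []

    def flag(check: str, line: str, note: str) -> None:
        findings.append({"check": check, "line": line, "note": note})

    for line in (raw.strip() for raw in lines):
        if line == "set system services telnet":
            flag("plaintext-mgmt", line, "telnet carries credentials in clear text; keep ssh only")
        elif re.match(r"^set system services web-management http(\s|$)", line):
            flag("plaintext-mgmt", line, "J-Web over http is unencrypted; use https")
        elif line.endswith("host-inbound-traffic system-services all"):
            flag("host-inbound-all", line,
                 "every system service answers on this zone/interface; list only the ones needed")
        m = PASSWORD_RE.match(line)
        if m:
            algo = HASH_ALGOS.get(m.group("algo"), "unknown")
            if algo not in ("sha256-crypt", "sha512-crypt"):
                flag("weak-hash", line,
                     f"{m.group('user') or 'root'} uses {algo}; re-set the password so it is stored as $5$/$6$")
        m = ADDRESS_RE.match(line)
        if m:
            local_addresses[m.group("ip")] = f"{m.group('ifd')}.{m.group('unit')}"
        m = ROUTE_RE.match(line)
        if m:
            static_routes.append({**m.groupdict(), "line": line})

    # Second pass: a next-hop that is one of this box's own addresses goes nowhere.
    for r in static_routes:
        if r["nh"] in local_addresses:
            flag("self-next-hop", r["line"],
                 f"next-hop {r['nh']} is this box's own {local_addresses[r['nh']]} address; "
                 "the route cannot forward traffic off the box")
    return findings


def summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(f["check"] for f in findings))


SAMPLE = [
    # Lines copied from the SRX1 configuration in the post:
    'set system root-authentication encrypted-password "$5$jAAwwN6v$Cd4FbXRkBh4d4hK2LxLyzUQE3DRf5HuDuXZUO936fr5"',
    'set system login user admin authentication encrypted-password "$5$trBTfuvQ$fkkoVuImv1MC3mI6cH0EfsRmpkX5KmX8JdB2DRMu7Q."',
    "set system services ssh",
    "set system services telnet",
    "set system services web-management http interface fxp0.0",
    "set security zones security-zone Maintenance host-inbound-traffic system-services all",
    "set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services all",
    "set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic protocols all",
    "set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 virtual-address 10.207.22.1",
    "set routing-options static route 0.0.0.0/0 next-hop 10.207.22.3",
    # Constructed line, not from the post: a legacy account with an MD5-crypt hash.
    'set system login user legacy authentication encrypted-password "$1$saltsalt$constructedhashvalue0000"',
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f['check']}] {f['line']}\n    {f['note']}")
    print(summary(audit(SAMPLE)))
```

Run it against `show configuration | display set` output saved to a file; the VRRP virtual address on irb.20 is not a local address in this model, so a default route via 10.207.22.1 would not be flagged, only one via the box's own 10.207.22.3 or 10.207.22.5.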

 

 

Help for VLAN trunk design


Hi,

 

On the attached, I have a bunch of servers trunking up to a Juniper SRX4100. The gateway addresses should reside within VLANs on the Juniper and all servers should be forced up to the firewall. No server should be able to talk to another server without a rule in place. All these servers should sit within a zone on the Juniper. This will be via 2 interfaces to a couple of switches working in a pair. Are IRB interfaces the best way to do this with VLANs?

 

The rest of the network will connect into this Juniper, but I have read that you can't have a layer 3 zone talking to a layer 2 zone? 

 

Now I am wondering how best to connect up these parts of the network? I was going to have a OSPF connection to the rest of the network but this means the 2 zones can't have rules between them which is needed.

 

Any help greatly appreciated.

 

Thanks

Pulse Secure disconnects during remote file download


Hello,

I have configured a Juniper SRX300 with dynamic VPN, so clients using Pulse Secure can connect and access our local network. However, when a client (I tested on various computers/clients) starts downloading a big file from our network (more than 200 Mb), the Pulse client loses its connection with the Juniper device (the Juniper is not aware of the disconnection until we get the message below):

KMD_VPN_DOWN_ALARM_USER: VPN wizard_dyn_vpn from x.x.x.x is down. Local-ip: y.y.y.y, gateway name: gw_wizard_dyn_vpn, vpn name: wizard_dyn_vpn, tunnel-id: 67108865, local tunnel-if: , remote tunnel-ip: Not-Available, Local IKE-ID: y.y.y.y, Remote IKE-ID: userSRX300, XAUTH username: user, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=192.168.2.0/24), Traffic-selector remote ID: ipv4(any:0,[0..3]=172.16.1.185), SA Type: Static, Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared

Any guesses about this?

Many thanks

Can't Reach the Internet from Device


Hi All,

On clustered Juniper SRX series. 

 

I have a current setup of Routing Instance A (contains internet circuits) and Routing Instance B (contains trusted traffic). I have a source NAT in place for both traffic from trust security zone and junos-host security zone destined for untrust zone anywhere (0.0.0.0/0) then NATing to the interface. Security policies are wide open at this point (from-zone trust to untrust is any, junos-host to untrust is permitted by self traffic policy). 

 

All traffic testing on this device will be sourced from the loopbacks in each routing instance. 

 

All trusted traffic from behind the device is able to reach the internet without any issue.

 

Traffic from Routing Instance A is able to reach the internet without any issue.

 

Traffic from Routing Instance B loopback (in this scenario, IP is 10.1.3.65) is able to reach the internet, flows back to the device, and by all appearances looks to flow successfully:

 

Session ID: 16895, Policy name: self-traffic-policy/1, State: Active, Timeout: 4, Valid
In: 10.1.3.65/9 --> 8.8.8.8/48805;icmp, If: .local..4, Pkts: 1, Bytes: 84
Out: 8.8.8.8/48805 --> 1.1.1.1/19364;icmp, If: ge-5/0/15.0, Pkts: 1, Bytes: 84

                                             ^^^NAT'd interface

 

 

However, I am getting no responses when pinging from Routing Instance B, so I enabled traceoptions on the flow, and I don't think there was anything indicative of a problem in there. One thing potentially stuck out to me:

 

Mar 8 16:37:26 16:37:26.556467:CID-1:RT: route to 10.1.3.65

Mar 8 16:37:26 16:37:26.556467:CID-1:RT:ha_ifp: ge-5/0/15.0   <----- Not sure why the untrust interface is displayed here after the route lookup for 10.1.3.65

 

Mar 8 16:37:26 16:37:26.556467:CID-1:RT:session_ha_does_sess_need_sync: Synching is not supported for IP proto: 1.in-ifp: .local..4, out-ifp: ge-0/0/15.0

 

 

I can confirm that both Routing Instances A & B have a route installed for the loopback in Routing Instance B:

 

B.inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.3.65/32 *[Direct/0] 1w0d 21:04:26
> via lo0.0

A.inet.0: 41 destinations, 41 routes (41 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.3.65/32 *[Direct/0] 1w0d 21:04:26
> via lo0.0

 

 

At this point, I am at a loss for any reason as to why I am not getting a response. Please advise.


SRX - Monitoring Traffic per ip address


Dear Geeks , 

 

I have an SRX210HE2. I need to know bandwidth usage per IP. Is it possible, and how?

 

BR

Mohammad R.

Traffic appears to be incorrectly matching Dynamic VPN security policy


Good day

 

I have come across an issue that I'm not yet able to explain.

I have an example of access that's being allowed through the firewall for non vpn tunnel traffic, but it's being allowed by the dyn-vpn security policy.

 

From the outside of the firewall, entering via the untrust zone, I can telnet to an IP (X.X.X.X) in the trust zone on a port that is not open, TCP port 49155.

 

telnet X.X.X.X 49155 connects

 

 show security match-policies source-ip Y.Y.Y.Y destination-ip X.X.X.X destination-port 49155 protocol tcp from-zone untrust to-zone trust source-port 1
node0:
--------------------------------------------------------------------------
Policy: dyn-vpn-policy, action-type: permit, State: enabled, Index: 208
0
  Policy Type: Configured
  Sequence number: 144
  From zone: untrust, To zone: trust
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Tunnel: dyn-vpn, Type: IPSec, Index: 4294967295
  Intrusion Detection and Prevention: enabled
  Unified Access Control: disabled
  Unified Threat Management: enabled

 

Here's the code for the policy it's matching:

show security policies from-zone untrust to-zone trust policy dyn-vpn-policy | display inheritance no-comments
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    permit {
        tunnel {
            ipsec-vpn dyn-vpn;
        }
        application-services {
            idp;
        }
    }
}

Deactivating this policy means I can no longer connect to X.X.X.X on TCP 49155 from Y.Y.Y.Y.

From all the dynamic VPN documentation I've found, the tunnel config works as additional match criteria, so the policy should only apply to traffic that's inside an associated VPN tunnel.

I confirm that at the time I was not connected by VPN to this device, and the behaviour is the same even when there are no dyn VPN users connected.

I set up logging on the dyn-vpn-policy and matched the below when repeating the telnet connection from the outside:

Mar 10 21:52:37 fw-device RT_FLOW: RT_FLOW_SESSION_CREATE: session created Y.Y.Y.Y/56909->X.X.X.X/49155 junos-ms-rpc-udp Y.Y.Y.Y/56909->X.X.X.X/49155 N/A N/A N/A N/A 6 dyn-vpn-policy untrust trust 127266 N/A(N/A) reth0.202 MSRPC WMI UNKNOWN
Mar 10 21:52:41 fw-device RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: Y.Y.Y.Y/56909->X.X.X.X/49155 junos-ms-rpc-udp Y.Y.Y.Y/56909->X.X.X.X/49155 N/A N/A N/A N/A 6 dyn-vpn-policy untrust trust 127266 4(172) 3(132) 4 MSRPC WMI N/A(N/A) reth0.202 UNKNOWN

Note that the logging references junos-ms-rpc-udp, which is defined as below, yet this telnet is definitely UDP:
application junos-ms-rpc-udp {
    term t1 alg ms-rpc protocol udp destination-port 135;
}

This issue is occurring on an SRX550 chassis cluster running the latest version available for that platform, 12.3X48-D75.4 (recently upgraded, with no change). I don't know how long this issue has existed; it was only discovered recently.
Additionally, this policy has not rendered the firewall useless; it is in fact blocking other traffic which, according to the match-policies command, would also only match the same VPN policy.
It's probably also worth mentioning that I have to place the dyn-vpn-policy as the last policy in the untrust to trust context, otherwise it breaks connectivity allowed by policies below it.

I'd appreciate any insight anyone could provide; this feels like a bug, but I can't be sure.
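Checking the symptom from the flow logs, as an added example that is not part of the original post. The script parses the unstructured RT_FLOW_SESSION_CREATE line layout shown above, flags sessions that were permitted by a tunnel policy although their source is not an address a Dynamic VPN client could hold (decrypted client traffic is sourced from the access-profile pool, so any other source hitting the tunnel policy arrived in cleartext), and flags the service-name versus protocol-number disagreement the post points out (protocol 6 is TCP, yet the service is junos-ms-rpc-udp). The sample lines are constructed from the post's two lines with RFC 5737 documentation addresses substituted, plus a third line for an in-pool client; the client pool 10.10.10.0/24 and that third line are assumptions, not taken from the post.

```python
import ipaddress
import re

# Constructed sample: the post's two RT_FLOW lines with documentation addresses
# substituted, plus a third (assumed) line for a session whose source is a
# Dynamic VPN client address from the assumed pool 10.10.10.0/24.
SAMPLE_LOG = """\
Mar 10 21:52:37 fw-device RT_FLOW: RT_FLOW_SESSION_CREATE: session created 203.0.113.10/56909->198.51.100.20/49155 junos-ms-rpc-udp 203.0.113.10/56909->198.51.100.20/49155 N/A N/A N/A N/A 6 dyn-vpn-policy untrust trust 127266 N/A(N/A) reth0.202 MSRPC WMI UNKNOWN
Mar 10 21:52:41 fw-device RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 203.0.113.10/56909->198.51.100.20/49155 junos-ms-rpc-udp 203.0.113.10/56909->198.51.100.20/49155 N/A N/A N/A N/A 6 dyn-vpn-policy untrust trust 127266 4(172) 3(132) 4 MSRPC WMI N/A(N/A) reth0.202 UNKNOWN
Mar 10 21:55:02 fw-device RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.10.10.5/51000->198.51.100.20/445 junos-smb 10.10.10.5/51000->198.51.100.20/445 N/A N/A N/A N/A 6 dyn-vpn-policy untrust trust 127301 N/A(N/A) reth0.202 SMB UNKNOWN UNKNOWN
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Unstructured RT_FLOW_SESSION_CREATE layout as printed in the post:
#   src/sport->dst/dport service nat-src/port->nat-dst/port
#   src-nat-rule-type src-nat-rule-name dst-nat-rule-type dst-nat-rule-name
#   protocol policy from-zone to-zone session-id user(roles) ingress-ifl ...
SESSION_CREATE_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"([^\s/]+)/(\d+)->([^\s/]+)/(\d+) (\S+) "   # 5-tuple and service name
    r"\S+->\S+ \S+ \S+ \S+ \S+ "                 # NAT mapping and four NAT rule fields
    r"(\d+) (\S+) (\S+) (\S+) (\d+) \S+ (\S+)"   # proto, policy, zones, session-id, user, ingress
)


def parse_session_create(line):
    """Return the fields of one RT_FLOW_SESSION_CREATE line, or None."""
    m = SESSION_CREATE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group(1), "sport": int(m.group(2)),
        "dst": m.group(3), "dport": int(m.group(4)),
        "service": m.group(5), "proto": int(m.group(6)),
        "policy": m.group(7), "from_zone": m.group(8), "to_zone": m.group(9),
        "session_id": int(m.group(10)), "ingress": m.group(11),
    }


def audit(log_text, tunnel_policies, client_pools):
    """Return (session_id, finding, detail) tuples.

    tunnel_policies: names of policies whose 'then permit' carries a tunnel.
    client_pools: prefixes the Dynamic VPN access profile hands to clients;
    decrypted client traffic is sourced from these, so a tunnel-policy hit
    from any other source was cleartext that should not have matched.
    """
    pools = [ipaddress.ip_network(p) for p in client_pools]
    findings = []
    for line in log_text.splitlines():
        s = parse_session_create(line)
        if s is None:
            continue  # SESSION_CLOSE and other events are not examined here
        src = ipaddress.ip_address(s["src"])
        if s["policy"] in tunnel_policies and not any(src in p for p in pools):
            findings.append((s["session_id"], "cleartext-hit-on-tunnel-policy",
                             f"{s['src']} via {s['ingress']}"))
        # junos-*-tcp / junos-*-udp service names embed the transport; compare
        # it with the numeric protocol field (6 = TCP, 17 = UDP).
        transport = s["service"].rsplit("-", 1)[-1]
        if transport in ("tcp", "udp") and PROTO_NAMES.get(s["proto"]) != transport:
            findings.append((s["session_id"], "service-protocol-mismatch",
                             f"{s['service']} logged for protocol {s['proto']}"))
    return findings


if __name__ == "__main__":
    for sid, kind, detail in audit(SAMPLE_LOG, {"dyn-vpn-policy"}, ["10.10.10.0/24"]):
        print(f"session {sid}: {kind}: {detail}")
```

Run it against a `messages` file exported from the cluster with the real pool prefix; a non-empty list of cleartext hits while no client is connected is the same evidence the `show security match-policies` output gives, but taken from sessions that actually passed.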

Inter-Vlan routing issues with vSRX JunOS version 18.2R1.9

Hi Everyone

I am having difficulty with inter-vlan routing on VSRX version 18.2R1.9. 

I followed the instructions from this link https://www.juniper.net/documentation/en_US/junos/topics/topic-map/layer-2-interfaces.html to configure my VLANs.

I want the devices in vlan 10 (BLUE) and vlan 20 (RED) to communicate and at the same time be able to communicate with my cisco router. I intend vlan 10 users to reach the router through interface ge-0/0/0 and vlan 20 users through interface ge-0/0/5. 

So far, I've only been able to have VPC1 communicate with VPC2 and vice versa. The same is true for VPC3 and VPC4.

VPC1/2 cannot reach VPC3/4; none of the VPCs can reach the Cisco router.

Can someone please take a look and tell me what I am doing wrong?

Thanks.

Below is the complete configuration:

root# show
## Last changed: 2019-03-11 04:04:34 UTC
version 18.2R1.9;
system {
    root-authentication {
        encrypted-password "$6$QxphM7Bl$r/AmactO6LU4ico1eS/OIYnibsYhZNZ9ZS8YYlt0/STizv8KEJnT/U1SpqjUOr3q3Avv9RKBSg0YJrYlc2U3V0"; ## SECRET-DATA
    }
    services {
        ssh {
            root-login allow;
            protocol-version v2;
        }
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    log {
        mode stream;
        report;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone RED-ZONE to-zone RED-ZONE {
            policy RED-to-RED {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone BLUE-ZONE to-zone BLUE-ZONE {
            policy BLUE-to-BLUE {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
        }
        security-zone untrust {
            screen untrust-screen;
        }
        security-zone BLUE-ZONE {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
        security-zone RED-ZONE {
            interfaces {
                ge-0/0/3.0;
                ge-0/0/4.0;
            }
        }
        security-zone OUTSIDE-BLUE-ZONE {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone OUTSIDE-RED-ZONE {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.16.0.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members BLUE;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members BLUE;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members RED;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members RED;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 172.16.0.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.10.5/24;
            }
        }
    }
    irb {
        unit 10 {
            family inet {
                address 192.16.10.10/24;
            }
        }
        unit 20 {
            family inet {
                address 172.16.20.20/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.16.0.254;
        route 192.16.10.0/24 next-hop 192.16.10.10;
    }
}
protocols {
    l2-learning {
        global-mode transparent-bridge;
    }
}
vlans {
    BLUE {
        vlan-id 10;
        l3-interface irb.10;
    }
    RED {
        vlan-id 20;
        l3-interface irb.20;
    }
}
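A sanity check over the posted configuration, as an added example written for this page; it is not the poster's configuration or anything from Juniper. It parses Junos curly-brace configuration text and reports three things that stop routing between the VLANs through the irb units: a unit carrying `family inet` that belongs to no security zone (an unzoned interface is in the null zone and flow processing drops transit traffic on it), a static route whose next hop is one of the device's own addresses, and `l2-learning global-mode transparent-bridge`, in which the irb units are not routed transit interfaces (the check assumes switching mode is needed for irb-based routing on this release; treat that as an assumption). `SAMPLE` is a trimmed, constructed copy of the posted configuration; fxp0 and em interfaces are skipped because out-of-band management ports are never zoned.

```python
import re

# Constructed sample: a trimmed copy of the configuration posted above.
SAMPLE = """
security { zones {
    security-zone BLUE-ZONE { interfaces { ge-0/0/1.0; ge-0/0/2.0; } }
    security-zone RED-ZONE { interfaces { ge-0/0/3.0; ge-0/0/4.0; } }
    security-zone OUTSIDE-BLUE-ZONE { interfaces { ge-0/0/0.0; } }
    security-zone OUTSIDE-RED-ZONE { interfaces { ge-0/0/5.0; } }
} }
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 192.16.0.1/24; } } }
    ge-0/0/5 { unit 0 { family inet { address 172.16.0.1/24; } } }
    fxp0 { unit 0 { family inet { address 192.168.10.5/24; } } }
    irb {
        unit 10 { family inet { address 192.16.10.10/24; } }
        unit 20 { family inet { address 172.16.20.20/24; } }
    }
}
routing-options { static {
    route 0.0.0.0/0 next-hop 192.16.0.254;
    route 192.16.10.0/24 next-hop 192.16.10.10;
} }
protocols { l2-learning { global-mode transparent-bridge; } }
"""

MGMT_PREFIXES = ("fxp", "em")  # out-of-band ports, never members of a zone


def parse_junos(text):
    """Parse Junos curly-brace config into nested dicts.

    A stanza becomes {name: dict}, a leaf statement becomes {statement: None}.
    '## ...' annotations are dropped. Whitespace and line breaks do not matter,
    so 'show configuration' output and compacted text parse the same way.
    """
    body = "\n".join(ln.split("##", 1)[0] for ln in text.splitlines())
    root, words = {}, []
    stack = [root]
    for tok in re.findall(r"[{};]|[^{};]+", body):
        if tok == "{":
            node = {}
            stack[-1][" ".join(words)] = node
            stack.append(node)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.extend(tok.split())
    return root


def zone_of_interface(cfg):
    """Map each logical interface listed under a security zone to that zone."""
    zoned = {}
    zones = (cfg.get("security") or {}).get("zones") or {}
    for key, zone in zones.items():
        if key.startswith("security-zone ") and zone:
            for ifl in zone.get("interfaces") or {}:
                zoned[ifl] = key.split()[1]
    return zoned


def inet_units(cfg):
    """Return [(ifl, [addresses])] for every unit configured with family inet."""
    units = []
    for ifname, phys in (cfg.get("interfaces") or {}).items():
        for key, unit in (phys or {}).items():
            if key.startswith("unit ") and unit and "family inet" in unit:
                inet = unit["family inet"] or {}
                addrs = [k.split()[1] for k in inet if k.startswith("address ")]
                units.append((f"{ifname}.{key.split()[1]}", addrs))
    return units


def lint(cfg):
    """Return findings that would stop routing between the VLANs."""
    findings = []
    zoned = zone_of_interface(cfg)
    local_ips = set()
    for ifl, addrs in inet_units(cfg):
        local_ips.update(a.split("/")[0] for a in addrs)
        if ifl not in zoned and not ifl.startswith(MGMT_PREFIXES):
            findings.append(f"{ifl} carries family inet but is in no security "
                            "zone; flow processing drops transit traffic on it")
    static = (cfg.get("routing-options") or {}).get("static") or {}
    for stmt in static:
        m = re.match(r"route (\S+) next-hop (\S+)", stmt)
        if m and m.group(2) in local_ips:
            findings.append(f"static route {m.group(1)} points at {m.group(2)}, "
                            "which is this device's own address")
    l2 = (cfg.get("protocols") or {}).get("l2-learning") or {}
    if "global-mode transparent-bridge" in l2:
        findings.append("l2-learning global-mode transparent-bridge: irb units "
                        "are not routed transit interfaces in this mode "
                        "(assumes switching mode is required for irb routing)")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_junos(SAMPLE)):
        print("-", finding)
```

Feed it the output of `show configuration | display inheritance no-comments` from the vSRX; on the sample it reports irb.10 and irb.20 as unzoned, the 192.16.10.0/24 route as pointing at the device itself, and the transparent-bridge mode.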


Auto vpn support with non-juniper device?

Hi all,

May I know whether there will be an issue if the Auto VPN setup consists of an SRX5k with a non-Juniper product? This setup is together with a CA server.

Thanks

Can we decrypt IPsec traffic on SRX in Wireshark?

SRX packet-mode

I have a hard time finding any definitive information on what exact features work / exist in packet mode (set security forwarding-options family mpls mode packet-based).

Security policies / NAT are of course not working, but what about zones? Do they exist? What else is still there? Or better: what is NOT working with packet-based mode?

Regards,

Pawel Mazurkiewicz

fxp0 on SRX300 - SRX packet-mode OOB management

Is it possible to convert one of the revenue (ge-) interfaces to fxp0 (management interface) without actually forming a cluster?

I need this kind of interface for secure OOB management. Unfortunately SRX300-SRX320 have no dedicated fxp0.

I know I could:

- use a management zone to emulate fxp0 behavior -> but the device is in packet-mode...

- just put the interface in a separate VR and forget about it

I am just looking for a more elegant solution.

Regards,

Pawel Mazurkiewicz


SRX210HE2 12.3X48-D75 - 100% User CPU Utilization?

I recently worked on upgrading a remote SRX210HE2 from 12.1X46-D65 to 12.3X48-D75.  The upgrade itself was successful, but upon reboot management access to the SRX quickly became unavailable and after about an hour, all routing functionality ceased to operate.  After getting console access, I found that show chassis routing-engine reported 100% CPU utilization.  I ran a top -H in shell, but the only thing showing any CPU utilization was two flowd_octeon_hm processes running at about 98% each (one was in a CPU1 state and the other was in a RUN state).  So, something was definitely strange here. 


The SRX210HE2 was rolled back, and I don't have any good output that I saved, but I have an SRX220H2 that is exhibiting the same exact symptoms after going through the same upgrade process. I'm waiting for console access, but wanted to start a thread to ask folks whether they had any thoughts or suspicions as to what might be the suspect here. I have access back to the SRX210HE2 and could access log data, if requested or if that might be useful in troubleshooting what might have happened.

Trunk Port on SRX240 - Physical Interface UP UP, VLAN Down

Hi All,

Following this guide: https://www.juniper.net/us/en/local/pdf/app-notes/3500196-en.pdf (starting on page 22), I've been trying to configure a trunk port on my SRX240 that is directly connected to my server.

I have configured everything according to the other trunk ports I've got working correctly (however, all on the EX series) and it does not seem to be working on my SRX. These are all RVIs and I can confirm they are assigned to the correct security zone and VRF, there are security policies in place, and the server is configured correctly.

My physical interface is up:

ge-0/0/1                up    up
ge-0/0/1.0              up    up

VLANs are down:

Interface               Admin Link Proto    Local                 Remote
vlan                    up    up
vlan.1                  up    down inet     10.200.200.254/24
vlan.2                  up    down inet     1.1.1.1/24

Interface is not showing up in ethernet-switching interfaces:

0> show ethernet-switching interfaces

Interface config:

unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ vlan-lab-a vlan-lab-b ];
        }
    }
}

VLAN configs:

unit 1 {
    family inet {
        address 10.200.200.254/24;
    }
}
unit 2 {
    family inet {
        address 1.1.1.1/24;
    }
}
vlan-lab-a {
    vlan-id 3966;
    l3-interface vlan.1;
}
vlan-lab-b {
    vlan-id 3967;
    l3-interface vlan.2;
}

Security zones:

host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    ge-0/0/1.0;
    vlan.1;
    vlan.2;
}

At this point I'm not sure where to go.

Brand new SRX1500 ethernet ports do not come up

Hello team:

I unpacked a brand new SRX1500.

I found the system neither shows nor "starts" its ethernet interfaces. In fact, the system does not show any physical port.

"show chassis hardware" says nothing about the firewall's interfaces, as shown below. It seems like the FPC is not starting up properly. Has anybody experienced this problem? I executed a software upgrade to the recommended release, but nothing changed.

Any help will be greatly appreciated. Thanks!

Rogelio Alvez

Argentina

root> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                DB0519AK0043   SRX1500
Midplane         REV 20   750-066119   BCAM7589       SRX1500
CB 0             REV 12   711-053838   BCAY8628       CPU Board
Routing Engine 0          BUILTIN      BUILTIN        SRX Routing Engine
FPC 0            REV 11   711-053832   BCAZ2108       FEB
Power Supply 0   REV 03   740-055217   1EDP8450GPS    PS 400W 90-264V AC in
Fan Tray 0                                            SRX1500 0, Front to Back Airflow - AFO
Fan Tray 1                                            SRX1500 1, Front to Back Airflow - AFO
Fan Tray 2                                            SRX1500 2, Front to Back Airflow - AFO
Fan Tray 3                                            SRX1500 3, Front to Back Airflow - AFO

root> show chassis fpc pic-status
Slot 0   Present   FEB

root>

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
dsc                     up    up
em0                     up    up
em0.0                   up    up   inet     128.0.0.1/2
em1                     up    up
em1.32768               up    up   inet     192.168.1.2/24
em2                     up    up
fxp0                    up    down
fxp0.0                  up    down inet     192.168.1.1/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

root>

Mini USB console port not working on SRX300

Hi

I had a problem connecting the SRX300 mini USB console port to my laptops (Win7 & Win10, both not working). Also, I had already installed the SRX300 USB serial console driver. When I plug the mini USB cable into my laptop, Windows does not pop up any USB detection and I cannot find any changes in Device Manager (I am sure the USB port is working on the laptops).

On the other hand, somebody said to configure "system ports auxiliary port-type" to "mini-usb", but there is no port-type option for the SRX series. PLEASE HELP!!!

Regards

Anthony

Source NAT Multiple Times on Same Device

Hi All,

I would like to source NAT traffic twice on my device. See the scenario below:

I have two Routing Instances, A and B. My default route for A is to table B. I want all traffic that will take the default route to be NAT'd to an address before it reaches routing instance B. I want routing instance B to only have a route for the source NAT pool back to Routing Instance A, rather than having to share all of my routes from RI A to routing instance B.

Is this possible without configuring another Routing Instance that acts as a 'staging instance' or another physical interface that acts as the same?