Channel: SRX Services Gateway topics

SSG and SRX VPN Problem


Hi all,

I have a problem in phase 2 when I try to use an SSG550M (ScreenOS 6.2) as hub and SRX100s (Junos 12.1) as spokes. The message is "there was a preexisting session from the same peer". The spokes (SRX100H2) are behind NAT devices with dynamic IPs. The first two tunnels (one spoke SSG5 and the other SRX100) come up, but with the third spoke (SRX100) P1 comes up and P2 fails. I also changed the soft lifetime buffer time on the SSG side, but I get the same error. How can I solve it?


ISG to SRX Active/Active conversion


Hi all,

I'm trying to convert from an ISG to an SRX; however, I'm having a problem. Active/Active on an ISG is done via virtual systems, whereas the SRX does it by port group. So to replicate it I'm trying to use a combination of reth interfaces and routing-instances, but regardless of what way I think about it, I can't replicate the functionality correctly.

The only option I can think of is doubling up the ports: convert the old devices into routing-instances and then have reths on both sides. This won't work for them, unfortunately...

Surely someone has run into this problem before, no? Any help/thoughts?

Thanks in advance!

SRX650 cannot configure LAG on built-in port

Clarification of permit tunnel action


I am reading some VPN examples from the O'Reilly Juniper SRX Series book. One thing I'm not clear on, and I've been unable to find additional information in the Junos documentation, is the full behavior of the permit tunnel security policy action. In particular I'm looking at an example of a policy-based VPN configuration that includes the policy:

[edit security policies from-zone untrust to-zone trust policy Remote-Client]

match {
  source-address any;
  destination-address 10.0.0.8/8;
  application any;
} then {
  permit {
    tunnel {
      ipsec-vpn Remote-Client;
    }
  }
}

I keep looking at this policy and thinking somehow it will be interpreted as permit all traffic from all sources, using the tunnel if possible... I know that's wrong but I can't shake the idea.

Is it correct (or at least reasonable) to view the permit tunnel action as being both an action and a match condition? In other words can the above policy be described as "Allow all traffic from the Remote-Client tunnel traveling from untrust to trust through."

Thanks


Cannot enter configure mode on SRX3400


Hello,

I have an SRX3400 chassis cluster and I want to add new configuration, but I can't use configure mode.

This is the error from the node:

warning: Clustering enabled; using private edit
Users currently editing the configuration:
root terminal p0 (pid 78400) on since 2016-04-28 09:46:58 UTC, idle 01:43:08
private [edit]
error: shared configuration database modified

Please temporarily use 'configure shared' to commit
outstanding changes in the shared database, exit,
and return to configuration mode using 'configure'

What should I do?

Thanks,

SRX1400 hit-counts and security policies bug?


Hi,

For the past few hours I've been struggling with a weird issue in my SRX1400 cluster (running Junos 12.1X46-D40.2), and now I think I've found a bug in Junos. I'd be grateful if someone could confirm this, or show me what I did wrong. :-)

The scenario is really simple. I have a bunch of Windows desktops in one firewall zone, and a Microsoft Active Directory server in another zone. I only want to permit Active Directory traffic (Microsoft has a few really good KB articles about this; this is not the issue). So I built an application-set that matches everything that Microsoft wants you to permit between your desktop computers and your Active Directory server. I applied the changes and watched the hit-counts after 1 hour had passed:

> show security policies hit-count from-zone desktops to-zone servers
node0:
--------------------------------------------------------------------------
Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       desktops         servers           permit-msad    164931
 2       desktops         servers           permit-all     24

Great! Almost no hits on the permit-all policy, so almost everything is actually hitting my Active Directory policy (permit-msad). This is what the rest of the relevant config looks like:

> show configuration security policies from-zone desktops to-zone servers
policy permit-msad {
    match {
        source-address any;
        destination-address [ microsoft-dc-server ];
        application jd-msad-combined;
    }
    then {
        permit;
    }
}
policy permit-all {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-init;
        }
    }
}
> show configuration applications application-set jd-msad-combined
application jd-msad-ntp;
application jd-msad-kerberosauth;
application jd-msad-dcops;
application jd-msad-netbios;
application jd-msad-ldap;
application jd-msad-smb;
application jd-msad-kerberospasswd;
application jd-msad-gc;
application jd-msad-dynamic-rpc;
application jd-msad-dns;
> show configuration applications application jd-msad-dynamic-rpc
term t1 protocol tcp destination-port 49152-65535;
term t2 protocol udp destination-port 49152-65535;

So, lots of hits on the policy which permits Active Directory traffic, but almost no traffic hits the permit-all rule. This is good, so my Active Directory rule is probably working and I can probably disable the permit-all rule soon.

Just to be safe though, let's check the log server. I log everything that hits the permit-all policy, so I should see 24 hits on the log server.

On the log server, which is running Logstash+Kibana+Elasticsearch, I searched for "permit-all" and I got 1708 matching logs during the last hour, when the actual count should be only 24. Hm. Weird. What did I do wrong? Let's check the actual 1708 log entries:

Time				src-ip  	dst-ip  	dst-port
April 29th 2016, 12:32:45.474	10.33.50.34	10.33.12.8	49155
April 29th 2016, 12:32:39.358	10.33.51.241	10.33.12.8	49155
April 29th 2016, 12:32:38.125	10.33.51.69	10.33.12.9	49155
April 29th 2016, 12:32:37.813	10.33.51.165	10.33.12.8	49155
April 29th 2016, 12:32:30.328	10.33.50.152	10.33.12.8	49155
April 29th 2016, 12:32:29.935	10.33.51.148	10.33.12.8	49155
April 29th 2016, 12:32:28.004	10.33.51.122	10.33.12.8	49155
April 29th 2016, 12:32:26.966	10.33.50.134	10.33.12.9	49155
April 29th 2016, 12:32:24.547	10.33.50.245	10.33.12.9	49159
April 29th 2016, 12:32:23.747	10.33.50.197	10.33.12.9	49155
April 29th 2016, 12:32:23.582	10.33.50.215	10.33.12.8	49155
April 29th 2016, 12:32:22.718	10.33.50.239	10.33.12.8	49155
April 29th 2016, 12:32:22.048	10.33.50.82	10.33.12.9	49155
April 29th 2016, 12:32:21.287	10.33.50.62	10.33.12.8	49155
April 29th 2016, 12:32:19.503	10.33.50.194	10.33.12.8	49155
April 29th 2016, 12:32:16.256	10.33.50.214	10.33.12.8	49155
April 29th 2016, 12:32:15.899	10.33.51.240	10.33.12.8	49155
April 29th 2016, 12:32:15.390	10.33.51.45	10.33.12.9	49155
April 29th 2016, 12:32:10.835	10.33.50.207	10.33.12.8	49155
April 29th 2016, 12:32:08.696	10.33.50.87	10.33.12.8	49155
April 29th 2016, 12:32:06.246	10.33.50.156	10.33.12.16	27422
April 29th 2016, 12:32:06.172	10.33.50.156	10.33.12.16	27422
April 29th 2016, 12:32:04.661	10.33.50.64	10.33.12.9	49155
April 29th 2016, 12:31:59.535	10.33.50.138	10.33.12.9	49155
April 29th 2016, 12:31:52.091	10.33.50.73	10.33.12.9	49155
April 29th 2016, 12:31:47.407	10.33.50.105	10.33.12.9	49155
April 29th 2016, 12:31:46.582	10.33.50.97	10.33.12.8	49155
April 29th 2016, 12:31:46.573	10.33.50.97	10.33.12.8	49159
April 29th 2016, 12:31:46.571	10.33.50.97	10.33.12.8	49155
...
LOTS MORE
...<SNIP>

Whoa. What is this? Ports 49155 and 49159? Those ports are allowed by the jd-msad-dynamic-rpc application and should never hit the permit-all policy.

So I re-did the search, this time removing all matching entries with dst-ports in the 49152-65535 range. The number of matching sessions I got now was 24, which is exactly what the permit-all policy hit-count was reporting.

So, something is very wrong here. Hit-counts are reporting one number, but the log server is seeing something else. I see at least two possible bug scenarios:

1. The permit-msad policy isn't working and the traffic is actually hitting the permit-all policy, but for some reason the hit-count isn't updated.

2. The permit-msad policy is working and the permit-all hit-count is correct, but for some reason the box sends out logs for sessions in the 49152-65535 range hitting the permit-all policy even though they never really exist.

Please ask if something isn't clear. I tried to make this as simple to understand as possible.

Comments appreciated!
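The reconciliation the poster did by hand (take the sessions logged against permit-all, drop the ones whose destination port is already covered by the application-set of the preceding policy, and compare what is left with the hit-count) can be scripted so it runs against every export instead of a single Kibana search. The following Python is an added example, not code from the post or from Juniper. It uses a constructed tab-separated log format that mirrors the table above (time, src-ip, dst-ip, dst-port) with protocol and policy columns added as assumptions; only the jd-msad-dynamic-rpc port term is taken from the page, the other application entries in the table are assumed values.

```python
"""Reconcile an SRX policy hit-count against the session logs for that policy.

Added example; not code from the forum post or from Juniper. Every session
logged as hitting the catch-all policy (permit-all) is checked against the
application-set of the more specific policy evaluated before it (permit-msad).
A logged permit-all session whose proto/port that application-set covers
should not exist, so any such session points at either a policy-evaluation
or a logging inconsistency, which is what the poster observed.
"""
from collections import Counter
from dataclasses import dataclass

# Port terms of the application-set. Only jd-msad-dynamic-rpc (tcp/udp
# 49152-65535) is given on the page; the other entries are assumptions based
# on commonly used Active Directory ports and only make the classifier realistic.
APP_SET_PORTS = {
    "jd-msad-dynamic-rpc": [("tcp", 49152, 65535), ("udp", 49152, 65535)],
    "jd-msad-ldap": [("tcp", 389, 389), ("udp", 389, 389)],        # assumption
    "jd-msad-kerberosauth": [("tcp", 88, 88), ("udp", 88, 88)],    # assumption
    "jd-msad-dns": [("tcp", 53, 53), ("udp", 53, 53)],             # assumption
}


@dataclass(frozen=True)
class Session:
    time: str
    src: str
    dst: str
    proto: str
    dport: int
    policy: str


def parse_line(line):
    """Parse one constructed, tab-separated record:
    time, src-ip, dst-ip, proto, dst-port, policy-name."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError("expected 6 tab-separated fields: %r" % line)
    time, src, dst, proto, dport, policy = fields
    return Session(time, src, dst, proto.lower(), int(dport), policy)


def matching_app(proto, dport):
    """Return the application term covering proto/dport, or None."""
    for name, terms in APP_SET_PORTS.items():
        for term_proto, lo, hi in terms:
            if proto == term_proto and lo <= dport <= hi:
                return name
    return None


def reconcile(lines, logged_policy="permit-all", hit_count=None):
    """Classify the sessions logged against `logged_policy`.

    Sessions the application-set already covers are counted per term
    ("covered_by_app_set"); the rest could legitimately have reached the
    catch-all and are compared against the hit-count the firewall reports.
    """
    sessions = [parse_line(ln) for ln in lines if ln.strip()]
    logged = [s for s in sessions if s.policy == logged_policy]
    covered = Counter()
    legit = []
    for s in logged:
        app = matching_app(s.proto, s.dport)
        if app is None:
            legit.append(s)
        else:
            covered[app] += 1
    return {
        "total_logged": len(logged),
        "covered_by_app_set": dict(covered),
        "legitimate": len(legit),
        "legitimate_ports": sorted({s.dport for s in legit}),
        "consistent_with_hit_count": hit_count is None or len(legit) == hit_count,
    }


# Constructed sample log shaped like the poster's Kibana table, with proto and
# policy columns added. Five sessions on dynamic-RPC ports are logged against
# permit-all although the application-set covers them; three are not covered.
SAMPLE_LOG = "\n".join([
    "2016-04-29T12:32:45.474\t10.33.50.34\t10.33.12.8\ttcp\t49155\tpermit-all",
    "2016-04-29T12:32:39.358\t10.33.51.241\t10.33.12.8\ttcp\t49155\tpermit-all",
    "2016-04-29T12:32:24.547\t10.33.50.245\t10.33.12.9\ttcp\t49159\tpermit-all",
    "2016-04-29T12:32:22.048\t10.33.50.82\t10.33.12.9\tudp\t49155\tpermit-all",
    "2016-04-29T12:32:10.835\t10.33.50.207\t10.33.12.8\ttcp\t49155\tpermit-all",
    "2016-04-29T12:32:06.246\t10.33.50.156\t10.33.12.16\ttcp\t27422\tpermit-all",
    "2016-04-29T12:32:06.172\t10.33.50.156\t10.33.12.16\ttcp\t27422\tpermit-all",
    "2016-04-29T12:31:50.000\t10.33.50.97\t10.33.12.8\ttcp\t443\tpermit-all",
    "2016-04-29T12:31:46.573\t10.33.50.97\t10.33.12.8\ttcp\t389\tpermit-msad",
])
SAMPLE_HIT_COUNT = 3  # constructed: what the firewall's hit-count would report


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG.splitlines(), hit_count=SAMPLE_HIT_COUNT)
    for key, value in report.items():
        print("%-26s %s" % (key, value))
```

On the constructed sample the three uncovered sessions agree with the hit-count while five covered ones are still logged, which is the poster's second scenario in miniature; a report where the uncovered count is far above the hit-count would instead point at the first scenario. Feeding a real export means only replacing `SAMPLE_LOG` with lines in the same six-field shape.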

SRX1500 Cluster - Possible bug with reth interfaces


Hi,

This is a pretty new product and I'm configuring a chassis cluster of it.

I'm running the current recommended version 15.1X49-D40, and I found a problem that, if it is a bug, is very bad, because it is very basic stuff that works on the other SRX clusters I have configured during my life.

For example, I have a reth interface running LACP and composed of interfaces ge-0/0/0-1 and ge-7/0/0-1, configured like this:

show configuration interfaces reth0
vlan-tagging;
redundant-ether-options {
    redundancy-group 1;
    minimum-links 1;
    lacp {
        active;
    }
}
unit 40 {
    vlan-id 40;
    family inet {
        address 1.1.1.1/24;
    }
}
unit 100 {
    vlan-id 100;
    family inet {
        address 192.168.21.1/24;
    }
}

where I have just created vlan 40. The other interfaces were already there and working.

I committed the configuration and noticed that the interface was not working.

I used the command show interfaces terse, and this is what I get:

Interface        Admin Link Proto Local            Remote
ge-0/0/0         up    up
ge-0/0/0.100     up    up    aenet --> reth0.100
...
ge-0/0/1         up    up
ge-0/0/1.100     up    up    aenet --> reth0.100
...
ge-7/0/0         up    up
ge-7/0/0.100     up    up    aenet --> reth0.100
...
ge-7/0/1         up    up
ge-7/0/1.100     up    up    aenet --> reth0.100
...
reth0.40         up    down  inet  1.1.1.1/24
reth0.100        up    up    inet  192.168.21.1/24
...

As you can see, reth0.40 was created, but the interfaces that are part of reth0 do not have the logical interface .40.

I tried committing again, rollback, everything, but no results.

When I fail over RG0 to the other node and issue show interfaces terse, there they are:

Interface        Admin Link Proto Local            Remote
ge-0/0/0         up    up
ge-0/0/0.40      up    up    aenet --> reth0.40
ge-0/0/0.100     up    up    aenet --> reth0.100
...
ge-0/0/1         up    up
ge-0/0/1.40      up    up    aenet --> reth0.40
ge-0/0/1.100     up    up    aenet --> reth0.100
...
ge-7/0/0         up    up
ge-7/0/0.40      up    up    aenet --> reth0.40
ge-7/0/0.100     up    up    aenet --> reth0.100
...
ge-7/0/1         up    up
ge-7/0/1.40      up    up    aenet --> reth0.40
ge-7/0/1.100     up    up    aenet --> reth0.100

As you might imagine, it is not very nice having to fail over RG0, with all the consequences that brings, just to add a new logical interface to the firewall.

This also happens when I delete an interface.

It looks like some failure of communication between the CP and the DP.

Does anyone have experience with this?

I'm tempted to roll back to the previous version, but since it is a v1, I'm not very fond of the idea.

I'll open a case, but the serial numbers are not yet loaded in support, so I'm asking here in case anyone might have some idea.

Thanks

Paulo

DHCP Client not working?

Software Version: JUNOS Software Release [12.1X46-D35.1]
Bios Version: 1.9

I have configured the DHCP client on ge-0/0/0.0 as described on this site. I have also troubleshot using all the tips on this site.

Basically: adding dhcp to the interface and adding dhcp to the trust zone.

My interface does not get an IP address, and using monitor it never appears to send out a discover. The renew command does not help. Is the DHCP client broken in this release, or am I missing something?

admin# run show system services dhcp client

Logical Interface name ge-0/0/0.0
Hardware address 00:24:dc:df:81:40
Client status init
Address obtained 0.0.0.0
Update server enabled


IP-based QoS


Can I configure IP-based QoS on an SRX240?

I consulted the configuration guide.

The class must be DSCP/IP PR/TOS.

SRX100 - VPN Problem: packet dropped, no way(tunnel) out


Hello,

I'm quite new with Junos, and I have set up an SRX100 and configured a VPN between the SRX and an ISG1000.

The VPN is up and traffic is OK from the PC behind the SRX to the other LAN, but it's not working from the LAN before the ISG1000 to the SRX trust or loopback.

Here are my logs, and I can see "packet dropped, no way(tunnel) out".

I've heard that error is caused by 2 VPNs being set up on the same interface, but I have only one VPN.

Also, something strange is that I have 2 SAs on my monitor...

fw1-cg13(M)-> get db stream
**st: <Trust|ethernet3/1|Root|0> 48286c0: 3f3a:10.1.222.230/1->10.224.124.237/7565,1,60
****** 8317225.0: <Trust/ethernet3/1> packet received [60]******
ipid = 16186(3f3a), @048286c0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet3/1:10.1.222.230/30053->10.224.124.237/1,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet3/1>, out <N/A>
chose interface ethernet3/1 as incoming nat if.
IP classification from non-shared src if : vsys Root
flow_first_routing: in <ethernet3/1>, out <N/A>
search route to (ethernet3/1, 10.1.222.230->10.224.124.237) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 94.route 10.224.124.237->192.168.254.249, to ethernet3/2
routed (x_dst_ip 10.224.124.237) from ethernet3/1 (ethernet3/1 in 0) to ethernet3/2
IP classification from non-shared dst if : vsys Root
Cross vsys set nat crt vsys:Root, pak vsys:Root, vsys:Root, result:0
policy search from zone 2-> zone 1004
policy_flow_search policy search nat_crt from zone 2-> zone 1004
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.224.124.237, port 55285, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/183/0x9
Permitted by policy 3
No src xlate choose interface ethernet3/2 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet3/2
vsd 0 is active
no loop on ifp ethernet3/2.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet3/1>, out <ethernet3/2>
existing vector list 20-24b9f464.
Session (id:503390) created for first pak 20
flow_first_install_session======>
route to 192.168.254.249
arp entry found for 192.168.254.249
ifp2 ethernet3/2, out_ifp ethernet3/2, flag 00800000, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet3/2, 10.224.124.237->10.1.222.230) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet3/1
[ Dest] 67.route 10.1.222.230->192.168.2.250, to ethernet3/1
route to 192.168.2.250
arp entry found for 192.168.2.250
ifp2 ethernet3/1, out_ifp ethernet3/1, flag 00800001, tunnel ffffffff, rc 1
flow got session.
flow session id 503390
flow_main_body_vector in ifp ethernet3/1 out ifp ethernet3/2
flow vector index 0x20, vector addr 0x24b9f464, orig vector 0x24b9f464
vsd 0 is active
post addr xlation: 10.1.222.230->10.224.124.237.
packet send out to 001b17000114 (cached) through ethernet3/2
**st: <Trust-Int|ethernet1/1|fw-in-cg13|0> 4828840: 3f3a:10.1.222.230/1->10.224.124.237/7565,1,60
****** 8317225.0: <Trust-Int/ethernet1/1> packet received [60]******
ipid = 16186(3f3a), @04828840
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1/1:10.1.222.230/30053->10.224.124.237/1,1(8/0)<fw-in-cg13>
no session found
flow_first_sanity_check: in <ethernet1/1>, out <N/A>
chose interface ethernet1/1 as incoming nat if.
IP classification from non-shared src if : vsys fw-in-cg13
flow_first_routing: in <ethernet1/1>, out <N/A>
search route to (ethernet1/1, 10.1.222.230->10.224.124.237) in vr internet-vr for vsd-0/flag-0/ifp-null
cached route 0 for 10.224.124.237
add route 187 for 10.224.124.237 to route cache table
[ Dest] 187.route 10.224.124.237->10.224.131.177, to tunnel.8
routed (x_dst_ip 10.224.124.237) from ethernet1/1 (ethernet1/1 in 0) to tunnel.8
IP classification from non-shared dst if : vsys fw-in-cg13
Cross vsys set nat crt vsys:fw-in-cg13, pak vsys:fw-in-cg13, vsys:fw-in-cg13, result:0
policy search from zone 1003-> zone 1005
policy_flow_search policy search nat_crt from zone 1003-> zone 1005
RPC Mapping Table search returned 0 matched service(s) for (vsys fw-in-cg13, ip 10.224.124.237, port 55285, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 2328/93/0x9
Permitted by policy 2328
No src xlate NHTB entry search not found: vpn none tif tunnel.8 nexthop 10.224.131.177
packet dropped, no way(tunnel) out

I have set up all policies and services as any/any; I really don't know where the problem is.

I attach my configuration, if someone can help me a bit.

Thanks

SRX VoIP Configuration


Hello all!

I have a setup with 2 SRX220s in a clustered setup. They have about 25 IP phones/devices connecting to Vonage Business (Vocalocity) over a dual-WAN setup. I have filters and NAT configured to put the VoIP traffic (separate VLAN) on ISP1, which is about 80x60 Mbps, while standard/regular data uses ISP2, which is a 100x100 Mbps connection.

All of a sudden, after a power cycle, VoIP is working horribly. They are getting dropped calls and tons of one-way audio. SIP ALG is disabled, and I've recently also enabled a UDP timeout of 180 seconds. Nothing is working. We had the voice traffic on ISP2 until yesterday, but the problem, which started Thursday (coinciding with the power cycle), is still happening.

Any ideas? I'd also like to get feedback on prioritization. I don't technically need it, as my router has 2 ISP connections and I'm using one for voice and one for data, so I shouldn't have a contention issue, but I would like to make sure the voice is given every opportunity to survive.

I'm running 12.1X44-D20.3 on both SRX220s. Clustering is working, as is all other traffic inbound and outbound. I have several VPNs for remote sites, and client VPNs, and all is working seemingly correctly. The only thing that is strange is that phone calls are having issues. This is a fairly high-volume sales floor, so calls are very important.

Anyway, please give your thoughts and ideas!

Thanks in advance!

Sean Garland

Garland Tech

SRX IPv6 Heartbeat Tunnel with SixXS PoPs


Hi

Is there a way to set up a heartbeat tunnel with a SixXS PoP on SRX devices? (I am running it in packet mode to avoid complications.)

I know a static tunnel can be set up, but I couldn't find any information on a heartbeat tunnel with SixXS.

Regards
Oscar

vlan interface apparently not up without fe-0/0/x ethernet-switching family members


Hello,

I have a config with a bunch of ethernet-switching fe-0/0/x interfaces and one vlan.0 interface. The vlan.0 interface runs ssh and some other services. I am trying to access the ssh server running on 192.168.1.1 via an ipsec tunnel into the device.

Question: when all of the fe-0/0/x interfaces are down (no computer plugged into any of them), will the ssh server still be accessible on vlan.0? It seems that the ssh server is running on vlan.0 only when one or more of the fe-0/0/x interfaces are up.

Thank you,

Chris

Interfaces

vlan.0 - family inet w/ private ip 192.168.1.1
fe-0/0/1 - family ethernet-switching on vlan-trust
fe-0/0/2 - family ethernet-switching on vlan-trust

vlans

vlans {
    vlan-trust {
        vlan-id 4;
        l3-interface vlan.0;
    }
}


Skype Business desktop sharing


I am unable to get our SRX220 to fully support Skype 4 Business desktop sharing in a branch office. Skype4B calls, internet access etc. work without any problems; only desktop sharing fails 9 out of 10 times.

For testing purposes the SRX has a minimum config with NAT between an external zone and an internal zone, generated by the install wizard.

Under flow I have no-syn-check and no-sequence-check. The SIP ALG is disabled. All other settings are default to keep things simple. No licenses for UTM or IDS are enabled.

I have tried the releases 12.1X45-D50, 12.1X46D45 and even 12.3X48D25 to test the new SIP ALG TCP support.

Replacing the SRX with a cheap consumer router/firewall that does simple NAT with a default config works without problems.

Any suggestions to get the SRX to support Skype4B\Lync are highly appreciated.


Console access to SRX without serial?


Serial console access is becoming more difficult of late, with laptops not including a serial port and USB serial dongles being temperamental. Is there a way to connect via Ethernet to an SRX and get an effective console? It would have to be a true console which shows booting and allows console commands.


SRX3600 Fabric Link (fab0/fab1) over Cisco Switch


Hello,

I have just taken an SRX3600 cluster into operation and have the following problem.

The control link of the SRX3600 cluster consists of two dark fibers, and the fabric/data link is connected via two Cisco switches (keepalive switches). The keepalive switches are also connected with dark fiber. The ports for the fabric links are in VLAN 883.

Cisco Switch ---fab0--- SRX3600 (node0) ---- Control Link (dark fiber) ---- SRX3600 (node1) ---fab1--- Cisco Switch

set interfaces fab0 fabric-options member-interfaces ge-0/0/0      --->   (Cisco Switch (left) Gi1/0/37)
set interfaces fab0 fabric-options member-interfaces ge-0/0/1      --->   (Cisco Switch (left) Gi1/0/38)
set interfaces fab1 fabric-options member-interfaces ge-13/0/0   --->   (Cisco Switch (right) Gi1/0/37)
set interfaces fab1 fabric-options member-interfaces ge-13/0/1   --->   (Cisco Switch (right) Gi1/0/38)

On the Cisco switch the following settings are made:
    no ip igmp snooping
    System Jumbo MTU size is 9198 bytes

Problem:
    the following warning appears in the Cisco switch log:
    %SW_MATM-4-MACFLAP_NOTIF: Host 2c21.7887.3377 in vlan 883 is flapping between port Gi1/0/37 and port Gi1/0/38

Question:
What's the correct setting on the ports Gi1/0/37 and Gi1/0/38?
- An EtherChannel with "mode on" (no LACP)
- An EtherChannel with "mode active" (with LACP)    [is it possible to use LACP on fab0/fab1?]


SRX3400 routing doesn't obey the static route


Hi experts

I have a very weird circumstance going on right now that I can't figure out.

I have destination IP C in zone outside.

I have source IP A in zone inside1.

I have source IP B in zone inside2.

I have a default route to D, which is a big site router. Because of our setup, router D does not have any routes for C.

I have a static route E on the FW that says: for C, go out on interface reth2.2341.

I have a traceroute from source IP A to dest IP C. The traceroute shows it going through the FW and going out via the default route to D configured on the firewall. This obviously does not match my static route.

I also have a traceroute from B to dest IP C. The traceroute shows it going through the FW and towards the interface reth2.2341 towards C. This matches my static route.

I don't know why it is behaving this way. I have gone through the routing table and it doesn't seem to contain anything that it shouldn't.

Also, C can ping A, but A can't ping C.

The necessary policies are already in place.

I am running

Model: srx3400
JUNOS Software Release [12.1X46-D20.5]

Thanks for any insight you guys can provide.


Setting up QoS on SRX110 for VoIP -- home environment, single VLAN

I have an SRX110 in my home. I have a VoIP phone, and with the DSL connection I am not getting enough bandwidth (particularly upload speed; people complain "I can't hear you" even though I hear them perfectly). There is only the default VLAN, and the SRX is connected (across the home) to an access point where the phone and PC are plugged in. So phone and PC are on the same port in the eyes of the SRX.

How can I set up some QoS? I think somewhere I specify the upload/download speed of my overall connection and then make sure that so many bps are allocated to the phone (can I do this by IP or MAC address?). I have just one VLAN. Again, this is a very basic setup.

I have good knowledge of SRX but have never had to use QoS (we run these in datacenters where we have 1 Gbps or 10 Gbps connections; the main issue there is usually the number of connections, not bandwidth). Any assistance is appreciated. I searched on Google and cannot find something specific for my case: single VLAN, SRX port shared by multiple devices. How do I do QoS?

[SOLVED] Multi-VLAN in same Zone (not forwarding packets from hosts on either subnet)


Quick question (and probably easy, I'm just not finding it).

On an SRX240H2 using Junos 12.1X44-D45.2

I have 2 VLANs in the same zone. (vlan.5 is newly added to this zone; vlan.1 has long been working.)

The routing table looks normal.

VLAN.1 is on ae0 (untagged), while VLAN.5 is on ae2 (untagged).

Both VLANs are added to the appropriate zone, and their interfaces are set to accept all traffic.

The SRX240 can ping devices on both VLANs. No problem.

A device on VLAN.1 cannot ping either the FW's .1 address on VLAN.5 or any host on VLAN.5.

I remember on ScreenOS there was a switch for blocking intrazone traffic. Is there something similar for Junos? If not, what else am I missing?

Thanks,

   -Ben

SRX configuration question


Hi All,

Currently we have an SRX and do static NAT for 3 servers on the DMZ for public access to these servers (configuration 1.jpg).

Now we rent another leased line connected to the SRX firewall; the purpose of this leased line is for users in a specific region to access the 3 servers' services (configuration 2.jpg).

My question is:

How do I configure the SRX so that both WAN1 and WAN2 can access the servers?

Thanks

Alex
