Channel: SRX Services Gateway topics

How to reserve bandwidth for the IPSec traffic in SRX240 cluster?


Hi guys, 

I'm facing some issues with bandwidth usage and it's affecting the performance of the VPN tunnels terminating on an SRX240 cluster running JUNOS 12.3X48-D65.1.

 

We have a symmetric internet line, 50 Mbps up/down. I wonder if there is a way to reserve, say, 25 Mbps only for the IPsec VPN traffic.

 

Any help would be much appreciated

Thanks
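One way to reserve a share of the uplink on a branch SRX is class-of-service: mark the traffic that will enter the tunnel with a multifield classifier on the LAN-facing interface, then give that forwarding class a guaranteed share of a shaped WAN interface. The configuration below is an added example, not from the original post or from Juniper; the interface names (ge-0/0/1 as LAN, ge-0/0/0 as WAN; in a cluster these would be the reth interfaces), the remote VPN prefix 10.200.0.0/16 and the scheduler names are assumptions. Two points matter for a working result: the scheduler map has to cover best-effort and network-control too, otherwise everything outside the reserved class is starved, and the shaping-rate is what makes "50 percent" mean 25 of 50 Mbps on a gigabit port. Egress scheduling only controls what the SRX sends; the inbound rate is set by the ISP.

```junos
## Added example (not from the post). Assumed: LAN on ge-0/0/1.0, WAN on ge-0/0/0,
## remote VPN subnet 10.200.0.0/16 (placeholder), contracted rate 50 Mbps.

## 1. Mark packets that will be sent through the VPN with the expedited-forwarding class (queue 1).
set firewall family inet filter MARK-VPN term to-vpn from destination-address 10.200.0.0/16
set firewall family inet filter MARK-VPN term to-vpn then forwarding-class expedited-forwarding
set firewall family inet filter MARK-VPN term to-vpn then loss-priority low
set firewall family inet filter MARK-VPN term to-vpn then accept
set firewall family inet filter MARK-VPN term other then accept
set interfaces ge-0/0/1 unit 0 family inet filter input MARK-VPN

## 2. Schedulers: VPN class is guaranteed 50% of the shaped rate (25 of 50 Mbps) and may borrow
##    unused bandwidth; best-effort keeps most of the rest; network-control keeps a small share
##    so routing protocol and IKE keepalive packets are not crowded out.
set class-of-service schedulers SCHED-VPN transmit-rate percent 50
set class-of-service schedulers SCHED-VPN buffer-size percent 50
set class-of-service schedulers SCHED-BE transmit-rate percent 45
set class-of-service schedulers SCHED-BE buffer-size percent 45
set class-of-service schedulers SCHED-NC transmit-rate percent 5
set class-of-service schedulers SCHED-NC buffer-size percent 5
set class-of-service scheduler-maps MAP-WAN forwarding-class expedited-forwarding scheduler SCHED-VPN
set class-of-service scheduler-maps MAP-WAN forwarding-class best-effort scheduler SCHED-BE
set class-of-service scheduler-maps MAP-WAN forwarding-class network-control scheduler SCHED-NC

## 3. Shape the WAN interface to the contracted rate and attach the map.
set class-of-service interfaces ge-0/0/0 shaping-rate 50m
set class-of-service interfaces ge-0/0/0 scheduler-map MAP-WAN
```

After the commit, `show interfaces queue ge-0/0/0` shows whether VPN traffic is actually landing in queue 1 and whether that queue is dropping; if the queue counters stay at zero while the tunnel carries traffic, the classifier is not matching and the reservation is not in effect.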


Problems and more problems in an SRX340 cluster.... the never-ending story


Hi guys, 

This story is coming from here https://forums.juniper.net/t5/SRX-Services-Gateway/Junos-upgrade-fails-on-SRX340-cluster-from-15-1X49-D170-4-to-17/td-p/467752

 

I was struggling to upgrade an SRX340 cluster to a newer Junos version, and finally, with the help of some gurus, I managed to upgrade to version 18.3R2.7 on both nodes. Now, however, sometimes the HA shows fine, but sometimes it shows an amber HA LED, and the output of the regular commands is as below:

 

root@SPCFW-BRAVO> show chassis firmware  
node0:
--------------------------------------------------------------------------
Part                     Type       Version
FPC 0                    O/S        Version 18.3R2.7 by builder on 2019-05-03 09:17:52 UTC
FWDD                     O/S        Version 18.3R2.7 by builder on 2019-05-03 09:17:52 UTC

node1:
--------------------------------------------------------------------------
Part                     Type       Version
FPC 0                    O/S        Version 18.3R2.7 by builder on 2019-05-03 09:17:52 UTC
FWDD                     O/S        Version 18.3R2.7 by builder on 2019-05-03 09:17:52 UTC
root@SPCFW-BRAVO> show chassis cluster information 
node0:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: primary, Weight: 255

        Time            From                 To                   Reason
        Sep 11 20:57:13 hold                 secondary            Hold timer expired
        Sep 11 20:57:22 secondary            primary              Better priority (200/100)

    Redundancy Group 1 , Current State: primary, Weight: 0

        Time            From                 To                   Reason
        Sep 11 20:57:13 hold                 secondary            Hold timer expired
        Sep 11 20:57:24 secondary            primary              Remote yield (0/0)

Chassis cluster LED information:
    Current LED color: Amber
    Last LED change reason: Monitored objects are down
Control port tagging:                   
    Disabled

Failure Information:

    Coldsync Monitoring Failure Information:
        Statistics:
            Coldsync Total SPUs: 1
            Coldsync completed SPUs: 0
            Coldsync not complete SPUs: 1

    Fabric-link Failure Information:
        Fabric Interface: fab0
          Child interface   Physical / Monitored Status     
          ge-0/0/2              Up   / Down 

node1:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: secondary, Weight: 0

        Time            From                 To                   Reason
        Sep 11 20:57:21 hold                 secondary            Hold timer expired

    Redundancy Group 1 , Current State: secondary, Weight: -255

        Time            From                 To                   Reason
        Sep 11 20:57:22 hold                 secondary            Hold timer expired

Chassis cluster LED information:
    Current LED color: Amber
    Last LED change reason: Monitored objects are down
Control port tagging:
    Disabled

Failure Information:

    Coldsync Monitoring Failure Information:
        Statistics:
            Coldsync Total SPUs: 1
            Coldsync completed SPUs: 0
            Coldsync not complete SPUs: 1

    Fabric-link Failure Information:    
        Fabric Interface: fab1
          Child interface   Physical / Monitored Status     
          ge-5/0/2              Up   / Down 

{secondary:node1}
root@SPCFW-BRAVO> show chassis cluster status        
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring              
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring
Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 0
node0  200      primary              no      no       None           
node1  0        secondary            no      no       FL             

Redundancy group: 1 , Failover count: 0
node0  0        primary              yes     no       CS             
node1  0        secondary            yes     no       CS FL          
root@SPCFW-BRAVO> show chassis cluster interfaces 
Control link status: Up

Control interfaces: 
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       fxp1        Up                 Disabled      Disabled  

Fabric link status: Down

Fabric interfaces: 
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    ge-0/0/2           Up   / Down               Disabled   
    fab0   
    fab1    ge-5/0/2           Up   / Down               Disabled   
    fab1   

Redundant-ethernet Information:     
    Name         Status      Redundancy-group
    reth0        Down        Not configured   
    reth1        Up          1                
    reth2        Down        Not configured   
    reth3        Down        Not configured   
    reth4        Down        Not configured   
                                        
Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0                

It seems that, for some reason I can't understand, fab0 ge-0/0/2 comes up sometimes and goes down other times.

 

Any help would be much appreciated

Thanks!

WAN links failover for internal hosts


Hi, Guys,

 

My scenario is below:

1. SRX345 HA structure in our DC, and two ISP internet links for public access.

2. Some hosts in LAN, and some hosts are NATed.

3. Hosts are connected with one LAN cable (only one NIC ).

4. WAN links are default route to ISP gateways.

 

Any advice to configure the SRX, so hosts understand which WAN link is available/which WAN link is unreachable ( for going out to the public )?

 

Many thanks in advance.

Benson LEI

 

 

 

Upgrade SRX240h-DC soft from 11.2R4.3 to Junos-12.1X46-D40.2-domestic


Hello, guys!

I have a problem during the software upgrade. Here are the logs:

Using junos-12.1X46-D40.2-domestic from /altroot/cf/packages/install-tmp/junos-12.1X46-D40.2-domestic
Copying package ...
Verified manifest signed by PackageProductionRSA_2015
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Network security daemon: warning: You have changed mpls flow mode.
Network security daemon: You have to reboot the system for your change to take effect.
Network security daemon: If you have deployed a cluster, be sure to reboot all nodes.
Network security daemon: warning: Inet flow mode has been changed to packet-based mode for mpls mode modification.
Network security daemon:
Network security daemon: warning: You must reboot the system for your change to take effect.
Network security daemon: If you have deployed a cluster, be sure to reboot all nodes.
Connectivity fault management process: rtslib: ERROR kernel does not support all messages: expected 102 got 98,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg notify msg: expected 0 got 216,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg residx: expected 98 got 95,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg unknown: expected 98 got 6,a reboot or software upgrade may be required
Connectivity fault management process:
mgd: commit complete
Validation succeeded
Validating against /config/rescue.conf.gz

Network security daemon: warning: You have changed mpls flow mode.
Network security daemon: You have to reboot the system for your change to take effect.
Network security daemon: If you have deployed a cluster, be sure to reboot all nodes.
Network security daemon: warning: Inet flow mode has been changed to packet-based mode for mpls mode modification.
Network security daemon:
Network security daemon: warning: You must reboot the system for your change to take effect.
Network security daemon: If you have deployed a cluster, be sure to reboot all nodes.
Connectivity fault management process: rtslib: ERROR kernel does not support all messages: expected 102 got 98,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg notify msg: expected 0 got 216,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg residx: expected 98 got 95,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg unknown: expected 98 got 6,a reboot or software upgrade may be required
Connectivity fault management process:
mgd: commit complete
Validation succeeded

Should I skip these warnings and reboot the SRX for the upgrade?

Maybe I should upgrade the SRX to some other version?

[Security Zone] Hosts in Untrust zone cannot see clients in Trust zone


I have a diagram below:

(attached diagram: Capture2.PNG)

PCs in Server can ping to the Internal zone and access the internet, but PCs in Internal cannot ping to PCs in the Server zone.

My config:

version 15.1X49-D45;
system {
    host-name SRX300;
    time-zone GMT;
    root-authentication {
        encrypted-password "$5$8kb6Dbns$HzBuge65ChSgNudUNDDmfhLQ/0Qr44i7NJcG6rf8Wa2"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/1.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                router {
                    192.168.1.1;
                }
            }
            pool 192.168.2.0/24 {
                address-range low 192.168.2.2 high 192.168.2.254;
                router {
                    192.168.2.1;
                }
            }
            propagate-settings ge-0/0/0;
        }
    }                                   
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }                               
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set Server-nat {
                from zone Server;
                to zone Internet;
                rule Server-nat1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;             
                }
            }
        }
        from-zone Server to-zone Internet {
            policy Server-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone Server {
            policy Internet-Server {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }                               
        security-zone Internet {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone Server {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }                               
    }
}

How can I fix that problem? Thank you!
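The posted configuration has policies for Internal to Internet, Server to Internet and Internet to Server, but none for the Internal to Server direction, and Junos denies inter-zone traffic that no policy matches. The lines below are an added example, not part of the posted configuration; the policy name is an assumption, and the application is deliberately limited to ping (the thing being tested) rather than `any`, so the Internal zone only gets the services the servers are meant to offer.

```junos
## Added example, not part of the posted config. Assumed: policy name Internal-Server.
## Internal -> Server: allow ping; append junos-ssh, junos-http, etc. to the application
## list as needed instead of opening "any".
set security policies from-zone Internal to-zone Server policy Internal-Server match source-address any
set security policies from-zone Internal to-zone Server policy Internal-Server match destination-address any
set security policies from-zone Internal to-zone Server policy Internal-Server match application junos-ping
set security policies from-zone Internal to-zone Server policy Internal-Server then permit
set security policies from-zone Internal to-zone Server policy Internal-Server then log session-close

## Check the policy ordering and hit counts after the commit (operational mode).
show security policies from-zone Internal to-zone Server
show security policies hit-count from-zone Internal to-zone Server
```

While reviewing the same config, note that the Internet-Server policy permits any source, destination and application from the Internet zone into the Server zone. With ge-0/0/0 on DHCP and no destination NAT it is not reachable that way today, but it is broader than anything the servers need, and narrowing it to the published services is the safer baseline.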

 

Juniper SRX SIP UDP Timeout


Hi,

 

My VoIP system allows customers to set any SIP destination they wish and all works great. My system is set up on the SRX as a static NAT, but I have come across an issue where, if the B leg of the call ends the call, the BYE is not received by our VoIP system. I believe that the issue is the UDP timeout.

So on the initial SIP signalling, all is OK as my system initiates the communications via an INVITE to the external system. NAT is allowing them to respond. But for calls that exceed the timeout, when that external server sends a BYE maybe 20+ minutes later to close the call, the Juniper has long since closed that ability off.

 

What do people do in this instance, set the UDP timeout to 3 hours or so? Adding the customers' IPs into my firewall isn't an option as these are done on the fly by the customer and can change at any time.

Thanks
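Rather than lengthening the idle timeout for every UDP flow, Junos lets the timeout be set per application, and the session created by the outbound INVITE inherits the timeout of the application that the permitting policy matched. The configuration below is an added example, not from the post: the VoIP server address 10.0.0.10/32, the zone names trust/untrust and the policy name are assumptions. Scoping the long timeout to the server's signalling port keeps the rest of the session table on the default timers.

```junos
## Added example (not from the post). Assumed: VoIP server 10.0.0.10/32, zones trust and untrust.

## Custom SIP application with a 3-hour idle timeout (seconds). Only sessions matched by a
## policy that references this application get the long timeout; other UDP keeps the default.
set applications application SIP-UDP-LONG protocol udp
set applications application SIP-UDP-LONG destination-port 5060
set applications application SIP-UDP-LONG inactivity-timeout 10800

## Limit the policy to the VoIP server as source; destinations stay "any" because the
## customers' SIP peers change on the fly.
set security address-book global address VOIP-SERVER 10.0.0.10/32
set security policies from-zone trust to-zone untrust policy VOIP-OUT match source-address VOIP-SERVER
set security policies from-zone trust to-zone untrust policy VOIP-OUT match destination-address any
set security policies from-zone trust to-zone untrust policy VOIP-OUT match application SIP-UDP-LONG
set security policies from-zone trust to-zone untrust policy VOIP-OUT then permit
set security policies from-zone trust to-zone untrust policy VOIP-OUT then log session-close

## Operational checks: confirm the session now carries the long timeout, and whether the
## SIP ALG is active, since an active ALG changes how the signalling session is timed out.
show security flow session destination-port 5060
show security alg status
```

The policy has to be ordered before any broader trust-to-untrust rule that would otherwise catch port 5060 traffic first; `show security policies` lists the evaluation order.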

IPSEC between SRX and Cisco asa


Hello,

 

I would like to set up an IPsec connection between an SRX340 and a Cisco ASA firewall. Inside my network I have the SRX directly connected via an interconnect supplier (datacenter network) towards the ISP. We are using their dedicated servers/SRX/switches, and we also received a public range of 5.200.5.80/29. The firewall has reth0.100 as the "internet" interface and the firewall itself has 5.200.5.81 as its IP address. Then interfaces ge-0/0/7.1409 and ge-5/0/7.2409 are directly connected towards the datacenter with a private range. Also, within my network I have different zones: ot-application, ap-application, etc.

 

Now I need to set up IPsec; do I need to use a policy-based VPN or a route-based VPN? I know that Cisco ASA only supports policy-based VPN. So, regarding the SRX having different zones, which one do I need most to set up the IPsec connection? How do I implement this in combination with the different zones? Also, do I need to create a NAT exemption to exclude traffic from NAT ("IPsec does not work over NAT")? Does anyone have an example of how to set this up, or an idea?

 

 

Zones:

untrust -  ge-0/0/7.1409 and ge-5/0/7.2409 towards datacenter interconnect routers have private IP's

trust - reth0.100  internet ("public range", source-NAT ip of the public range)

ot-application - reth1.30

ap-application - reth1.20

 

i have attached a topology.

 

thanks

SNAT & DNAT Question


Hello Folks,

 

I would like to know whether my NAT code is correct or incorrect for migrating from an existing Cisco configuration.

 

Cisco Code

ip nat outside source static 3.0.34.32 72.16.28.122
ip nat outside source static 3.0.34.33 72.16.28.123

Juniper SNAT Code

set security nat source pool POOL-SNAT-PI address 72.16.28.122/32
set security nat source pool POOL-SNAT-PI port no-translation
set security nat source pool POOL-SNAT-TI address 72.16.28.123/32
set security nat source pool POOL-SNAT-TI port no-translation

set security nat source rule-set SNAT-TO-UNTRUST from zone LAN
set security nat source rule-set SNAT-TO-UNTRUST to zone LAN

set security nat source rule-set SNAT-TO-UNTRUST rule PI match source-address 3.0.34.32/32
set security nat source rule-set SNAT-TO-UNTRUST rule PI then source-nat pool POOL-SNAT-PI

set security nat source rule-set SNAT-TO-UNTRUST rule TI match source-address 3.0.34.33/32
set security nat source rule-set SNAT-TO-UNTRUST rule TI then source-nat pool POOL-SNAT-TI

Juniper DNAT Code

set security nat destination pool POOL-DNAT-PI address 3.0.34.32/32
set security nat destination pool POOL-DNAT-TI address 3.0.34.33/32

set security nat destination rule-set DNAT-TO-TRUST  from zone LAN
set security nat destination rule-set DNAT-TO-TRUST  to zone LAN

set security nat destination rule-set DNAT-TO-TRUST rule PI match destination-address 72.16.28.122/32
set security nat destination rule-set DNAT-TO-TRUST  rule PI then destination-nat pool POOL-DNAT-PI

set security nat destination rule-set DNAT-TO-TRUST rule TI match destination-address 72.16.28.123/32
set security nat destination rule-set DNAT-TO-TRUST rule TI then destination-nat pool POOL-DNAT-TI

 

I am wondering about the configuration lines between the Cisco code and my Juniper code (are they correct?). Cisco implements this SNAT and DNAT in two rules while Juniper needs 20 lines ;-)

 

Is it possible to shrink my NAT configuration, or is the code completely wrong for my purpose?

 

Thanks & Best Regards

R.

 

 


SRX345 PKI to Cisco Ca Server


Trying to get my SRX to pull PKI certs from a Cisco CA server. Used the configuration I found for Auto Discovery VPNs. Are the SRXs able to pull from a Cisco CA?

Weird, weird, weird issue (poor upload performance) on SRX240 cluster


Hi guys, 

We have been facing a really weird issue in the last 2 weeks. 

We have a branch office with a few users. We have a Dell switch stack with 4 switches, and a Juniper SRX240 firewall cluster with JUNOS 12.3X48-D65.1.

 

The internet line is a metro line, guaranteed symmetric 50/50 Mbps.

Since 2 weeks ago, the upload performance has been really bad, which impacts everything, especially the IPsec tunnels. In the speedtests we run within the ISP ring, it always shows 50-51 Mbps stable in download, but upload is 5 to 10 Mbps, no more. Obviously if you run the speedtest against a remote server (outside our ISP network) the upload speed will then be as poor as 1.8-3 Mbps. Terrific.

 

The thing is that we thought there was saturation in the upstream, but after many tests and reports, we have checked that the usage of the line is less than 10%. Average usage is around 8 Mbps out of 50 for download, and around 3.5 Mbps out of 50 for upload...

 

Today we took a laptop and connected it straight to the ISP router, with the same IP as the public one of the firewall, and repeated the test. Immediately we got more than 51 Mbps in 3 consecutive tests. Then we connected the cable back to the switch and the next test, from a PC inside the network, was 8.1 Mbps again....

 

TBH I'm running out of ideas. There must be "something", either in the firewall or in the switch... We checked the switchports: no errors, no CRCs, no packet loss, CPU in both devices stays low, etc. We also performed a failover of the SRX cluster.... nothing worked.

 

Any help will be much appreciated

 

Thanks

 

show security flow statistics


Hi all,

 

Statistics were last cleared 4 days ago. Version: 12.3X48-D35.7.... There are 3 non-IPsec links and 1 IPsec link to connect to multiple data centres including AWS.

Some questions:

1-) Please see the output below..... Where is this massive "Packets dropped: 20342396" coming from? Is it a routing issue or an ACL/firewall filter issue? How do I determine the root cause? If you think some packets need to be captured for analysis, please provide a pcap configuration. Can the Monitor/tcpdump tool also be used? If yes, please provide the config.

 

650srx> show security flow statistics
             Current sessions: 23729
            Packets forwarded: 10808291964
            Packets dropped: 20342396-------->>>>>??????
            Fragment packets: 6454423-------->>>>>???????

 

2-) There are also "Fragment packets: 6454423" happening.... As the current tcp-mss is 1300, is this from the IPsec and non-IPsec links? This MSS value is for TCP communications. If this is not happening on TCP communication, is it from UDP communications? If it is happening on UDP, why doesn't Junos have any MSS adjustment value for UDP communications? If some packets need to be captured, can you provide a firewall filter config and on which interfaces (IPsec, non-IPsec interface)? Furthermore, if it is happening on UDP, isn't it a wrong design to have UDP sessions within IPsec?

 

3-) Or are you thinking this is a Junos software version bug not showing correct statistics?

 

 

Thx

A.

Management of an SRX 345 cluster question


Can anyone tell/confirm/deny for me IF it is possible to manage an SRX cluster on a 'revenue'/data port and NOT on the fxp0/mgmt port? I have a very small network, 4 VLANs, that I am looking to take off of a switch and move 'up' to a firewall, which would now be the top layer of the infrastructure and hold all of the gateways at the interface/zone level. I don't have another network to assign to the MGMT/FXP0 ports, so I'd rather not have to use it if I don't need to. All of the traffic here is internal and there shouldn't even be a need for any routes, as everything to/from anything else has to pass the firewall, which knows where to route to.

 

I suppose if a revenue port cannot also be used as a management port I could just configure the fxp0 ports in the groups statements with some random local network and put a dedicated workstation on that subnet to manage it, but I would obviously prefer not to if I can just use one of the reth interfaces to manage via SSH/J-Web.

 

thanks!

SRX345 does not support RPM ICMP-PING?


Hi, Guys,

Just would like to know if the SRX345 supports RPM icmp-ping for the IP SLA feature?

Since the following link mentions :

( On SRX340 devices, the RPM server operation with icmp is not supported. The RPM server works fine with TCP and UDP )

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-rpm-overview.html 

 

If so, for testing the IP of the ISP gateway with an SRX345, which way will be best:

1. The ISP does not provide a UDP port or TCP port for the RPM test

2. HTTP is not the common protocol nowadays

 

Thanks for advice

 

Benson LEI
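This serves two posts above: "WAN links failover for internal hosts" (hosts keep the SRX as their only gateway; the SRX itself decides which ISP default route is active) and this question about RPM icmp-ping. The quoted restriction concerns the SRX acting as RPM *server* (responder); the client-side icmp-ping probe is what ip-monitoring consumes. The configuration below is an added example, not from either post or from Juniper documentation: ISP1 on ge-0/0/0.0 with gateway 203.0.113.1 and ISP2 on ge-0/0/1.0 with gateway 198.51.100.1 are placeholders, and that the probe target answers ICMP is an assumption worth verifying, since some ISP gateways rate-limit or drop echo requests.

```junos
## Added example (not from the posts). Placeholders: ISP1 gateway 203.0.113.1 via ge-0/0/0.0,
## ISP2 gateway 198.51.100.1 via ge-0/0/1.0.

## Normal state: default via ISP1 (better preference); ISP2 route present but worse.
set routing-options static route 0.0.0.0/0 qualified-next-hop 203.0.113.1 preference 5
set routing-options static route 0.0.0.0/0 qualified-next-hop 198.51.100.1 preference 10

## RPM client probe: ICMP echo to the ISP1 gateway, pinned to the ISP1 interface and next-hop
## so that after a failover the probe cannot be answered through ISP2 and flap back.
set services rpm probe ISP1-PROBE test GW-REACH target address 203.0.113.1
set services rpm probe ISP1-PROBE test GW-REACH probe-type icmp-ping
set services rpm probe ISP1-PROBE test GW-REACH probe-count 3
set services rpm probe ISP1-PROBE test GW-REACH probe-interval 2
set services rpm probe ISP1-PROBE test GW-REACH test-interval 5
set services rpm probe ISP1-PROBE test GW-REACH thresholds successive-loss 3
set services rpm probe ISP1-PROBE test GW-REACH destination-interface ge-0/0/0.0
set services rpm probe ISP1-PROBE test GW-REACH next-hop 203.0.113.1

## IP monitoring: while the probe is failing, install a default route via ISP2 (preference 1 by
## default, so it wins over both statics); it is withdrawn again once the probe recovers.
set services ip-monitoring policy ISP1-FAILOVER match rpm-probe ISP1-PROBE
set services ip-monitoring policy ISP1-FAILOVER then preferred-route route 0.0.0.0/0 next-hop 198.51.100.1

## Operational checks.
show services rpm probe-results
show services ip-monitoring status
```

Hosts need no change: their gateway is the SRX, and the SRX swaps its own default route. Existing sessions were NATed to the ISP1 address and will not survive the switch; new sessions need a source-NAT rule that covers the ISP2 egress zone as well.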

 

 

 

KMD_INTERNAL_ERROR:


Hi all,

 

There are 80 spokes and 2 hubs. Please see the configurations:

HUB:
650srxHUB> show configuration | display set | match grp_ike_GW_store-common_parameters
set groups grp_ike_GW_store-common_parameters security ike gateway <*> ike-policy policy-ike
set groups grp_ike_GW_store-common_parameters security ike gateway <*> dead-peer-detection
set groups grp_ike_GW_store-common_parameters security ike gateway <*> external-interface ge-1/0/1.0
set security ike apply-groups grp_ike_GW_store-common_parameters

 

650srxHUB> show configuration security ike | display set
set security ike apply-groups grp_ike_GW_store-common_parameters
set security ike proposal proposal_ike authentication-method pre-shared-keys
set security ike proposal proposal_ike dh-group group2
set security ike proposal proposal_ike authentication-algorithm sha1
set security ike proposal proposal_ike encryption-algorithm aes-256-cbc
set security ike proposal proposal_ike lifetime-seconds 86400
set security ike policy policy-ike mode aggressive
set security ike policy policy-ike proposals proposal_ike
set security ike policy policy-ike pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXX"
set security ike gateway gw-ike-store13 dynamic hostname ZZZZZZZ
set security ike gateway gw-ike-store17 dynamic hostname QQQQQQQ
set security ike gateway gw-ike-store25 dynamic hostname WWWWWWW
....
......
........


650srxHUB> show configuration security ipsec | display set
set security ipsec apply-groups grp-ipsec-vpn-common-parameters
set security ipsec vpn-monitor-options interval 2
set security ipsec vpn-monitor-options threshold 3
set security ipsec proposal pro-ipsec protocol esp
set security ipsec proposal pro-ipsec authentication-algorithm hmac-sha1-96
set security ipsec proposal pro-ipsec encryption-algorithm aes-256-cbc
set security ipsec proposal pro-ipsec lifetime-seconds 3600
set security ipsec policy po-ipsec proposals pro-ipsec
set security ipsec vpn ipsec-vpn-dc-to-store13 bind-interface st0.13
set security ipsec vpn ipsec-vpn-dc-to-store13 ike gateway gw-ike-store13
set security ipsec vpn ipsec-vpn-dc-to-store17 bind-interface st0.17
set security ipsec vpn ipsec-vpn-dc-to-store17 ike gateway gw-ike-store17
set security ipsec vpn ipsec-vpn-dc-to-store25 bind-interface st0.25
.....
.......
..........


Spokes:

240srxspoke> show configuration security ike | display set
set security ike proposal proposal_ike authentication-method pre-shared-keys
set security ike proposal proposal_ike dh-group group2
set security ike proposal proposal_ike authentication-algorithm sha1
set security ike proposal proposal_ike encryption-algorithm aes-256-cbc
set security ike proposal proposal_ike lifetime-seconds 86400
set security ike policy policy-ike mode aggressive
set security ike policy policy-ike proposals proposal_ike
set security ike policy policy-ike pre-shared-key ascii-text "XXXXXXXXXXXYYYYYYYYYY"

set security ike gateway gatew-ike-xxx-SecGateHub_001 ike-policy policy-ike
set security ike gateway gatew-ike-xxx-SecGateHub_001 address 10.10.10.148
set security ike gateway gatew-ike-xxx-SecGateHub_001 dead-peer-detection
set security ike gateway gatew-ike-xxx-SecGateHub_001 local-identity hostname XXXXXXXX
set security ike gateway gatew-ike-xxx-SecGateHub_001 external-interface at-1/0/0.0--------->adsl

set security ike gateway gatew-ike-xxx-SecGateHub_002 ike-policy policy-ike
set security ike gateway gatew-ike-xxx-SecGateHub_002 address 10.20.10.149
set security ike gateway gatew-ike-xxx-SecGateHub_002 dead-peer-detection
set security ike gateway gatew-ike-xxx-SecGateHub_002 local-identity hostname kv1095srx001
set security ike gateway gatew-ike-xxx-SecGateHub_002 external-interface at-1/0/0.0-------->adsl

240srxspoke> show configuration security ipsec | display set
set security ipsec vpn-monitor-options interval 2
set security ipsec vpn-monitor-options threshold 3
set security ipsec proposal pr-ipsec protocol esp
set security ipsec proposal pr-ipsec authentication-algorithm hmac-sha1-96
set security ipsec proposal pr-ipsec encryption-algorithm aes-256-cbc
set security ipsec proposal pr-ipsec lifetime-seconds 3600
set security ipsec policy po-ipsec proposals pr-ipsec
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 bind-interface st0.0
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 vpn-monitor optimized
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 ike gateway gatew-ike-xxx-SecGateHub_001
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 ike ipsec-policy po-ipsec
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 establish-tunnels immediately

set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 bind-interface st0.1
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 vpn-monitor optimized
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 ike gateway gatew-ike-xxx-SecGateHub_002
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 ike ipsec-policy po-ipsec
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 establish-tunnels immediately

240srxspoke>

Some considerations:

 

   1-) 650srxhub>show log kmd------->the following log constantly occurs. Any idea for troubleshooting?

KMD_INTERNAL_ERROR: iked_ui_event_handler: usp ipc connection for iked show CLI was SHUTDOWN due to error in receiving msg or age out of connection or flowd going down etc. Reconnect to pfe..

 

  2-) There is no manual MTU configuration for the st0 interface. Why is MTU: 9192 there? Does this cause a problem?

   3-) There is also no manual "Interface flags" config under st0 at the hub and all spokes. But the output shows "Point-To-Point". Is this correct?

  4-) Is there any configuration error? What do you think?

5-) "No route present: XXXX" -----> how to troubleshoot why this increases?

6-) "No SA for incoming SPI: XXXXXX" -----> how to troubleshoot why this increases?

 

650srxhub>show interfaces extensive st0
Physical interface: st0, Enabled, Physical link is Up
Interface index: 130, SNMP ifIndex: 503, Generation: 133
Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192, Speed: Unspecified
Hold-times : Up 0 ms, Down 0 ms
Device flags : Present Running
Interface flags: Point-To-Point
Statistics last cleared: Never
Traffic statistics:
Input bytes : 16561729719545 10160800 bps
Output bytes : 33143824397621 58283768 bps
Input packets: 81681946401 9362 pps
Output packets: 85238822440 10482 pps

 

Thx

A.

Adding Administrative distance to OSPF routes?


I have two SRX Routers on my edge, each to a different ISP.

Router 1 has a 10G internet connection

Router 2 has a 1G internet connection. 

Router 1 publishes 0.0.0.0 via OSPF

 

My campus router sees the published route and the users on the campus use it for internet.

 

I'd like to publish 0.0.0.0 via OSPF on router 2 as well, but give it a higher administrative distance so that the campus router prefers the 10G internet circuit over the 1G.  

 

Is it possible to add AD to an OSPF route?  Am I going about this all wrong?


SRX on a stick


Hi everyone. I want to implement inter-VLAN routing on an SRX 650. I used this configuration to implement inter-VLAN routing:

interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 10 {
            vlan-id 10;
            family inet {
                address 192.168.10.254/24;
            }
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 192.168.20.254/24;
            }
        }
    }
}

but when I commit, the SRX returns this message:

'Unit  0 ' 

VLAN-ID must be specified on tagged  ethernet Interfaces 

error: configuration check-out failed 
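The commit error quoted above is the one Junos raises when an interface has `vlan-tagging` enabled but one of its logical units carries no `vlan-id`. The message names 'Unit 0', which does not appear in the snippet, so an untagged unit 0 left over from an earlier or factory-default configuration is the usual cause. As an added example (not the original poster's configuration) here is the same two-VLAN router-on-a-stick setup in set-command form, with the stray unit 0 removed and the SRX-specific pieces that the curly-brace snippet leaves out: on an SRX the logical interfaces also need a security zone and a policy before inter-VLAN traffic is forwarded. The zone name `lan` and the policy name `vlan10-vlan20` are assumptions; the `#` lines are explanatory comments, not configuration.

```junos
# Added example: inter-VLAN routing on one tagged interface (router on a stick).
# Not the original poster's configuration; zone and policy names are assumptions.

# Remove any leftover untagged unit 0. With vlan-tagging set, every unit on the
# interface must have a vlan-id, which is what the commit error reports for 'Unit 0'.
delete interfaces ge-0/0/0 unit 0

set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 10 vlan-id 10
set interfaces ge-0/0/0 unit 10 family inet address 192.168.10.254/24
set interfaces ge-0/0/0 unit 20 vlan-id 20
set interfaces ge-0/0/0 unit 20 family inet address 192.168.20.254/24

# An SRX forwards nothing through a logical interface that is not in a security zone
# (zone name "lan" is an assumption).
set security zones security-zone lan interfaces ge-0/0/0.10
set security zones security-zone lan interfaces ge-0/0/0.20

# Traffic between the two VLANs is intra-zone here and still needs a permit policy
# (policy name is an assumption); narrow the match terms to what the VLANs need.
set security policies from-zone lan to-zone lan policy vlan10-vlan20 match source-address any
set security policies from-zone lan to-zone lan policy vlan10-vlan20 match destination-address any
set security policies from-zone lan to-zone lan policy vlan10-vlan20 match application any
set security policies from-zone lan to-zone lan policy vlan10-vlan20 then permit

# Validate before committing; this is where the VLAN-ID error would reappear if a
# unit without a vlan-id still exists under the tagged interface.
commit check
```

`show configuration interfaces ge-0/0/0` before the change will show whether a unit 0 is present; if the error persists after `commit check`, look for another unit under the same interface that lacks a `vlan-id` rather than adding `vlan-id` to the units already shown.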

 

How to view streaming logs via Jweb


I have a cluster of SRX 345’s

Junos version is 15.1X49-D124.3

 

I manage them via jweb and I just want to know how or where I can go to view the live streaming firewall traffic logs once they have traffic flowing through them. I'm used to utilizing NSM or space for management and viewing the logs there was pretty easy. I cannot seem to find how or where to enable and view this locally and it is a critical troubleshooting tool that I want to be clear on before I put these into production.

 

Thanks

Are there any sites that verify and set up PPPoE servers and clients between SRXs?


Are there any sites that verify and set up PPPoE servers and clients between SRXs?

Hub and Spoke VPNs from SRX340 to Other non Juniper VPN router



                                              ---VPN------- 192.168.30.254/24 (Other VPN Router) 192.168.50.0/24
192.168.10.0/24 (SRX) 192.168.20.254/24 ------|
                                              ---VPN------- 192.168.40.254/24 (Other VPN Router) 192.168.60.0/24

 

I am trying to create a hub and spoke route based VPN system.  192.168.10.0 subnet needs to talk to 192.168.50.0 and 60.0 subnets, but they do not need to talk to each other.  I have not been successful in finding the right examples.  The examples I have found all seem to use a multipoint tunnel interface with an IP address.  The other VPN routers I am using do not have the functionality to put an IP address on the tunnel interface so I cannot do this.  I was able to get a single VPN tunnel working correctly and then I used that config to create the second tunnel, but changed the IKE gateway, proxy IDs and bound it to st0.1 instead of st0.0.  Everything else was the same.

 

I appear to get both tunnels, but they go up and down and I cannot pass traffic on both at the same time.  Can anyone point me to an example for this, or possibly may have tried to do the same and run into the same problem?

SRX , SSG - Query


Hi All ,

 

Just a small query about NATing.

 

In the 1st site (SSG5) I have MIPped a free usable public IP to a server on the LAN network, and I can SSH to this server remotely, but the issue is that I cannot access the web interface of the same server. I have installed the same but different server in another site (SRX320), but there, as I did not have enough public IPs, I had to do static NAT using the firewall IP with ports, i.e. port 22 for SSH and port 8083 for web interface access to this server. In this scenario the web interface is accessible with Publicip:8083, but when I mapped one full public IP in the first scenario, i.e. with the SSG5, it did not work. Any inputs on this please?

 

But when i checked the sessions on the SSG5 i could see there is Creation & Close - TCP RST

 

Regards

Shaan
