Channel: SRX Services Gateway topics

Multiple VLAN gateways on physical interface


I am trying to use an SRX 340 gateway to terminate multiple VLANs coming in from a switch on a VLAN trunk (tagged), and allow routing between two of them but not another. The SRX does not need to switch the VLANs between any other ports. I also serve DHCP on one of the VLAN interfaces.

I tried to do this the way I thought it should be done, with irb interfaces, but I could not get it working. I then tried it a different way using VLAN sub-interfaces and I was able to get it working. My understanding is that using sub-interfaces is deprecated, so I want to get it working the proper way.

So my first question is how I should be approaching this. Is using irb interfaces the right way to do it, or, since I don't actually need to switch, should I be doing it a different way? The config I created for irb is as follows, and I was not able to see ARP requests or anything else coming from the switch on any VLANs.

SRX firmware version is junos-srxsme-15.1X49-D160.2

set system host-name TEST_Q
set system time-zone GMT
set system services ssh
set system services telnet
set system services dhcp-local-server group dhcp_maint interface irb.20

set system services web-management http interface fxp0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency

set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5

set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security address-book global address NM_SUBNET 10.207.8.0/24
set security address-book global address MAINT_SUBNET 10.207.22.0/24
set security address-book global address CORP_SUBNET 10.205.0.0/16
set security screen ids-option untrust-screen icmp ping-death

set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024

set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match source-address NM_SUBNET
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match destination-address MAINT_SUBNET
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match application any
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT then permit
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match source-address MAINT_SUBNET
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match destination-address NM_SUBNET
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match application any
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM then permit

set security policies default-policy deny-all

set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ntp
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ntp
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services https
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ssh

set security zones security-zone CORP interfaces irb.30 host-inbound-traffic system-services ping
set interfaces fxp0 unit 0 family inet address 192.168.1.1/24

set interfaces ge-0/0/1 unit 0 family inet address 192.168.255.126/31
set interfaces ge-0/0/6 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members all

set interfaces irb unit 10 family inet address 10.207.8.1/24
set interfaces irb unit 20 family inet address 10.207.22.1/24
set interfaces irb unit 30 family inet address 10.207.62.1/24

set access address-assignment pool dhcp_pool_maint family inet network 10.207.22.0/24
set access address-assignment pool dhcp_pool_maint family inet range r1 low 10.207.22.101
set access address-assignment pool dhcp_pool_maint family inet range r1 high 10.207.22.125
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes name-server 10.207.22.1
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes router 10.207.22.1


set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10


DHCP always an issue for me on Juniper srx240


I have posted multiple times about the DHCP lease time on my Juniper SRX240 router.

Here is my configuration for the DHCP lease time:

dhcp {
    pool 10.10.0.0/16 {
        address-range low 10.10.1.28 high 10.10.255.254;
        maximum-lease-time 6048000;
        default-lease-time 6048000;
        router {
            10.10.0.1;
        }
    }
}

But yet when the router restarts, most of the hosts lose their IP address.

I am unable to set static IPs, and yet DHCP refuses to respect the lease time I gave to allow hosts to keep their IPs for a very long time.

Can someone please tell me what I am not doing right, or whether the Juniper SRX240 router is just useless with DHCP?

It is useless if a router cannot respect the DHCP lease time, as it is disastrous every time a restart happens and I have to remap all the IPs all over again.

So annoying, and it is with anger that I am typing this.

RTP Stream


Hi

I am having an issue passing RTP streams across a site-to-site VPN between an SRX340 and an SRX1500, which I would welcome advice on.

My VPN is established and the routing is good. The network on the 340 can ping the phone system (Avaya) on the LAN of the 1500 and you can call between sites; however, there is no speech. The security on both sides is open across the VPN and the ALG status on both is as follows:

DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Enabled
SCCP : Disabled
SIP : Enabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Enabled

 

Any pointers would be welcome!

Hub-Spoke VPN config between SRX and Cisco & HP routers


Hi All,

Need your help on the below concern.

I need to build a Hub-Spoke VPN between the head office and branch offices.

SRX is the Hub.

Cisco and HP routers are the Spokes.

Can somebody tell me about the method I need to follow to build the hub-and-spoke tunnels? Mainly, I need to stop creating more config on the hub side for every spoke's VPN, because we have 1000+ spokes.

ARP table problem


Hello everybody, I am new to the Juniper world, so apologies if this is something very basic.

I have set up one of the ports on an SRX300 to connect to a fibre optic hub with a static IP. Currently I am using a Draytek and all works fine.

Now, when I plug the network cable into the ge-0/0/0 interface, I get an internet connection straight away. If I unplug the cable, then plug it back in, the connection resumes immediately (and so does the VPN connection).

However, if I connect the cable back to the Draytek for whatever reason, and then back to the Juniper, the internet connection doesn't come back.

If I try to ping 8.8.8.8 I get no response until I clear the ARP table. When I do that, the internet connection is back, but the VPN continues to refuse to connect until I restart the Juniper; then it's all back to normal.

What am I missing? Is this normal behaviour?

SRX340 Firmware upgrade


Hello, I am pretty new to managing the SRX 340 and 300. I was assigned by my manager to upgrade the SRX 300/340 firmware. I have a couple of questions on upgrading.

Do I need to upgrade the main office first (SRX 340), then upgrade the remote branch (SRX 300)?

Or can I upgrade the remote branch first? Also, if I upgrade the remote branch SRX, will the site-to-site VPN tunnel still work even though the main office SRX is still on the old firmware?

Can anyone please help me on where to start and also point me to any documentation on best practice for this?

Is it possible to put two vlans or interfaces on the same port?


Hello!!

I want to put several ports and VLANs on a bridge but at the same time have virtual routers on the same port; is that possible?
I've been trying for several days and looking for information on "bridge domains". I need to have 2 VLANs on one port and another VLAN on another port, but it gives me this error:

root@srx# commit check
[edit bridge-domains bd1]
'vlan-id-list'
domain-type can not be specified under vlan-id-list
error: configuration check-out failed: (statements constraint check failed)

[edit]
root@srx#

 

How can I put 2 VLANs or interfaces on the same bridge? It tells me that with vlan-id-list it is not possible. Thanks for your help.

PS: If you need any information, do not hesitate to ask me. Thank you.

SRX-300 J-Web ERR_TUNNEL_CONNECTION_FAILED https access


Hi There,

I am trying to access J-Web on my SRX; unfortunately, when I try to browse to it over HTTPS (I have tried Chrome and IE) I am unable to connect. For instance, on Chrome I get the error ERR_TUNNEL_CONNECTION_FAILED. If I try HTTP to the device I get "Could Not Connect, Description: Could not connect to the requested server host." I can ping the device and SSH to it from my machine. I have tried restarting it and restarting the web-management service.

Has anybody seen this before?

Thanks for your time!


Is there URGENT/11 Vulnerabilities on SRX?


Hi,

I have been looking into URGENT/11 and trying to see if Juniper SRX devices are affected in any way.

Are SRX devices affected by any of these CVEs?

If they are, would the latest SRX version patch against them?

CVE             CVSSv3 Score  Component           Title
CVE-2019-12256  9.8           TCP/IP Stack        Stack overflow in the parsing of IPv4 packets' IP options
CVE-2019-12257  8.8           DHCP Client         Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
CVE-2019-12255  9.8           TCP Urgent Pointer  TCP Urgent Pointer = 0 leads to integer underflow
CVE-2019-12260  9.8           TCP Urgent Pointer  TCP Urgent Pointer state confusion caused by malformed TCP AO option
CVE-2019-12261  8.8           TCP Urgent Pointer  TCP Urgent Pointer state confusion during connect() to a remote host
CVE-2019-12263  8.1           TCP Urgent Pointer  TCP Urgent Pointer state confusion due to race condition
CVE-2019-12258  7.5           TCP Connection      DoS of TCP connection via malformed TCP options
CVE-2019-12259  6.3           TCP/IP Stack        DoS via NULL dereference in IGMP parsing
CVE-2019-12262  7.1           ARP Handler         Handling of unsolicited Reverse ARP replies (Logical Flaw)
CVE-2019-12264  7.1           DHCP                Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
CVE-2019-12265  5.4           IGMP                IGMP Information leak via IGMPv3 specific membership report

Juniper SRX web filtering issue with additional proxy server


Problem:

Currently we are using the UTM web filtering feature to allow only whitelisted web sites through the Juniper SRX firewall using "juniper-local", and it is working fine normally.

If the device is configured to use a proxy server, the Juniper UTM does not get used, i.e. even the sites not allowed through the Juniper UTM get accessed.

The expected behaviour that we want: the internal device should use the Juniper whitelist feature and, if allowed, the request is passed to the external proxy server to check whether the requested site is allowed or not; if allowed, the web request is successful and the content is shown to the user. This is a kind of double proxy server feature, i.e. only if allowed by both is the web content allowed, else it is blocked.

Example:

Suppose the external proxy server is in the untrust zone with IP 10.123.113.116 and port 3128. After applying this proxy on a device inside the trust zone (Internet Explorer -> Internet Options -> Connections -> LAN Settings -> Proxy server), given that the proxy port is allowed through the security policy, all internet access gets allowed, i.e. the Juniper whitelist is not checked. According to "show security flow session", the internet traffic is passed through port 3128 and not by HTTP/HTTPS.

This is even though the relevant security policy includes the proxy port (3128) and the action is permit with application-services -> utm-policy <utm-policy-name>.

My expectation was that this should apply the UTM policy, but it doesn't.

Please see the configuration file "Juniper-SRX-Local.conf", section Security -> UTM and Security -> policies -> from-zone Treatment_zone to-zone Hospital_zone -> policy Allow-Mosaiq-Internet, where "Hospital_zone" is the only untrust zone and the rest are all trust zones.

Next, we tried websense-redirect, where we configured the external proxy server as the websense-redirect server host. (Configuration file attached.)

If we do not include this proxy server in the web browser's Internet connection LAN settings, we can see that Juniper web filtering works, but then it does not check the external proxy server (i.e. sites allowed at UTM but blocked on the external proxy server get allowed). If we include this proxy server in the Internet Options LAN settings, then Juniper web filtering does not get used.

Can this be done using Enhanced Web Filtering (we haven't tested it, as it is a licensed feature)?

Juniper SRX and Office 365


Hello,

Has anyone had success with using App-ID signatures to permit Office 365 application traffic? I'm specifically looking at the SRX550 (really hoping it will support this feature and we don't have to replace it!)

What licence would you need to purchase to use this feature?

Many Thanks!

Nick

Traffic only flows in one direction through a route-based VPN between SRX and Palo Alto


Hi, guys,

I have come across a strange issue when trying to create a VPN tunnel between an SRX100 and a Palo Alto (the tunnel is UP and stable). When I enable source NAT on the SRX, a client computer behind the Palo Alto can't communicate with a client behind the SRX, but the client behind the SRX can communicate with the client behind the Palo Alto. When I remove the source NAT, everything works fine, but then the local clients behind the SRX can't access the internet as there is no source NAT. If I route all the traffic through the VPN tunnel, then everything also works fine. I will post my configuration below; it would be really helpful if someone could please point me in the right direction to solve the issue.

(172.18.40.1/27)srx----------internet------------paloalto(172.16.0.0/16)

set version 12.1X46-D86
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet address 233.54.23.23/25
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 10.0.0.1/24
set interfaces vlan unit 0 family inet address 172.18.40.1/27
set routing-options static route 0.0.0.0/0 next-hop 234.38.76.76
set protocols stp
set security ike policy asianet mode main
set security ike policy asianet proposal-set standard
set security ike policy asianet pre-shared-key ascii-text "$9$H.T36/t1RSHqCuOBSy24aJi.QF/tu1ZU/tu0hc"
set security ike gateway ike-asianet ike-policy asianet
set security ike gateway ike-asianet address 233.45.65.75
set security ike gateway ike-asianet external-interface fe-0/0/0
set security ipsec policy asianetvpn proposal-set standard
set security ipsec vpn ike-asianet bind-interface st0.0
set security ipsec vpn ike-asianet ike gateway ike-asianet
set security ipsec vpn ike-asianet ike ipsec-policy asianetvpn
set security ipsec vpn ike-asianet establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match destination-address 172.16.0.0/16
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule then source-nat off
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces st0.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

Policy Based VPN on SRX5600 with SPC3


I have configured a policy-based VPN on an SRX5600 with an SPC3. The configuration was previously working on another SRX with an SPC-2. The debug shows the message below:

[EXT] [PEER] [xx.xx.xx.xx <-> yy.yy.yy.yy]  peer-schema look-up failed for local-ip xx.xx.xx.xx remote-ip yy.yy.yy.yy vr-id 6

Has anyone experienced this?

Issue communicating with Network from SRX300


Strange issue; I must be forgetting something in the config.

Scenario:

Datacenter<-- |VPN Connection| --> SRX300<---> EX2300-C

* I cannot ping our Datacenter from the SRX300, but I can ping it from the EX switch.

* If I disconnect the switch from the SRX300 I lose connection to the SRX300 completely. I cannot SSH or ping even though the tunnel is up. I reconnect the switch and everything comes back up.

* Traceroute from the SRX300 shows nothing. Traceroute from the EX works correctly.

The switch config is simple: a trunk with all VLANs included between the SRX and EX. The native VLAN is "1". All ports are configured for one of the three VLANs we use.

Config of the SRX:

set version 17.3R2.10
set system host-name SRX300
set system root-authentication encrypted-password "xxxxxx"
set system name-server 8.8.8.8
set system services ssh root-login allow
set system services telnet
set system services xnm-clear-text
set system services dhcp-local-server group CorpDHCP interface irb.1
set system services dhcp-local-server group CorpWIFI interface irb.24
set system services dhcp-local-server group Guests interface irb.136
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security ike policy corporate mode main
set security ike policy corporate proposal-set standard
set security ike policy corporate pre-shared-key ascii-text "xxxx"
set security ike gateway corp-gw ike-policy corporate
set security ike gateway corp-gw address xx.xx.xx.xx
set security ike gateway corp-gw local-identity inet xx.xx.xx.xx
set security ike gateway corp-gw external-interface ge-0/0/5
set security ipsec policy corp-ipsec-vpn proposal-set standard
set security ipsec vpn corp-vpn bind-interface st0.0
set security ipsec vpn corp-vpn vpn-monitor
set security ipsec vpn corp-vpn ike gateway corp-gw
set security ipsec vpn corp-vpn ike ipsec-policy corp-ipsec-vpn
set security ipsec vpn corp-vpn establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat source rule-set guest-to-untrust from zone GuestiNet
set security nat source rule-set guest-to-untrust to zone untrust
set security nat source rule-set guest-to-untrust rule source-nat-guest match source-address 10.255.7.160/27
set security nat source rule-set guest-to-untrust rule source-nat-guest then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone VPN policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match application any
set security policies from-zone trust to-zone VPN policy trust-to-vpn then permit
set security policies from-zone VPN to-zone trust policy VPN-to-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-to-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-to-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-to-trust then permit
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match source-address any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match destination-address any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match application any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.1 host-inbound-traffic system-services all
set security zones security-zone trust interfaces irb.1 host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.24
set security zones security-zone trust interfaces irb.120 host-inbound-traffic system-services all
set security zones security-zone trust interfaces irb.120 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ping
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services traceroute
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services ping
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services dhcp
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 native-vlan-id 1
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Workstation
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Workstation
set interfaces ge-0/0/5 unit 0 family inet address xx.xx.xx.xx/27
set interfaces ge-0/0/6 unit 0
set interfaces ge-0/0/7 unit 0
set interfaces irb unit 1 family inet address 10.255.7.1/27
set interfaces irb unit 24 family inet address 10.255.7.33/27
set interfaces irb unit 120 family inet address 10.255.7.129/27
set interfaces irb unit 136 family inet address 10.255.7.161/27
set interfaces st0 unit 0 description "Tunnel Interface to ChiDataCenter"
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet mtu 1500
set interfaces st0 unit 0 family inet address 10.250.110.7/24
set routing-options static route 10.0.0.0/8 next-hop 10.250.110.110
set routing-options static route xx.xx.xx.xx/32 next-hop xx.xx.xx.xx
set routing-options static route 0.0.0.0/0 next-hop xx.xx.xx.xx
set routing-options router-id 10.255.7.1
set protocols lldp interface all
set policy-options prefix-list manage-ip 10.0.0.0/8
set access address-assignment pool p1 family inet network 10.255.7.0/27
set access address-assignment pool p1 family inet range r1 low 10.255.7.10
set access address-assignment pool p1 family inet range r1 high 10.255.7.25
set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool p1 family inet dhcp-attributes name-server 10.110.2.20
set access address-assignment pool p1 family inet dhcp-attributes propagate-settings irb.1
set access address-assignment pool CorpWifiPool family inet network 10.255.7.32/27
set access address-assignment pool CorpWifiPool family inet range r1 low 10.255.7.35
set access address-assignment pool CorpWifiPool family inet range r1 high 10.255.7.61
set access address-assignment pool CorpWifiPool family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool CorpWifiPool family inet dhcp-attributes name-server 10.110.2.20
set access address-assignment pool CorpWifiPool family inet dhcp-attributes propagate-settings irb.24
set access address-assignment pool GuestWifiPool family inet network 10.255.7.160/27
set access address-assignment pool GuestWifiPool family inet range r1 low 10.255.7.163
set access address-assignment pool GuestWifiPool family inet range r1 high 10.255.7.189
set access address-assignment pool GuestWifiPool family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool GuestWifiPool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool GuestWifiPool family inet dhcp-attributes propagate-settings irb.136
set vlans CorpWData vlan-id 24
set vlans CorpWData l3-interface irb.24
set vlans Guest vlan-id 136
set vlans Guest l3-interface irb.136
set vlans Wireless vlan-id 120
set vlans Wireless l3-interface irb.120
set vlans Workstation vlan-id 1
set vlans Workstation l3-interface irb.1

Thank you in advance.
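As an added example (my own script, not Juniper's code and not from any poster here), the consistency checks a reviewer would run over the SRX 340 and SRX300 `set`-style configs above before looking anywhere else: it parses the VLAN -> irb -> security-zone -> DHCP-pool relationships and reports VLANs without an l3-interface, irb units that no VLAN points at or that sit outside every zone, and DHCP pools with no router attribute on the irb's subnet. The statement patterns are assumed from the configs shown on this page; both sample configs are constructed excerpts of them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the SRX 340 post above.
SRX340_SAMPLE = """\
set system services dhcp-local-server group dhcp_maint interface irb.20
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping
set security zones security-zone CORP interfaces irb.30 host-inbound-traffic system-services ping
set interfaces irb unit 10 family inet address 10.207.8.1/24
set interfaces irb unit 20 family inet address 10.207.22.1/24
set interfaces irb unit 30 family inet address 10.207.62.1/24
set access address-assignment pool dhcp_pool_maint family inet network 10.207.22.0/24
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes router 10.207.22.1
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10
"""

# Constructed sample after the SRX300 guest pool above, minus the zone and DHCP router lines.
SRX300_GUEST_SAMPLE = """\
set system services dhcp-local-server group Guests interface irb.136
set interfaces irb unit 136 family inet address 10.255.7.161/27
set access address-assignment pool GuestWifiPool family inet network 10.255.7.160/27
set vlans Guest vlan-id 136
set vlans Guest l3-interface irb.136
"""

# One regex per statement kind we care about; the capture groups are the facts.
RULES = [
    ("irb_addr", re.compile(r"^set interfaces irb unit (\d+) family inet address (\S+)$")),
    ("vlan_id", re.compile(r"^set vlans (\S+) vlan-id (\d+)$")),
    ("vlan_l3", re.compile(r"^set vlans (\S+) l3-interface (irb\.\d+)$")),
    ("zone", re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")),
    ("dhcp_if", re.compile(r"^set system services dhcp-local-server group \S+ interface (\S+)$")),
    ("pool_net", re.compile(r"^set access address-assignment pool (\S+) family inet network (\S+)$")),
    ("pool_router", re.compile(r"^set access address-assignment pool (\S+) family inet dhcp-attributes router (\S+)$")),
]


def parse_set_config(text):
    """Group matching 'set' lines by kind: kind -> list of capture tuples."""
    found = defaultdict(list)
    for line in text.splitlines():
        for kind, pat in RULES:
            m = pat.match(line.strip())
            if m:
                found[kind].append(m.groups())
                break
    return found


def check_config(text):
    """Return human-readable findings; an empty list means every check passed."""
    f = parse_set_config(text)
    irb_addr = {"irb." + u: ipaddress.ip_interface(a) for u, a in f["irb_addr"]}
    vlan_l3 = dict(f["vlan_l3"])                        # vlan name -> irb unit
    zone_of = {irb: zone for zone, irb in f["zone"]}    # irb unit -> zone
    dhcp_ifs = {irb for (irb,) in f["dhcp_if"]}
    pool_net = {p: ipaddress.ip_network(n) for p, n in f["pool_net"]}
    pool_router = {p: ipaddress.ip_address(r) for p, r in f["pool_router"]}

    findings = []
    # 1. A VLAN with an ID but no l3-interface is switched only, never routed.
    for vlan, _vid in f["vlan_id"]:
        if vlan not in vlan_l3:
            findings.append(f"vlan {vlan} has no l3-interface")
    # 2. An irb that no VLAN points at never receives frames; an irb outside
    #    every zone has its traffic dropped by the default policy.
    for irb in irb_addr:
        if irb not in vlan_l3.values():
            findings.append(f"{irb} is not the l3-interface of any vlan")
        if irb not in zone_of:
            findings.append(f"{irb} is not assigned to a security zone")
    # 3. Each DHCP server interface needs a pool on its own subnet, and that
    #    pool needs a router attribute inside the subnet or clients get no gateway.
    for irb in sorted(dhcp_ifs):
        if irb not in irb_addr:
            findings.append(f"dhcp-local-server is bound to {irb}, which has no inet address")
            continue
        subnet = irb_addr[irb].network
        pools = [p for p, net in pool_net.items() if net == subnet]
        if not pools:
            findings.append(f"no address-assignment pool covers {irb} ({subnet})")
        for p in pools:
            router = pool_router.get(p)
            if router is None or router not in subnet:
                findings.append(f"pool {p} for {irb} has no router attribute inside {subnet}")
    return findings


if __name__ == "__main__":
    for name, sample in (("SRX340", SRX340_SAMPLE), ("SRX300 guest", SRX300_GUEST_SAMPLE)):
        print(name, check_config(sample) or ["ok"])
```

Run it against a full `show configuration | display set` dump to get the same checks over a live box; the regexes ignore every statement they do not recognise.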

 

USB Port Console Access


Is it possible to use the supplied USB cable to give console access to an SRX?

 

I have downloaded the drivers to enable this but despite playing with the settings in SecureCRT, I am unable to get this functioning.

Does anyone use this method, and if so, what else will I need to do?

Firmware version 12.1X46-D86 issues

After upgrading an SRX100 router to 12.1X46-D86 I cannot log into it through the web GUI. I can SSH to it with the same accounts though. I installed it because it's currently a JTAC recommended version.

DHCP Issues with SRX300

Hello,

Clients obtaining an IP from the 10.255.7.160 pool cannot connect to the outside world. They obtain an IP. I can ping them from the SRX. I can ping 8.8.8.8 from the SRX. But the clients cannot. What is missing?

If you set a STATIC IP for that network, it works correctly. Users can browse, ping 8.8.8.8, etc.

Example:  10.255.7.180  255.255.255.224     GW: 10.255.7.161

set access address-assignment pool GuestWifiPool family inet network 10.255.7.160/27
set access address-assignment pool GuestWifiPool family inet range r1 low 10.255.7.163
set access address-assignment pool GuestWifiPool family inet range r1 high 10.255.7.189
set access address-assignment pool GuestWifiPool family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool GuestWifiPool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool GuestWifiPool family inet dhcp-attributes router 10.255.7.161
set access address-assignment pool GuestWifiPool family inet dhcp-attributes propagate-settings irb.136
set interfaces irb unit 136 family inet address 10.255.7.161/27

set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services traceroute
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services ping
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services dhcp
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic protocols all

set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match source-address any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match destination-address any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match application any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust then permit
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat source rule-set Guest-to-untrust from zone GuestiNet
set security nat source rule-set Guest-to-untrust to zone untrust
set security nat source rule-set Guest-to-untrust rule source-nat-guest match source-address 10.255.7.160/27
set security nat source rule-set Guest-to-untrust rule source-nat-guest then source-nat interface

Thank you in advance.

Extract JunOS 11.4R7.5 firmware from SRX Gateway

Hello

The release 11.4R7.5 is not downloadable anymore. Is it possible to extract the firmware release from an existing device?

Model: srx240h
JUNOS Software Release [11.4R7.5]

Could you help me to extract it?

KR,

Dario.

SRX300 - 18.2R3-S1.7 - smid_register / sdb_db_init failed

I just upgraded an SRX300 to 18.2R3-S1.7 (as listed on the recommended Junos software page) and syslog is filled with:

Oct 17 21:14:07 jnx repd[2078]: sdb_db_init: Failed to init stats db, err:-2:SDB out of memory
Oct 17 21:14:07 jnx repd[2078]: smid_register: sdb_db_init failed err:-2 for repd, pid:2078

Has anybody seen this error before? I can't find any details on the "repd" process.

thanks!

I have a doubt about configuring irb interfaces: why doesn't it ping me?

Good afternoon, can someone tell me why I get a ping reply from 192.168.100.10 but not from 192.168.8.1, if they are configured the same? And another question: is it possible to add several interfaces to a virtual router? Thanks in advance.

root# show
## Last changed: 2019-10-18 12:07:40 UTC
version 12.3X48-D85.1;
interfaces {
    ge-0/0/4 {
        vlan-tagging;
        unit 0 {
            family bridge {
                interface-mode trunk;
                vlan-id-list [ 2500 3500 ];
            }
        }
    }
    ge-0/0/5 {
        vlan-tagging;
        unit 0 {
            family bridge {
                interface-mode trunk;
                vlan-id-list [ 2500 3500 ];
            }
        }
    }
    irb {
        unit 2500 {
            family inet {
                address 192.168.100.10/24;
            }
        }
        unit 3500 {
            family inet {
                address 192.168.8.1/24;
            }
        }
    }
}
routing-instances {
    VRPRUEBA {
        instance-type virtual-router;
        interface irb.2500;
    }
}
bridge-domains {
    Mybridge {
        vlan-id 2500;
        routing-interface irb.2500;
    }
    Mybridge2 {
        vlan-id 3500;
        routing-interface irb.3500;
    }
}
vlans {
    VLAN2500 {
        vlan-id 2500;
        interface {
            irb.2500;
        }
        l3-interface irb.2500;
    }
    VLAN3500 {
        vlan-id 3500;
        interface {
            irb.3500;
        }
        l3-interface irb.3500;
    }
}

[edit]
root#

Is it possible to add more than one interface to a virtual router? Thanks again.
