Channel: SRX Services Gateway topics

SRX Transparent Mode Clustering - Unable to ping through


Hi All,

Could someone please help me with this issue. I have 2 SRX340s to cluster; however, I have set up a lab on EVE to configure and test before configuring the SRX340s.

I'm unable to ping from the PC in my Trusted zone to the router in the Untrusted zone. I'm not sure if I'm missing something. Any help will be appreciated.

JUNOS 17.3R1.10

I have attached the topology.

To confirm, all chassis interfaces are up and I have run all the necessary commands to make sure the cluster is fine.

PC - 10.10.10.5/24 - Trusted Zone

Router - 10.10.10.1/24 - Untrusted Zone

Below is the config:

set groups node0 system host-name srx-a
set groups node0 interfaces fxp0 unit 0 family ethernet-switching interface-mode access
set groups node0 interfaces fxp0 unit 0 family ethernet-switching vlan members vlan-254
set groups node0 interfaces irb unit 0 family inet address 192.168.254.53/24

set groups node1 system host-name srx-b
set groups node1 interfaces fxp0 unit 0 family ethernet-switching interface-mode access
set groups node1 interfaces fxp0 unit 0 family ethernet-switching vlan members vlan-254
set groups node1 interfaces irb unit 0 family inet address 192.168.254.54/24
set apply-groups "${node}"

set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-7/0/1
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth1

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family ethernet-switching interface-mode access
set interfaces reth0 unit 0 family ethernet-switching vlan members vlan-10


set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family ethernet-switching interface-mode access
set interfaces reth1 unit 0 family ethernet-switching vlan members vlan-10

set security zones security-zone Trusted
set security zones security-zone Untrusted

set security zones security-zone Trusted host-inbound-traffic system-services all
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust match source-address any
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust match destination-address any
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust match application any
set security policies from-zone Trusted to-zone Untrusted policy trust-untrust then permit


set vlans vlan-10 vlan-id 10
set vlans vlan-254 vlan-id 254
set vlans vlan-254 l3-interface irb.254

set routing-options static route 0.0.0.0/0 next-hop 192.168.254.254

 

===================================================

SW3 config (just layer 2):

!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 10
switchport mode access
!
interface Ethernet0/3
!

===================

SW3 config (just layer 2):

!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 10
switchport mode access

 

 


test config terminal syntax error on }


I loaded a config in Notepad++ and cut/pasted it into the terminal and got:

> test configuration terminal
[Type ^D at a new line to end input]

## Last changed: 2019-08-30 05:57:27 GMT-8
version 12.1X44-D35.5;
...
terminal:359:(9) error recovery ignores input until this point: }
  [edit security zones security-zone data43]
    '}'
      error recovery ignores input until this point
    policies {
        from-zone core to-zone Internet {
            policy All_core_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
...
    phone44 {
        vlan-id 442;
    }
}
terminal:551:(1) error recovery ignores input until this point: }
  [edit security]
    '}'
      error recovery ignores input until this point
terminal:551:(0) syntax error: }
  [edit security]
    ''
      syntax error
error: configuration syntax failed

Seemingly I have an error with a curly bracket, or is it something else? I tried replacing tabs with spaces. I'm pasting into a Mac terminal using screen.

Tunnel between SRX's not passing traffic


Hello everyone!

I have an SRX210 here in my office, and I just set up a cluster of SRX340s at a client network. I set up a tunnel between them, using a working config example, and the IKE and IPsec security associations come up and show good, but no traffic will go across the tunnel. I cannot ping either side from either side. I have host-inbound with ping and traceroute, but still nothing (and no routing across it). I can look at the st interfaces and see that (during ping operations) the outbound packet count is going up, but on my 210 at my end no session builds, and no traffic passes. I have been poring over the config all day and am tired of looking at it. It should just work. Any ideas? Help? Whatever you can see?

Here is the config of both sides (in set statements):

My SRX 210:
set interfaces st0 unit 102 description "Tunnel to Client Network"
set security ike policy ike-pol-Client-Network mode main
set security ike policy ike-pol-Client-Network proposal-set standard
set security ike policy ike-pol-Client-Network pre-shared-key secret
set security ike gateway ike-gate-Client-Network ike-policy ike-pol-Client-Network
set security ike gateway ike-gate-Client-Network address 2.2.2.2
set security ike gateway ike-gate-Client-Network external-interface lo0
set security ipsec policy ipsec-pol-Client-Network proposal-set standard
set security ipsec vpn ipsec-vpn-Client-Network bind-interface st0.102
set security ipsec vpn ipsec-vpn-Client-Network ike gateway ike-gate-Client-Network
set security ipsec vpn ipsec-vpn-Client-Network ike ipsec-policy ipsec-pol-Client-Network
set security ipsec vpn ipsec-vpn-Client-Network establish-tunnels immediately
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match source-address My-LAN
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match destination-address any
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match application any
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network then permit
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match source-address any
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match destination-address My-LAN
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match application any
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust then permit
set security zones security-zone Client-Network host-inbound-traffic system-services ping
set security zones security-zone Client-Network host-inbound-traffic system-services traceroute
set security zones security-zone Client-Network interfaces st0.102

set interfaces st0 unit 102 description "Tunnel to Client"
set interfaces st0 unit 102 family inet address 10.1.1.6/30

 

Remote SRX340 Cluster:
set security ike policy ike-pol-My-Network mode main
set security ike policy ike-pol-My-Network proposal-set standard
set security ike policy ike-pol-My-Network pre-shared-key ascii-text secret
set security ike gateway ike-gate-My-Network ike-policy ike-pol-My-Network
set security ike gateway ike-gate-My-Network address 1.1.1.1
set security ike gateway ike-gate-My-Network external-interface reth0
set security ipsec policy ipsec-pol-My-Network proposal-set standard
set security ipsec vpn ipsec-vpn-My-Network bind-interface st0.10
set security ipsec vpn ipsec-vpn-My-Network ike gateway ike-gate-My-Network
set security ipsec vpn ipsec-vpn-My-Network ike ipsec-policy ipsec-pol-My-Network
set security ipsec vpn ipsec-vpn-My-Network establish-tunnels immediately
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match source-address any
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match destination-address My-LAN
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match application any
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network then permit
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match source-address My-LAN
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match destination-address any
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match application any
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust then permit
set security zones security-zone My-Network host-inbound-traffic system-services ping
set security zones security-zone My-Network host-inbound-traffic system-services traceroute
set security zones security-zone My-Network interfaces st0.10
set interfaces st0 unit 10 description "Tunnel to My Network"

set interfaces st0 unit 10 family inet address 10.1.1.5/30

 

The 210 is:

Model: srx210he2
JUNOS Software Release [12.1X46-D40.2]

 

The 340 cluster:

node0:
--------------------------------------------------------------------------
Hostname: MDF-SRX340-0
Model: srx340
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]

node1:
--------------------------------------------------------------------------
Hostname: MDF-SRX340-1
Model: srx340
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]

 

Any help would be greatly appreciated!

Thank you!

Sean Garland

Garland Tech, Inc.
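
IKE and IPsec SAs being up only proves that the negotiation succeeded; for a route-based VPN to carry traffic, each side's `bind-interface` also needs an address, both st0 addresses must share a subnet, and something has to steer the remote prefixes into the st0 unit. The script below, an added example that is not part of the original post or of Junos, parses both sides' set-style configuration and cross-checks exactly those points. The excerpts are trimmed from the post (1.1.1.1 and 2.2.2.2 are the post's own placeholders); the static routes used in the test are made up to show what a passing result looks like.

```python
"""Added example (not part of the original post): cross-check the two ends
of a route-based IPsec VPN from their set-style configurations.  Checks
that each bind-interface has a family inet address, that both st0
addresses sit in one subnet, that IKE mode and proposal-set agree, and
that a static route actually uses the st0 unit as next-hop."""
import ipaddress

# Trimmed from the post; only the lines the cross-check reads are kept.
LOCAL_SRX210 = """
set interfaces st0 unit 102 family inet address 10.1.1.6/30
set security ike policy ike-pol-Client-Network mode main
set security ike policy ike-pol-Client-Network proposal-set standard
set security ike gateway ike-gate-Client-Network address 2.2.2.2
set security ike gateway ike-gate-Client-Network external-interface lo0
set security ipsec vpn ipsec-vpn-Client-Network bind-interface st0.102
"""

REMOTE_SRX340 = """
set interfaces st0 unit 10 family inet address 10.1.1.5/30
set security ike policy ike-pol-My-Network mode main
set security ike policy ike-pol-My-Network proposal-set standard
set security ike gateway ike-gate-My-Network address 1.1.1.1
set security ike gateway ike-gate-My-Network external-interface reth0
set security ipsec vpn ipsec-vpn-My-Network bind-interface st0.10
"""

def parse_side(text):
    """Extract the few facts the cross-check needs from one side's config."""
    side = {"st0_addr": {}, "routes_via_st0": set(), "ike_mode": None,
            "ike_proposal_set": None, "peer": None, "bind_interface": None}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 7 or tok[0] != "set":
            continue
        if tok[1:3] == ["interfaces", "st0"] and "address" in tok:
            side["st0_addr"][f"st0.{tok[4]}"] = ipaddress.ip_interface(
                tok[tok.index("address") + 1])
        elif tok[1:4] == ["security", "ike", "policy"]:
            if tok[5] == "mode":
                side["ike_mode"] = tok[6]
            elif tok[5] == "proposal-set":
                side["ike_proposal_set"] = tok[6]
        elif tok[1:4] == ["security", "ike", "gateway"] and tok[5] == "address":
            side["peer"] = tok[6]
        elif tok[1:4] == ["security", "ipsec", "vpn"] and tok[5] == "bind-interface":
            side["bind_interface"] = tok[6]
        elif tok[1:3] == ["routing-options", "static"] and "next-hop" in tok:
            nh = tok[tok.index("next-hop") + 1]
            if nh.startswith("st0."):
                side["routes_via_st0"].add(nh)
    return side

def cross_check(a, b):
    """Return a list of findings; an empty list means the excerpts agree."""
    findings = []
    for name, side in (("A", a), ("B", b)):
        bi = side["bind_interface"]
        if bi not in side["st0_addr"]:
            findings.append(f"{name}: bind-interface {bi} has no family inet address")
        if bi not in side["routes_via_st0"]:
            findings.append(f"{name}: no static route uses {bi} as next-hop in this excerpt")
    if a["ike_mode"] != b["ike_mode"]:
        findings.append(f"IKE mode mismatch: {a['ike_mode']} vs {b['ike_mode']}")
    if a["ike_proposal_set"] != b["ike_proposal_set"]:
        findings.append(f"IKE proposal-set mismatch: "
                        f"{a['ike_proposal_set']} vs {b['ike_proposal_set']}")
    nets = {ip.network for s in (a, b) for ip in s["st0_addr"].values()}
    if len(nets) > 1:
        findings.append("st0 addresses are not in one subnet: "
                        + ", ".join(str(n) for n in sorted(nets)))
    return findings

if __name__ == "__main__":
    for f in cross_check(parse_side(LOCAL_SRX210), parse_side(REMOTE_SRX340)) or ["no findings"]:
        print(f)
```

On the posted excerpts the only findings are that neither side shows a route whose next-hop is the st0 unit; the IKE parameters agree and 10.1.1.5/30 and 10.1.1.6/30 are in the same /30. Whether the routes were simply left out of the post or are genuinely missing is something `show route` on each box will settle.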

SRX300 firmware upgrade error


Hi SRX users,

I just upgraded from junos-15.1X49-D150 to junos-18.2R3. After the upgrade and boot I get these boot error messages:

Mounted junos package on /dev/md1...
O
Automatic reboot in progress...
Verified jboot signed by PackageProductionEc_2019 method ECDSA256+SHA256
Verified junos signed by PackageProductionEc_2019 method ECDSA256+SHA256
veriexec: cannot update veriexec for /var/jailetc/php_mod.ini: No such file or directory
veriexec: cannot update veriexec for /var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
Verified junos-18.2R3-S1.7 signed by PackageProductionEc_2019 method ECDSA256+SHA256

And the SRX300 has a lot of configuration issues. Any idea how to fix it?
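
The boot output above mixes two different integrity messages. `Verified X signed by Y method Z` means the signature check on a whole package passed, while `veriexec: cannot update veriexec for PATH: REASON` means the kernel's verified-exec fingerprint for one individual file could not be loaded, with the operating-system error text as the reason. The script below, added here and not taken from the post or from Junos, separates the two so it is immediately visible that every package verified under one signer and which files failed fingerprint loading, grouped by reason. The sample log is constructed from the lines quoted in the post.

```python
"""Added example (not part of the original post): triage SRX boot output
into package-signature results and per-file veriexec fingerprint failures."""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the post.
BOOT_LOG = """\
Mounted junos package on /dev/md1...
Verified jboot signed by PackageProductionEc_2019 method ECDSA256+SHA256
Verified junos signed by PackageProductionEc_2019 method ECDSA256+SHA256
veriexec: cannot update veriexec for /var/jailetc/php_mod.ini: No such file or directory
veriexec: cannot update veriexec for /var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libyaml.so.3: Too many links
Verified junos-18.2R3-S1.7 signed by PackageProductionEc_2019 method ECDSA256+SHA256
"""

VERIFIED = re.compile(r"^Verified (\S+) signed by (\S+) method (\S+)$")
VERIEXEC = re.compile(r"^veriexec: cannot update veriexec for (\S+): (.+)$")

def triage_boot_log(text):
    """Return which packages verified, under which signer/method pairs, and
    the veriexec failures grouped by the errno text that accompanied them."""
    verified = []                     # (package, signer, method)
    failures = defaultdict(list)      # reason -> [paths]
    for raw in text.splitlines():
        line = raw.strip()
        m = VERIFIED.match(line)
        if m:
            verified.append(m.groups())
            continue
        m = VERIEXEC.match(line)
        if m:
            failures[m.group(2)].append(m.group(1))
    return {
        "verified_packages": [pkg for pkg, _, _ in verified],
        # more than one entry here means packages were signed by different
        # keys or methods, which is worth a second look after an upgrade
        "signers": sorted({(signer, method) for _, signer, method in verified}),
        "veriexec_failures": dict(sorted(failures.items())),
        "failure_count": sum(len(paths) for paths in failures.values()),
    }

if __name__ == "__main__":
    result = triage_boot_log(BOOT_LOG)
    print("verified:", ", ".join(result["verified_packages"]))
    print("signers:", result["signers"])
    for reason, paths in result["veriexec_failures"].items():
        print(f"{reason} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```

Grouping by reason separates manifest entries for files that simply are not on disk ("No such file or directory") from files that are present but could not be registered ("Too many links"); the two groups point at different things to inspect on the box.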

SRX650 Upgrade Path


Hi, I am trying to upgrade a dual-site SRX650 A/P cluster from 12.1X44-D35.5 to 12.3X48-D85 and would like some advice on the incremental steps required. Any help greatly appreciated.

SRX clustering over layer 2 network on Cisco 6500s


We have a pair of SRX4600s, and I can cluster them when directly connected, but they fail when the clustering is over a layer 2 network carried over Cisco 6500 switches. The configuration looks like:

 

SRX4600 <-> Cisco6500 <-> CIsco6500 <-> Cisco6500 <-> SRX4600

 

The links for the control and fabric are dedicated layer 2 VLANs (4 total). The Cisco-to-SRX links are access VLANs from the Ciscos. The links between Ciscos are 4x10G (LACP) trunking multiple VLANs. The SRX cluster seems to be partially up: the control link status in 'show chassis cluster interfaces' shows up, but the fabric interfaces are down and only show the interfaces on the same SRX, not the other SRX's interfaces. A 'show chassis fpc' shows the FPCs online on the primary and Empty on the secondary. If I reboot the primary, the secondary detects that and becomes primary, and then its FPCs go online; when the old primary finishes booting it is secondary and its FPCs show Empty. Something must be getting blocked on the control interfaces, but I can't tell what specifically. On the Ciscos I have disabled CDP and LLDP, and am doing portfast and BPDU filtering. I also disabled spanning tree on the VLANs, and disabled 'mls verify ip length consistent' and 'mls verify ip checksum'. The MTU is 9216 end to end.

I seem to be at a dead end, but wanted to check if anyone else has something like this working and sees anything I was missing.

Is a bridge possible between several virtual routers?


Hi, could someone help me? I can't work it out: I have looked up and down the bridge-domains documentation and read the whole "help topic bridge-domains bridge-domains", but it is not clear whether I can do it or not: bridge several virtual routers from one interface. Thanks.

configure 802.1q trunk in SRX345


Hi Guys,

A Layer 3 device "A" is connected to another Layer 3 device "B".

For A = Cisco switch C3750 (IP Base), with the following configuration (interface fa1/0/5 is a trunk port, and all IP addresses are configured on device B; device B does the inter-VLAN routing):

      interface fa1/0/5
            switchport enc dot1q
            switchport mode trunk


Test:

-----------

SW>sh int fa1/0/5 switchport
Name: Fa1/0/5
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

 

SW#ping 10.10.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
SW#ping 10.83.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.83.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

SW#ping 10.83.5.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.83.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW#

 

 

But for A = SRX345 (JUNOS 15.1X49-D110.4), the switch interfaces (ge-0/0/0 to ge-0/0/13) cannot be configured as a dot1q trunk:

1. SRX345 (l2-learning global-mode switch or transparent-bridge) does not support l3-interface inet, just l3-interface irb?

2. SRX345 just supports bridge mode?

3. SRX345 does not support stacked-vlan-tag?

4. When showing interfaces on the SRX345, interface ge-0/0/0.0 is "encapsulation: switch mode".

Any sample configuration for supporting a dot1q trunk on the SRX345, like the Cisco configuration above, or how can I configure an SRX345 interface with the same meaning as the Cisco switch above?

Thanks a lot


Config on WAN


Hi, we have a requirement where VLANs x and y are extended from the service provider on a single WAN port. VLAN x is the native VLAN.

On the LAN, the requirement is that a few ports are in a private subnet and are to be NATed out via VLAN x, which looks straightforward, and there is an additional requirement to extend VLAN y to one of the ports on the LAN and also restrict this VLAN y bandwidth to 100 Mb/s.

How can this be achieved?

ADVPN. only one tunnel works


Hi all,

I faced a very strange issue. I'm testing ADVPN, but only one tunnel between a spoke and the hub works at any one moment. For example, the tunnel from spoke-1 works; then I enable the tunnel on spoke-2 and it works, but the previous tunnel from spoke-1 is down. Could anyone help me?

SPOKE-1 config:

set security ike proposal advpn-proposal authentication-method rsa-signatures
set security ike proposal advpn-proposal dh-group group5
set security ike proposal advpn-proposal authentication-algorithm sha1
set security ike proposal advpn-proposal encryption-algorithm aes-256-cbc
set security ike policy advpn-ike-policy proposals advpn-proposal
set security ike policy advpn-ike-policy certificate local-certificate srx-branch1-id
set security ike gateway advpn-ike-gateway ike-policy advpn-ike-policy
set security ike gateway advpn-ike-gateway address 200.200.200.1
set security ike gateway advpn-ike-gateway local-identity distinguished-name
set security ike gateway advpn-ike-gateway remote-identity distinguished-name wildcard C=NL
set security ike gateway advpn-ike-gateway external-interface ge-0/0/1.0
set security ike gateway advpn-ike-gateway advpn suggester disable
set security ike gateway advpn-ike-gateway advpn partner
set security ike gateway advpn-ike-gateway version v2-only
set security ipsec proposal advpn-ipsec-proposal protocol esp
set security ipsec proposal advpn-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal advpn-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec policy advpn-ipsec-policy perfect-forward-secrecy keys group5
set security ipsec policy advpn-ipsec-policy proposals advpn-ipsec-proposal
set security ipsec vpn advpn-vpn bind-interface st0.0
set security ipsec vpn advpn-vpn ike gateway advpn-ike-gateway
set security ipsec vpn advpn-vpn ike ipsec-policy advpn-ipsec-policy
set security ipsec vpn advpn-vpn establish-tunnels immediately

 

 

SPOKE-2 config:

set security ike proposal advpn-proposal authentication-method rsa-signatures
set security ike proposal advpn-proposal dh-group group5
set security ike proposal advpn-proposal authentication-algorithm sha1
set security ike proposal advpn-proposal encryption-algorithm aes-256-cbc
set security ike policy advpn-ike-policy proposals advpn-proposal
set security ike policy advpn-ike-policy certificate local-certificate srx-cloud3-id
set security ike gateway advpn-ike-gateway ike-policy advpn-ike-policy
set security ike gateway advpn-ike-gateway address 200.200.200.1
set security ike gateway advpn-ike-gateway local-identity distinguished-name
set security ike gateway advpn-ike-gateway remote-identity distinguished-name wildcard C=NL
set security ike gateway advpn-ike-gateway external-interface ge-0/0/1.0
set security ike gateway advpn-ike-gateway advpn suggester disable
set security ike gateway advpn-ike-gateway advpn partner
set security ike gateway advpn-ike-gateway version v2-only
set security ipsec proposal advpn-ipsec-proposal protocol esp
set security ipsec proposal advpn-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal advpn-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec policy advpn-ipsec-policy perfect-forward-secrecy keys group5
set security ipsec policy advpn-ipsec-policy proposals advpn-ipsec-proposal
set security ipsec vpn advpn-vpn bind-interface st0.0
set security ipsec vpn advpn-vpn ike gateway advpn-ike-gateway
set security ipsec vpn advpn-vpn ike ipsec-policy advpn-ipsec-policy
set security ipsec vpn advpn-vpn establish-tunnels immediately

 

HUB config:

 

set security ike proposal advpn-proposal authentication-method rsa-signatures
set security ike proposal advpn-proposal dh-group group5
set security ike proposal advpn-proposal authentication-algorithm sha1
set security ike proposal advpn-proposal encryption-algorithm aes-256-cbc
set security ike policy advpn-ike-policy proposals advpn-proposal
set security ike policy advpn-ike-policy certificate local-certificate srx-hq-id
set security ike gateway advpn-ike-gateway ike-policy advpn-ike-policy
set security ike gateway advpn-ike-gateway dynamic distinguished-name wildcard "OU=SRX Dept"
set security ike gateway advpn-ike-gateway dynamic ike-user-type group-ike-id
set security ike gateway advpn-ike-gateway dead-peer-detection
set security ike gateway advpn-ike-gateway local-identity distinguished-name
set security ike gateway advpn-ike-gateway external-interface ge-0/0/3.0
set security ike gateway advpn-ike-gateway advpn suggester
set security ike gateway advpn-ike-gateway advpn partner disable
set security ike gateway advpn-ike-gateway version v2-only
set security ipsec proposal advpn-ipsec-proposal protocol esp
set security ipsec proposal advpn-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal advpn-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec policy advpn-ipsec-policy perfect-forward-secrecy keys group5
set security ipsec policy advpn-ipsec-policy proposals advpn-ipsec-proposal
set security ipsec vpn advpn-vpn bind-interface st0.0
set security ipsec vpn advpn-vpn ike gateway advpn-ike-gateway
set security ipsec vpn advpn-vpn ike ipsec-policy advpn-ipsec-policy

 

SRX320 DHCP issue with Smartphones


Hi,

I hope someone can help here as usual.

I have a Juniper SRX320 which is working fine with 2 DHCP server pools. I am getting IPs on my laptops and other connected devices, except the smartphones we have at home. Please see the attached configuration; any prompt help is really appreciated.

VDSL2 Mini-PIM questions


 

1. Where can I find configuration details of the preconfigured VDSL2 profiles? The only information I can find is the associated data rates.

2. Is there any way to restart the internet connection, e.g. by dropping and reconnecting it or restarting the modem?

3. Where can I check for updated firmware for the module?

SRX 320 PPPOE issue after JUNOS upgrade


Hello guys,

My SRX320 was working fine with the attached configuration under JUNOS 15.1X49-D70.3.

I decided to upgrade to JUNOS 18.2R3.4, which is the JTAC-recommended release for the SRX320, and suddenly my PPPoE dropped and I lost internet connectivity (pp0 is down now).

Would someone please be able to have a look at the attached configuration and let me know if something needs to be changed under the new JUNOS version?

Thank you very much.

SRX trunk port to another L3 device


Hi Guys,

The scenario is below:

1. SRX345 (ge-0/0/0, trunk mode) is connected to a layer 3 device.

2. VLANs are created on the SRX345.

3. The SRX345 is the VLAN gateway.

4. The L3 device has an interface "LAN" with IP 10.73.7.1/24.

5. The L3 device also has some sub-interfaces under the interface "LAN": 10.73.1.1/24, 10.73.3.1/24, 10.73.5.1/24.

6. The L3 device is configured for inter-VLAN routing.

SRX345 has the following configuration:

------------------------------------------------

root@labtest-fw2> show configuration

...... 
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk

set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 110
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 130
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 150

 

set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members TEST

 

set interfaces irb unit 110 family inet address 10.73.1.254/24
set interfaces irb unit 130 family inet address 10.73.3.254/24
set interfaces irb unit 150 family inet address 10.73.5.254/24

set interfaces irb unit 100 family inet address 10.73.7.254/24

 

set vlans TEST vlan-id 100
set vlans TEST l3-interface irb.100
set vlans TEST1 vlan-id 110
set vlans TEST1 l3-interface irb.110
set vlans TEST3 vlan-id 130
set vlans TEST3 l3-interface irb.130
set vlans TEST5 vlan-id 150
set vlans TEST5 l3-interface irb.150

 

 

Tests with problems:

1. Ping fails on the SRX:

root@fw2> ping 10.73.1.1
PING 10.73.1.1 (10.73.1.1): 56 data bytes
^C
--- 10.73.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

root@fw2> ping 10.73.7.1 count 3
PING 10.73.7.1 (10.73.7.1): 56 data bytes

--- 10.73.7.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

2. No ARP learned on the SRX:

root@fw2> show arp

 

 

3. show interface:

root@labtest-fw2> show ethernet-switching interface ge-0/0/0
Routing Instance Name : default-switch

Logical      Vlan      TAG    MAC      STP          Logical            Tagging
interface    members          limit    state        interface flags
ge-0/0/0.0                    16383                                    tagged
             TEST      100    16383    Forwarding                      tagged
             TEST1     110    16383    Forwarding                      tagged
             TEST3     130    16383    Forwarding                      tagged
             TEST5     150    16383    Forwarding                      tagged

 

 

 

 

 

Case 2:

If the SRX access port (ge-0/0/2) connects to the L3 device:

root@labtest-fw2> show configuration interfaces ge-0/0/2 | display set
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 100

root@labtest-fw2> show arp
MAC Address         Address     Name        Interface   Flags
10:56:ca:12:40:90   10.73.7.1   10.73.7.1   irb.100     none

 

 

root@labtest-fw2> show ethernet-switching table

Ethernet switching table : 2 entries, 2 learned
Routing instance : default-switch
Vlan    MAC                 MAC     Age    Logical       NH      RTR
name    address             flags          interface     Index   ID
100     00:64:40:a3:86:8e   D       -      ge-0/0/2.0    0       0
100     10:56:ca:12:40:90   D       -      ge-0/0/2.0    0       0

Ping tests are successful, but ARP is only for VLAN 100:

-----------------------------------------------------------

 

root@fw2> ping 10.73.1.1 count 2
PING 10.73.1.1 (10.73.1.1): 56 data bytes
64 bytes from 10.73.1.1: icmp_seq=0 ttl=64 time=1.159 ms
64 bytes from 10.73.1.1: icmp_seq=1 ttl=64 time=16.355 ms

 

root@fw2> ping 10.73.3.1 count 2
PING 10.73.3.1 (10.73.3.1): 56 data bytes
64 bytes from 10.73.3.1: icmp_seq=0 ttl=64 time=0.982 ms
64 bytes from 10.73.3.1: icmp_seq=1 ttl=64 time=1.058 ms

 

root@fw2> ping 10.73.5.1 count 2
PING 10.73.5.1 (10.73.5.1): 56 data bytes
64 bytes from 10.73.5.1: icmp_seq=0 ttl=64 time=1.092 ms
64 bytes from 10.73.5.1: icmp_seq=1 ttl=64 time=1.230 ms

 

root@fw2> ping 10.73.7.1 count 2
PING 10.73.7.1 (10.73.7.1): 56 data bytes
64 bytes from 10.73.7.1: icmp_seq=0 ttl=64 time=1.030 ms
64 bytes from 10.73.7.1: icmp_seq=1 ttl=64 time=1.252 ms

 

 

root@labtest-fw2> show arp
MAC Address         Address     Name        Interface   Flags
10:56:ca:12:40:90   10.73.7.1   10.73.7.1   irb.100     none

 

 

 

Any reason the SRX trunk port does not work? Thx.
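
Both SRX345 trunk posts above (the "configure 802.1q trunk in SRX345" question and this one) come down to how a trunk port classifies each frame it receives, so here is a frame-level model of that, as an added example that is not part of either post or of Junos. The frame layout is standard 802.1Q (TPID 0x8100, then a 16-bit TCI carrying PCP, DEI and a 12-bit VLAN ID). The port rules modelled are the usual ones: a tagged frame is accepted only if its VLAN ID is a member of the trunk; an untagged or priority-tagged (VLAN ID 0) frame is placed in the native VLAN when one is configured and dropped otherwise; an access port accepts untagged frames into its single VLAN and, as modelled here, drops tagged ones. Port names, VLAN numbers and the one MAC address are taken from the post; the frames themselves are constructed. The pattern in the post, where 10.73.7.1 is reachable and ARP for it appears only when the port is an access port in VLAN 100, is what untagged frames produce on a trunk that has no native VLAN, which makes the native-VLAN setting on ge-0/0/0 the first thing to compare with what the L3 device sends untagged.

```python
"""Added example (not part of the original posts): build and parse 802.1Q
frames and model how a trunk or access port classifies them."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800

@dataclass
class Port:
    name: str
    mode: str                        # "trunk" or "access"
    vlans: frozenset                 # trunk members, or the single access VLAN
    native_vlan: Optional[int] = None  # trunk only; None means untagged frames are dropped

def build_frame(dst, src, ethertype, payload=b"", vid=None, pcp=0):
    """Return an Ethernet frame; a tag is inserted when vid is given
    (vid=0 yields a priority-tagged frame, which carries no VLAN)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)        # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vid, ethertype); vid is None for an untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0xFFF, inner
    return None, ethertype

def classify(port, frame):
    """Return the VLAN the port switches the frame in, or None if it drops it."""
    vid, _ = parse_frame(frame)
    untagged = vid is None or vid == 0              # priority-tagged counts as untagged
    if port.mode == "access":
        (access_vlan,) = port.vlans
        return access_vlan if untagged else None    # modelled: tagged frames dropped
    if untagged:
        return port.native_vlan                     # None when no native VLAN is set
    return vid if vid in port.vlans else None

if __name__ == "__main__":
    trunk = Port("ge-0/0/0", "trunk", frozenset({100, 110, 130, 150}))
    trunk_native = Port("ge-0/0/0", "trunk", frozenset({100, 110, 130, 150}), native_vlan=100)
    access = Port("ge-0/0/2", "access", frozenset({100}))
    # Constructed frames from the L3 device's MAC seen in the post's ARP table.
    bcast, l3_mac = "ff:ff:ff:ff:ff:ff", "10:56:ca:12:40:90"
    frames = {"untagged": build_frame(bcast, l3_mac, ETH_IPV4),
              "tagged 110": build_frame(bcast, l3_mac, ETH_IPV4, vid=110),
              "tagged 200": build_frame(bcast, l3_mac, ETH_IPV4, vid=200)}
    for port in (trunk, trunk_native, access):
        for label, frame in frames.items():
            print(f"{port.name:9} {port.mode:6} native={port.native_vlan!s:5} {label:11} -> {classify(port, frame)}")
```

Running the block prints a small matrix: the trunk without a native VLAN drops the untagged frame and accepts tagged 110, the same trunk with `native_vlan=100` places the untagged frame in VLAN 100, and the access port accepts only the untagged frame. Capture on the L3 device's side to see which of its subnets it sends tagged and with which IDs, then compare against the trunk's member list and native VLAN.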

Can't get NTP client to work


I'm having an unusual problem getting NTP working on my SRX. The first sign was in my logs: I get "NTP Server Unreachable".

I set the system NTP server to time-b-g.nist.gov and allowed ntp under security-zone untrust host-inbound-traffic system-services.

The problem is that "show ntp associations" is always stuck at INIT. But I can issue "set date ntp" and it uses the NTP server. I have no loopback defined. I have one trust-to-junos-host policy defined, and that only allows management IPs access. I added an explicit permit for junos-ntp there, but no change.

How can I troubleshoot and resolve this?

# run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time-b-g.nist.g .INIT.          16 -    - 1024    0    0.000    0.000 4000.00

system {
    ntp {
        server 129.6.15.29;
    }
}

security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                vlan.72;
                vlan.82;
                vlan.99;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ike;
                            https;
                            ping;
                            ntp;
                        }
                    }
                }
            }
        }
    }
}

 

Thanks!
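
Two columns of `show ntp associations` explain a stuck client. `reach` is an octal 8-bit shift register of the last eight polls (1 = reply received, newest poll in the low bit), and a refid of `.INIT.` with stratum 16 means the association has never received a single packet, which is a different situation from a peer that used to answer and stopped. The parser below, added here and not part of the original post or of Junos, decodes both and attaches a plain-language reading. The first sample line is the one from the post; the second is constructed to show what a healthy system peer looks like for contrast.

```python
"""Added example (not part of the original post): parse 'show ntp
associations' output and decode the tally, stratum and reach columns."""

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time-b-g.nist.g .INIT.          16 -    - 1024    0    0.000    0.000 4000.00
*time-a-g.nist.g .NIST.           1 u   37   64  377    8.123   -0.412   0.654
"""

# Leading tally character as printed by ntpq.
TALLY = {"*": "system peer", "+": "candidate", "#": "selected (excess)",
         "-": "outlier", "x": "falseticker", ".": "excess", "o": "pps peer",
         " ": "rejected / unreachable"}

def diagnose(refid, stratum, reach_bits, tally):
    """Plain-language reading of the state columns for one association."""
    if refid == ".INIT." and reach_bits == 0:
        return "never received a reply: polls are not being answered"
    if stratum == 16:
        return "peer unsynchronised (stratum 16)"
    if reach_bits == 0:
        return "was reachable before, no reply to the last eight polls"
    if reach_bits != 0o377:
        return "intermittent: some of the last eight polls went unanswered"
    return "healthy" if tally == "*" else "reachable, not selected as system peer"

def parse_associations(text):
    """Return one dict per association line; header and rule lines are skipped."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or ("remote" in line and "refid" in line):
            continue
        tally, rest = line[0], line[1:].split()
        if len(rest) != 10:                      # not an association line
            continue
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = rest
        reach_bits = int(reach, 8)               # octal shift register of last 8 polls
        peers.append({
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "tally": TALLY.get(tally, tally),
            "reach_history": format(reach_bits, "08b"),   # oldest poll on the left
            "recent_replies": bin(reach_bits).count("1"),
            "poll_seconds": int(poll),
            "offset_ms": float(offset),
            "diagnosis": diagnose(refid, int(st), reach_bits, tally),
        })
    return peers

if __name__ == "__main__":
    for p in parse_associations(SAMPLE):
        print(f"{p['remote']:16} st={p['stratum']:<2} reach={p['reach_history']} "
              f"{p['tally']:22} {p['diagnosis']}")
```

For the line in the post the reading is "never received a reply", which is worth knowing before touching policy: the daemon's own polls are not getting answers, even though the one-shot `set date ntp` sync in the post does. Capturing on the egress interface for UDP/123 while the daemon polls (poll interval 1024 s here, so `request ntp ... ` or a restart of ntpd shortens the wait) shows whether its requests leave the box and from which source address.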

 


SRX 5600 doesn't recognize the IOC card


Hello,

I have a new SRX5600 and the IOC module doesn't show up in 'show chassis hardware', yet it is installed in FPC slot 0.

show chassis hardware

node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN12691CDAGB      SRX5600
Midplane         REV 42   760-063936   ACRM2899          Enhanced SRX5600 Midplane
FPM Board        REV 04   760-061988   CALK0126          Front Panel Display
PEM 0            Rev 02   740-063041   QCS1906090P6      PS 1.4-2.6kW; 90-264V AC in
PEM 1            Rev 02   740-063041   QCS1906090C1      PS 1.4-2.6kW; 90-264V AC in
Routing Engine 0 REV 07   740-056658   9016101427        SRX5k RE-1800X4
CB 0             REV 08   750-066337   CALS3925          SRX5k SCB3
FPC 1            REV 29   750-073435   CAMF4023          SPC3
  CPU                     BUILTIN      BUILTIN           SRX5k vCPP Broadwell
Fan Tray                                                 Enhanced Fan Tray

The chassisd log shows the following:

Oct 25 11:52:20 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x2a] -> 0x0)
Oct 25 11:52:20 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x2b] -> 0x0)
Oct 25 11:52:20 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x30] -> 0x0)
Oct 25 11:52:20 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x31] -> 0x0)
Oct 25 11:52:20 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x3f] -> 0x0)
Oct 25 11:52:20 LCC: reading FPC 0 initial state
Oct 25 11:52:20 CHASSISD_FRU_VERSION_MISMATCH: I2CS version mismatch for FPC 0 -- expected 1, got 0
Oct 25 11:52:20 LCC: FPC 0: management bus failed sanity test
Oct 25 11:52:22 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x21] -> 0x0)
Oct 25 11:52:22 LCC: reading FPC 0 initial state
Oct 25 11:52:22 CHASSISD_FRU_VERSION_MISMATCH: I2CS version mismatch for FPC 0 -- expected 1, got 0
Oct 25 11:52:22 LCC: FPC 0: management bus failed sanity test
Oct 25 11:52:22 LCC: reading FPC 0 initial state
Oct 25 11:52:22 CHASSISD_FRU_VERSION_MISMATCH: I2CS version mismatch for FPC 0 -- expected 1, got 0
Oct 25 11:52:22 LCC: FPC 0: management bus failed sanity test
Oct 25 11:52:23 LCC: reading FPC 0 initial state
Oct 25 11:52:23 CHASSISD_FRU_VERSION_MISMATCH: I2CS version mismatch for FPC 0 -- expected 1, got 0
Oct 25 11:52:23 LCC: FPC 0: management bus failed sanity test
Oct 25 11:52:23 LCC: reading FPC 0 initial state
Oct 25 11:52:23 CHASSISD_FRU_VERSION_MISMATCH: I2CS version mismatch for FPC 0 -- expected 1, got 0
Oct 25 11:52:23 LCC: FPC 0: management bus failed sanity test
Oct 25 11:52:23 LCC: reading FPC 0 initial state
Oct 25 11:52:23 CHASSISD_FRU_VERSION_MISMATCH: I2CS version mismatch for FPC 0 -- expected 1, got 0
Oct 25 11:52:23 CHASSISD_MBUS_ERROR: FPC 0: management bus failed sanity test
Oct 25 11:54:02 CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 0 offline: Reset on SPC/SPU failure
Oct 25 11:54:02 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x13] -> 0x0)
Oct 25 11:54:02 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x21] -> 0x0)
Oct 25 11:54:02 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x20] -> 0x0)
Oct 25 11:54:02 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x13] -> 0x0)
Oct 25 11:54:09 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x20] -> 0x0)
Oct 25 11:54:09 CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC 0 ([0x12, 0x20] -> 0x0)
Oct 25 11:54:09 LCC: FPC 0 is requesting power (consumption) 0W, total remaining pwr 3210

Please advise

SRX 345 QinQ - 802.1ad

Hi All

I have an issue configuring an SRX-345 (18.2R3-S1.7) with QinQ. I receive QinQ (802.1ad) frames from a service provider with two tags (outer 0x88a8.100, inner 0x8100.10) and the SRX seems to be completely ignoring those packets. Could you please assist me with troubleshooting?

I have already built a GNS3 lab and tested the QinQ scenario with double 0x8100; that seems to be working just fine.

When I switch to 802.1ad, the SRX stops responding to ARP requests; funny enough, when traffic originates from the SRX I can see (in Wireshark) that the frames are tagged correctly.

Lab topology in attachment; I have also attached a pcap file with QinQ frames.

My current interface config:

ge-0/0/0 {
    stacked-vlan-tagging;
    gigether-options {
        ethernet-switch-profile {
            tag-protocol-id 0x88a8;
        }
    }
    unit 20 {
        vlan-tags outer 0x88a8.100 inner 0x8100.10;
        family inet {
            address 10.10.1.122/24;
        }
    }
}

I have also tested config with input & output vlan maps to manipulate tagging but it made zero difference.

If I don't specify the exact tpid.id tags, the SRX will not send the 802.1ad ethertype; it goes out as 0x8100 regardless of the "ethernet-switch-profile tag-protocol-id 0x88a8" config line on the interface.

Please help, as I'm pulling the hair out of my head.
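As an added illustration (not from the post and not Juniper code), a small Python frame builder and parser that makes the two tag stacks compared in the post concrete: the provider's 802.1ad frame (outer TPID 0x88a8, inner 0x8100) versus the lab's double-0x8100 frame. The MAC addresses and ARP body are constructed placeholders, and `matches_unit` assumes that a `vlan-tags outer T.V inner T.V` unit only claims frames whose tag stack matches both TPIDs and VIDs exactly, which is why a lab frame that works with 0x8100/0x8100 says nothing about the 0x88a8 case.

```python
import struct

# TPIDs that start a VLAN tag on the wire (the two from the post plus the legacy 0x9100).
TPIDS = {0x8100: "802.1Q C-tag", 0x88A8: "802.1ad S-tag", 0x9100: "legacy QinQ"}

def build_frame(dst_mac, src_mac, tags, ethertype, payload):
    """Build an Ethernet frame; tags is a list of (tpid, vid), outermost first (PCP/DEI = 0)."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Walk the VLAN tag stack; return (tags outermost first, inner ethertype, payload offset)."""
    tags, off = [], 12
    while True:
        etype = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if etype not in TPIDS:
            return tags, etype, off       # first non-TPID value is the real ethertype
        tci = struct.unpack_from("!H", frame, off)[0]
        off += 2
        tags.append((etype, tci & 0x0FFF))

def matches_unit(frame, outer, inner):
    """True if the frame's tag stack equals a Junos 'vlan-tags outer T.V inner T.V' pair (assumed exact match)."""
    tags, _, _ = parse_tags(frame)
    return tags == [outer, inner]

# Constructed sample payload: an ARP request header (HTYPE 1, PTYPE IPv4, opcode 1) with zeroed addresses.
ARP_REQUEST = struct.pack("!HHBBH", 0x0001, 0x0800, 6, 4, 1) + bytes(20)
BCAST, PROVIDER_MAC = "ffffffffffff", "020000000001"   # constructed MAC addresses
# Frame as the service provider sends it: outer 0x88a8.100, inner 0x8100.10.
PROVIDER_FRAME = build_frame(BCAST, PROVIDER_MAC, [(0x88A8, 100), (0x8100, 10)], 0x0806, ARP_REQUEST)
# Frame as the GNS3 lab sends it: both tags carry TPID 0x8100.
LAB_FRAME = build_frame(BCAST, PROVIDER_MAC, [(0x8100, 100), (0x8100, 10)], 0x0806, ARP_REQUEST)

UNIT_20 = ((0x88A8, 100), (0x8100, 10))   # the 'vlan-tags' line of unit 20 in the config above

if __name__ == "__main__":
    for name, frame in (("provider", PROVIDER_FRAME), ("lab", LAB_FRAME)):
        tags, etype, _ = parse_tags(frame)
        stack = " / ".join(f"{TPIDS[t]} vid {v}" for t, v in tags)
        print(f"{name}: {stack}, inner ethertype 0x{etype:04x}, "
              f"matches unit 20: {matches_unit(frame, *UNIT_20)}")
```

Feeding the bytes of a captured frame from the attached pcap to `parse_tags` shows directly which TPID pair arrives at the interface, which is the first thing to compare against the `vlan-tags` line.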

VLAN.IRB trunk issue in SRX340

Hi, guys,

I have read a lot of articles about the VLAN.IRB issue in SRX, but no solution has been found up to this moment.

I am running an SRX345 with JUNOS 15.1X49-D110.4. No matter whether the global mode is "switch" or "transparent-bridge", a trunk port on the SRX cannot ping the VLAN.IRB interface or the VLAN segment on the SRX (the SRX345 is the gateway).

Any solution/suggestion? Thanks.

GRE tunnel remote site static IP

I'm trying to tunnel out through a remote site that has a public static /29 over a GRE tunnel so I can assign a public static IP out of a /24 at a local site like:

I *think* I have to create two interfaces, one on the remote end similar to:

gr-0/0/0
unit 0 {
    tunnel {
        source 192.168.20.20;
        destination 192.168.100.20;
    }
    family inet {
        address 10.0.0.20/24;
    }
}

and on the local end like:

interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 192.168.100.20;
        destination 192.168.20.20;
    }
    family inet {
        address 10.0.0.20/24;
    }
}

But then I get a little lost on the end-to-end routing when trying to make the remote site computer on ge-0/0/1.1 route traffic destined for the 5.6.7.8/24 network at the local site across the tunnel. How should the routing work? Is my approach sane?

I also need to route NAT traffic on ge-0/0/0.0 from the remote site, which is kind of a separate issue I guess.

J-Web Dashboard Widgets often don't load

I'm probably one of the few, but I have (just) 3 widgets configured on the Dashboard of J-Web on about 30 devices. Rarely do all 3 load successfully; often I have to click the Refresh button to kick a given widget into life, and then when the automatic refresh takes place it invariably doesn't refresh or load correctly. Is there a fix for this? I am running 15.1X49-D190.2 and have observed this behaviour for the last 2 years' worth of 15.1X49 software.
