Channel: SRX Services Gateway topics

On-box reporting error


Upon uploading a configuration to an SRX320 running 15.1X49-D190.2 I received the following error:

 

Enabling on-box reporting on the built-in eUSB storage may reduce the life of the storage

 

On 15.1X49-D170.4, I received no such error.

 

The error relates to the 'report' bit of this config:

 

security {
    log {
        mode stream;
        report;
    }
}

 

Can anyone comment on this please? Should I be removing the report line? I don't actually stream off logs, so should I just remove the whole log section?


SRX550M Upgrade Path


Hello All,

 

Have a SRX550M currently running 15.1 that I'd like to get upgraded to the recommended version of 18.2.  Do I need to first jump to 17.4 

SRX 340 Factory Reset


Hi All,

 

I have a SRX 340 that I performed a 15-second factory reset on.  When I try to login, the root password is not blank. Has anyone else experienced this issue?  I can't recover the root password because the recovery configuration is not there.

 

Much appreciated.

SRX DHCP static binding not working properly


I am trying to set up a DHCP server on an SRX 345 device. The DHCP server should send back some options (bootfile, router, domain-names...). The DHCP is involved in the boot process, so a static DHCP binding is used where every MAC address has a mapped IP in the pool. The DHCP client queries the DHCP server for the first time during the PXE boot; it gets the correct IP that was mapped to its MAC, so the client will use the TFTP-server option specified in the DHCP offer and download the boot file, kernel and the initramd.

 

Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 35072
Logical Interface Index Extension TLV #4, length 4, value: 74
-----original packet-----
PFE proto 2 (ipv4): (tos 0x0, ttl 20, id 1, offset 0, flags [none], proto: UDP (17), length: 576) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from ac:1f:6b:47:6c:06, length 548, xid 0x6b476c06, secs 4, Flags [Broadcast] (0x8000)
Client-Ethernet-Address ac:1f:6b:47:6c:06
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Parameter-Request Option 55, length 36:
Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
IEN-Name-Server, Domain-Name-Server, RL, Hostname
BS, Domain-Name, SS, RP
EP, RSZ, TTL, BR
YD, YS, NTP, Vendor-Option
Requested-IP, Lease-Time, Server-ID, RN
RB, Vendor-Class, TFTP, BF
Option 128, Option 129, Option 130, Option 131
Option 132, Option 133, Option 134, Option 135
MSZ Option 57, length 2: 1260
GUID Option 97, length 17: 0.0.0.0.0.0.0.0.0.0.0.172.31.107.71.108.6
ARCH Option 93, length 2: 0
NDI Option 94, length 3: 1.2.1
Vendor-Class Option 60, length 32: "PXEClient:Arch:00000:UNDI:002001"

 

Here it is fine: we got the correct IP that is mapped to the MAC. Then the client starts to download the root filesystem; at that time a new request is sent to the DHCP server (a new option 61, client identifier, is specified). The problem occurs here: the DHCP server assigns another address from the dynamic range to the client even though a static binding for that MAC address is specified.

09:47:47.388131  In
Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 35072
Logical Interface Index Extension TLV #4, length 4, value: 74
-----original packet-----
PFE proto 2 (ipv4): (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from ac:1f:6b:47:69:e4, length 300, xid 0xeec66346, secs 5, Flags [none] (0x0000)
Client-Ethernet-Address ac:1f:6b:47:69:e4
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Client-ID Option 61, length 19: hardware-type 255, 6b:47:69:e4:00:01:00:01:25:4c:13:ef:ac:1f:6b:47:69:e4
Parameter-Request Option 55, length 21:
RN, RB, Subnet-Mask, BR
MTU, Classless-Static-Route, Default-Gateway, Static-Route
Hostname, Option 119, Domain-Name, Domain-Name-Server
YD, YS, NTP, RP
Option 85, Option 86, Option 87, PRTR
MDHCP
MSZ Option 57, length 2: 1500
09:47:47.846931 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 35072
Logical Interface Index Extension TLV #4, length 4, value: 74
-----original packet-----
58:00:bb:af:e7:42 > ac:1f:6b:47:69:e4, ethertype IPv4 (0x0800), length 321: (tos 0x0, ttl 64, id 35562, offset 0, flags [none], proto: UDP (17), length: 307) 10.22.102.1.bootps > 10.22.102.214.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 279, xid 0xeec66346, Flags [none] (0x0000)
Your-IP 10.22.102.214
Server-IP 10.22.100.11
Client-Ethernet-Address ac:1f:6b:47:69:e4
file "pxelinux.0"
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Server-ID Option 54, length 4: 10.22.102.1
Default-Gateway Option 3, length 4: 10.22.102.1
Domain-Name-Server Option 6, length 8: 1.1.1.1,1.0.0.1

Any ideas? How do I disable the client-id option on the DHCP server?
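The behaviour described in this post, modelled as an added Python example (written for this page; it is not Junos or jdhcpd code): a toy server that files a client under Option 61 whenever the DISCOVER carries one, so the second DISCOVER no longer finds a binding that was stored under the MAC alone. The MAC and the Option 61 bytes are taken from the captures above; the static address 10.22.102.50 and the dynamic range are constructed, and the two remedies at the end are properties of this model, not a statement about what the SRX supports.

```python
"""Toy DHCP server lookup: why a PXE client's second DISCOVER, which adds
Option 61 (client-identifier), can miss a static binding keyed on the MAC.
Packet bytes, the static IP and the dynamic range are constructed values."""
import struct
from typing import Dict, Iterator, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 marker before the options
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255


def build_discover(mac: str, client_id: Optional[bytes] = None,
                   xid: int = 0x6B476C06) -> bytes:
    """Construct a minimal BOOTP/DHCP DISCOVER: RFC 2131 fixed header plus options."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen, hops=0, xid, secs=0, flags=broadcast,
    # then ciaddr/yiaddr/siaddr/giaddr all zero
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(chaddr), 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += chaddr.ljust(16, b"\0")          # chaddr field is 16 bytes
    hdr += b"\0" * 64 + b"\0" * 128         # sname, file (unused here)
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1])   # Option 53 = DISCOVER
    if client_id is not None:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return hdr + opts + bytes([OPT_END])


def parse_options(pkt: bytes) -> Dict[int, bytes]:
    """Walk the TLV option field, refusing to read past a truncated option."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return opts
        if code == 0:                       # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option %d" % code)
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("option field not terminated")


def client_key(pkt: bytes, honor_client_id: bool) -> bytes:
    """Identity the server files the client under: Option 61 when present and
    honoured (as RFC 2131 section 4.2 allows), otherwise chaddr."""
    chaddr = pkt[28:28 + pkt[2]]            # hlen is byte 2, chaddr starts at 28
    opts = parse_options(pkt)
    if honor_client_id and OPT_CLIENT_ID in opts:
        return b"id:" + opts[OPT_CLIENT_ID]
    return b"mac:" + chaddr


class DhcpServer:
    """Static bindings are checked first; otherwise the next dynamic address is leased."""
    def __init__(self, dynamic_range: Iterator[str], honor_client_id: bool = True):
        self.static: Dict[bytes, str] = {}
        self.leases: Dict[bytes, str] = {}
        self.dynamic = dynamic_range
        self.honor_client_id = honor_client_id

    def bind_mac(self, mac: str, ip: str) -> None:
        self.static[b"mac:" + bytes.fromhex(mac.replace(":", ""))] = ip

    def bind_client_id(self, client_id: bytes, ip: str) -> None:
        self.static[b"id:" + client_id] = ip

    def offer(self, pkt: bytes) -> str:
        key = client_key(pkt, self.honor_client_id)
        if key in self.static:
            return self.static[key]
        if key not in self.leases:
            self.leases[key] = next(self.dynamic)
        return self.leases[key]


def demo():
    """Replay the post's two DISCOVERs; MAC and Option 61 bytes are from the captures."""
    mac = "ac:1f:6b:47:69:e4"
    client_id = bytes([0xFF]) + bytes.fromhex("6b4769e400010001254c13efac1f6b4769e4")
    first = build_discover(mac)                      # PXE ROM: chaddr only
    second = build_discover(mac, client_id)          # installer: adds Option 61
    srv = DhcpServer(iter("10.22.102.%d" % h for h in range(200, 255)))
    srv.bind_mac(mac, "10.22.102.50")                # constructed static mapping
    by_mac = srv.offer(first)                        # matches the MAC binding
    by_client_id = srv.offer(second)                 # misses it: dynamic address
    # The lookup agrees again if the binding also exists under the client-id,
    # or if the server keys clients on the MAC regardless of Option 61.
    srv.bind_client_id(client_id, "10.22.102.50")
    after_id_binding = srv.offer(second)
    mac_only = DhcpServer(iter(["10.22.102.200"]), honor_client_id=False)
    mac_only.bind_mac(mac, "10.22.102.50")
    ignoring_client_id = mac_only.offer(second)
    return by_mac, by_client_id, after_id_binding, ignoring_client_id
    # returns ('10.22.102.50', '10.22.102.200', '10.22.102.50', '10.22.102.50')
```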

Persistent NAT with multiple Public IP address


Hi folks,

 

I have an interesting dilemma that we're trying to get working with Persistent NAT and two internet connections on the SRX110H2.

 

Each has a static default route; one with higher preference.

x.x.x.x/32 preference 5

y.y.y.y/32 preference 10

 

Currently there is an internal 3CX host that requires port address mapping from its internal IP address to the external public IP address.

The config used is working successfully at the moment; however, I'm trying to determine whether it's possible to time out the address mapping if the primary internet service goes down and traffic moves over to the secondary default route, which has a different public IP address.

Of course flow will need to timeout on the inactive public IP route.

The dilemma is how to utilise a failover method with persistent NAT to use the other Public IP and new route.

If I could use interface-nat rather than source nat pools it may work; so I don't have to account for source nat pool processes.

 

I haven't been able to test the concept as yet; but reading through the documentation it may or may not be possible using

- source nat inactivity timeout to 60 seconds to re-establish source nat flow mapping with persistent NAT

- using interface-nat rather than source nat pools.

- use target-host-port rather than any-remote-host

 

Given that we're using address-mapping here, it seems that it can only use source NAT pool IPs and not interface-NAT IPs.

 

The other thinking is that I could maybe use two source pools and two source NAT rules, dependent on traffic flow on the given active route in inet.0?

Use:

rule-set primary-pnat to be from interface irb.30; to interface ge-0/0/1 for PublicIP1

rule-set secondary-pnat to be from interface irb.30; to interface pp0.0 for PublicIP2

 

Like the below:

 

pool voip1 {
    address {
        x.x.x.x/32;
    }
    port {
        no-translation;
    }
}

pool voip2 {
    address {
        y.y.y.y/32;    /* public IP of the secondary (pp0.0) link */
    }
    port {
        no-translation;
    }
}
rule-set 3cx-to-untrust-1 {
    from interface irb.30;
    to interface ge-0/0/0.0;
    rule voip {
        match {
            source-address 10.10.20.17/32;
            source-port {
                9000 to 9255;
                5090;
                5060;
                5000;
                3478;
                2528;
                5001;
                5228 to 5230;
            }
        }
        then {
            source-nat {
                pool {
                    voip1;
                    persistent-nat {
                        permit any-remote-host;
                        address-mapping;
                        inactivity-timeout 60;
                        max-session-number 800;
                    }
                }
            }
        }
    }
}

rule-set 3cx-to-untrust-2 {
    from interface irb.30;
    to interface pp0.0;
    rule voip {
        match {
            source-address 10.10.20.17/32;
            source-port {
                9000 to 9255;
                5090;
                5060;
                5000;
                3478;
                2528;
                5001;
                5228 to 5230;
            }
        }
        then {
            source-nat {
                pool {
                    voip2;
                    persistent-nat {
                        permit any-remote-host;
                        address-mapping;
                        inactivity-timeout 60;
                        max-session-number 800;
                    }
                }
            }
        }
    }
}

 

Below is my current working configuration with just the one internet connection.

I've excluded other configuration below, as what's below is the crux of the source NAT dilemma I'm having.

 

Has anyone come across a solution to this one?

 

Thanks

 

 

pool voip {
    address {
        x.x.x.x/32;
    }
    port {
        no-translation;
    }
}


rule-set 3cx-to-untrust {
    from interface irb.30;
    to zone untrust;
    rule voip {
        match {
            source-address 10.10.20.17/32;
            source-port {
                9000 to 9255;
                5090;
                5060;
                5000;
                3478;
                2528;
                5001;
                5228 to 5230;
            }
        }
        then {
            source-nat {
                pool {
                    voip;
                    persistent-nat {
                        permit any-remote-host;
                        address-mapping;
                        max-session-number 800;
                    }
                }
            }
        }
    }
}

 

Maximum distance between two nodes for srx1500 chassis cluster


Hi Juniper Masters,

 

What is the maximum distance to cluster the 2 SRX1500? Thanks!

DHCP not working properly when multiple pools are defined


I am trying to set up multiple subnets on an SRX device; each subnet has its own DHCP pool. I have 5 ports; each port is connected to a group of servers. So, I configured 5 pools and 5 groups, each group containing an interface. The problem is that hosts are getting addresses from different pools. For example: Host1 is linked to interface1 on the router, which has the address 10.0.0.1; the address assigned to Host1 should belong to the pool that has the network address 10.0.0.0/24, but it gets an address from a different pool.

these are the pools and the groups:

pools

these are the interfaces:

interfaces

and below is an example of how addresses from the wrong pools are assigned to clients

address pools and assignments

Am I getting it wrong? Is a pool mapped to the interface based on the network address of the interface and the one specified in the DHCP pool configuration?

How do I map a group to a pool? Or how do I make the SRX give an IP address that really belongs to the pool that has the same network address as the interface?

Note: The pool match order is set to ip-address-first (default)

 



PPPoE communication is not possible with PPPoE Server & Client of SRX


I am verifying the SRX's PPPoE Server & Client with reference to the following video, but I cannot communicate over PPPoE.

https://www.youtube.com/watch?v=pCyq31UQrtw&list=PLgqQ-gd5fiMYuBUcXzjx5h4D9Vnsb9JFb

Is the setting bad?

 

■SRX1(PPPoE Server)

set interfaces ge-0/0/0.0 encapsulation ppp-over-ether

edit interfaces pp0.0
set pppoe-options underlying-interface ge-0/0/0.0
set pppoe-options server

set family inet mtu 1454
set family inet address 1.0.0.10/32 destination 1.0.0.1

set ppp-options chap local-name SRX2
set ppp-options chap default-chap-secret SRX2

top

 

edit security zones security-zone trust
set host-inbound-traffic system-services ping
set interfaces pp0.0

 

 

■SRX2(PPPoE Client)

set interfaces ge-0/0/0.0 encapsulation ppp-over-ether

edit interfaces pp0.0
set pppoe-options underlying-interface ge-0/0/0.0
set pppoe-options client
set pppoe-options auto-reconnect 10
set pppoe-options idle-timeout 0

set family inet mtu 1454
set family inet negotiate-address

set ppp-options chap local-name SRX2
set ppp-options chap default-chap-secret SRX2
set ppp-options chap passive

top

edit security zones security-zone untrust
set host-inbound-traffic system-services ping
set interfaces pp0.0

top

 

set routing-options static route 0.0.0.0/0 next-hop pp0.0

 

 

※※※I'm sorry. I solved it, but was it necessary to set one of the hostnames?

Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .


Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails with the following errors:

 

request system software add /var/tmp/junos-srxsme-18.2R3.4.tgz no-copy unlink
NOTICE: Validating configuration against junos-srxsme-18.2R3.4.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s1a)...
/dev/da0s1a: 2510.1MB (5140780 sectors) block size 16384, fragment size 2048
        using 14 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544,
3384608, 3760672, 4136736, 4512800, 4888864
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
Using junos-18.2R3.4 from /altroot/cf/packages/install-tmp/junos-18.2R3.4
Copying package ...
veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/php_mod.ini: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
Network security daemon: <source-daemon>nsd</source-daemon>
Network security daemon: <message>certificate 'device': certificate does not exist .</message>
Network security daemon: </xnm:error>
mgd: error: configuration check-out failed
Validation failed
Validating against /config/rescue.conf.gz
Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
Network security daemon: <source-daemon>nsd</source-daemon>
Network security daemon: <message>certificate 'device': certificate does not exist .</message>
Network security daemon: </xnm:error>
mgd: error: configuration check-out failed
Validation failed
ERROR: Configuration validation failed with /altroot/cf/packages/install-tmp/junos-18.2R3.4

 

Any ideas how to make this work?

error: the redundancy-interface-process subsystem is not running


Hi,

 

I have configured a chassis cluster of SRX340s in transparent mode. All interfaces are up as expected; however, I can't ping from my untrust to my trust zone. After troubleshooting, I ran "show interfaces redundancy" and it returned the following error:

 

error: the redundancy-interface-process subsystem is not running

 

Has anyone come across this error, and how do I resolve it?

 

Thanks

Harry.

 

 

flow session


Hi, I am using a Juniper SRX240 and for the last week I have been finding records like this in the session table.

 

Session ID: 668, Policy name: allow-public-mail/11, State: Active, Timeout: -1, Valid
In: 47.74.61.85/60414 --> x.x.x.x/587;tcp, If: reth1.0, Pkts: 1, Bytes: 40
Out: 192.168.200.16/587 --> 47.74.61.85/60414;tcp, If: reth0.994, Pkts: 6, Bytes: 264

 

These records stay in the table forever and I have to clear the session table. Can you please explain to me why the timeout is -1?

 

Thanks

 

 

Internet failover with dual-ISP configuration - selecting the "primary" ISP


I have an SRX300 running version 15.1X49-D150.2

I have it configured for dual-ISP configuration using IP monitoring. This works great.

 

My problem is that when both connections are working, I have a preferred ISP (which we have more bandwidth from), and I can't figure out how to default it to that ISP.

 

The preferred ISP in the configuration below is called ATT, but if both connections are up it always goes out the COMCAST link.

 

Any suggestions?

 

services {
    rpm {
        probe COMCAST {
            test GOOGLE {
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/5.0;
                next-hop 2.2.2.238;
            }
        }
        probe ATT {
            test GOOGLE {
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/0.0;
                next-hop 1.1.1.97;
            }
        }
    }
    ip-monitoring {
        policy ATT {
            match {
                rpm-probe ATT;
            }
            then {
                preferred-route {
                    routing-instances ATT {
                        route 0.0.0.0/0 {
                            next-hop 2.2.2.238;
                            metric 10;
                        }
                    }
                }
            }
        }
        policy COMCAST {
            match {
                rpm-probe COMCAST;
            }
            then {
                preferred-route {
                    routing-instances COMCAST {
                        route 0.0.0.0/0 {
                            next-hop 1.1.1.97;
                        }
                    }
                }
            }
        }
    }
}
security {
    log {
        mode stream;
        report;
    }
    nat {
        source {
            rule-set LAN-to-COMCAST {
                from zone LAN;
                to zone COMCAST;
                rule NAT-COMCAST {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set LAN-to-ATT {
                from zone LAN;
                to zone ATT;
                rule NAT-ATT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone LAN to-zone COMCAST {
            policy ALL_LAN_COMCAST {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN to-zone ATT {
            policy ALL_LAN_ATT {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN to-zone LAN {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone COMCAST {
            interfaces {
                ge-0/0/5.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            rpm;
                        }
                    }
                }
            }
        }
        security-zone ATT {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            rpm;
                        }
                    }
                }
            }
        }
        security-zone LAN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.99/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 2.2.2.233/28;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet;
        }
    }
    irb {
        unit 0 {
            family inet {
                filter {
                    input OUTPUT-ISP;
                }
                address 10.128.105.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input ADMIN-FILTER;
                }
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 next-table ATT.inet.0;
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 ATT.inet.0 COMCAST.inet.0 ];
        }
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
/* ADMIN-IPS are permitted ssh access */
policy-options {
    prefix-list ADMIN-IPS {
        10.128.105.0/24;
        3.3.3.3/32;
    }
}
firewall {
    filter ADMIN-FILTER {
        term BLOCK-NON-ADMIN {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    ADMIN-IPS except;
                }
                protocol tcp;
                destination-port [ ssh https telnet http ];
            }
            then {
                discard;
            }
        }
        term accept_everything_else {
            then accept;
        }
    }
    filter OUTPUT-ISP {
        term TO-COMCAST {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance COMCAST;
            }
        }
        term TO-ATT {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance ATT;
            }
        }
    }
}
routing-instances {
    COMCAST {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 2.2.2.238;
                    metric 10;
                }
            }
        }
    }
    ATT {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/32 next-hop 1.1.1.97;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}

Is it possible to implement this topology?


Good morning, I would like to know if my Juniper SRX550 could support this topology, thanks in advance.


IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation.


Hi folks,

 

I am getting the following log message when I try an IKEv2 VPN from my iPhone (iOS 13) to my Juniper SRX 320.

Please note that I can connect to my Juniper using Pulse Secure using my laptop remotely, however looking for connectivity to the Juniper using iPhone standard VPN client. 

 

IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation.

 

Nov 4 09:21:39 HOME-SRX kmd[1754]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 2, VPN: Not-Available Gateway: Not-Available, Local: 42.41.232.22/500, Remote: 69.158.246.169/1526, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

 

I appreciate your help. Please find the running configuration attached.


PPPoe not connecting


Hello,

 

I have an SRX320 with a VDSL card that dialled out successfully the first time, but after that it suddenly stopped working.

 

My pppoe config is as follows:

 

show configuration interfaces pt-2/0/0
vlan-tagging;
vdsl-options {
    vdsl-profile auto;
}
unit 0 {
    encapsulation ppp-over-ether;
    vlan-id 101;
}

 

 

ppp-options {
    chap {
        default-chap-secret ## SECRET-DATA
        local-name "abcd@xxxx.com";
        passive;
    }
}
pppoe-options {
    underlying-interface pt-2/0/0.0;
    client;
}
family inet {
    negotiate-address;
}

 

The VDSL card is in FPC slot 2 and I get the following; I'm unsure what pt-2/0/0.32767 is:

 

pt-2/0/0 up up
pt-2/0/0.0 up up
pt-2/0/0.32767 up up
fxp2 up up
fxp2.0 up up tnp 0x1

 

Traceoptions were added, but I see the following:

 

 

show log pppoed
Nov 5 12:59:19 uifl not found for pt-2/0/0.32767 !
Nov 5 12:59:50 allocated 88 bytes at 0x4e4500
Nov 5 12:59:50 allocated 212 bytes at 0x4f6000
Nov 5 12:59:50 allocated 4 bytes at 0x4e30b0
Nov 5 12:59:50 allocated 4 bytes at 0x4e30c0
Nov 5 12:59:50 allocated 592 bytes at 0x4f8000
Nov 5 12:59:50 allocated 8 bytes at 0x4e30d0
Nov 5 13:00:18 allocated 1510 bytes at 0x4fd000
Nov 5 13:03:16 SIGHUP received

 

 

Can someone please guide me on where the issue could potentially be?

 

 

Thanks

Route-based IPsec SRX4100 to ASA, traffic selectors: 1 subnet to many behind ASA


The configured IPsec tunnel is failing at Phase 2 with the error "[Nov 5 11:02:00][165.X.X.X <-> 74.X.X.X] Authenticated Phase-2 notification `No proposal chosen' (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=ac 37 1d 45 16 59 9f a9 f2 c9 a0 54 37 5f 51 75 causes"

On the SRX I have the following:
traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
}
traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
}

On the ASA I have the following:
object-group network VLT_NETS_TO_SAV
network-object 10.1.0.0 255.255.254.0
network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
network-object 10.120.72.0 255.255.255.0

access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

I assume this should work, but it doesn't quite fit into one of these: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28861&actp=METADATA

I'm a bit stumped here. I have done this before, but it's been a while and I don't recall.


Detailed SRX config:

SRX-01b> show configuration security ike proposal IKE_P1_PROPOSAL_1
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;

SRX-01b> show configuration security ike policy VLTFW_CORE_IKE_POLICY
mode main;
proposals IKE_P1_PROPOSAL_1;
pre-shared-key ascii-text "$9$WfE8NbaJDH.5x7P5Fn7dY2"; ## SECRET-DATA

SRX-01b> show configuration security ike gateway VLTFW_CORE
ike-policy VLTFW_CORE_IKE_POLICY;
address 74.X.X.X;
external-interface reth3;

SRX-01b> show configuration security ipsec proposal IPSEC_P2_PROPOSAL_1
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;

SRX-01b> show configuration security ipsec policy VLTFW_CORE_POLICY
perfect-forward-secrecy {
    keys group5;
}
proposals IPSEC_P2_PROPOSAL_1;

SRX-01b> show configuration security ipsec vpn VLTFW_CORE_VPN
bind-interface st0.13;
ike {
    gateway VLTFW_CORE;
    ipsec-policy VLTFW_CORE_POLICY;
}
traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
}
traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
}
establish-tunnels immediately;


Detailed ASA config:

crypto ikev1 policy 40
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400


tunnel-group 165.X.X.X type ipsec-l2l
tunnel-group 165.X.X.X ipsec-attributes
ikev1 pre-shared-key ABCDEFG

object-group network VLT_NETS_TO_SAV
network-object 10.1.0.0 255.255.254.0
network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
network-object 10.120.72.0 255.255.255.0

access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
crypto map outside_vpn 60 set pfs group5
crypto map outside_vpn 60 set peer 165.X.X.X
crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
crypto map outside_vpn 60 set security-association lifetime seconds 86400
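As an added check, not part of the original post: the Python below (my code, not Juniper's or Cisco's) loads the Phase 2 parameters of the two configurations above into plain structures and reports every mismatch. It expands the ASA crypto ACL (source object-group x destination object-group) into the (local, remote) pairs the SRX would need as traffic selectors, so the one-subnet-to-many question can be checked mechanically, and it compares encapsulation mode alongside the algorithms, because a tunnel/transport mismatch is one of the conditions that produces a Phase 2 `No proposal chosen`. Assumptions: a Junos route-based VPN bound to an st0 interface negotiates tunnel mode, and the ASA algorithm names are mapped to their Junos spellings in `ALG_ALIASES`. The two dictionaries are constructed by hand from the posted configs.

```python
"""Compare the Phase 2 parameters of an SRX route-based VPN with an ASA crypto map.

Added example, not from the original post. Both sides are hand-copied from the
configurations in the thread into plain Python structures.
"""
from itertools import product
from ipaddress import ip_network

# --- SRX side, as posted. Traffic selectors are explicit local/remote pairs. ---
SRX = {
    "mode": "tunnel",            # assumption stated in the lead-in: st0-bound VPNs use tunnel mode
    "encryption": "aes-256-cbc",
    "authentication": "hmac-sha1-96",
    "pfs": "group5",
    "traffic_selectors": [
        ("10.120.72.0/24", "10.1.0.0/23"),
        ("10.120.72.0/24", "10.4.200.0/24"),
    ],
}

# --- ASA side, as posted. The crypto ACL is src object-group x dst object-group. ---
ASA = {
    "mode": "transport",         # 'crypto ipsec ikev1 transform-set ... mode transport'
    "encryption": "esp-aes-256",
    "authentication": "esp-sha-hmac",
    "pfs": "group5",
    "acl_src": ["10.1.0.0/23", "10.4.200.0/24"],   # VLT_NETS_TO_SAV
    "acl_dst": ["10.120.72.0/24"],                  # SAV_NET_TO_VLT
}

# Vendor spellings of the same algorithms (assumed mapping, see lead-in).
ALG_ALIASES = {
    "esp-aes-256": "aes-256-cbc",
    "esp-sha-hmac": "hmac-sha1-96",
}


def normalise(alg):
    return ALG_ALIASES.get(alg, alg)


def asa_selectors_from_srx_view(asa):
    """Expand the ASA crypto ACL into (local, remote) pairs as the SRX sees them.
    The ASA's source is the SRX's remote and vice versa, so each ACE (src, dst)
    becomes (dst, src). Networks are canonicalised with ipaddress."""
    pairs = set()
    for src, dst in product(asa["acl_src"], asa["acl_dst"]):
        pairs.add((str(ip_network(dst)), str(ip_network(src))))
    return pairs


def compare_phase2(srx, asa):
    """Return a list of human-readable mismatches; an empty list means the
    Phase 2 parameters and selectors line up."""
    problems = []
    if srx["mode"] != asa["mode"]:
        problems.append(f"encapsulation mode: SRX {srx['mode']} vs ASA {asa['mode']}")
    for key in ("encryption", "authentication", "pfs"):
        if normalise(srx[key]) != normalise(asa[key]):
            problems.append(f"{key}: SRX {srx[key]} vs ASA {asa[key]}")
    srx_pairs = {(str(ip_network(l)), str(ip_network(r))) for l, r in srx["traffic_selectors"]}
    asa_pairs = asa_selectors_from_srx_view(asa)
    for p in sorted(srx_pairs - asa_pairs):
        problems.append(f"traffic selector {p} has no matching ASA ACE")
    for p in sorted(asa_pairs - srx_pairs):
        problems.append(f"ASA ACE {p} has no matching SRX traffic selector")
    return problems


if __name__ == "__main__":
    for line in compare_phase2(SRX, ASA) or ["Phase 2 parameters match"]:
        print(line)
```

Run as-is it reports only the encapsulation-mode difference: the two traffic selectors do mirror the ACL's two ACEs. Lifetimes (3600 s on the SRX, 86400 s on the ASA) are deliberately not compared, since IKEv1 peers settle on the shorter value rather than rejecting the proposal.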

 

Enable multicast traffic into the same security zone


Hi,

 

I would like to send a multicast stream from a source connected on one interface to another interface on a Juniper SRX240 (12.1X46).

 

The multicast source is connected on the ge-0/0/3 interface.

Clients are connected on ge-0/0/1 interface.

 

Here we have the interfaces :

 

 

interfaces {
    ge-0/0/1 {
        unit 0 {
            description stb;
            family inet {
                address 172.16.1.254/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            description local-stream;
            family inet {
                address 172.16.3.254/24;
            }
        }
    }
}

 

 

IGMP and PIM configuration :

 

 

> show configuration protocols
igmp {
    interface all {
        version 2;
    }
}
pim {
    interface all {
        mode dense;
        version 2;
    }
}

To simplify the setup, I put the two interfaces in the same security zone named "trust":

 

 

    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/3.0;
            }
        }
    }

Since all interfaces are in the same zone, I don't need security rules to allow the multicast traffic between source and receiver.

 

Multicast routing from the multicast source looks good, but when I request the stream from a PC I get nothing.

 

> show multicast route group 232.1.20.2 detail
Instance: master Family: INET

Group: 232.1.20.2
    Source: 172.16.3.1/32
    Upstream interface: ge-0/0/3.0
    Session description: Source specific multicast
    Statistics: 0 kBps, 0 pps, 0 packets
    Next-hop ID: 0
    Upstream protocol: PIM

The show multicast route command should display a downstream interface list containing at least the receiver interface ge-0/0/1.0.

Here we can see the IGMP request done by the client :

igmp_client.PNG

 

Is it possible that my problem comes from the TTL value sent by the client, which is equal to 1 in the Wireshark screenshot?
 
Any idea ?
 
Best Regards,
 
Bernado
 

 

Security Director Hit Count shows NA


I have a few rules that show the designation "NA" for the hit count.  This means "not available".  Does anyone know why the hit count would be unavailable for these rules?

I'm close to getting it; what is missing to get a ping between two virtual routers connected by a virtual switch?


Hello everyone, after many failed attempts, I think I am very close to pinging two virtual routers connected through a virtual switch, I would greatly appreciate your help, thank you very much.
My configuration is:

root@NewJuniper# show routing-instances
VR1 {
    instance-type virtual-router;
    interface ge-0/0/4.0;
}
VR2 {
    instance-type virtual-router;
    interface ge-0/0/5.0;
}
MyVirtualSwitch {
    instance-type virtual-switch;
    interface ge-0/0/3.0;
    bridge-domains {
        TestBridgeVS {
            domain-type bridge;
            vlan-id none;
        }
    }
}

[edit]
root@NewJuniper# show interfaces

ge-0/0/4 {
    unit 0 {
        family inet {
            address 192.168.2.2/24;
        }
    }
}
ge-0/0/5 {
    unit 0 {
        family inet {
            address 192.168.2.1/24;
        }
    }
}

This should work, right? have i missed something? Thanks again

 

 
