Channel: SRX Services Gateway topics

How to fix JDHCP amnesia?


I have some clients that I occasionally reboot, but I find that after a reboot they get another address from the SRX's server. This happens most of the time while their lease has not expired, and I would expect them to retain the IP. What option am I missing that tells JDHCP to do what's expected?

 

My pools have dhcp-attributes: maximum-lease-time 86400 and grace-period 1800. Running 12.1X46-D82.

 

Thanks!


ssl handshake failure on firewall-authentication pass-through with HTTPS


Hello,

 

I'm experiencing the following issue when trying to do a firewall-authentication pass-through with HTTPS. The same configuration is used in several srx3400 boxes with the same wildcard SSL certificate. With 12.3X48-D55.4 it works fine, but with 12.3X48-D75.4 and 12.3X48-D80.4 the SSL handshake fails:

 

Debugging with

 openssl s_client -connect domain:443 -debug

from a Linux box, and the same happened with Google Chrome and Internet Explorer:

139701596759952:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:s3_pkt.c:1493:SSL alert number 51
139701596759952:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177

I have tried several changes but the same always happens. The local certificate and private key pair are fine.

 

set security policies from-zone untrust to-zone dmz policy webaccess match source-address any
set security policies from-zone untrust to-zone dmz policy webaccess match destination-address webaccess 
set security policies from-zone untrust to-zone dmz policy webaccess match application junos-https
set security policies from-zone untrust to-zone dmz policy webaccess then permit firewall-authentication pass-through access-profile webaccess-profile
set security policies from-zone untrust to-zone dmz policy webaccess then permit firewall-authentication pass-through ssl-termination-profile ssldevice
set access profile webaccess-profile client user101 firewall-user password "xxxxxxxxxxxx"
set access firewall-authentication pass-through default-profile webaccess-profile
set services ssl termination profile ssldevice server-certificate devicecert

 

How can I work around the issue?

Thanks!

Javier

SRX 3600 OID for total device throughput


I am looking for the OID for the SRX 3600 that shows total device throughput; the only one I can find is the bandwidth.

 

The device is an srx3600 with Junos image 12.3X48-D40.5.

Pulse Secure VPN connection issue over SRX240 Firewall


Hi all,

 

Of late people complain that they are unable to connect to VPN, getting the following error in the Pulse Secure app: "error 1468 unable to resolve hostname". This error is random: the same user connects fine after trying 2 or 3 times, while some users keep getting the same error. The VPN configuration on the firewall is fine, as other users are able to connect fine. The OS on the Juniper is 12.1X44-D35.5 and Pulse Secure is version 9.0.4 (1731).

 

Also, the users who get this error are able to access the internet fine, so it is not an internet issue on their PCs. Is this some sort of bug?

SRX340 to be DHCP server and gateway for 4 VLANs


I am struggling with the config to have an SRX340 perform gateway and DHCP services for 4 VLANs. VLANs 7, 66 and 3333 are tagged from a Unifi controller and APs. I want to use interface ge0-7, which is the internal trusted interface, for this purpose. In addition to those VLANs I want the base network address space of 10.11.12.0/24 for any devices that are not on those VLANs.

Any help is much appreciated. WG is a guest network; I will ultimately need to isolate their traffic with firewall rules even though the devices are on the internal network.

 


## Last changed: 2019-12-23 13:15:17 GMT-6
version 20191112.100140_builder.r1067283;
system {
host-name srx1;
root-authentication {
encrypted-password "$6$0cmPxnF6$M75Jt0Cr3p8EWHf6ZKCQxPF6/SCF6NQ2TulDoDtA.PqbpLvlDRp0BGFbdNjU4NuVcU7.ZZQvgQIQkLbYShebe.";
}
services {
ssh {
root-login allow;
}
netconf {
ssh;
}
dhcp-local-server {
group ge07-VLAN-DHCP {
interface ge-0/0/7.0;
interface vlan.7;
interface vlan.66;
interface vlan.3333;
}
}
web-management {
https {
system-generated-certificate;
interface [ ge-0/0/7.0 fxp0.0 ];
}
}
}
time-zone GMT-6;
name-server {
8.8.8.8;
8.8.4.4;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
ge-0/0/7.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
ge-0/0/15.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
dl0.0 {
host-inbound-traffic {
system-services {
tftp;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp {
update-server;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
description LAN;
family inet {
address 10.11.12.1/24;
address 10.3.3.1/24;
address 10.7.7.1/24;
address 10.2.2.1/24;
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/15 {
unit 0 {
family inet;
}
}
cl-1/0/0 {
dialer-options {
pool 1 priority 100;
}
}
dl0 {
unit 0 {
family inet {
negotiate-address;
}
family inet6 {
negotiate-address;
}
dialer-options {
pool 1;
dial-string 1234;
always-on;
}
}
}
fxp0 {
unit 0 {
family inet {
address 10.11.2.1/28;
}
}
}
irb {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
unit 1 {
family inet {
address 10.7.7.1/24;
}
}
unit 2 {
family inet {
address 10.3.3.1/24;
}
}
unit 3 {
family inet {
address 10.2.2.1/23;
}
}
}
}
access {
address-assignment {
pool 10-11-12 {
family inet {
network 10.11.12.0/24;
range 10-11-12-100 {
low 10.11.12.100;
high 10.11.12.254;
}
}
}
pool Cams10-3-3 {
family inet {
network 10.3.3.0/24;
range 10-3-3 {
low 10.3.3.6;
high 10.3.3.254;
}
}
}
pool EMWWLAN {
family inet {
network 10.7.7.0/24;
range EMW {
low 10.7.7.6;
high 10.7.7.254;
}
}
}
pool WG {
family inet {
network 10.2.2.0/23;
range WG {
low 10.2.2.7;
high 10.2.3.254;
}
}
}
}
}
vlans {
Cams3333 {
description Cameras;
vlan-id 3333;
l3-interface irb.2;
}
EMW7 {
description "EMW wifi";
vlan-id 7;
l3-interface irb.1;
}
WG66 {
description "Guest VLAN";
vlan-id 66;
l3-interface irb.3;
}
vlan-trust {
vlan-id 3;
l3-interface irb.0;
}
}
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}

SRX IKEv1 Traffic Selectors vs Proxy Identity


Hello experts,

I have the following scenarios related to SRX implementation of traffic selectors vs proxy identities. I am running this experiment using vSRX 12.1X47-D15.4. I am using IKEv1 as for this version only IKEv1 supports multiple traffic selectors and proxy identities. 

 

I have two route-based site-to-site VPN tunnels using ESP. Both endpoints are SRX running the same OS.
The encrypted traffic is as follows.

VPN1: 100.100.100.250/32 <-> 10.10.10.101/32

VPN2: 100.100.100.250/32 <-> 10.10.10.102/32

 

Each VPN has its own st0 tunnel interface. I have experimented with two scenarios for each of the VPNs, one using proxy identities and the other using traffic selectors.

 

Scenario 1: Proxy Identities on both ends.

SRX1:

set security ipsec vpn IPSEC_VPN1 bind-interface st0.101
set security ipsec vpn IPSEC_VPN1 df-bit copy
set security ipsec vpn IPSEC_VPN1 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN1 ike proxy-identity local 100.100.100.250/32
set security ipsec vpn IPSEC_VPN1 ike proxy-identity remote 10.10.10.101/32
set security ipsec vpn IPSEC_VPN1 ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN2 bind-interface st0.102
set security ipsec vpn IPSEC_VPN2 df-bit copy
set security ipsec vpn IPSEC_VPN2 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN2 ike proxy-identity local 100.100.100.250/32
set security ipsec vpn IPSEC_VPN2 ike proxy-identity remote 10.10.10.102/32
set security ipsec vpn IPSEC_VPN2 ike ipsec-policy IPSEC_POL

root@SRX1> show route 10.10.10.101/32
10.10.10.101/32 *[Static/5] 1d 01:22:09
                    > via st0.101
root@S2> show route 10.10.10.102/32
10.10.10.102/32 *[Static/5] 01:09:18
                    > via st0.102
root@SRX1> show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-256/sha256 2a1b4e14 824/ unlim - root 500 10.10.34.4
>131073 ESP:aes-cbc-256/sha256 8e50e421 824/ unlim - root 500 10.10.34.4
<131074 ESP:aes-cbc-256/sha256 76639d3 830/ unlim - root 500 10.10.34.4
>131074 ESP:aes-cbc-256/sha256 efc0e472 830/ unlim - root 500 10.10.34.4

SRX2:

set security ipsec vpn IPSEC_VPN1 bind-interface st0.1
set security ipsec vpn IPSEC_VPN1 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN1 ike proxy-identity local 10.10.10.101/32
set security ipsec vpn IPSEC_VPN1 ike proxy-identity remote 100.100.100.250/32
set security ipsec vpn IPSEC_VPN1 ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN2 bind-interface st0.2
set security ipsec vpn IPSEC_VPN2 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN2 ike proxy-identity local 10.10.10.102/32
set security ipsec vpn IPSEC_VPN2 ike proxy-identity remote 100.100.100.250/32
set security ipsec vpn IPSEC_VPN2 ike ipsec-policy IPSEC_POL

root@SRX2> show route 100.100.100.250/32
100.100.100.250/32 *[Static/5] 00:39:40> via st0.1
                      via st0.2
root@SRX2> show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-256/sha256 8e50e421 816/ unlim - root 500 10.10.23.2
>131073 ESP:aes-cbc-256/sha256 2a1b4e14 816/ unlim - root 500 10.10.23.2
<131074 ESP:aes-cbc-256/sha256 efc0e472 822/ unlim - root 500 10.10.23.2
>131074 ESP:aes-cbc-256/sha256 76639d3 822/ unlim - root 500 10.10.23.2

 

The result is that ping works both from 100.100.100.250 to 10.10.10.101 and to 10.10.10.102. Ignore the source IP addresses on the router: both 10.10.10.1 and 10.10.10.2 are PATed to 100.100.100.250 on SRX1. SRX1 is the one initiating the traffic.

 

R1#ping 10.10.10.101 source 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.101, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/15/20 ms
R1#ping 10.10.10.102 source 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.102, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/19/26 ms

 

Scenario 2: Proxy identity on SRX1 and Traffic Selectors on SRX2

 

The configuration on SRX1 remains the same as above. The configuration SRX2 has been changed to include traffic selectors and is now also using ARI.

 

set security ipsec vpn IPSEC_VPN1 bind-interface st0.1
set security ipsec vpn IPSEC_VPN1 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN1 ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN1 traffic-selector TS1 local-ip 10.10.10.101/32
set security ipsec vpn IPSEC_VPN1 traffic-selector TS1 remote-ip 100.100.100.250/32
set security ipsec vpn IPSEC_VPN2 bind-interface st0.2
set security ipsec vpn IPSEC_VPN2 ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN2 ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN2 traffic-selector TS2 local-ip 10.10.10.102/32
set security ipsec vpn IPSEC_VPN2 traffic-selector TS2 remote-ip 100.100.100.250/32

root@SRX2> show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<268173315 ESP:aes-cbc-256/sha256 13b8f1bb 3582/ unlim - root 500 10.10.23.2
>268173315 ESP:aes-cbc-256/sha256 6313a8a5 3582/ unlim - root 500 10.10.23.2
<268173316 ESP:aes-cbc-256/sha256 6230bb09 3586/ unlim - root 500 10.10.23.2
>268173316 ESP:aes-cbc-256/sha256 6ef6e192 3586/ unlim - root 500 10.10.23.2

 

root@SRX2> show route 100.100.100.250/32

inet.0: 10 destinations, 12 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

100.100.100.250/32 *[Static/5] 00:03:21
                    > via st0.1
                    [Static/5] 00:03:21> via st0.2
                    [Static/5] 00:57:22> via st0.1
                      via st0.2

 

The IPsec SAs are up on both ends, same as before. st0.1 is the preferred interface on SRX2, same as before. The only difference now is that the encrypted traffic is not working for VPN2.

 

R1#ping 10.10.10.101 source 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.101, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/22/37 ms
R1#ping 10.10.10.102 source 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.102, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.2
.....
Success rate is 0 percent (0/5)
R1#

I know that Juniper explicitly says that this scenario is not supported:
https://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/ipsec-vpn-traffic-selector-overlapping-ip-address-understanding.html#jd0e58

Note: If multiple traffic selectors are configured with the same remote subnetwork and netmask, equal cost routes are added to the routing table. This case is not supported with traffic selectors as the route chosen cannot be predicted.

 

 

My question is: why is traffic for VPN2 not working in the second scenario while it works in the first? I'm explicitly asking about the mechanism behind the scenes, so to speak. Does the traffic selector knob also use some sort of data plane filtering on the source and destination IPs, which is not the case for the proxy ID?

 

Using packet captures I can see that traffic in scenario 2 is egressing from the SRX2 device. It is the return traffic from SRX2 that is having an issue. Furthermore, since both routing and the IPsec SAs are up in both scenario 1 and scenario 2, I suspect this is a data plane issue and not a control plane issue (my suspicion is some sort of traffic filtering). Are there any show commands or traceoptions for me to view this?
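One way to picture the data-plane difference the question is about, as an added example that is not part of the original post and not Junos code: a small Python model of SRX2's return path built from the facts shown above (100.100.100.250/32 reachable via both st0.1 and st0.2, st0.1 preferred). It assumes, as the poster suspects, that with traffic selectors the SRX checks each outbound packet against the selector negotiated for the SA on the chosen st0 unit and drops packets outside it, while proxy-ID mode performs no per-packet check. Hosts, prefixes and interface names are the page's; the ECMP choice is simplified to "first listed next hop", whereas the real choice is per-flow and, per the Juniper note, unpredictable.

```python
import ipaddress


def in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


class Tunnel:
    """One st0 unit. selector=None models proxy-ID mode (no per-packet check);
    a (local_prefix, remote_prefix) pair models a negotiated traffic selector
    (assumption: enforced on every outbound packet, non-matching packets dropped)."""

    def __init__(self, name, selector=None):
        self.name = name
        self.selector = selector

    def accepts(self, src, dst):
        if self.selector is None:
            return True
        local, remote = self.selector
        return in_prefix(src, local) and in_prefix(dst, remote)


def pick_route(routes, dst):
    """Longest-prefix match; among ECMP next hops the first listed one is used
    (simplification: the real per-flow choice is not predictable)."""
    best = None
    for prefix, next_hops in routes.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hops)
    return best[1][0] if best else None


def forward(src, dst, routes, tunnels):
    """Route the packet, then apply the chosen tunnel's selector check."""
    iface = pick_route(routes, dst)
    if iface is None:
        return ("dropped", "no route")
    tunnel = tunnels[iface]
    if not tunnel.accepts(src, dst):
        return ("dropped", f"{iface}: selector does not cover {src}->{dst}")
    return ("sent", iface)


# SRX2's routing table as shown in the post: one destination, two st0 next hops, st0.1 preferred.
ROUTES_SRX2 = {"100.100.100.250/32": ["st0.1", "st0.2"]}

# Scenario 1: proxy identities only, so no per-packet selector on either tunnel.
SCENARIO1 = {"st0.1": Tunnel("st0.1"), "st0.2": Tunnel("st0.2")}

# Scenario 2: TS1 and TS2 from the SRX2 configuration in the post.
SCENARIO2 = {
    "st0.1": Tunnel("st0.1", ("10.10.10.101/32", "100.100.100.250/32")),
    "st0.2": Tunnel("st0.2", ("10.10.10.102/32", "100.100.100.250/32")),
}


def return_traffic(tunnels):
    """Echo replies from both protected hosts back to 100.100.100.250."""
    return {src: forward(src, "100.100.100.250", ROUTES_SRX2, tunnels)
            for src in ("10.10.10.101", "10.10.10.102")}


if __name__ == "__main__":
    for label, tunnels in (("scenario 1", SCENARIO1), ("scenario 2", SCENARIO2)):
        for src, outcome in return_traffic(tunnels).items():
            print(f"{label}: {src} -> 100.100.100.250: {outcome}")
```

In the model, scenario 1 sends both replies out of st0.1 and nobody objects, because proxy IDs only shape what is negotiated, not what is forwarded. In scenario 2 the reply from 10.10.10.102 is also routed to st0.1, but that SA's selector only covers 10.10.10.101, so it is dropped before encryption, matching the asymmetric failure the captures show. Overlapping remote prefixes across tunnels are what make the route choice decisive.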

How to check deny traffic logs in CLI and WebUI


Hi,

We have configured the security policy below, but we are not getting a deny log with the source IP.

 

set security policies from-zone External to-zone DMZ policy DenyALL match source-address any-ipv4
set security policies from-zone External to-zone DMZ policy DenyALL match destination-address any
set security policies from-zone External to-zone DMZ policy DenyALL match application any
set security policies from-zone External to-zone DMZ policy DenyALL then deny
set security policies from-zone External to-zone DMZ policy DenyALL then log session-init
set security policies from-zone External to-zone DMZ policy DenyALL then log session-close


set system syslog file Denied-Traffic any any
set system syslog file Denied-Traffic match RT_FLOW_SESSION_DENY

 

Please suggest which command will help me get the "deny" logs, in the CLI as well as the WebUI.

Please suggest if any additional config is required.

 

Thanks in advance...
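As an added example (not from the original post, and not Juniper code), here is a small Python parser for the RT_FLOW_SESSION_DENY lines that the `match RT_FLOW_SESSION_DENY` syslog file above collects once the deny policy logs `session-init`; it pulls out the source address, destination and policy of each denied session and counts denies per source, which is the information the poster is after. The log lines are constructed for this example, with the leading fields in the order the SRX writes them (`<src>/<sport>-><dst>/<dport> <tag> <service> <proto>(<icmp-type>) <policy> <from-zone> <to-zone> ...`); the fields after the zones vary by release, so the regex stops there.

```python
import re
from collections import Counter

# Leading fields of an RT_FLOW_SESSION_DENY message; later fields are release-dependent and ignored.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[0-9a-fA-F.:]+)/(?P<sport>\d+)->"
    r"(?P<dst>[0-9a-fA-F.:]+)/(?P<dport>\d+) "
    r"(?P<tag>\S+) (?P<service>\S+) (?P<proto>\d+)\(\d+\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)

# Constructed sample of a Denied-Traffic file. Addresses and timestamps are made up; the
# RT_FLOW_SESSION_CREATE line shows that anything other than a deny event is skipped.
SAMPLE_LOG = """\
Jan  5 10:00:01 srx1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.10/51234->10.0.0.5/22 0x0 junos-ssh 6(0) DenyALL External DMZ UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Jan  5 10:00:02 srx1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.10/51235->10.0.0.5/3389 0x0 None 6(0) DenyALL External DMZ UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Jan  5 10:00:03 srx1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.7/40000->198.51.100.4/443 0x0 junos-https 10.0.0.7/40000->198.51.100.4/443 None None 6 Allow-Out trust External 12345 N/A(N/A) ge-0/0/7.0 UNKNOWN UNKNOWN UNKNOWN
Jan  5 10:00:04 srx1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.77/4444->10.0.0.9/445 0x0 junos-smb 6(0) DenyALL External DMZ UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
"""


def parse_deny_line(line):
    """Return the fields of one RT_FLOW_SESSION_DENY line as a dict, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "proto"):
        rec[key] = int(rec[key])
    return rec


def summarize_denies(log_text):
    """Count denied sessions per source address and per (destination, port)."""
    by_src = Counter()
    by_dst_port = Counter()
    for line in log_text.splitlines():
        rec = parse_deny_line(line)
        if rec is None:
            continue
        by_src[rec["src"]] += 1
        by_dst_port[(rec["dst"], rec["dport"])] += 1
    return by_src, by_dst_port


if __name__ == "__main__":
    srcs, targets = summarize_denies(SAMPLE_LOG)
    for src, n in srcs.most_common():
        print(f"{src:<16} {n} denied sessions")
    for (dst, port), n in targets.most_common():
        print(f"  -> {dst}:{port}  {n}")
```

Two things to keep in mind when reading the file on the box: a denied flow never becomes a session, so `log session-close` has nothing to emit for a deny policy and the deny event arrives with `session-init`; and the same lines are what `show log Denied-Traffic` returns in the CLI, so a parser like this can be pointed at an export of that file.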

Command to restart all services to avoid reboot

Hi,
Is there any single command or way to restart the control and data plane services instead of rebooting (soft/hard) the appliance?

NVR and destination NAT


Hi All,

I am a beginner in SRX. I got the error below with destination NAT.

I want to access my NVR from outside through NAT. I am using destination NAT and allowing any application. NAT is working: I can access the NVR login page from a browser. But when I click the play button of the NVR in the browser, the video cannot play. When I test from the local network, it is working.

I tried destination NAT to a CCTV camera directly; it is also working. I can access and play video from the outside network. It only doesn't work (can't play) with the NVR and destination NAT.

I tried static NAT. It has the same issue.

So let me know: do I need additional settings in the SRX NAT config to see CCTV via the outside network?

Is it related to the RTSP ALG? I also tried this but still have the issue.

Clustered vSRX on ESXi6.5 - unstable ge interfaces


Hello, I'm trying to set up 2 vSRX version 18.4R2.7 clustered, running on ESXi 6.5. I am following along with the vSRX deployment guide and have yet to get a stable setup. I have verified that "Expose hardware assisted virtualization to the guest OS" is checked (on by default) and 1 CPU socket is set.

 

I have set up a separate vSwitch for each NIC/adapter configuration, but the best I see is a good cluster with only ge-0/0/0 showing. As soon as they are clustered, ge-0/0/1 disappears, and even unclustered it has yet to register adapter 4.

 

The settings below seem to produce the best results, but what am I missing?

 

vSwitch / port group   MTU   VLAN ID  Promiscuous mode  MAC address  Forged transmits  Teaming                                  Active adapters
VM Network             1500  0        Accept*           Accept       Accept            Route based on originating virtual port  vmnic0; network adapter 1 - ge0/0/0, ge-7/0/0
  vm_mgmt              N/A   0        Accept            Accept       Accept            Route based on IP hash
vSwitch1               1500  0        Accept            Accept       Accept            Route based on IP hash                   none
  HA Control                 0        Accept            Accept       Accept            Route based on IP hash                   network adapter 2 - ge0/0/1
vSwitch2               9000  0        Reject            Accept       Accept            Route based on originating virtual port  none
  HA Fabric            N/A   0        Reject            Accept       Accept            Route based on IP hash                   network adapter 3 - ge0/0/2
vSwitch3               1500  0        Reject            Accept       Accept            Route based on originating virtual port  none
  chassis cluster Reth N/A   0        Reject            Accept       Accept            Route based on IP hash                   network adapter 4 - ge0/0/3

SRX family inet QoS filter - no hits


Hello.

I'm struggling with a family inet INPUT filter. It's supposed to send traffic to a different forwarding class.

 

This is an SRX210 from my lab, and it's configured with a public IPv4 address on ge-0/0/0; it's not the 10.10.10.1/30 address in the config below.

 

Here is my family inet filter

term teams-audio {
    from {
        protocol [ udp tcp ];
        destination-port 50000-50019;
        source-port 50000-50019;
    }
    then {
        log;
        forwarding-class assured-forwarding;
        accept;
    }
}
term teams-video {
    from {
        protocol [ udp tcp ];
        destination-port 50020-50039;
        source-port 50020-50039;
    }
    then {
        log;
        forwarding-class expedited-forwarding;
        accept;
    }
}
term default {
    then {
        forwarding-class best-effort;
        accept;
    }
}

Uplink port - inet filter applied

ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input qos-priority;
            }
            address 10.10.10.1/30;
        }
    }
}

I have been testing the filter and I see 0 hits on the expedited and assured forwarding classes:

show interfaces ge-0/0/0 extensive
...
Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort               267340               267082                  258
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                   0                    0                    0

PS. When I add destination port https to one of the terms it works; I then see that packets get sent to another queue. It seems like the SRX doesn't see the UDP packets. I have monitored the traffic with Wireshark on a computer behind the SRX and I see the traffic I have configured in the terms.
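As an added example (not from the original post, and not Junos code), a Python model of how the filter terms above are evaluated, which shows one way the UDP traffic can end up in best-effort without the SRX "missing" it: in a Junos filter term every condition inside `from` must match (values listed inside one condition are ORed, different conditions are ANDed), and the first matching term wins. Both `teams-audio` and `teams-video` therefore require an in-range port on the source side and on the destination side of the same packet. The sample packets are constructed; 3478 is used as the far-end port of a media flow whose client side is in the audio range.

```python
# The poster's qos-priority filter, as an ordered list of terms. Within "from", values in one
# condition are alternatives (OR); separate conditions must all hold (AND). First match wins.
QOS_PRIORITY = [
    {"name": "teams-audio",
     "from": {"protocol": ["udp", "tcp"],
              "destination-port": ["50000-50019"],
              "source-port": ["50000-50019"]},
     "then": {"forwarding-class": "assured-forwarding"}},
    {"name": "teams-video",
     "from": {"protocol": ["udp", "tcp"],
              "destination-port": ["50020-50039"],
              "source-port": ["50020-50039"]},
     "then": {"forwarding-class": "expedited-forwarding"}},
    {"name": "default",
     "from": {},
     "then": {"forwarding-class": "best-effort"}},
]


def port_matches(value, specs):
    """True if value falls inside any spec: a single port ("443") or a range ("50000-50019")."""
    for spec in specs:
        lo, _, hi = spec.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if lo <= value <= hi:
            return True
    return False


MATCHERS = {
    "protocol": lambda pkt, vals: pkt["protocol"] in vals,
    "destination-port": lambda pkt, vals: port_matches(pkt["dst_port"], vals),
    "source-port": lambda pkt, vals: port_matches(pkt["src_port"], vals),
}


def classify(pkt, terms=QOS_PRIORITY):
    """Return (term name, forwarding class) of the first term whose every condition matches."""
    for term in terms:
        if all(MATCHERS[cond](pkt, vals) for cond, vals in term["from"].items()):
            return term["name"], term["then"]["forwarding-class"]
    return None, None  # a filter with no catch-all term discards here; not reached with "default"


# Constructed packets. A client normally uses an in-range port on its own side only, so the
# far-end port (3478 here) is outside the range and the term's AND fails.
SAMPLE_PACKETS = [
    {"desc": "audio: client port in range, far end 3478", "protocol": "udp", "src_port": 50005, "dst_port": 3478},
    {"desc": "audio: both ports in range", "protocol": "udp", "src_port": 50005, "dst_port": 50010},
    {"desc": "video: both ports in range", "protocol": "tcp", "src_port": 50025, "dst_port": 50030},
    {"desc": "audio source, video destination", "protocol": "udp", "src_port": 50005, "dst_port": 50025},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        term, fc = classify(pkt)
        print(f"{pkt['desc']:<40} {pkt['protocol']} {pkt['src_port']}->{pkt['dst_port']}  term={term} class={fc}")
```

A term that is meant to catch a flow by the port on one side only needs that one condition (or two terms, one per direction); with both `source-port` and `destination-port` present, only packets that carry an in-range port at both ends are classified, which is why a term keyed on destination port https alone starts showing hits.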

RPM icmp-ping failed in SRX345


Hi, experts,

 

I just cannot fix the RPM issue in the icmp-ping test; your expert advice is highly appreciated:

 

I am running SRX345 (but it should not be a hardware or Junos issue, because two out of 5 SRX345 units have the issue).

 

Here is my RPM configuration (the same configuration for all my network infrastructure scenarios):

set services rpm probe WW_Line_Test test ISP_100.60.100.209 probe-type icmp-ping-timestamp
set services rpm probe WW_Line_Test test ISP_100.60.100.209 target address 100.60.100.209
set services rpm probe WW_Line_Test test ISP_100.60.100.209 test-interval 5
set services rpm probe WW_Line_Test test ISP_100.60.100.209 destination-interface reth1.100

 

 

show service RPM probe-results:
-------------------------------

Owner: WW_Line_Test, Test: ISP_100.60.100.209
Target address: 100.60.100.209, Probe type: icmp-ping-timestamp
Destination interface name: reth1.100
Test size: 1 probes
Probe results:
Request timed out
Mon Dec 30 23:42:59 2019
Mon Dec 30 23:43:02 2019
Results over current test:
Probes sent: 1, Probes received: 0, Loss percentage: 100.00000
Results over last test:
Probes sent: 1, Probes received: 0, Loss percentage: 100.00000
Results over all tests:
Probes sent: 18, Probes received: 0, Loss percentage: 100.00000

 

 

RPM log:
Dec 30 23:42:54 PING_TEST_COMPLETED: pingCtlOwnerIndex = WW_Line_Test, pingCtlTestName = ISP_100.60.100.209
Dec 30 23:42:54 RTM_CHANGE gencfg for probe WW_Line_Test, test ISP_100.60.100.209 to state PASS
Dec 30 23:42:54 rmop_calc_jitter: rdiff: 1006358, sdiff: 1006142, jitter: 216
Dec 30 23:42:54 test_done: sent 2, test 840

 

 

Many thanks in advance

 

 

traceoption can not archive file


Hi guys,

 

I found that traceoptions cannot archive the file once the file size is exceeded (and the file size keeps increasing).

 

My configuration is the following:

root@labtest-fw2> show configuration event-options | display set
set event-options generate-event ping time-interval 300
set event-options policy WANLinkPingTest events ping
set event-options policy WANLinkPingTest then execute-commands commands "show service rpm history-results | append /var/log/WAN_test.txt"
set event-options policy WANLinkPingTest then execute-commands output-format text
set event-options destinations local-directory archive-sites /var/log/
set event-options traceoptions file WAN_test.txt
set event-options traceoptions file size 300k
set event-options traceoptions file files 10
set event-options traceoptions file world-readable
set event-options traceoptions flag configuration

 

 

root@labtest-fw2% ls -l WAN*
-rw-r--r-- 1 root wheel 381348 Jan 2 04:15 WAN_test.txt
root@labtest-fw2% exit

 

Any recommendations and advice are welcome.

 

Thanks so much for your kind help.

 

 

 

VPLS over GRE - one end won't come up


I'm following the Juniper example here for VPLS/IPsec over a GRE tunnel. My remote office SRX220 brings up the tunnel but my local office SRX345 doesn't. For testing, I have the public statics on the WAN both on the same /24 (which Juniper's example does too). The remote office shows:

root@srx220> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 973a7448 3506/ unlim   -   root 500   1.2.3.4
  >131073 ESP:3des/sha1 fb08d49a 3506/ unlim   -   root 500   1.2.3.4
  <131073 ESP:3des/sha1 fa796c85 3567/ unlim   -   root 500   1.2.3.4
  >131073 ESP:3des/sha1 5dfae167 3567/ unlim   -   root 500   1.2.3.4

root@srx220> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:           425808
  Decrypted bytes:                0
  Encrypted packets:           2957
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

And I can ping the 10.1.1.2, but not 10.1.1.1 (local office). On the local office SRX345 it shows:

root@srx345> show security ipsec security-associations
  Total active tunnels: 0

I can ping both WAN interfaces from both units and both units connect to the internet. My config for the non-working local SRX345 looks like:

root@srx345> show configuration | display set
set version 15.1X49-D45
set groups test security policies from-zone trust-flow to-zone vpn policy all match source-address any
set groups test security policies from-zone trust-flow to-zone vpn policy all match destination-address any
set groups test security policies from-zone trust-flow to-zone vpn policy all match application junos-gre
set groups test security policies from-zone trust-flow to-zone vpn policy all then permit tcp-options syn-check-required
set groups test security policies from-zone trust-flow to-zone vpn policy all then permit tcp-options sequence-check-required
set system host-name srx345
set system root-authentication encrypted-password "$"
set security idp idp-policy gre-reassembly rulebase-ips rule match-gre match application junos-gre
set security idp idp-policy gre-reassembly rulebase-ips rule match-gre then action ignore-connection
set security idp active-policy gre-reassembly
set security ike policy SRX mode main
set security ike policy SRX proposal-set standard
set security ike policy SRX pre-shared-key ascii-text "$"
set security ike gateway SRX220 ike-policy SRX
set security ike gateway SRX220 address 1.2.3.5
set security ike gateway SRX220 external-interface ge-0/0/0.0
set security ipsec policy SRX proposal-set standard
set security ipsec vpn SRX220 bind-interface st0.0
set security ipsec vpn SRX220 ike gateway SRX220
set security ipsec vpn SRX220 ike ipsec-policy SRX
set security ipsec vpn SRX220 establish-tunnels immediately
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
set security policies apply-groups test
set security policies from-zone trust-flow to-zone vpn policy gre match source-address any
set security policies from-zone trust-flow to-zone vpn policy gre match destination-address any
set security policies from-zone trust-flow to-zone vpn policy gre match application junos-gre
set security policies from-zone trust-flow to-zone vpn policy gre then permit application-services idp
set security policies from-zone vpn to-zone trust-flow policy gre match source-address any
set security policies from-zone vpn to-zone trust-flow policy gre match destination-address any
set security policies from-zone vpn to-zone trust-flow policy gre match application junos-gre
set security policies from-zone vpn to-zone trust-flow policy gre then permit application-services idp
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone untrust interfaces lt-0/0/0.2001
set security zones security-zone untrust interfaces gr-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0
set security zones security-zone trust-flow host-inbound-traffic system-services all
set security zones security-zone trust-flow host-inbound-traffic protocols all
set security zones security-zone trust-flow interfaces lt-0/0/0.2000
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.1.1.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.1.1.2
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1500
set interfaces gr-0/0/0 unit 0 family inet filter input inet-packet-mode
set interfaces gr-0/0/0 unit 0 family mpls mtu 1462
set interfaces gr-0/0/0 unit 0 family mpls filter input mpls-packet-mode
set interfaces lt-0/0/0 unit 0 description "VPLS hub port - Interconnect for CCC to SRX220"
set interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set interfaces lt-0/0/0 unit 0 peer-unit 1000
set interfaces lt-0/0/0 unit 1000 description "Stitch to VPLS for CCC to SRX220"
set interfaces lt-0/0/0 unit 1000 encapsulation ethernet-ccc
set interfaces lt-0/0/0 unit 1000 peer-unit 0
set interfaces lt-0/0/0 unit 1000 family ccc filter input ccc-packet-mode
set interfaces lt-0/0/0 unit 2000 encapsulation frame-relay
set interfaces lt-0/0/0 unit 2000 dlci 1
set interfaces lt-0/0/0 unit 2000 peer-unit 2001
set interfaces lt-0/0/0 unit 2000 family inet
set interfaces lt-0/0/0 unit 2001 encapsulation frame-relay
set interfaces lt-0/0/0 unit 2001 dlci 1
set interfaces lt-0/0/0 unit 2001 peer-unit 2000
set interfaces lt-0/0/0 unit 2001 family inet filter input inet-packet-mode
set interfaces lt-0/0/0 unit 2001 family inet address 10.1.1.1/32
set interfaces ge-0/0/1 encapsulation ethernet-vpls
set interfaces ge-0/0/1 unit 0
set interfaces lo0 unit 0 family inet address 10.2.1.1/32
set interfaces st0 unit 0 multipoint
set routing-options static route 10.1.1.2/32 next-hop lt-0/0/0.2001
set routing-options static route 10.2.1.2/32 next-hop gr-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 1.2.3.1
set protocols mpls interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 10.2.1.2 interface lt-0/0/0.1000 virtual-circuit-id 1
set firewall family inet filter inet-packet-mode term control-traffic from protocol tcp
set firewall family inet filter inet-packet-mode term control-traffic from port 22
set firewall family inet filter inet-packet-mode term control-traffic from port 80
set firewall family inet filter inet-packet-mode term control-traffic from port 8080
set firewall family inet filter inet-packet-mode term control-traffic then accept
set firewall family inet filter inet-packet-mode term packet-mode then packet-mode
set firewall family inet filter inet-packet-mode term packet-mode then accept
set firewall family mpls filter mpls-packet-mode term packet-mode then packet-mode
set firewall family mpls filter mpls-packet-mode term packet-mode then accept
set firewall family ccc filter ccc-packet-mode term all then packet-mode
set firewall family ccc filter ccc-packet-mode term all then accept
set routing-instances flow-vr instance-type virtual-router
set routing-instances flow-vr interface lt-0/0/0.2000
set routing-instances flow-vr interface st0.0
set routing-instances flow-vr routing-options static route 10.1.1.1/32 next-hop lt-0/0/0.2000
set routing-instances flow-vr routing-options static route 10.1.1.2/32 next-hop st0.0
set routing-instances vpls-hub instance-type vpls
set routing-instances vpls-hub interface lt-0/0/0.0
set routing-instances vpls-hub interface ge-0/0/1.0

What am I missing?

DHCP Options on SRX320


Hello,

I have an SRX320 and we are moving to a hosted phone provider. They have asked for the following DHCP Options

 

DHCP Options
Could the following DHCP options be added to the voice VLAN:
 option 66 ascii provision.acuitymt.uk
 option 160 ascii http://provision.acuitymt.uk/app/provision/
 option 246 ascii upfprofile.address=http://upf.acuityuc.com/provision.xml
 option 4 ip 185.192.177.37
 option 42 ip 185.192.177.37

 

I have configured them word for word on the pool but it is working. Can someone please point me in the right direction?

Many thanks

Barry
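To check what those five options should look like on the wire, here is an added example (my own code, not from the post, the SRX, or the phone provider): a small encoder and decoder for the DHCP option layout of RFC 2132 (one code byte, one length byte, then the payload, with 255 ending the field). The option codes and values are copied from the post; whether a code is treated as "ascii" (text) or "ip" (one or more 4-byte IPv4 addresses) follows the labels the provider used. Decoding the option field of a captured DHCP offer with this and comparing it to the list below is one way to confirm the pool configuration actually reaches the phones.

```python
import ipaddress
import struct
from typing import List, Tuple, Union

# Option codes from the post. 'ascii' options carry a text string; 'ip' options
# carry one or more IPv4 addresses, 4 bytes each (RFC 2132 option layout).
ASCII_CODES = {66, 160, 246}
IP_CODES = {4, 42}

# The exact values the provider asked for, copied from the post.
REQUESTED_OPTIONS: List[Tuple[int, str]] = [
    (66, "provision.acuitymt.uk"),
    (160, "http://provision.acuitymt.uk/app/provision/"),
    (246, "upfprofile.address=http://upf.acuityuc.com/provision.xml"),
    (4, "185.192.177.37"),
    (42, "185.192.177.37"),
]


def encode_option(code: int, value: Union[str, List[str]]) -> bytes:
    """Return one option as code byte, length byte, payload."""
    if code in ASCII_CODES:
        payload = str(value).encode("ascii")
    elif code in IP_CODES:
        addrs = [value] if isinstance(value, str) else list(value)
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    else:
        raise ValueError(f"option {code}: type not known to this example")
    if not 0 < len(payload) <= 255:
        raise ValueError(f"option {code}: payload must be 1..255 bytes")
    return struct.pack("!BB", code, len(payload)) + payload


def encode_options(options: List[Tuple[int, Union[str, List[str]]]]) -> bytes:
    """Concatenate options and close the field with END (255)."""
    return b"".join(encode_option(c, v) for c, v in options) + b"\xff"


def decode_options(blob: bytes) -> List[Tuple[int, Union[str, List[str], bytes]]]:
    """Walk an option field; PAD (0) is skipped, END (255) stops, bad lengths raise."""
    out: List[Tuple[int, Union[str, List[str], bytes]]] = []
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: length byte missing")
        length = blob[i + 1]
        payload = blob[i + 2 : i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code}: declares {length} bytes, {len(payload)} present")
        if code in IP_CODES:
            if length == 0 or length % 4:
                raise ValueError(f"option {code}: length {length} is not a multiple of 4")
            value: Union[str, List[str], bytes] = [
                str(ipaddress.IPv4Address(payload[j:j + 4])) for j in range(0, length, 4)
            ]
        elif code in ASCII_CODES:
            value = payload.decode("ascii")
        else:
            value = bytes(payload)  # unknown code: hand back the raw payload
        out.append((code, value))
        i += 2 + length
    return out


if __name__ == "__main__":
    wire = encode_options(REQUESTED_OPTIONS)
    print(wire.hex())
    for code, value in decode_options(wire):
        print(code, value)
```

The decoder deliberately rejects a length that runs past the end of the buffer and an "ip" option whose length is not a multiple of four, since those are the two malformed shapes a client will silently drop or misread.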

 


sp-0/0/0 port question

Can someone tell me if the sp-0/0/0.0 port belongs in the trust zone, or the untrusted zone? The lo0.0 port belongs in the untrusted zone, I think. Please, any comments are appreciated.

SRX340 19.4R1 Firmware upgrade issue


Dear Everyone,

 

Has anyone encountered an issue with the J-Web interface not responding when selecting to display the Zone information after upgrading to firmware version 19.4R1?

Every time I select Zones (say Trust, Untrust, and/or any other zone), the browser keeps loading non-stop without showing the zone contents.

 

Any hint on it?

Thank you so much.

Matthew Ho

How Syslog works in VPN


Dear Team,

 

We have a site-to-site VPN (Juniper to Cisco). The syslog server is behind the Cisco. However, I have reachability from host to host (private to private). As per my knowledge, if I run a ping from the Juniper to the syslog server, it won't ping. In this scenario, how do I achieve logging to the external server?

Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors


Hello

 

I have spotted a strange issue and am not sure how to resolve it. Basically I have two routers with many VLANs and each VLAN has a separate virtual gateway with the VRRP protocol. Some VLANs cross switches that are not mine to manage and I have received a notice stating that my LAN IP (the VRRP logical IP) is generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors in the switch log. VRRP itself is working as expected, router A is master and B is backup.

 

Exact error message, repeated every minute: Jan 6 14:18:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for testaddr=224.0.0.18, prot=51, spi=0XABABABAB(2880154539), srcaddr=10.0.1.253, input interface=GigabitEthernet0/0/9

 

vrrp config on router a: 

unit 999 {
    vlan-id 999;
    family inet {
        address 10.0.1.253/24 {
            vrrp-group 14 {
                virtual-address 10.0.1.1;
                priority 200;
                accept-data;
                authentication-type md5;
                authentication-key "password"; ## SECRET-DATA
                track {
                    interface xe-2/2/0 {
                        priority-cost 200;
                    }
                }
            }
        }
    }
}

vrrp config on router b:

unit 999 {
    vlan-id 999;
    family inet {
        address 10.0.1.254/24 {
            vrrp-group 14 {
                virtual-address 10.0.1.1;
                priority 100;
                accept-data;
                authentication-type md5;
                authentication-key "password"; ## SECRET-DATA
                track {
                    interface xe-2/2/0 {
                        priority-cost 100;
                    }
                }
            }
        }
    }
}
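The quoted switch message already describes the packet: IP protocol 51 (AH, the IP Authentication Header) sent to 224.0.0.18 (the VRRP multicast group) from the router's own interface address, 10.0.1.253, once a minute. As an added example, not from the post or from either vendor's software, here is a Python parser and classifier for these messages that separates AH-to-VRRP-group hits from genuine IPsec SPI mismatches before anyone goes looking for a broken tunnel. The classification rule (AH addressed to the VRRP group is VRRP authentication traffic, anything else with protocol 50 or 51 is IPsec) is a heuristic I chose; the regular expression follows the exact field names of the line quoted above, including its "testaddr=" field. The sample log is constructed: two lines repeat the post's message with new timestamps, and the ESP line (192.0.2.10, a documentation address) and the interface up/down line are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

VRRP_MCAST = "224.0.0.18"  # VRRP multicast group address (RFC 3768)
IPPROTO_AH = 51            # IP Authentication Header
IPPROTO_ESP = 50           # Encapsulating Security Payload

# Pattern follows the line quoted in the post (including its "testaddr=" field name).
LOG_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"testaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), spi=0X(?P<spi>[0-9A-Fa-f]+)\(\d+\), "
    r"srcaddr=(?P<src>[\d.]+), input interface=(?P<ifname>\S+)"
)

# Constructed sample log: the first two lines repeat the post's message with new
# timestamps; the ESP line (documentation addresses) and the last line are made up.
SAMPLE_LOG: List[str] = [
    "Jan 6 14:18:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for testaddr=224.0.0.18, prot=51, spi=0XABABABAB(2880154539), srcaddr=10.0.1.253, input interface=GigabitEthernet0/0/9",
    "Jan 6 14:19:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for testaddr=224.0.0.18, prot=51, spi=0XABABABAB(2880154539), srcaddr=10.0.1.253, input interface=GigabitEthernet0/0/9",
    "Jan 6 14:19:40: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for testaddr=203.0.113.1, prot=50, spi=0X0000DEAD(57005), srcaddr=192.0.2.10, input interface=GigabitEthernet0/0/1",
    "Jan 6 14:20:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/9, changed state to up",
]


def parse_inv_spi(line: str) -> Optional[Dict[str, object]]:
    """Extract the fields of one RECVD_PKT_INV_SPI message, or None for other messages."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "dst": m["dst"],
        "prot": int(m["prot"]),
        "spi": int(m["spi"], 16),
        "src": m["src"],
        "ifname": m["ifname"],
    }


def classify(rec: Dict[str, object]) -> str:
    """Heuristic (my assumption): AH sent to the VRRP group is VRRP authentication,
    any other AH/ESP packet is a real IPsec SPI mismatch worth investigating."""
    if rec["dst"] == VRRP_MCAST and rec["prot"] == IPPROTO_AH:
        return "vrrp-auth"
    if rec["prot"] in (IPPROTO_AH, IPPROTO_ESP):
        return "ipsec"
    return "other"


def summarize(lines: List[str]) -> Dict[Tuple[str, str, str], int]:
    """Count INV_SPI messages per (class, source address, ingress interface)."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for line in lines:
        rec = parse_inv_spi(line)
        if rec is None:
            continue
        key = (classify(rec), str(rec["src"]), str(rec["ifname"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Run over a day of switch syslog, the summary gives the switch owner a per-source, per-interface count of the VRRP hits so they can be suppressed or excluded from the crypto input path, while anything classified as "ipsec" still stands out.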

 

web filtering categories are inconsistent / make work


We have web filtering categories and white lists set up that have worked for years.

Now, I believe I do understand how the web filtering system works and that - at some level - the results are dynamic as web pages appear, disappear and change.  So that is not the issue I'm having or I wouldn't bother.

We have loan officers that work in automobile and real estate lending.  They need to reach certain web sites just to do their jobs.

When those sites work fine for years and are suddenly blocked, the reasons given seem flimsy.

For example, a real estate broker site (in a small community) works fine.  Suddenly it is blocked by "Enhanced_Shopping".  

Then, just as suddenly, it is not blocked.  My choices are:

- tell the user to just bear with it and hope it comes back (not acceptable)

- put the site in a white list; but the rationale for doing this is because the filtering guys have messed up.  Their mistake, our cost.

- report the problem to the filtering guys.  How??

 
