Hello everyone, after many failed attempts, I think I am very close to pinging two virtual routers connected through a virtual switch, I would greatly appreciate your help, thank you very much.
My configuration is:

root@NewJuniper# show routing-instances
VR1 {
instance-type virtual-router;
interface ge-0/0/4.0;
}
VR2 {
instance-type virtual-router;
interface ge-0/0/5.0;
}
MyVirtualSwitch {
instance-type virtual-switch;
interface ge-0/0/3.0;
bridge-domains {
TestBridgeVS {
domain-type bridge;
vlan-id none;
}
}
}

[edit]
root@NewJuniper# show interfaces

ge-0/0/4 {
unit 0 {
family inet {
address 192.168.2.2/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
}

This should work, right? have i missed something? Thanks again

I am looking for a creative solution to help automate a unique usecase within the company I work for.

Be warned I am a Junior Network Analyst, only passing my JNICA 2 months ago. 

I have no experience with APIs.  

I have a report being generated on a schedule. The report compares a configuration template against a device. 

Unfortunately with this type of job there is no way to automatically export the results, which is what i'd like to do.

This is so that it can be consumed by a Dashboard BI tool so we can quickly gauge what devices are in/out of compliance with certain patches/rollouts. 

From job management i can easily do the following:

- Right Click completed job

- View Job Details

- Export

And this gives me an XML of the report, altough i would prefer to get a CSV, this isn't a deal breaker, we can always convert it.

I was advised by one of our reps that via RestAPI we can do pretty much anything the GUI can do, automagically. 

I'd like to do the above and then save it to a specific directory, preferrably as a csv file. 

How can I go about starting this and building it. Any tips and assistance is appreciated.

Thank you

(apologies i see this is in the SRX Services Gateway discussion, not sure how to relocate)

Hello everyone, hoping someone can help me out. We recently had to disable the FTP ALG and I have been trying to enable it with a custom application on a couple of security policies.

Most of the documentation I have seen is for when you are hosting the FTP server. In my case we are the FTP client. 

How do I need to go about enabling the ALG here? 

  SRX320 JUNOS Software Release [15.1X49-D45]

I am trying to connect Juniper SRX to local internet provider which requires PPPoE.

On providers side there is a Mikrotik which acts as pppoe server and in between numerous networking devices including UBNT client device which works in bridge mode.

SRX sends PADI frame with "host-uniq" set as 0x0000 and it expects to receive a PADO frame in return which never arrives.

Local internet provider has carried out analysis in their network and found that Mikrotik responds correctly with PADO frame which correctly includes 0x0000 in "host-uniq" field. Then UBNT client device working in bridge mode receives that PADO frame and sadly never passes it to SRX.  This seems to happen only for frames which have 0x0000 in "host-uniq" field.

Is there a way to define in SRX what is going to be sent in "host-uniq" field for PADI frame in pppoe ? 

Any other ideas how to resolve this ?

Here is the configuration I am running:

https://pastebin.com/raw/At14arwX

Currently on JUNOS 12.3X48-D75.4

Unable to load 12.3X48-D85.1

I did upgrade once, and it booted, but a subsequent boot reverted to the backup partition.  (still running D75).   I have tried to load the newer firmware, copying it to /cf/var/tmp using WinSCP and then running the upgrade command:

  request system software add /var/tmp/junos-srxsme-12.3X48-D85.1-domestic.tgz partition no-copy 

I also did a request system storage cleanup before I started.

I have a copy of my config, so is there a way to start again, both partitions running this newer firmware?  (I don't have access to D90, as this is a home router, and I don't have a service agreement).

NOTICE: Validating configuration against junos-srxsme-12.3X48-D85.1-domestic.tgz .
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/ad0s1a)...
/dev/ad0s1a: 629.5MB (1289196 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 157.38MB, 10072 blks, 20224 inodes.
super-block backups (for fsck -b #) at:
32, 322336, 644640, 966944
saving package file in /var/sw/pkg ...
Checking compatibility with configuration
Initializing...
Using junos-12.3X48-D85.1-domestic from /altroot/cf/packages/install-tmp/junos-1 2.3X48-D85.1-domestic
Copying package ...
mkdir: /cf/var/validate/chroot/tmp: No such file or directory
mount_nullfs: /cf/var/validate/chroot/tmp: No such file or directory
cd: can't cd to /cf/var/validate/chroot/tmp/junos
/usr/libexec/ui/validate-config: cannot create /cf/var/validate/chroot/tmp/junos /+INSTALL.x: No such file or directory
chroot: /bin/sh: No such file or directory
ERROR: validate-config: /cf/var/validate/chroot/tmp/junos/+INSTALL fails
WARNING: Current configuration not compatible with /altroot/cf/packages/install- tmp/junos-12.3X48-D85.1-domestic

Currently we are using a number of SRX550s running 12.1X47-D40.1 and use the vlan interface in a security zone:

set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN1

set interfaces vlan unit 1 family inet address 192.168.0.1/24

set security zones security-zone VLAN1 interfaces vlan.1

This works fine and we can use the security zone in policies, routing traffic from the vlan to L3 interfaces.

However when we try the same configuration on an SRX4100 running 15.1X49-D190 we are forced to use irb interfaces in place of vlan, and these cannot be added to a security zone, when we try the same configuration using irb in place of vlan we get a message similar to:

'irb interfaces cannot be addded to security zone in mixed mode'

How do we mimic the previous functionality of the vlan interface in security zones?

Many Thanks

Hi any one implemented an bandwidth limiter on downlink? I have a policier to limit bandwidth however it is only applied as input as a result only uplink has restricted bandwith. When filter with bandwidth policier is applied as "output" it seems the egress policier drops all traffic and other way to restrict downlink bandwidth other than using app secure.

Evening,

I've been up and running with Dynamic VPN for a couple of months now and I am still ironing out some of the issues my users are seeing. I was finally able to obtain dignostics this evening and wanted to see if anyone had any input on a particular nasty issue I am having.

The issue is totally random and the only solution I have come up with so far is for the user to disconnect and reconnect until the VPN "works."

What I discovered this evening when a user reported the issue was a weird output from show security dynamic-vpn users. The user connected has this output:

User: NULL , User group: NULL , Number of connections: 0
Remote IP: xxx.xxx.xxx.xxx
IKE ID : NULL
IKE Lifetime: 0
IPSEC Lifetime: 0
Status: CONNECTED

I'm connected at the same time and I have the proper data and then some for my user. If the user disconnects and reconnects it will often correct itself, but sometimes it takes 3-4 attempts to connect properly. A quick google search returned one post where someone mentioned this was a bug in some releases, but that was almost 5 years ago.

I am currently on release 15.1X49-D170.4 on a SRX340.

Is there some configuration that can be put in place to prevent this from occuring?

I appreciate the help,

Michael

Hello Everybody,

I have an SRX in transparent mode, and i configured the two zones trust and untrust and all the polices to allow everything.

I have irb.0 which is in VLAN 3 and has an IP of 172.16.4.254. Devices that are connected to the SRX are able to ping each other. however, i can't ping from the SRX(172.16.4.254) any other devices and vice versa.

From the srx if i ping 172.16.4.1 it will not work and even if i do:

root# run show security flow session source-prefix 172.16.4.1 . it doesn't show anything even though that 172.16.4.1 is continuously pinging 172.16.4.41

below is the SRX config:

.

root# show

## Last changed: 2019-11-13 15:09:27 UTC

version 20190829.221548_builder.r1052644;

system {

root-authentication {

encrypted-password "$6$nPgEtVzv$MBDUcWfKFSDG2x3HYBj0A0Sej7xFvV6E1MK7wudzui7jHv.1n/dTS4jUcxu1lWGNt12GEOjnFSKEBUajcoiyZ/"; ## SECRET-DATA

}

services {

ssh;

netconf {

ssh;

}

dhcp-local-server {

group jdhcp-group {

interface fxp0.0;

interface irb.0;

}

}

web-management {

https {

system-generated-certificate;

}

}

}

name-server {

8.8.8.8;

8.8.4.4;

}

syslog {

archive size 100k files 3;

user * {

any emergency;

}

file messages {

any notice;

authorization info;

}

file interactive-commands {

interactive-commands any;

}

}

max-configurations-on-flash 5;

max-configuration-rollbacks 5;

license {

autoupdate {

url https://ae1.juniper.net/junos/key_retrieval;

}

}

phone-home {

server https://redirect.juniper.net;

rfc-compliant;

}

}

security {

log {

mode stream;

format syslog;

report;

}

screen {

ids-option untrust-screen {

icmp {

ping-death;

}

ip {

source-route-option;

tear-drop;

}

tcp {

syn-flood {

alarm-threshold 1024;

attack-threshold 200;

source-threshold 1024;

destination-threshold 2048;

timeout 20;

}

land;

}

}

}

policies {

from-zone trust to-zone trust {

policy trust-to-trust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

log {

session-init;

session-close;

}

count;

}

}

}

from-zone trust to-zone untrust {

policy trust-to-untrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

log {

session-init;

session-close;

}

count;

}

}

}

from-zone untrust to-zone trust {

policy UntrusttoTrust {

match {

source-address any;

destination-address any;

application any;

dynamic-application any;

}

then {

permit;

log {

session-init;

session-close;

}

count;

}

}

}

from-zone untrust to-zone untrust {

policy UntrustToUntrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

log {

session-init;

session-close;

}

count;

}

}

}

}

zones {

security-zone trust {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

}

interfaces {

ge-0/0/1.0;

ge-0/0/2.0;

}

}

security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

}

interfaces {

ge-0/0/3.0;

ge-0/0/4.0;

}

}

}

}

interfaces {

ge-0/0/1 {

unit 0 {

family ethernet-switching {

interface-mode access;

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/2 {

unit 0 {

family ethernet-switching {

interface-mode access;

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/3 {

unit 0 {

family ethernet-switching {

interface-mode access;

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/4 {

unit 0 {

family ethernet-switching {

interface-mode access;

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/5 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/6 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/7 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/8 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/9 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/10 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/11 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/12 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/13 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/14 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

cl-1/0/0 {

dialer-options {

pool 1 priority 100;

}

}

dl0 {

unit 0 {

family inet {

negotiate-address;

}

family inet6 {

negotiate-address;

}

dialer-options {

pool 1;

dial-string 1234;

always-on;

}

}

}

fxp0 {

unit 0 {

family inet {

address 192.168.1.1/24;

}

}

}

irb {

unit 0 {

family inet {

address 172.16.4.254/16;

}

}

}

}

access {

address-assignment {

pool junosDHCPPool1 {

family inet {

network 192.168.1.0/24;

range junosRange {

low 192.168.1.2;

high 192.168.1.254;

}

dhcp-attributes {

router {

192.168.1.1;

}

propagate-settings ge-0/0/0.0;

}

}

}

pool junosDHCPPool2 {

family inet {

network 192.168.2.0/24;

range junosRange {

low 192.168.2.2;

high 192.168.2.254;

}

dhcp-attributes {

router {

192.168.2.1;

}

propagate-settings ge-0/0/0.0;

}

}

}

}

}

vlans {

vlan-trust {

vlan-id 3;

l3-interface irb.0;

}

}

protocols {

l2-learning {

global-mode transparent-bridge;

}

rstp {

interface all;

}

}

I have a GRE tunnel on a remote SRX to tunnel VLAN 70 traffic across to the local SRX345, where I hope to use a DHCP server to hand out leases across to the remote site computers like:

Is this possible? I want to avoid creating two different subnets on remote/local and double NATing to make it route end-to-end.

Hello,

I have an SRX with two routing instance each with a default static route to different upstream provider, all is working well for traffic coming through LAN interface. With an input filter I choose to which routing instance allocate traffic.

I'm trying to accomplish the same for traffic originating from junos, e.g. license autoupdate, config. backup and other.

To do this I assigned lo0.0 a /32 ip address and this filter to lo0.0 output direction:

term 1 {
from {
source-address {
10.20.6.6/32;
}
destination-address {
10.0.0.0/8 except;
192.168.0.0/16 except;
172.20.0.0/20 except;
0.0.0.0/0;
}
}
then {
routing-instance Upstream-WAN1;
}
}
term 2 {
then accept;
}

Also security policy and source nat rule are in place for this kind of traffic.

If I try a ping from cli:

run ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted

I guess routing information are fine but I miss some security policy.

Does packets originated by SRX go through "junos-host" zone or I have to define a zone with interface lo0.0 ?

Any help is appreciated.

Thanks.

Can I configure my SRX300 to prevent any client computer to input the IP address manually?

I try to use the IP Address binding (MAC address map to IP), however if client input the IP address manually, they still access the untrust network.

How can I control the client computer's IP Address in SRX300 ? Or it must be done in client side?

Thank you so much.

Best Regards

Matthew Ho

We currently have 30 SRX110's in our production network which have been deployed at different times. All are currently running 2 or 3 VLANs (1 for Managment on newer ones, 1 for Users, 1 for VOIP) and we've recently noticed that some network addresses are responding to ICMP while others are not. From everything I've looked at our configs are the same across the different devices so I'm not exactly sure why we're not seeing the same behavior among all of the devices. Is there a setting that would cause a network address to respond to ICMP ? To my limited knowledge network addresses by default do not respond to ICMP the same way a gateway or loopback would. 

hello ,

I have set up dynamic vpn with srx320 .It was working before but now I can get connected via pulse secure but cannot access internal resources.

Srx can ping protected devices but cannot ping dynamic client assigned IP address.

Kindly find attached file and help me to understand where the problem is.

Thank you,

Regards,

hi ,

I have scenario wher Main office and Site office are connected through IPSEC.

where       has (range 10.10.0.0/24)   Main office (other vendor Router) <->  Site office  X  - SRX (which has local ip on same subnet 10.10.0.0/24).

 On Site office X I tried something like on SRX for Natting this but it's not working, any suggestions. 

set security nat static rule-set A-B from routing-instance OrgA
set security nat static rule-set A-B rule A match destination-address 2.2.2.0/24
set security nat static rule-set A-B rule A then static-nat prefix 10.10.0.0/24 routing-instance OrgB
set security nat static rule-set B-A from routing-instance OrgB
set security nat static rule-set B-A rule B match destination-address 1.1.1.0/24
set security nat static rule-set B-A rule B then static-nat prefix 10.10.0.0/24 routing-instance OrgA

set routing-instances OrgA instance-type virtual-router interface ge-0/0/5.0 # have 10.10.0.200 address
set routing-instances OrgB instance-type virtual-router interface st0.254 # other site connected to VPN has 10.10.0.0/24 subnet.

Hello 

What is the correct way to create port-channel between Juniper Srx5400 and for example cisco 2960x?

i have read that ethernet-switching is not supported on srx 4100 and higher but most demo configs go that route.

Hi,

I am trying to upgrade Junos on SRX210HE(EOL)From --> 12.1X44-D45.2 To --> Junos 12.1X46-D86

But i am getting below error. Please suggest correct next upgrade version or how to fix the below issue

Connectivity fault management process: rtslib: WARNING version mismatch for msg notify msg: expected 0 got 98,a reboot or software upgrade may be required
Formatting alternate root (/dev/da0s2a)...
newfs: /dev/da0s2a: failed to open disk for writing
ERROR: Could not format alternate root

-V verify if release based licenses are present
Connectivity fault management process: rtslib: WARNING version mismatch for msg notify msg: expected 0 got 98,a reboot or software upgrade may be required
Connectivity fault management process:
mgd: commit complete
Validation succeeded
Validating against /config/rescue.conf.gz

root@SRX> request system software add /var/tmp/junos-srxsme-12.1X46-D86-domestic.tgz no-copy unlink reboot
NOTICE: Validating configuration against junos-srxsme-12.1X46-D86-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s2a)...
newfs: /dev/da0s2a: failed to open disk for writing
ERROR: Could not format alternate root

Removing /var/tmp/junos-srxsme-12.1X46-D86-domestic.tgz

Thank in advance..

Hello guys,

1. i would like to know how to make ftp active and passive work with using FTP ALG. what I've configured so far is the following config with policy, but i cant established connection.If I disabled FTP ALG, then ftp active works, but not passive.what am I doing wrong.I have looked at several forums for the same solution but it doesn't seem to work for me.

tried option1:

FTP ALG:

ftp disabled ftps-extension

policy:

policy DATAHUB_TEST {
match {
source-address SRV-DATAHUB-TEST;
destination-address NET_TEST;
application [junos-ftp PASSIVE_FTP_PORTS];
}
then {
permit;

PASV ports:

application PASSIVE_FTP_PORTS {
protocol tcp;
destination-port 1024-65535;

2. I have also tried to do with a ftp-ALGignore and apply it on the policy. when i commit the policy you see that ftp active connection is established only because of  PASSIVE_FTP_PORTS. But when i delete PASSIVE_FTP_PORTS from application then ftp active does not work anymore. I Think, by using this methode i am making a pinholes to permit data channel connections to be established. this means i am opening a gate from outsde?.

tried iption2:

FTP ALG:

ftp ftps-extension

policy:

policy DATAHUB_TEST {
match {
source-address SRV-DATAHUB-TEST;
destination-address NET_TEST;
application [ftp-ALGignore PASSIVE_FTP_PORTS];
}
then {
permit;

PASV ports:

application PASSIVE_FTP_PORTS {
protocol tcp;
destination-port 1024-65535;

FTP ALG ignore:

set applications application ftp-ALGignore application-protocol ignore protocol tcp destination-port 21

thnx

Hi,

Whenever we deploy SRXs we use interface monitors with redundancy groups and reths... this is the first time I've deployed on a SRX345 and also the first time I've had a major problem.

If I pull a cable (simulating an event) the interface monitor will identify there was an event and depending on the weight, move to the other node for that RG or simply subtract the weight from 255.

The issue is when I plug back in the cable, the LED status light is green but the interface shows down in the CLI , if I pull and put back in both interfaces in a RG... neither come back.

Can't replicate it on other SRXs and have never had this issue before. Software - we upgraded to the recommended JTAC version, which has a lot more layer2 default config and functionallity than older junos's so I reverted back to 15.1 which works on SRX 1500 and 4100, 4200's without any issue

show chassis cluster interfaces    
Control link status: Up

Control interfaces: 
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       fxp1        Up                 Disabled      Disabled  

Fabric link status: Up

Fabric interfaces: 
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    ge-0/0/14          Up   / Up                 Disabled   
    fab0   
    fab1    ge-5/0/14          Up   / Up                 Disabled   
    fab1   

Redundant-ethernet Information:     
    Name         Status      Redundancy-group
    reth0        Down        Not configured   
    reth1        Up          1                
    reth2        Down        2                
    reth3        Down        Not configured   
   
Redundant-pseudo-interface Information: 
    Name         Status      Redundancy-group
    lo0          Up          0                

Interface Monitoring:
    Interface         Weight    Status                    Redundancy-group
                                (Physical/Monitored)
    ge-5/0/12         128       Up  /  Up                 1   
    ge-5/0/11         128       Down  /  Down             1   
    ge-0/0/12         128       Up /  Up                  1   
    ge-0/0/11         128       Up  /  Up                 1   
    ge-5/0/8          255       Down  /  Down             2   
    ge-0/0/8          255       Down  /  Down             2  

set chassis cluster reth-count 4
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/11 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/12 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/11 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/12 weight 128
set chassis cluster redundancy-group 2 node 0 priority 200
set chassis cluster redundancy-group 2 node 1 priority 100
set chassis cluster redundancy-group 2 interface-monitor ge-0/0/8 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-5/0/8 weight 255

Anyone come across this ?