Channel: SRX Services Gateway topics

SRX5400 cluster upgrade or downgrade


Hi Team,

What can we call the process of changing my software version from Junos 18.4R1-S4.1 to Junos 18.2R3-S1?

Is it an upgrade or a downgrade?

BR


Deny all PSIPHON traffic


Hi Everyone,

 

We are having challenges blocking PSIPHON traffic. We tried to follow the instructions from this topic https://forums.juniper.net/t5/SRX-Services-Gateway/How-to-block-the-psiphon-application-in-juniper-srx/td-p/468433 but to no avail: the Juniper SRX security policy is bypassed every time PSIPHON initiates a connection.

We are using the following units:

  1. Model: srx345 | Junos: 15.1X49-D180.2 | JUNOS Software Release [15.1X49-D180.2]
  2. Model: srx320 |  Junos: 19.1R1.6 | JUNOS Software Release [19.1R1.6]

Hope we can get more valuable answers from anyone in this group.

 

DHCP relay on SRX firewall not working


Hi all,

 

I am using an srx240 with junos version 12.3X48-D45.6. 

Can someone point me in the direction of how to correctly set up DHCP relay on this device? I've tried various methods, none of which work, e.g. the guides on these pages:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB15755&actp=METADATA

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/dhcp-option-82-using.html

 

My setup is relatively simple... I have a network switch connected to the trust zone on one interface of the SRX, where the DHCP clients are, and the DHCP server is also in the trust zone of the SRX on a different interface.

I've tried the bootp/helper method.

I've tried the dhcp-relay method allowing option 82.

ICMP connectivity from the client to the DHCP server works fine (using static routes).

I'm quite sure the client-side switch has been configured with DHCP relay correctly on the VLAN interface.

 

Any suggestions would be appreciated
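A minimal relay for the topology described, as an added example and not the poster's configuration; interface names (clients behind ge-0/0/1.0, server 10.0.20.10 behind ge-0/0/2.0) and the zone names are assumptions. Two things routinely break relay on this platform and release: the legacy DHCP stack (`system services dhcp`, `forwarding-options helpers bootp`) cannot coexist with `forwarding-options dhcp-relay`, and the client-facing interface must accept DHCP as host-inbound traffic, otherwise the zone drops the broadcasts before the relay ever sees them.

```junos
## Assumed layout: DHCP clients behind ge-0/0/1.0 (trust), DHCP server 10.0.20.10 behind ge-0/0/2.0 (trust)

## Legacy dhcpd and the jdhcpd-based relay cannot coexist; remove whatever is left of the old attempts
delete system services dhcp
delete forwarding-options helpers bootp

## Relay: which server to forward to, and on which client-facing interface to listen
set forwarding-options dhcp-relay server-group DHCP-SERVERS 10.0.20.10
set forwarding-options dhcp-relay active-server-group DHCP-SERVERS
set forwarding-options dhcp-relay group LAN-CLIENTS interface ge-0/0/1.0

## The SRX itself must be allowed to receive DHCP on the client-facing interface
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp

## Relayed unicasts leave toward the server through ge-0/0/2.0; trust-to-trust still needs a policy
## unless one already exists
set security policies from-zone trust to-zone trust policy allow-intra match source-address any
set security policies from-zone trust to-zone trust policy allow-intra match destination-address any
set security policies from-zone trust to-zone trust policy allow-intra match application any
set security policies from-zone trust to-zone trust policy allow-intra then permit

## Verify after commit: bindings seen by the relay, and DISCOVER/OFFER/REQUEST/ACK counters
run show dhcp relay binding
run show dhcp relay statistics
```

If the access switch already relays, as the post says it does, the requests arrive at the SRX as unicast UDP/67 toward the server rather than as broadcasts; in that case the SRX needs no relay of its own, only the trust-to-trust policy and a route back to the clients' subnet so the server's reply can return to the switch's relay address.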

SRX security traffic log for a specific duration


I have an SRX5600 and I want to show the traffic log ("log traffic") from 1:00 to 2:00, two days before.

Another way to ask the question:

How can I show old traffic using the security traffic log?

How could I do this?
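Session logs on the SRX5000 line are generated on the SPUs and shipped out in stream mode; in that mode the SRX stores none of them locally, so "two days ago, 01:00 to 02:00" has to be answered by whatever collector receives the stream. The configuration below is an added example, not from the original post; the collector 10.0.0.50, the source address 10.0.0.5 and the policy name ALLOW-OUT are assumptions.

```junos
## Stream session logs straight from the forwarding plane to an external collector
set security log mode stream
set security log format sd-syslog
set security log source-address 10.0.0.5
set security log stream TRAFFIC format sd-syslog
set security log stream TRAFFIC category all
set security log stream TRAFFIC host 10.0.0.50
set security log stream TRAFFIC host port 514

## Nothing is logged unless the policy asks for it; session-close carries the byte/packet counts
set security policies from-zone trust to-zone untrust policy ALLOW-OUT then log session-init
set security policies from-zone trust to-zone untrust policy ALLOW-OUT then log session-close

## Verify the stream is configured and packets are leaving
run show security log stream
run show security log report summary
```

The collector is then where the time window is applied: RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE records carry the policy name, zones, NAT'd addresses and the collector's own receive timestamp, so a query for 01:00 to 02:00 on that host is a filter on those records. Keep the SRX's clock on NTP or the timestamps inside the records will not line up with the collector's.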

Configuration saving query


Hi All,

 

I attempted running the below command and came out of the mode, but to date the firewall keeps showing a message that the configuration was not saved. If I commit the configuration, will it get overwritten with the blank input? Now every time I go into config mode it keeps asking me to save the config. I am worried that the below blank "access-profile" input will overwrite the existing access-profile. Should I just proceed to commit the config? (Note: I am the only user having admin rights to the firewall.) Please guide.

 

configure
Entering configuration mode
Users currently editing the configuration:
root terminal u0 (pid 68040) on since 2019-05-30 10:50:09 EST, idle 17w4d 20:31
[edit]

[edit]
FW-01# edit acc
^
'acc' is ambiguous.
Possible completions:
> access Network access configuration
> access-profile Access profile for this instance
> accounting-options Accounting data configuration
[edit]
FW-01# edit access-profile ?
Possible completions:
<[Enter]> Execute this command
| Pipe through a command
[edit]
FW-01# edit access-profile

[edit access-profile]
FW-01# exit

[edit]
FW-01# exit
The configuration has been changed but not committed
Exit with uncommitted changes? [yes,no] (yes) yes

Exiting configuration mode
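What a practitioner would do before answering the "should I commit?" question, as an added example rather than anything from the original post. The prompts reuse the transcript above; the `configure private` step is a suggestion for next time, not something the poster did.

```junos
## 1. Before committing anything, look at what the candidate would actually change
[edit]
FW-01# show | compare

## 2. If the only difference is the stray "access-profile" node (or there is no difference at all),
##    discard the candidate. This is what clears the "changed but not committed" prompt.
##    Caution: in shared configure mode this also drops anyone else's uncommitted edits, including
##    those of the idle "root terminal u0" session listed when entering configure mode.
[edit]
FW-01# rollback 0
[edit]
FW-01# show | compare
[edit]
FW-01# exit

## 3. Next time, work on a private candidate so a stale shared session cannot mix its changes
##    into yours, and commit only what you changed:
FW-01> configure private
[edit]
## ... make the intended changes here ...
FW-01# commit and-quit
```

Navigating into a hierarchy with `edit` marks the candidate as changed even when nothing was set there; `show | compare` is the authoritative answer to "what would this commit do", and an empty compare means there is nothing to overwrite.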

 

 

Unable to save config


Hi All, I am not sure what I am doing wrong:

The requirement is to allow port 8084 in an existing policy which looks like below:

I added the below commands from config mode, but each time I try to commit the config I see the below error messages:

 

Error messages:

JUNFW-01# commit
[edit security policies from-zone untrust to-zone dmz policy MONITORWEB]
'match'
Missing mandatory statement: 'source-address'
[edit security policies from-zone untrust to-zone dmz policy MONITORWEB]
'match'
Missing mandatory statement: 'destination-address'
[edit security policies from-zone untrust to-zone dmz]
'policy MONITORWEB'
Missing mandatory statement: 'then'
error: commit failed: (missing statements)

 

Newly added commands

--------------------------------

set security policies from-zone untrust to-zone DMZ policy MONITORWEB match source-address any
set security policies from-zone untrust to-zone DMZ policy MONITORWEB match destination-address monitorweb

set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application tcp-8084
set security policies from-zone untrust to-zone DMZ policy MONITORWEB then permit

 

Existing config:

-----------------------

from-zone untrust to-zone DMZ {
policy MONITORWEB {
match {
source-address any;
destination-address monitorweb;
application [ junos-http junos-https ];
}
then {
permit;
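The commit errors name `to-zone dmz` (lowercase), while both the existing policy and the new set commands use `to-zone DMZ`. Junos zone names are case-sensitive, so the errors describe a second, incomplete MONITORWEB policy under a zone name that differs only by case. The clean-up below is an added example, not part of the original post; it assumes the `tcp-8084` custom application has not been defined yet and that the lowercase path holds nothing worth keeping.

```junos
## 1. Inspect what the candidate added; the stray lowercase "to-zone dmz" path shows up here
JUNFW-01# show | compare

## 2. Remove the accidental half-policy that the commit is complaining about
JUNFW-01# delete security policies from-zone untrust to-zone dmz

## 3. Define the custom application (assumed not yet present), then add it to the existing match list.
##    "set ... match application X" appends to the existing [ junos-http junos-https ] list; it does
##    not replace it, so the policy ends up allowing all three.
JUNFW-01# set applications application tcp-8084 protocol tcp destination-port 8084
JUNFW-01# set security policies from-zone untrust to-zone DMZ policy MONITORWEB match application tcp-8084

## 4. Validate without committing, then commit
JUNFW-01# commit check
JUNFW-01# commit and-quit

## 5. Confirm the resulting match list on the real policy
JUNFW-01> show security policies from-zone untrust to-zone DMZ policy-name MONITORWEB detail
```

The commit check fails on the lowercase policy because a policy needs `source-address`, `destination-address` and a `then` action; the uppercase one already has all three, which is why the four `set` lines alone never produced an error about DMZ.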

RPM service monitoring in J-Web


Hi, guys,

 

As the weblink below, the rpm test can be viewed in J-WEB:

 

https://www.juniper.net/documentation/en_US/junos/topics/task/operational/security-rpm-probe-monitoring.html

 

 

J-Web provides a friendly WUI for monitoring the performance of a WAN link, but the volume of data collected is too small (max value set to 20 minutes). How can I collect/configure the RPM results for a period of a week or a month for reviewing/monitoring?

 

Or is there any way to store these RPM results (RTT values) on the SRX locally?

 

Many thanks in advance.

 

 

Chassis cluster - RG0 on one node, and RG1 (with all the reth interfaces) on another


Can this lead to any problem, suboptimal performance etc., if RG0 is on a different node than the rest of the redundancy groups? RG0 has no reth interfaces; all the reths are in another group (RG1), so there is no Z-traffic / this is purely active/passive... RG0 has only lo0. No tunnels are terminated on lo0 or anything fancy... But the SRX has UTM/IDP features configured.

 

Kind regards,

Pawel Mazurkiewicz


Event-options question ?


Hi, Guys,

 

I created an event-option to record the RPM results every 5 minutes. How could I append all results into the same file (as with a traceoptions file: file size and zipped files)?

 

set event-options generate-event ping time-interval 300
set event-options policy Policy1 events ping
set event-options policy Policy1 then execute-commands commands "show service rpm history-results"
set event-options policy Policy1 then execute-commands output-filename RPM_status.txt
set event-options policy Policy1 then execute-commands output-format text
set event-options policy Policy1 then execute-commands destination local-directory
set event-options destinations local-directory archive-sites /var/log/

 

 

Thanks a lot

How to assign a common gateway IP to two vlans on an SRX4100? This was easy on MX/EX, seems impossible on SRX!


Hi,

 

We need to assign the same gateway IP for two vlans on the same interface of an SRX4100. Also these two vlans should be isolated i.e. block layer2 (frames) going from one vlan to the other.

 

This was relatively easy to implement on an EX/MX, but we are scratching our heads over how to do this on the SRX4100. I mean, we can't even create a bridge domain on the SRX:

admin@srx4100# set bridge-domains?
No valid completions
{primary:node0}[edit]

 

We tried different layer 2 setups, e.g. converting the SRX interface to a layer 2 trunk and allocating VLANs to an irb, but again we couldn't find a way to allocate a common gateway IP.

 

Please see below an example of a working configuration done on MX/EX with common gateway 10.20.0.1/16 for vlans 111 and vlan 112:

 

admin@MX# show bridge-domains
BRIDGE-MULTIVLAN-CLIENTS-ACCESS {
domain-type bridge;
vlan-id 113;
no-local-switching;
interface xe-0/1/4.111;
interface xe-0/1/4.112;
routing-interface irb.113;

admin@MX# show interfaces irb
unit 113 {
family inet {
no-redirects;
address 10.20.0.1/16;

 

admin@MX# show interfaces xe-0/1/4
vlan-tagging;
encapsulation flexible-ethernet-services;
unit 111 {
encapsulation vlan-bridge;
vlan-id 111;
}
unit 112 {
encapsulation vlan-bridge;
vlan-id 112;
}

 

Note that now the requirement is for two customers and effectively two vlans in our setup. For 100 customers we will need to assign 100 vlans with the same gateway IP.

Ah, and one last note: our ULL switch doesn't support private VLAN, so private VLAN at the switch level is not an option.

 

Any input/ideas are appreciated. Thanks!

Can an SRX get its WAN IP address from DHCP on an irb (family inet address dhcp)?


Short question.
Can an SRX get its WAN IP address from DHCP on an irb.100 with family inet address dhcp?
It works just fine on ge-0/0/0. What am I missing? Right now I'm back to ge-0/0/0 for the SRX uplink.

 

#show int ge-0/0/0 | display set
set interfaces ge-0/0/0 unit 0 family inet dhcp

# show interfaces irb.100 | display set
set interfaces irb unit 100 description "used to setup srx internet wan edge"
set interfaces irb unit 100 family inet dhcp force-discover

# show interfaces ge-0/0/1 | display set
set interfaces ge-0/0/1 native-vlan-id 100
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [100 270 370 2000 3000]

# show security zones security-zone trust | display set
set security zones security-zone trust screen trust-screen
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.2000
set security zones security-zone trust interfaces irb.3000
set security zones security-zone trust interfaces irb.270
set security zones security-zone trust interfaces irb.370
set security zones security-zone trust application-tracking

# show security zones security-zone untrust | display set
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

set security zones security-zone untrust interfaces irb.100 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces irb.100 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces irb.100 host-inbound-traffic system-services ike

 

Long story
Getting my home lab set up, and I'm trying to use my SRX320 that I use for a remote access VPN to HQ.
Right now I'm wanting to start building my JNCIP-ENT and SP lab while getting a little more SRX experience.
Current setup
ISP--|home ap/router|--SRX320 < Phone/PC/Accesspoint

Wanted setup
 
                                              /-[home ap/router]
ISP -[2300c]--Vlan100 |                                                                         /  Phone
                                          \ -Trunk 100,270,370,2000,3000\--[SRX320]----- Access  point but using MIST EDGE
                                                                                                                   \  PC
My issue: I want to trunk 100, 270, 370, 2000, 3000 to and from the SRX. The SRX is root for a few VLANs in my lab. I tried this a few times while marking native vlan-id 100 and the SRX would not get a dynamic IP from my home router.

Going to lab up IS-IS/OSPF/BGP/IGMP/import/export filters to get ready for IP-level exams.
I only mention this in case anyone can offer any other advice, and understand this is meant to be a little busy of a setup.

100 being untagged from the cable modem to the home AP and SRX
270, 370 used to make adjacencies for multi-area, multi-AS routing protocols
2000, 3000: company PC and phone network so I can have resources in other parts of my house.
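A complete VLAN-to-IRB binding for the uplink, as an added example rather than the poster's configuration; the VLAN names, and the assumption that VLAN 100 is the untagged VLAN on both the cable modem side and the SRX trunk, are mine. The piece the posted snippet does not show is the `vlans` stanza that ties vlan-id 100 to irb.100; without `l3-interface irb.100` the IRB has no layer 2 domain to receive the DHCP offer on, and a DISCOVER sent on it goes nowhere.

```junos
## Assumed: VLAN 100 arrives untagged from the home router on ge-0/0/1 and must map to irb.100
set vlans vlan100 vlan-id 100 l3-interface irb.100
set vlans vlan270 vlan-id 270
set vlans vlan370 vlan-id 370
set vlans vlan2000 vlan-id 2000 l3-interface irb.2000
set vlans vlan3000 vlan-id 3000 l3-interface irb.3000

## Trunk with VLAN 100 as the native (untagged) VLAN; the native VLAN must also be a member
set interfaces ge-0/0/1 native-vlan-id 100
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [ vlan100 vlan270 vlan370 vlan2000 vlan3000 ]

## DHCP client on the IRB. force-discover only changes how the client re-acquires a lease
## (DISCOVER instead of REQUEST); it is not needed to get the first lease.
set interfaces irb unit 100 description "SRX WAN edge via VLAN 100"
set interfaces irb unit 100 family inet dhcp

## irb.100 belongs to untrust and the zone must accept the OFFER/ACK addressed to the SRX itself
set security zones security-zone untrust interfaces irb.100 host-inbound-traffic system-services dhcp

## Verify after commit: is the VLAN up on the trunk, does the client bind, do DISCOVERs go out
run show vlans vlan100
run show interfaces irb.100 terse
run show dhcp client binding
run show dhcp client statistics
```

If `show dhcp client statistics` shows DISCOVERs transmitted but no OFFERs, the frame is leaving but the far side is not answering on VLAN 100; check that the home router's port really treats untagged frames as the same VLAN the cable modem uses. If nothing is transmitted at all, the IRB is not bound to a VLAN.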

Need a better COS scheme


I have a basic CoS scheme. It only really sets AF.

Because of standard limitations I am limited by the SRX. The ge-0/0/0 is not the same as the other interfaces. If you know SRX then you know this. Can someone help me make all the interfaces like an enterprise setup which includes all queues?

I want an enterprise scheme.

I'm on an SRX240B2 with 12.1X46-D55.3.

 

I have this.

 

class-of-service {
    classifiers {
        dscp MyClassifier {
            forwarding-class best-effort {
                loss-priority low code-points 000000;
            }
            forwarding-class expedited-forwarding {
                loss-priority low code-points 101110;
            }
            forwarding-class assured-forwarding {
                loss-priority low code-points [ 001010 001100 001110 010010 010100 010110 011010 011100 011110 100010 100100 100110 ];
            }
            forwarding-class network-control {
                loss-priority low code-points [ 110000 111000 ];
            }
        }
    }
    drop-profiles {
        MyDropProfile {
            fill-level 100 drop-probability 1;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/1 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/2 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/3 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/4 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/5 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/6 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/7 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/8 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/9 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/10 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/11 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/12 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/13 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/14 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        ge-0/0/15 {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
        vlan {
            unit 0 {
                forwarding-class assured-forwarding;
                scheduler-map MyScheduler;
            }
        }
    }
    scheduler-maps {
        MyScheduler {
            forwarding-class best-effort scheduler be-scheduler;
            forwarding-class expedited-forwarding scheduler ef-scheduler;
            forwarding-class assured-forwarding scheduler af-4G-scheduler;
            forwarding-class network-control scheduler nc-scheduler;
        }
    }
    schedulers {
        nc-scheduler {
            transmit-rate exact;
            buffer-size exact;
            priority low;
        }
        ef-scheduler {
            transmit-rate 57646000;
            shaping-rate 221576000;
            buffer-size exact;
            priority low;
        }
        be-scheduler {
            transmit-rate 57646000;
            shaping-rate 221576000;
            buffer-size exact;
            priority low;
        }
        af-scheduler {
            transmit-rate 57646000;
            shaping-rate 221576000;
            buffer-size exact;
            priority low;
        }
        af-4G-scheduler {
            transmit-rate 57646000;
            shaping-rate 221576000;
            buffer-size percent 100;
            priority high;
        }
    }
}
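A four-queue scheme of the kind the post asks for, as an added example and not the poster's configuration. The percentages, the 100m shaping rate and the interface name are assumptions to adapt; the DSCP classifier `MyClassifier` is the one already defined above. The point it makes: a `forwarding-class` statement on a logical interface is fixed classification and overrides the BA classifier, so with `forwarding-class assured-forwarding` on every unit, every packet lands in AF whatever the classifier and schedulers say.

```junos
## Schedulers, one per forwarding class (percentages are assumptions; transmit-rates must sum to <= 100).
## EF is strict-high so voice never queues behind data; NC gets a guaranteed slice for routing protocols;
## AF gets a RED profile; BE takes whatever is left.
set class-of-service schedulers nc-sched transmit-rate percent 5
set class-of-service schedulers nc-sched buffer-size percent 5
set class-of-service schedulers nc-sched priority high
set class-of-service schedulers ef-sched transmit-rate percent 20
set class-of-service schedulers ef-sched buffer-size percent 10
set class-of-service schedulers ef-sched priority strict-high
set class-of-service schedulers af-sched transmit-rate percent 40
set class-of-service schedulers af-sched buffer-size percent 45
set class-of-service schedulers af-sched priority low
set class-of-service schedulers af-sched drop-profile-map loss-priority high protocol any drop-profile af-red
set class-of-service schedulers be-sched transmit-rate remainder
set class-of-service schedulers be-sched buffer-size remainder
set class-of-service schedulers be-sched priority low

## A RED profile that starts dropping before the queue is full (the posted one only acts at 100%)
set class-of-service drop-profiles af-red fill-level 70 drop-probability 25
set class-of-service drop-profiles af-red fill-level 100 drop-probability 100

set class-of-service scheduler-maps ent-map forwarding-class network-control scheduler nc-sched
set class-of-service scheduler-maps ent-map forwarding-class expedited-forwarding scheduler ef-sched
set class-of-service scheduler-maps ent-map forwarding-class assured-forwarding scheduler af-sched
set class-of-service scheduler-maps ent-map forwarding-class best-effort scheduler be-sched

## Per interface: classify by DSCP on ingress, schedule and re-mark on egress.
## Remove the fixed "forwarding-class assured-forwarding" first; fixed classification on a unit
## overrides the BA classifier, which would explain why only the AF queue ever carries traffic.
delete class-of-service interfaces ge-0/0/1 unit 0 forwarding-class
set class-of-service interfaces ge-0/0/1 unit 0 classifiers dscp MyClassifier
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules dscp default
set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map ent-map
set class-of-service interfaces ge-0/0/1 unit 0 shaping-rate 100m

## Verify: class-to-queue mapping, then per-queue counters while traffic flows
run show class-of-service interface ge-0/0/1
run show interfaces queue ge-0/0/1
```

Repeat the interface block for each ge-0/0/x that should schedule; the classifier only matters on ingress interfaces and the scheduler-map only on egress, but applying both everywhere keeps the scheme symmetric. `show interfaces queue` is the check that the other three queues are now being used at all: if only queue 2 (AF) ever counts packets, classification is still fixed somewhere.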

 

 

route-based VPNs between SRX and ASA with multiple subnets behind SRX and single subnet behind ASA.


I'm trying to set up a config very similar to the one described here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28198

which is basically: route-based VPN between SRX and ASA with multiple subnets behind SRX and single subnet behind ASA.

The difference in my situation is that I need to set up 4 subnets behind the SRX as opposed to 2 in the example. I think that means a similar setup to the example, but creating 3 virtual-router instances as opposed to 1.

Anyway, I think I understand the example, but I had some questions I hoped someone could answer:

* It seems to me the interface-routes object, the rib-groups object and the policy-statement object are all required to allow the return traffic to 192.168.3.0/24 subnet in its own virtual router.

If that is the case, why does the rib-group import both inet.0 and ASA.inet.0?

Should it not just need import ASA.inet.0 which actually has the route to 192.168.3.0/24?

Secondly, I have some questions about the policy statement:

* In my case, I have 4 subnets behind SRX I want to pass over vpn. Can I just add extra subnets as term 2, term 3, term 4 in the existing policy-statement?

* the route-filter in the policy-statement has an 'exact' suffix after the subnet. Is that required?
In my case, one of the subnets I want to permit over the vpn is a /20 with 16 /24s within. How should I create the route-filter? As a /20 but without the 'exact'? would the 'orlonger' match type be what I should be using?

Why would you put in the 'exact' in any case?

Much thanks in advance for any answers :)
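The rib-group mechanics the questions are about, as an added example rather than the KB's own text. It assumes a single virtual router named ASA holding st0.0, the 192.168.3.0/24 prefix from the KB, and three assumed prefixes (192.168.4.0/24, 192.168.5.0/24, and 10.50.0.0/20 standing in for the /20). The first table in `import-rib` is the table the routes originate in, which is why the KB lists inet.0 before ASA.inet.0: routes are copied from the first table listed into the others, so naming only ASA.inet.0 would give the group nothing to copy from.

```junos
## Assumed: the ASA tunnel's st0.0 lives in its own virtual router
set routing-instances ASA instance-type virtual-router
set routing-instances ASA interface st0.0

## Copy the LAN interface routes from inet.0 (first table = source) into ASA.inet.0
set routing-options interface-routes rib-group inet LEAK-LANS
set routing-options rib-groups LEAK-LANS import-rib [ inet.0 ASA.inet.0 ]
set routing-options rib-groups LEAK-LANS import-policy ONLY-LANS

## One term per LAN. "exact" leaks only the subnet route itself; "orlonger" also leaks every
## more-specific route under it, which is what you want for a /20 that exists as sixteen /24s.
set policy-options policy-statement ONLY-LANS term lan-a from route-filter 192.168.3.0/24 exact
set policy-options policy-statement ONLY-LANS term lan-a then accept
set policy-options policy-statement ONLY-LANS term lan-b from route-filter 192.168.4.0/24 exact
set policy-options policy-statement ONLY-LANS term lan-b then accept
set policy-options policy-statement ONLY-LANS term lan-c from route-filter 192.168.5.0/24 exact
set policy-options policy-statement ONLY-LANS term lan-c then accept
set policy-options policy-statement ONLY-LANS term lan-d from route-filter 10.50.0.0/20 orlonger
set policy-options policy-statement ONLY-LANS term lan-d then accept
## Nothing else (WAN subnet, the SRX's own /32 local routes, management) goes into the VR
set policy-options policy-statement ONLY-LANS then reject

## Verify after commit: only the LAN routes plus st0.0's own should appear in the VR table
run show route table ASA.inet.0
```

Why `exact` exists: interface routes come in pairs, a Direct route for the subnet and a Local /32 for the SRX's own address, and `exact` keeps the /32s out of the VR; `orlonger` on the /20 will carry those /32s along, which is harmless. Adding terms to the one policy-statement is the right shape for extra subnets. Before building three more virtual routers, note that route-based VPNs on Junos 12.1X46 and later support traffic selectors (`set security ipsec vpn NAME traffic-selector ...`), which let one st0 interface negotiate several proxy-ID pairs with an ASA and remove the per-subnet VR workaround entirely.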

Source NAT rules not being installed


Hello,

 

We have some difficulties when configuring source NAT. All rules are in place, however they seem not to be installed or working.

 

root@SRX1# show security nat
source {
    pool src-pool-1 {
        address {
            X.X.X.X/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                source-address 192.168.20.0/24;
                destination-address 0.0.0.0/24;
            }
            then {
                source-nat {
                    pool {
                        src-pool-1;
                    }
                }
            }
        }
    }
}

 

But:

 

root@SRX1# run show security nat source rule all
node0:
--------------------------------------------------------------------------
Total rules: 0
Total referenced IPv4/IPv6 ip-prefixes: 0/0

node1:
--------------------------------------------------------------------------
Total rules: 0
Total referenced IPv4/IPv6 ip-prefixes: 0/0

{primary:node0}[edit]

 

 

What could be the reason for that?
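Two things to check, written up as an added example rather than the original post's own fix. First, `destination-address 0.0.0.0/24` matches only 0.0.0.0 through 0.0.0.255; a catch-all destination is 0.0.0.0/0. Second, `show security nat` under `[edit]` displays the candidate configuration, while `show security nat source rule all` reports what has been pushed to the forwarding plane on each node, so a rule present in the first and absent from the second has usually not been committed, or not synchronized to the other node.

```junos
## Fix the catch-all destination
delete security nat source rule-set rs1 rule 1 match destination-address 0.0.0.0/24
set security nat source rule-set rs1 rule 1 match destination-address 0.0.0.0/0

## What is still sitting uncommitted in this candidate?
show | compare

## Validate, then commit on both cluster nodes
commit check
commit synchronize

## After the commit the forwarding-plane view must match the configuration on both nodes
run show security nat source summary
run show security nat source rule all
run show security nat source pool all

## Watch the translation happen for a real session from the trust side
run show security flow session source-prefix 192.168.20.0/24
```

One more thing that stops a pool from working even once the rule is installed: if the pool address sits inside the untrust interface's subnet, the SRX must answer ARP for it, which needs `security nat proxy-arp` for that address on the untrust interface; addresses routed to the SRX from upstream need no proxy-arp.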

SRX320 VDSL2 mPIM Physical link down


Hi,

 

I'm installing and configuring a VDSL2 mPIM at a remote site. We need to set up the mPIM for ADSL. Both the ADSL line and the config are new (this is a first install). Our technician at the remote site has installed the mPIM card and booted the SRX. He connected the port to the telco outlet. Although the interface is configured, no LEDs are on or blinking. The telco claims they have successfully delivered the ADSL connection. I need to determine if this is a problem with our connection from the telco, a hardware problem or a misconfiguration. See several outputs of the SRX below. I would kindly ask you to verify the config and give troubleshooting tips. Any help is appreciated.

 

Thanks in advance for your help,

 

Kind regards,

Dimitry

 

 

root@router>show chassis hardware   

FPC 1 REV 09 750-064612 Serial number FPC PIC 0 1x VDSL2 mPIM (RoHS)

 

root@router>show configuration interface 

set interfaces at-1/0/0 encapsulation ethernet-over-atm
set interfaces at-1/0/0 atm-options vpi 0
set interfaces at-1/0/0 dsl-options operating-mode auto
set interfaces at-1/0/0 unit 0 description "To Interconnect ADSL mPIM"
set interfaces at-1/0/0 unit 0 encapsulation ether-over-atm-llc
set interfaces at-1/0/0 unit 0 vci 0.35
set interfaces at-1/0/0 unit 0 family inet address 10.10.10.2/30

 

root@router> show interfaces at-1/0/0
Physical interface: at-1/0/0, Enabled, Physical link is Down
Interface index: 150, SNMP ifIndex: 536
Link-level type: Ethernet-over-ATM, MTU: 1514, Clocking: Internal, ADSL mode, Speed: ADSL,
Loopback: None
Device flags : Present Running Down
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: cc:e1:94:5a:78:2a
Last flapped : 2019-10-15 12:32:53 CEST (6w6d 04:00 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
ADSL alarms : None
ADSL defects : None
ADSL status:
Modem status : Down
DSL mode : Auto Annex A
Last fail code: None
Subfunction : 0x00
Seconds in showtime : 0

 

root@router>show interfaces terse

at-1/0/0 up down
at-1/0/0.0 up down inet 10.10.10.2/30

 


juniper srx650 node 0 hardware failure


Dears,

 

We have a cluster HA active-passive Juniper SRX650 environment (node 0 was active).

Now node 0 is down and node 1 is the primary, and everything is working fine.

I want to replace the faulty power adapter; what are the necessary steps I have to take to replace it without downtime?

Notes:

set chassis cluster redundancy-group 1 preempt     /// is enabled

Attached the screenshot of current cluster status

 

Thanks & Regards,

SS

 

 

SRX550 VPN network cannot access internal network


Hi all, I have a cluster of SRX550s and formed a dynamic VPN via the J-Web VPN wizard.

Now I can use Pulse Secure to connect to this VPN from an outside network; after connecting to the VPN I get the IP address 192.168.168.x/24.

However, I cannot access the internal VLAN 128 network after connecting to the VPN (fail to ping 172.16.128.1).

 

Please find  SRX550 config below for your reference.


set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.168.0/24

set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn

set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.168.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32

 

set security zones security-zone Internal interfaces reth1.128 host-inbound-traffic system-services all
set security zones security-zone Internal interfaces reth1.128 host-inbound-traffic protocols all

set interfaces reth1 unit 128 vlan-id 128
set interfaces reth1 unit 128 family inet address 172.16.128.1/24

set vlans vlan128 vlan-id 128

 

May I know if there is some missing config (maybe policy or route)? How can I access the VLAN 128 network after connecting to the VPN from an outside network? Thanks!!
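In the posted configuration, `remote-protected-resources` holds 192.168.168.0/24, which is the address pool the clients themselves are assigned. That list is the split-tunnel list pushed to the client: traffic to those prefixes is sent into the tunnel, everything else goes out the client's local interface. It therefore has to name the networks behind the SRX, not the pool. The correction below is an added example, not part of the original post; it assumes VLAN 128 is the only internal network that needs to be reachable.

```junos
## Replace the pool prefix with the internal network(s) the clients should reach through the tunnel
delete security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.168.0/24
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 172.16.128.0/24

commit

## Reconnect a client (the list is handed out at connection time), then check what it negotiated
run show security dynamic-vpn users
run show security ike security-associations
run show security ipsec security-associations
run show security ipsec statistics

## Packets toward VLAN 128 should now show up as tunnel sessions, not be missing entirely
run show security flow session destination-prefix 172.16.128.0/24
```

The WAN-to-Internal policy and the `reth1.128` address are already in place, so nothing else is needed for the ping to 172.16.128.1 itself; for hosts on VLAN 128 to answer, they must route 192.168.168.0/24 back to the SRX, which they do automatically if 172.16.128.1 is their default gateway.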

 

 

SRX series SFP compatibility


A Juniper 10G SFP SR is working in an EX3400, but when connected to an SRX it shows UNSUPPORTED.

Setting up NDP proxy on SRX


I have been trying to enable NDP proxy on my SRX340. The official documentation is a bit vague - https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ndp-proxy-configuring.html

 

I have two interfaces, ge-0/0/0.0 and irb.1, both set to the same IPv6 /64 prefix and using the eui-64 option to generate the SRX's addresses. For example let's say the prefix is 2001:DB8::/64.

 

The ge-0/0/0.0 interface is the egress interface and is in the untrust security zone. It is directly connected to the ISP's upstream router. The default gateway has been configured by the ISP as 2001:DB8::1 and this is set as the default IPv6 route in the SRX.

 

The irb.1 is a VLAN used by hosts in the trust security zone and has a router advertisement enabled with the prefix 2001:DB8::/64 so that hosts on the VLAN can use SLAAC to configure their prefix and set the SRX as their default route.

 

At this stage the SRX can ping both the ISP gateway on 2001:DB8::1 and other public addresses such as 2001:4860:4860::8888. The SRX can also ping hosts on the VLAN.

 

However other public IPv6 addresses can't ping the VLAN hosts. I traced this to the ISP gateway not knowing about a next hop so it instead generates Neighbor Discovery Protocol solicitations for the VLAN host IP on the ge-0/0/0.0 link and of course doesn't get a reply as the host is on a different interface. There is a similar story when VLAN hosts attempt to ping the ISP gateway.

 

However when a VLAN pings another public address it knows from the RA to forward it to the SRX. The SRX then knows to forward this to the ISP gateway and the ping request makes it to the destination, however the reply gets stuck at the ge-0/0/0.0 link.

 

After some Googling I discovered the correct solution to this problem is an NDP proxy. The proxy will listen on both interfaces for NDP solicitations for addresses it knows are on a different interface. The proxy then replies to the solicitation with an advertisement using the SRX's MAC on the interface. This will then cause hosts to forward the traffic to the SRX, which can then route it correctly.

 

According to the SRX documentation at https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ndp-proxy-configuring.html I need to enable "set interfaces interface-name family inet6 ndp-proxy interface-restricted". It doesn't specify if I should do both interfaces, but that is what I have tried, along with only enabling it on one or the other interface.

 

However it appears the NDP proxy doesn't work correctly. I have verified, both with the built-in SRX packet capture using the "monitor traffic" command and with Wireshark on the VLAN hosts, that the SRX receives the NDP solicitation request, then immediately sends out another solicitation request for the exact same IP address on the interface it received the solicitation on. Of course there is no reply to either solicitation.

 

It seems as though the SRX should also send a solicitation request for the IP address on the other subnet interface but it doesn't. Thus it never finds the MAC for the IP address. This is even the case when the SRX already knows which interface the IP is on according to the "show ipv6 neighbors" command.

 

So far I have tried many different settings but I still can't get the SRX to forward NDP solicitations from one interface to another one when they are both on the same subnet. I am not sure if this is because the interfaces are in different zones and the documentation doesn't mention any reasons for it to not be working.

 

Has anyone managed to enable the IPv6 Neighbor Discovery Protocol proxy on a SRX? If so what configuration did you use?

 

Is this a bug in the SRX?

reth interface bound to xe interfaces not coming up


Hi all,

 

Currently setting up a new pair of SRX1500s, and running into an issue where the reth16 interface bound to xe-0/0/16 and xe-7/0/16 is not showing as up. Having the exact same issue with the reth17 interface bound to xe-0/0/17 and xe-7/0/17.

 

The reth interfaces seem like they're not working at all: can't ping them, can't use them as a gateway, and I also cannot ping anything from the firewall to IPs behind these interfaces.

 

My relevant config:

set chassis cluster redundancy-group 1 interface-monitor xe-0/0/16 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/17 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/18 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/19 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-7/0/16 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-7/0/17 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-7/0/18 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-7/0/19 weight 255

set interfaces xe-0/0/16 gigether-options redundant-parent reth16
set interfaces xe-0/0/17 gigether-options redundant-parent reth17
set interfaces xe-0/0/18 gigether-options redundant-parent reth18
set interfaces xe-0/0/19 gigether-options redundant-parent reth19
set interfaces xe-7/0/16 gigether-options redundant-parent reth16
set interfaces xe-7/0/17 gigether-options redundant-parent reth17
set interfaces xe-7/0/18 gigether-options redundant-parent reth18
set interfaces xe-7/0/19 gigether-options redundant-parent reth19

set security zones security-zone trust interfaces reth16.0
set security zones security-zone trust interfaces reth17.0
set security zones security-zone trust interfaces reth18.0
set security zones security-zone trust interfaces reth19.0

set interfaces reth16 mtu 9192
set interfaces reth16 redundant-ether-options redundancy-group 1
set interfaces reth16 unit 0 family inet address 10.18.18.254/24
set interfaces reth17 mtu 9192
set interfaces reth17 redundant-ether-options redundancy-group 1
set interfaces reth17 unit 0 family inet address 10.18.11.254/24
set interfaces reth18 redundant-ether-options redundancy-group 1
set interfaces reth18 unit 0
set interfaces reth19 redundant-ether-options redundancy-group 1
set interfaces reth19 unit 0
> show interfaces terse    
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   aenet    --> reth0.0
gr-0/0/0                up    up
ip-0/0/0                up    up
lt-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/1.0              up    up   aenet    --> reth1.0
ge-0/0/2                up    up
ge-0/0/2.0              up    up   aenet    --> fab0.0
ge-0/0/3                up    down
ge-0/0/3.0              up    down aenet    --> reth3.0
ge-0/0/4                up    down
ge-0/0/4.0              up    down aenet    --> reth4.0
ge-0/0/5                up    down
ge-0/0/5.0              up    down aenet    --> reth5.0
ge-0/0/6                up    down
ge-0/0/6.0              up    down aenet    --> reth6.0
ge-0/0/7                up    down
ge-0/0/7.0              up    down aenet    --> reth7.0
ge-0/0/8                up    down
ge-0/0/8.0              up    down aenet    --> reth8.0
ge-0/0/9                up    down
ge-0/0/9.0              up    down aenet    --> reth9.0
ge-0/0/10               up    down
ge-0/0/10.0             up    down aenet    --> reth10.0
ge-0/0/11               up    down
ge-0/0/11.0             up    down aenet    --> reth11.0
ge-0/0/12               up    down
ge-0/0/12.0             up    down aenet    --> reth12.0
ge-0/0/13               up    down
ge-0/0/13.0             up    down aenet    --> reth13.0
ge-0/0/14               up    down
ge-0/0/14.0             up    down aenet    --> reth14.0
ge-0/0/15               up    down
ge-0/0/15.0             up    down aenet    --> reth15.0
xe-0/0/16               up    up
xe-0/0/16.0             up    up   aenet    --> reth16.0
xe-0/0/17               up    up
xe-0/0/17.0             up    up   aenet    --> reth17.0
xe-0/0/18               up    down
xe-0/0/18.0             up    down aenet    --> reth18.0
xe-0/0/19               up    down
xe-0/0/19.0             up    down aenet    --> reth19.0
ge-7/0/0                up    up
ge-7/0/0.0              up    up   aenet    --> reth0.0
ge-7/0/1                up    up
ge-7/0/1.0              up    up   aenet    --> reth1.0
ge-7/0/2                up    up
ge-7/0/2.0              up    up   aenet    --> fab1.0
ge-7/0/3                up    down
ge-7/0/3.0              up    down aenet    --> reth3.0
ge-7/0/4                up    down
ge-7/0/4.0              up    down aenet    --> reth4.0
ge-7/0/5                up    down
ge-7/0/5.0              up    down aenet    --> reth5.0
ge-7/0/6                up    down
ge-7/0/6.0              up    down aenet    --> reth6.0
ge-7/0/7                up    down
ge-7/0/7.0              up    down aenet    --> reth7.0
ge-7/0/8                up    down
ge-7/0/8.0              up    down aenet    --> reth8.0
ge-7/0/9                up    down
ge-7/0/9.0              up    down aenet    --> reth9.0
ge-7/0/10               up    down
ge-7/0/10.0             up    down aenet    --> reth10.0
ge-7/0/11               up    down
ge-7/0/11.0             up    down aenet    --> reth11.0
ge-7/0/12               up    down
ge-7/0/12.0             up    down aenet    --> reth12.0
ge-7/0/13               up    down
ge-7/0/13.0             up    down aenet    --> reth13.0
ge-7/0/14               up    down
ge-7/0/14.0             up    down aenet    --> reth14.0
ge-7/0/15               up    down
ge-7/0/15.0             up    down aenet    --> reth15.0
xe-7/0/16               up    up
xe-7/0/16.0             up    up   aenet    --> reth16.0
xe-7/0/17               up    up
xe-7/0/17.0             up    up   aenet    --> reth17.0
xe-7/0/18               up    down
xe-7/0/18.0             up    down aenet    --> reth18.0
xe-7/0/19               up    down
xe-7/0/19.0             up    down aenet    --> reth19.0
dsc                     up    up
em0                     up    up
em0.0                   up    up   inet     129.16.0.1/2    
                                            143.16.0.1/2    
                                   tnp      0x1100001       
em1                     up    up
em1.32768               up    up   inet     192.168.1.2/24  
em2                     up    up
fab0                    up    up
fab0.0                  up    up   inet     30.17.0.200/24  
fab1                    up    up
fab1.0                  up    up   inet     30.18.0.200/24  
fxp0                    up    up
fxp0.0                  up    up   inet     10.18.1.254/24  
                                            192.168.1.1/24  
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
reth0                   up    up
reth0.0                 up    up   inet     10.18.24.254/23 
reth1                   up    up        
reth1.0                 up    up   inet     xxx.xxx.xxx/26
st0                     up    up
st0.0                   up    up   inet     10.10.11.1/24   
swfab0                  up    up
swfab1                  up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

> show interfaces reth0
Physical interface: reth0  , Enabled, Physical link is Up
  Interface index: 128, SNMP ifIndex: 603
  Link-level type: Ethernet, MTU: 9192, Speed: 1Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Minimum links needed: 1, Minimum bandwidth needed: 1bps
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  Current address: 00:10:db:ff:10:00, Hardware address: 00:10:db:ff:10:00
  Last flapped   : 2019-12-04 17:43:57 UTC (21:29:29 ago)
  Input rate     : 37352 bps (22 pps)
  Output rate    : 40992 bps (25 pps)

  Logical interface reth0.0 (Index 66) (SNMP ifIndex 604)
    Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :        959515         22     127600796        37352
        Output:       1147108         23     644972889        36256
    Adaptive Statistics:
        Adaptive Adjusts:          0
        Adaptive Scans  :          0
        Adaptive Updates:          0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http
    https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip dhcpv6 r2cp webapi-clear-text
    webapi-ssl tcp-encap sdwan-appqoe
    Protocol inet, MTU: 9178
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.18.24/23, Local: 10.18.24.254, Broadcast: 10.18.25.255

> show interfaces reth16   
error: device reth16 not found
> show route 

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 21:31:29
                    > to 194.165.164.65 via reth1.0
                      via st0.0
10.10.11.0/24      *[Direct/0] 21:29:26> via st0.0
10.10.11.1/32      *[Local/0] 21:29:26
                      Local via st0.0
10.18.1.0/24       *[Direct/0] 21:34:53> via fxp0.0
10.18.1.254/32     *[Local/0] 21:34:53
                      Local via fxp0.0
10.18.24.0/23      *[Direct/0] 21:31:27> via reth0.0
10.18.24.254/32    *[Local/0] 21:34:53
                      Local via reth0.0
172.24.0.0/16      *[Static/5] 21:29:26> via st0.0
192.168.1.0/24     *[Direct/0] 21:34:53> via fxp0.0
192.168.1.1/32     *[Local/0] 21:34:53
                      Local via fxp0.0
xxx.xxx.xxx/26  *[Direct/0] 21:31:29> via reth1.0
xxx.xxx.xxx/32  *[Local/0] 21:34:53
                      Local via reth1.0

Any idea why it's doing this?
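A small consistency check, added here as an example and not code from the post or from Juniper: it parses the `set interfaces ... redundant-parent rethN` lines from the configuration and the `show interfaces terse` table, then reports, for every reth named in the config, whether the reth interface itself exists in the live table, which member ports are configured for it, and which member units the box actually shows bound to it (`aenet --> rethN.0`). The sample config and terse output are constructed, trimmed copies of the ones quoted above. The optional `reth_count` argument is my addition: it stands for the value of `set chassis cluster reth-count`, which the post does not show; Junos only instantiates reth0 through reth(N-1), so a configured reth whose index is at or above that count is flagged.

```python
import re

# Constructed sample input: a trimmed copy of the config lines and the
# "show interfaces terse" output quoted in the post above.
SAMPLE_CONFIG = """\
set interfaces xe-0/0/16 gigether-options redundant-parent reth16
set interfaces xe-0/0/17 gigether-options redundant-parent reth17
set interfaces xe-7/0/16 gigether-options redundant-parent reth16
set interfaces xe-7/0/17 gigether-options redundant-parent reth17
set interfaces reth16 redundant-ether-options redundancy-group 1
set interfaces reth16 unit 0 family inet address 10.18.18.254/24
set interfaces reth17 redundant-ether-options redundancy-group 1
set interfaces reth17 unit 0 family inet address 10.18.11.254/24
"""

SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   aenet    --> reth0.0
xe-0/0/16               up    up
xe-0/0/16.0             up    up   aenet    --> reth16.0
xe-0/0/17               up    up
xe-0/0/17.0             up    up   aenet    --> reth17.0
xe-7/0/16               up    up
xe-7/0/16.0             up    up   aenet    --> reth16.0
xe-7/0/17               up    up
xe-7/0/17.0             up    up   aenet    --> reth17.0
reth0                   up    up
reth0.0                 up    up   inet     10.18.24.254/23
"""

PARENT_RE = re.compile(r"^set interfaces (\S+) gigether-options redundant-parent (reth\d+)$")
RETH_RE = re.compile(r"^set interfaces (reth\d+)\b")
TERSE_RE = re.compile(r"^(\S+)\s+(up|down)\s+(up|down)(?:\s+(\S+))?(?:\s+(.*?))?\s*$")


def parse_config(text):
    """Return (set of reths named in the config, {reth: set of member ports})."""
    reths, children = set(), {}
    for line in text.splitlines():
        line = line.strip()
        m = PARENT_RE.match(line)
        if m:
            children.setdefault(m.group(2), set()).add(m.group(1))
            reths.add(m.group(2))
            continue
        m = RETH_RE.match(line)
        if m:
            reths.add(m.group(1))
    return reths, children


def parse_terse(text):
    """Return {name: (admin, link, proto, remote)} for each interface row.

    Indented continuation rows (extra addresses) carry no interface name,
    so the anchored regex skips them on purpose.
    """
    rows = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Interface"):
            continue
        m = TERSE_RE.match(line)
        if m:
            name, admin, link, proto, remote = m.groups()
            rows[name] = (admin, link, proto or "", remote or "")
    return rows


def bound_children(rows):
    """Map each reth to the physical ports whose unit shows 'aenet --> rethN.0'."""
    bound = {}
    for name, (_admin, _link, proto, remote) in rows.items():
        if proto == "aenet" and remote.startswith("-->"):
            parent = remote.split()[1].split(".")[0]
            if parent.startswith("reth"):
                bound.setdefault(parent, set()).add(name.split(".")[0])
    return bound


def check_reths(config_text, terse_text, reth_count=None):
    """Compare configured reths with the live interface table.

    reth_count (assumed argument) is the value of 'set chassis cluster
    reth-count' when known: Junos instantiates only reth0 .. reth(N-1).
    """
    reths, cfg_children = parse_config(config_text)
    rows = parse_terse(terse_text)
    live_children = bound_children(rows)
    report = {}
    for reth in sorted(reths, key=lambda r: int(r[4:])):
        index = int(reth[4:])
        report[reth] = {
            "present": reth in rows,
            "link": rows[reth][1] if reth in rows else None,
            "configured_children": sorted(cfg_children.get(reth, ())),
            "bound_children": sorted(live_children.get(reth, ())),
            "beyond_reth_count": None if reth_count is None else index >= reth_count,
        }
    return report


if __name__ == "__main__":
    # reth_count=16 is a constructed value for the demonstration.
    for reth, info in check_reths(SAMPLE_CONFIG, SAMPLE_TERSE, reth_count=16).items():
        print(reth, info)
```

Run against the sample, both reth16 and reth17 come back with `present: False` even though all four member units are bound, which is exactly the split the terse output above shows; passing the real `reth-count` from the chassis cluster stanza tells you whether the index is simply outside the instantiated range.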
