Channel: SRX Services Gateway topics

SRX300 reboots and gets stuck in db mode when inserting a USB key

Hi all,

My SRX300 fails to get a SanDisk 16G USB 2.0 key working.

Here is the message displayed:

 

root@jeyniper06# umass1: SanDisk' Cruzer Fit, rev 2.00/1.00, addr 2
xhci_activate_xfer+0x154 (0xc80c9800,0,0x80a79770,0x7590c000) ra 0x8018d58c sz 72
xhci_xfer_scheduler+0x274 (0xc80c9800,0,0x80a79770,0x7590c000) ra 0x801e4738 sz 72
fork_exit+0x230 (0xc80c9800,0,0x80a79770,0x7590c000) ra 0x80a60ba0 sz 40
MipsNMIException+0x34 (0xc80c9800,0,0x80a79770,0x7590c000) ra 0 sz 0
pid 2175, process: udev-sched-1.1
cpu:0-Trap cause = 2 (TLB miss (load or instr. fetch) - kernel mode)
badvaddr = 0xc, pc = 0x8018c028, ra = 0x8018d58c, sr = 0x5080ffa3
panic: trap
cpuid = 0
KDB: stack backtrace:
SP 0: not in kernel
uart_sab82532_class+0x0 (0,0,0,0) ra 0 sz 0
pid 2175, process: udev-sched-1.1
Uptime: 7m10s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...

 

Any help would be appreciated!

Best Regards,

Jeremie


SRX1500: enable both control plane and data plane logging

Device: SRX1500 JunOS 19.3

I am confused about how to send both "control plane" and "data plane" related logs to the same syslog server, as I can't seem to get both at the same time.

 

If I enable "data plane (security log)" logging, then I receive firewall related flow logs, but not other types of syslogs.
If I enable "control plane (system log)" logging, then I receive other types of syslogs, but not firewall logs.
If I have both types of logging present in my configuration, then I only receive firewall logs.
Logs are being sent with a source of lo0.0 and out a normal data plane interface (i.e. ge-0/0/0.0).

 

How can I send both control plane and data plane syslogs to the same syslog server?

 

###################
# Example Security log configuration
###################

security {
  log {
    mode stream;
    stream SYSLOG_SERVER {
      format syslog;
      category all;
      host {
        <syslog server ip address>;
      }
    }
  }
}

I receive only these types of events on my syslog server:
Facility: RT_FLOW
Event Types:
RT_FLOW_SESSION_CREATE
RT_FLOW_SESSION_CLOSE
RT_FLOW_SESSION_DENY


###################
# Example System log configuration
###################
system {
  syslog {
    host <syslog server ip address> {
      any info;
    }
  }
}

 

I receive all events (facilities user, kernel, sshd, etc) on my syslog server, EXCEPT RT_FLOW.

SRX4600 EoL

Hi,

Does anyone know when the SRX4600 hardware goes EoL / EoS?

Thanks

I would like to ask about a VPN connection on the SRX320

I would like to ask about a VPN connection for the SRX320. I want users outside the office to access office resources. Which license do I need to buy, and which client should I use, Pulse Secure or NCP?

 

SRX-RAC-5-LTU or SRX-RA1-5?

 

Software Version: JUNOS Software Release [15.1X49-D160.2]

Does the SRX5800 support this feature even though it uses SPC3?

Configuring SNMP traps on edge devices whose management IPs are public

Hi Team,

 

We are trying to configure SNMP traps on all devices. Traps are working fine when the devices are below SRX 240 firewall (trust zone or same network).

 

But the issue comes when edge devices initiate a trap from untrust to trust zone.

 

SNMP configuration on edge devices:

*consider the following example

trap-options {
    source-address 14.x.x.1;
}
trap-group Zabbix-trap {
    version v2;
    destination-port 162;
    categories {
        authentication;
        remote-operations;
        configuration;
    }
    targets {
        14.x.x.2;
    }
}

 

configuration on core firewall :


set security nat destination pool Zabbix_Trap address 192.168.10.2/32
set security nat destination pool Zabbix_Trap address port 162

 

set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-address 14.x.x.2/32
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-port 162
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap then destination-nat pool Zabbix_Trap

 

set security policies from-zone untrust to-zone trust policy Zabbix_Trap match source-address 14.x.x.1
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match destination-address Zabbix
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match application SNMP
set security policies from-zone untrust to-zone trust policy Zabbix_Trap then permit
set security policies from-zone untrust to-zone trust policy Zabbix_Trap then log session-init
set security policies from-zone untrust to-zone trust policy Zabbix_Trap then count

 

But when we try to configure traps on the edge devices, we have configured a destination NAT pool on the core firewall (SRX 240) and have given the same target IP that we used in the SNMP configuration on the edge devices.

 

We have also configured a policy from the untrust to the trust zone with the source as the public IP (e.g. 14.x.x.x) and the destination as the private IP of our Zabbix server, and allowed application port 162 for traps.

 

please find attached network architecture.

 

 

 

Can anyone kindly assist in proceeding further?

 

 

Thanks,

Gautam


SRX320: Static NAT issue with static route next-hop interface on upstream Cisco 2801 router

Hello Friends,

I have an issue which really seems like a simple problem, but I couldn't solve it so far.

I migrated from a Cisco ASA to a Juniper SRX320. All outbound traffic hitting the static NAT is failing, while traffic hitting the interface source NAT is working fine. To put it differently, return traffic destined to the SRX external interface address is OK, but return traffic destined to the static NAT public address isn't.

When rolling back to the Cisco ASA everything works fine. Tested the SRX config in a lab with a similar setup ... everything is working.

I think the upstream Cisco router is the issue, but I cannot be sure. The ISP confirmed that they have two static routes for the static NAT public range ... one with next-hop FW address and another next-hop interface. See below.

I don't understand why they have redundant routes, but I think this is causing my issue. Does anyone agree?

As this range is not part of my ISP interface subnet, I understood I don't need to configure proxy-arp. Correct?

My NAT config looks like this.

set security nat source rule-set Interface_NAT from zone INSIDE
set security nat source rule-set Interface_NAT to zone OUTSIDE
set security nat source rule-set Interface_NAT rule R1 match source-address 192.168.1.0/24
set security nat source rule-set Interface_NAT rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set Interface_NAT rule R1 then source-nat interface


set security nat static rule-set Static_NAT from zone OUTSIDE
set security nat static rule-set Static_NAT rule r1 match destination-address 2.2.2.1/32
set security nat static rule-set Static_NAT rule r1 then static-nat prefix 192.168.1.253/32

 

Any help is appreciated!

 

Thanks in advance!

Mohneja

SRX security flow doubts


Hi, all

 

We have an IPsec connection with our partner. Due to increasing traffic, the SRX cannot handle the encryption/decryption any more, so we decided to migrate to direct connections. I put both the st0 interface and the physical direct connection interface in the same security zone so I don't have to touch existing security policies or NAT rules. For the migration, I thought I would just deactivate the VPN and lift the BGP import filter so routing to the partner side prefix would now go out of the physical interface, and everything should just work. Easy enough, right? Not so much ... somehow TCP sessions cannot be established from either direction after cutover. The security flow session indicates that sessions were created by initiating connections from either side, but there is no return traffic. Here is the diagram:

[zone trust ge-1/0/1] ------[SRX]----(zone untrust, interface st0.1, interface ge-1/0/0)

 

## Here is the show security session output when the VPN was deactivated

For inbound traffic, internal host 172.18.63.122 is statically mapped to 28.8.12.129; for outbound traffic, the internal host is PAT'd to 28.8.12.135 (if the internal host does not have a static NAT address assigned).

 

Session ID: 115841114, Policy name: allow_inbound/26, State: Active, Timeout: 8, Valid
In: 13.20.21.192/53944 --> 28.8.12.129/25;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 1, Bytes: 60, CP Session ID: 113526337
Out: 172.18.63.122/25 --> 13.20.21.192/53944;tcp, Conn Tag: 0x0, If: ge-1/0/1, Pkts: 0, Bytes: 0, CP Session ID: 113526337

 

Session ID: 115842757, Policy name: allow_outbound/25, State: Active, Timeout: 6, Valid
In: 172.18.25.36/54664 --> 13.20.17.137/8051;tcp, Conn Tag: 0x0, If: ge-1/0/1, Pkts: 1, Bytes: 60, CP Session ID: 112611196
Out: 13.20.17.137/8051 --> 28.8.12.135/43157;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 0, Bytes: 0, CP Session ID: 15897414

 

Looking at the inbound session, obviously the SRX received the TCP SYN from the partner, but it seems that the SRX did not receive the SYN-ACK from our internal host. From the outbound session, the SRX received the TCP SYN from the internal host, but did not receive the SYN-ACK from the partner side.

 

This is a pure network layer routing change; there are no application side configuration changes, and both the partner and I verified that routing is correct, but the above two sessions contradict each other. By looking at the flow session, I am not sure which leg is having the problem. For example, for the inbound session, we can conclude that inbound from the partner to the SRX works, but how do I know whether the return failure is because our internal host is not sending the SYN-ACK to the SRX, or the SRX failed to send the SYN-ACK to the partner, or the partner side received the SYN-ACK but failed to send it back to the SRX? I unfortunately don't have the luxury of taking my time to do a flow trace on my side in production. Where else should I look further?
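The question at the end of the post, which leg is broken when both sessions show Pkts: 0 on the return wing, is one the session table itself partly answers: the Out wing records the address the reply must come from and the interface it must arrive on, and comparing the two wings shows which NAT the SRX applied. The following is an added example, not code from the original post: a Python parser for `show security session` output that does that bookkeeping and flags one-way sessions. The first two sessions in the sample are the ones quoted in the post; the third is constructed as a healthy two-way session for contrast.

```python
"""Triage `show security session` output from an SRX: parse both wings of each
session, report which NAT was applied, and flag sessions that never saw a reply.

Added example, not code from the original post. The first two sessions in
SAMPLE_OUTPUT are the ones quoted in the post; the third is constructed.
"""
import re

# "Session ID: 115841114, Policy name: allow_inbound/26, State: Active, Timeout: 8, Valid"
_HDR_RE = re.compile(
    r"Session ID: (?P<id>\d+), Policy name: (?P<policy>[^,]+), "
    r"State: (?P<state>\w+), Timeout: (?P<timeout>\d+)"
)
# "In: 13.20.21.192/53944 --> 28.8.12.129/25;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 1, Bytes: 60, ..."
_WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\da-fA-F.:]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\da-fA-F.:]+)/(?P<dport>\d+);(?P<proto>\w+), .*?"
    r"If: (?P<if>[^,]+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)

SAMPLE_OUTPUT = """
Session ID: 115841114, Policy name: allow_inbound/26, State: Active, Timeout: 8, Valid
In: 13.20.21.192/53944 --> 28.8.12.129/25;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 1, Bytes: 60, CP Session ID: 113526337
Out: 172.18.63.122/25 --> 13.20.21.192/53944;tcp, Conn Tag: 0x0, If: ge-1/0/1, Pkts: 0, Bytes: 0, CP Session ID: 113526337

Session ID: 115842757, Policy name: allow_outbound/25, State: Active, Timeout: 6, Valid
In: 172.18.25.36/54664 --> 13.20.17.137/8051;tcp, Conn Tag: 0x0, If: ge-1/0/1, Pkts: 1, Bytes: 60, CP Session ID: 112611196
Out: 13.20.17.137/8051 --> 28.8.12.135/43157;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 0, Bytes: 0, CP Session ID: 15897414

Session ID: 115850001, Policy name: allow_outbound/25, State: Active, Timeout: 1800, Valid
In: 172.18.25.40/50111 --> 13.20.17.137/8051;tcp, Conn Tag: 0x0, If: ge-1/0/1, Pkts: 12, Bytes: 1860, CP Session ID: 112611300
Out: 13.20.17.137/8051 --> 28.8.12.135/43201;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 10, Bytes: 5400, CP Session ID: 15897500
"""  # third session is constructed for contrast


def parse_sessions(text):
    """Return a list of sessions, each with 'in' and 'out' wing dicts."""
    sessions = []
    for line in text.splitlines():
        h = _HDR_RE.search(line)
        if h:
            sessions.append({"id": int(h["id"]), "policy": h["policy"],
                             "state": h["state"], "timeout": int(h["timeout"])})
            continue
        w = _WING_RE.match(line)
        if w and sessions:
            wing = w.groupdict()
            for key in ("sport", "dport", "pkts", "bytes"):
                wing[key] = int(wing[key])
            sessions[-1][wing.pop("dir").lower()] = wing
    return [s for s in sessions if "in" in s and "out" in s]


def triage(text):
    """For every session: NAT applied (from wing address differences) and
    whether the reply wing ever carried a packet."""
    findings = []
    for s in parse_sessions(text):
        i, o = s["in"], s["out"]
        nat = []
        # Reply comes from a different address than the one the initiator hit: DNAT.
        if i["dst"] != o["src"]:
            nat.append(f"dnat {i['dst']}->{o['src']}")
        # Reply is addressed to something other than the initiator: SNAT/PAT.
        if i["src"] != o["dst"]:
            nat.append(f"snat {i['src']}->{o['dst']}")
        one_way = i["pkts"] > 0 and o["pkts"] == 0
        findings.append({
            "id": s["id"], "policy": s["policy"], "nat": nat,
            "status": "one-way" if one_way else "two-way",
            # The Out wing says who must answer and on which interface it must arrive.
            "waiting_on": f"{o['src']} via {o['if']}" if one_way else None,
        })
    return findings


def one_way_ids(text):
    """Session IDs whose reply wing never saw a packet."""
    return [f["id"] for f in triage(text) if f["status"] == "one-way"]


if __name__ == "__main__":
    for f in triage(SAMPLE_OUTPUT):
        print(f["id"], f["policy"], f["status"], f["nat"], f["waiting_on"] or "")
```

A one-way result only says the reply never reached the SRX on the listed interface; it does not distinguish a host that never answered from a reply lost beyond the firewall, so the "waiting on" address and interface are where a capture or the next hop's session table has to be checked.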

 


Cisco 6800 VSS - Juniper SRX4100 cluster

Hi,

I have been trying to set up OSPF between 3 devices that are in-line: Cisco 6800 VSS <--> Juniper SRX4100 cluster <--> SRX4100 standalone.

 

I have an issue across the board.

1. VSS-SRX: the VLAN interface CAN ping reth0.800. Both have matching MTU (9136); the SRX is in a routing-instance. Both have matching timers/network type. In the SRX security zone, all host-inbound protocols are temporarily allowed.

- file attached with debug.

2. SRX cluster - SRX standalone: error. Can I not run OSPF on the standalone as it is now?

SRX-SAVVIS-04# show | compare

[edit security zones security-zone COLO interfaces]
      xe-0/0/0.0 { ... }
+     irb.700 {
+         host-inbound-traffic {
+             protocols {
+                 ospf;
+             }
+         }
+     }
[edit routing-options]
+  router-id 10.0.0.10;
[edit protocols]
+   ospf {
+       area 0.0.0.0 {
+           interface irb.700;
+       }
+   }

[edit]
admin@ATL-SRX-SAVVIS-04# commit and-quit 
[edit security zones security-zone COLO]
  'interfaces irb.700'
    Interface irb is not allowed in mix mode
error: configuration check-out failed

 

 

OSPF SRX 4100 Cisco 6800


Hi, this seems very basic; however, I need some clarity on why I cannot peer OSPF in either of the following scenarios:

1. a pair of SRX4100s (one is a Chassis Cluster with reth and one is stand-alone with irb)

According to the diagram, layer 3 in scenario 1 is across a circuit (reth0.700 <--> irb.700)

2. above SRX Cluster and Cisco 6800 switch.

According to the diagram, layer 3 in scenario 2 is between reth0.800 and Vlan800, directly.

All devices show traceoptions/debug sending OSPF.

All have matching MTU, and can ping the directly connected interfaces of the other host.

At Layer 2, the link between the SRX firewalls goes via the C6800 switch.

 


 

 

SRX 240H2 DNS issue over 192.168 subnet


We have an SRX240H2 that has a DHCP configuration to allow mobile devices to connect, and it is routed via an independent ISP. Users are able to connect to the SSID and get an IP and DNS provided by the SRX; however, name resolution does not work and they cannot browse. Strangely, if a user accesses an unsecured web page the "insecure page" warning appears, but upon accepting the risk the web page does not load. This was working fine and no changes were made to the network. We tried creating a new SSID with a new VLAN and the results are the same. The configuration on another SRX works fine. Here's my DHCP configuration on the SRX; routing is OK as the users are able to ping external IP addresses.

 

set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.5
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.250
set system services dhcp pool 192.168.3.0/24 name-server 4.2.2.2
set system services dhcp pool 192.168.3.0/24 name-server 8.8.8.8
set system services dhcp pool 192.168.3.0/24 router 192.168.3.1

set security zones security-zone Mobile interfaces reth1.399 host-inbound-traffic system-services all
set security zones security-zone Mobile interfaces reth1.399 host-inbound-traffic protocols all

I have restarted DHCP services but that didn't help either...

Dynamic VPN on SRX: no internet access

Hi All

 

I have a dynamic VPN configuration, and I can connect to my computer but can't access the internet. What's wrong?

 

Thanks,

 

My configuration:

set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposal-set basic
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text "$9$JdZDH.PTz3/UDCpOBcSoaZj.PfTzF69q.BIRcle"
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn dynamic hostname RXS-SRX300
set security ike gateway gw_wizard_dyn_vpn dynamic connections-limit 50
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_wizard_dyn_vpn external-interface ge-0/0/0.0
set security ike gateway gw_wizard_dyn_vpn aaa access-profile remote_access_profile
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set basic
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security ipsec vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn


set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.0.0/16
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.10.10.0/24
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group user admin1
set security dynamic-vpn clients wizard-dyn-group user admin2


set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn

set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.100.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range Range-VPN-Test low 10.10.100.20
set access address-assignment pool dyn-vpn-address-pool family inet range Range-VPN-Test high 10.10.100.254
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 192.168.0.11/32

 

SRX and Log Collector Security Director


Hello! I have a question about logs from the SRX. I have a cluster of SRXs, and I also have Junos Space Security Director and Log Collector. Can I send all logs to Log Collector? My SRX has a heavy load due to the large number of logs. But I see only Security events in my Security Director; how can I make my SRX send all message logs to Log Collector so that I can see all system events in Security Director?

Site-to-Site VPN PKI.


Hi all,

I am having some issues trying to get a site-to-site VPN working with certificates. This is in a lab environment on eve-ng; I am just trying to get the knowledge for S2S VPNs using PKI. Additionally, the VPN was previously working using pre-shared keys.

I have created a:

- CA profile (disabled revocation-check), loaded the CA certificate.

- Generated a certificate request on each SRX firewall and then applied this on the CA to generate the local certificate.

- Loaded the local certificate onto each firewall and then configured the VPN.

Oddly, I am seeing IKE security associations on one side but not the other. Below is the configuration:

 

Site-1(SRX):

set security ike traceoptions file size 750k
set security ike traceoptions file files 10
set security ike traceoptions flag policy-manager
set security ike traceoptions flag ike
set security ike traceoptions flag routing-socket
set security ike proposal proposal-1 authentication-method rsa-signatures
set security ike proposal proposal-1 dh-group group19
set security ike proposal proposal-1 authentication-algorithm sha-256
set security ike proposal proposal-1 encryption-algorithm aes-128-cbc
set security ike proposal proposal-1 lifetime-seconds 86400
set security ike policy policy-1 mode main
set security ike policy policy-1 proposals proposal-1
set security ike policy policy-1 certificate local-certificate site-1
set security ike policy policy-1 certificate peer-certificate-type x509-signature
set security ike gateway gateway-1 ike-policy policy-1
set security ike gateway gateway-1 address 172.16.1.2
set security ike gateway gateway-1 no-nat-traversal
set security ike gateway gateway-1 local-identity hostname site-1.test.com
set security ike gateway gateway-1 remote-identity hostname site-2.test.com
set security ike gateway gateway-1 external-interface ge-0/0/0
set security ike gateway gateway-1 version v2-only

show security pki local-certificate
Certificate identifier: site-1
  Issued to: site-1.test.com, Issued by: C = GB, O = Test-Voda, OU = Test-Voda, CN = Test-Voda
  Validity:
    Not before: 02-29-2020 13:15 UTC
    Not after: 02-28-2021 13:15 UTC
  Public key algorithm: rsaEncryption(2048 bits)

show security pki ca-certificate
Certificate identifier: CACERT
  Issued to: Test-Voda, Issued by: C = GB, O = Test-Voda, OU = Test-Voda, CN = Test-Voda
  Validity:
    Not before: 02-29-2020 11:33 UTC
    Not after: 03- 1-2030 11:33 UTC
  Public key algorithm: rsaEncryption(2048 bits)

show security ike security-associations

set security pki ca-profile CACERT ca-identity CAcert
set security pki ca-profile CACERT revocation-check disable

Site-2(SRX):

root@Site-2> show configuration security ike | display set
set security ike traceoptions file size 750k
set security ike traceoptions file files 10
set security ike traceoptions flag policy-manager
set security ike traceoptions flag ike
set security ike traceoptions flag routing-socket
set security ike proposal proposal-1 authentication-method rsa-signatures
set security ike proposal proposal-1 dh-group group19
set security ike proposal proposal-1 authentication-algorithm sha-256
set security ike proposal proposal-1 encryption-algorithm aes-128-cbc
set security ike proposal proposal-1 lifetime-seconds 86400
set security ike policy policy-1 mode main
set security ike policy policy-1 proposals proposal-1
set security ike policy policy-1 certificate local-certificate site-2
set security ike policy policy-1 certificate peer-certificate-type x509-signature
set security ike gateway gateway-1 ike-policy policy-1
set security ike gateway gateway-1 address 172.16.1.1
set security ike gateway gateway-1 no-nat-traversal
set security ike gateway gateway-1 local-identity hostname site-2.test.com
set security ike gateway gateway-1 remote-identity hostname site-1.test.com
set security ike gateway gateway-1 external-interface ge-0/0/0
set security ike gateway gateway-1 version v2-only

root@Site-2> show security pki ca-certificate
Certificate identifier: CACERT
  Issued to: Test-Voda, Issued by: C = GB, O = Test-Voda, OU = Test-Voda, CN = Test-Voda
  Validity:
    Not before: 02-29-2020 11:33 UTC
    Not after: 03- 1-2030 11:33 UTC
  Public key algorithm: rsaEncryption(2048 bits)

root@Site-2> show security pki local-certificate
Certificate identifier: site-2
  Issued to: site-2.test.com, Issued by: C = GB, O = Test-Voda, OU = Test-Voda, CN = Test-Voda
  Validity:
    Not before: 02-29-2020 20:17 UTC
    Not after: 02-28-2021 20:17 UTC
  Public key algorithm: rsaEncryption(2048 bits)

root@Site-2> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
4564959 UP     916652aadcd9e6c9  565fd25a8c3903c7  IKEv2          172.16.1.1

set security pki ca-profile CACERT ca-identity CAcert
set security pki ca-profile CACERT revocation-check disable

 

Seeing this in the logs:

 

Feb 29 21:26:27  Site-1 kmd[1160]: IKE negotiation failed with error: Authentication failed. IKE Version: 2, VPN: secvpn-1 Gateway: gateway-1, Local: 172.16.1.1/500, Remote: 172.16.1.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Feb 29 21:26:27  Site-1 kmd[1160]: KMD_PEER_CERT_VERIFY_FAILED: Failed peer certificate verification for Gateway: gateway-1, Local: 172.16.1.1/500, Remote: 172.16.1.2/500, Local IKE-ID: site-1.test.com, Remote IKE-ID: site-2.test.com, VR id: 

 

Any suggestions would be appreciated.

 

 

How to check deny traffic log in CLI and WebUI

Hi,

We have configured the security policy below, but we are not getting the deny log of the source IP.

 

set security policies from-zone External to-zone DMZ policy DenyALL match source-address any-ipv4
set security policies from-zone External to-zone DMZ policy DenyALL match destination-address any
set security policies from-zone External to-zone DMZ policy DenyALL match application any
set security policies from-zone External to-zone DMZ policy DenyALL then deny
set security policies from-zone External to-zone DMZ policy DenyALL then log session-init
set security policies from-zone External to-zone DMZ policy DenyALL then log session-close


set system syslog file Denied-Traffic any any
set system syslog file Denied-Traffic match RT_FLOW_SESSION_DENY

 

Please suggest which command will help me to get the "deny" logs, in the CLI as well as the WebUI.

Please suggest if any additional config is required.

 

Thanks in advance...
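Two posts on this page come down to the same collector-side question: the SRX1500 stream-mode post earlier (which listed the RT_FLOW event types it received and the RE facilities it did not) and the DenyALL post just above (which wants the source IPs behind RT_FLOW_SESSION_DENY). The following is an added example, not code from either poster: a Python parser that splits a mixed feed into data-plane RT_FLOW records and control-plane Routing Engine messages, and counts deny sources. It handles both layouts Junos emits for RT_FLOW, the structured-data form (`format sd-syslog`, a `[junos@<oid> key="value" ...]` block) and the traditional text form (`format syslog`). The hostnames, addresses, ports and timestamps in SAMPLE_FEED are constructed for the example.

```python
"""Separate a mixed SRX syslog feed into data-plane (RT_FLOW) and
control-plane (Routing Engine) records and pull source addresses out of
RT_FLOW_SESSION_DENY events.

Added example, not code from either forum post. Every hostname, address,
port and timestamp in SAMPLE_FEED is constructed for this example.
"""
import re
from collections import Counter

# Structured-data RT_FLOW record: event name, then a [junos@<oid> k="v" ...] block.
_SD_RE = re.compile(r"(RT_FLOW_[A-Z_]+)\s+\[junos@[\d.]+\s+(.*)\]")
_KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Traditional RT_FLOW record: 'RT_FLOW_X: ... <src>/<sport>-><dst>/<dport> ...'
_TRAD_RE = re.compile(
    r"(RT_FLOW_[A-Z_]+):\s+.*?(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+)"
)
# Routing Engine syslog: '<mon> <day> <time> <host> <process>[<pid>]: <message>'
_RE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+([\w.-]+)(?:\[\d+\])?:\s+(.*)$")

SAMPLE_FEED = [  # constructed lines; addresses are documentation ranges
    # control plane (RE) messages
    "Mar  1 10:00:01 srx1500 sshd[1234]: Accepted password for admin from 203.0.113.9 port 50022 ssh2",
    "Mar  1 10:00:02 srx1500 mgd[2345]: UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)",
    "Mar  1 10:00:03 srx1500 mib2d[3456]: SNMP_TRAP_LINK_DOWN: ifIndex 526, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/3",
    # data plane, structured-data layout (mode stream, format sd-syslog)
    '<14>1 2020-03-01T10:00:04.000Z srx1500 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="198.51.100.23" source-port="51234" destination-address="192.0.2.10" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="DenyALL" source-zone-name="External" destination-zone-name="DMZ" packet-incoming-interface="ge-0/0/0.0" reason="policy deny"]',
    '<14>1 2020-03-01T10:00:05.000Z srx1500 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="198.51.100.23" source-port="51235" destination-address="192.0.2.10" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="DenyALL" source-zone-name="External" destination-zone-name="DMZ" packet-incoming-interface="ge-0/0/0.0" reason="policy deny"]',
    '<14>1 2020-03-01T10:00:06.000Z srx1500 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.4" source-port="40000" destination-address="192.0.2.10" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="allow_out" source-zone-name="trust" destination-zone-name="untrust"]',
    # data plane, traditional text layout (mode event on a branch SRX, format syslog)
    "Mar  1 10:00:07 srx300 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.77/4444->192.0.2.20/3389 junos-ms-rdp 6(0) DenyALL External DMZ UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
]


def parse_line(line):
    """Classify one syslog line into {'plane', 'event', 'fields'}."""
    m = _SD_RE.search(line)
    if m:
        return {"plane": "data", "event": m.group(1),
                "fields": dict(_KV_RE.findall(m.group(2)))}
    m = _TRAD_RE.search(line)
    if m:
        event, src, sport, dst, dport = m.groups()
        return {"plane": "data", "event": event,
                "fields": {"source-address": src, "source-port": sport,
                           "destination-address": dst, "destination-port": dport}}
    m = _RE_RE.match(line)
    if m:
        return {"plane": "control", "event": m.group(1),
                "fields": {"message": m.group(2)}}
    return {"plane": "unknown", "event": None, "fields": {"message": line}}


def summarize(lines):
    """Count records per plane; a feed carrying only one plane stands out at once."""
    return dict(Counter(parse_line(line)["plane"] for line in lines))


def deny_sources(lines):
    """Count source addresses across RT_FLOW_SESSION_DENY records."""
    hits = Counter()
    for rec in map(parse_line, lines):
        if rec["event"] == "RT_FLOW_SESSION_DENY":
            hits[rec["fields"].get("source-address", "?")] += 1
    return hits


if __name__ == "__main__":
    print("per plane:", summarize(SAMPLE_FEED))
    for addr, n in deny_sources(SAMPLE_FEED).most_common():
        print(f"denied {n}x from {addr}")
```

Run against a real collector file, the per-plane summary is the quickest way to see whether only RT_FLOW or only RE facilities are arriving; the deny counter gives the per-source view the DenyALL post asks for without depending on the collector's own search syntax.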


IPSec Log from SRX to Security Director!


Hello! I have a problem with IPsec logs on the SRX. I need the SRX to send logs of the VPNs to Security Director. I imported the VPNs from the SRX into Security Director, but I don't see data for the VPNs; I only see the VPN status as down! How can I get Security Director to show data for the VPNs?

 

SRX240 commit problem


Hi All,

I have an SRX240. When I change anything in the configuration, like adding a user or creating a new policy, and then commit, the commit does not complete and I get the message "the IDP license expired".

Is it necessary to renew the IDP license in order to be able to make any changes to the configuration?

If there is any workaround that can be done to make change in configuration until I renew the license, please provide it to me

SRX1500 Cluster : 10G Reth interfaces but routing to 1G


Hello Juniper experts

 

We run a cluster of 2 Juniper SRX1500 and configured 2 reth interfaces (reth1 & reth2) on 4 10G ports:

- xe-0/0/16 and xe-7/0/16 for reth1

- xe-0/0/17 and xe-7/0/17 for reth2

 

Both reth1 and reth2 show a speed of 10Gbps, as do the 4 physical ports used to build reth1 & reth2:

 

show interfaces reth1
Physical interface: reth1, Enabled, Physical link is Up
Interface index: 129, SNMP ifIndex: 589
Link-level type: Ethernet, MTU: 1514, Speed: 10Gbps, BPDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1

show interfaces reth2
Physical interface: reth2, Enabled, Physical link is Up
Interface index: 130, SNMP ifIndex: 591
Link-level type: Ethernet, MTU: 1514, Speed: 10Gbps, BPDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
Minimum bandwidth needed: 1bps

 

Our problem is that all traffic going from reth1 to reth2 or the opposite is capped to 1Gbps :/

Can someone think of something we should check? No screens involved, nor QoS....

 

Thanks in advance guys

 

Regards

 

Vincent

SRX-5400 cluster SPU/CPU unbalanced


Hi, I have an SRX-5400 cluster that has dual SPC2. The Flow/CP sessions are pretty balanced across all 7 flow-processing SPUs, but the CPU usage of FPC2 SPU3 is constantly 10% higher than the other SPUs. There is one IPsec tunnel anchored on this SPU, but the peak throughput of this IPsec tunnel is less than 50Mbps, which is nothing.

 

What could be wrong?

 

> show security monitoring node 0
node0:
--------------------------------------------------------------------------
                  Flow session   Flow session     CP session     CP session
FPC PIC CPU Mem        current        maximum        current        maximum
  0   0   0  13              0              0              0              0
  0   1  13   7          21355        6291456          28768        7549747
  0   2  14   7          14625        6291456          28214        7549747
  0   3  13   7          14595        6291456          27989        7549747
  2   0  13   7          14524        6291456          28687        7549747
  2   1  13   7          14334        6291456          28164        7549747
  2   2  13   7          14195        6291456          28113        7549747
  2   3  22   7          15442        6291456          28028        7549747
Total Sessions:         109070       44040192         197963       52848229

SRX300 series max rollbacks


I can't seem to find any specific documentation on this but is there any harm in setting the max rollbacks to more than 5 on the SRX300 branch series? The configs on my firewalls are not large, approximately 2000 lines. I can't really see that being a large increase in resources to change it from 5 to 10 for example?

 

Any info appreciated, thanks.

 

Thanks
