Channel: SRX Services Gateway topics

SRX3600 Cluster Upgrade


Hi, 

 

I will be upgrading an SRX3600 cluster on version 12.3X48-D85.

 

If I perform "request system reboot node all", would there be any impact on the master when the nodes come back online after the reboot? Suppose node 1 comes online before node 0; might it then get the master role? Is that right?

 

OR 

 

Is rebooting each node individually a better option?

 

Current chassis cluster status:

 

show chassis cluster status

[attachment: Screen Shot 2020-03-06 at 2.58.58 pm.png]

 

Regards,

CP


SRX300 PPPoE


I currently have an SRX320 on my FTTC connection at home with a Draytek 2962 acting as an AP.

 

The wife has decided that the 320 is 'too noisy' :) and so I need to drop the Draytek into bridge mode and swap to an SRX300 instead.

 

However try as I might, I cannot get this set up to work and would appreciate some assistance if anyone has done similar.

 

The SRX is running 15.1X49-D130 just for the moment, and the config is:

 

set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic protocols all
set interfaces pp0 unit 0 point-to-point
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "xxxxxxxz"
set interfaces pp0 unit 0 ppp-options chap local-name "xxxxxx"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1491
set interfaces pp0 unit 0 family inet negotiate-address
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.0

 

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces ge-0/0/0 unit 0 vlan-id 101

 

Is this all in order and the issue is with the Draytek perhaps? Thanks!

 

Access clients connected via Dynamic VPN


Hi

We have a number of clients connected via Dynamic VPN. Clients can connect to internal resources OK, but we cannot access the clients from inside the network. This causes some issues with software deployment tools.

 

Is it possible to fix this? I saw a post from 2011 that said Dynamic VPN did not support reverse traffic, but maybe this has changed in the intervening 9 years?

Connectivity issue between CE to CE


Hi,

I am trying to set up an L3VPN service between Juniper and Cisco, but I am not able to ping from CE to CE. The connectivity is as below:

CE(8.8.8.8)----(isis)---em3.0-PE(Juniper 1.1.1.1)-----(mplsbackbone)-----PE(CISCO 4.4.4.4)----------CE(7.7.7.7)

 

The problem seems to be at the Juniper end. I have captured the packet: it is reaching the Juniper (PE) device with label 299840, but it is not being forwarded towards the CE (8.8.8.8) out of the em3.0 interface.

 

Configuration and routing table on the Juniper device:

 

 

root@R1> show route 7.7.7.7 detail

A.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
7.7.7.7/32 (1 entry, 1 announced)
*BGP Preference: 170/-101
Route Distinguisher: 100:1
Next hop type: Indirect
Address: 0x9334958
Next-hop reference count: 5
Source: 4.4.4.4
Next hop type: Router, Next hop index: 616
Next hop: 12.0.0.2 via em1.0 weight 0x1, selected
Label-switched-path tunnel0
Label operation: Push 407, Push 206(top)
Label TTL action: prop-ttl, prop-ttl(top)
Protocol next hop: 4.4.4.4
Push 407
Indirect next hop: 9484e80 131070
State: <Secondary Active Int Ext>
Local AS: 12 Peer AS: 12
Age: 38:22 Metric: 1010 Metric2: 3001
Task: BGP_12.4.4.4.4+28067
Announcement bits (2): 0-A-OSPF 1-KRT
AS path: ?
Communities: target:100:1
Import Accepted
VPN Label: 407
Localpref: 100
Router ID: 4.4.4.4
Primary Routing Table bgp.l3vpn.0

B.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)

7.7.7.7/32 (1 entry, 1 announced)
*BGP Preference: 170/-101
Route Distinguisher: 100:1
Next hop type: Indirect
Address: 0x9334958
Next-hop reference count: 5
Source: 4.4.4.4
Next hop type: Router, Next hop index: 616
Next hop: 12.0.0.2 via em1.0 weight 0x1, selected
Label-switched-path tunnel0
Label operation: Push 407, Push 206(top)
Label TTL action: prop-ttl, prop-ttl(top)
Protocol next hop: 4.4.4.4
Push 407
Indirect next hop: 9484e80 131070
State: <Secondary Active Int Ext>
Local AS: 12 Peer AS: 12
Age: 38:22 Metric: 1010 Metric2: 3001
Task: BGP_12.4.4.4.4+28067
Announcement bits (2): 0-KRT 1-B-IS-IS
AS path: ?
Communities: target:100:1
Import Accepted
VPN Label: 407
Localpref: 100
Router ID: 4.4.4.4
Primary Routing Table bgp.l3vpn.0

root@R1>


root@R1> show route advertising-protocol bgp 4.4.4.4 8.8.8.8/32 detail

B.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
* 8.8.8.8/32 (1 entry, 1 announced)
BGP group PE1-PE4 type Internal
Route Distinguisher: 200:2
VPN Label: 299840
Nexthop: Self
Flags: Nexthop Change
MED: 2000
Localpref: 100
AS path: [12] I
Communities: target:100:1

root@R1>

 

 

root@R1> show route 8.8.8.8 detail

B.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
8.8.8.8/32 (1 entry, 1 announced)
*IS-IS Preference: 18
Level: 2
Next hop type: Router, Next hop index: 611
Address: 0x93347f0
Next-hop reference count: 3
Next hop: 12.0.0.1 via em3.0, selected
State: <Active Int>
Age: 39:07 Metric: 2000
Task: B-IS-IS
Announcement bits (2): 0-KRT 3-BGP_RT_Background
AS path: I

root@R1>

 


root@R1> show route table mpls.0

mpls.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0 *[MPLS/0] 00:39:50, metric 1
Receive
1 *[MPLS/0] 00:39:50, metric 1
Receive
2 *[MPLS/0] 00:39:50, metric 1
Receive
13 *[MPLS/0] 00:39:50, metric 1
Receive
16 *[VPN/0] 00:39:48
to table A.inet.0, Pop
299776 *[LDP/9] 00:39:30, metric 1
> to 12.0.0.2 via em1.0, Pop
299776(S=0) *[LDP/9] 00:39:30, metric 1
> to 12.0.0.2 via em1.0, Pop
299792 *[LDP/9] 00:39:30, metric 1
> to 12.0.0.2 via em1.0, Swap 202
299808 *[LDP/9] 00:39:30, metric 1
> to 12.0.0.2 via em1.0, Swap 203
299824 *[LDP/9] 00:39:30, metric 1
> to 12.0.0.2 via em1.0, Swap 204
299840 *[VPN/170] 00:39:28
> to 12.0.0.1 via em3.0, Pop


root@R1> show route table B.inet.0

B.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32 *[BGP/170] 00:40:14, MED 1010, localpref 100, from 4.4.4.4
AS path: ?
> to 12.0.0.2 via em1.0, label-switched-path tunnel0
8.8.8.8/32 *[IS-IS/18] 00:40:25, metric 2000
> to 12.0.0.1 via em3.0
12.0.0.0/24 *[Direct/0] 00:40:39
> via em3.0
12.0.0.2/32 *[Local/0] 00:40:42
Local via em3.0
77.77.77.77/32 *[BGP/170] 00:40:14, MED 1010, localpref 100, from 4.4.4.4
AS path: ?
> to 12.0.0.2 via em1.0, label-switched-path tunnel0


CE7#ping 8.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
.....
Success rate is 0 percent (0/5)


set routing-instances A protocols ospf export adv_to_ce
set routing-instances A protocols ospf area 0.0.0.0 interface em2.0 interface-type p2p
set routing-instances B instance-type vrf
set routing-instances B interface em3.0
set routing-instances B route-distinguisher 200:2
set routing-instances B vrf-import import_to_A
set routing-instances B vrf-export B_to_PE4
set routing-instances B protocols isis traceoptions file isis
set routing-instances B protocols isis traceoptions file size 10k
set routing-instances B protocols isis traceoptions file files 2
set routing-instances B protocols isis traceoptions flag hello detail
set routing-instances B protocols isis traceoptions flag error detail
set routing-instances B protocols isis traceoptions flag packets
set routing-instances B protocols isis export adv_to_ce
set routing-instances B protocols isis level 2 wide-metrics-only
set routing-instances B protocols isis interface em3.0 level 2 metric 1000


set policy-options policy-statement B_to_PE4 term a from protocol isis
set policy-options policy-statement B_to_PE4 term a then community set export_to_PE4
set policy-options policy-statement B_to_PE4 term a then accept
set policy-options policy-statement adv_to_ce term a from protocol bgp
set policy-options policy-statement adv_to_ce term a then accept
set policy-options policy-statement export_to_PE4 term a from protocol ospf2
set policy-options policy-statement export_to_PE4 term a then community set export_to_PE4
set policy-options policy-statement export_to_PE4 term a then accept
set policy-options policy-statement import_to_A term a from community import_to_A
set policy-options policy-statement import_to_A term a from community import_to_A_2
set policy-options policy-statement import_to_A term a then accept
set policy-options community export_to_PE4 members target:100:1
set policy-options community import_to_A members target:200:1
set policy-options community import_to_A_2 members target:100:1

root@R1> show configuration interfaces em3 | display set
set interfaces em3 unit 0 family inet address 12.0.0.2/24
set interfaces em3 unit 0 family iso address 49.0000.0000.0001.00

 

 

 

 

 

 

NTP authentication key purpose


Hi everybody,

Please consider the following setup:

SRX ( NTP Client)--20.20.20.10--------200.20.20.200 -NTP SERVER 

 

1) Above, the SRX is configured with an MD5 key for NTP to ensure the SRX will only sync time with an authorised NTP server, i.e. the NTP server has to prove to the NTP client (SRX) that it is a legitimate NTP server.

2) A Cisco router is acting as the NTP stratum one server above.

 

SRX CONFIG:

[attachment: Capture-NTP CLIENT.PNG]

The SRX has synced its clock with the NTP source, though the NTP server is not configured with any authentication key:
[attachment: Capture-NTP-ASS.PNG]

 

NTP SERVER config:

NTP SERVER#show running-config | begin ntp
ntp master 1
###############

A capture taken on the SRX shows that the SRX (NTP client) does send an MD5 hash with key number 1:

[attachment: Capture-WIRE.PNG]

SRX Version:

[attachment: Capture-VERSION.PNG]

 

 

####################################################################

Question:

1) As we can see above, the SRX has synced time with the NTP server (which does not have any NTP authentication configured), though the SRX is configured for NTP authentication. Is it a bug?

2) Even when the NTP server is configured with a mismatched MD5 key, the SRX (NTP client) is still able to sync time:

NTP SERVER (config)#ntp authentication-key 1 md5 KOO

 

[attachment: Capture-NTP-ASS.PNG]

 

 

Thanks and have a good weekend!!
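The point the question turns on is that a symmetric NTP key only protects the client if the client checks the authenticator on the server's replies, not merely attaches one to its own requests. The following Python is an added example, not part of the original post and not Junos or Cisco code: it implements the NTPv4 symmetric-key authenticator from RFC 5905 (a 32-bit key ID followed by MD5 over key || 48-byte header) and runs the cases from the post through a client-side check: a server sharing key 1, a server with no key at all, a server whose key 1 is `KOO`, a server using an unknown key ID, and a reply altered in transit. The key table, the header contents and all packets are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48        # fixed NTPv4 header, RFC 5905
MAC_LEN = 4 + 16           # 32-bit key ID followed by a 16-byte MD5 digest

# Constructed for this example: the client trusts exactly one key, ID 1.
CLIENT_KEYS = {1: b"KEY1"}


def build_ntp_header(li_vn_mode: int = 0x24, stratum: int = 1,
                     transmit_ts: int = 0xE8C4123400000000) -> bytes:
    """Build a constructed 48-byte NTPv4 header (LI=0, VN=4, mode=4: server reply).

    Root delay/dispersion, reference ID and the reference/origin/receive
    timestamps are left zero; only the transmit timestamp is set so the
    MAC covers something that changes between replies."""
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # LI/VN/mode, stratum, poll, precision
    middle = bytes(36)                                          # 3 x 32-bit fields + 3 x 64-bit timestamps
    xmit = struct.pack("!Q", transmit_ts)
    return head + middle + xmit


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """RFC 5905 symmetric-key authenticator: key ID || MD5(key || header).

    This is a keyed digest, not an HMAC; MD5 is used only because that is
    what the NTP MD5 scheme prescribes."""
    digest = hashlib.md5(key + header, usedforsecurity=False).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """What an authenticating server sends: the header followed by the authenticator."""
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet: bytes, trusted_keys: dict) -> tuple:
    """The check a client must apply to every reply before trusting its time.

    Returns (accepted, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "no authenticator present"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected packet length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    if not hmac.compare_digest(mac, ntp_mac(key_id, key, header)):
        return False, "digest mismatch for key id %d" % key_id
    return True, "ok"


def demo() -> dict:
    """Run the cases from the discussion against the client's key table."""
    reply = build_ntp_header()
    cases = {
        "server shares key 1": sign_packet(reply, 1, b"KEY1"),
        "server has no key": reply,
        "server key 1 is KOO": sign_packet(reply, 1, b"KOO"),
        "server signs with key 7": sign_packet(reply, 7, b"KEY1"),
    }
    # A reply altered in flight must also fail even though the key matches.
    tampered = bytearray(sign_packet(reply, 1, b"KEY1"))
    tampered[1] = 15                                   # rewrite the stratum field
    cases["stratum changed in transit"] = bytes(tampered)
    return {name: verify_packet(pkt, CLIENT_KEYS) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28s} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Only the first case is accepted. If a client synchronises in the other four, the authenticator on its own requests is not buying it server authentication, which is the property the post set out to get; whether a given implementation validates replies is something to confirm with a capture of the reply direction, not the request direction.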

Dynamic VPN


Has anyone been successful in configuring a SRX for dynamic VPN using the recent documentation Juniper released?  I'm able to establish a VPN connection following the instructions in the link below, but I'm unable to reach anything in the trust zone.  My machine is receiving an IP address from the dyn-vpn-address-pool.

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html

 

set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC456"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 1.1.1.1/32
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC789"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-local-gw aaa access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2

 


algorithm used for storing password on srx


Hi Experts,

 

We have a security audit on our SRX, which is running 15.1X49-D120.3. By default, what is the hash algorithm used for user passwords stored on the SRX? And is there a show command to know it?
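The stored values answer the question directly: Junos keeps login passwords in the configuration as crypt(3)-style strings whose prefix names the algorithm ($1$ is MD5-crypt, $5$ SHA-256-crypt, $6$ SHA-512-crypt), visible with `show configuration system login | display set` and `show configuration system root-authentication | display set`; a `$9$` value is Junos's reversible obfuscation, not a one-way hash. The Python below is an added example for the audit, not part of the original post and not Juniper code: it parses such `display set` output and reports which accounts still use an algorithm outside an acceptable set. The sample configuration lines are constructed with placeholder hash bodies, and the acceptable set is an assumption chosen for the example.

```python
import re

# crypt(3)-style prefixes that can appear in a Junos encrypted-password value
CRYPT_PREFIXES = {
    "$1$": "MD5-crypt",
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
}

# Assumption for this example: what the audit is willing to accept.
ACCEPTABLE = {"SHA-256-crypt", "SHA-512-crypt"}

# Matches both
#   set system login user NAME authentication encrypted-password "..."
#   set system root-authentication encrypted-password "..."
ENCRYPTED_PASSWORD = re.compile(
    r'^set system (?:login user (?P<user>\S+) authentication|root-authentication)'
    r' encrypted-password "(?P<value>[^"]*)"$'
)


def classify_stored_password(value: str) -> str:
    """Name the algorithm from the stored value's prefix."""
    for prefix, name in CRYPT_PREFIXES.items():
        if value.startswith(prefix):
            return name
    if value.startswith("$9$"):
        return "junos-obfuscated($9$)"   # reversible encoding, not a hash
    return "unknown"


def audit_login_hashes(display_set_output: str) -> list:
    """One finding per account that has an encrypted-password statement."""
    findings = []
    for raw in display_set_output.splitlines():
        m = ENCRYPTED_PASSWORD.match(raw.strip())
        if not m:
            continue
        user = m.group("user") or "root"
        algo = classify_stored_password(m.group("value"))
        findings.append({"user": user, "algorithm": algo,
                         "acceptable": algo in ACCEPTABLE})
    return findings


def accounts_needing_rehash(display_set_output: str) -> list:
    """Accounts whose password should be re-set so Junos stores it with a current algorithm."""
    return [f["user"] for f in audit_login_hashes(display_set_output)
            if not f["acceptable"]]


# Constructed sample `display set` output; the hash bodies are placeholders, not real digests.
SAMPLE_CONFIG = """\
set system root-authentication encrypted-password "$6$EXAMPLE$notarealsha512hash"
set system login user netops class super-user
set system login user netops authentication encrypted-password "$5$EXAMPLE$notarealsha256hash"
set system login user legacy class read-only
set system login user legacy authentication encrypted-password "$1$EXAMPLE$notarealmd5hash"
set system login user svc authentication encrypted-password "$9$notahashbutobfuscated"
"""

if __name__ == "__main__":
    for f in audit_login_hashes(SAMPLE_CONFIG):
        flag = "ok" if f["acceptable"] else "REVIEW"
        print(f"{f['user']:10s} {f['algorithm']:24s} {flag}")
    print("re-set passwords for:", ", ".join(accounts_needing_rehash(SAMPLE_CONFIG)))
```

Paste the real `display set` output into `audit_login_hashes` instead of the sample. The answer to "which algorithm is the default" is then whatever prefix newly set passwords come back with on that release, which is a more reliable check than a version table.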

How Syslog works in VPN


Dear Team,

 

We have a site-to-site VPN (Juniper to Cisco). The syslog server is behind the Cisco. However, I have reachability from host to host (private to private). As per my knowledge, if I run ping from the Juniper to the syslog server, it won't ping. In this scenario, how do I achieve logging to the external server?


SRX650 Commit synchronization issue


Dear Friends ,


We have a Juniper SRX650 (12.1X46-D50.4) with HA enabled.

I have attached the cluster status.

show chassis cluster ethernet-switching status & show chassis cluster status

 

When I commit from node1 (primary), it is not synchronizing with node0 (secondary).

It is remote, and I am able to connect to both nodes from the "remote-local-machine"; the routing configuration on the two nodes is different. I want to synchronize the node1 (primary) configuration to node0 (secondary).

Support will be much appreciated

 

Thanks & Regards,

Sarath

Routing between virtual-router and inet.0


Hi,

I am having an issue with traffic being forwarded correctly. I have a VRF with a static route pointing to the inet.0 table, as shown below.

set interfaces xe-1/1/2 unit 0 family inet address 192.168.2.1
set routing-instances vrf-2 instance-type virtual-router
set routing-instances vrf-2 interface xe-1/1/2.0
set routing-instances vrf-2 routing-options static route 192.168.3.0/24 next-table inet.0

The traffic then gets sent down a ipsec tunnel in inet.0 to the destination.

 

The problem I am having is that inet.0 has no knowledge of the source network 192.168.2.0/24, so when traffic is returned to 192.168.2.1 it is being dropped; for example, when I do "show route 192.168.2.1" an entry is only shown under vrf-2.inet.0.

 

Is there some configuration I can add to inet.0 so traffic can get back into vrf-2 (192.168.2.0/24)? I want this to be as simple as possible and scalable as I add more VRFs.

 

Thanks.

SRX 300 site to site vpn nat vpn traffic


Morning all,

 

I have to set up a site-to-site VPN to a Cisco, and they want my local traffic NAT'd when the traffic is delivered to them. I've set up the tunnel, but I need help on how to configure the NAT for this. My local subnet, say 10.10.10.1, needs to be NAT'd to 172.10.10.88 for them to talk to me. I have the NAT'd range and their setup in the IPsec portion with a traffic selector, so phase 2 for the encryption domain will work fine. Right now I can't get the NAT section to work and am at a loss how to configure this. Any help is greatly appreciated.

Configure Integrated User Firewall


Hi All,

 

Hoping someone can provide an answer to an issue I have connecting an LDAP session to the DC. When the connection attempts, it immediately disconnects with an authentication failure. The DC shows a successful connection followed by a disconnect, the SRX shows authentication failure. The username and password have been confirmed multiple times and password set to password for ease in troubleshooting makes no difference.

 

Using the following commands obviously configured for my environment:

set services user-identification active-directory-access domain example.net user-group-mapping ldap base DC=example,DC=net user administrator password $ABC123
set services user-identification active-directory-access domain example.net user administrator password $ABC123
set services user-identification active-directory-access domain example.net domain-controller ad1 address 2001:db8:0:1:2a0:a502:0:1da
 
One thing I have noticed and could be the root cause is the domain I need to use. The DC is configured for shared.services. When I configure this in the config and make a connection the DC log shows a connection to domain called shared, not shared.services. In the config I used "shared.services" to see if that changed things but alas no, same result.
 
Any advice to help resolve this? Anyone had difficulty for this before?
 
Regards
 
Adrian

NCP Exclusive Solution for Juniper SRX Series


Hi Experts,

 

We are planning to get a licence for NCP for 60 client/dynamic VPN connections to the SRX. The question is: do we still need dynamic VPN licences on the SRX aside from the NCP licence, or are the NCP licences enough? Many thanks.

SRX load balancing import, export

I have a question that pertains to a policy statement for load balancing. It really is an ISP question, but it has particulars that pertain to the input to the statement.

Here is my code.

policy-options {
    policy-statement DestinationLoadBalance {
        term term1 {
            from {
                neighbor [ 192.168.1.1 ];
            }
            to {
                neighbor [ 192.168.1.1 ];
                interface vlan.0;
            }
            then {
                load-balance per-packet;
            }
        }
    }
}


In term1 the "to" statement contains an interface statement. Since vlan.0 runs through ge-0/0/0 on my SRX, if I enter ge-0/0/0 for the destination, will it perform the balancing properly, making it assume that vlan.0 and the ge port are related? Do I have to know the type of port it really is on the other end? Will it take other types as input?

All replies welcome.

SRX dynamic vpn support softphones ?


I am new to SRX and I have created a dynamic VPN with the Pulse client; the remote users have to use softphones for voice communication.
I have tried the scenario, but the remote users cannot communicate with each other.
Can anyone help?


FBF filter-based forwarding dual ISP failover


I'm trying to configure a trust interface to fail over from one ISP on ge-0/0/0 to another on ge-0/0/1, but my trust interface only seems to route to one. I am following the Juniper KB solution here. Here's what I have so far:

interfaces {
    ge-0/0/0 {
        unit 0 {
            description isp1;
            family inet {
                address 1.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description isp2;
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            description pos;
            family inet {
                filter {
                    input F1;
                }
                address 192.168.8.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            description office;
            family inet {
                address 192.168.20.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            description publicwifi;
            family inet {
                address 172.16.30.1/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 FBF-1.inet.0 FBF-2.inet.0 ];
        }
    }
}
security {
    nat {
        source {
            rule-set interface-nat {
                from zone office;
                to zone untrustisp1;
                rule rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set pos-nat {
                from zone pos;
                to zone untrustisp1;
                rule rule0 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set wifi-nat {
                from zone publicwifi;
                to zone untrustisp1;
                rule rulewifi {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone pos to-zone untrustisp1 {
            policy policy-name {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone office to-zone untrustisp1 {
            policy policy-name {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone publicwifi to-zone untrustisp1 {
            policy policy-name {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone pos to-zone untrustisp2 {
            policy policy-name {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone office to-zone untrustisp2 {
            policy policy-name {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone publicwifi to-zone untrustisp2 {
            policy policy-name {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrustisp1 {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrustisp2 {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone pos {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            http;
                            https;
                        }
                    }
                }
            }
        }
        security-zone office {
            interfaces {
                ge-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            rpm;
                        }
                    }
                }
            }
        }
        security-zone publicwifi {
            interfaces {
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    filter F1 {
        term 1 {
            from {
                source-address {
                    192.168.8.100/32;
                }
            }
            then {
                routing-instance FBF-2;
            }
        }
        term 2 {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance FBF-1;
            }
        }
    }
}
routing-instances {
    FBF-1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.1.1;
            }
        }
    }
    FBF-2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 2.2.2.1;
            }
        }
    }
}
services {
    rpm {
        probe Probe-Server {
            test testsvr {
                target address 1.1.1.1;
                probe-count 10;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    successive-loss 10;
                    total-loss 5;
                }
                destination-interface ge-0/0/0.0;
                next-hop 1.1.1.1;
            }
        }
        probe Probe-Server1 {
            test testsvr {
                target address 2.2.2.1;
                probe-count 10;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    successive-loss 10;
                    total-loss 5;
                }
                destination-interface ge-0/0/1.0;
                next-hop 2.2.2.1;
            }
        }
    }
    ip-monitoring {
        policy Server-Tracking {
            match {
                rpm-probe Probe-Server;
            }
            then {
                preferred-route {
                    routing-instances FBF-1 {
                        route 0.0.0.0/0 {
                            next-hop 1.1.1.1;
                        }
                    }
                }
            }
        }
        policy Server-Tracking1 {
            match {
                rpm-probe Probe-Server1;
            }
            then {
                preferred-route {
                    routing-instances FBF-2 {
                        route 0.0.0.0/0 {
                            next-hop 2.2.2.1;
                        }
                    }
                }
            }
        }
    }
}

I don't quite understand what firewall filter F1 and RPM configuration is really trying to do.

 

Should I be using ECMP for this instead, or something else?

Configuring SRX340 Point-to-Point and Public IP Assignment


Hi,

 

Hopefully, I have posted this in the correct forum.  ;-)

Could someone please advise me how I would configure an SRX340 with Junos: 19.4R1.10 to do the following:

- I have been assigned a /25 block of IP addresses from our DC

- DC connection is a point-to-point 10.10.10.126/30 on my side connecting to 10.10.10.125 on the DC side. This feed is providing us access to our /25 block of IP's.

- IP assignment 10.10.10.128/25

- Our SRX340 will be the gateway on our side for the 128/25 assignment

- One of the ports will be feeding a load balancer that has a large number of these public IP's assigned to it and handles the translation to the private side. The LB also screens which services and ports are available.

- A few other ports will be connected directly to individual pieces of hardware that are each public.

- I require ports ge-0/0/1 - 0/10 to allow me to plug any piece of hardware into it configured either with a single IP or in the case of our LB, the majority of our public IP's.

- Port ge-0/0/15 will be assigned a private IP and connected to our private network. I would like this port to be able to supply some DHCP addresses to the private 192.168.x.x network.

 

I have configured ge-0/0/0 with the following for the point-to-point:

ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.10.10.126/30;
        }
    }
}

 

I am not sure what I need to do with the rest of the ports.

 

I see in the default config, it has two zones, Internal and Internet. Should I also be assigning ports to these zones?

 

Thanks in advance!

SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty


Hi All,

 

I am running into an issue I just can't wrap my head around at the moment.

 

At home I have a SRX300 running JUNOS 18.2R3-S2.9 which sits behind the ISP FTTH router, ports 500, 4500 and ESP are forwarded to the SRX.

 

I am trying to setup a VPN to the lab we have at the office, accessible by two SRX240H's running JUNOS 12.1X46-D86 in cluster mode.

 

For some reason I can't get the tunnel up and visible on the primary SRX240, yet the SRX300 at home thinks everything is hunky dory.

 

HOME-SRX300:

 

leon@SRX300> show security ike security-associations 
Index State Initiator cookie Responder cookie Mode Remote Address 
8047590 UP a7e26ece934f0485 bf66d83ad27db7b2 IKEv2 a.a.a.a

leon@SRX300> show security ipsec security-associations 
Total active tunnels: 1 Total Ipsec sas: 1
ID       Algorithm               SPI       Life:sec/kb   Mon  lsys  Port  Gateway
<131073  ESP:aes-cbc-256/sha256  beec2d48  3590/ unlim   -    root  4500  a.a.a.a
>131073  ESP:aes-cbc-256/sha256  8005bac   3590/ unlim   -    root  4500  a.a.a.a

LAB-SRX240:

 

leon@SRX240> show security ike security-associations 
node0:
--------------------------------------------------------------------------

{primary:node0}
leon@SRX240> show security ipsec security-associations 
node0:
--------------------------------------------------------------------------
Total active tunnels: 0

{primary:node0}

 

a.a.a.a = LAB public IP address
b.b.b.b = HOME public IP address

 

Configs and flow sessions are attached.

 

Any pointers are highly appreciated :-)

SRX5800 EOL


How come the HE SRX5800 end of life is 06/01/2014?

 

And is the EOS related to the chassis or to the software installed?

 

How do I find the EOS of version 18.2R3?

DNS-Proxy/Split DNS


Hi,

I am trying to configure proxy dns/split dns, currently I have the following:

 

+    dns {
+        dns-proxy {
+            interface {
+                ge-0/0/1.0;
+            }
+            default-domain domain.local {
+                forwarders {
+                    8.8.8.8;
+                }
+            }
+            view domain2 {
+                match-clients 192.168.1.5/32;
+                match-clients 192.168.1.6/32;
+                domain domain2.local {
+                   forwarders {
+                       172.16.1.1;
+                   }
+               }
+           }
+      }
+ }

From what I am aware, my current configuration makes 192.168.1.5 and 192.168.1.6 use 172.16.1.1 only. I want DNS for 192.168.1.5 and 192.168.1.6 internet traffic to forward via 8.8.8.8, and any traffic destined for 172.16.1.10 (msr.lan.com) to use DNS server 172.16.1.1.

 

Is there a way to do this and what would the configuration look like.

 

Thank you.
