Channel: SRX Services Gateway topics

St0 interface stays up


Hi,

 

I have an IPsec tunnel between an SRX and an end device using a route-based VPN. I am using eBGP to advertise this end device's IP address to the rest of the network. What I want to achieve is to create a routing policy that exports exact static routes to the BGP neighbour, in this case the static route via the tunnel. The problem I am facing is that when the IPsec tunnel is down the st0 interface stays up, so the static route stays active and keeps being advertised via BGP. Can anyone explain this behaviour and suggest a possible solution?

 

thanks
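The posts on this page have no replies; the block below is an added example, not part of the thread. It shows one way to make the route follow the tunnel: with vpn-monitor configured on the IPsec VPN, the SRX probes the peer through the tunnel and brings st0.0 down when the probes fail, which withdraws the static route and with it the BGP advertisement, so the rest of the network stops sending traffic into a tunnel that cannot carry it. The VPN name, the st0 unit, the peer's inner address 10.20.0.1, the remote prefix 10.20.0.0/24 and the BGP group name are assumptions; lines starting with # are explanatory comments.

```junos
# Added example (not from the post). Assumed names: VPN "vpn-to-device", peer inner address 10.20.0.1,
# remote prefix 10.20.0.0/24, eBGP group "ebgp-core".
set security ipsec vpn vpn-to-device bind-interface st0.0
set security ipsec vpn vpn-to-device establish-tunnels immediately
# vpn-monitor sends ICMP probes to destination-ip through the tunnel; when they fail the SA is
# torn down and st0.0 goes down, which removes the static route from inet.0
set security ipsec vpn vpn-to-device vpn-monitor optimized
set security ipsec vpn vpn-to-device vpn-monitor source-interface st0.0
set security ipsec vpn vpn-to-device vpn-monitor destination-ip 10.20.0.1
# probe timing is global: interval in seconds, threshold = consecutive misses before the tunnel is declared down
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 3
# static route to the remote prefix over the tunnel interface
set routing-options static route 10.20.0.0/24 next-hop st0.0
# export only this exact static route to the eBGP peer; reject everything else explicitly
set policy-options policy-statement export-device-route term device-route from protocol static
set policy-options policy-statement export-device-route term device-route from route-filter 10.20.0.0/24 exact
set policy-options policy-statement export-device-route term device-route then accept
set policy-options policy-statement export-device-route term reject-rest then reject
set protocols bgp group ebgp-core export export-device-route
```

The peer must answer ICMP echo on destination-ip through the tunnel, otherwise vpn-monitor declares a working tunnel down. To check the behaviour, stop the peer and watch `show security ipsec security-associations`, `show interfaces st0.0 terse`, `show route 10.20.0.0/24` and `show route advertising-protocol bgp <peer>`: the interface, the route and the advertisement should disappear together.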


SRX Cluster Data Plane Logging and FXP interface


 

 

This is a branch series SRX logging issue in a cluster.

 

The goal is to use stream logging AND have the backup node send syslog simultaneously, though all solutions I've seen ignore the backup RG0 node's syslog, and none that I've seen are valid, including the cluster best practices document.

 

Syslog is received from both nodes via fxp0 when a backup-router statement is configured pointing traffic to the management network gateway. The RG0 active node uses the inet.0 routing table, and the backup node uses the backup-router statement. Each node syslogs from its own fxp0 address using groups and node config.

 

The problem comes into play when trying to configure stream mode logging, which must use a revenue port (although I do see data plane logs via fxp0 when I configure security log mode stream, but I assume this is still using the control plane). I have a routing instance with a rethX.X port that can reach the syslog server, but a next-table route to this routing instance will break the backup RG0 node's syslog, though the active node will successfully send control + data via the revenue port.

 

The only solution I can think of is abandoning the fxp0 port altogether (or at least for logging) and configuring a gig port as the management port, with the backup-router statements via the management VLAN gateway on the gig port.

 

Has anyone else run into this and have an alternate solution (the backup node must send syslog)?

 

Abandoning the fxp0 interface altogether or configuring two management interfaces for every device does not seem like a great solution.

sFlow support on SRX

Do Juniper firewalls support the use of sFlow?

Router on a Stick - Cannot Ping


Topology

MikroTik router----------Trunk----------Juniper SRX (fe-0/0/1)----------computer (fe-0/0/3)

 

VLANs on trunk: 16, 101

 

Problem

I cannot see the computer plugged into fe-0/0/3 from the MikroTik router.

 

I have tried two different configurations, both below (config 1 and config 2).

 

Using configuration 1) I can ping 192.168.16.1 from the MikroTik router, but I cannot ping a computer plugged into fe-0/0/3.

 

If I put two computers into fe-0/0/3 and fe-0/0/4 they can ping each other so I know the security policy is working.

 

I thought all I would need to do was to add fe-0/0/1.16 to the same zone (trust); it seems this is not the case.

 

Using configuration 2)  I cannot even ping 192.168.16.1 from the MikroTik.

 

Clearly missing something obvious, just not sure what it is. Any ideas?

 

Thanks.

 

Configuration 1)

interfaces {
    fe-0/0/1 {
        vlan-tagging;
        unit 16 {
            vlan-id 16;
            family inet {
                address 192.168.16.1/24;
            }
        }
        unit 101 {
            vlan-id 101;
            family inet {
                address 10.1.1.1/29;
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
}

vlans {
    transit {
        vlan-id 101;
    }
    vlan-trust {
        vlan-id 16;
    }
}

security {
    policies {  
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.16;
                fe-0/0/2.0;
                fe-0/0/3.0;
                fe-0/0/4.0;
            }
        }
    }
}

Configuration 2)

interfaces {
    fe-0/0/1 {
        vlan-tagging;
        unit 16 {
            vlan-id 16;
        }
        unit 101 {
            vlan-id 101;
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 16 {
            family inet {
                address 192.168.16.1/24;
            }
        }
    }
}

vlans {
    transit {
        vlan-id 101;
    }
    vlan-trust {
        vlan-id 16;
        l3-interface vlan.16;
    }
}

security {
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.16;
                vlan.16;
            }
        }
    }
}
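In configuration 1, VLAN 16 from the MikroTik terminates at Layer 3 on fe-0/0/1.16, while fe-0/0/3 sits in the switched vlan-trust domain, which has no routed interface of its own, so 192.168.16.1 has no path into that domain; in configuration 2, unit 16 on fe-0/0/1 carries no address family at all. The following is an added example, not a reply from the thread, of one way to arrange it: the trunk is switched rather than routed, VLAN 16 is bridged between the trunk and the access ports, and vlan.16 is the single gateway for that VLAN, with VLAN 101 routed on vlan.101. The untrust zone name for VLAN 101 is an assumption, and host-inbound services are narrowed to ping rather than the posted `all`.

```junos
# Added example (not from the post). Trunk to the MikroTik is a switched port carrying both VLANs;
# the computers are access ports in vlan-trust; each VLAN gets one routed vlan.<id> interface.
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members transit
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
# one routed interface per VLAN; the addresses are the ones from the post
set interfaces vlan unit 16 family inet address 192.168.16.1/24
set interfaces vlan unit 101 family inet address 10.1.1.1/29
set vlans vlan-trust vlan-id 16
set vlans vlan-trust l3-interface vlan.16
set vlans transit vlan-id 101
set vlans transit l3-interface vlan.101
# zones: only the routed VLAN interfaces are zone members; switched ports stay at Layer 2.
# Traffic between two hosts in VLAN 16 is switched and never hits a policy; traffic between
# VLAN 16 and VLAN 101 is routed and needs a trust<->untrust policy (assumed zone name "untrust").
set security zones security-zone trust interfaces vlan.16 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces vlan.101 host-inbound-traffic system-services ping
```

With this layout a ping from the MikroTik to a computer on fe-0/0/3 is a Layer 2 forward inside VLAN 16 and does not depend on the trust-to-trust policy at all; `show ethernet-switching table` should list the computer's MAC on fe-0/0/3.0 and the MikroTik's on fe-0/0/1.0, both in vlan-trust.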

 

SRX 1500 Ordering Info


Hi, I was trying to make a BoM for the SRX1500, but the datasheet for the SRX1500 (which is just 4 pages) has no parts info like the other SRX datasheets do. Kindly help regarding this; I need to find all the parts info for the SRX1500 to make the BoM. I am attaching the datasheet for the SRX1500 for reference.

SRX650: IPsec VPN phase 1 down,and no-nat-traversal


Hi everyone :

 

Today I configured QoS and bandwidth limiting for the VPN on an SRX650 [12.1X46-D40.2]. After committing the configuration I found that all VPN gateways were in the down state. After rolling back the configuration, the main-mode VPN came up but the aggressive-mode VPN stayed down. After configuring "no-nat-traversal", the aggressive-mode VPN returned to normal, but the business addresses still could not communicate. After deleting "no-nat-t", the VPN went down.

 

Qos configuration:

 

root@srx-01# show interfaces reth1 | display set 
set interfaces reth1 per-unit-scheduler
set interfaces reth1 unit 100 family inet filter output TRE
set interfaces reth1 unit 100 family inet address 100.100.100.1/24

set class-of-service virtual-channels TR-100m
set class-of-service virtual-channels IN-10m
set class-of-service virtual-channel-groups TRE TR-100m scheduler-map TR-100m
set class-of-service virtual-channel-groups TRE TR-100m shaping-rate 100m
set class-of-service virtual-channel-groups TRE IN-10m scheduler-map IN-10m
set class-of-service virtual-channel-groups TRE IN-10m shaping-rate 10m
set class-of-service virtual-channel-groups TRE IN-10m default
set class-of-service interfaces reth1 unit 100 virtual-channel-group TRE
set class-of-service interfaces reth1 unit 100 rewrite-rules inet-precedence default
set class-of-service scheduler-maps TR-100m forwarding-class expedited-forwarding scheduler TR-100m
set class-of-service scheduler-maps IN-10m forwarding-class assured-forwarding scheduler IN-10m
set class-of-service schedulers TR-100m shaping-rate 100m
set class-of-service schedulers IN-10m shaping-rate 10m

set firewall family inet filter TRE term 1 from destination-address 100.100.100.2/32
set firewall family inet filter TRE term 1 from protocol esp
set firewall family inet filter TRE term 1 then virtual-channel TR-100m
set firewall family inet filter TRE term 1 then accept
set firewall family inet filter TRE term 2 then virtual-channel IN-10m
set firewall family inet filter TRE term 2 then accept

 

 

So far the VPN is up, but the business addresses cannot communicate normally. If I delete the NAT-T setting the VPN is interrupted and the tunnel interface goes down. Why?

 

 

show security flow session: the outgoing session exists, but there is no incoming (return) traffic.

 

1. What is the connection between aggressive mode and NAT traversal?

2. Does QoS affect the establishment of the VPN? [Another site with the same configuration is normal.]

 

When the NAT configuration is removed, the log is shown below:

 

 

  ike_st_o_private: Start
  Construction NHTB payload for  local:X.X.X.X, remote:X.X.X.X IKEv1 P1 SA index 11282220 sa-cfg VPN-Bank_GZNongShang
  Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg VPN-Bank_GZNongShang, p1_sa=11282220
  ike_policy_reply_private_payload_out: Start
  ike_st_o_encrypt: Marking encryption for packet
  ike_encode_packet: Start, SA = { 0x88d97030 3e707be3 - 34381a74 90e4160c } / 7e5ba586, nego = 0
  ike_finalize_qm_hash_1: Hash[0..20] = 3d16970e ee814f27 ...
  ike_send_packet: Start, send SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500,  routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_retransmit_callback: Isakmp query retry limit reached, deleting<none>:500 (Initiator) <-> X.X.X.X:4500 { 88d97030 3e707be3 - 34381a74 90e4160c [0] / 0x7e5ba586 } QM; Error = Timeout (8197)
  ike_send_notify: Private notification, do not send notification
  ike_delete_negotiation: Start, SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_free_negotiation_qm: Start, nego = 0
  ike_free_negotiation: Start, nego = 0
  ike_free_id_payload: Start, id type = 4
  ike_free_id_payload: Start, id type = 1
  IPSec negotiation failed for SA-CFG VPN-Bank_GZNongShang for local:X.X.X.X, remote:X.X.X.X IKEv1. status: Timed out
     P2 ed info: flags 0x8c2, P2 error: Error ok
  iked_pm_check_p2_failure_num: Phase2 failed 1/3 times for P1 SA 11282220
    IKEv1 Error : Timeout
  ssh_ike_connect: Start, remote_name = X.X.X.X:500, xchg = 4, flags = 00040000
  ike_sa_allocate: Start, SA = { ff57fda1 10f2c29c - 00000000 00000000 }
  ike_init_isakmp_sa: Start, remote = X.X.X.X:500, initiator = 1
  ssh_ike_connect: SA = { ff57fda1 10f2c29c - 00000000 00000000}, nego = -1

Thanks very much!
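The posted filter classifies the tunnel by `protocol esp`. Once NAT traversal is negotiated, ESP is carried inside UDP on port 4500 and IKE moves from UDP/500 to UDP/4500, so nothing in that term matches the encrypted traffic and it falls through to the 10m default channel; the trace above shows quick-mode packets retransmitted to port 4500 until the retry limit. The block below is an added example, not the poster's configuration or a reply from the thread, of a classifier that treats native ESP, UDP-encapsulated ESP and IKE the same way. It reuses the post's addresses, channel and filter names; lines starting with # are comments.

```junos
# Added example (not from the post): classify native ESP, NAT-T encapsulated ESP and IKE
# to the peer 100.100.100.2 into the 100m channel; everything else keeps the 10m default.
set firewall family inet filter TRE term native-esp from destination-address 100.100.100.2/32
set firewall family inet filter TRE term native-esp from protocol esp
set firewall family inet filter TRE term native-esp then virtual-channel TR-100m
set firewall family inet filter TRE term native-esp then accept
# NAT-T: after NAT is detected, IKE and ESP both travel as UDP/4500 (ESP-in-UDP, RFC 3948)
set firewall family inet filter TRE term nat-t-esp from destination-address 100.100.100.2/32
set firewall family inet filter TRE term nat-t-esp from protocol udp
set firewall family inet filter TRE term nat-t-esp from destination-port 4500
set firewall family inet filter TRE term nat-t-esp then virtual-channel TR-100m
set firewall family inet filter TRE term nat-t-esp then accept
# the first IKE exchanges (main or aggressive mode) still start on UDP/500
set firewall family inet filter TRE term ike from destination-address 100.100.100.2/32
set firewall family inet filter TRE term ike from protocol udp
set firewall family inet filter TRE term ike from destination-port 500
set firewall family inet filter TRE term ike then virtual-channel TR-100m
set firewall family inet filter TRE term ike then accept
set firewall family inet filter TRE term default then virtual-channel IN-10m
set firewall family inet filter TRE term default then accept
```

Whether the classifier is the cause of the timeout is a separate question; what it does guarantee is that the SRX itself is not shaping the UDP/4500 stream into the small channel. `show security ike security-associations detail` shows whether NAT-T was detected on the gateway, and `show firewall filter TRE` (with a `count` action added to each term) shows which term the tunnel traffic actually hits.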

 

SSH doesn't work


Hi everybody.

 

Today I wanted to implement SSH authentication with ssh-rsa by configuring my RSA key. After that, SSH didn't work and I decided to roll back the config. After the rollback I'm not able to access the firewall via SSH as before. I receive the message "Connection refused by remote host". This is my config. Any suggestion?

 

set system services ssh root-login allow

[...]

set security address-book YOTI-OFFICE address YOTI-1 77.89.191.176/29
set security address-book YOTI-OFFICE address YOTI-2 80.169.112.24/29
set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-1
set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-2
set security address-book YOTI-OFFICE attach zone untrust
set security address-book global address LAN 172.16.0.0/24
set security address-book global address RASPI 172.16.0.2/32

[...]

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

[...]

set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces at-1/0/0.0 host-inbound-traffic system-services ssh

 

Block ether-type value in srx


Hi,

I am working on an SRX 650 and I have connected two Cisco routers to the SRX in transparent mode (ethernet-switching mode).

 

How could I block and allow the Cisco CDP ether-type value in the SRX?

 

Regards,

Tridandi 
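CDP does not have an EtherType to match: a CDP frame is an 802.3 frame whose type field carries a length, followed by an LLC/SNAP header (OUI 00:00:0c, protocol ID 0x2000). What identifies it on the wire is the destination MAC 01:00:0c:cc:cc:cc, which CDP shares with VTP, DTP, PAgP and UDLD. The block below is an added example, not a reply from the thread, of a Layer 2 filter that drops those frames on the port facing one router and leaves them untouched elsewhere. The interface name is an assumption, and it assumes `family ethernet-switching` firewall filters are available on the release and port mode in use; lines starting with # are comments.

```junos
# Added example (not from the post). Match CDP by its multicast destination MAC rather than an
# EtherType; this also catches VTP, DTP, PAgP and UDLD, which use the same address.
set firewall family ethernet-switching filter block-cisco-l2 term cdp-and-friends from destination-mac-address 01:00:0c:cc:cc:cc/48
set firewall family ethernet-switching filter block-cisco-l2 term cdp-and-friends then count cisco-l2-dropped
set firewall family ethernet-switching filter block-cisco-l2 term cdp-and-friends then discard
# everything else is forwarded unchanged
set firewall family ethernet-switching filter block-cisco-l2 term everything-else then accept
# apply inbound on the port facing the router whose CDP must not cross the SRX (assumed ge-0/0/2);
# a port without the filter keeps forwarding CDP, which is the "allow" case
set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input block-cisco-l2
```

`show firewall filter block-cisco-l2` shows the drop counter incrementing roughly once per CDP timer (60 seconds by default on IOS) per neighbour, which is a quick way to confirm the match without a capture. If only CDP should be dropped and VTP/DTP must pass, the MAC match is too coarse and the decision has to be made on the router side (`no cdp enable` on that interface).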


Odd NTP issue


Our NTP is acting funny. It seems I have to add the loopback to the NTP firewall filter... I don't understand why.

 

show configuration system ntp
inactive: server 10.1.1.110 version 4;
server 10.0.0.4 version 4;
source-address 10.8.252.63;

 

term NTP {
    from {
        source-address {
            10.1.1.110/32;
            10.0.0.4/32;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}

 

this is what i see 

 

Name of protocol: UDP, Packet Length: 40, Source address: 10.8.252.63:58568, Destination address: 10.8.252.63:123
Time of Log: 2016-07-20 13:41:19 CDT, Filter: management, Filter action: discard, Name of interface: local
Name of protocol: UDP, Packet Length: 40, Source address: 10.8.252.63:58568, Destination address: 10.8.252.63:123
Time of Log: 2016-07-20 13:41:11 CDT, Filter: management, Filter action: discard, Name of interface: local
Name of protocol: UDP, Packet Length: 40, Source address: 10.8.252.63:50138, Destination address: 10.8.252.63:123

 

show configuration interfaces lo0
hold-time up 0 down 2000;
unit 0 {
    family inet {
        no-redirects;
        filter {
            input management;
        }
        address 10.8.252.63/32;
    }
}

 

Why is it doing this? It does not seem right; on other routers we have, we do not need to do this. The zones are not blocking; I looked at our zone log.

 

I already tried rebooting the device; it is running the latest TAC-recommended code.
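The discarded packets in the log are sourced from 10.8.252.63 and destined to 10.8.252.63:123 on interface `local`: the router's own configured NTP source address talking to its own NTP service. The posted NTP term only accepts the two servers as sources, so that local exchange is dropped by the lo0 filter. The block below is an added example, not a reply from the thread, that keeps the server term as posted and adds a second term limited to that self-addressed case rather than opening udp/123 from anywhere; lines starting with # are comments.

```junos
# Added example (not from the post). Server term as posted, plus a narrow term for the
# router's own NTP source address talking to itself, which is what the discard log shows.
set firewall family inet filter management term NTP from source-address 10.1.1.110/32
set firewall family inet filter management term NTP from source-address 10.0.0.4/32
set firewall family inet filter management term NTP from protocol udp
set firewall family inet filter management term NTP from port ntp
set firewall family inet filter management term NTP then accept
# local exchange: source and destination are both the configured ntp source-address
set firewall family inet filter management term NTP-local from source-address 10.8.252.63/32
set firewall family inet filter management term NTP-local from destination-address 10.8.252.63/32
set firewall family inet filter management term NTP-local from protocol udp
set firewall family inet filter management term NTP-local from destination-port ntp
set firewall family inet filter management term NTP-local then count ntp-local
set firewall family inet filter management term NTP-local then accept
# a new term is appended at the end of the filter; move it ahead of the final discard term
insert firewall family inet filter management term NTP-local after term NTP
```

After the commit, `show firewall filter management` should show the `ntp-local` counter moving and the `discard` log entries for 10.8.252.63:123 should stop; `show ntp associations` should then show the reachable server with a non-zero reach value.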

vpn connection behind a nat device


Hi juniper experts,

 

I'm new to this setup. We are having a problem with routing on our VPN connection: the VPN is up, phase 1 and phase 2 are up, but host-to-host connectivity is not working. The setup is LAN ---> SRX650 --> Cisco router --> Internet ---> Cisco; the VPN terminates on the SRX650. When we do "show security ipsec security-associations" the port shows 500; from what I have read, with this kind of setup (NAT-T, VPN behind a NAT device) port 4500 should be used. Also, on the NAT device (Cisco), would there be additional config, particularly in NAT? Below is the config of our VPN on the SRX650 (the security policy and the route to the Cisco router are correct, as verified with "show security flow session").

 

set security ike proposal ike_ESI_Phase1-Proposal authentication-method pre-shared-keys
set security ike proposal ike_ESI_Phase1-Proposal dh-group group5
set security ike proposal ike_ESI_Phase1-Proposal authentication-algorithm sha-256
set security ike proposal ike_ESI_Phase1-Proposal encryption-algorithm aes-256-cbc
set security ike proposal ike_ESI_Phase1-Proposal lifetime-seconds 86400
set security ike policy ike_pol_ESI_VPN mode main
set security ike policy ike_pol_ESI_VPN proposals ike_ESI_Phase1-Proposal
set security ike policy ike_pol_ESI_VPN pre-shared-key ascii-text "$9$goJjHQF6/A0ZGHqPf3nM8XNwgDiqfT3DjuO"
set security ike gateway gw_ESI_VPN ike-policy ike_pol_ESI_VPN
set security ike gateway gw_ESI_VPN address 2.2.2.2
set security ike gateway gw_ESI_VPN local-identity inet 1.1.1.1
set security ike gateway gw_ESI_VPN external-interface ge-0/0/1.0
set security ike gateway gw_ESI_VPN version v1-only

set security ipsec vpn gw_ESI_VPN ike gateway gw_ESI_VPN
set security ipsec vpn gw_ESI_VPN ike ipsec-policy ipsec_pol_ESI_VPN
set security ipsec vpn gw_ESI_VPN establish-tunnels immediately

 

thanks

Port Nat


I know this must be simple but it is eluding me.

My remote users need to access a terminal server inside our network, and I really prefer not to have 3389 open. I would rather have them connect to <public ip address>:4001 and have the SRX translate that to <server internal ip address>:3389.

 

 

I tried using the following:
set security nat destination pool test address 192.168.1.1/32
set security nat destination pool test address port 4000
set security nat destination rule-set test rule 1 match destination-address <public-Ip-of-web-server>
set security nat destination rule-set test rule 1 match destination-port 3389
set security nat destination rule-set test rule 1 then destination-nat pool test

 

commit check
[edit security nat destination]
  'rule-set test'
    missing mandatory statement: 'from'
error: configuration check-out failed: (missing mandatory statements)

 

I have tried several different examples/setups and none have worked.

Getting the answer in the form of CLI would be great.
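The block below is an added worked example, not the poster's config or a reply from the thread. It is the complete destination NAT the post describes (public :4001 rewritten to the server's :3389) together with the two things the posted snippet lacks: the mandatory `from zone` on the rule-set, which is what the commit error complains about, and a security policy, which must match the post-NAT destination and is limited to the remote users' source range rather than `any`. Note that the posted pool and rule have the ports the other way round (pool port 4000, match port 3389); the example uses the ports the post's goal states. The public address 203.0.113.10, the remote-user range 198.51.100.0/24 and the zone names trust/untrust are assumptions; lines starting with # are comments.

```junos
# Added example (not from the post). Public 203.0.113.10:4001 -> internal 192.168.1.1:3389.
# Destination NAT: the pool carries the real server address and the real service port
set security nat destination pool rdp-ts address 192.168.1.1/32
set security nat destination pool rdp-ts address port 3389
# the rule-set needs a 'from' context; packets arrive from the untrust zone
set security nat destination rule-set from-internet from zone untrust
# match the pre-NAT destination: the public address and the alternate port
set security nat destination rule-set from-internet rule rdp-4001 match destination-address 203.0.113.10/32
set security nat destination rule-set from-internet rule rdp-4001 match destination-port 4001
set security nat destination rule-set from-internet rule rdp-4001 then destination-nat pool rdp-ts
# Security policy: evaluated after destination NAT, so it matches the internal address and 3389,
# and it is scoped to the remote users' range (assumed) instead of any
set security address-book global address terminal-server 192.168.1.1/32
set security address-book global address remote-users 198.51.100.0/24
set applications application rdp-tcp protocol tcp
set applications application rdp-tcp destination-port 3389
set security policies from-zone untrust to-zone trust policy allow-rdp match source-address remote-users
set security policies from-zone untrust to-zone trust policy allow-rdp match destination-address terminal-server
set security policies from-zone untrust to-zone trust policy allow-rdp match application rdp-tcp
set security policies from-zone untrust to-zone trust policy allow-rdp then permit
set security policies from-zone untrust to-zone trust policy allow-rdp then log session-init
```

`show security nat destination rule all` shows translation hits, and `show security flow session destination-port 3389` shows the translated session once a user connects. Moving RDP to port 4001 only hides it from casual scans; the source-address restriction in the policy is what actually limits who can reach the server, so keep `remote-users` as tight as the user population allows.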

Traffic shaping all egress traffic to ISP on SRX210 HA pair


Hello all,

 

Really hoping someone can help me out, as my exposure to Junos is limited. 

 

I have a customer running an SRX210 HA pair on 12.1X44-D20.3. They have recently connected a 40Mbps fibre service which is subject to a policer. I would like to ensure all egress traffic is shaped, as opposed to rate-limited and dropped if exceeded, but can't seem to find the right example. Most of my research leads me to creating class scheduler groups and firewall filters.

 

I have achieved the same thing in the past on Cisco IOS by creating a class map, applying the class to a policy, then the service policy to an interface, like this:

 

!
class-map match-any CLASS_40
 match any
!
policy-map POLICY_40
 class CLASS_40
  shape average 40000000
!
interface GigabitEthernet0/1
 service-policy output POLICY_40
!

 

This seems like it should be a straightforward thing to configure, especially since I'm not seeking to alter throughput for different subnets or traffic types. I have found a few examples of setting a shape average on a physical interface in Junos, but that command doesn't appear to be available in a reth group.

 

Would a configuration such as below be what I'm after? I'd prefer not to be discarding though:

 

set firewall policer 40M-POLICER if-exceeding bandwidth-limit 40m
set firewall policer 40M-POLICER if-exceeding burst-size-limit 625k
set firewall policer 40M-POLICER then discard

set firewall filter 40M-OUTBOUND-FILTER term SOURCE-ANY from source-address 0.0.0.0/0
set firewall filter 40M-OUTBOUND-FILTER term SOURCE-ANY then policer 40M-POLICER
set firewall filter 40M-OUTBOUND-FILTER term SOURCE-ANY then accept
set firewall filter 40M-OUTBOUND-FILTER term END-POLICY then accept

set firewall filter 40M-INBOUND-FILTER term SOURCE-ANY from source-address 0.0.0.0/0
set firewall filter 40M-INBOUND-FILTER term SOURCE-ANY then policer 40M-POLICER
set firewall filter 40M-INBOUND-FILTER term SOURCE-ANY then accept
set firewall filter 40M-INBOUND-FILTER term END-POLICY then accept

set interfaces reth0 unit 0 family inet filter input 40M-INBOUND-FILTER
set interfaces reth0 unit 0 family inet filter output 40M-OUTBOUND-FILTER

 

Any assistance greatly appreciated.
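The policer in the posted configuration does what the post wants to avoid: it discards everything above 40m. Shaping is configured under class-of-service, and since it is not available on the reth itself it goes on the physical member interfaces on both nodes, which is the Junos equivalent of the IOS `shape average`. The block below is an added example, not a reply from the thread. It assumes an SRX210 cluster in which ge-0/0/0 on node0 and ge-2/0/0 on node1 are the members of the ISP-facing reth, and that the platform accepts an interface-level shaping-rate; the scheduler names are assumptions and lines starting with # are comments.

```junos
# Added example (not from the post). Egress shaping to 40 Mbps on the reth member interfaces,
# with network-control (BGP, IKE, routing protocols) protected from best-effort bulk traffic.
# Two schedulers: 95% best-effort, 5% network-control with strict-high priority
set class-of-service schedulers be-sched transmit-rate percent 95
set class-of-service schedulers be-sched buffer-size percent 95
set class-of-service schedulers be-sched priority low
set class-of-service schedulers nc-sched transmit-rate percent 5
set class-of-service schedulers nc-sched buffer-size percent 5
set class-of-service schedulers nc-sched priority strict-high
set class-of-service scheduler-maps isp-map forwarding-class best-effort scheduler be-sched
set class-of-service scheduler-maps isp-map forwarding-class network-control scheduler nc-sched
# shaping-rate queues and delays bursts instead of dropping them; apply it on every member of the reth,
# on both nodes, so the rate holds after a redundancy-group failover (member names assumed)
set class-of-service interfaces ge-0/0/0 shaping-rate 40m
set class-of-service interfaces ge-0/0/0 scheduler-map isp-map
set class-of-service interfaces ge-2/0/0 shaping-rate 40m
set class-of-service interfaces ge-2/0/0 scheduler-map isp-map
```

`show class-of-service interface ge-0/0/0` confirms the shaping rate and scheduler map are bound, and `show interfaces queue ge-0/0/0` shows queued versus dropped packets per forwarding class: with shaping working, queued counters climb under load while tail drops stay low. This only shapes what leaves the SRX; inbound traffic from the ISP is still subject to the provider's policer and cannot be shaped from this side.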

IPSEC VPN between private WAN IP and Public WAN IP


Is it possible to run an ipsec vpn between a private static WAN ip address at the HQ and a public WAN static ip address at the branch office?

No ping Proxy-ARP from LAN/DMZ


Hello,

We have a problem with proxy ARP.
Currently I use multiple IPs on interface ge-0/0/0 with proxy ARP; each IP has source and destination NAT.
From outside I can ping these IPs and reach the open ports, but if I ping one of these IPs (in proxy ARP) from the LAN/DMZ we get no response...
It's very strange, because if I ping the IP from the Juniper SSH session I get "ping: sendto: Can't assign requested address".
Only the interface's own IP responds to pings from the LAN.

So to resolve this problem I thought of adding a route to another interface with another gateway, but I have the same problem.
Yet I can see the route with show route, and if I ping the IP (proxy) from the backup WAN I get a response...

Have you an idea to resolve this problem ?
Best regards.
Charlie

IGMP Issue


Hi,

 

I'm trying to configure a Juniper SRX220 to proxy IPTV multicast traffic between two interfaces. For that I've added the following configuration:

 

show protocols
igmp {
    traceoptions {
        file igmp_trace;
        flag all;
    }
    interface ge-0/0/0.0 {
        version 3;
    }
    interface vlan.21 {
        version 3;
    }
}
pim {
    traceoptions {
        file pim_trace;
        flag all;
    }
    interface ge-0/0/0.0 {
        mode dense;
    }
    interface vlan.21 {
        mode dense;
    }
}

 

In the traceoptions files i can see the following messages:

 

RCV IGMP V3 Report len 32 from 192.168.1.67 intf ge-0/0/0.0
   Records 3
   Group 232.16.1.13, type IS_EX, aux_len 0, sources 0
   Group 232.0.8.8, type IS_EX, aux_len 0, sources 0
   Group 239.255.255.250, type IS_EX, aux_len 0, sources 0
RPD_IGMP_SSM_REPORT_MODE_INVALID: Interface ge-0/0/0.0: Group record with invalid mode for SSM group 232.16.1.13 ignored
Jul 23 02:36:05.393278 RPD_IGMP_SSM_REPORT_MODE_INVALID: Interface ge-0/0/0.0: Group record with invalid mode for SSM group 232.0.8.8 ignored

 

I cannot understand what I should change in order to be able to proxy those multicast addresses; can you point me in the right direction?

 

Regards
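The trace shows the receiver sending IGMPv3 records of type IS_EX with zero sources (an any-source join) for 232.16.1.13 and 232.0.8.8. Those groups lie in 232/8, which Junos treats as the source-specific multicast range, and an SSM group needs a source, so the records are ignored and no state is created; the 239.255.255.250 record is accepted because it is outside that range. The block below is an added example, not a reply from the thread, of one way to handle receivers that cannot send source-specific reports: run the receiver-facing interface as IGMPv2 and attach an SSM map that supplies the source for the IPTV groups, so the (*,G) reports become (S,G) joins. The IPTV source address 10.0.0.10 is an assumption that has to come from the IPTV provider, and the policy and map names are assumptions; lines starting with # are comments.

```junos
# Added example (not from the post). SSM mapping: (*,G) reports for 232/8 are mapped to (S,G)
# with the IPTV source supplied by the router. Source address 10.0.0.10 is assumed.
# policy selecting which groups the map applies to
set policy-options policy-statement iptv-ssm-groups term iptv from route-filter 232.0.0.0/8 orlonger
set policy-options policy-statement iptv-ssm-groups term iptv then accept
set policy-options policy-statement iptv-ssm-groups term rest then reject
# the map: groups matched by the policy are joined towards this source
set routing-options multicast ssm-map iptv-map policy iptv-ssm-groups
set routing-options multicast ssm-map iptv-map source 10.0.0.10
# receiver-facing interface: IGMPv2 so the set-top box sends (*,G) reports that the map can translate,
# with the map attached; the upstream interface stays unchanged
set protocols igmp interface ge-0/0/0.0 version 2
set protocols igmp interface ge-0/0/0.0 ssm-map iptv-map
```

After the change the RPD_IGMP_SSM_REPORT_MODE_INVALID messages should stop and `show igmp group` should list 232.16.1.13 and 232.0.8.8 on ge-0/0/0.0 with the mapped source; `show multicast route extensive` then shows whether traffic for that (S,G) is actually arriving on vlan.21. If the provider can instead make the receivers send INCLUDE-mode IGMPv3 reports with the real source, that is the cleaner fix and needs no map.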


vSRX 15.1 D50 cannot add ge- interfaces


Dear members;

 

Has anyone succeeded in adding ge-x/x/x interfaces to vSRX 15.1? It seems vSRX does not detect interfaces in either ESXi or KVM...

 

Regards.

802.1p and MPLS EXP CoS Rewrite on SRX300/SRX1500


Hi, All.

 

Do either the SRX300 or SRX1500 devices support both 802.1p and EXP rewrite rules running on a core-facing interface?

 

 

asbestos-muffin

Autoinstallation SRX 100


Hi,

 

I need to configure many SRX100H2 devices at once. I'm thinking of using autoinstallation, so I created a DHCP and TFTP server. The DHCP server is set to give each SRX device an IP address. When I plug in the router (the first time) it does not get an IP address. How can I ensure that it gets one, or at least that it is trying to get an IP address?

 

dhcp conf :

[screenshot of the dhcpd configuration, not reproduced here]

 

When I plug in another device like a computer or a SIP phone, they get their IP address.

 

Thanks for your help.

Need HELP! SRX cluster with BGP


Hi all,

I need some guidance. I have a client where we are replacing a single Palo Alto unit with an SRX cluster. They also have dual ISPs. The ISP feeds are currently connected to their own Cisco routers, with BGP set up and functioning.

We built the cluster with 3 reth interfaces: one for ISP A, one for ISP B and the other for the LAN, plus the control and fabric links.

We had the 2 ISP feeds uplinked from the routers into a Layer 2 switch so that traffic could flow and, when BGP kicked in, ISP B could route that IP subnet through reth2.

We went into production and after 2 days they called with issues. We determined that we were dropping packets every 5 to 10 minutes.

We believe the issue is due to both ISP feeds being in the same VLAN. When we separate the ISP feeds and reths into separate VLANs all works cleanly, except we don't have any way to route traffic from ISP A to the ISP B reth in a BGP failover situation.

So I'm not sure how to get that traffic to move from ISP A to ISP B in a BGP failover. I also considered moving BGP and the ISP feeds onto the SRX units and removing the Cisco routers, but that seems like a bigger undertaking at this point since BGP is working across the Cisco routers.

Help would be GREATLY appreciated.

 

Thanks

Todd

Training / Troubleshooting: L2Circuit via Access Ports


Good Morning All!

 

I am relatively new to Juniper. My company implemented them about a year ago and I've finally gotten around to working with them, and I must say that I thoroughly enjoy the platform! Now that the formalities are out of the way, here is my issue; I'm hoping you all will be able to assist me with what I am overlooking:

 

I have 2 separate labs: one virtual (4x vSRX) and one physical (3x SRX210s donated to our lab by field technicians). For this issue, I am working in the physical lab. I have set up MPLS/LDP across the 3 SRXs with OSPF as the IGP, and I have established an LSP between routers 1 and 3 (aptly named JUNOS1 and JUNOS3). Attached to two of the Fast Ethernet interfaces (fe-0/0/2), I have 2x Cisco ME3400 2CS (donated by field technicians as well) acting as my "clients", with IP addresses configured directly on the connecting interfaces (192.168.254.0/30).

 

I see my LSP in the inet.3 table, and "show l2circuit connections extensive" registers the circuit and the labels assigned to the l2circuit, but I am unable to ping across the interfaces. I have monitored them and I see the input traffic coming from the switches during a continuous ping, so I'm all but positive the issue is with the configuration of fe-0/0/2.0:

JUNOS3 Configuration:

rsvp {
    interface ge-0/0/0.0;
    interface ge-0/0/1.0;
}
mpls {
    label-switched-path JUNOS1 {
        traceoptions {
            file JUNOS3.txt;
            flag all;
        }
        to 192.168.255.0;
        install 192.168.255.0/32 active;
        record;
        fast-reroute;
    }
    interface ge-0/0/0.0;
    interface ge-0/0/1.0;
    interface lo0.0;
}
ospf {
    area 0.0.0.0 {
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        interface lo0.0 {
            passive;
            priority 128;
        }
    }
}
ldp {
    interface ge-0/0/0.0;
    interface ge-0/0/1.0;
    interface lo0.0;
}
l2circuit {
    neighbor 192.168.255.0 {
        interface fe-0/0/2.0 {
            virtual-circuit-id 1921682540;
            encapsulation-type ethernet;
        }
    }
}

fe-0/0/2 {
    description to_2CS3;
    encapsulation ethernet-ccc;
    unit 0 {
        family ccc;
    }
}

 

JUNOS1 Configuration:

rsvp {
    interface ge-0/0/0.0;
    interface ge-0/0/1.0;
}
mpls {
    label-switched-path JUNOS3 {
        traceoptions {
            file JUNOS3.txt;
            flag all;
        }
        to 192.168.255.2;
        install 192.168.255.2/32 active;
        record;
        fast-reroute;
    }
    interface ge-0/0/0.0;
    interface ge-0/0/1.0;
    interface lo0.0;
}
ospf {
    area 0.0.0.0 {
        interface ge-0/0/1.0;
        interface lo0.0 {
            passive;
            priority 110;
        }
    }
}
ldp {
    transport-address router-id;
    interface ge-0/0/0.0;
    interface ge-0/0/1.0;
    interface lo0.0;
}
l2circuit {
    neighbor 192.168.255.2 {
        interface fe-0/0/2.0 {
            virtual-circuit-id 1921682540;
            encapsulation-type ethernet;
        }
    }
}

fe-0/0/2 {
    description to_2CS1;
    encapsulation ethernet-ccc;
    unit 0 {
        family ccc;
    }
}

 Any guidance / assistance would be graciously appreciated!

 

Thanks!!!!!
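The posted configurations show the protocols and the ccc interface but not the forwarding-options stanza. On branch SRX the data plane handles MPLS only when it is switched out of flow mode for that family; with the default flow-based handling, labelled packets and the ccc interface are not forwarded even though the control plane signals the circuit as up. The block below is an added example, not a reply from the thread, of that setting together with the checks that tell the two cases apart; lines starting with # are comments.

```junos
# Added example (not from the post). Put MPLS forwarding into packet-based mode on every SRX in the path;
# the change takes effect only after a reboot of the device.
set security forwarding-options family mpls mode packet-based
# Checks after the reboot (operational mode):
# show security flow status        -> "MPLS forwarding mode: packet based" (flow based means the setting is not active)
# show l2circuit connections       -> the VC for 1921682540 should be "Up"; "OL" means no outgoing label was
#                                     received from the neighbor, "RD" means the remote side signalled it down
# show route table mpls.0          -> the ingress and transit label entries for the circuit
# monitor interface fe-0/0/2       -> output packets should now increase together with input during the ping
```

Because the ccc interface carries customer frames untouched, there is no zone or policy step for traffic inside the circuit once the data plane is in packet mode; the security boundary is the labelled core, so the LDP and RSVP sessions on ge-0/0/0 and ge-0/0/1 are the only things that need host-inbound permission.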

 
