Channel: SRX Services Gateway topics

SRX VPN licenses

Hello,

I'm thinking of getting an SRX240 or SRX300 for my lab, for JNCIA preparation as well as for replacing my pfSense gateway box.

I'm not sure, though, how VPN licensing works with the SRXs you find on eBay.

Is there a limit on the number of VPNs between two SRX boxes? I just read that the number of dynamic clients is 2.

Also... is there a known Unix client/server which can act as the client/endpoint?


destination net unreachable with virtual-instances


Hello Juniper experts,

I hope you can help me out.

I have the following issue: when I use routing-instances for multiple ISP connections, routing fails.

When I create a very simple config like the one below, it works perfectly. I can ping some test IP addresses outside the SRX without any issue through gateway 1.1.1.6.

 

set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.1/29
set interfaces fe-0/0/1 unit 0 family inet address 2.2.2.1/29
set interfaces fe-0/0/5 unit 0 family inet address 192.168.10.254/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.6
set routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.6 metric 100
set security nat source rule-set SR_SET_1 from zone Internal
set security nat source rule-set SR_SET_1 to zone Ziggo
set security nat source rule-set SR_SET_1 rule rule1 match source-address 192.168.10.0/24
set security nat source rule-set SR_SET_1 rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set SR_SET_1 rule rule1 then source-nat interface
set security policies default-policy permit-all
set security zones security-zone Ziggo interfaces fe-0/0/0.0
set security zones security-zone Dsl interfaces fe-0/0/1.0
set security zones security-zone Internal interfaces fe-0/0/5.0 host-inbound-traffic system-services all

When I rebuild this configuration into the one below, I cannot ping or resolve any addresses anymore from zone Internal.

 

set system root-authentication encrypted-password "$1$6PIUAbCK$9dE2nK8ISxPzk/GbNhdw30"
set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.1/29
set interfaces fe-0/0/1 unit 0 family inet address 2.2.2.1/29
set interfaces fe-0/0/5 unit 0 family inet address 192.168.10.254/24
set routing-options interface-routes rib-group inet isp
set routing-options rib-groups isp import-rib inet.0
set routing-options rib-groups isp import-rib isp1.inet.0
set routing-options rib-groups isp import-rib isp2.inet.0
set security nat source rule-set SR_SET_1 from zone Internal
set security nat source rule-set SR_SET_1 to zone Ziggo
set security nat source rule-set SR_SET_1 rule rule1 match source-address 192.168.10.0/24
set security nat source rule-set SR_SET_1 rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set SR_SET_1 rule rule1 then source-nat interface
set security policies default-policy permit-all
set security zones security-zone Ziggo interfaces fe-0/0/0.0
set security zones security-zone Dsl interfaces fe-0/0/1.0
set security zones security-zone Internal interfaces fe-0/0/5.0 host-inbound-traffic system-services all
set routing-instances isp1 instance-type virtual-router
set routing-instances isp1 interface fe-0/0/0.0
set routing-instances isp1 routing-options static route 0.0.0.0/0 next-hop 1.1.1.6
set routing-instances isp1 routing-options static route 192.168.10.0/24 next-table inet.0
set routing-instances isp2 instance-type virtual-router
set routing-instances isp2 interface fe-0/0/1.0
set routing-instances isp2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.6
set routing-instances isp2 routing-options static route 192.168.10.0/24 next-table inet.0

Do you have any ideas and/or suggestions?

Regards,

Robbert
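To make the difference between the two configurations visible without a device, here is an added Python model; it is not from the post and not Juniper code. It parses the routing-relevant `set` lines of the second configuration and does a longest-prefix lookup per routing table, following `next-table`. Two things are modelled rather than taken from the post: a rib-group under the top-level `routing-options interface-routes` applies to the master instance and copies its direct routes into every `import-rib` of the group, and the route preferences used are the Junos defaults (direct 0, static 5). The destination 8.8.8.8 and the LAN host 192.168.10.10 are constructed lookups, not device output.

```python
import ipaddress
import re

# Routing-relevant lines of the post's second configuration (the one that fails); excerpt from the post.
CONFIG = """
set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.1/29
set interfaces fe-0/0/1 unit 0 family inet address 2.2.2.1/29
set interfaces fe-0/0/5 unit 0 family inet address 192.168.10.254/24
set routing-options interface-routes rib-group inet isp
set routing-options rib-groups isp import-rib inet.0
set routing-options rib-groups isp import-rib isp1.inet.0
set routing-options rib-groups isp import-rib isp2.inet.0
set routing-instances isp1 instance-type virtual-router
set routing-instances isp1 interface fe-0/0/0.0
set routing-instances isp1 routing-options static route 0.0.0.0/0 next-hop 1.1.1.6
set routing-instances isp1 routing-options static route 192.168.10.0/24 next-table inet.0
set routing-instances isp2 instance-type virtual-router
set routing-instances isp2 interface fe-0/0/1.0
set routing-instances isp2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.6
set routing-instances isp2 routing-options static route 192.168.10.0/24 next-table inet.0
"""

# Junos default route preferences: direct (connected) routes beat static routes.
PREFERENCE = {"direct": 0, "static": 5}

RE_ADDRESS = re.compile(r"set interfaces (\S+) unit (\d+) family inet address (\S+)")
RE_IFROUTES = re.compile(r"set routing-options interface-routes rib-group inet (\S+)")
RE_RIBGROUP = re.compile(r"set routing-options rib-groups (\S+) import-rib (\S+)")
RE_INSTANCE_IF = re.compile(r"set routing-instances (\S+) interface (\S+)")
RE_STATIC = re.compile(
    r"set (?:routing-instances (\S+) )?routing-options static route (\S+) (next-hop|next-table) (\S+)")


def parse_config(text):
    """Build {table: [(network, preference, kind, target), ...]} from Junos set commands."""
    ifl_prefix, ifl_instance, rib_groups, statics = {}, {}, {}, []
    interface_rib_group = None
    for line in text.strip().splitlines():
        if m := RE_ADDRESS.match(line):
            ifl_prefix[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3]).network
        elif m := RE_IFROUTES.match(line):
            interface_rib_group = m[1]
        elif m := RE_RIBGROUP.match(line):
            rib_groups.setdefault(m[1], []).append(m[2])
        elif m := RE_INSTANCE_IF.match(line):
            ifl_instance[m[2]] = m[1]
        elif m := RE_STATIC.match(line):
            table = f"{m[1]}.inet.0" if m[1] else "inet.0"
            statics.append((table, ipaddress.ip_network(m[2]), m[3], m[4]))

    tables = {}

    def add(table, network, kind, target):
        pref = PREFERENCE["direct" if kind == "direct" else "static"]
        tables.setdefault(table, []).append((network, pref, kind, target))

    for ifl, network in ifl_prefix.items():
        instance = ifl_instance.get(ifl)
        home = f"{instance}.inet.0" if instance else "inet.0"
        add(home, network, "direct", ifl)
        # Modelled rule (assumption of this example): the top-level interface-routes rib-group
        # applies to the master instance only, copying its direct routes into every import-rib.
        if instance is None and interface_rib_group:
            for rib in rib_groups.get(interface_rib_group, []):
                if rib != home:
                    add(rib, network, "direct", ifl)
    for table, network, kind, target in statics:
        add(table, network, kind, target)
    return tables


def lookup(tables, table, destination, _depth=0):
    """Longest-prefix match in `table`, following next-table; returns (kind, target) or None."""
    if _depth > 8:  # a next-table chain that never resolves counts as no route
        return None
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in tables.get(table, []) if dst in r[0]]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lowest preference wins.
    network, _pref, kind, target = max(candidates, key=lambda r: (r[0].prefixlen, -r[1]))
    if kind == "next-table":
        return lookup(tables, target, destination, _depth + 1)
    return kind, target


TABLES = parse_config(CONFIG)

if __name__ == "__main__":
    # A LAN host behind fe-0/0/5.0 (master instance, inet.0) finds no default route at all.
    for table in ("inet.0", "isp1.inet.0", "isp2.inet.0"):
        print(f"{table:12} 8.8.8.8 -> {lookup(TABLES, table, '8.8.8.8')}")
    # The return path from isp1.inet.0 to the LAN resolves through the leaked direct route.
    print("isp1.inet.0  192.168.10.10 ->", lookup(TABLES, "isp1.inet.0", "192.168.10.10"))
```

Run as a script, the model shows that `inet.0`, the table fe-0/0/5.0 lives in, holds only the connected 192.168.10.0/24 while both default routes sit in `isp1.inet.0` and `isp2.inet.0`, which is consistent with the "destination net unreachable" the post describes; the return direction resolves, because the rib-group leaked the LAN's direct route into both ISP tables.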

SRX3xx licenses JSE/JSB vs security options


Hello,

Can someone clarify the new SRX3xx licensing scheme for me, which appeared at Juniper after the odd separation of hardware from software: JSB vs JSE.

JSE adds "NGFW" features:

Application Security Services:

• Application visibility and control

• Application-based firewall

• Application QoS

• SSL inspection (SSL proxy to "see" encrypted SSL traffic?)

If I buy this I will get a permanent (?) license for the above functionality.

And, "offered as advanced security services subscription licenses":

Threat Defense and Intelligence Services:

• Intrusion prevention (IPS)

• Antivirus

• Antispam

• Category/reputation-based URL filtering

• Spotlight Secure threat intelligence

The above features are licensed as a per-year subscription, but is this available as a bundle only, or can I purchase separate licenses?

And please correct me: to have FULL security functionality I have to buy JSE + the Threat Defense and Intelligence Services bundle (NGFW + IPS/AV)?

On the SRX1xx I could buy AppSec (IPS + App ID) + A/V separately, or the whole set sold under the SRX1xxx-SMB4 license for all features.

Also, please provide the price tags, if possible, to make talking to the local seller easier.

Based on data sheet: 1000550-004-EN May 2016

Thanks in advance

Rav

error: Could not connect to node1 : No route to host - after power failure


I'm busy setting up our new SRX345 firewalls and, in all honesty, it has been a complete nightmare! I finally managed to get the two clustered over our layer 2 network with no errors (by factory resetting and doing the exact same config again, step by step). At that point both control and dual fabric links connected, and all the subnets were serviced via VLANs on LACP reth0. Everything appeared to be working properly.

The problems are now with failover and failback.

When I issue shutdown on the port channel on the Cisco that node0 connects to, it fails over nearly immediately according to 'show log messages', but the continuous ping to the vlan20 interface was lost for between 30 seconds and 10 minutes, normally around 6 minutes. I had preempt set, and failback triggered by entering no shutdown on the Cisco port channel was considerably quicker, only losing pings for about 30-60 seconds.

I still have no idea why failover is taking such a long time, and currently no idea how to start diagnosing it, but I now have a worse problem. A colleague suggested I try a more realistic failover and simulate a power cut to node0. This took only a minute to fail over to node1, but on restoring the power node0 claims it cannot connect to node1. The Cisco reports that LACP is not enabled on the reth, and the control and fabric ports do not appear to have initialized; the Cisco is behaving as if the ports are all connected to a hub.

In addition, node0 is very slow to respond to the CLI on the rollover cable and reports the following on the console:

 

Message from syslogd@FW01 at Nov 7 17:29:37 ...
FW01 SCHED: Thread 4 (Module Init) ran for 1045 ms without yielding

Message from syslogd@FW01 at Nov 7 17:29:37 ...
FW01 Scheduler Oinker

Message from syslogd@FW01 at Nov 7 17:29:37 ...
FW01 Frame 00: sp = 0x510a68c8, pc = 0x182204e8

Message from syslogd@FW01 at Nov 7 17:29:37 ...
FW01 Frame 01: sp = 0x510a6970, pc = 0x182082e4

 

'show interfaces terse' does not list the physical interfaces on node0.

Anyone know what's going on, or how to fix it?

 

 

Filter specific traffic on policy-based VPN


Hi,

We have the following setup:

** Policy-based VPN between an SRX 1400 and a Palo Alto.

Extra info on why we are using a policy-based VPN:

1- We need one phase 2 per local/remote network pair (proxy-id).

2- Right now on the SRX side it is one network, but in the future there will be more.

3- Our current Junos version is just behind the release that included traffic selectors.

SRX side:

10.10.10.0/24 (lan_1)

Palo Alto side:

192.168.8.0/24 (vpn_net_1)

192.168.9.0/24 (vpn_net_2)

192.168.10.0/24 (vpn_net_3)

We have the following rules:


[edit security policies from-zone untrust to-zone management-lan]
     policy vpnpolicy-untrust-management-lan-1 {
         match {
             source-address vpn_net_1;
             destination-address lan_1;
             application any;
         }
         then {
             permit {
                 tunnel {
                     ipsec-vpn ipsec-vpn-1;
                     pair-policy vpnpolicy-management-lan-untrust-1;
                 }
             }
         }
     }
     policy vpnpolicy-untrust-management-lan-2 {
         match {
             source-address vpn_net_2;
             destination-address lan_1;
             application any;
         }
         then {
             permit {
                 tunnel {
                     ipsec-vpn ipsec-vpn-1;
                     pair-policy vpnpolicy-management-lan-untrust-2;
                 }
             }
         }
     }
     policy vpnpolicy-untrust-management-lan-3 {
         match {
             source-address vpn_net_3;
             destination-address lan_1;
             application any;
         }
         then {
             permit {
                 tunnel {
                     ipsec-vpn ipsec-vpn-1;
                     pair-policy vpnpolicy-management-lan-untrust-3;
                 }
             }
         }
     }

[edit security policies from-zone management-lan to-zone untrust]

     policy vpnpolicy-management-lan-untrust-1 {
         match {
             source-address lan_1;
             destination-address vpn_net_1;
             application any;
         }
         then {
             permit {
                 tunnel {
                     ipsec-vpn ipsec-vpn-1;
                     pair-policy vpnpolicy-untrust-management-lan-1;
                 }
             }
         }
     }
     policy vpnpolicy-management-lan-untrust-2 {
         match {
             source-address lan_1;
             destination-address vpn_net_2;
             application any;
         }
         then {
             permit {
                 tunnel {
                     ipsec-vpn ipsec-vpn-1;
                     pair-policy vpnpolicy-untrust-management-lan-2;
                 }
             }
         }
     }
     policy vpnpolicy-management-lan-untrust-3 {
         match {
             source-address lan_1;
             destination-address vpn_net_3;
             application any;
         }
         then {
             permit {
                 tunnel {
                     ipsec-vpn ipsec-vpn-1;
                     pair-policy vpnpolicy-untrust-management-lan-3;
                 }
             }
         }
     }

{primary:node0}[edit]

 

 

The VPN is established correctly, and traffic works in both directions.

Now, how can you filter specific traffic on that VPN? As we have "application any", all traffic is allowed.

For outgoing traffic (SRX -> Palo Alto) I think it would be enough to just add a deny rule before the tunnel rule. But how can I filter inbound traffic (Palo Alto -> SRX)? I'm not sure the same approach would work.

If, for example, we want remote server 192.168.8.200 to only be able to access 10.10.10.0/24 on port 80/TCP, where should we do it? Or do we have to actually modify the tunnel rule? If so, wouldn't that then create a different phase 2 per tunnel rule created?

Thanks for the input!

Best regards.
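The post reasons about placing a deny above the tunnel policy. As an added illustration, not from the post and not Juniper code, here is a Python model of how Junos evaluates security policies within a zone pair: top to bottom, first match wins, and a flow that matches no policy falls to the default deny. The address-book names and the three untrust-to-management-lan tunnel policies are the post's; the `remote_server` entry, the port mappings assumed for `junos-http` and `junos-ssh`, the deny policy and the sample flows are constructed here. It shows what one inserted deny does to a single flow and that the tunnel policies, the ones the post ties to proxy-ids, are left as they were; it does not model the IKE/IPsec negotiation itself.

```python
import ipaddress

# Address-book names from the post; "remote_server" is constructed for the example.
ADDRESS_BOOK = {
    "any": "0.0.0.0/0",
    "lan_1": "10.10.10.0/24",
    "vpn_net_1": "192.168.8.0/24",
    "vpn_net_2": "192.168.9.0/24",
    "vpn_net_3": "192.168.10.0/24",
    "remote_server": "192.168.8.200/32",
}

# Application objects: None matches any protocol/port, otherwise (protocol, destination port).
# The two named entries mirror Junos predefined applications (assumed mappings).
APPLICATIONS = {
    "any": None,
    "junos-http": ("tcp", 80),
    "junos-ssh": ("tcp", 22),
}


def policy(name, src, dst, app, action, tunnel=None):
    """A security policy within one zone pair; `tunnel` names the VPN for a tunnel policy."""
    return {"name": name, "src": src, "dst": dst, "app": app, "action": action, "tunnel": tunnel}


def matches(pol, flow):
    """flow is (source ip, destination ip, protocol, destination port)."""
    src_ip, dst_ip, proto, port = flow
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(ADDRESS_BOOK[pol["src"]]):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(ADDRESS_BOOK[pol["dst"]]):
        return False
    app = APPLICATIONS[pol["app"]]
    return app is None or app == (proto, port)


def evaluate(policies, flow):
    """Ordered first match, as Junos does within a zone pair; no match means the default deny."""
    for pol in policies:
        if matches(pol, flow):
            return pol["name"], pol["action"], pol["tunnel"]
    return None, "deny", None


def insert_before(policies, new_policy, before_name):
    """Equivalent of `insert security policies ... policy NEW before policy BEFORE`."""
    index = next(i for i, pol in enumerate(policies) if pol["name"] == before_name)
    return policies[:index] + [new_policy] + policies[index:]


def tunnel_policy_names(policies):
    """Names of the policies that bind traffic to a VPN (the ones the post ties to proxy-ids)."""
    return [pol["name"] for pol in policies if pol["tunnel"]]


# The untrust -> management-lan policies from the post.
UNTRUST_TO_LAN = [
    policy("vpnpolicy-untrust-management-lan-1", "vpn_net_1", "lan_1", "any", "permit", "ipsec-vpn-1"),
    policy("vpnpolicy-untrust-management-lan-2", "vpn_net_2", "lan_1", "any", "permit", "ipsec-vpn-1"),
    policy("vpnpolicy-untrust-management-lan-3", "vpn_net_3", "lan_1", "any", "permit", "ipsec-vpn-1"),
]

# Constructed deny for SSH from the remote server, inserted above the first tunnel policy.
WITH_DENY = insert_before(
    UNTRUST_TO_LAN,
    policy("deny-remote-server-ssh", "remote_server", "lan_1", "junos-ssh", "deny"),
    "vpnpolicy-untrust-management-lan-1",
)

# Constructed flows from the remote server the post mentions to a host in lan_1.
SSH_FLOW = ("192.168.8.200", "10.10.10.5", "tcp", 22)
HTTP_FLOW = ("192.168.8.200", "10.10.10.5", "tcp", 80)

if __name__ == "__main__":
    for label, rules in (("original ", UNTRUST_TO_LAN), ("with deny", WITH_DENY)):
        print(label, "ssh :", evaluate(rules, SSH_FLOW))
        print(label, "http:", evaluate(rules, HTTP_FLOW))
    print("tunnel policies unchanged:",
          tunnel_policy_names(WITH_DENY) == tunnel_policy_names(UNTRUST_TO_LAN))
```

The point of the model is the ordering: the same SSH flow is permitted into the tunnel by the original list and dropped by the inserted deny, while HTTP still reaches the first tunnel policy, and the set of tunnel policies is identical in both lists. Whatever policy design is finally chosen, checking a candidate rule order against a handful of concrete flows like this, before committing, catches most "all traffic is allowed" surprises.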

How to configure srx220 for 2 access points


I would like to configure an SRX 220 for 2 separate (aftermarket) access points.

Please let me know if anything sticks out that I have missed.

1. I haven't tried this configuration yet, but hoped to run it by the 100% of you out there who know better than I do. I'm concerned the propagate-settings portion isn't correct.

 

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2 high 192.168.1.99
set system services dhcp pool 192.168.1.0/24 maximum-lease-time 86400
set system services dhcp pool 192.168.1.0/24 default-lease-time 86400
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 server-identifier 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings fe-0/0/7

set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2 high 192.168.2.99
set system services dhcp pool 192.168.2.0/24 maximum-lease-time 86400
set system services dhcp pool 192.168.2.0/24 default-lease-time 86400
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
set system services dhcp pool 192.168.2.0/24 server-identifier 192.168.2.1
set system services dhcp pool 192.168.2.0/24 propagate-settings fe-0/0/7

set interfaces interface-range interfaces-trust member ge-0/0/0
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 4 family ethernet-switching vlan members dmz-trust
set interfaces fe-0/0/7 unit 0 description "To Cable Modem"
set interfaces fe-0/0/7 unit 0 family inet dhcp
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 4 family inet address 192.168.2.1/24

set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set vlans dmz-trust vlan-id 4
set vlans dmz-trust l3-interface vlan.4

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

set security nat source rule-set dmz-to-untrust from zone dmz-trust
set security nat source rule-set dmz-to-untrust to zone untrust
set security nat source rule-set dmz-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set dmz-to-untrust rule source-nat-rule then source-nat interface


set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0

set security zones security-zone dmz-trust host-inbound-traffic system-services all
set security zones security-zone dmz-trust host-inbound-traffic protocols all
set security zones security-zone dmz-trust interfaces vlan.4

set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/7.0
set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp

set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

set security policies from-zone dmz-trust to-zone dmz-trust policy default-permit match source-address any
set security policies from-zone dmz-trust to-zone dmz-trust policy default-permit match destination-address any
set security policies from-zone dmz-trust to-zone dmz-trust policy default-permit match application any
set security policies from-zone dmz-trust to-zone dmz-trust policy default-permit then permit
set security policies from-zone dmz-trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone dmz-trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone dmz-trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone dmz-trust to-zone untrust policy trust-to-untrust then permit

 

P.S.  I do understand some of the challenges users will face with these devices being on a separate network.  I see this more or less as a baby step.

SRX 240 cluster nflow problem


Hi,

I want to collect NetFlow from my SRX cluster to a NetFlow collector. I have configured the SRX as follows:

> show configuration forwarding-options

 

sampling {
    input {
        rate 100;
    }
    family inet {
        output {
            flow-inactive-timeout 15;
            flow-active-timeout 60;
            flow-server 10.10.1.252 {
                port 9995;
                source-address 10.10.1.1;
                version 5;
            }
        }
    }
}

 

> show configuration interfaces reth5

redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    family inet {
        filter {
            input from_internet;
        }
        sampling {
            input;
            output;
        }
        address x.x.x.x;
    }
}

 

But the NetFlow collector shows very high values for ingress and egress traffic on all interfaces. This configuration works fine for a non-clustered SRX240. Is there any workaround for chassis cluster?

Thanks
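For anyone checking what a collector actually receives from this configuration, here is an added Python example; it is not from the post and not Juniper or collector code. It builds and decodes a NetFlow version 5 export packet, the format the `version 5` / `port 9995` configuration above exports, and attributes each record's byte count to its input (ingress) and output (egress) ifIndex, scaled by the sampling interval carried in the header, which is how a collector turns sampled records into per-interface totals. The flows, the ifIndex values 600 and 700 and the addresses are constructed; the `rate 100` scaling mirrors the post's configuration.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order): 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

# Constructed sample flows: ifIndex 600 stands in for reth5.0, 700 for an inside interface.
SAMPLE_FLOWS = [
    {"srcaddr": "203.0.113.10", "dstaddr": "192.168.1.20", "input": 600, "output": 700,
     "dPkts": 10, "dOctets": 12000, "srcport": 443, "dstport": 51000, "prot": 6},
    {"srcaddr": "192.168.1.20", "dstaddr": "203.0.113.10", "input": 700, "output": 600,
     "dPkts": 8, "dOctets": 4000, "srcport": 51000, "dstport": 443, "prot": 6},
]


def build_v5(flows, sampling_rate, sequence=1):
    """Serialise flows into one NetFlow v5 export packet (used here only to create test input)."""
    # Header sampling field: top two bits are the sampling mode, low 14 bits the interval.
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0, sampling_rate & 0x3FFF)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(f["srcaddr"]), socket.inet_aton(f["dstaddr"]),
                       socket.inet_aton("0.0.0.0"), f["input"], f["output"], f["dPkts"],
                       f["dOctets"], 0, 0, f["srcport"], f["dstport"], 0, 0, f["prot"], 0,
                       0, 0, 0, 0, 0)
        for f in flows)
    return header + body


def parse_v5(packet):
    """Decode one export packet; returns (header dict, list of record dicts)."""
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {version})")
    header = {"version": version, "count": count, "flow_sequence": seq,
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        values = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, values))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        records.append(rec)
    return header, records


def bytes_per_interface(records, sampling_interval):
    """Attribute scaled byte counts to the input (ingress) and output (egress) ifIndex of each record."""
    scale = sampling_interval or 1
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for rec in records:
        totals[rec["input"]]["in"] += rec["dOctets"] * scale
        totals[rec["output"]]["out"] += rec["dOctets"] * scale
    return dict(totals)


if __name__ == "__main__":
    packet = build_v5(SAMPLE_FLOWS, sampling_rate=100)
    header, records = parse_v5(packet)
    print(f"{len(packet)} bytes, {header['count']} records, sampling interval {header['sampling_interval']}")
    for ifindex, counters in sorted(bytes_per_interface(records, header["sampling_interval"]).items()):
        print(f"ifIndex {ifindex}: in {counters['in']} bytes, out {counters['out']} bytes")
```

Two things in this decoder are worth comparing against a real export when the numbers look too high: the sampling interval the header carries versus the factor the collector applies, and which ifIndex values the records attribute traffic to; a per-interface total computed this way can be set beside the interface's own byte counters for a sanity check.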

 

Junos OS difference between new version and 11.4


Hi, I am using Junos v11.4; because of EOS, I am thinking of upgrading the OS.

I would like to get detailed information about the differences between the new version and 11.4. Where can I get it?

Also, I have never done an OS upgrade. Is it dangerous or easy to do?

 

Thanks,

 


design solution


Hi,

I have a specific requirement to connect two SRX3400 firewalls in a cluster and have a DMZ area in place where multiple different DMZ subnets need to be connected using a couple of Cisco stack switches. I am wondering what the best design would be: either connect a couple of trunk links between the switches and the firewalls and have the switches do the VLAN routing, or have reth interfaces configured between the switches and the firewall links and have the VLANs defined on the SRX, with the subnets defined as unit configuration?

VLAN segregation is a must in the design. Could I have multiple reth L3 interfaces between the firewalls and the same switches using VLAN IDs and IP addresses?

 

Regards

 

F

Maximum number of CoS Virtual Channels on SRX


Is there a limit on the maximum number of CoS virtual channels that can be used on an interface (i.e. the maximum number of virtual channels in one virtual channel group, the total number of virtual channels per system, etc.)?

I am planning for quite a lot of them, and not sure if it will be possible...

 

Regards,

Pawel Mazurkiewicz

SRX650 Chassis cluster switchover 【Interface is LACP down】

Hi everyone,

The SRX650 firewall commits a group configuration, including NAT, policy and routing, and afterwards the firewall finds the switch-facing interface LACP down.

Nov 9 15:44:21 2016 XXXX1 mib2d[1574]: SNMP_TRAP_LINK_DOWN: ifIndex 532, ifAdminStatus up(1), ifOperStatus down(2), ifName reth1

Physical interface: reth1, Enabled, Physical link is Up
………………
Last flapped : 2016-11-09 15:44:14 CST (01:40:23 ago)

Nov 9 15:44:14.496 : primary->secondary-hold, reason: Monitor failed: IF
Nov 9 15:44:15.507 : secondary-hold->secondary, reason: Ready to become secondary

Nov 9 15:43:01 2016 XXXXXX mgd[30624]: %INTERACT-5-UI_COMMIT: User 'ucs5aphc' requested 'commit' operation (comment: none)
Nov 9 15:44:10 2016 XXXXXX mgd[30624]: %INTERACT-5-UI_COMMIT_CONFIRMED_REMINDER: 'commit confirmed' must be confirmed within 5 minutes
Nov 9 15:44:13 2016 XXXXXX /kernel: %KERN-5-KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-1/0/4 - ATTACHED state - acting as standby link
Nov 9 15:44:13 2016 XXXXXX lacpd[1552]: %DAEMON-5-LACPD_TIMEOUT: ge-1/0/4: lacp current while timer expired current Receive State: CURRENT
Nov 9 15:44:14 LACP: ge-1/0/1 is LACP down
Nov 9 15:44:14 jsrpd_ifd_msg_handler: Interface ge-1/0/1 is up
Nov 9 15:44:14 LACP: ge-1/0/1 oper_state=0x8f reth_db[1].lacp_mode=2
Nov 9 15:44:14 LACP: ge-1/0/1 is LACP down
Nov 9 15:44:14 ge-1/0/1 interface monitored by RG-1 changed state from Up to Down
Nov 9 15:44:14 intf failed, computed-weight -257
Nov 9 15:44:14 Current threshold for rg-1 is -257. Setting priority to 0. Failures: interface-monitoring

Why does LACP go down when a configuration is committed? Have you ever met this situation? Thank you very much.

SRX 100 High CPU with small traffic


Hello,

 

Our client has an SRX100B running JUNOS Software Release [11.4R4.4].

Every day, at some point somebody tries to download or do something, and traffic increases to 10 Mbps. When traffic increases, the CPU spikes to 80%-100%. When I tried disabling security-log (set system processes security-log disable) the CPU came down to normal, but then our SNMP monitoring (PRTG) doesn't show CPU load, temperature and the other sensors. I think this traffic is not big enough for an SRX100 to spike the CPU to 100%. Could that be wrong? Maybe some special packet or defragmentation leads to the high CPU?

This is my config and some pictures.

 

Thank you.

SRX240 Can't commit changes


Just out of curiosity (o;

 

I see lately some SRX240 devices sold as broken with the remark that changes can't be committed/saved.

Is this just some flash issue which can be solved easily?

OTOH the flash is soldered, I assume...

 

 

srx5400 HA cluster and dual SPC


Hi,

 

I've got two SRX5400s, each with two SPC cards, in an HA cluster.

I am aware that the SRX5400 can have only one RE, so only control port 0 (em0) can be used.

All of the dual control link configuration references are for the SRX5600/5800 when two REs are present, i.e. when both HA control port 1 and port 0 on the SPC are used.

But what about dual control port 0, from each of the two SPCs?

 

So currently I've got:

control-ports {
    fpc 1 port 0;
    fpc 4 port 0;
}

Can I have this?

control-ports {
    fpc 0 port 0;
    fpc 1 port 0;
    fpc 3 port 0;
    fpc 4 port 0;
}

 

Also to note, the FPC0 SPC, which isn't connected to its counterpart on the other node, doesn't have the HA LED on.

 

Any reference to documentation explaining this is welcome.

 

Thanks!

 

 

 

SRX routing with redundant connections


Hi Guys, 

 

My first post here. I am trying to figure out how I can route using diverse links to the same ISP via independent SRXes and do load balancing and failover. Is this possible? I talked to the ISP and they are recommending using BGP. We were thinking of using the ISP's managed router. How would I route traffic from the QFX to the SRXes? My thinking was to use per-packet load balancing and use the qualified next hop for failover, but I don't think that would work. The SRXes are not in an HA cluster, so the only place this whole thing combines is at the QFX5100 cluster. Here is a picture of the layout. We are using SRX550Ms. Any help would be greatly appreciated.

 

+---------+        +---------+
|   ISP   |        |   ISP   |
+----+----+        +----+----+
     |                  |
     |                  |
+----+----+        +----+----+
|   SRX   |        |   SRX   |
+----+----+        +----+----+
     |                  |
     |                  |
     |   +----------+   |
     +---+   QFX    +---+
         +----------+

 


Route-Based VPN - Traffic forwarded in Incorrect VPN


Hi 

 

Having an issue with a route-based VPN: traffic is being forwarded in the incorrect VPN.

Setup:

+ Juniper SRX 650 cluster

+ Two VPN tunnels towards the remote location with a primary/secondary setup.

+ Forwarding routing-instance (name: RInstance) configured with a default route (st0.3 primary / st0.1 secondary)

+ Both the internal network and the st0 interfaces are in the trust zone with a policy permitting all traffic.

+ Firewall filter configured to match the internal traffic and point it to "RInstance"

Issue:

+ Traffic flow from the remote end to our local network is unsuccessful.

+ We can see the session installed with the incorrect incoming interface.

+ Traffic is received on st0.3 but the session table shows st0.1

Tunnel index:

st0.1 - 131074

st0.3 - 131075

 

Session ID: 92441, Policy name: trust-trust-policy/150, State: Active, Timeout: 2, Valid
In: X.X.4.167/11798 --> X.X.9.5/53764;icmp, If: st0.1, Pkts: 1, Bytes: 60
Out: X.X.9.5/53764 --> X.X.4.167/11798;icmp, If: reth0.0, Pkts: 1, Bytes: 60
Total sessions: 1

 

Logs where incorrect interface is installed. 

====================================

Nov 11 11:34:36 11:34:36.777192:CID-1:RT: Session (id:92441) created for first pak 10224
Nov 11 11:34:36 11:34:36.777192:CID-1:RT:first pak processing successful
Nov 11 11:34:36 11:34:36.777192:CID-1:RT: flow_first_install_session======> 0x57ae6960
Nov 11 11:34:36 11:34:36.777192:CID-1:RT: nsp 0x57ae6960, nsp2 0x57ae69f0
Nov 11 11:34:36 11:34:36.777192:CID-1:RT: make_nsp_ready_no_resolve()
Nov 11 11:34:36 11:34:36.777349:CID-1:RT:flow_ipv4_rt_lkup success X.X.4.167, iifl 0x55, oifl 0x53

Nov 11 11:34:36 11:34:36.777349:CID-1:RT: route lookup: dest-ip X.X.4.167 orig ifp st0.3 output_ifp st0.1 orig-zone 8 out-zone 8 vsd 0
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: reroute handling for tunnel 20020003

Nov 11 11:34:36 11:34:36.777349:CID-1:RT: Doing IPSec traffic-selector match for X.X.9.5 -> X.X.4.167
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: Did not find traffic-selector enabled nsp_tunnel for st0-ifp st0.1. Finding non-traffic-selector nsp_tunnel
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.1
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: Found IPSec nsp_tunnel 0x5e3fac00 for bind-ifp st0.1
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: existing vector list 0x10224-0x4b2da2d0.
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: setting tunnel vector since the routed interface is st0.1
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: route to X.X.4.167
Nov 11 11:34:36 11:34:36.777479:CID-1:RT:ha_ifp: reth0.0

 

 

Any suggestions?

Thanks in advance
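Added example, not from the post: a few lines of Python that pull the two facts the post compares out of the flow trace and the session output, the `route lookup ... orig ifp ... output_ifp ...` line and the `In: ... If:` wing of the session, and report sessions that were installed on the routed interface rather than on the one the packet arrived on. The sample lines are the ones quoted in the post, with the addresses still masked as `X.X.*`; the same functions can be pointed at a longer `traceoptions` flow trace.

```python
import re

# Session output and flow-trace lines quoted in the post (addresses masked there as X.X.*).
SAMPLE_LINES = """
Session ID: 92441, Policy name: trust-trust-policy/150, State: Active, Timeout: 2, Valid
In: X.X.4.167/11798 --> X.X.9.5/53764;icmp, If: st0.1, Pkts: 1, Bytes: 60
Out: X.X.9.5/53764 --> X.X.4.167/11798;icmp, If: reth0.0, Pkts: 1, Bytes: 60
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: route lookup: dest-ip X.X.4.167 orig ifp st0.3 output_ifp st0.1 orig-zone 8 out-zone 8 vsd 0
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: reroute handling for tunnel 20020003
Nov 11 11:34:36 11:34:36.777349:CID-1:RT: setting tunnel vector since the routed interface is st0.1
""".strip().splitlines()

ROUTE_LOOKUP = re.compile(r"route lookup: dest-ip (\S+) orig ifp (\S+) output_ifp (\S+)")
SESSION_IN = re.compile(r"^In: (\S+) --> (\S+);(\w+), If: ([^,]+),")


def rerouted_lookups(lines):
    """(dest-ip, arrival ifp, routed ifp) for every route lookup whose result differs from the arrival interface."""
    found = []
    for line in lines:
        m = ROUTE_LOOKUP.search(line)
        if m and m[2] != m[3]:
            found.append((m[1], m[2], m[3]))
    return found


def session_in_wings(lines):
    """Map (src, dst, protocol) of each session's In wing to the interface it was installed on."""
    wings = {}
    for line in lines:
        m = SESSION_IN.match(line)
        if m:
            wings[(m[1], m[2], m[3])] = m[4]
    return wings


def installed_on_routed_interface(lines):
    """Sessions whose In wing sits on the routed interface instead of the one the packet arrived on."""
    reroutes = {dst: (arrival, routed) for dst, arrival, routed in rerouted_lookups(lines)}
    mismatches = []
    for (src, _dst, _proto), ifp in session_in_wings(lines).items():
        src_ip = src.split("/")[0]  # the reverse-path lookup is keyed on the session's source address
        if src_ip in reroutes and ifp == reroutes[src_ip][1]:
            mismatches.append((src_ip, reroutes[src_ip][0], ifp))
    return mismatches


if __name__ == "__main__":
    for src_ip, arrival, installed in installed_on_routed_interface(SAMPLE_LINES):
        print(f"session from {src_ip}: arrived on {arrival}, installed on {installed}")
```

On the post's lines the check reports one session, arrived on st0.3 and installed on st0.1, which is the mismatch the post describes; run over a full trace it gives a list of affected sessions rather than one hand-picked example.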

 

BGP neighborship delay after flap


Hi Guys, 

 

Hoping someone can help me. I've noticed that if I have a BGP neighbor flap on my SRX210H2s, the device starts a timer and waits just over 30 seconds before trying to establish the BGP session again.

Is there any way around this? I can't believe this is normal behaviour, but it is happening on all our devices.

All BGP peerings are between our SRX 210s and MX104s.

 

Any ideas or thoughts?

 

/EDIT/

We run BFD on the BGP sessions, so detection time is quick (1.5 seconds), but the time for re-establishment is relatively long.

SRX 650 with dual ISP


Hello champions,

Please advise on the attached design:

SRX650 with dual ISP (BGP failover)

I have two subnets in the LAN, 10.10.10.0/24 & 20.20.20.0/24.

10.10.10.0/24 will be routed to ISP-1 & 20.20.20.0/24 will be routed to ISP-2.

If ISP-1 fails, both subnets will be routed to ISP-2, and vice versa.

I will be thankful if you answer with a configuration.

 

Thanks in advance

Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line


Dear friends,

I am facing an issue with Cisco switch to Juniper SRX650 failover.
I have a 3750 stack switch (2 units) connected to two SRX650 Juniper devices with failover.

Let me explain the internal switch configuration.
We have a stack switch setup (2 x Cisco 3750 hardware).

The configuration is as follows:

interface Port-channel2
description To Firewall
no switchport
ip address 192.168.50.1 255.255.255.0


interface Port-channel4
description To Firewall
no switchport
ip address 192.168.51.1 255.255.255.0


Interface config###

interface GigabitEthernet1/0/23
description PortChannel to Juniper SRX2
no switchport
no ip address
channel-group 4 mode active
!
interface GigabitEthernet1/0/24
description PortChannel to Juniper SRX2
no switchport
no ip address
channel-group 4 mode active


interface GigabitEthernet2/0/23
description PortChannel to Juniper SRX1
no switchport
no ip address
channel-group 2 mode active
!
interface GigabitEthernet2/0/24
description PortChannel to Juniper SRX1
no switchport
no ip address
channel-group 2 mode active

 


# Routing #####

ip route 0.0.0.0 0.0.0.0 192.168.50.2
ip route 0.0.0.0 0.0.0.0 192.168.51.2 50

 


Current physical cabling (while checking failover, data traffic is not passing to the switch in the current setup):

GigabitEthernet2/0/23 & GigabitEthernet2/0/24 -> Juniper 1 (Port-channel 2)
GigabitEthernet1/0/23 & GigabitEthernet1/0/24 -> Juniper 2 (Port-channel 4)

Proposed physical change I am planning from the switch side to solve this issue (please advise whether this will work or not, and what precautions we have to take before starting this activity, e.g. whether we need to shut down LACP on the switch):

GigabitEthernet1/0/23 & GigabitEthernet2/0/24 -> Juniper 1 (Port-channel 4 & Port-channel 2)
GigabitEthernet2/0/23 & GigabitEthernet1/0/24 -> Juniper 2 (Port-channel 2 & Port-channel 4)

Now channel-group 2 is active; on failover the connection will switch to 4, but no traffic is initiated. I think the switch is still forwarding traffic to the channel-group 2 interfaces.

 

 

Thanks in Advance

Sarath

SRX110 connectivity


Hi, I'm connected to the internet with a router and I'm trying to configure an SRX110 behind it, without using the WAN port, but something doesn't work correctly.

Is it possible to use this device with normal Ethernet connectivity, or must I have an ADSL/VDSL connection?

If possible, where can I find some configuration examples? I've followed some guides but none of them works for me.
