Channel: SRX Services Gateway topics

SRX100 is dead


I have an SRX100 that does not boot up. When I plug it in with the console attached nothing is shown on console. All the LEDs light up and stay on. I have tried changing the little CR2032 battery inside but this has had no effect. The unit looks in very good physical condition both externally and internally. 

 

Does anyone have any ideas before I throw it out? It seems a shame to dispose of it.


SRX240H2 + Cradlepoint IBR650 VLAN Issues?


Hi,

 

I've set up a brand new Cradlepoint IBR650 which, when tested externally, works perfectly fine on the VLANs it has configured for the interface setup, essentially a port trunk of 2x VLANs on the single physical interface. If I tag traffic from another system (i.e. my laptop) with the right VLAN ID, everything works as expected.

 

When plugging into my SRX240H2, however... even though I've had an almost identical setup with a CX111 previously, for some reason it does not seem to work.

 

I can see the Admin & Link are up for the VLAN, and I can see the VLAN's interfaces with the * next to them indicating it should be fine, yet even a simple ping from the SRX, forcing it via the VLAN interface using bypass-routing, doesn't get a reply.

 

Here's what's setup:

 

2x VLANs, VLAN 2, and 3900

 

VLAN 2 is setup as a DHCP client for IP Passthrough mode from the IBR650.

VLAN 3900 is the management interface set up with a static IP (although it could also be a DHCP client if I wanted), but for now it's statically assigned to 192.168.0.2

 

Here's a copy/paste of the interface configuration:

 

@SRX240H-DC> show configuration interfaces ge-0/0/5
description "4G [100Mbps] (ext-cx-data & ext-cx-management)";
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ CX-Data CX-Management ];
        }
        native-vlan-id CX-Data;
    }
}

 

---

 

@SRX240H-DC> show configuration interfaces vlan
unit 0 {
    family inet {
        address 192.168.1.1/24;
    }
}
unit 2 {
    description "Transit: 4G [100Mbps] (ext-cx-data)";
    family inet {
        dhcp;
    }
}
unit 3900 {
    description "4G [100Mbps] (ext-cx-management)";
    family inet {
        address 192.168.0.2/24;
    }
}

 

---

 

@SRX240H-DC> show interfaces vlan.3900 terse
Interface     Admin  Link  Proto  Local             Remote
vlan.3900     up     up    inet   192.168.0.2/24

@SRX240H-DC> show interfaces vlan.2 terse
Interface     Admin  Link  Proto  Local             Remote
vlan.2        up     up    inet

 

From a physical perspective it's simply SRX240H (ge-0/0/5) <-- [Cat 5e Cable] --> IBR650 (Port 0)

 

Any assistance would be appreciated, as from what I can see it appears to be configured correctly, but obviously something isn't quite working.

 

Rate-limiting not working


Hi,

 

I am trying to limit both upload and download speeds for a specific host to 1Mbps.  This is my configuration for rate-limiting using a firewall filter:

 

firewall {
    family inet {
        filter output-limit {
            term 0 {
                from {
                    source-address {
                        192.168.1.66/32;
                    }
                }
                then {
                    policer policer-1mb;
                    accept;
                }
            }
        }
    }
    policer policer-1mb {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 625k;
        }
        then discard;
    }
}

vlan {
    unit 0 {
        family inet {
            filter {
                input output-limit;
                output output-limit;
            }
            address 192.168.1.1/24;
        }
    }
}

 

However, not only is the rate-limiting not working, it brings down the entire vlan.0. All the devices on the VLAN lose connectivity; I cannot even ping 192.168.1.1 anymore from any device on the VLAN.

 

Can someone please tell me what I am doing wrong?  

 

Thanks!
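An added example, not part of the post above: the posted filter has a single term, so every packet that is not from 192.168.1.66 falls through to the implicit discard at the end of a Junos firewall filter, and on the output side of vlan.0 the host appears as the destination rather than the source, so the same term does not match traffic sent to it. The configuration below adds a final accept term and a separate output filter keyed on destination-address; the filter and term names are my own, the policer is the one from the post.

```junos
firewall {
    family inet {
        /* applied as input on vlan.0: traffic sent by the host */
        filter limit-from-host {
            term police-host {
                from {
                    source-address {
                        192.168.1.66/32;
                    }
                }
                then {
                    policer policer-1mb;
                    accept;
                }
            }
            /* without this term the filter ends in an implicit discard */
            term allow-everything-else {
                then accept;
            }
        }
        /* applied as output on vlan.0: traffic delivered to the host */
        filter limit-to-host {
            term police-host {
                from {
                    destination-address {
                        192.168.1.66/32;
                    }
                }
                then {
                    policer policer-1mb;
                    accept;
                }
            }
            term allow-everything-else {
                then accept;
            }
        }
    }
    policer policer-1mb {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 625k;
        }
        then discard;
    }
}
interfaces {
    vlan {
        unit 0 {
            family inet {
                filter {
                    input limit-from-host;
                    output limit-to-host;
                }
                address 192.168.1.1/24;
            }
        }
    }
}
```

After committing, `show firewall` lists per-policer packet counters, which is the quickest way to confirm that only the host's traffic is being policed while the rest of vlan.0 keeps passing.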

No more variables left in this MIB View (It is past the end of the MIB tree)


Hi,

 

We use 2 Juniper SRX220 firewalls.

One is active and one is passive.

I want to use SNMP V3.

The following configuration is entered:

Gate@gate-0# edit snmp v3

{primary:node0}[edit snmp v3]
Gate@gate-0# show
usm {
    local-engine {
        user john {
            authentication-md5 {
                authentication-key "$9$0SXf1IcvMQb... end so on"; ## SECRET-DATA
            }
            privacy-none;
        }
    }
}
vacm {
    security-to-group {
        security-model usm {
            security-name john {
                group group_john;
            }
        }
    }
    access {
        group ALL-ACCESS {
            default-context-prefix {
                security-model usm {
                    security-level privacy {
                        read-view GLOBAL;
                        write-view GLOBAL;
                    }
                }
            }
        }
        group group_john {
            default-context-prefix {
                security-model usm {
                    security-level none {
                        read-view full-mib;
                    }
                }
            }
        }
    }
}

 


On a Linux system I execute the snmpwalk (or snmpget) command:

 

$ snmpwalk -v 3 -u john -a md5 -A abc123 192.168.6.1 .1.3.6.1.2.1.1
iso.3.6.1.2.1.1 = No more variables left in this MIB View (It is past the end of the MIB tree)

 

With SNMP V1 I get the correct output:

snmpwalk -v 1 -c public 192.168.6.1 .1.3.6.1.2.1.1
iso.3.6.1.2.1.1.1.0 = STRING: "Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X46-D40.2 #0: 2015-09-26 02:25:28 UTC builder@greteth.juniper.net:/volume/build/junos/12.1/service/12.1X46-D40.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-09-26 04:4"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.2636.1.1.1.2.58
iso.3.6.1.2.1.1.3.0 = Timeticks: (180214609) 20 days, 20:35:46.09
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "Gate-0"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 4

 

 

But I had to use SNMP V3.

How can I solve this SNMP V3 "No more variables left..." problem?

 

Thanks.

Site to site VPN not able to use the second public IP address


I had configured the primary public IP address for a Dynamic VPN connection on an SRX220H2 and it is working now. Now I would like to use the second public IP address for a site-to-site VPN connection. No matter whether I use a route-based or policy-based site-to-site VPN, it will not find the second public IP address and keeps using the primary public IP address. I hope someone can help check the attached config file and see if anything is missing. I already tried the Identity ID to use the second public IP address, but it did not bring any improvement.

 

Here is the error, which only finds 218.255.187.42 instead of 218.255.187.43:

Importing SRX in JunosSpace and Address Object Conflict


Hi,

 

We have multiple sites with an SRX as the Internet gateway. All sites have their own proxies. The address book at each site has the same address-book name, but they all have different IP addresses.

 

Now I am going to deploy JunosSpace Security Director.

 

I have one concern: while I am importing devices into Security Director, it may show me a conflict on the address book.

 

Kindly let me know how to avoid this conflict. All SRXs should retain their own address book with their different IPs.

Policy Based VPN - SRX210H to ASA5550


Hello

 

I am attempting to configure a site-to-site VPN between two separate sites using a Juniper SRX210H and a Cisco ASA5550.

 

I can see that the ASA is able to successfully raise the tunnel; however, when I attempt to raise the tunnel from the Juniper side it is unsuccessful and I see the following errors through the ASA "debug crypto isakmp 255" command:

 

Nov 27 20:08:47 [IKEv1]: IP = XX.XX.XX.XX, IKE_DECODE RECEIVED Message (msgid=e76bed9e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 216
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, processing hash payload
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, processing SA payload
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, processing nonce payload
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, processing ID payload
Nov 27 20:08:47 [IKEv1 DECODE]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Received remote IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, processing ID payload
Nov 27 20:08:47 [IKEv1 DECODE]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, QM IsRekeyed old sa not found by addr
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Static Crypto Map check, checking map = hdd2vpn, seq = 10...
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Static Crypto Map check, map = hdd2vpn, seq = 10, ACL does not match proxy IDs src:0.0.0.0 dst:0.0.0.0
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Static Crypto Map check, checking map = hdd2vpn, seq = 20...
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Static Crypto Map check, map = hdd2vpn, seq = 20, ACL does not match proxy IDs src:0.0.0.0 dst:0.0.0.0
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Static Crypto Map check, checking map = hdd2vpn, seq = 30...
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Static Crypto Map check, map = hdd2vpn, seq = 30, ACL does not match proxy IDs src:0.0.0.0 dst:0.0.0.0
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Static Crypto Map check, checking map = hdd2vpn, seq = 40...
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Static Crypto Map check, map = hdd2vpn, seq = 40, ACL does not match proxy IDs src:0.0.0.0 dst:0.0.0.0
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface internet_network
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, sending notify message
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, constructing blank hash payload
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, constructing qm hash payload
Nov 27 20:08:47 [IKEv1]: IP = XX.XX.XX.XX, IKE_DECODE SENDING Message (msgid=73f1f907) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 272

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
87 54 54 50 b0 8d 8b

ISAKMP Header
  Initiator COOKIE: 87 54 54 50 b0 8d 8b 00
  Responder COOKIE: 88 5c 31 46 b7 91 2d c2
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 07F9F173
  Length: 469762048
  Payload Hash
    Next Payload: Notification
    Reserved: 00
    Payload Length: 24
    Data:
      4b c0 59 
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 220
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: INVALID_ID_INFO
    SPI:
      87 54 54 50 b0 8d 8b 00 88 5c 31 46 b7 91 2d c2
    Data:
      01 00 0

ISAKMP Header
  Initiator COOKIE: 87 54 54 50 b0 8d 8b 00
  Responder COOKIE: 88 5c 31 46 b7 91 2d c2
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 73F1F907
  Length: 284
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, QM FSM error (P2 struct &0x76f64960, mess id 0xe76bed9e)!
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, IKE QM Responder FSM error history (struct &0x76f64960)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, sending delete/delete with reason message
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Removing peer from correlator table failed, no match!
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, IKE SA MM:46315c88 rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, IKE SA MM:46315c88 terminating:  flags 0x01010002, refcnt 0, tuncnt 0
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, sending delete/delete with reason message
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, constructing blank hash payload
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, constructing IKE delete payload
Nov 27 20:08:47 [IKEv1 DEBUG]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, constructing qm hash payload
Nov 27 20:08:47 [IKEv1]: IP = XX.XX.XX.XX, IKE_DECODE SENDING Message (msgid=141a8205) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
87 54 54 50 b0 8d 8b 00 88 5c 31 46 b7 91 2d c2    |  .TTP.....\1F..-.
08 10 05 00 05 82 1a 14 1c 00 00 00 0c 00 00 18    |  ................
39 a3 02 fb 16 4b 04 f6 8d df 2f 5a 10 20 57 16    |  9....K..../Z. W.
8c ea 5e d4 00 00 00 1c 00 00 00 01 01 10 00 01    |  ..^.............
87 54 54 50 b0 8d 8b 00 88 5c 31 46 b7 91 2d c2    |  .TTP.....\1F..-.

ISAKMP Header
  Initiator COOKIE: 87 54 54 50 b0 8d 8b 00
  Responder COOKIE: 88 5c 31 46 b7 91 2d c2
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 05821A14
  Length: 469762048
  Payload Hash
    Next Payload: Delete
    Reserved: 00
    Payload Length: 24
    Data:
      39 a3 02 fb 16 4b 04 f6 8d df 2f 5a 10 20 57 16
      8c ea 5e d4
  Payload Delete
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    # of SPIs: 1
    SPI (Hex dump):
      87 54 54 50 b0 8d 8b 00 88 5c 31 46 b7 91 2d c2

ISAKMP Header
  Initiator COOKIE: 87 54 54 50 b0 8d 8b 00
  Responder COOKIE: 88 5c 31 46 b7 91 2d c2
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 141A8205
  Length: 92
Nov 27 20:08:47 [IKEv1]: Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, Session is being torn down. Reason: crypto map policy not found
Nov 27 20:08:47 [IKEv1]: Ignoring msg to mark SA with dsID 13574144 dead because SA deleted

 

XX.XX.XX.XX being the external IP of the Juniper device.

 

Any help or advice would be much appreciated.

 

Thanks

 

Andrew

Interface Zero in Jflow


Hi

 

I've enabled jflow v5 on our Juniper running 12.1X46.

The jflow packets contain a bunch of interface IDs that I can cross-reference from the ifIndex values in SNMP. No problem.

However, there is one interface, "Interface 0", which is not represented in SNMP.

Any ideas what this interface is?

 

Attached below is the part of the raw jflow packet that I can show you (decoded in Wireshark).

 

 


PPTP behind SRX


Hi, 

 

In our old office we had a WatchGuard that allowed users to connect to a Windows server running a PPTP VPN.

 

We now have an SRX and I have been tasked with getting it working. I think I am nearly there but am a bit confused.

 

set security nat static rule-set Static_NAT from zone untrust
set security nat static rule-set Static_NAT rule r1 match destination-address "public_ip_of_the_srx/32"
set security nat static rule-set Static_NAT rule r1 then static-nat prefix "DC5_address"/32
set security nat proxy-arp interface ge-0/0/5.0 address "public_ip_of_the_srx/32"

 

 

set security policies from-zone untrust to-zone Servers policy VPN_PPTP match source-address any
set security policies from-zone untrust to-zone Servers policy VPN_PPTP match destination-address DC5
set security policies from-zone untrust to-zone Servers policy VPN_PPTP match application junos-pptp
set security policies from-zone untrust to-zone Servers policy VPN_PPTP match application junos-gre
set security policies from-zone untrust to-zone Servers policy VPN_PPTP then permit

 

DC5 is the Windows server hosting the VPN, and I have a rule allowing it access to untrust.

SRX345 Management Link Down


Ok, so I got my first SRX345 today. I was going through my standard process of setting it up for the lab. I noticed that the alarm light was red. Normal issue on a new device is that I have nothing plugged into the management port. So, I ran the standard command:

 

root@srx# set chassis alarm management-ethernet link-down ignore

root@srx# commit

root@srx# show chassis

alarm {
##
## Warning: configuration block ignored: unsupported platform (srx345)
##
     management-ethernet {
          link-down ignore;
     }
}

 

Well, that's not what I wanted to see. I did a few things to see if I could get this cleared, even deleting the interface. My thought: no interface, the device can't complain... wrong. I had to disable the fxp0 interface for the alarm light to go away.

 

root@srx# set interfaces fxp0 disable

root@srx# show interface fxp0

disable;
     unit 0 {
          family inet {
               address 192.168.1.1/24;
          }
     }

 

I also went far enough to remove the inet address from the interface. That's just so as not to confuse the next person messing with this device in the lab:

 

root@srx# delete interface fxp0.0 family inet address 192.168.1.1/24

root@srx# show interface fxp0

disable;
     unit 0 {
         family inet;
     }

root@srx# commit

 

All good, no red alarm light. The amber/yellow light still on alarm just means that there's no rescue configuration saved. I'll do that once I get the configuration completed.

 

root@srx> request system autorecovery state save

 

Cheers!

SRX300 can't ping irb interfaces, or Google, or anything from terminal!


I know this worked at some point, but for some reason I can't ping any of my irb interfaces, or Google's name servers, or pretty much anything. I'm not seeing anything being blocked by policy, but maybe I'm missing something. Could someone take a look at my SRX300 and see if I'm missing something?

No Cluster functionality after Upgrade SRX240


Hello,

After upgrading our Juniper cluster (two SRX240) via In-Service Software Upgrade from version 12.1X46-D40 to 12.1X55-D40, our cluster no longer works. There is no connection between the nodes.

Before the upgrade we made a snapshot on a USB stick.

Actually, we boot one node from the USB stick; this works.

--- JUNOS 12.1X46-D40.2 built 2015-09-26 02:25:28 UTC
---
--- NOTICE: System is running on alternate media device (/dev/da1s1a).
---
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Some information from the running cluster:

root@FW> show chassis cluster status

Cluster ID: 1
Node   Priority   Status    Preempt   Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  254        primary   no        no       None
node1  0          lost      n/a       n/a      n/a

Redundancy group: 1 , Failover count: 1
node0  0          primary   no        no       CS
node1  0          lost      n/a       n/a      n/a

root@FW> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Status   Internal-SA
    0       fxp1        Down     Disabled

Fabric link status: Down

Fabric interfaces:
    Name   Child-interface   Status
                             (Physical/Monitored)
    fab0   ge-0/0/2          Up / Down
    fab0

root@FW> show chassis cluster statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 135504
Heartbeat packets received: 0
Heartbeat packet errors: 0
Fabric link statistics:
Child link 0
Probes sent: 271216
Probes received: 0
Child link 1
Probes sent: 0
Probes received: 0
Services Synchronized:
Service name RTOs sent RTOs received
Translation context 0 0
Incoming NAT 0 0
Resource manager 0 0
DS-LITE create 0 0
Session create 8403648 0
IPv6 session create 0 0
Session close 870398 0
IPv6 session close 0 0
Session change 247087 0
IPv6 session change 0 0
ALG Support Library 3318 0
Gate create 0 0
Session ageout refresh requests 0 0
IPv6 session ageout refresh requests 0 0
Session ageout refresh replies 0 0
IPv6 session ageout refresh replies 0 0
IPSec VPN 0 0
Firewall user authentication 0 0
MGCP ALG 0 0
H323 ALG 0 0
SIP ALG 0 0
SCCP ALG 0 0
PPTP ALG 0 0
JSF PPTP ALG 0 0
RPC ALG 0 0
RTSP ALG 0 0
RAS ALG 0 0
MAC address learning 0 0
GPRS GTP 0 0
GPRS SCTP 0 0
GPRS FRAMEWORK 0 0
JSF RTSP ALG 0 0
JSF SUNRPC MAP 0 0
JSF MSRPC MAP 0 0
DS-LITE delete 0 0
JSF SLB 0 0
APPID 0 0
JSF MGCP MAP 0 0
JSF H323 ALG 0 0
JSF RAS ALG 0 0
JSF SCCP MAP 0 0
JSF SIP MAP 0 0
PST_NAT_CREATE 0 0
PST_NAT_CLOSE 0 0
PST_NAT_UPDATE 0 0
JSF TCP STACK 0 0
JSF IKE ALG 0 0


root@FW> show chassis cluster information
node0:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: primary, Weight: 255

        Time              From        To          Reason
        Nov 27 19:54:44   hold        secondary   Hold timer expired
        Nov 27 19:55:00   secondary   primary     Only node present

    Redundancy Group 1 , Current State: primary, Weight: 0

        Time              From        To          Reason
        Nov 27 19:54:44   hold        secondary   Hold timer expired
        Nov 27 19:55:00   secondary   primary     Only node present

Chassis cluster LED information:
    Current LED color: Red
    Last LED change reason: Peer node: node1 is not present
Control port tagging:
    Disabled

Failure Information:

    Coldsync Monitoring Failure Information:
        Statistics:
            Coldsync Total SPUs: 1
            Coldsync completed SPUs: 0
            Coldsync not complete SPUs: 1

    Fabric-link Failure Information:
        Fabric Interface: fab0
            Child interface   Physical / Monitored Status
            ge-0/0/2          Up / Down

    Control-link Failure Information:
        Link Status: Up
        Dual Control Link Status: Unsupported

        Interface   Physical / Monitored Status
        fxp1        Up / Down

 

root@FW> show chassis hardware
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                               SRX240H
Routing Engine   REV 38   750-021793   AAAV6932       RE-SRX240H
FPC 0                                                 FPC
  PIC 0                                               16x GE Base PIC
FPC 1                     750-029144   082009700389   FPC
  PIC 0                                               1x ADSL 2/2+ B
Power Supply 0

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Some information from the second node:

root@FW> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring       FL  Fabric Connection monitoring
    GR  GRES monitoring            HW  Hardware monitoring
    IF  Interface monitoring       IP  IP monitoring
    LB  Loopback monitoring        MB  Mbuf monitoring
    NH  Nexthop monitoring         NP  NPC monitoring
    SP  SPU monitoring             SM  Schedule monitoring

Cluster ID: 1
Node   Priority   Status      Preempt   Manual   Monitor-failures

Redundancy group: 0 , Failover count: 0
node0  0          lost        n/a       n/a      n/a
node1  1          secondary   no        no       None

Redundancy group: 1 , Failover count: 0
node0  0          lost        n/a       n/a      n/a
node1  0          secondary   no        no       IF CS


root@FW> show chassis cluster statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 134771
Heartbeat packets received: 0
Heartbeat packet errors: 0
Fabric link statistics:
Child link 0
Probes sent: 0
Probes received: 0
Child link 1
Probes sent: 0
Probes received: 0
Services Synchronized:
Service name RTOs sent RTOs received
Translation context 0 0
Incoming NAT 0 0
Resource manager 0 0
DS-LITE create 0 0
Session create 0 0
IPv6 session create 0 0
Session close 0 0
IPv6 session close 0 0
Session change 0 0
IPv6 session change 0 0
ALG Support Library 0 0
Gate create 0 0
Session ageout refresh requests 0 0
IPv6 session ageout refresh requests 0 0
Session ageout refresh replies 0 0
IPv6 session ageout refresh replies 0 0
IPSec VPN 0 0
Firewall user authentication 0 0
MGCP ALG 0 0
H323 ALG 0 0
SIP ALG 0 0
SCCP ALG 0 0
PPTP ALG 0 0
JSF PPTP ALG 0 0
RPC ALG 0 0
RTSP ALG 0 0
RAS ALG 0 0
MAC address learning 0 0
GPRS GTP 0 0
GPRS SCTP 0 0
GPRS FRAMEWORK 0 0
JSF RTSP ALG 0 0
JSF SUNRPC MAP 0 0
JSF MSRPC MAP 0 0
DS-LITE delete 0 0
JSF SLB 0 0
APPID 0 0
JSF MGCP MAP 0 0
JSF H323 ALG 0 0
JSF RAS ALG 0 0
JSF SCCP MAP 0 0
JSF SIP MAP 0 0
PST_NAT_CREATE 0 0
PST_NAT_CLOSE 0 0
PST_NAT_UPDATE 0 0
JSF TCP STACK 0 0
JSF IKE ALG 0 0

root@FWG> show chassis cluster information
node1:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: secondary, Weight: 255

        Time              From   To          Reason
        Nov 27 19:09:55   hold   secondary   Hold timer expired

    Redundancy Group 1 , Current State: secondary, Weight: -3315

        Time              From   To          Reason
        Nov 27 19:09:56   hold   secondary   Hold timer expired

Chassis cluster LED information:
    Current LED color: Red
    Last LED change reason: Peer node: node0 is not present
Control port tagging:
    Disabled

Failure Information:

    Coldsync Monitoring Failure Information:
        Statistics:
            Coldsync Total SPUs: 1
            Coldsync completed SPUs: 0
            Coldsync not complete SPUs: 1

    Interface Monitoring Failure Information:
        Redundancy Group 1, Monitoring status: Failed
            Interface     Status
            ge-5/0/15     Down
            ge-5/0/14     Down
            ge-5/0/13     Down
            ge-5/0/12     Down
            ge-5/0/11     Down
            ge-5/0/10     Down
            ge-5/0/9      Down
            ge-5/0/8      Down
            ge-5/0/7      Down
            ge-5/0/6      Down
            ge-5/0/5      Down
            ge-5/0/4      Down
            ge-5/0/3      Down

    Control-link Failure Information:
        Link Status: Up
        Dual Control Link Status: Unsupported

        Interface   Physical / Monitored Status
        fxp1        Up / Down



root@FW> edit
warning: Clustering enabled; using private edit
error: shared configuration database modified

Please temporarily use 'configure shared' to commit
outstanding changes in the shared database, exit,
and return to configuration mode using 'configure'

 


root@FW> configure shared
Entering configuration mode
The configuration has been changed but not committed

{secondary:node1}[edit]
root@FW# commit
warning: ISSU in progress, commit disallowed

{secondary:node1}[edit]

 


root@FW> show chassis hardware
node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                               SRX240H
FPC 0                                                 FPC

 


root@FW> show chassis fpc pic-status
node1:
--------------------------------------------------------------------------
Slot 0 Present FPC

{secondary:node1}

------

It seems that node1 is still in ISSU mode. How can I cancel this? I tried this: https://kb.juniper.net/InfoCenter/index?page=content&id=KB26324&cat=JUNOS&actp=LIST&smlogin=true but without success.

In addition, there is no hardware information and no network modules on node1. Is this a problem because of the "ISSU mode"?

If you need log files, I can send them.

Best regards

Juniper SRX "New Sessions/Second" - Limits


Quick Question:

 

Why is the session setup rate so low? Low compared to the Huawei Eudemon, specifically?

Is this a Junos software limitation or a hardware limitation?

While I get 150K on Juniper, Huawei will give twice that for the same capacity firewall. Anyone with first-hand experience?

 

I understand the SRX is by far the preferable platform, but this session setup rate is critical on this specific project.

Any comments/insights?

How to access Web server behind SRX


Hello folks,

 

I have one web server fronted by an SRX firewall, and the SRX firewall's untrust interface has a public IP address reachable through the Internet. Now, how do I access the web server from the Internet?

 

 

I understand we need to enable NAT, but how exactly is the IP address on the SRX mapped to the web server?

Do I need to do anything else? 

 

 

Please suggest, CLI information would indeed be helpful.

 

Thanks,

Shirish.
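An added example for the question above, not from the post or from Juniper: a port-based destination NAT that maps TCP/80 on the untrust interface address to the internal web server, plus the security policy that permits the translated flow. The public address 203.0.113.10, the server address 192.168.10.20, the zone name trust and the pool, rule-set, rule, address and policy names are all assumptions.

```junos
set security nat destination pool web-srv-80 address 192.168.10.20/32 port 80
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule web-http match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule web-http match destination-port 80
set security nat destination rule-set from-untrust rule web-http then destination-nat pool web-srv-80
set security address-book global address web-srv 192.168.10.20/32
set security policies from-zone untrust to-zone trust policy inet-to-web match source-address any
set security policies from-zone untrust to-zone trust policy inet-to-web match destination-address web-srv
set security policies from-zone untrust to-zone trust policy inet-to-web match application junos-http
set security policies from-zone untrust to-zone trust policy inet-to-web then permit
```

The SRX translates the destination before the policy lookup, so the policy matches on the server's internal address (web-srv) and only on junos-http, which keeps every other port on the public address closed.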


j-flow Version 8 Documentation?


Hi

 

Trying to configure j-flow Version 8. 

I can't really find any documentation for this other than:

http://www.juniper.net/us/en/local/pdf/app-notes/3500204-en.pdf

and

https://kb.juniper.net/InfoCenter/index?page=content&id=kb16677&actp=search

which is extremely light on details.

 

The manual just says: 

J-Flow v8 has the same attributes and fields as J-Flow v5, but it allows the aggregation of flows with a specific
attribute. J-Flow v8 supports five aggregation schemes, and it conserves memory and bandwidth by exporting targeted
flow records rather than all aggregated traffic.
 
It doesn't go on to mention anything about the 5 aggregation schemes...
 

Any ideas where I can get more detailed documentation for v8?

Can't use v9 as the device is clustered. 

 

Also, I've noticed I have fewer fields in the v8 template than I do with the v5 template, which is strange...

 

 

 

Public subnet behind SRX


I am switching ISPs and the new ISP is giving me a WAN IP (/30) and then the rest of my IP block (/29) behind it. I have normally seen ISPs just set the block on my WAN and I would just place a switch in front to direct to my four independent networks and their firewalls.

 

What I would like to do is set the ge-0/0/0 to the WAN (/30) and the ge-0/0/1-4 to be the /29 subnet that would lead to their respective routers.

 

How can I set up my SRX to route the /29 subnet behind the /30? Also I would like to disable most of the firewall functionality since each of the networks behind it already have firewalls.

 

I have never had to route public IPs before, looking for some guidance and suggestions.

 

Thanks,

David

DHCP Relay and PXE Boot


Hi there,

 

Just after some advice regarding help with PXE boot.

 

I have the following set up

 

set forwarding-options dhcp-relay server-group DHCP-servers 10.64.40.104
set forwarding-options dhcp-relay server-group DHCP-servers 10.64.40.105
set forwarding-options dhcp-relay server-group DHCP-servers 10.64.40.17
set forwarding-options dhcp-relay active-server-group DHCP-servers
set forwarding-options dhcp-relay group DHCP interface vlan.10

 

Our WDS server is on vlan 40 (10.64.40 subnet) and we want to build machines on vlan 10

 

Is what I have set up correct? I did try to put in the following command, but it doesn't work:

 

set forwarding-options helpers bootp server 10.64.40.17

 

I get the error:

 

[edit forwarding-options dhcp-relay]
'server-group'
'server-group' statement cannot be included along with 'forwarding-options helpers bootp' statement

 

 

 

 

BGP Nat Problem


Hi.

I have a problem: NAT does not work properly. I'm trying to set up eBGP in a virtual router and use it for Internet connections via my PI address, but when I try to reach the Internet using NAT I can't reach anything. From the routing instance I can ping everything, and BGP is working fine...

Juniper Model : srx240h2
Software Version:12.3X48-D35.7

Can someone please tell me what I am doing wrong?  


Thanks!

Here is my configuration:

set security nat source pool PI-Inet-Address routing-instance vrflite
set security nat source pool PI-Inet-Address address 1.1.1.2/32
set security nat source pool PI-Inet-Address port no-translation
set security nat source pool PI-Inet-Address address-shared
set security nat source rule-set lan-to-ISP-BGP from zone lan
set security nat source rule-set lan-to-ISP-BGP to zone ISP-BGP
set security nat source rule-set lan-to-ISP-BGP rule bgp-source-nat-rule match source-address 10.27.64.14/32
set security nat source rule-set lan-to-ISP-BGP rule bgp-source-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set lan-to-ISP-BGP rule bgp-source-nat-rule then source-nat pool PI-Inet-Address
set security policies from-zone ISP-BGP to-zone ISP-BGP policy isp-to-isp match source-address any
set security policies from-zone ISP-BGP to-zone ISP-BGP policy isp-to-isp match destination-address any
set security policies from-zone ISP-BGP to-zone ISP-BGP policy isp-to-isp match application any
set security policies from-zone ISP-BGP to-zone ISP-BGP policy isp-to-isp then permit
set security policies from-zone ISP-BGP to-zone lan policy ISP-to-lan match source-address any
set security policies from-zone ISP-BGP to-zone lan policy ISP-to-lan match destination-address any
set security policies from-zone ISP-BGP to-zone lan policy ISP-to-lan match application any
set security policies from-zone ISP-BGP to-zone lan policy ISP-to-lan then permit
set security policies from-zone lan to-zone ISP-BGP policy lan-to-ISP match source-address any
set security policies from-zone lan to-zone ISP-BGP policy lan-to-ISP match destination-address any
set security policies from-zone lan to-zone ISP-BGP policy lan-to-ISP match application any
set security policies from-zone lan to-zone ISP-BGP policy lan-to-ISP then permit
set security policies from-zone lan to-zone lan policy lan-to-lan match source-address any
set security policies from-zone lan to-zone lan policy lan-to-lan match destination-address any
set security policies from-zone lan to-zone lan policy lan-to-lan match application any
set security policies from-zone lan to-zone lan policy lan-to-lan then permit
set security zones security-zone lan host-inbound-traffic system-services all
set security zones security-zone lan host-inbound-traffic protocols all
set security zones security-zone lan interfaces reth1.0
set security zones security-zone ISP-BGP host-inbound-traffic system-services ping
set security zones security-zone ISP-BGP host-inbound-traffic system-services ssh
set security zones security-zone ISP-BGP host-inbound-traffic system-services ike
set security zones security-zone ISP-BGP interfaces reth3.0 host-inbound-traffic system-services ping
set security zones security-zone ISP-BGP interfaces reth3.0 host-inbound-traffic system-services rpm
set security zones security-zone ISP-BGP interfaces lo0.0 host-inbound-traffic system-services ping
set security zones security-zone ISP-BGP interfaces lo0.0 host-inbound-traffic system-services rpm

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet filter input-list GoToISP
set interfaces reth1 unit 0 family inet address 10.0.1.2/30
set interfaces reth3 redundant-ether-options redundancy-group 3
set interfaces reth3 unit 0 family inet address 1.1.1.2/30
set interfaces lo0 unit 0 family inet address 2.2.2.1/26

set routing-options interface-routes rib-group inet Global
set routing-options static rib-group Secondary
set routing-options rib-groups Global import-rib inet.0
set routing-options rib-groups Global import-rib vrflite.inet.0
set routing-options rib-groups Secondary import-rib inet.0
set routing-options rib-groups Secondary import-rib vrflite.inet.0
set routing-options rib-groups Secondary import-policy static-input

set policy-options policy-statement static-input term filter-default-routes from route-filter 0.0.0.0/0 exact
set policy-options policy-statement static-input term filter-default-routes then reject
set policy-options policy-statement static-input term filter-static-bgp-routes from route-filter 1.1.1.0/26 exact
set policy-options policy-statement static-input term filter-static-bgp-routes then reject
set policy-options policy-statement static-input then accept
set policy-options policy-statement EBGP-input term allowall then accept
set policy-options policy-statement EBGP-output term out-networks from route-filter 1.1.1.0/24 exact
set policy-options policy-statement EBGP-output term out-networks then accept
set policy-options policy-statement EBGP-output then reject

set firewall family inet filter GoToISP term 3 from source-address 10.27.64.14/32
set firewall family inet filter GoToISP term 3 from destination-address 0.0.0.0/0
set firewall family inet filter GoToISP term 3 from destination-address 172.16.0.0/12 except
set firewall family inet filter GoToISP term 3 from destination-address 192.168.0.0/16 except
set firewall family inet filter GoToISP term 3 from destination-address 10.0.0.0/8 except
set firewall family inet filter GoToISP term 3 then log
set firewall family inet filter GoToISP term 3 then routing-instance vrflite

set routing-instances vrflite instance-type virtual-router
set routing-instances vrflite interface lo0.0
set routing-instances vrflite interface reth3.0
set routing-instances vrflite routing-options interface-routes rib-group inet Global
set routing-instances vrflite routing-options static route 10.27.64.0/24 next-table inet.0
set routing-instances vrflite routing-options router-id 1.1.1.2
set routing-instances vrflite protocols bgp local-as 22222
set routing-instances vrflite protocols bgp group EBGP type external
set routing-instances vrflite protocols bgp group EBGP multipath
set routing-instances vrflite protocols bgp group EBGP neighbor 1.1.1.1 import EBGP-input
set routing-instances vrflite protocols bgp group EBGP neighbor 1.1.1.1 export EBGP-output
set routing-instances vrflite protocols bgp group EBGP neighbor 1.1.1.1 peer-as 11111
set routing-instances vrflite protocols bgp group EBGP neighbor 1.1.1.1 local-as 22222

Also, here is an example of a flow session:
  Session ID: 3253, Policy name: lan-to-ISP/26, State: Active, Timeout: 10, Valid
  In: 10.27.64.14/2927 --> 8.8.8.8/4806;icmp, If: reth1.0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/4806 --> 1.1.1.2/2927;icmp, If: reth3.0, Pkts: 0, Bytes: 0

RT_ALT_WRN_CFG_NEED: MSRPC ALG detected packet; needs extra policy

Hello,

I use an SRX100 firewall with zones and policies to isolate several subnets.  I do not know what ALG is.  All of my policies are "application any".

Why am I getting the error listed below?  How do I allow the traffic that is apparently being blocked?

RT_ALT_WRN_CFG_NEED: MSRPC ALG detected packet from x which need extra policy with UUID:x or 'junos-ms-rpc-any' to let is pass-through on ASL session

Thank you,

Chris

LAN to VPN

Hi,

I have some external workers on site who connect to their own company's VPN.

Our SRX doesn't let them connect by default. I read that I need to disable port translation.

I see traffic hitting the created rule, but when it comes in it's hitting another IP that I made for the SRX external interface, configured with proxy ARP.

local IP: 1.1.1.1
VPN IP: 9.9.9.9
main SRX IP: 10.10.10.1
proxy ARP SRX IP: 10.10.10.2

Session ID: 381059, Policy name: mortgage-to-untrust/32, Timeout: 58, Valid
In: "1.1.1.1"/500 --> "9.9.9.9"/500;udp, If: vlan.68, Pkts: 3, Bytes: 1932
Out: "9.9.9.9"/500 --> "10.10.10.2"/500;udp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0

Basically it's not coming in on the main public IP of the SRX but on that proxy ARP IP that I set to enable people to VPN into us (this is configured for a different rule/zone).

Here is what I have done:

set security nat source pool gre-nat-pool address "10.10.10.1"
set security nat source pool gre-nat-pool port no-translation

set security nat source rule-set mortgage-to-untrust from zone Mortgage-Insurance
set security nat source rule-set mortgage-to-untrust to zone untrust
set security nat source rule-set mortgage-to-untrust rule mortgage-gre-nat match source-address 0.0.0.0/0
set security nat source rule-set mortgage-to-untrust rule mortgage-gre-nat match destination-address "9.9.9.9"
set security nat source rule-set mortgage-to-untrust rule mortgage-gre-nat then source-nat pool gre-nat-pool


set security nat source rule-set mortgage-to-untrust rule mortgage-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set mortgage-to-untrust rule mortgage-nat-rule then source-nat interface

I have read lots about NAT but it's still confusing me at the moment. How come they are not allowed to VPN out by default from the SRX when all applications etc. are enabled, as shown below?

show security policies from-zone Mortgage-Insurance to-zone untrust
policy mortgage-to-untrust {
    match {
        source-address Mortgage-Insurance;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
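As an added troubleshooting aid, not part of either post, the script below parses the `show security flow session` excerpts quoted in the BGP NAT post and in this one and reports, per session, what source NAT was actually applied (translated address, whether the port changed, egress interface) and whether any reply packets were counted. The sample text is constructed from those two excerpts, and the field layout it expects is the one shown there.

```python
import re

# Constructed sample: the two session excerpts quoted in the posts above, as posted.
SAMPLE = """\
Session ID: 3253, Policy name: lan-to-ISP/26, State: Active, Timeout: 10, Valid
  In: 10.27.64.14/2927 --> 8.8.8.8/4806;icmp, If: reth1.0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/4806 --> 1.1.1.2/2927;icmp, If: reth3.0, Pkts: 0, Bytes: 0
Session ID: 381059, Policy name: mortgage-to-untrust/32, Timeout: 58, Valid
  In: "1.1.1.1"/500 --> "9.9.9.9"/500;udp, If: vlan.68, Pkts: 3, Bytes: 1932
  Out: "9.9.9.9"/500 --> "10.10.10.2"/500;udp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0
"""

SESSION_RE = re.compile(r"^Session ID:\s*(\d+),\s*Policy name:\s*([^,]+),")
# One wing: In|Out: src/port --> dst/port;proto, If: ifl, Pkts: n, ... (quotes optional)
WING_RE = re.compile(
    r'^\s*(In|Out):\s*"?([\d.]+)"?/(\d+)\s*-->\s*"?([\d.]+)"?/(\d+);(\w+),'
    r"\s*If:\s*([^,]+),\s*Pkts:\s*(\d+)"
)

def parse_sessions(text):
    """Return the sessions in a 'show security flow session' dump, with both wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2)})
            continue
        w = WING_RE.match(line)
        if w and sessions:
            d, src, sp, dst, dp, proto, ifl, pkts = w.groups()
            sessions[-1][d.lower()] = {"src": src, "sport": int(sp), "dst": dst,
                                       "dport": int(dp), "proto": proto,
                                       "if": ifl, "pkts": int(pkts)}
    return sessions

def analyze(session):
    """Derive the NAT outcome of one session from its In and Out wings."""
    i, o = session["in"], session["out"]
    # The Out wing is the reverse direction, so its destination is the
    # address/port the SRX presented to the remote peer (the translated source).
    return {
        "policy": session["policy"],
        "original_src": f'{i["src"]}:{i["sport"]}',
        "translated_src": f'{o["dst"]}:{o["dport"]}',
        "snat_applied": i["src"] != o["dst"],
        "port_translated": i["sport"] != o["dport"],
        "egress_if": o["if"],
        "reply_seen": o["pkts"] > 0,  # Out Pkts: 0 means nothing came back
    }
```

Run against a real dump, a session whose translated_src is not the pool address you expected, or whose reply_seen is False, is the one to look at first.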
