Channel: SRX Services Gateway topics
Viewing all 3959 articles
Browse latest View live

SRX550 FIREWALL POLICY


Hello Guys,

We have a deny-all policy. Based on internal customer requests, ports are opened for applications from trust to untrust, and in some cases to specific destination IPs, sourced from our internal subnet. The issue is that attempts to open additional ports no longer work using the same configuration that worked previously.


srx240b2 can't add static IP address to interface

I have an SRX240B2 with the default interface settings. Since it is on 11.4x it will not allow me to add IP addresses to the host-side interfaces, I think. The public (internet) interface does allow this. How can I successfully add IP addresses? I CAN add them; however, the interface no longer functions after doing so. I know that it is default behavior, or maybe I just need to do something else (reboot), like reinitialize the interface. Transparent mode????

Broken ECMP ipv6 with SRX1500 in paketmode


hi,

 

I have a setup here with an SRX1500 in packet mode. If I try to enable ECMP with IPv6, everything runs fine except for clients that run Windows Server > 2012. I found out that Windows Server systems have ECN enabled by default since Server 2012.

If I disable ECN on the Windows client, everything runs fine. Linux clients with ECN enabled run fine as well.

 

Without ECN:

SYN:      Client -> Router -> SERVER A
SYN ACK:  SERVER A -> Router -> Client
ACK:      Client -> Router -> SERVER A

With ECN on Windows > 2012:

SYN:      Client -> Router -> SERVER A
SYN ACK:  SERVER A -> Router -> Client
ACK:      Client -> Router -> SERVER B

 

Does anyone have any sort of idea of what's wrong or how to prevent this?

how to install dynamic vpn license in srx1500


hi all,

I want to install a dynamic VPN license on an SRX1500. Which command is used for it? Please share.

SRX 1500 HA over L2 question

Hi guys,

I need to deploy 2 SRX 1500s, but in HA over L2. I want to know whether the control port tag is enabled on the SRX 1500. Is there any command to check and modify it?

Thanks
Seansc

SRX Sending logs to SYSLOG Issue


Hi Guys,

 

We are having an issue while sending logs to the syslog server. The SRX 3400's configuration is attached to this thread.

Logs are not being forwarded to the SYSLOG server, and when I try to open any file like accepted-traffic, kmd or policy_session it gives me the error

"Feb 25 06:03:42 FW_HOSTNAME newsyslog[4601]: logfile turned over due to -F request"

What's the issue here, and the solution, please?

SRX : 802.1q trunk and VLAN subinterfaces on ge-x/x/x without ethernet-switching ?


Hi,

I need to use 2 trunk interfaces from one (the same) SRX to one EX4300.

ge-0/0/0 : routing-instance VR0 : trunk mode, VLAN 100, 101 => ex4300, ethernet switching/trunk interface

ge-0/0/1 : routing-instance VR1 : trunk mode, VLAN100,101 => same ex4300, ethernet switching/trunk interface

 

After reading the docs, I think I need to put ge-0/0/0 and ge-0/0/1 in family ethernet-switching to be able to use them as 802.1q trunks, and then configure VLAN interfaces 100 and 101 as family inet with IPv4 addresses.

 

But I fear that if I configure ge-0/0/0 and ge-0/0/1 with "family ethernet-switching", the SRX will then switch between those ports, hence creating an ethernet loop with the EX4300.

 

What I want is to use ge-0/0/0 and ge-0/0/1 as *routed* ports with VLAN sub-interfaces. I don't want any ethernet switching at this level on the SRX.

Is this possible or impossible with a Juniper SRX?

 

I suppose that if it works with ge interfaces, the behaviour is the same with reth interfaces?

 

Thanks,

SRX-650 Backup to USB

I wanted to make a backup of my SRX externally - just in case - and so I got an old SATA drive with a USB dongle and plugged it in. I then used the "request system snapshot media external" command to get a backup. It seemed to work, although I've not tried to boot from the drive. Looking around the forums I've noticed that others seem to use the "request system snapshot media usb" command instead. When I tried that it showed the media was missing. So, questions:

- What type/size of USB drive should I be using? I have a 60GB, 45GB, 1TB and higher. I'm guessing the 60 is fine?
- Is using "external" instead of "usb" okay? If not, how do I resolve the "media is missing"?
- Did I just not really back anything up using "external"? Not willing to shut down the system just now to test.
- Is there anything different about doing this on a 210 or even an EX4300?

VPN Junos Pulse restrict attempts to login


Hi all,

 

I've seen some brute-force attempts to log in to my VPN.

Due to very large passwords and usernames, they could not log in.

 

I would like to know how I can limit these login attempts for the VPN.

 

thanks!

 

 

PS:

set system login retry-options tries-before-disconnect 5
set system login retry-options backoff-threshold 3
set system login retry-options backoff-factor 10
set system login retry-options lockout-period 4

 

This is already done, but for local accounts I guess?
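To make the four retry-options knobs in the post concrete, here is a small Python model of that login policy. This is an added example, not Juniper code, and its semantics are my reading of the knobs (an assumption, not taken from the post): failures are counted per connection; once the count reaches backoff-threshold, each further failure is delayed by backoff-factor seconds multiplied by the number of failures beyond the threshold; reaching tries-before-disconnect drops the connection and locks the account for lockout-period minutes. The attempt sequence, user name and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RetryOptions:
    """Values copied from the post's 'set system login retry-options' lines."""
    tries_before_disconnect: int = 5   # tries-before-disconnect 5
    backoff_threshold: int = 3         # backoff-threshold 3
    backoff_factor: int = 10           # backoff-factor 10 (seconds)
    lockout_period: int = 4            # lockout-period 4 (minutes)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures on the current connection
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Applies the retry policy (as modelled here, an assumption) to login attempts."""

    def __init__(self, opts: RetryOptions):
        self.opts = opts
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, now: float, password_ok: bool) -> Tuple[str, int]:
        """Return (verdict, delay_seconds) for a single login attempt at time `now`."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            # Still inside the lockout window: refuse without checking the password.
            return "locked", int(st.locked_until - now)
        if password_ok:
            st.failures = 0
            return "accepted", 0
        st.failures += 1
        if st.failures >= self.opts.tries_before_disconnect:
            # Too many failures: drop the connection and lock the account.
            st.locked_until = now + self.opts.lockout_period * 60
            st.failures = 0
            return "disconnected", self.opts.lockout_period * 60
        if st.failures >= self.opts.backoff_threshold:
            # Past the threshold: every further failure waits longer for the next prompt.
            over = st.failures - self.opts.backoff_threshold + 1
            return "rejected", over * self.opts.backoff_factor
        return "rejected", 0


def simulate_brute_force(opts: Optional[RetryOptions] = None) -> List[Tuple[str, int]]:
    """Replay a constructed guessing sequence against one account and collect verdicts."""
    guard = LoginGuard(opts or RetryOptions())
    # Constructed attempts: five wrong passwords, one correct guess during the
    # lockout, then the correct password after the 240 s lockout (from t=34) expired.
    attempts = [
        ("vpnuser", 0.0, False),
        ("vpnuser", 1.0, False),
        ("vpnuser", 2.0, False),
        ("vpnuser", 13.0, False),
        ("vpnuser", 34.0, False),
        ("vpnuser", 100.0, True),
        ("vpnuser", 300.0, True),
    ]
    return [guard.attempt(*a) for a in attempts]


if __name__ == "__main__":
    for verdict, delay in simulate_brute_force():
        print(f"{verdict:13s} delay={delay}s")
```

Running it shows the shape of the protection: the first two failures cost nothing, the third and fourth add 10 s and 20 s of delay, the fifth disconnects and locks the account for 240 s, and even a correct password is refused until that window has passed.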

 

SRX200 migration to SRX300 two vlan.irb through trunk interface to wireless access point NO JOY


I am migrating from an SRX200 to a SRX300 and I have everything up and working except for the trunk port to my wireless access point (Ruckus). I'm not finding a way to get the access point to come up.  I can plug back into the OLD SRX200 and everything works fine.

I have the following configured items:

set interfaces ge-0/0/4 description "Ruckus AP"
set interfaces ge-0/0/4 unit 0 description "Ruckus AP"

set interfaces ge-0/0/4 native-vlan-id 4
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching inner-vlan members vlan-Guest
set interfaces ge-0/0/4 unit 0 family ethernet-switching inner-vlan members vlan-worstations

set vlans vlan-Guest vlan-id 200
set vlans vlan-Guest l3-interface irb.200
set vlans vlan-worstations vlan-id 4
set vlans vlan-worstations l3-interface irb.4

set access address-assignment pool guestwifi family inet network 192.168.200.0/24
set access address-assignment pool guestwifi family inet range guest-range low 192.168.200.100
set access address-assignment pool guestwifi family inet range guest-range high 192.168.200.199
set access address-assignment pool guestwifi family inet dhcp-attributes domain-name ****.com
set access address-assignment pool guestwifi family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool guestwifi family inet dhcp-attributes router 192.168.200.1
set access address-assignment pool guestwifi family inet dhcp-attributes propagate-settings irb.200

set security zones security-zone Guest-Wireless interfaces irb.200 host-inbound-traffic system-services ping
set security zones security-zone Guest-Wireless interfaces irb.200 host-inbound-traffic system-services dhcp

set security zones security-zone workstations interfaces irb.4 host-inbound-traffic system-services all

~~~~~~~~~~~~~~~~~~~~~~

irb.200 is only on interface ge-0/0/4, so it is up/down.
Anyone have any ideas?

DHCP-Relay Question


I have two DHCP sources in use that go through a trunk port to a wireless AP. The DHCP relay is used in conjunction with the Windows domain and is used on everything but the guest wifi. I've set it to be the DHCP relay... I am migrating from an SRX240 where it was configured as such:
"set forwarding-options helpers bootp interface vlan.4 server 192.168.2.2"

How can I, or do I even need to, declare which interface to use the DHCP relay on?


My related configurations are below:

set forwarding-options dhcp-relay server-group FFFFdhcp 192.168.2.2
set forwarding-options dhcp-relay active-server-group FFFFdhcp

 

set access address-assignment pool guestwifi family inet range guest-range low 192.168.200.100
set access address-assignment pool guestwifi family inet range guest-range high 192.168.200.199
set access address-assignment pool guestwifi family inet dhcp-attributes domain-name ffff.com
set access address-assignment pool guestwifi family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool guestwifi family inet dhcp-attributes router 192.168.200.1
set access address-assignment pool guestwifi family inet dhcp-attributes propagate-settings irb.200
set access address-assignment pool guestwifi family inet dhcp-attributes option 3 ip-address 192.168.200.1

 

set interfaces ge-0/0/1 unit 0 description "Unit 0 - EX4200 - FFHA-SW1"
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-servers
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-worstations (irb.4)
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-iscsi
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-mgmt

 

set interfaces ge-0/0/4 unit 0 description "Ruckus AP"
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching inner-vlan members vlan-Guest  (irb.200)
set interfaces ge-0/0/4 unit 0 family ethernet-switching inner-vlan members vlan-worstations (irb.4)

set vlans vlan-worstations vlan-id 4
set vlans vlan-worstations l3-interface irb.4

set vlans vlan-Guest vlan-id 200
set vlans vlan-Guest l3-interface irb.200

Step by Step procedure to remove route based & dynamic vpn configuration on SRX


Hi,

 

Can someone help with removing the route-based and dynamic VPN configuration on the SRX so that there are no errors while committing the configuration?

 

Thanks,

Kunal Tupe

Not working: Site-to-Site VPN with SRX300 and Vyatta behind NAT on the firewall


Hi, please can someone take a look and shed some light on why the SRX does not reply on port 4500 when the devices try to establish the VPN. Vyatta works perfectly with other devices while being behind NAT, and the Juniper also works well with other parties, but not when it is behind NAT.

Here is the security flow:

In: y.y.y.y/4500 --> x.x.x.x/4500;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 20398, Bytes: 7866950,
Out: x.x.x.x/4500 --> y.y.y.y/4500;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0,

In the debug log I don't see it sending on port 4500:

[Mar 23 20:00:37]ike_send_packet: <-------- sending SA = { b468f4c1 59eefb62 - 00000000 00000000}, len = 288, nego = -1, local ip= x.x.x.x, dst = y.y.y.y:500, routing table id = 0
[Mar 23 20:00:37]ike_send_packet: <-------- sending SA = { df86bb50 971495e5 - 00000000 00000000}, len = 288, nego = -1, local ip= x.x.x.x, dst = y.y.y.y:500, routing table id = 0

========================================

Here is also the security rule:

From zone: internet, To zone: junos-host
Policy: HOST-ACCESS, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: HOST-ACCESS
Destination addresses: any
Applications: snmp, junos-ssh, junos-ospf, junos-ike, junos-ike-nat, junos-https
Action: permit

 

Also, I can ping the remote VPN endpoints without problems.

SRX340 as Internet Gateway


Hi!


I am working with Juniper equipment for the first time. I am trying to set up my machine (SRX340) as the internal network's internet gateway. I do not have any VLANs; I just wish all computers in the internal network could access the internet through this gateway.
I tried setting it up using the wizard and also searched for materials on the internet, but I did not succeed with any settings. At the moment the computers cannot access the internet, but if I try to access the internet from the equipment itself via the CLI it works (ping works normally).

 

Could you help me with this setup?

 

This is my interface configuration:

 

ge-0/0/0 - ISP Provider

ge-0/0/2 - Gateway for internal network computers

fxp0 - Management interface

static route - Gateway from ISP

 

Security configuration - Internal to Internet - ALL,ALL

 

 

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 177.19.201.116/29;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.5.200/23;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.5.3/23;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop [ 192.168.5.254 177.19.xxx.xxx ];
    }
}

Limit internet access from specific source ips


Hi!

I am configuring the Juniper SRX 340 for the first time. At the moment I was able to configure access for the entire internal network to the internet, using the Juniper as the gateway. Now I would like to limit access for the whole internal network and allow free access to the internet just for specific IPs.


Could you help me with what parameters should I configure?
thank you!


Block Whatsapp calls


Wondering if there is a way to block WhatsApp audio calls only (if not, I guess a total block would be fine)?

 

Has anyone implemented this successfully? Do I need IDP license etc?

 

 

Proxy-ID


What are the differences between proxy-ID and traffic selector, and when should each be used?

What is the difference between session creation per second and performance session


Hi, I have a question. As you can see from the results of the 3 commands, so many active sessions and failed sessions occur, but we cannot get session creation per second; the result is always zero.

What is the difference between session creation per second and performance session?

  

 

show security flow session summary |no-more
node0:
--------------------------------------------------------------------------
Unicast-sessions: 3943
Multicast-sessions: 0
Failed-sessions: 1170507709
Sessions-in-use: 4056
  Valid sessions: 3933
  Pending sessions: 0
  Invalidated sessions: 123
  Sessions in other states: 0
Maximum-sessions: 524288

 

show security monitoring fpc 0 |no-more
node0:
--------------------------------------------------------------------------
FPC 0
  PIC 0
    CPU utilization      :    0 %
    Memory utilization   :   75 %
    Current flow session : 4035
    Max flow session     : 524288
Session Creation Per Second (for last 96 seconds on average):    0    <---  Why is this result 0??

 

show security monitoring performance session

node0:
--------------------------------------------------------------------------

fpc  0  pic  0
Last 60 seconds:
 0:  188646   1:  191249   2:  188408   3:  191131   4:  188397   5:  191022
 6:  190145   7:  191277   8:  192297   9:  191161  10:  193949  11:  191090
12:  193662  13:  190977  14:  193614  15:  190911  16:  193814  17:  190913
18:  193460  19:  190839  20:  193707  21:  190971  22:  193828  23:  191238
24:  194072  25:  191199  26:  194318  27:  191475  28:  194413  29:  191625
30:  194432  31:  191588  32:  193929  33:  191138  34:  193791  35:  190832
36:  193316  37:  190669  38:  193428  39:  190822  40:  193628  41:  190936
42:  193453  43:  190668  44:  193426  45:  190731  46:  193611  47:  191001
48:  193705  49:  190972  50:  193852  51:  191173  52:  193610  53:  190807
54:  193432  55:  190710  56:  193303  57:  190709  58:  193554  59:  190725

How to share a printer (mDNS/Bonjour, Apple) in a different VLAN.


Goal:

Apple devices should be able to discover the printer (192.168.2.20) in vlan.2 (192.168.2.0/24) from vlan.1 (192.168.1.0/24).

 

With the "policy printer",

from vlan.1 I can ping and see the webpage of the printer, but I can't discover it.

 

Any suggestion? Is anything missing?

 

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp pool 192.168.1.0/24 name-server 8.8.8.8
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings vlan.1
set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.50
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
set system services dhcp pool 192.168.2.0/24 name-server 8.8.8.8
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
set system services dhcp pool 192.168.2.0/24 propagate-settings vlan.2


set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 1
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan.2


set interfaces vlan unit 1 family inet address 192.168.1.1/24
set interfaces vlan unit 2 family inet address 192.168.2.1/24


set security address-book global address host.192.168.2.20 192.168.2.20/32
set security address-book global address vlan1-network 192.168.1.0/24



set security policies from-zone trust to-zone trust policy printer match source-address vlan1-network
set security policies from-zone trust to-zone trust policy printer match destination-address host.192.168.2.20

set security policies from-zone trust to-zone trust policy printer match application any
set security policies from-zone trust to-zone trust policy printer then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all


set security zones security-zone trust interfaces vlan.1 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.2 host-inbound-traffic system-services dhcp


set vlans default vlan-id 1
set vlans default l3-interface vlan.1
set vlans vlan.2 vlan-id 2


 

Ping fluctuations SRX external interface


I have an issue with the external link fluctuating while pinging from outside (from another external network to the SRX untrust interface). I have checked the ping to the ISP side; it's clear, with no ping interruption.

The interface configurations are:

 

ge-0/0/6 {
    gigether-options {
        redundant-parent reth2;
    }
}
ge-5/0/6 {
    gigether-options {
        redundant-parent reth2;
    }
}
reth2 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address x.x.x.x/30;
        }
    }
}

 

Can someone help with troubleshooting the issue?

 

Regards

 

Rami
