There is plently of documentation regarding this subject using the CLI, however, I have been unable to locate any on Port Forwarding Using Only the J-Web interface.

Could someone point me in the right direction?

I am in the process of configuring SRX100 for one of my clients and I am experiencing intermittent Internet connectivity issue. Here is my setup so far:

BT ADSL line:

BT Home Hub 3 – Hub is configured with public IP address of xyz.36.246.89/29 and it handles authentication. Internal LAN1 interface assigned with 192.168.0.2 address. Then LAN1 interface of the hub is connected to fe-0/0/0 interface of SRX100. I thought it will be simpler to leave BT to handle authentication because BT support tend to be fussy when you call them asking to check the line or the router in the event of Internet connectivity problems. They refuse to touch the router if it’s not their product hence having SRX100 as a router may cause problems in future while calling BT support for assistance. If there are any security concerns arising from having BT Hub 3 handling the authentication and SRX10 acting as firewall (as opposed to having only SRX100 acting as router and firewall) please let me know.

SRX100 – fe-0/0/0 interface is assigned with xyz.36.246.90/29 ip address and fe-0/0/1 is assigned with 192.168.0.1 address. And I have static route added as below:

routing-options {

   static {

       route 0.0.0.0/0 {

           next-hop xyz.36.246.89;

           metric 1;

Full SRX100 configuration file attached.

The SRX100 seems to be connected to internet and the traffic flows but when pinging any internet address from my LAN I am receiving response for 20 seconds and then pings drops for a minute or two and then it comes back online again and so on. When I connect my laptop directly to BT Hub the Internet connection is stable which makes me think that problem is with SRX100 configuration. Here is the outcome of my troubleshooting so far:

show interfaces fe-0/0/0

Physical interface: fe-0/0/0, Enabled, Physical link is Up

Interface index: 134, SNMP ifIndex: 508

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,

Source filtering: Disabled, Flow control: Disabled

Device flags   : Present Running

Interface flags: SNMP-Traps Internal: 0x0

CoS queues     : 8 supported, 8 maximum usable queues

Current address: cc:e1:7f:b3:ba:xyz, Hardware address: cc:e1:7f:b3:ba:xyz

Last flapped   : 2016-02-17 14:13:33 GMT (00:01:35 ago)

Input rate     : 712 bps (1 pps)

Output rate   : 2440 bps (4 pps)

Active alarms : None

Active defects : None

Interface transmit statistics: Disabled

Logical interface fe-0/0/0.0 (Index 71) (SNMP ifIndex 511)

   Flags: SNMP-Traps 0x0 Encapsulation: ENET2

   Input packets : 542

   Output packets: 442

   Security: Zone: Internet

   Allowed host-inbound traffic : dhcp tftp http https ike ssh

   Protocol inet, MTU: 1500

     Flags: Sendbcast-pkt-to-re, Is-Primary

     Addresses, Flags: Is-Default Is-Preferred Is-Primary

       Destination: xyz.36.246.88/29, Local: xyz.36.246.90,

       Broadcast: xyz.36.246.95

@SRX100 > show route 8.8.8.8

inet.0: 6 destinations, 6 routes (5 active, 0 holddown, 1 hidden)

+ = Active Route, - = Last Active, * = Both

0.0.0.0/0         *[Static/5] 00:02:10, metric 1

                   > to xyz.36.246.89 via fe-0/0/0.0

@SRX100> ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8): 56 data bytes

^C

--- 8.8.8.8 ping statistics ---

3 packets transmitted, 0 packets received, 100% packet loss

@SRX100> ping xyz.36.246.89

PING xyz.36.246.89 (xyz.36.246.89): 56 data bytes

^C

--- xyz.36.246.89 ping statistics ---

4 packets transmitted, 0 packets received, 100% packet loss

@SRX100> ping xyz.36.246.90

PING xyz.36.246.90 (xyz.36.246.90): 56 data bytes

64 bytes from xyz.36.246.90: icmp_seq=0 ttl=64 time=1.618 ms

64 bytes from xyz.36.246.90: icmp_seq=1 ttl=64 time=0.389 ms

64 bytes from xyz.36.246.90: icmp_seq=2 ttl=64 time=0.367 ms

64 bytes from xyz.36.246.90: icmp_seq=3 ttl=64 time=0.367 ms

64 bytes from xyz.36.246.90: icmp_seq=4 ttl=64 time=0.365 ms

64 bytes from xyz.36.246.90: icmp_seq=5 ttl=64 time=0.369 ms

64 bytes from xyz.36.246.90: icmp_seq=6 ttl=64 time=0.361 ms

^C

--- xyz.36.246.90 ping statistics ---

7 packets transmitted, 7 packets received, 0% packet loss

round-trip min/avg/max/stddev = 0.361/0.548/1.618/0.437 ms

@SRX100> ping www.google.com

^C

@SRX100> ping xyz.36.246.88

PING xyz.36.246.88 (xyz.36.246.88): 56 data bytes

ping: sendto: Can't assign requested address

ping: sendto: Can't assign requested address

ping: sendto: Can't assign requested address

^C

--- xyz.36.246.88 ping statistics ---

3 packets transmitted, 0 packets received, 100% packet loss

@SRX100> ping 192.168.0.2

PING 192.168.0.2 (192.168.0.2): 56 data bytes

^C

--- 192.168.0.2 ping statistics ---

3 packets transmitted, 0 packets received, 100% packet loss

@SRX100> ping 192.168.0.1

PING 192.168.0.1 (192.168.0.1): 56 data bytes

64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=1.776 ms

64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=1.129 ms

64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.346 ms

^C

--- 192.168.0.1 ping statistics ---

3 packets transmitted, 3 packets received, 0% packet loss

round-trip min/avg/max/stddev = 0.346/1.084/1.776/0.585 ms

@SRX100> traceroute xyz.36.246.90

traceroute to xyz.36.246.90 (xyz.36.246.90), 30 hops max, 40 byte packets

1 xyz.36.246.90 (xyz.36.246.90) 7.469 ms 1.504 ms 1.400 ms

@SRX100> traceroute www.google.com

^C

@SRX100> traceroute 8.8.8.8

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 40 byte packets

1 * * *

2 * * *

3 *^C

Your help will be very much appreciated.

Hi all,

since a few days i´m searching for the reason why the throughput of an SRX240H Cluster is so slow.

additional i debugged and reviewed the whole configuration if there are any problems visible.

Goal: Copy a huge amount of data via VPN to annother Datacenter

Problem:

- Throughput only reaches 90-100 Mbit/s (with Gbit Interface)

(I can see inside monitoring, that the traffic is nearly exact 100 mbit

not many sessions, normal packet count)

- Firewall Internal Traffic is massive delayed (due to high dataplane CPU)

- Checked reth interface VLAN´s

- overall Throughput is roundabout 150 Mbit/s

What i did:

- VPN Tuning (TCP-MSS etc...)

- set low VPN encryption (for testing, no change)

- debugged Flow if there are dropped or anormal packets

- Checked MTU Sizes 1514 (internal)

- Checked Switch Configurations (VLAN, Speed , OK)

- Checked Servers Configuration (Interface Config , Patchlevel, Packettrace, etc. OK) 

- Checked Posrtspeed / Duplex etc. OK

- Disabled Logging

- Disabled ALG

- DIsabled UTM

- man other things additional

all i see is:

FPC 0
PIC 0
CPU utilization : 99 %
Memory utilization : 66 %
Current flow session : 393
Current flow session IPv4: 335
Current flow session IPv6: 58
Max flow session : 102400
Total Session Creation Per Second (for last 96 seconds on average): 16
IPv4 Session Creation Per Second (for last 96 seconds on average): 15
IPv6 Session Creation Per Second (for last 96 seconds on average): 1

additional Informaton: 

last pid: 63117; load averages: 0.54, 0.27, 0.19 up 8+21:13:04 16:51:04
76 processes: 6 running, 69 sleeping, 1 zombie
CPU states: 77.3% user, 0.0% nice, 1.7% system, 0.0% interrupt, 21.1% idle
Mem: 203M Active, 112M Inact, 557M Wired, 70M Cache, 112M Buf, 29M Free
Swap:

PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1442 root 139 0 517M 59204K CPU1 1 676.7H 92.48% flowd_octeon_hm
1442 root 139 0 517M 59204K CPU3 3 676.7H 92.48% flowd_octeon_hm
1442 root 139 0 517M 59204K CPU2 2 676.7H 92.48% flowd_octeon_hm
1442 root 80 0 517M 59204K RUN 0 676.7H 8.98% flowd_octeon_hm
63116 root 81 0 8624K 3264K select 0 0:00 0.73% sshd
63117 sshd 8 0 8116K 1784K nanslp 0 0:00 0.73% sshd
1442 root 76 0 517M 59204K select 0 676.7H 0.00% flowd_octeon_hm
1442 root 76 0 517M 59204K select 0 676.7H 0.00% flowd_octeon_hm
1442 root 8 0 517M 59204K nanslp 0 676.7H 0.00% flowd_octeon_hm
1503 root 76 0 28904K 11808K select 0 522:05 0.00% mib2d
1504 root 76 0 21424K 13916K select 0 286:34 0.00% snmpd
1454 root 76 0 12628K 5868K select 0 28:48 0.00% license-check
1495 root 76 0 10720K 4092K select 0 21:38 0.00% nstraced
1474 root 76 0 20516K 9312K select 0 19:41 0.00% l2ald
1477 root 76 0 28380K 14012K select 0 19:30 0.00% kmd
1444 root 76 0 16024K 3764K select 0 13:40 0.00% shm-rtsdbd
1449 root 76 0 13828K 6424K select 0 12:55 0.00% rtlogd
1484 root 76 0 49544K 14160K select 0 12:25 0.00% authd
1432 root 76 0 115M 18240K select 0 9:58 0.00% chassisd
1433 root 76 0 12824K 5172K select 0 9:35 0.00% alarmd
1502 root 76 0 25680K 9552K select 0 9:19 0.00% pfed
1502 root 76 0 25680K 9552K RUN 0 9:19 0.00% pfed
1096 root 76 0 13052K 5208K select 0 8:49 0.00% eventd
1483 root 76 0 50408K 11408K select 0 7:40 0.00% jdhcpd
1498 root 4 0 9632K 4792K kqread 0 7:28 0.00% mcsnoopd
1445 root 76 0 14204K 6996K select 0 6:39 0.00% jsrpd
1429 root 76 0 3304K 1384K select 0 6:13 0.00% bslockd
1480 root 76 0 11728K 5104K select 0 4:30 0.00% dhcpd
1475 root 76 0 14004K 7020K select 0 4:11 0.00% rmopd
1473 root 4 0 52552K 23244K kqread 0 3:52 0.00% rpd
1496 root 76 0 14472K 7092K select 0 3:32 0.00% fwauthd
1451 root 76 0 14184K 4876K select 0 3:12 0.00% wland

is there anybody who has any Idea how to find the core Issue ?

okok, i understand, the reason why the Load is high is caused by the copy job, but why at 100 Mbit /s ?

is it possible to debug the detailed reason for the high CPU load ?

if yes, how ? 

Regards

Martin

Hi Guys,

I need help to convert the following cisco config to Juniper using the Quad T1/E1 GPIM on SRX550. 

----

controller E1 1/0
framing NO-CRC4
channel-group 1 timeslots 1-16
channel-group 2 timeslots 17-31
!
!
interface Ethernet0/0
description connected to EthernetLAN
ip address 128.x.y.z 255.255.0.0 secondary
ip address 128.a.b.c 255.255.0.0
no ip directed-broadcast
ip nat inside
no ip mroute-cache
full-duplex
!
interface Serial1/0:1
ip unnumbered Ethernet0/0
no ip directed-broadcast
ip nat inside
encapsulation ppp
!
interface Serial1/0:2
ip unnumbered Ethernet0/0
no ip directed-broadcast
ip nat inside
encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 128.1.226.105
ip route 128.e.f.g 255.255.255.128 Serial1/0:1
ip route 128.h..i.j 255.255.255.128 Serial1/0:2
ip http server
!

----

Even a guide on how to will be much appreciated.

Hi,

I just configured the SSL proxy and applied to the right security policy.I have followed this link to configure SSL proxy

http://www.juniper.net/documentation/en_US/junos12.3x48/topics/task/configuration/ssl-proxy-workflow-configuring.html

According to the juniper documentation, users' will get Server certification validation error and need to import/trust the certificate.

In my case, users are not getting any Server certification validation error though I can see traffic is matching the proxy as shown below

root@srx-240-h# run show services ssl proxy statistics
PIC:fwdd0 fpc[0] pic[0] ------
sessions matched 207
sessions whitelisted 0
sessions bypassed:non-ssl 0
sessions bypassed:mem overflow 0
sessions created 0
sessions ignored 0
sessions active 0
sessions dropped 0

This is my configuration excerpt:

[edit services ssl proxy]
root@srx-240-h# show
profile SSL_PRFL-1 {
enable-flow-tracing;
preferred-ciphers medium;
trusted-ca 21FEB_GRP;
root-ca 21FEB;
actions {
ignore-server-auth-failure;
log {
all;
sessions-allowed;
}
}
}

Can anyone explain me this strange behavior?

Thanks,

MYN

Hello,

my customer have question for SSH in Juniper SRX3400.

"Guidance for cryptographic algorithm and key lengths when performing remote management of network devices s, (e.g., transition to 2048-bit DH modulus for SSH key agreement and 2048-bit RSA certificates for SSH authentication)."

i not found documentation about it. any have information about it??

Thanks.

Hi there,

Does anybody know the working Juniper/PULSE IPSec VPN client (Win/OSX) version ?

Which exact build works?

THA

Rr

Hi,

probably dumb question but here goes, in a security policy when we match application "any" does that mean all the predefined applications that are included in the SRX?

Thanks.

Good Afternoon

I am seeing an issue where traffic is flowing between R4 and R5 even with it having a metric of 1000. Both of these networks are only bridge so that if R2 fails we still have a backup path to that site but its via a very expensive provider. I was thinking about extending area 0 but we have around 30 routers so far in that area and most links are 3g/adsl type point to point OSPF over IPSEC.

. I understand that route selection based on diffrent areas might be causing my issue. Is there a way to change prefrences between ospf areas?

The setup below has been in place for a while and we only noitced we had an issue when the link went down between R4 and R3

Hello Expert

What is the order of global security policy and zone specific policy? Means first all zone based policies are evaluated and then all global policies will be evaluated?

Anyone here seen the Juniper J-Web GUI for managing Juniper devices?

It is so pre web 2.0 ish and is nothing close the the current web standard of designing new web management GUI for networking devices. Juniper can borrow some texts from Fortinet Fortigate ForiOS web GUI and others like Sophos XG next generation firewall web GUI

I mean Juniper makes so much money, at least i still prefer it hands down than Ciscos, but when will they understand they need to revamp this J-Web?

Employees of Juniper, if you reading htis and agree please forward this as suggestion/request/feedback to your managers.

Thanks

Hi,

My first post on these forums

We have two SRX 100s, we would like a site to site VPN established...

....Here's the catch....

One SRX can have a static address, the other must work dynamically.

Essentially we need one SRX to establish the link (to the other one with a static IP).

Thanks

hai, i have one question, i want to khow capacity total from hardisk on srx3400, i used command "show system storage". but i can read total capacity from hardisk.

node0:
--------------------------------------------------------------------------
Filesystem Size Used Avail Capacity Mounted on
/dev/ad0s1a 891M 443M 376M 54% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/md0 515M 515M 0B 100% /junos
/cf 891M 443M 376M 54% /junos/cf
devfs 1.0K 1.0K 0B 100% /junos/dev/
procfs 4.0K 4.0K 0B 100% /proc
/dev/ad0s1e 99M 142K 91M 0% /config
/dev/ad2s1f 12G 4.6G 6.3G 42% /var
/dev/md1 1006M 1018K 924M 0% /mfs
/dev/md2 17M 17M 0B 100% /cf/packages/mnt/jdiag-ppc-10.4B2.18
/var/jail 12G 4.6G 6.3G 42% /jail/var
/var/log 12G 4.6G 6.3G 42% /jail/var/log
devfs 1.0K 1.0K 0B 100% /jail/dev

node1:
--------------------------------------------------------------------------
Filesystem Size Used Avail Capacity Mounted on
/dev/ad0s1a 891M 441M 378M 54% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/md0 515M 515M 0B 100% /junos
/cf 891M 441M 378M 54% /junos/cf
devfs 1.0K 1.0K 0B 100% /junos/dev/
procfs 4.0K 4.0K 0B 100% /proc
/dev/ad0s1e 99M 134K 91M 0% /config
/dev/ad2s1f 12G 2.3G 8.6G 21% /var
/dev/md1 1006M 1.3M 924M 0% /mfs
/var/jail 12G 2.3G 8.6G 21% /jail/var
/var/log 12G 2.3G 8.6G 21% /jail/var/log
devfs 1.0K 1.0K 0B 100% /jail/dev

? Hello

I was converting ScreenOS config to SRX. I found one application/service MS-RPC-EPM in screen OS, having ports - tcp and udp ports 135. This service/application was not converted by SRX conversion tool automatically. I was checking in SRX, the service junos-ms-rpc-epm and I found below.

#  Microsoft RPC EPM (End Point Mapper)
#
application junos-ms-rpc-epm {
    term t1 protocol tcp uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa;
}
#

Someone can confirm, junos-ms-rpc-epm is equivalent to MS-RPC-EPM in screen OS? also Why there is not ports assign? is it normal

Hi 

I am new in SRX and want to know how to remove address-book from group-address.

Let's say, i have "SERVER" group and there is two entry. 

I want to remove 10.10.150.60 from this "SERVER" group address, what will be best way to remove?

set security zones security-zone tunnel address-book address 10.10.10.60 10.10.10.60/32

set security zones security-zone tunnel address-book address 10.10.10.62 10.10.10.62/32

set security zones security-zone tunnel address-book address-set SERVER address 10.10.10.60
set security zones security-zone tunnel address-book address-set SERVER address 10.10.10.62

Thanks,

2x SRX220H HA cluster

As seen in messages:

Feb 24 16:43:04 SRX220H-HA.miovision.corp PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 3 PIC 0 CPU utilization exceeds threshold, current value=92
Feb 24 16:43:07 SRX220H-HA.miovision.corp PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 3 PIC 0 CPU utilization exceeds threshold, current value=91
Feb 24 16:43:11 SRX220H-HA.miovision.corp PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 3 PIC 0 CPU utilization exceeds threshold, current value=92

and confirmed by show security monitoring fpc (x):

FPC 0
PIC 0
CPU utilization : 96 %
Memory utilization : 52 %
Current flow session : 5599
Current flow session IPv4: 5599
Current flow session IPv6: 0
Max flow session : 98304
Total Session Creation Per Second (for last 96 seconds on average): 59
IPv4 Session Creation Per Second (for last 96 seconds on average): 59
IPv6 Session Creation Per Second (for last 96 seconds on average): 0

show security flow stat:

node0:
--------------------------------------------------------------------------
Current sessions: 3744
Packets forwarded: 73091
Packets dropped: 33922654
Fragment packets: 2016

node1:
--------------------------------------------------------------------------
Current sessions: 3798
Packets forwarded: 7456433235
Packets dropped: 415022751
Fragment packets: 23532737

show interfaces detail | match "link is Up| bps| pps" | except "0 bps|0 pps":

-nothing outrageous, eg. ~80Mbps total across all ports. 

Any suggestions on what may be causing the high cpu usage?

Thanks!

Hello Experts

I have two SPC in SRX5400 in slot 0 and slot1. What is the recommendation for control port - HA? it should be from slot 0 or slot1?

 Hi,

I have SRX 240 with JUNOS 12.1X46-D40.2 on board.

I need to create gre tunnel with cisco isr 1841.

GRE interface:

gr-0/0/0 {
    unit 0 {
        tunnel {
            source 11.12.13.14;
            destination 21.22.23.24;
        }
        family inet {
            address 10.170.171.2/30;
        }
    }
}

To simplify testing I put Interface gr-0/0/0.0 to untrust security zone.

# show security zones security-zone untrust interfaces
ge-0/0/0.0 {
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
        }
    }
}
ge-0/0/1.0 {
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            traceroute;
        }
    }
}
vlan.200 {
    host-inbound-traffic {
        system-services {
            ssh;
            ping;
        }
    }
}
gr-0/0/0.0 {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
}

Policy in untrust scurity zone

# show security policies from-zone untrust to-zone untrust
policy BETWEEN_UNTRUST_IFACES {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

Cisco interface config:

interface Tunnel150
 ip address 10.170.171.1 255.255.255.252
 tunnel source 21.22.23.24
 tunnel destination 11.12.13.14
end

When ping 10.170.171.2 (srx) from cisco 10.170.171.1 on srx device:

>show security flow session source-prefix 10.170.171.1
Session ID: 37192, Policy name: self-traffic-policy/1, Timeout: 2, Valid
  In: 10.170.171.1/3 --> 10.170.171.2/684;icmp, If: gr-0/0/0.0, Pkts: 1, Bytes: 100
  Out: 10.170.171.2/684 --> 10.170.171.1/3;icmp, If: .local..0, Pkts: 1, Bytes: 100
Total sessions: 1

When ping from srx to cisco packet counter on tunnel interface is not increase.

SRX Interface status:

> show interfaces gr-0/0/0.0
  Logical interface gr-0/0/0.0 (Index 91) (SNMP ifIndex 547)
    Flags: Point-To-Point SNMP-Traps 0x0 IP-Header 21.22.23.24:11.12.13.14:47:df:64:0000000000000000 Encapsulation: GRE-NULL
    Gre keepalives configured: Off, Gre keepalives adjacency state: down
    Input packets : 162
    Output packets: 163
    Security: Zone: untrust
    Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp
    snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
    Protocol inet, MTU: 1476
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.170.171.0/30, Local: 10.170.171.2, Broadcast: 10.170.171.3

I also have SRX100 with JUNOS Software Release [10.4R6.5]. Identical (except IP addresses) gre config works fine with same cisco router.

How I can more deep troubleshooting this case?

Thanks.

Rank amateur Alert!

After changing our ISP and getting a new Public IP I added a new default route via the J-Web. However it looks like it retained the old default route so now i have two hops against 0.0.0.0/0 - how can i remove the old next-hop whilst retaining the new next-hop ? I'm pretty sure this will be adversely affecting performance!?

route 0.0.0.0/0 next-hop [ 111.111.111.111 222.222.222.222 ];

I prefer to use the J-Web GUI however Static Routing options do not load on my version so i can't Delete and Edit any existing entries in J-Web - is this a known bug?

Any advice greatly appreciated. .   

We are looking for an SRX/F5 Network Engineer for an onsite position in Alpharetta GA. Must be either US Citizen or Perm Resident. Contact kmiller(at)corus360.com