Channel: SRX Services Gateway topics

Cannot add more than 8 source addresses in security NAT?


Hi All,

 

Is there any limitation in an SRX5800 chassis cluster setup with Logical Systems on adding more than 8 IP addresses to source-address in the security nat stanza? I looked at this URL http://forums.juniper.net/t5/SRX-Services-Gateway/NAT-rules-limitation-on-SRX/m-p/38317 but there it looked like it was due to the Junos version. My Junos is 15.1X49-D70. I'd appreciate someone's feedback.

 

{primary:node0}[edit security nat source rule-set NAT-SRC rule NAT-SRC-10]
test@SRX5800:LSYS-06# show
match {
    ##
    ## Warning: number of elements exceeds limit of 8
    ##
    source-address [ 192.168.1.0/24 192.168.20.0/24 192.168.40.0/24 192.168.80.0/24 192.168.90.0/24 192.168.150.0/24 192.168.110.0/24 192.168.123.0/24 192.168.240.0/24 ];
    destination-address [ 10.168.14.0/24 10.168.15.0/24 10.168.16.0/24 10.168.17.0/24 ];
}
then {
    source-nat {
        pool {
            LSYS-6;
        }
    }
}
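A way to stay under the 8-element cap shown in the commit warning above is to split one oversized rule into several rules that share the same action. The following is an added example, not code from the original post: it only renders Junos set statements as text (nothing is pushed to a device). The rule-set, rule and pool names are the ones in the post; the original rule NAT-SRC-10 is assumed to be deleted first so that its list is not merged with the generated ones.

```python
"""Split a long NAT match list into rules that stay under the 8-element cap.

Added example, not code from the original post. It only renders Junos 'set' statements as
text (nothing is pushed to a device); the rule-set, pool and rule names are the ones in the
post, and the cap of 8 mirrors the commit warning quoted there. The original rule is assumed
to be deleted first so that its oversized list is not merged with the generated ones.
"""
import ipaddress

MAX_MATCH_ELEMENTS = 8   # "number of elements exceeds limit of 8"

# Constructed from the post: 9 source prefixes and 4 destination prefixes.
SOURCES = ["192.168.1.0/24", "192.168.20.0/24", "192.168.40.0/24", "192.168.80.0/24",
           "192.168.90.0/24", "192.168.150.0/24", "192.168.110.0/24", "192.168.123.0/24",
           "192.168.240.0/24"]
DESTINATIONS = ["10.168.14.0/24", "10.168.15.0/24", "10.168.16.0/24", "10.168.17.0/24"]


def chunk(items, size):
    """Yield consecutive slices of at most `size` items, preserving order."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def split_rules(rule_base, sources, destinations, limit=MAX_MATCH_ELEMENTS):
    """Return [(rule_name, [sources], [destinations])] with every list within `limit`.

    Each (source chunk, destination chunk) pair becomes one rule. All rules share the same
    action, so first-match evaluation over them is equivalent to the single oversized rule.
    Prefixes are validated so a host bit set or a typo fails here, not at commit time.
    """
    src = [str(ipaddress.ip_network(s, strict=True)) for s in sources]
    dst = [str(ipaddress.ip_network(d, strict=True)) for d in destinations]
    rules, n = [], 0
    for s_chunk in chunk(src, limit):
        for d_chunk in chunk(dst, limit):
            n += 1
            rules.append((f"{rule_base}-{n * 10}", list(s_chunk), list(d_chunk)))
    return rules


def to_set_commands(rule_set, pool, rules):
    """Render the rules as 'set' statements; repeated match lines merge into one list."""
    base = f"set security nat source rule-set {rule_set} rule"
    lines = []
    for name, srcs, dsts in rules:
        lines += [f"{base} {name} match source-address {s}" for s in srcs]
        lines += [f"{base} {name} match destination-address {d}" for d in dsts]
        lines.append(f"{base} {name} then source-nat pool {pool}")
    return lines


if __name__ == "__main__":
    rules = split_rules("NAT-SRC", SOURCES, DESTINATIONS)
    print("delete security nat source rule-set NAT-SRC rule NAT-SRC-10")
    print("\n".join(to_set_commands("NAT-SRC", "LSYS-6", rules)))
```

Paste the output into configuration mode and run commit check before commit; the rule-set's from/to clauses are untouched, only its rules change.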


SRX240 cluster failover reason/date


Hi,

We have two SRX boxes in HA. Our primary box had issues; it was not healthy and we had to RMA that box.

I want to check the logs to find out when the failover happened, because we found out on 16 July 2017 that the device had failed, but our monitoring team says the device had been down since 12 July 2017. Is there any log file that has this information (when each device was primary, when it was secondary, and when the failover happened)?

 

Regards,

Pankaj Kumar

Diffie Hellman group5


When I say that DH group 5 is 1536 bits...

1) Does that mean that the generated key (session key) is 1536 bits?

Or

2) Does it mean that the private key size is 1536 bits (at the beginning each side generates a public and a private key)?

SRX345 switch L2 to L3 commit issues


I tried to switch L2 to L3 and reboot like:

 

set protocols l2-learning global-mode switching

then tried a commit check and found:

 

[edit security zones security-zone BT interfaces]
  'ge-0/0/0.0'
    Referenced interface must not be ethernet-switching interface of switching mode
[edit security zones security-zone PA interfaces]
  'ge-0/0/1.0'
    Referenced interface must not be ethernet-switching interface of switching mode
[edit interfaces ge-0/0/0 unit 0 family]
  'ethernet-switching'
    In switching mode, ethernet-switching interface must not be in security zone.
[edit interfaces ge-0/0/1 unit 0 family]
  'ethernet-switching'
    In switching mode, ethernet-switching interface must not be in security zone.
error: configuration check-out failed: (statements constraint check failed)

So I thought I needed to assign an IP to ge-0/0/0.0 like:

 

set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24

and I tried to switch:

 

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access

and put it in a security zone like:

 

set security zones security-zone untrust
set security zones security-zone untrust interfaces ge-0/0/0

But then I get the same error about not being in a security zone and also about ethernet-switching:

 

[edit security zones security-zone untrust interfaces]
  'ge-0/0/0.0'
    Referenced interface must not be ethernet-switching interface of switching mode
[edit interfaces ge-0/0/0 unit 0 family]
  'ethernet-switching'
    In switching mode, ethernet-switching interface must not be in security zone.

What am I doing wrong? I'm new to Junos; I'm used to the old SSG boxes, so I'm trying to learn. I've read a bunch of docs and can't get it. I want to put ge-0/0/0 in untrust (public static 1.2.3.4/24) and ge-0/0/1 in trust1 (5.6.7.8/24) and CGNAT between the two zones.

IKE phase 1 main mode


1- Is the proposal sent in messages 1 & 2 in plain text or secured? If secured, how?
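The two questions above (what the 1536 bits of DH group 5 refer to, and which main mode messages are protected) are answered by the same exchange, so here is one added example that walks through it; it is not code from either post. It runs the six IKEv1 main mode messages with pre-shared-key authentication in one process, using the RFC 2409 key derivation with HMAC-SHA1 as the PRF and the RFC 3526 1536-bit MODP modulus (transcribed here; verify against the RFC). Messages 1 to 4 carry the SA proposals, KE values and nonces in the clear, because no key exists yet; messages 5 and 6 carry the identities and HASH_I/HASH_R encrypted under SKEYID_e. The 1536 bits are the width of the modulus, hence of each public value and of the shared secret g^xy; the private exponent size is an implementation choice (256 bits here), and the session keys are PRF outputs (160 bits for SHA-1), not 1536-bit values. The XOR keystream standing in for the negotiated CBC cipher, the identities, nonces and the SA body are constructed placeholders so the script needs only the standard library.

```python
"""IKEv1 main mode with DH group 5 (1536-bit MODP, RFC 3526) and pre-shared-key authentication.

Added example, not from the original posts. It runs the six main-mode messages in one
process with the RFC 2409 key derivation (HMAC-SHA1 as PRF) to show which values are
1536 bits wide, which are not, and which messages travel in the clear. The XOR keystream
for messages 5 and 6 stands in for the negotiated CBC cipher so only the stdlib is needed;
identities, nonces and the SA body are constructed placeholders.
"""
import hashlib
import hmac
import secrets

# RFC 3526 "1536-bit MODP Group" (IKE group 5), generator 2. Transcribed; verify against the RFC.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2
GROUP_BYTES = (P.bit_length() + 7) // 8   # 192 bytes: width of each KE payload and of g^xy
PRIVATE_EXPONENT_BITS = 256               # an implementation choice, not fixed by the group


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, the PRF an IKE proposal with authentication-algorithm sha1 implies."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(GROUP_BYTES, "big")


def iv_from(gx_i: int, gx_r: int) -> bytes:
    """RFC 2409 appendix B: the phase 1 IV is derived from a hash of both public values."""
    return hashlib.sha1(i2b(gx_i) + i2b(gx_r)).digest()[:16]


def toy_cipher(key: bytes, iv: bytes, msg_no: int, data: bytes) -> bytes:
    """Symmetric stand-in for 3DES/AES-CBC: XOR with an HMAC keystream. The message number is
    mixed in so the keystream is never reused (real IKE chains the CBC IV between messages)."""
    blocks = (len(data) + 19) // 20
    stream = b"".join(prf(key, iv + bytes([msg_no]) + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class Peer:
    def __init__(self, psk: bytes, ident: bytes):
        self.psk, self.ident = psk, ident
        self.cookie = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbits(PRIVATE_EXPONENT_BITS) | 1   # private exponent: 256 bits here
        self.gx = pow(G, self.x, P)                            # public value: up to 1536 bits

    def derive(self, peer_gx: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> None:
        """RFC 2409 section 5.4 (PSK): SKEYID from the PSK and nonces, then _d/_a/_e from g^xy."""
        self.gxy = pow(peer_gx, self.x, P)                     # shared secret: up to 1536 bits
        self.skeyid = prf(self.psk, ni + nr)
        ctx = i2b(self.gxy) + cky_i + cky_r
        self.skeyid_d = prf(self.skeyid, ctx + b"\x00")
        self.skeyid_a = prf(self.skeyid, self.skeyid_d + ctx + b"\x01")
        self.skeyid_e = prf(self.skeyid, self.skeyid_a + ctx + b"\x02")   # 160 bits, not 1536


def main_mode(i: Peer, r: Peer, sa_body: bytes):
    """Return the six messages as (number, bytes_on_the_wire, encrypted)."""
    wire = [
        (1, i.cookie + sa_body, False),               # SA proposal list: clear text
        (2, i.cookie + r.cookie + sa_body, False),    # chosen proposal: clear text
        (3, i2b(i.gx) + i.nonce, False),              # KE_i + Ni: clear text
        (4, i2b(r.gx) + r.nonce, False),              # KE_r + Nr: clear text
    ]
    i.derive(r.gx, i.nonce, r.nonce, i.cookie, r.cookie)   # both sides now hold SKEYID_e
    r.derive(i.gx, i.nonce, r.nonce, i.cookie, r.cookie)
    iv = iv_from(i.gx, r.gx)
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b); HASH_R swaps the pairs.
    hash_i = prf(i.skeyid, i2b(i.gx) + i2b(r.gx) + i.cookie + r.cookie + sa_body + i.ident)
    hash_r = prf(r.skeyid, i2b(r.gx) + i2b(i.gx) + r.cookie + i.cookie + sa_body + r.ident)
    wire.append((5, toy_cipher(i.skeyid_e, iv, 5, i.ident + hash_i), True))   # IDii + HASH_I
    wire.append((6, toy_cipher(r.skeyid_e, iv, 6, r.ident + hash_r), True))   # IDir + HASH_R
    return wire


def run_demo(psk: bytes = b"constructed-psk"):
    """Two constructed peers; the SA body is a placeholder for the encoded proposal payload."""
    i, r = Peer(psk, b"ID:192.0.2.1"), Peer(psk, b"ID:198.51.100.1")
    return i, r, main_mode(i, r, b"proposal:group5,3des-cbc,sha1,psk")


if __name__ == "__main__":
    i, r, wire = run_demo()
    print(f"modulus {P.bit_length()} bits, private exponent {i.x.bit_length()} bits, "
          f"g^xy {i.gxy.bit_length()} bits, SKEYID_e {len(i.skeyid_e) * 8} bits")
    for n, payload, enc in wire:
        print(f"msg {n}: {len(payload):4d} bytes, {'encrypted' if enc else 'clear'}")
```

Because the proposal list in message 1 is sent in the clear, anyone on the path can read which algorithms and groups are offered; what protects the exchange against tampering is HASH_I/HASH_R in messages 5 and 6, which cover the SA body and can only be computed by a party holding the PSK and the shared secret.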

IPSec Tunnel Down Reason SA not initiated


Hello community, 

 

 

I am setting up some policy-based IPsec from an SRX220 running [12.1X46-D65.4]. I have a total of 7 tunnels and 4 of them have Phase 1 up. However, when I checked the command "show security ipsec inactive-tunnels" I am seeing the following:

 

Total inactive tunnels: 3
Total inactive tunnels with establish immediately: 3
ID  Port  Nego#  Fail#  Flag    Gateway        Tunnel Down Reason
7   500   0      0      600829  111.11.11.11   SA not initiated
4   500   0      0      600829  222.22.22.22   SA not initiated
6   500   0      0      600829  333.33.33.33   SA not initiated

 

Any idea why this reason is showing up?

 

All tunnels are set up in the same way (7 in total) and only these 3 are not getting into an UP state, even in Phase 1.

 

This is the config from one of the tunnels:

 

 

set security ike proposal CNFL authentication-method pre-shared-keys
set security ike proposal CNFL dh-group group2
set security ike proposal CNFL authentication-algorithm sha1
set security ike proposal CNFL encryption-algorithm 3des-cbc
set security ike proposal CNFL lifetime-seconds 3600
set security ike policy CNFL mode main
set security ike policy CNFL proposals CNFL
set security ike policy CNFL pre-shared-key ascii-text "fevifevefivbivbf"
set security ike gateway CNFL ike-policy CNFL
set security ike gateway CNFL address 111.11.11.11
set security ike gateway CNFL external-interface ge-0/0/0
set security ipsec proposal CNFL protocol esp
set security ipsec proposal CNFL authentication-algorithm hmac-sha1-96
set security ipsec proposal CNFL encryption-algorithm 3des-cbc
set security ipsec proposal CNFL lifetime-seconds 3600
set security ipsec policy CNFL proposals CNFL
set security ipsec vpn CNFL ike gateway CNFL
set security ipsec vpn CNFL ike ipsec-policy CNFL
set security ipsec vpn CNFL establish-tunnels immediately
set security address-book global address CNFL 192.168.17.25/32
set security address-book global address CNFL_PRODUCCION 192.168.17.45/32
set security policies from-zone Internal to-zone Internet policy Internal-to-CNFL match source-address Network-A
set security policies from-zone Internal to-zone Internet policy Internal-to-CNFL match destination-address CNFL
set security policies from-zone Internal to-zone Internet policy Internal-to-CNFL match destination-address CNFL_PRODUCCION
set security policies from-zone Internal to-zone Internet policy Internal-to-CNFL match application any
set security policies from-zone Internal to-zone Internet policy Internal-to-CNFL then permit tunnel ipsec-vpn CNFL
set security policies from-zone Internal to-zone Internet policy Internal-to-CNFL then permit tunnel pair-policy CNFL-to-Internal
set security policies from-zone Internet to-zone Internal policy CNFL-to-Internal match source-address CNFL
set security policies from-zone Internet to-zone Internal policy CNFL-to-Internal match source-address CNFL_PRODUCCION
set security policies from-zone Internet to-zone Internal policy CNFL-to-Internal match destination-address Network-A
set security policies from-zone Internet to-zone Internal policy CNFL-to-Internal match application any
set security policies from-zone Internet to-zone Internal policy CNFL-to-Internal then permit tunnel ipsec-vpn CNFL
set security policies from-zone Internet to-zone Internal policy CNFL-to-Internal then permit tunnel pair-policy Internal-to-CNFL

 

 

 

Thanks for all the help
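Independently of why the three tunnels stay down, the proposal lines in the configuration above are the kind of thing a reviewer would flag on sight: DH group 2 (1024-bit), 3DES and SHA-1. The following is an added example, not code from the original post: a small audit over Junos set statements that reports legacy algorithms, with a hardened replacement for the same proposal names. SAMPLE_CONFIG repeats the poster's proposal and policy lines (pre-shared key left out). The severities encode general current guidance (no DES/3DES, no MD5, DH groups of at least 2048 bits, SHA-1 only as a transitional choice), not a Juniper statement, and the script does not try to explain the "SA not initiated" state. The replacement keywords (group14, sha-256, aes-256-cbc, hmac-sha-256-128) are standard Junos ones; confirm that your release supports them before committing.

```python
"""Flag legacy algorithms in IKE/IPsec proposals written in Junos 'set' syntax.

Added example, not from the original post. SAMPLE_CONFIG repeats the poster's proposal and
policy lines (pre-shared key left out). The severities encode general current guidance
(no DES/3DES, no MD5, DH groups of at least 2048 bits, SHA-1 only as a transitional choice),
not a Juniper statement. The replacement keywords are standard Junos ones; confirm that your
release supports them before committing.
"""
import re

SAMPLE_CONFIG = """\
set security ike proposal CNFL authentication-method pre-shared-keys
set security ike proposal CNFL dh-group group2
set security ike proposal CNFL authentication-algorithm sha1
set security ike proposal CNFL encryption-algorithm 3des-cbc
set security ike proposal CNFL lifetime-seconds 3600
set security ike policy CNFL mode main
set security ike policy CNFL proposals CNFL
set security ipsec proposal CNFL protocol esp
set security ipsec proposal CNFL authentication-algorithm hmac-sha1-96
set security ipsec proposal CNFL encryption-algorithm 3des-cbc
set security ipsec proposal CNFL lifetime-seconds 3600
"""

# value token -> (severity, reason). Only the final value token is checked, so a proposal
# that happens to be named e.g. "sha1" does not trigger a false positive on its name.
RULES = {
    "des-cbc": ("high", "single DES is broken; use aes-256-cbc or aes-256-gcm"),
    "3des-cbc": ("high", "3DES has a 64-bit block (Sweet32); use aes-256-cbc or aes-256-gcm"),
    "md5": ("high", "MD5 must not be used for IKE integrity"),
    "hmac-md5-96": ("high", "MD5 must not be used for IPsec integrity"),
    "group1": ("high", "768-bit DH; use group14 or larger"),
    "group2": ("high", "1024-bit DH; use group14 or larger"),
    "group5": ("medium", "1536-bit DH; use group14 or larger"),
    "sha1": ("medium", "SHA-1 PRF/integrity; move to sha-256"),
    "hmac-sha1-96": ("medium", "SHA-1 integrity; move to hmac-sha-256-128"),
    "aggressive": ("medium", "aggressive mode exposes the IKE ID and allows offline PSK guessing"),
}

LINE = re.compile(r"^set security (ike|ipsec) (proposal|policy) (\S+) (\S+) (\S+)$")


def audit(config: str):
    """Return [(line_number, severity, message)] for every flagged statement."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:
            continue                 # other statements (keys, gateways, addresses) are ignored
        family, _, name, key, value = m.groups()
        if value in RULES:
            severity, why = RULES[value]
            findings.append((lineno, severity, f"{family} {name}: {key} {value}: {why}"))
    return findings


def hardened_proposal(name: str):
    """'set' lines that replace the flagged algorithms while keeping the proposal names."""
    return [
        f"set security ike proposal {name} dh-group group14",
        f"set security ike proposal {name} authentication-algorithm sha-256",
        f"set security ike proposal {name} encryption-algorithm aes-256-cbc",
        f"set security ipsec proposal {name} authentication-algorithm hmac-sha-256-128",
        f"set security ipsec proposal {name} encryption-algorithm aes-256-cbc",
    ]


if __name__ == "__main__":
    for lineno, severity, msg in audit(SAMPLE_CONFIG):
        print(f"line {lineno:2d} [{severity}] {msg}")
    print("\n".join(hardened_proposal("CNFL")))
```

Both ends of a tunnel must be changed together, since the proposals have to match; the lifetimes and the main-mode setting in the post are left as they are.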

 

 

show dropped


Is there a command that displays traffic dropped by the SRX?

For example, host-inbound traffic for ping is not allowed on the traffic interface and a ping is received...

VDSL connection for Italian Tim Fibra setting help


Hi, I'm trying to update my configuration on an SRX210 (with a VDSL card) to connect to my FTTC.

 

Here is my conf:

 

version 12.1X46-D55.3;
system {
    host-name JuniperSRX210;
    time-zone Europe/Rome;
    root-authentication {
        encrypted-password "PASSWORD";
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                pki-local-certificate srx210ssl;
                interface vlan.0;
            }
        }
        dhcp {
            pool 192.168.5.0/24 {
                address-range low 192.168.5.60 high 192.168.5.250;
                maximum-lease-time 57600;
                default-lease-time 28800;
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                    80.80.80.80;
                    80.80.81.81;
                }
                router {
                    192.168.5.1;
                }
            }
            static-binding 00:00:00:00:05:09 {
                fixed-address {
                    192.168.5.60;
                }
                host-name qnap-nas;
            }
            static-binding e0:46:9a:a0:b6:bc {
                fixed-address {
                    192.168.5.70;
                }
                host-name netgear-nas;
            }
            static-binding bc:60:a7:79:4f:50 {
                fixed-address {
                    192.168.5.80;
                }
                host-name sony-ps4;
            }
            static-binding 88:75:56:07:5f:0a {
                fixed-address {
                    192.168.5.90;
                }
                host-name cisco-voip;
            }
            static-binding 00:05:cd:2e:da:0b {
                fixed-address {
                    192.168.5.100;
                }
                host-name denon-avr;
            }
            static-binding 10:60:4b:df:13:eb {
                fixed-address {
                    192.168.5.107;
                }
                host-name hp-7500a;
            }
            static-binding 00:ce:40:02:68:e5 {
                fixed-address {
                    192.168.5.110;
                }
                host-name mede8er-mp;
            }
            static-binding bc:5f:f4:54:0a:21 {
                fixed-address {
                    192.168.5.115;
                }
                host-name thx-pc;
            }
            propagate-settings ge-0/0/0.0;
        }
        dynamic-dns {
            client link.dyndns.com {
                server dyndns;
                agent dyndns;
                username USERNAME;
                password "PASSWORD";
                interface pp0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    at-1/0/0 {
        vlan-tagging;
        vdsl-options {
            vdsl-profile auto;
        }
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 835;
        }
    }
    pp0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            point-to-point;
            ppp-options {
                pap {
                    default-password "USERl";
                    local-password "PASSWORD";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface at-1/0/0.0;
                client;
            }
            no-keepalives;
            family inet {
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.5.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop pp0.0;
            metric 0;
        }
    }
}
security {
    address-book {
        global {
            address server-qnap 192.168.5.60/32;
            address server-netgear 192.168.5.70/32;
            address server-ps4 192.168.5.80/32;
        }
    }
    alg {
        ftp ftps-extension;
        mgcp disable;
        rsh;
        sccp disable;
        sip {
            disable;
            application-screen {
                unknown-message {
                    permit-nat-applied;
                }
            }
            traceoptions {
                flag all;
            }
        }
    }
    flow {
        tcp-mss {
            all-tcp {
                mss 1350;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool nat-pool-qnap {
                address 192.168.5.60/32;
            }
            pool nat-pool-netgear {
                address 192.168.5.70/32;
            }
            pool nat-pool-ps4 {
                address 192.168.5.80/32;
            }
            rule-set main-rule-set {
                from zone untrust;
                rule qnap-57532 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 57532;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-qnap;
                            }
                        }
                    }
                }
                rule qnap-3306 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 3306;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-qnap;
                            }
                        }
                    }
                }
                rule netgear-21 {
                    match {
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-netgear;
                            }
                        }
                    }
                }
                rule netgear-1234 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 1234;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-netgear;
                            }
                        }
                    }
                }
                rule netgear-9099 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 9099;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-netgear;
                            }
                        }
                    }
                }
                rule ps4-80 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 80;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-ps4;
                            }
                        }
                    }
                }
                rule ps4-443 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 443;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-ps4;
                            }
                        }
                    }
                }
                rule ps4-1935 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 1935;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-ps4;
                            }
                        }
                    }
                }
                rule ps4-3478 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 3478;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-ps4;
                            }
                        }
                    }
                }
                rule ps4-3479 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 3479;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-ps4;
                            }
                        }
                    }
                }
                rule ps4-3480 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 3480;
                        protocol tcp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-ps4;
                            }
                        }
                    }
                }
                rule ps4-udp-3478 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 3478;
                        protocol udp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-ps4;
                            }
                        }
                    }
                }
                rule ps4-udp-3479 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 3479;
                        protocol udp;
                    }
                    then {
                        destination-nat {
                            pool {
                                nat-pool-ps4;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy server-access-qnap {
                match {
                    source-address any;
                    destination-address server-qnap;
                    application app-set-qnap;
                }
                then {
                    permit;
                }
            }
            policy server-access-netgear {
                match {
                    source-address any;
                    destination-address server-netgear;
                    application app-set-netgear;
                }
                then {
                    permit;
                }
            }
            policy server-access-ps4 {
                match {
                    source-address any;
                    destination-address server-ps4;
                    application app-set-ps4;
                }
                then {
                    permit;
                }
            }
        }
    }
    traceoptions {
        file flowtrace size 10m world-readable;
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                at-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                pp0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
applications {
    application app-qnap-57532 {
        protocol tcp;
        destination-port 57532;
    }
    application app-qnap-3306 {
        protocol tcp;
        destination-port 3306;
    }
    application app-netgear-1234 {
        protocol tcp;
        destination-port 1234;
    }
    application app-netgear-9099 {
        protocol tcp;
        destination-port 9099;
    }
    application app-ps4-80 {
        protocol tcp;
        destination-port 80;
    }
    application app-ps4-443 {
        protocol tcp;
        destination-port 443;
    }
    application app-ps4-1935 {
        protocol tcp;
        destination-port 1935;
    }
    application app-ps4-3478 {
        protocol tcp;
        destination-port 3478;
    }
    application app-ps4-3479 {
        protocol tcp;
        destination-port 3479;
    }
    application app-ps4-3480 {
        protocol tcp;
        destination-port 3480;
    }
    application app-ps4-udp-3478 {
        protocol udp;
        destination-port 3478;
    }
    application app-ps4-udp-3479 {
        protocol udp;
        destination-port 3479;
    }
    application-set app-set-qnap {
        application app-qnap-57532;
        application app-qnap-3306;
    }
    application-set app-set-netgear {
        application junos-ftp;
        application app-netgear-1234;
        application app-netgear-9099;
    }
    application-set app-set-ps4 {
        application app-ps4-80;
        application app-ps4-443;
        application app-ps4-1935;
        application app-ps4-3478;
        application app-ps4-3479;
        application app-ps4-3480;
        application app-ps4-udp-3478;
        application app-ps4-udp-3479;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

But I get this error on commit:

 

Warning(s):
1) vlan-tagging
2) }

 

Any suggestions?

Thanks


VPN local & remote identity


Local & remote identity are used to specify the IKE-ID as FQDN, UFQDN, DN, or IP address.

 

My question: why, under edit security ike gateway, is there both a dynamic option and a remote-identity option?

 

I see that both of them do the same function: specify the remote IKE-ID as FQDN, UFQDN, IP, or DN.

NAT keepalive


What is the use of NAT keep-alive in an IPsec VPN?

I have searched and it said that it maintains the NAT translation between the 2 peers, but I don't understand what that means.
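What "maintaining the NAT translation" means in practice, as an added example that is not part of the original post: when a peer sits behind NAT, IKE and ESP are carried in UDP on port 4500 (RFC 3948), and the NAT device keeps a port binding for that UDP flow only while packets keep flowing. An idle tunnel sends nothing, the binding expires, and the remote peer's next packet has no mapping to follow back in. The NAT-keepalive is the smallest possible packet, one 0xFF byte, whose only purpose is to refresh that binding. The classifier below follows the RFC's rules for telling keepalive, IKE (four zero bytes, the non-ESP marker) and ESP (SPI first) apart; NatTable and the 20-second interval are constructed to show the effect, and the real NAT device's idle timeout and your Junos timer values are assumptions to check in your deployment.

```python
"""What NAT keepalives keep alive: UDP/4500 payload types and a toy NAT binding table.

Added example, not from the original post. classify_udp4500 follows RFC 3948 (UDP
encapsulation of ESP): a 1-byte 0xFF payload is a NAT-keepalive, four zero bytes (the
non-ESP marker) precede IKE, anything else is ESP starting with the SPI. NatTable and the
20-second interval are constructed to show why a peer behind NAT sends keepalives; the NAT
device's real idle timeout and Junos timer values are assumptions to check in your deployment.
"""

NON_ESP_MARKER = b"\x00\x00\x00\x00"
KEEPALIVE = b"\xff"


def classify_udp4500(payload: bytes):
    """Return (kind, detail) for one UDP datagram payload arriving on port 4500."""
    if payload == KEEPALIVE:
        return "nat-keepalive", None
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike", None                       # the IKE header follows the marker
    if len(payload) >= 8:                        # ESP: SPI(4) + sequence(4) + payload
        spi = int.from_bytes(payload[:4], "big")
        seq = int.from_bytes(payload[4:8], "big")
        return "esp", {"spi": spi, "seq": seq}
    return "malformed", None


class NatTable:
    """Toy NAT: maps (inside_ip, inside_port) to a public port until idle for `timeout` seconds."""

    def __init__(self, public_ip: str, timeout: float):
        self.public_ip, self.timeout = public_ip, timeout
        self.out = {}          # (inside_ip, port) -> (public_port, last_seen)
        self.inbound_map = {}  # public_port -> (inside_ip, port)
        self.next_port = 40000

    def _expire(self, now: float) -> None:
        for key, (pport, seen) in list(self.out.items()):
            if now - seen > self.timeout:
                del self.out[key]
                del self.inbound_map[pport]

    def outbound(self, inside, now: float) -> int:
        """Create or refresh the binding for an outbound packet; return the public port."""
        self._expire(now)
        if inside not in self.out:
            self.out[inside] = (self.next_port, now)
            self.inbound_map[self.next_port] = inside
            self.next_port += 1
        pport, _ = self.out[inside]
        self.out[inside] = (pport, now)          # any packet, even one 0xFF byte, refreshes it
        return pport

    def inbound(self, public_port: int, now: float):
        """Return the inside endpoint for a packet from the peer, or None if the binding is gone."""
        self._expire(now)
        return self.inbound_map.get(public_port)


def simulate(keepalive_interval, nat_timeout: float, idle_seconds: float) -> bool:
    """The tunnel carries no user traffic for `idle_seconds`; can the peer still reach us after?"""
    nat = NatTable("203.0.113.10", nat_timeout)
    inside = ("10.0.0.5", 4500)
    pport = nat.outbound(inside, 0.0)            # the IKE exchange at t=0 creates the binding
    if keepalive_interval:
        t = keepalive_interval
        while t < idle_seconds:
            nat.outbound(inside, t)              # NAT-keepalive: one 0xFF byte to the peer
            t += keepalive_interval
    return nat.inbound(pport, idle_seconds) == inside


if __name__ == "__main__":
    for ka in (None, 20):
        print(f"keepalive={ka}: peer can reach us after 60 s idle ->", simulate(ka, 30, 60))
```

The third case in the test, a keepalive interval longer than the NAT timeout, shows the failure mode in the other direction: the binding expires between keepalives, and the NAT allocates a new public port, so inbound ESP from the peer still has nowhere to go until IKE renegotiates.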

Do not use source nat off when deploying site to site vpn


Hi all,

Please clarify this circumstance for me.
We have the topology with requirements like this:
Topology: [PC]---[SRX]----------[INTERNET]----------[Different vendor's Firewall]----[SERVER]

* In encrypted form, via a site-to-site VPN between the 2 SRX devices, as shown in the above diagram.

* In unencrypted form, over the Internet, by translating private IP addresses into public IP addresses via source NAT.

Normally, we would set source NAT off for traffic between the PC and the Server; it takes precedence over the interface source NAT for traffic going to the Internet.

However, I do not want to use the source NAT off configuration. So can I set a policy to accept the PC's public IP address accessing the Server's IP address on the different vendor's firewall, and do the same on the SRX device?

Thanks all

Source NAT pool


Hi all,

I have a topology like below:

Client x, y, z -------- SRX --------- Internet

The SRX device does source NAT (PAT) from a pool for the Clients to access the Internet, with the IP pool being 111.111.111.0/24 for example.
So do clients x, y, z all use the same NAT IP 111.111.111.1 with different ports, or do they use different NAT IPs: 111.111.111.1, 111.111.111.2, 111.111.111.3 respectively?

Thanks all

Routing via OSPF as primary route between SRX's not working


Topology:

SRX-1 @ Site A  ------------------ SRX-2 @ Site B

                

 

ISP A is terminated at Site A and ISP B is terminated at Site B, with each ISP being the backup of the other site during failover. Sites A and B are physically connected via fiber.

 

The OSPF Routing Issue

 

When ISP A @ Site A fails, the traffic from Site A is routed via OSPF to Site B and out. This only works if ISP B @ Site B is configured as the default next hop. If Site B is configured with OSPF as the default next hop and traffic is to be routed via Site A, OSPF does not work, but if OSPF is configured as a qualified next hop at Site B and the next-hop statement is deactivated, traffic is routed via OSPF.

 

Configuration


Site A


set protocols ospf traceoptions flag all
set protocols ospf export OSPF-Export
set protocols ospf area 0.0.0.0 interface reth1.34 interface-type p2p
set protocols ospf area 0.0.0.0 interface reth1.34 neighbor 10.1.40.130
set policy-options policy-statement OSPF-Export term 0 from interface reth1.400
set policy-options policy-statement OSPF-Export term 0 from interface reth1.401
set policy-options policy-statement OSPF-Export term 0 from interface reth1.402
set policy-options policy-statement OSPF-Export term 0 from interface reth1.404
set policy-options policy-statement OSPF-Export term 0 from interface reth1.441
set policy-options policy-statement OSPF-Export term 0 from interface reth1.450
set policy-options policy-statement OSPF-Export term 0 from interface reth1.451
set policy-options policy-statement OSPF-Export term 0 from interface reth1.452
set policy-options policy-statement OSPF-Export term 0 then accept
set policy-options policy-statement OSPF-Export term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement OSPF-Export term 1 then accept
set policy-options policy-statement OSPF-Export term 2 then reject

set routing-options static route 0.0.0.0/0 next-hop ISP A
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.1.40.130 preference 8

 

 

Site B

set policy-options prefix-list OSPF-IMPORT 10.1.0.0/16
set policy-options policy-statement Inet-Import term 1 from protocol ospf
set policy-options policy-statement OSPF-Export term 0 from interface reth1.320
set policy-options policy-statement OSPF-Export term 0 from interface reth1.330
set policy-options policy-statement OSPF-Export term 0 from interface reth1.340
set policy-options policy-statement OSPF-Export term 0 from interface reth1.350
set policy-options policy-statement OSPF-Export term 0 then accept
set policy-options policy-statement OSPF-Export term 1 from protocol static
set policy-options policy-statement OSPF-Export term 1 from tag 150
set policy-options policy-statement OSPF-Export term 1 then metric 170
set policy-options policy-statement OSPF-Export term 1 then accept
set policy-options policy-statement OSPF-Export term 2 then reject
set routing-instances O1-O2-Int protocols ospf traceoptions flag all
set routing-instances O1-O2-Int protocols ospf export OSPF-Export
set routing-instances O1-O2-Int protocols ospf area 0.0.0.0 interface reth0.34 interface-type p2p
set routing-instances O1-O2-Int protocols ospf area 0.0.0.0 interface reth0.34 neighbor 10.1.40.129

 

set routing-options static route 0.0.0.0/0 next-hop ISP B ---- Currently working
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.1.40.129 preference 8 --- failover to OSPF

 

If the above 2 statements are interchanged and the OSPF route is made primary for Site B, so as to route all traffic via Site A, routing fails.
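One property of the Site B configuration above is worth working through with numbers: both static next hops (the plain next-hop at the static default preference of 5, and the qualified-next-hop at preference 8) carry a lower preference than an OSPF-learned default, so whichever of them is usable is always chosen ahead of the OSPF route. The following is an added example, not code from the original post and not a diagnosis of the poster's network; it applies only the first rule the Junos routing table uses, lowest preference wins among usable paths, with the assumed default preferences static 5, OSPF internal 10 and OSPF AS external 150. The OSPF-learned default is modelled as AS external because Site A's OSPF-Export term 1 injects its static 0.0.0.0/0 into OSPF (a type 5 LSA). "ISP B" stands in for the real next-hop address, as it does in the post.

```python
"""Active-route selection by preference for the post's default routes at Site B.

Added example, not from the original post and not a diagnosis of the poster's network. It
applies the rule the Junos routing table uses first: among usable paths to the same prefix,
the lowest preference wins. Assumed default preferences: static 5, OSPF internal 10, OSPF AS
external 150. The OSPF-learned default is modelled as AS external because Site A's
OSPF-Export term 1 injects its static 0.0.0.0/0 into OSPF (a type 5 LSA). "ISP B" stands in
for the real next-hop address, as it does in the post.
"""
DEFAULT_PREFERENCE = {"direct": 0, "static": 5, "ospf": 10, "ospf-external": 150, "bgp": 170}


class Route:
    """One RIB entry. next_hops is a list of (next_hop, preference): a plain 'next-hop' uses
    the protocol default, a 'qualified-next-hop ... preference N' carries its own value."""

    def __init__(self, prefix, protocol, next_hops):
        self.prefix, self.protocol, self.next_hops = prefix, protocol, list(next_hops)


def active_path(routes, prefix, reachable):
    """Return (protocol, next_hop, preference) of the winning path, or None if none is usable.

    reachable: set of next hops whose link is up / whose address resolves. Ties at equal
    preference are broken here by name for determinism; Junos applies further tie-breakers.
    """
    candidates = [(pref, r.protocol, nh)
                  for r in routes if r.prefix == prefix
                  for nh, pref in r.next_hops if nh in reachable]
    if not candidates:
        return None
    pref, protocol, nh = min(candidates)       # lowest preference wins
    return protocol, nh, pref


def site_b_routes(static_next_hops, ospf_default_present=True):
    """Site B's default routes: the static one with its next hops, plus the OSPF-learned one."""
    routes = [Route("0.0.0.0/0", "static", static_next_hops)]
    if ospf_default_present:                   # Site A is up and advertising 0/0 over reth0.34
        routes.append(Route("0.0.0.0/0", "ospf-external",
                            [("10.1.40.129", DEFAULT_PREFERENCE["ospf-external"])]))
    return routes


def scenarios():
    """Map each scenario name to the path Site B would use."""
    as_posted = [("ISP B", DEFAULT_PREFERENCE["static"]), ("10.1.40.129", 8)]
    swapped = [("10.1.40.129", DEFAULT_PREFERENCE["static"]), ("ISP B", 8)]
    above_ospf = [("ISP B", 160), ("10.1.40.129", 160)]
    both_up = {"ISP B", "10.1.40.129"}
    return {
        # as posted: static 5 beats everything while ISP B is reachable
        "as configured, ISP B up": active_path(site_b_routes(as_posted), "0.0.0.0/0", both_up),
        # ISP B gone: the qualified-next-hop (8) wins; the OSPF default (150) never gets a turn
        "as configured, ISP B down": active_path(site_b_routes(as_posted), "0.0.0.0/0", {"10.1.40.129"}),
        # swapping the two statements still leaves both static paths far below 150
        "next hops swapped": active_path(site_b_routes(swapped), "0.0.0.0/0", both_up),
        # for the OSPF default to be primary, every static path must sit above 150
        "static above OSPF": active_path(site_b_routes(above_ospf), "0.0.0.0/0", both_up),
        # ... and the static default still takes over once the OSPF route is withdrawn
        "static above OSPF, Site A down": active_path(
            site_b_routes(above_ospf, ospf_default_present=False), "0.0.0.0/0", {"ISP B"}),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:32s} -> {path}")
```

The simulation only covers route preference; whether the OSPF default actually appears in Site B's routing instance, and whether return traffic is symmetric, are separate questions that `show route 0.0.0.0/0 exact detail` on both sites would answer.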

 

SRX losing internet connection at random


Hi,
 
Our office internet has been very unstable for the past few days. In the past the internet went down and came back up, and once the internet came back up our SRX100 had its connection back as well. Our SRX has been working fine for almost 4 years without a problem with the same configuration, updating Junos OS when necessary. The last update was over a year ago. But now I am encountering a very weird problem: at random our SRX100 loses its connection to the internet even when there is an internet connection. I checked the logs but no error messages are displayed. What's most odd is that I can still ping the ISP's gateway, but nothing beyond that (e.g. 8.8.8.8).
 
Only by requesting a system reboot are we able to access the internet again, but randomly (anywhere from 1 hour to 6 hours) it will lose the connection again and require another reboot. Our modem status indicates there is an internet connection and we can access the internet when we connect a PC directly to the modem. I have tried power-cycling our modem but it does not change the fact that the SRX can't reach outside. Only rebooting the SRX fixes this issue.
 
I get this error message when I try to ping Google's DNS after losing internet connection on our SRX:
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
 
show route 0
0.0.0.0/0          *[Access-internal/12] 11:25:34
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
                    [Access-internal/12] 06:33:58
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
                    [Access-internal/12] 06:33:58
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
                    [Access-internal/12] 05:39:27
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
                    [Access-internal/12] 05:39:27
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
                    [Access-internal/12] 04:47:02
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
                    [Access-internal/12] 04:47:02
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
                    [Access-internal/12] 03:53:30
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
                    [Access-internal/12] 03:53:30
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
                    [Access-internal/12] 03:00:08
                    > to XXX.XXX.XXX.97 via fe-0/0/0.0
 
Our ISP provides our office with a dynamic IP, so I have the untrust interface set up as a DHCP client. When we lose the connection I am still able to get an IP address through DHCP; I am able to release and renew fe-0/0/0.0 but unable to gain access to the internet even after renewing the IP. Restarting the DHCP process does not bring back the internet on the SRX.
 
show system services dhcp client
 
 Logical Interface name         fe-0/0/0.0
        Hardware address        XX:XX:XX:XX:XX:XX
        Client status           bound
        Address obtained        XXX.XXX.XXX.98
        Update server           disabled
        Lease obtained at       2017-07-24 13:54:13 UTC
        Lease expires at        2017-07-24 14:50:54 UTC
 
DHCP options:
    Name: server-identifier, Value: XXX.XXX.XXX.1
    Code: 1, Type: ip-address, Value: 255.255.255.224
    Name: router, Value: [ XXX.XXX.XXX.97 ]
    Name: name-server, Value: [ 208.67.222.222, 208.67.220.220 ]
 
show system services dhcp statistics
Packets dropped:
    Total                      0
 
Messages received:
    BOOTREQUEST                0
    DHCPDECLINE                0
    DHCPDISCOVER               36
    DHCPINFORM                 448
    DHCPRELEASE                0
    DHCPREQUEST                96
 
Messages sent:
    BOOTREPLY                  0
    DHCPOFFER                  36
    DHCPACK                    518
    DHCPNAK                    0
 
I also tried troubleshooting the following, but the problem still occurs:

1) Changing the interface that connects to the modem from fe-0/0/0 to fe-0/0/1 or fe-0/0/2, but regardless we still get the same problem.

2) Setting up fe-0/0/0.0 with a static IP and static route; we get a connection at first but eventually the problem comes back.

3) request system storage cleanup

4) Updating the Junos OS to the latest version (12.3X48-D50.6)

5) Zeroizing the SRX and doing a factory reset; the problem still occurred using the factory default configuration.

The SRX is currently using this configuration, which is the factory default configuration:
set version 12.3X48-D50.6
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings fe-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set protocols stp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
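The `show route 0` output above shows the same default route learned again and again, one entry per DHCP renewal. As an added example that is not part of the original post, this Python snippet parses that output format and flags a prefix that has accumulated several entries toward the same next hop; the sample text and the 203.0.113.97 next hop are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the 'show route 0' output quoted in the post.
SAMPLE = """\
0.0.0.0/0          *[Access-internal/12] 11:25:34
                    > to 203.0.113.97 via fe-0/0/0.0
                    [Access-internal/12] 06:33:58
                    > to 203.0.113.97 via fe-0/0/0.0
                    [Access-internal/12] 05:39:27
                    > to 203.0.113.97 via fe-0/0/0.0
"""

# First line of a prefix: "<prefix>  *[<proto>/<pref>] <age>"
PREFIX_RE = re.compile(r"^(\S+/\d+)\s+\*?\[(\w[\w-]*)/(\d+)\]\s+(\S+)")
# Additional entry for the same prefix: "   [<proto>/<pref>] <age>"
ENTRY_RE = re.compile(r"^\s+\*?\[(\w[\w-]*)/(\d+)\]\s+(\S+)")
# Next-hop line: "   > to <ip> via <interface>"
NH_RE = re.compile(r"^\s*>?\s*to\s+(\S+)\s+via\s+(\S+)")


def parse_routes(text):
    """Return a list of (prefix, protocol, preference, age, next_hop, interface)."""
    routes, prefix, pending = [], None, None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix = m.group(1)
            pending = (m.group(2), int(m.group(3)), m.group(4))
            continue
        m = ENTRY_RE.match(line)
        if m:
            pending = (m.group(1), int(m.group(2)), m.group(3))
            continue
        m = NH_RE.match(line)
        if m and prefix and pending:
            routes.append((prefix, *pending, m.group(1), m.group(2)))
            pending = None
    return routes


def stale_duplicates(routes, threshold=2):
    """Map (prefix, next_hop, interface) -> entry count, for groups at or above threshold.

    Several entries for one prefix toward one next hop usually means old
    DHCP-derived routes were never withdrawn when the lease was renewed.
    """
    counts = Counter((r[0], r[4], r[5]) for r in routes)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for key, n in stale_duplicates(parse_routes(SAMPLE)).items():
        print(f"{key[0]} has {n} entries via {key[1]} on {key[2]}")
```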

Where can I get release 12.1X44 for SRX100H2?

I need release 12.1X44-D35.5 for SRX100H2, but I cannot find it in JunOS downloads.

 

I already have that release for SRX110, but I'm not sure if I can use that file for SRX100H2 too...


Source and Destination NAT Translations

Archival feature isn't working anymore

Hi all,

 

Since we moved to a new archival site, the commit-on-transfer isn't working anymore.

But this issue only occurs on one SRX (cluster). The other SRX systems are working fine with the new archival site.

 

I have deleted the archival statement and configured it again.

I also checked that the ssh-known-hosts were updated.

I can also connect via SSH to the archival target.

 

Here is the log output. As you can see, there are some configs queued; maybe too many?

 

<27>1 2017-07-25T09:27:00.637+02:00 junipersrx logger - - - transfer-file: file /var/transfer/config/junipersrx_juniper.conf.gz_20170602_133829 not found
<27>1 2017-07-25T09:27:05.530+02:00 junipersrx logger - - - transfer-file failed to transfer /var/transfer/config/junipersrx_juniper.conf.gz_20170602_164823
<27>1 2017-07-25T09:37:01.780+02:00 junipersrx logger - - - transfer-file failed to transfer /var/transfer/config/junipersrx_juniper.conf.gz_20170602_164823

/var/transfer/config/:
total blocks: 1400
-rw-r-----  1 root  wheel      24014 Jun 2  19:53 junipersrx_juniper.conf.gz_20170602_175321
-rw-r-----  1 root  wheel      24018 Jun 2  20:48 junipersrx_juniper.conf.gz_20170602_184849
-rw-r-----  1 root  wheel      24021 Jun 2  21:36 junipersrx_juniper.conf.gz_20170602_193644
-rw-r-----  1 root  wheel      24020 Jun 2  21:39 junipersrx_juniper.conf.gz_20170602_193921
-rw-r-----  1 root  wheel      24024 Jun 2  21:49 junipersrx_juniper.conf.gz_20170602_194901
-rw-r-----  1 root  wheel      24024 Jun 2  21:50 junipersrx_juniper.conf.gz_20170602_195042
-rw-r-----  1 root  wheel      24037 Jun 3  01:04 junipersrx_juniper.conf.gz_20170602_230455
-rw-r-----  1 root  wheel      24042 Jun 3  01:07 junipersrx_juniper.conf.gz_20170602_230757
-rw-r-----  1 root  wheel      24047 Jun 3  01:09 junipersrx_juniper.conf.gz_20170602_230932
-rw-r-----  1 root  wheel      24036 Jun 6  00:44 junipersrx_juniper.conf.gz_20170605_224417
-rw-r-----  1 root  wheel      24044 Jun 6  00:56 junipersrx_juniper.conf.gz_20170605_225640
-rw-r-----  1 root  wheel      24036 Jun 6  07:09 junipersrx_juniper.conf.gz_20170606_050948
-rw-r-----  1 root  wheel      24044 Jun 6  07:32 junipersrx_juniper.conf.gz_20170606_053215
-rw-r-----  1 root  wheel      23987 Jun 6  08:25 junipersrx_juniper.conf.gz_20170606_062553
-rw-r-----  1 root  wheel      23966 Jun 6  08:27 junipersrx_juniper.conf.gz_20170606_062746
-rw-r-----  1 root  wheel      23924 Jun 6  13:33 junipersrx_juniper.conf.gz_20170606_113319
-rw-r-----  1 root  wheel      23937 Jun 13 08:30 junipersrx_juniper.conf.gz_20170613_063052
-rw-r-----  1 root  wheel      23930 Jun 13 08:32 junipersrx_juniper.conf.gz_20170613_063227
-rw-r-----  1 root  wheel      23879 Jun 16 08:37 junipersrx_juniper.conf.gz_20170616_063733
-rw-r-----  1 root  wheel      23880 Jun 16 08:41 junipersrx_juniper.conf.gz_20170616_064135
-rw-r-----  1 root  wheel      23921 Jun 26 14:45 junipersrx_juniper.conf.gz_20170626_124553
-rw-r-----  1 root  wheel      23980 Jul 19 12:45 junipersrx_juniper.conf.gz_20170719_104519
-rw-r-----  1 root  wheel      24022 Jul 21 09:00 junipersrx_juniper.conf.gz_20170721_070044
-rw-r-----  1 root  wheel      24027 Jul 24 11:30 junipersrx_juniper.conf.gz_20170724_093021
-rw-r-----  1 root  wheel      24030 Jul 24 11:31 junipersrx_juniper.conf.gz_20170724_093132
-rw-r-----  1 root  wheel      24146 Jul 25 09:01 junipersrx_juniper.conf.gz_20170725_070105
-rw-r-----  1 root  wheel      24155 Jul 25 09:06 junipersrx_juniper.conf.gz_20170725_070630
-rw-r-----  1 root  wheel      24146 Jul 25 09:16 junipersrx_juniper.conf.gz_20170725_071608
-rw-r-----  1 root  wheel      24146 Jul 25 09:26 junipersrx_juniper.conf.gz_20170725_072624
total files: 29

So, how can I troubleshoot this issue?

 

Thanks to you all.

 

Cheers, Christoph.

Replacing a chassis with a lab unit that does not have a support contract?

Hi all,

In the Juniper install base we can only update the component chassis and the address location of the chassis. But what if I want to replace the faulty chassis with my lab unit that does not have a support contract? I want to avoid two maintenance windows while waiting for the RMA part to arrive.


Thanks and appreciate someone help

AppID engine

Does AppID have a separate engine for inspection, or does it use the IPS engine for inspection?

As I have found, the AppID signature database is part of the IPS signature database.

FBF

When implementing policy-based routing to connect with 2 service providers:

>There is no guarantee that the return traffic will come from the same outgoing interface.

>How do I make sure that the return traffic will come from the same outgoing interface or sub-interface?
