Channel: SRX Services Gateway topics

Entire FPC restart on both nodes on SRX5800 for the second time this month?

Hi All,

I'm facing the entire FPC rebooting itself on both nodes in the cluster. Below is the log. Currently I have already configured RE protect (TCP) using a policer. Is there any way to protect it also from UDP or broadcast storms that can make the FPC CPU high?

 

{secondary:node1}

test@node2> ...ch "Sep 15" | match "FPC" | match "cpu"

Sep 15 14:06:22.606 2017  node1 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 13 PIC 0 CPU utilization exceeds threshold, current value=99

Sep 15 14:06:27.838 2017  node1 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 12 PIC 0 CPU utilization exceeds threshold, current value=99

Sep 15 14:06:28.511 2017  node1 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 13 PIC 0 CPU utilization exceeds threshold, current value=88

Sep 15 14:06:33.093 2017 node1 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 13 PIC 0 CPU utilization exceeds threshold, current value=91

Sep 15 14:06:56.145 2017  node1 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 15 PIC 3 CPU utilization exceeds threshold, current value=86

Sep 15 14:06:58.377 2017  node1 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 15 PIC 3 CPU utilization exceeds threshold, current value=85

{primary:node0}

test@node0> show log messages.3.gz | match "Sep 15" | match "FPC" | match "cpu"

Sep 15 14:05:34.638 2017  node0 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 1 CPU utilization exceeds threshold, current value=99

Sep 15 14:05:39.562 2017  node0 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 1 CPU utilization exceeds threshold, current value=99

Sep 15 14:05:42.497 2017  node0 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 1 PIC 0 CPU utilization exceeds threshold, current value=99

Sep 15 14:05:43.667 2017  node0 PERF_MON: %USER-2-RTPERF_CPU_THRESHOLD_EXCEEDED: FPC

 

Thanks and appreciate any feedback


addresses set by dns-name & security policy


Hello,

We are just moving from SRX210HE (JunOS 12.1X46-D65) to SRX300 (JunOS 15.1X49-D90) and unfortunately found out that addresses set as 'dns-name' are not correctly used/recognized inside security policies, e.g.

root@SRX300-1> show configuration security zones security-zone untrust address-book
address TEST-SourceAddress {
    dns-name www.juniper.net;
}

The interesting thing is that when listing this policy with general information this 'problematic' address is reported, but when listing with detail there is no mention of it:


root@SRX300-1> show security policies policy-name TEST
From zone: untrust, To zone: trust
  Policy: TEST, State: enabled, Index: 23, Scope Policy: 0, Sequence number: 6
    Source addresses: TEST-SourceAddress
    Destination addresses:TEST-DestinationAddress
    Applications: any
    Action: permit

root@SRX300-1> show security policies policy-name TEST detail
Policy: TEST, action-type: permit, State: enabled, Index: 23, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 6
  From zone: untrust, To zone: trust
  Destination addresses:
    TEST-DestinantionAddress: 192.168.0.100/32
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

TEST-SourceAddress is of course correctly resolved on the SRX300 device and is also present in the local dns-cache:

root@SRX300-1> show security dns-cache
DNS Name: www.juniper.net
DNS entry number: 1

---
Best Regards

UDP Flood Threshold issues

I'm trying to configure my SRX and finding issues with UDP flood warnings from Google and my VoIP provider. I have already raised the threshold to 5000 and am still seeing issues. Doing some research it appears Google is using a protocol called QUIC (https://en.wikipedia.org/wiki/QUIC) which uses UDP 443 to deliver YouTube. Is there a way I can whitelist traffic from the screen? I want to be able to whitelist QUIC traffic and traffic from my VoIP provider.

SNMP Help needed


I'm fairly new to Juniper and was tasked to configure our FW to use SNMPv3. We have SNMP configured, and we're using Cacti on a Linux host to monitor graphs and to collect SNMP data. However, it's been reported that SNMP has been generating an unnecessary amount of log data, and I've now been tasked to "reduce" it by disabling or limiting some portion of it, and I was under the assumption that the data was being pulled by the management SNMP server rather than the device sending the data. From the Cacti config point of view on the SNMP server/monitor, you basically enter the device IP, login info and version. Could it be an OID value? I'm not sure what I'm looking for and some guidance would be appreciated.

 

Some details (more can be provided, as needed)

Under SNMP configs, we have:

- v3: with a user using md5 authentication and DES privacy for encryption

- vacm: security-to-group with 'usm' security model and the user above in 'readgroupname'

- the view 'readgroupname' shows it's using 'oid system include' and 'oid .1 include'

- the client-list has this management server IP (and one other)

- trap-group has 'authentication' and 'configuration' categories and targets (the 2 mgmt server IPs)

 

What can I do to accomplish this?  (I'm currently waiting to get additional details on how the logs are becoming overwhelming, but would like to get ahead of it, if possible)

 

Similarly, I've been asked to do the same on a Cisco device, and on that, there is an option to select Poll and/or Trap, where polling is the SNMP server pulling SNMP data and Trap is the device sending SNMP data on an event.  No such option is apparent on the SRX.

SRX NAT


Hi,

Well, basically I am very new to the SRX environment and I need to NAT a public IP to 2 private IPs on different ports.
In Cisco it is quite easy, but in JunOS I don't have a clue how it is to be done. Can anyone kindly help with a display set configuration?
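As an added illustration (not the poster's configuration), the following display set configuration forwards one public IP to two internal hosts on different ports using destination NAT. All addresses, zone, interface and pool names are assumed placeholders; the public IP is assumed not to be an interface address, which is why proxy-ARP is needed, and the security policy is written against the private addresses because policy lookup happens after destination NAT. The `#` lines are annotations, not Junos syntax.

```junos
# Constructed example: public 203.0.113.10 -> web 10.0.0.10:80 and mail 10.0.0.20:25
# Assumed: zone untrust on ge-0/0/0.0 (203.0.113.1/24), zone trust holds both servers

# One destination pool per internal host, each carrying the internal port
set security nat destination pool DNAT_WEB address 10.0.0.10/32 port 80
set security nat destination pool DNAT_MAIL address 10.0.0.20/32 port 25

# Rules match the public address and port; rules are evaluated in order, first match wins
set security nat destination rule-set DNAT_FROM_UNTRUST from zone untrust
set security nat destination rule-set DNAT_FROM_UNTRUST rule TO_WEB match destination-address 203.0.113.10/32
set security nat destination rule-set DNAT_FROM_UNTRUST rule TO_WEB match destination-port 80
set security nat destination rule-set DNAT_FROM_UNTRUST rule TO_WEB then destination-nat pool DNAT_WEB
set security nat destination rule-set DNAT_FROM_UNTRUST rule TO_MAIL match destination-address 203.0.113.10/32
set security nat destination rule-set DNAT_FROM_UNTRUST rule TO_MAIL match destination-port 25
set security nat destination rule-set DNAT_FROM_UNTRUST rule TO_MAIL then destination-nat pool DNAT_MAIL

# 203.0.113.10 is not configured on any interface, so the SRX must answer ARP for it
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Policy is checked after destination NAT: match the private addresses and only the
# needed application, so nothing else on those hosts is reachable from untrust
set security zones security-zone trust address-book address WEB_SERVER 10.0.0.10/32
set security zones security-zone trust address-book address MAIL_SERVER 10.0.0.20/32
set security policies from-zone untrust to-zone trust policy ALLOW_WEB match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW_WEB match destination-address WEB_SERVER
set security policies from-zone untrust to-zone trust policy ALLOW_WEB match application junos-http
set security policies from-zone untrust to-zone trust policy ALLOW_WEB then permit
set security policies from-zone untrust to-zone trust policy ALLOW_WEB then log session-init
set security policies from-zone untrust to-zone trust policy ALLOW_MAIL match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW_MAIL match destination-address MAIL_SERVER
set security policies from-zone untrust to-zone trust policy ALLOW_MAIL match application junos-smtp
set security policies from-zone untrust to-zone trust policy ALLOW_MAIL then permit
set security policies from-zone untrust to-trust policy ALLOW_MAIL then log session-init
```

After committing, `show security nat destination summary` and `show security flow session destination-prefix 10.0.0.10` confirm the translation is applied and the session lands on the internal host.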

DCOM RPC ALG or pushing SCOM agent installation over SRX


I am trying to push SCOM agent installation over Juniper SRX firewall.

 

The process uses, among other ports, a port set defined as DCOM RPC which basically looks like an MS-RPC ALG application (Microsoft software, with high ports defined as 49152-65535).

 

I thus wrote a policy allowing, among others, the ms-rpc-any application from SCOM server to monitored clients.

 

Problem

Attempts to push the SCOM agent installation return the following error:

 

The management server failed to establish a DCOM connection 
to the remote computer where you are trying to install an agent.

This can happen when there is a firewall or IPSec policy that
only allows specific ports. Since DCOM uses a dynamic port range,
you may not be able to remotely install an agent unless an exception
is added to the firewall policy on the target agent. If you are not
using a Host based firewall, you may need to add an exception to
your network-based firewall between the IP Address or host name of
the target computer (and all computers you want to remotely install
an agent to) and the management server.

 

In the communication between SCOM and the target client, the SCOM server never attempts to communicate over TCP 135 to get the RPC endpoint port (which would be a prerequisite for the ALG to determine from the response which port from the high range it should open for the SCOM server to reach).

 

The only connections that are recorded in each agent push session are:

 

  1. initially, 8 sessions are created from SCOM server over TCP 445
  2. half of these sessions are immediately closed
  3. afterwards, SCOM server attempts to connect on RPC endpoint (some high port, which differs between sessions) which are denied (ALG not triggered)
  4. finally, other half of TCP 445 sessions are closed

Since there is no other communication involved, I assume the target client somehow passes that information over the TCP 445 session. But the SRX, at least by default, cannot monitor this session for the returned RPC endpoint.

 

Question

 

  1. Is it in any way possible to force the SRX ALG to monitor these TCP 445 sessions for the endpoint (if the protocol is in any way compatible)?
  2. Alternatively, is it possible to change the way the SCOM server performs its query?

(or maybe it is altogether different issue that you may have stumbled upon?)

Is there another way I can log in to RE1 on a chassis cluster SRX5800?

Hi all,

 

May I know whether there is a hidden command that we can use to log in to RE1 on a chassis cluster SRX5800 without a physical console? I'm using a redundant control link, that's why I have RE1.

 

 

Thanks and appreciate any feedback

SRX650 doesn't boot up!

Hi All

My SRX650 doesn't boot up!

After plugging in the power cable, a blinking prompt appears and nothing after that.

Could you help me?

Thanks in advance

Daniel Dantas


SRX1500 - Reth


Hi,

 

Could someone please clear up a point of confusion for me:

 

I have configured an "active/active" and also an "active/passive" successfully, but there is one part of the configuration that is confusing me slightly and I am amazed the HA even works because of this:

 

For the data plane configuration (fab ports) the example (and what I have used) is:

set interfaces fab0 fabric-options member-interfaces xe-0/0/16

set interfaces fab0 fabric-options member-interfaces xe-0/0/17

set interfaces fab0 fabric-options member-interfaces xe-7/0/16

set interfaces fab0 fabric-options member-interfaces xe-7/0/17

 

This is all good..... but then, it says "For failover use the following ports for the reth and tie to redundancy groups"

 

set interfaces xe-6/0/0 gigether-options redundant-parent reth0

set interfaces xe-6/1/0 gigether-options redundant-parent reth1

set interfaces xe-18/0/0 gigether-options redundant-parent reth0

set interfaces xe-18/1/0 gigether-options redundant-parent reth1

 

Why, if these are mentioned as the "failover data ports", are they completely different to the fab ports? I would have expected them to be the same...... My config works, but I want to understand why it works.

 

Thanks

Cannot upgrade firmware on SRX1500 due to not enough space?

Hi all,

Has anyone faced being unable to upgrade the firmware on an SRX1500 due to storage space? I have already cleaned the storage but it still fails.

Fast feedback would be appreciated because I'm already on site in front of the chassis.

 

Thanks

SRX chassis cluster redundancy groups

Hi

I want to ask what is the best practice to configure redundancy groups.

I am deploying an active/passive SRX cluster and have 4 links: 1x WAN, 2x site-to-site connections and 1x LAN.

Should I put every link in a separate redundancy group, or all interfaces in one redundancy group?

What is the best approach?

 

Thanks

DF bit set in inner packet and GRE imposed header


Hi everyone,

 

I am trying to find some docs to find out whether the SRX copies the DF bit from the inner packet into the GRE header when doing GRE tunneling.

Also whether the TTL value of the inner packet is copied into the GRE header by default.

In Cisco, the DF bit and TTL are not copied into the GRE header; just wondering if the SRX works the same way.

Select device to boot from


I did an upgrade on my SRX and purposely left the old image on the disk, just in case. So now things look like they are working okay and I was going to snapshot over the old image. Before I do, I have a couple of files on there that I need to copy off, so I figured I could just reboot, interrupt the boot and tell it to boot from the backup partition, but it keeps booting into the updated partition and not the old one.

 

root@GreatGazoo> show system snapshot media internal
Information for snapshot on       internal (/dev/da0s1a) (backup)
Creation date: Jan 7 06:36:38 2014
JUNOS version on snapshot:
  junos  : 11.4R6.6-domestic
Information for snapshot on       internal (/dev/da0s2a) (primary)
Creation date: Sep 22 14:04:54 2017
JUNOS version on snapshot:
  junos  : 12.1X46-D65.4-domestic

Interrupting the boot and changing the boot.current didn't seem to help either:

loader> show
LINES=24
autoboot_delay=2
autoload=n
baudrate=9600
boot.btsq.len=0x00002000
boot.btsq.start=0x003fa000
boot.current=backup
boot.devlist=nand-flash:usb
boot.env.size=0x00002000
boot.env.start=0x003fe000
boot.status=0x2000a
boot.upgrade.loader=0xbfe00000
boot.upgrade.loader.data=0x00200000
boot.upgrade.loader.hdr=0x002fffc0
boot.upgrade.uboot=0xbfc00000
boot.upgrade.uboot.data=0x00000100
boot.upgrade.uboot.hdr=0x00000030
boot.ver=1.7
bootcmd=cp.b 0xbfe00000 0x100000 0x100000; bootelf 0x100000
bootdelay=1
bootfile=/kernel;/kernel.old
comconsole_speed=9600
console=comconsole
currdev=disk0s2

So basically I want to boot to /dev/da0s1a.

 

Do I need to change the currdev to disk0s1? I've not seen any reference to changing this parameter and figured before I do and brick my device, I'd ask.

 

Thanks!!!

 

SRX1500 Strange Cluster Behaviour


Hi, 

 

Running 2 x SRX1500 that are currently directly connected via the HA Control Port and 2 x FAB ports (Fibre on ge-0/0/12 and ge-0/0/13 and ge-7/0/12 and ge-7/0/13).

 

Running the command "show chassis cluster status" shows us exactly what we expect, and the config is shown below:

 

set chassis cluster reth-count 7
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

set interfaces ge-0/0/14 gigether-options redundant-parent reth0
set interfaces ge-0/0/15 gigether-options redundant-parent reth1

set interfaces ge-7/0/14 gigether-options redundant-parent reth0
set interfaces ge-7/0/15 gigether-options redundant-parent reth1

set interfaces fab0 fabric-options member-interfaces ge-0/0/12
set interfaces fab0 fabric-options member-interfaces ge-0/0/13
set interfaces fab1 fabric-options member-interfaces ge-7/0/12
set interfaces fab1 fabric-options member-interfaces ge-7/0/13

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.30.1/24
set interfaces reth0 unit 0 family iso

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.20.1/24
set interfaces reth1 unit 0 family iso

set groups node0 system host-name THW-SRX-01
set groups node0 system backup-router 192.168.5.3
set groups node0 system backup-router destination 192.168.5.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.5.1/24
set groups node1 system host-name HEX-SRX-02
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.5.2/24
set apply-groups "${node}"

 

Now, for the test I unplugged the HA Control port on Unit 0 (Primary)..... The two Fab ports on unit 0 went to Up / Down status and it also saw unit 1 as "lost".

 

On unit 1 we see the fab ports as Up/Up, but the chassis cluster status command showed unit 0 as lost and unit 1 (itself) as ineligible.... very strange, as I would have expected to see it as the primary.

 

Anyway, plugging the HA cable back in should have resulted in the HA light on the front going green on both chassis and the "show chassis cluster status" back how it was, but, NO.... the following has happened:

 

Red light still showing (after 20 minutes) on unit 0 for HA Control port..... all four FAB interfaces show as up.... so, let me show you the output from unit 0 (Primary):

 

{primary:node0}
root@THW-SRX-01> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None
node1  1        disabled       no      no       None

Redundancy group: 1 , Failover count: 3
node0  100      primary        no      no       None
node1  1        disabled       no      no       None

 

root@THW-SRX-01> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA
    0       em0         Up                 Disabled

Fabric link status: Up

Fabric interfaces:
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0    ge-0/0/12          Up   / Up
    fab0    ge-0/0/13          Up   / Up
    fab1    ge-7/0/12          Up   / Up
    fab1    ge-7/0/13          Up   / Up

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Down        1
    reth1        Down        1
    reth2        Down        Not configured
    reth3        Down        Not configured
    reth4        Down        Not configured
    reth5        Down        Not configured
    reth6        Down        Not configured

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0

 

Absolutely nothing looks right.... it looks like the whole thing is failing.

 

thanks in advance

 

SRX210 behind ISP Modem


I hope I do a decent job explaining this. I want to put my SRX210 between my home LAN and the internet. The internet access is controlled through my cable modem. If all the home LAN machines were in the same subnet as the internal interface of the modem, all was good - duh! So I figured I would just basically turn one interface of the SRX into a connection between the home LAN and the modem by NATting all the home LAN IPs to an address in the range of the modem's internal network. I've attached a basic diagram of the setup.

 

So what happens is that at some point in time, the internal home-lan machines lose access to the internet. When I try to ping an outside IP address, it times out. If I then ping the modem internal address (172.20.15.1), the ping will typically time out once or twice and then work. After that, that same machine will then have internet access again.

 

So I figured it was a routing/proxy/ARP issue. I've combed through the configuration and removed everything except the parts necessary to make this work. I verified my proxy-arp and routing tables and all looks good. When I monitor the external interface of the SRX (I don't have any control of the ISP modem) I see a lot of ARP requests for 172.20.15.x IPs but no replies. Does that mean my proxy isn't working? Do I need to maybe make that a /24 for the full 172.20.15 network?

 

This is the configuration as it's in the SRX now.

set interfaces ge-0/0/0 description "Trunk to Internet: SRX-210 (ge-0/0/0) to MOTOROLA SBG6580"
set interfaces ge-0/0/0 gigether-options auto-negotiation
set interfaces ge-0/0/0 unit 0 family inet filter input-list FLTR_ALLOW_ALL
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
set interfaces ge-0/0/0 unit 0 family inet address 172.20.15.254/24

set interfaces ge-0/0/1 description "SRX-210 (ge-0/0/1) to TP-LINK port 1 : Gateway for HOME_LAN"
set interfaces ge-0/0/1 gigether-options auto-negotiation
set interfaces ge-0/0/1 unit 0 family inet filter input-list FLTR_ALLOW_ALL
set interfaces ge-0/0/1 unit 0 family inet sampling input
set interfaces ge-0/0/1 unit 0 family inet sampling output
set interfaces ge-0/0/1 unit 0 family inet address 10.20.15.254/24

set routing-options static route 0.0.0.0/0 next-hop 172.20.15.1

set security log mode stream

set security nat source pool NAT_SRCE_POOL_HOME_LAN description "NAT SOURCE POOL FOR HOME-LAN to INTERNET CONNECTIONS"
set security nat source pool NAT_SRCE_POOL_HOME_LAN address 172.20.15.129/26
set security nat source pool NAT_SRCE_POOL_HOME_LAN host-address-base 10.20.15.129/32
set security nat source rule-set NAT_SRCE_HOME_LAN from zone HOME_LAN
set security nat source rule-set NAT_SRCE_HOME_LAN to zone Internet
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.129/26
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match destination-address 0.0.0.0/0
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet then source-nat pool NAT_SRCE_POOL_HOME_LAN
set security nat proxy-arp interface ge-0/0/0.0 address 172.20.15.129/32 to 172.20.15.191/32

set security policies from-zone Internet to-zone HOME_LAN policy policy_startup_rvpn_HOME_LAN match source-address any
set security policies from-zone Internet to-zone HOME_LAN policy policy_startup_rvpn_HOME_LAN match destination-address any
set security policies from-zone Internet to-zone HOME_LAN policy policy_startup_rvpn_HOME_LAN match application any
set security policies from-zone Internet to-zone HOME_LAN policy policy_startup_rvpn_HOME_LAN then permit tunnel ipsec-vpn startup_rvpn
set security policies from-zone HOME_LAN to-zone Internet policy HOME_LAN-to-Internet match source-address ADDR_HOME_NAT
set security policies from-zone HOME_LAN to-zone Internet policy HOME_LAN-to-Internet match source-address any-ipv4
set security policies from-zone HOME_LAN to-zone Internet policy HOME_LAN-to-Internet match destination-address any
set security policies from-zone HOME_LAN to-zone Internet policy HOME_LAN-to-Internet match application any
set security policies from-zone HOME_LAN to-zone Internet policy HOME_LAN-to-Internet then permit
set security policies from-zone HOME_LAN to-zone Internet policy HOME_LAN-to-Internet then log session-init
set security policies from-zone HOME_LAN to-zone Internet policy HOME_LAN-to-Internet then log session-close
set security policies from-zone HOME_LAN to-zone Internet policy HOME_LAN-to-Internet then count
set security policies from-zone HOME_LAN to-zone HOME_LAN policy HOME_LAN_HOME_LAN match source-address ADDR_HOME_LAN
set security policies from-zone HOME_LAN to-zone HOME_LAN policy HOME_LAN_HOME_LAN match destination-address ADDR_HOME_LAN
set security policies from-zone HOME_LAN to-zone HOME_LAN policy HOME_LAN_HOME_LAN match application any
set security policies from-zone HOME_LAN to-zone HOME_LAN policy HOME_LAN_HOME_LAN then permit
set security policies default-policy deny-all
set security policies policy-rematch
set security zones security-zone Internet description "SRX-210 (ge-0/0/0) to SBG6580 Port 2: Trunk to internet"
set security zones security-zone Internet tcp-rst
set security zones security-zone Internet screen untrust-screen
set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone HOME_LAN description "SRX-210 (ge-0/0/1) to TP-Link Port 1: Trunk for HOME_LAN"
set security zones security-zone HOME_LAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone HOME_LAN interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone HOME_LAN interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone HOME_LAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set firewall family inet filter FLTR_ALLOW_ALL term T-01 from source-address 0.0.0.0/0
set firewall family inet filter FLTR_ALLOW_ALL term T-01 from destination-address 0.0.0.0/0
set firewall family inet filter FLTR_ALLOW_ALL term T-01 then count CNT_ALLOW_ALL
set firewall family inet filter FLTR_ALLOW_ALL term T-01 then log
set firewall family inet filter FLTR_ALLOW_ALL term T-01 then syslog
set firewall family inet filter FLTR_ALLOW_ALL term T-01 then accept

 

This is repeatable. During the typing of this post, I lost connection to the internet. All I had to do was get on 10.20.15.172 (the home-LAN DNS server) and ping 172.20.15.1. The first two timed out and then it worked. Immediately internet access was restored.

 

If it makes a difference, the modem is a Motorola SBG6580. The gateway and primary network mode are both set to routed. My intent is that what the Motorola should see on its internal interface is a 172.20.15.x packet, as that's the NAT function of the SRX.

 

If this all makes sense, suggestions? I'm not really expecting anyone to be able to troubleshoot this without hands on the keyboard, but I would like suggestions on what I can do to find/troubleshoot more. I've verified via traceoptions that the packet is actually getting NATted and hitting the exit interface of the SRX (ge-0/0/0). What I don't see is it coming back in, so I'm thinking it's something on the ISP modem, but I can't change that so I need to fix it on the inside (SRX) somehow.

 

Thanks for reading and offering any suggestions!!!


IPSec VPN will not establish. Error in KMD log


Hello,

 

Has anyone seen this error before? This is from the KMD.log file.

 

[Sep 24 02:21:04]KMD_INTERNAL_ERROR: kmd_read_securitycfg: dax_get_object_by_path() returned FALSE, secop: 0x0.
[Sep 24 02:45:10]KMD_INTERNAL_ERROR: kmd_read_securitycfg: dax_get_object_by_path() returned FALSE, secop: 0x0.
[Sep 24 06:06:02]KMD_INTERNAL_ERROR: kmd_read_securitycfg: dax_get_object_by_path() returned FALSE, secop: 0x0.
[Sep 24 09:39:21]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Sep 24 10:37:37]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received

 

I have an SRX300 and an older Cisco router between which I had configured an IPsec tunnel. My tunnel dropped and I started checking all my configurations (IKE and IPsec) on both devices to see what could be wrong. The configurations have not changed and the tunnel was up before. Are there any debugs that could be done to see the phase 1 negotiations? I can attach configurations if needed.

 

Thanks

 

Log rules between 2 zones


Hi,

I have multiple zones on my SRX5400 and I want to log accepted and rejected packets.

 

security-zone ZONE1 {
    interfaces {
        reth0.4 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }
}
security-zone ZONE2{
    interfaces {
        reth0.5 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }
}
from-zone ZONE2 to-zone ZONE1 {
    policy PermitAll {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

from-zone ZONE1 to-zone ZONE2 {
    policy PermitAll {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
show configuration system syslog
user * {
    any emergency;
}
file messages {
    any notice;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}

In my lab, I accept everything. In the future, there will be some deny rules.

I want to log them. For example, I want From @IP To @IP REJECT match rules T1 ...

I did some research on the internet and juniper.net, but nothing for my case.

Do you have a solution for me?

A documentation?

 

Thank you for your time
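As an added illustration (not the poster's configuration), the following adds per-policy session logging to the two zones above. It assumes a syslog collector at 192.0.2.50 and a data-plane source address of 192.0.2.1 (both placeholders). On the SRX5400 security logs are emitted in stream mode straight from the SPUs, so they go to the collector rather than to the `messages` file configured under `system syslog`; each permit logs RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE and each deny logs RT_FLOW_SESSION_DENY, which carry the source and destination IPs and the matching policy name. The `#` lines are annotations, not Junos syntax.

```junos
# Constructed example: stream security logs from the data plane to a collector
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream SECLOG category all
set security log stream SECLOG host 192.0.2.50

# Existing PermitAll policies: log session setup and teardown, and count hits
set security policies from-zone ZONE2 to-zone ZONE1 policy PermitAll then log session-init
set security policies from-zone ZONE2 to-zone ZONE1 policy PermitAll then log session-close
set security policies from-zone ZONE2 to-zone ZONE1 policy PermitAll then count
set security policies from-zone ZONE1 to-zone ZONE2 policy PermitAll then log session-init
set security policies from-zone ZONE1 to-zone ZONE2 policy PermitAll then log session-close
set security policies from-zone ZONE1 to-zone ZONE2 policy PermitAll then count

# Explicit deny at the end of each context: only session-init applies to a deny,
# and logging it is what produces the From @IP To @IP REJECT records
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyLog match source-address any
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyLog match destination-address any
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyLog match application any
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyLog then deny
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyLog then log session-init
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyLog then count
set security policies from-zone ZONE2 to-zone ZONE1 policy DenyLog match source-address any
set security policies from-zone ZONE2 to-zone ZONE1 policy DenyLog match destination-address any
set security policies from-zone ZONE2 to-zone ZONE1 policy DenyLog match application any
set security policies from-zone ZONE2 to-zone ZONE1 policy DenyLog then deny
set security policies from-zone ZONE2 to-zone ZONE1 policy DenyLog then log session-init
set security policies from-zone ZONE2 to-zone ZONE1 policy DenyLog then count
```

Policies are evaluated top to bottom, so once real deny rules replace PermitAll they must sit above DenyLog; `show security policies hit-count` confirms which policy traffic is landing on.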

SRX 1500 LACP issues connecting to EX4200 and Extreme X460-G1

Hi All

 

I have a weird problem when using LACP from a pair of Juniper SRX 1500s connecting to a pair of Juniper EX4200 and Extreme Networks Summit X460-G1 stacks.

The problem is that when I have both connections from the SRX's node0 Reth1 connected to Extreme Stack 1, web sites that are hosted from Windows machines on the 4200 VC have speed issues and random drops of data which cause the site to display an error message. If I remove one of the connections, basically turning it back into a single-connection RETH interface, everything seems to work perfectly fine.

 

I installed a pair of SRX 1500s in a chassis cluster a couple of months ago to replace an SRX240 cluster. At the time I had the wrong XFPs in the EX4200 Virtual Chassis, so I could not connect from the 1500s to the EX4200 at 10GB and had to leave these on 1GB links running LACP. I have 2 Extreme Networks stacks with 3 switches in each stack, 2 X460s and 1 X440 per stack. The X460s have a 10GB module in the back, which I have connected to the 1500s, and then set up LACP on both the firewalls and the switches. When I first installed the new firewalls I connected node0 to 1 Extreme stack and node 1 to the second stack; when I did this we had the problem I described above, so at the time I just dropped the extra connection from the firewalls. Last night I went into our data centre and replaced the XFPs in the Virtual Chassis and connected up the VC to the SRX cluster with redundant links from the SRXs to the VC and configured LACP. I also reconnected the redundant links from the SRXs to the Extreme stacks.

 

I had several users working from home to test the web sites and they all complained of speed issues and getting errors on the web sites. As it was getting very late I removed the redundant links for both the EX VC and Extreme stacks, so basically each firewall is back down to a single connection from the firewall to the switches.

 

SRX config

 

Reth1 - connects to Extreme Stacks

Reth1 interfaces xe-0/0/16(Connects to stack1 port 1:30), xe-0/0/17(Connects to stack1 port 2:30), xe-7/0/16(Connects to stack2 port 1:30) and xe-7/0/17(Connects to stack2 port 2:30).

Reth1 redundant-ether-options lacp passive

Reth1 redundant-ether-options lacp periodic slow

 

Reth0 - Connects to Juniper EX4200 VC

Reth1 interfaces xe-0/0/18, xe-0/0/19, xe-7/0/18 and xe-7/0/19.

Reth0 redundant-ether-options lacp passive

Reth0 redundant-ether-options lacp periodic slow

 

EX4200 AE2 connects to node0 interface xe-0/0/18 and xe-0/0/19 and AE3 connects to node1 interfaces xe-7/0/18 and xe-7/0/19

xe-0/1/0 ether-options 802.3ad ae2

xe-1/1/0 ether-options 802.3ad ae2

 

xe-0/1/1 ether-options 802.3ad ae3

xe-1/1/1 ether-options 802.3ad ae3

 

ae2 aggregated-ether-options lacp active

ae2 aggregated-ether-options lacp periodic slow

 

ae3 aggregated-ether-options lacp active

ae3 aggregated-ether-options lacp periodic slow

 

Extreme X460 Sharing Stack 1 connects to Node 0

enable sharing 1:30 grouping 1:30,2:30

configure sharing 1:30 lacp

 

Extreme X460 Sharing Stack 2 connects to Node 0

 

enable sharing 1:30 grouping 1:30,2:30

configure sharing 1:30 lacp

 

As you can see, on the Extreme stacks I don't have the LACP mode or the timeout configured. Could this be the issue?

 

When I check the timeout values for Extreme LACP and Juniper LACP, Extreme has either a 3 second timeout or a 90 second timeout and Juniper has either a 1 second timeout or a 30 second timeout.

 

On the Juniper SRXs I have 15.1X49-D75.5 installed. On the Extreme stacks I am running 16.1.3.6.

 

I think the problems are all caused by LACP between the SRXs and the Extreme stacks, so if anyone has any suggestion or has configured SRX to Extreme Networks before, any help would be greatly appreciated.

 

I can create a diagram if that would help

 

Richard

Problem to connect SRX to Cisco router

Hello all,

I try to connect a Juniper SRX with a Cisco 1841. The first one is connected with a VLAN interface:

reth0 {
        description "Link to Cisco 1841";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 81 {
            vlan-id 81;
            family inet {
                address 192.168.81.254/24;
            }
        }
    }

and the second:

interface FastEthernet0/1/0
 switchport access vlan 81
 no ip address

interface Vlan81
 ip address 192.168.81.1 255.255.255.0

At this moment I am not able to ping the interface in either direction, but I did a "show arp" on both devices:

3c:8a:b0:2a:32:b0 30.17.0.2       30.17.0.2                 fab0.0              permanent
50:c5:8d:33:f6:30 30.18.0.1       30.18.0.1                 fab1.0              permanent
3c:8a:b0:2a:32:47 130.16.0.1      130.16.0.1                fxp1.0              none
00:17:95:dc:49:48 192.168.6.1     192.168.6.1               fxp0.0              none
00:0a:b8:51:b9:c1 192.168.6.10    192.168.6.10              fxp0.0              none
a4:93:4c:ee:5f:a6 192.168.111.1   192.168.111.1             reth1.0             none

Cisco:

Internet  192.168.81.1            -   0018.7345.de88  ARPA   Vlan81
Internet  192.168.81.254          0   0010.dbff.1000  ARPA   Vlan81

and I don't understand why I see the entries on the Cisco device while it's empty on the Juniper device.

And I suppose this is why the two devices don't communicate.

I am including the whole configuration so you can see everything:

 

version 12.1X47-D35.2;
groups {
    node0 {
        system {
            host-name EROS;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.6.30/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name HADES;
        }
        interfaces {
            fxp0 {
                unit 0 {                
                    family inet {
                        address 192.168.6.31/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    domain-name xxxx.corp;
        root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
    }
    name-server {
        192.168.100.4;
    }
    login {
        user xxxx {
            uid 2000;
            class super-user;
            authentication {            
                encrypted-password "xxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            rate-limit 2;
        }
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;              
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 192.168.111.1 prefer;
    }
}
chassis {
    cluster {
        reth-count 2;                   
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            interface-monitor {
                fe-0/0/1 weight 255;
                fe-1/0/1 weight 255;
                fe-0/0/2 weight 255;
                fe-1/0/2 weight 255;
            }
        }
    }
}
interfaces {
    fe-0/0/1 {
        description "Link to Cisco 1841 Fe0/1/0";
        fastether-options {
            redundant-parent reth0;
        }
    }                                   
    fe-0/0/2 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fe-1/0/1 {
        description "Link to Cisco 1841 Fe0/1/1";
        fastether-options {
            redundant-parent reth0;
        }
    }
    fe-1/0/2 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                fe-0/0/0;
            }
        }
    }                                   
    fab1 {
        fabric-options {
            member-interfaces {
                fe-1/0/0;
            }
        }
    }
    reth0 {
        description "Link to Cisco 1841";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 81 {
            vlan-id 81;
            family inet {
                address 192.168.81.254/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;         
        }
        unit 0 {
            family inet {
                address 192.168.111.30/24;
            }
        }
    }
}
protocols {
    stp;
}
security {
    zones {
        security-zone Trusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.81;
            }
        }                               
        security-zone Untrusted {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                reth1.0;
            }
        }
        security-zone MGMT;
    }
}
routing-instances {
    RI-VR-LAN {
        instance-type virtual-router;
        interface reth0.81;
        routing-options {
            static {
                route 192.168.100.0/24 next-hop 192.168.81.1;
            }
        }
    }                                   
}

Thank you for your help...

VLAN tagging on SRX 100


Hello everyone.

I just bought an SRX 100 and deleted all the default config.

Please consider the following setup:

Cisco R1 f1 199.199.199.10---------199.199.199.1 f0/0/0 SRX

Cisco R1 and the SRX should talk using dot1q tag 10.

ISSUE:

R1 cannot ping 199.199.199.1 because the SRX does not respond to R1's ARP request for 199.199.199.1:

[Image: Capture34.PNG]
SRX Config:

 

root> show configuration | display set
set version 11.4R7.5
set system root-authentication encrypted-password "$1$K8pkQCB3$PMhEh2V68NzABTnuUWOiv0"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 0 vlan-id 20
set interfaces fe-0/0/0 unit 0 family inet address 200.200.200.1/24
set interfaces fe-0/0/0 unit 10 vlan-id 10
set interfaces fe-0/0/0 unit 10 family inet address 199.199.199.1/24
set interfaces fe-0/0/1 unit 0
set interfaces fe-0/0/2 unit 0
set interfaces fe-0/0/3 unit 0
set interfaces fe-0/0/4 unit 0
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0
set interfaces fe-0/0/7 unit 0
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone TRUST interfaces fe-0/0/0.10 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces fe-0/0/0.10 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces fe-0/0/0.0

#########################

What am I missing?