As per subject.
I have a high 'Real-time threads CPU utilization' on fwdd.
Yet, 'top -H' or 'show system processes extensive' shows fwdd as only taking 30 to 40% CPU....
Help/suggestions here?
Hello all,
I am losing my mind here trying to figure out what I am doing wrong with this config. I am off-site from the device and am attempting to do some testing of different configurations and routing between devices. I have only made a few physical connections, and was hoping to be able to use VLAN interfaces as subinterfaces on one of the physical ports so that I could have multiple logically separate subnets.
I have tried using different unit numbers, and tried flexible VLAN tagging, but nothing seems to work. I have read probably 100 forum posts and articles that seem to have about 5 different ways of doing this and none of them seem to work; plus most aren't dealing with packet mode, and I feel there is a bit of a disconnect in the support from one mode to another.
I have the physical interface all set up as a point-to-point link, but I would like to create another on the same physical port, tagged with VLAN 100, while leaving the below on unit 0 as untagged.
I would like to place 172.20.20.1/30 on VLAN 100 on ge-0/0/2
ge-0/0/2 {
    unit 0 {
        family inet {
            address 12.12.12.181/30;
        }
    }
}
Any ideas?
I have been unable to find ANY documentation of the installation of an SSD device for logging in the SRX300 series.
I HAVE found references that indicate the following:
1) it is supported in our SRX340
2) minimum size for SRX340 is 100GB
BUT, after installing a 240GB Samsung 840 SSD, the SRX340 is stuck with the status light in alarm.
The device doesn't appear to have finished starting up; only the management port is active.
Ports 0/0 and up are dead/inactive. Even the power button is nonresponsive.
After pulling the power cord and removing the drive, the device starts up normally when re-energized.
Please advise, what is the procedure for installing an SSD drive, and which drives are supported?
None of our resellers have the "official" Juniper SKU 100GB SSD drive for sale.
I'm trying to set up a route-based VPN on an SRX340 to a Cisco ASA. The remote end will not allow private IPs to be tunneled through, so I have to NAT the traffic on my side to public space before it enters the VPN so that it exits the other side as a public IP. Any pointers on how that might be done?
Hello Expert,
I'm changing some configuration from ScreenOS SSG-550M to Junos SRX5600, but I have some doubts regarding this change:
The current config in ScreenOS has several virtual routers. My doubt is with the Trust-VR: do I need to create a virtual router for this, or use the SRX [inet.0] router itself for this virtual router?
What is best practice for this?
Also, if you can share with me a config from ScreenOS to Junos, it would be a great help.
Thanks for the help
Mario Cruz
Hello,
We are installing a new SRX5600 and we are seeing that some 10G interfaces are not working. [All SFPs are Juniper]
Looking at the optics output, there is nothing:
show interfaces diagnostics optics xe-3/0/1
Physical interface: xe-3/0/1
Laser bias current : 0.000 mA
Laser output power : 0.0000 mW / - Inf dBm
Module temperature : 18 degrees C / 65 degrees F
Module voltage : 3.3390 V
Receiver signal average optical power : 0.0000 mW / - Inf dBm
Laser bias current high alarm : Off
Laser bias current low alarm : On
Laser bias current high warning : Off
Laser bias current low warning : On
Laser output power high alarm : Off
Laser output power low alarm : On
Laser output power high warning : Off
Laser output power low warning : On
Module temperature high alarm : Off
Module temperature low alarm : Off
Module temperature high warning : Off
Module temperature low warning : Off
Module voltage high alarm : Off
Module voltage low alarm : Off
Module voltage high warning : Off
Module voltage low warning : Off
Laser rx power high alarm : Off
Laser rx power low alarm : On
Laser rx power high warning : Off
Laser rx power low warning : On
Laser bias current high alarm threshold : 95.000 mA
Laser bias current low alarm threshold : 3.000 mA
Laser bias current high warning threshold : 90.000 mA
------------------------------------------------------------------------------------------
This is the hardware installed:
show chassis hardware
FPC 3 REV 09 750-061262 CAHZ1366 SRX5k IOC II
CPU REV 03 711-061263 CAJA9651 SRX5k MPC PMB
MIC 0 REV 11 750-049488 CAJA0871 10x 10GE SFP+
PIC 0 BUILTIN BUILTIN 10x 10GE SFP+
Xcvr 1 REV 01 740-021309 H3P2004895 SFP+-10G-LR
Xcvr 2 REV 01 740-021309 H3P2004630 SFP+-10G-LR
MIC 1 REV 07 750-055732 CAHX9529 20x 1GE(LAN) SFP
PIC 2 BUILTIN BUILTIN 10x 1GE(LAN) SFP
Xcvr 0 REV 02 740-011613 AM16382KQAM SFP-SX
Xcvr 1 REV 02 740-011613 AM16382KQA9 SFP-SX
PIC 3 BUILTIN BUILTIN 10x 1GE(LAN) SFP
Xcvr 0 REV 02 740-013111 H114328 SFP-T
Xcvr 1 REV 02 740-011613 AM16382KPGU SFP-SX
Xcvr 2 REV 02 740-011613 AM16382KQBB SFP-SX
Xcvr 6 REV 02 740-013111 H124469 SFP-T
Xcvr 7 REV 02 740-013111 H111051 SFP-T
Xcvr 8 REV 02 740-013111 H110681 SFP-T
Xcvr 9 REV 02 740-013111 H113404 SFP-T
-----------------------------------------------------------------------
The status of the port:
root@ROFW02> show interfaces xe-3/0/2 brief
Physical interface: xe-3/0/2, Enabled, Physical link is Down
Link-level type: Ethernet, MTU: 1500, LAN-PHY mode, Speed: 10Gbps,
Loopback: None, Source filtering: Disabled, Flow control: Enabled
Device flags : Present Running Down
Interface flags: Hardware-Down SNMP-Traps Internal: 0x4000
Any idea of what could be wrong?
Thanks
Hi all,
I'm reading this URL https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/SRX-cluster-monitoring-best-practices.pdf and I'm interested in page 79.
May I know whether, using the latest Junos D110, we can assign fxp0 into a VR and use the same segment as the reth interface? In other words, we use the reverse of what is on page 79.
I'm using an SRX5800 chassis cluster setup.
Thanks, and I appreciate any feedback.
Hello,
I've recently configured an SRX cluster. However, for one of the nodes I get the following alarm:
node1:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time Class Description
2017-09-22 18:04:55 CEST Minor Potential slow peers are: FWDD0 FWDD1
Has anyone seen this before or know what this could be? The firewalls are running JUNOS Software Release [17.3R1.10]
Any help would be greatly appreciated. Thanks in advance.
Hi all,
I am facing a weird problem. On our two syslog servers, SIEM & Junos Log Collector, we do not see any flow session logs sent from the LSYS on the SRX5800 cluster after the cluster switchover. Previously node1 was master on RG0 and RG1, but during some issue the SRX rebooted and now node0 is master on RG0 while node1 is master on RG1.
On our syslog servers we can see flow session logs from main routing, but we just cannot see flow session logs from the LSYS, only after the cluster failover.
Appreciate someone's help.
Hi everyone,
Case#1
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 199.199.199.10
set security nat static rule-set rs1 rule r1 then static-nat prefix 10.10.10.10
As a result of using static NAT, we also have NAT in the reverse direction, where all traffic sourced from 199.199.199.10 will be NATted to 10.10.10.10.
Does this "Reverse Static NAT" highlighted above refer to the reverse NAT we see in case 1?
Case#1
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 199.199.199.10
set security nat static rule-set rs1 rule r1 then static-nat prefix 10.10.10.10
As a result of using static NAT, we also have NAT in the reverse direction, where all traffic sourced from 199.199.199.10 will be NATted to 10.10.10.10.
Does this "Reverse Static NAT" highlighted above refer to the reverse NAT we see in case 2?
Thanks and have a nice day!!
Hi everyone,
Please consider the following scenario:
H1-10.10.10.1---R1- f1199.199.199.1- tun10-------tun10---200.200.200.1 f1-SRX—10.10.11.2-G2
R1 has GRE tun10 with tunnel source f1, tunnel destination 200.200.200.1
SRX has GRE tunnel tun10 with tunnel source f1, tunnel destination 199.199.199.1
H1 and H2 communicate over the GRE tunnel.
If I have to run traceoptions with a file and a packet filter to see how packets received over the GRE tunnel from R1 are treated inside the SRX, should we define the packet filter for traceoptions on the GRE-imposed IPs, i.e. src 199.199.19.1 dest 200.200.200.1, or should we define the packet filter on the inner packet, i.e. source 10.10.10.1, destination 10.10.11.2?
My hunch:
We should define the packet filter for traceoptions based on how packets arrive on the SRX. Above, we have to analyze traces for traffic received from H1 to H2 over the GRE tunnel; the traffic will be arriving with the GRE-imposed header SRC 199.199.199.1 DEST 200.200.200.1, so if we define the packet-filter for traceoptions based on these IPs, we can see how the packet is received, decapsulated,
On the other hand, if we define the packet filter for traceoptions based on the inner packet, i.e. src 10.10.10.1 dst 10.10.11.2, we will only see traces after the decapsulation by GRE.
Not sure if the above is true.
Thanks and have a nice day!!
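The outer-versus-inner distinction raised in the post above can be made concrete by parsing a GRE packet in two stages. The following Python script is an added example, not code from the original post or from Juniper: it constructs an IPv4-in-GRE packet using the addresses from the post's diagram, parses the outer header as the packet would arrive on the wire, strips the GRE header, and parses the inner header. A source/destination filter is then evaluated against each stage, showing that a filter keyed on the outer addresses matches at reception while one keyed on the inner addresses can only match after decapsulation. The stage names and `filter_matches` helper are assumptions made for illustration; the script models the principle, not the actual Junos flow traceoptions implementation.

```python
# Added example (not from the original post): an IPv4-in-GRE packet is
# constructed with the post's addresses, then parsed twice: once as it
# arrives on the wire (outer header) and once after GRE decapsulation
# (inner header). A packet-filter keyed on one set of addresses only
# matches at the stage where those addresses are visible.
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47
IPPROTO_ICMP = 1
ETHERTYPE_IPV4 = 0x0800
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (TTL 64, header checksum left at zero) + payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return the addresses, protocol and payload of one IPv4 packet."""
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def gre_decapsulate(gre):
    """Strip an RFC 2784/2890 GRE header, honouring the optional C/K/S fields."""
    flags_ver, proto_type = struct.unpack("!HH", gre[:4])
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 payloads are handled in this example")
    offset = 4
    if flags_ver & 0x8000:  # C bit: checksum + reserved1 present
        offset += 4
    if flags_ver & 0x2000:  # K bit: key present
        offset += 4
    if flags_ver & 0x1000:  # S bit: sequence number present
        offset += 4
    return gre[offset:]


def trace_stages(pkt):
    """Headers a flow trace could filter on, keyed by processing stage (assumed names)."""
    outer = parse_ipv4(pkt)
    stages = {"received": outer}
    if outer["proto"] == IPPROTO_GRE:
        stages["decapsulated"] = parse_ipv4(gre_decapsulate(outer["payload"]))
    return stages


def filter_matches(hdr, src, dst):
    """Emulates a source/destination packet-filter against one parsed header."""
    return hdr["src"] == src and hdr["dst"] == dst


# Constructed sample: H1 -> H2 ICMP echo request carried in GRE from R1 to the SRX.
INNER = build_ipv4("10.10.10.1", "10.10.11.2", IPPROTO_ICMP,
                   bytes([8, 0, 0, 0, 0, 1, 0, 1]))  # ICMP echo, checksum unset
GRE = struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER  # no C/K/S bits set
PACKET = build_ipv4("199.199.199.1", "200.200.200.1", IPPROTO_GRE, GRE)

if __name__ == "__main__":
    for stage, hdr in trace_stages(PACKET).items():
        print(f"{stage:13} {hdr['src']} -> {hdr['dst']} proto {hdr['proto']}")
```

Running the script prints the outer pair (199.199.199.1 -> 200.200.200.1, protocol 47) for the received stage and the inner pair (10.10.10.1 -> 10.10.11.2, protocol 1) for the decapsulated stage, which is the same split the post describes between tracing the tunnel and tracing the payload.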
Hello ,
We have not been using our SRX 3600 for nearly 2 years; I just want to know if there is an update for this kind of SYN attack.
The attack is coming from spoofed sources, so no source IP hits a second time, and 1 million+ SYN packets are coming per second. This attack is nearly 300 Mbps.
The SRX was not able to do anything about this 2 years ago. Is it still the same? It does not trigger the SYN proxy / cookie protection threshold in any way; it requires 4 hits from a single source in any situation.
Hello all,
I am trying to prevent my SRX340 (which is in packet mode) from responding to ICMP on a per-interface basis with the firewall family feature set.
I am able to create and apply rules that block ICMP entirely on an interface, and any traffic that flows through it, and I am also able to block ICMP responses for a specific destination address, but I don't know how to apply it to an interface (without specifying the address) and NOT have it block in-transit ICMP that is passing through that interface originated on one side or the other.
I would like to create a rule that I can slap on an interface just to block that interface or unit number from giving an echo-reply, but not prevent ICMP from passing through.
Can anyone lead me in the right direction? Would also like to know how to hide the hop from a trace route if required, but perhaps that is another question...
Hello ,
I want to know what an SRX device is; what is the aim of it?
I could not say it is a DDoS mitigator, because we have broken and locked up the device in hundreds of ways.
I could not say it is an exact application firewall, because we have tested it with botnet attacks and could not succeed.
What is it? Could somebody tell me, please?
We need to return an SRX 1500 using the RMA process. The unit is coming from a secure environment and I am trying to find the best way of returning the equipment with the least traces of data, short of shredding it. My proposal is:
1) set system encrypt-configuration-files
2) commit
3) request system autorecovery state clear
4) request system zeroize
I see that files are only unlinked during the zeroize process, is there anything else that can be usefully done to remove data?
Hi Guys,
Currently having some issues updating IDP signatures on my devices; I just realized this recently. Getting the following error:
error-message="Done;FetchingSignatureUpdate_tmp.xml.gzfailed, error:-1"] Failedtostartscheduledupdate(errorone;FetchingSignatureUpdate_tmp.xml.gzfailed, error:-1)
Has anyone had experiences troubleshooting this?
Do I need security policies to allow access to services.netscreen.com?
Thanks
I'm trying to run the root password reset and get through all the steps, but the system will still not log me in with the new password. It just drops me back to the login: prompt. If I give it an intentionally bad password it will tell me the login is incorrect, so it's recognizing the new password but not allowing me into the CLI. This is running on an SRX 110 running 12.1X44-D30 (I'm guessing on the software since I can't log in to the machine, but it's a good guess).
Hi,
We have two SRXs in packet mode. There are two ISP links connected per gateway for redundancy.
ISP1 is connected on the ge-0/0/0 interface and ISP2 is connected on the ge-0/0/1 interface.
Here, if ISP1 (primary) goes down, the ISP2 (secondary) interface should start communicating; once the ISP1 interface comes up, it should again become primary.
Kindly suggest a configuration KB.
Thank you...
I will have a /24 routed to me over BGP, and I would like to subnet and statically route the /24 to various interfaces from my SRX340 in packet mode.
I have set up an aggregation policy so that when any contingent part of the /24 is active (/24 or longer), it advertises the entire /24 over BGP to my neighbours as per my export policy.
I am having trouble keeping the route active when I don't either have part of it static to "discard", part of it active on an interface, or one of the addresses attached to the loopback interface.
If I would like to route any part of the /24 statically to other addresses that are not part of that subnet, none of them will be "active" on the SRX, and it won't advertise the /24 over BGP. How can I correct this? I have tried advertise-inactive as well, but I don't think I either understood it or got it to work.
Thanks for the help!