Channel: SRX Services Gateway topics
Viewing all 3959 articles

SRX 1400 "max initiated negotiations in progress"


Short question: does anyone have any idea what causes an SRX 1400 to only log this with IKE debug enabled, and not bring up a VPN tunnel?

[Oct 6 13:22:29 PIC 1/1/0 KMD2][234.234.234.234 <-> 123.123.123.123] Reached max initiated negotiations in progress. Ignoring the request to trigger new negotiation
[Oct 6 13:22:33 PIC 1/1/0 KMD2][234.234.234.234 <-> 123.123.123.123] Received IKE Trigger message with local_gw_addr = 234.234.234.234 remote_gw_addr = 123.123.123.123

Looks like I have this problem with one particular routed VPN tunnel with three network pairs; it doesn't matter whether the tunnel is configured with traffic selectors or as three different tunnels. Other tunnels on the same device seem to work just fine, even newer ones than this problematic one.

The devices are an SRX 1400 cluster with some 50-100 active routed tunnels. The configuration maximums shouldn't be even close; as far as I know the limit should be around 5000 tunnels for an SRX 1400?


LDAP Amplification


Hello,

We are facing 20 Gbps+ LDAP amplification attacks; the images given below show how much of an emergency issue it is. IP addresses are sent directly to the blackhole community, so we are blocking IP addresses directly; this is why it seems nearly 10G. But when they hit one of the whitelisted IP addresses we see that the attack is nearly 24 Gbps.

We have available link aggregation ports and connectivity to handle this traffic, but the biggest problem is that the LDAP traffic is coming as fragmented packets; there is no UDP header in the LDAP amp packets, so it looks like this:

traffic looks like:

xxxx.ZZZZ . -> . ourip:389

xxxx.0 . -> . ourip.0

The first packet hits port 389 and the next packets come fragmented, without the UDP headers. So there is no source and destination port information in the packet.

We cannot block fragmentation because we have streaming customers.

Anybody know a solution for this?

Attached screenshots: Screen Shot 2017-10-07 at 15.56.27.png, Screen Shot 2017-10-07 at 15.56.15.png, Screen Shot 2017-10-07 at 15.55.53.png
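An added example (not from the post) of the point made above: only the first IPv4 fragment carries the UDP header, so a port-based filter never sees port 389 on the tail fragments, and a stateful tracker has to remember the (src, dst, IP-ID) of a first fragment seen with port 389 to label the ones that follow. The packets below are constructed inline, and the tracker assumes fragments arrive in order.

```python
import struct
from collections import namedtuple

Frag = namedtuple("Frag", "src dst ident offset more proto payload")

def parse_ipv4(pkt: bytes) -> Frag:
    """Pull the fragment-relevant fields out of an IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", pkt[4:8])
    more = bool(flags_off & 0x2000)            # MF (more fragments) flag
    offset = (flags_off & 0x1FFF) * 8          # fragment offset in bytes
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return Frag(src, dst, ident, offset, more, pkt[9], pkt[ihl:])

def build_ipv4(src, dst, ident, offset, more, payload, proto=17):
    """Constructed test packet: minimal 20-byte IPv4 header, checksum left 0."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

class FragmentTracker:
    """Label fragments of UDP/389 datagrams. Only the first fragment (offset 0)
    carries the UDP header; later ones are matched by (src, dst, IP-ID)."""
    def __init__(self):
        self.ldap_flows = set()

    def classify(self, pkt: bytes) -> str:
        f = parse_ipv4(pkt)
        key = (f.src, f.dst, f.ident)
        if f.offset == 0:
            if f.proto != 17 or len(f.payload) < 8:
                return "non-udp"
            sport, dport = struct.unpack("!HH", f.payload[:4])
            if 389 in (sport, dport):              # LDAP on either side
                if f.more:
                    self.ldap_flows.add(key)       # remember for the tail
                return "ldap-first-fragment"
            return "udp-other"
        # offset > 0: no transport header here, so ports are unknowable
        if key in self.ldap_flows:
            if not f.more:
                self.ldap_flows.discard(key)       # last fragment seen
            return "ldap-tail-fragment"
        return "unattributed-tail-fragment"

# Constructed sample: a 3-fragment reflected LDAP reply plus one stray fragment
UDP_HDR = struct.pack("!HHHH", 389, 40000, 8 + 32, 0)   # sport 389 -> dport 40000
REFLECTOR, VICTIM = "203.0.113.7", "198.51.100.9"        # documentation addresses
SAMPLE = [
    build_ipv4(REFLECTOR, VICTIM, 0x1234, 0, True, UDP_HDR + b"A" * 8),
    build_ipv4(REFLECTOR, VICTIM, 0x1234, 16, True, b"B" * 16),
    build_ipv4(REFLECTOR, VICTIM, 0x1234, 32, False, b"C" * 8),
    build_ipv4("192.0.2.44", VICTIM, 0x9999, 16, False, b"D" * 8),
]

def classify_sample():
    t = FragmentTracker()
    return [t.classify(p) for p in SAMPLE]
```

A tail fragment that arrives before its first fragment is reported as unattributed, which is exactly the blind spot a stateless port filter has on every tail fragment.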

Single source flood


Hello,

We are facing an issue on an SRX 3600: if some single source IP address starts a flood, the SRX creates a session for this connection on a single core of an SPU, and if the selected core is on the first SPU it causes 100% usage of this core and easily locks up the whole device. This is a known issue on any kernel-based device. We have tested on FreeBSD / CentOS / Debian etc.; they all give the same result.

Depending on the instructions on

https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/general/npc-srx3k-npc.html

SRX NPC:

it can drop traffic to or from a particular IP address

I think it is something similar to n-tuple filters on Intel 82599 chips, but we can easily write a script in C / Perl / Python to detect a flooder on other operating systems and block this kind of flooder before the packets arrive at the net_recv filter in the kernel.

Is there any possible way to do the same thing on the SRX? Is there any possibility to block depending on PPS for a /32 source on the NPC?

Thank you
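An added example, not from the post, of the per-source rate check the poster describes scripting on other operating systems: a sliding one-second window of packet timestamps per /32 source, a threshold in packets per second, and a timed block that keeps the source out of the session path once it trips. The source addresses, timestamps and the 200 pps threshold are constructed for the demonstration.

```python
from collections import deque, defaultdict

class SourcePpsDetector:
    """Per-/32 packets-per-second detector with a sliding window and timed block."""
    def __init__(self, threshold_pps: int, window_s: float = 1.0):
        self.threshold = threshold_pps
        self.window = window_s
        self.times = defaultdict(deque)   # src -> arrival timestamps in window
        self.blocked = {}                 # src -> timestamp when the block expires

    def observe(self, src: str, ts: float, block_for_s: float = 60.0) -> str:
        """Return 'blocked', 'flood' (threshold just crossed) or 'ok'."""
        exp = self.blocked.get(src)
        if exp is not None:
            if ts < exp:
                return "blocked"          # drop before any session work
            del self.blocked[src]
        q = self.times[src]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                   # expire timestamps outside the window
        if len(q) / self.window > self.threshold:
            self.blocked[src] = ts + block_for_s
            q.clear()
            return "flood"
        return "ok"

def run_sample():
    """Constructed stream: 10.0.0.5 sends 500 pps, 10.0.0.6 sends 5 pps."""
    det = SourcePpsDetector(threshold_pps=200)
    verdicts = defaultdict(list)
    for i in range(500):
        verdicts["10.0.0.5"].append(det.observe("10.0.0.5", i / 500))
    for i in range(5):
        verdicts["10.0.0.6"].append(det.observe("10.0.0.6", i / 5))
    first_flood = verdicts["10.0.0.5"].index("flood")
    return {src: v[-1] for src, v in verdicts.items()}, det.blocked, first_flood
```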

SRX 3600 Topology Question


Hello,

Depending on the instructions below, we want to connect a 2x10G link aggregation to the box. But each IOC has 10 Gbps connectivity.

So if I need a 10+ Gbps connection with the upstream, do I need to get each 10G link from a different IOC?

These are the bandwidth limitations; does anybody know the PPS limitations?

Each NPC cannot bind to multiple IOCs, but the documentation says 55 Gbps connectivity. What if we need 30 Gbps connectivity? An NPC limit is 20 Gbps, so how should you connect 3 or more 10G links and let them bind in one aggregation port while it does not support going through an NPC?

https://www.juniper.net/assets/cn/zh/local/pdf/datasheets/1000267-en.pdf

Each IOC binds to exactly one NPC
Multiple IOCs can be bound to one NPC
Multiple NPCs cannot bind to one IOC, each NPC will bind to a separate IOC

Each IOC has a 10 Gb full duplex connection to the fabric
Each SPC has a 10Gb full duplex connection to the fabric
Each NPC has two 10 Gb full duplex connections to the fabric: one towards the IOCs, and one towards the SPCs

Item             Version  Part number  Serial number     Description
Chassis                                AB4209AA0014      SRX3600
Midplane         REV 07   710-020310   AAAV0320          SRX3600 Midplane
PEM 0            rev 08   740-027644   G087FD002R08P     AC Power Supply
PEM 1            rev 08   740-027644   G087FE004B08P     AC Power Supply
CB 0             REV 14   750-021914   AAAV0881          SRX3k RE-12-10
  Routing Engine          BUILTIN      BUILTIN           Routing Engine
  CPP                     BUILTIN      BUILTIN           Central PFE Processor
  Mezz           REV 08   710-021035   AAAN7843          SRX HD Mezzanine Card
FPC 0            REV 16   750-021882   AADE3908          SRX3k SFB 12GE
  PIC 0                   BUILTIN      BUILTIN           8x 1GE-TX 4x 1GE-SFP
FPC 1            REV 20   750-020321   AAFE5669          SRX3k 2x10GE XFP
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-XFP
    Xcvr 0                NON-JNPR     T09L21440         XFP-10G-SR
    Xcvr 1                NON-JNPR     T09L21452         XFP-10G-SR
FPC 4            REV 14   750-020321   AAAV0984          SRX3k 2x10GE XFP
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-XFP
    Xcvr 0                NON-JNPR     T09L21443         XFP-10G-SR
    Xcvr 1                NON-JNPR     T09L21436         XFP-10G-SR
FPC 7            REV 13   750-016077   AADC9162          SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp-Flow
FPC 10           REV 19   750-017866   AABZ0103          SRX3k NPC
  PIC 0                   BUILTIN      BUILTIN           NPC PIC
FPC 11           REV 16   750-016077   AAEA6880          SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
FPC 12           REV 13   750-016077   AADC9166          SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Flow
Fan Tray 0       REV 06   750-021599   AAAM4505          SRX3600 Fan Tray

eBGP Multihop - IPv4 and IPv6 Group


Hopefully a quick question for the gurus.

I have a test network where I have dual-stack IPv4 and IPv6 with a neighbor that was directly connected.

This was accomplished through the use of two neighbor statements, one with the v4 and one with the v6 address.

To experiment with multihop, I put a "dumb" router in between the two (the other BGP end is a Cisco 1941), configured the loopback address and got multihop up and running; however, I got a conflict when I tried to commit and had to remove the neighbor v6 address.

'bgp'
Error in neighbor <IPv6 address here> of group external:
local and peer addresses must be from the same family
error: configuration check-out failed

When I tried to add a "local address" with a v6 address, it overwrote the v4 address?

I am not sure if I am doing it incorrectly, or if I have to create a separate "group" to multihop over v6 from the v4 group, which is strange because when they are directly connected I can dual-stack the same group.

Any thoughts?

PIM dense mode on SRX and (*,G) state creation


Hi everyone,

Source 199.199.199.1----- tun10 -Cisco-fe0/0/4---- Receiver (239.1.1.1)

On Cisco:

The source is not sending any multicast stream yet.

As soon as the LHR receives an IGMP report for 239.1.1.1, (*,239.1.1.1) is created, which can be seen with show ip multicast route, i.e. we do not need to receive a multicast stream from the source to create the (*,239.1.1.1) state. It is created as a result of IGMP.

Now if we use the same setup on the SRX:

Again the source is not sending any multicast stream yet.

Source 199.199.199.1----- tun10 -SRX-fe0/0/4---- Receiver (239.1.1.1)

I noticed the following:

1) The (*,239.1.1.1) state is not created in the multicast table even though the SRX is able to discover via IGMP that the receiver is interested in 239.1.1.1; that can be seen using show igmp, but the multicast table does not show an entry.

Now, contrast this with Cisco: Cisco creates the (*,239.1.1.1) state in the multicast routing table once it receives an IGMP report for 239.1.1.1 from the receiver.

Is that normal behavior on the SRX?

2) Source 199.199.199.10 is sending a stream to 239.1.1.1.

The SRX creates an (S,G) state, i.e. (199.199.199.10, 239.1.1.1), which can be seen using show multicast route.

This behavior is common between Cisco and SRX.

3) Do we have any command on the SRX that can show me the number of packets dropped because of RPF failure?

Thanks and have a nice weekend!!


VPN Traffic Selector with third party vendors


Hi

I want to establish VPNs with Cisco firewalls and other 3rd-party vendors. The VPN ACL contains a lot of host addresses, which would require huge policies if I configure a policy-based VPN.

So can I use a route-based VPN using traffic selectors?

Has this been tested before?

Thanks



Can the latest Junos D110 on the SRX assign fxp0 into a VR?

Potential slow peers Minor alarm


Hello,

I've recently configured an SRX cluster. However, for one of the nodes I get the following alarm:

node1:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time Class Description
2017-09-22 18:04:55 CEST Minor Potential slow peers are: FWDD0 FWDD1

Has anyone seen this before or know what this could be? The firewalls are running JUNOS Software Release [17.3R1.10].

Any help would be greatly appreciated. Thanks in advance.


SRX question, bridge to switching environment

Do we still need to put a secondary IP on the SRX, same as NetScreen?


Hi All,

Let's say the current ScreenOS config has a secondary IP on an interface. The purpose of this secondary IP is that the current public IP addresses on the interface are already used up; in other words, it is for MIP. Example like below:

set interface ethernet2/1.420:1 ip 40.30.20.1 255.255.255.240
set interface ethernet2/1.420:1 ip 40.30.31.70 255.255.255.240 secondary
set interface ethernet2/1.420:1 ip 50.70.31.70 255.255.255.240 secondary

So on the SRX do we also need to put a secondary IP on that interface? Or do we just create the pool under source-nat / destination-nat?

Thanks, and I appreciate any feedback

My DHCPV6 Server does not work at all


You must forgive me, I have Junos 11.47; don't crack on me. No DHCPv6 client.

Upon entering the following configuration my DHCPv6 server does not operate at all. Am I missing something?

dhcp-local-server {
    dhcpv6 {
        group group1 {
            interface ge-0/0/0.0;
            interface sp-0/0/0.0;
            interface ge-0/0/13.0;
            interface ge-0/0/14.0;
            interface ge-0/0/15.0;
            interface lo0.0;
            interface vlan.0;
        }
    }
......


access {
    address-assignment {
        pool 1 {
            family inet6 {
                prefix 2601:204:ce00:5550::/64;
                range v6-range {
                    low 2601:204:ce00:5550::1/64;
                    high 2601:204:ce00:5550:ffff:ffff:ffff:ffff/64;
                }
                dhcp-attributes {
                    dns-server {
                        2001:558:feed::1;
                        2001:558:feed::2;
                    }
                }
            }
        }
        pool 2 {
            family inet6 {
                prefix 2001:558:5515:37::/64;
                range v6-range2 {
                    low 2001:558:5515:37::1/64;
                    high 2001:558:5515:37:ffff:ffff:ffff:ffff/64;
                }
                dhcp-attributes {
                    dns-server {
                        2001:558:feed::1;
                        2001:558:feed::2;
                    }
                }
            }
        }
        pool 3 {
            family inet6 {
                prefix fe80::/64;
                range v6-range3 {
                    low fe80::1/64;
                    high fe80::ffff:ffff:ffff:ffff/64;
                }
                dhcp-attributes {
                    dns-server {
                        2001:558:feed::1;
                        2001:558:feed::2;
                    }
                }
            }
        }
    }
}

When I use the command "show dhcpv6 server binding" there is no output at all.

 

Help and suggestions NEEDED!!!!!!


SRX-550 upgrade fails at compatibility check! Read-only file system


Hello,
I have an issue with the SRX-550 software upgrade, at the compatibility check. Does anybody have the same issue?

I need to upgrade a couple of SRX550M clusters from 15.1X49-D30.3 to 17.3.
At upgrade, the compatibility check fails because the system tries to write to a 'read-only' directory.
The behavior is the same with 15.1X49-D110.

I start with the secondary node:



admin@PK5-SBY-FW-11> request system software add /var/tmp/upg/junos-srxsme-17.3R1.10.tgz validate no-copy

Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 2529.8MB (5181084 sectors) block size 16384, fragment size 2048
        using 14 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
 32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544,
 3384608, 3760672, 4136736, 4512800, 4888864
Checking compatibility with configuration
Initializing...
mkdir: /var/v: Read-only file system
cd: can't cd to /var/v/c
usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] source_file target_file
       cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] source_file ... target_directory
cp: /var/v/c/mfs/var/etc: Read-only file system
cp: /var/v/c/mfs/var/etc: Read-only file system
mkdir: /var/v: Read-only file system
mount: /var/v: No such file or directory
ERROR: validate-config: cannot mount junos-15.1X49-D30.3-domestic
mkdir: /var/v: Read-only file system
mount: /var/v: No such file or directory
mkdir: /var/v: Read-only file system
mount: /var/v: No such file or directory
Using junos-17.3R1.10 from /altroot/cf/packages/install-tmp/junos-17.3R1.10
Copying package ...
mkdir: /var/v/c/tmp/junos: Read-only file system
mount_nullfs: /var/v: No such file or directory
cd: can't cd to /var/v/c/tmp/junos
mkdir: /var/v: Read-only file system
/usr/libexec/ui/validate-config: cannot create /var/v/c/tmp/junos/+INSTALL.x: Read-only file system
chroot: /var/v/c: No such file or directory
ERROR: validate-config: /var/v/c/tmp/junos/+INSTALL fails
ERROR: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-17.3R1.10

{secondary:node0}
admin@PK5-SBY-FW-11>

The problem starts with 'mkdir: /var/v: Read-only file system'.
Indeed, the /var directory is read-only:
% ls -l
...
dr-xr-xr-x   3 root  wheel   4096 Dec 17  2015 var
...

I tried to add write rights as root, but of course I can't:
% su
Password:
root@PK5-SBY-FW-11% chmod +w /var
chmod: /var: Read-only file system
root@PK5-SBY-FW-11%

I saw on the net somebody having the same issue, but with no solution provided:
http://wiki.jusouschi.net/networking:equipments:juniper:srx:manage_junos

Thanks for your tips!


Dynamic VPN client having wrong netmask and blank default gateway


Hello,

I'm trying to set up VPN for an SRX550m unit. I was able to establish a connection (via Pulse Secure v5.1.5). However, once connected, although the client has got the correct IP address assignment, its netmask is somehow set to 255.255.255.255 (it should be 255.255.255.0, aka /24), and on top of that, the default gateway is set to... blank!

I've stumbled upon a post (see link below) where the exact same issue was presented, but the solution (?) seemed to be to downgrade to 11.1 R.4 -- but that was back in 2012.

http://forums.juniper.net/t5/SRX-Services-Gateway/Pulse-Clients-Getting-Wrong-Subnet-Mask/m-p/140005

I've inherited this SRX550m unit and it's currently in production, so downgrading JunOS is definitely not a viable option.

I was hoping that Juniper would've fixed it by now, but it doesn't seem to be the case. I hope that I'm wrong and that I've either missed an important step or fat-fingered something, and if so, please feel free to point out my mistakes.

Please find attached the configuration of the unit for your perusal. Any advice/pointers would be very, very much appreciated.

PS: I am aware that Juniper has switched over to the NCP client, but that would require us to procure a license and what-not, so I have to make this work with Pulse Secure. (I hope that all of this is not a Pulse Secure bug of some sort...)

PPS: Also, unfortunately, along with the inheritance of this unit, I've also inherited not having a support contract with the Juniper Support team, so I couldn't ping them for assistance. :-(

Regards,


Changing Scheduling order of Queues on SRX 650


Hi everyone,

Please consider the following setup:

Let's say we have mapped 8 traffic classes to queues on our SRX 650:

Traffic 0 - q0
Traffic 1 - q1
Traffic 2 - q2
Traffic 3 - q3
Traffic 4 - q4
Traffic 5 - q5
Traffic 6 - q6
Network Control - q7

If we do not define any scheduler, will the SRX service the queues from high to low queue using the default scheduler?

What if we want to modify this order, for example:

Traffic 0 - q0
Traffic 1 - q1, scheduler 1, priority high
Traffic 2 - q2, scheduler 2, priority low
Traffic 3 - q3, scheduler 3, priority low
Traffic 4 - q4, scheduler 4, priority low
Traffic 5 - q5, scheduler 5, priority medium
Traffic 6 - q6, scheduler 6, priority low
Network Control - q7, scheduler 7, priority low

Will the above config cause the queues to be serviced in the following order?

Q1 first (because its scheduler priority is high)
Q5 second (because its scheduler priority is medium)

Then the rest of them in this order:

Q7
Q6
Q4
Q3
Q2
Q0

Thanks and have a nice day!!

Multifield filter and BA Classifier on SRX 650


Let's say we have the following scenario:

Traffic>----f1/0-SRX

We applied a multifield classifier ingress on f1/0, which classifies traffic based on some criteria. What happens to traffic that is permitted by the multifield filter but not assigned to any forwarding class? Is such traffic placed in the best-effort queue?

Example:

We have a multifield classifier:

TERM 1: from TCP 80, then forwarding-class Critical, then accept
TERM 2: from TCP 70, then forwarding-class Bulk, then accept
TERM 3: from TCP 60, then accept (i.e. we did not assign any forwarding class)

Will TCP 60 traffic be placed in the default queue, as no forwarding class is specified, or is it subject to the default classifier applied on the interface?

Thanks and have a nice day!!


Does SRX support ALG for JAVA RMI?


Hi all,

Does anyone here know whether the SRX ALG supports Java RMI?

Thanks
