Channel: SRX Services Gateway topics

Dynamic VPN route-based won't come up


Hi,

I have purchased an SRX320 to replace a working Netscreen-25 which is used as a VPN concentrator. I cannot get the config to work. Here is what the kmd logs show (I masked the IP addresses in the logs; x.x.x.x is my public IP, y.y.y.y is the remote side):

IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: x.x.x.x/500, Remote: y.y.y.y/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

The initiator is on the remote side.

Part of my config:

# show security ike
traceoptions {
    file ike-debug;
    flag all;
}
proposal smartbox-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike-dyn-vpn-policy {
    mode aggressive;
    proposals smartbox-proposal;
    pre-shared-key ascii-text "$9$VvYaGDikfTFYg3/AuIRlevw2GjHsYP5QnpuKM8Xs24jk.4o/Cp0RE-VbwaU.P56/AZU"; ## SECRET-DATA
}
gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    external-interface ge-0/0/0.0;
    xauth {
        access-profile access-profile-smartbox;
    }
}

# show security ipsec
traceoptions {
    flag all;
}
proposal smartbox-phase2 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 600;
}
policy ipsec-dyn-vpn-policy {
    proposals smartbox-phase2;
}
vpn dyn-vpn {
    bind-interface st0.0;
    ike {
        gateway dyn-vpn-local-gw;
        ipsec-policy ipsec-dyn-vpn-policy;
    }
    establish-tunnels immediately;
}

 

The IKE SA shows:

> show security ike sa detail
IKE peer y.y.y.y, Index 401858
  Role: Responder, State: DOWN
  Initiator cookie: 8bba78cf71fcc127, Responder cookie: 051fc7e75b033b82
  Exchange type: Unknown, Authentication method: Unknown
  Local: x.x.x.x:500, Remote: y.y.y.y:500
  Reauth Lifetime: Disabled
  Xauth assigned IP: 0.0.0.0
  Algorithms:
    Authentication       : (null)
    Diffie-Hellman group : unknown
  Traffic statistics:
    Input  bytes  : 396
    Output bytes  : 102
    Input  packets: 1
    Output packets: 1
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0

  Flags: IKE SA is created
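
As an added example (not part of the original post and not Juniper code), here is a small Python parser for the kmd "IKE negotiation failed" line format quoted above, so the failure can be triaged or counted across a log excerpt. The regular expression is fitted to that single line and is an assumption about the format; the two extra sample lines, the syslog prefix and the 198.51.100.7 peer are constructed for illustration.

```python
"""Parse the kmd "IKE negotiation failed" line quoted in the post into
structured fields and count failures per remote peer and reason.
Added example, not Juniper code: the pattern is fitted to that one line
and is an assumption about the format; the extra sample lines are
constructed."""
import re
from collections import Counter

KMD_RE = re.compile(
    r"IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<version>\d+), VPN: (?P<vpn>\S+) Gateway: (?P<gateway>[^,]+), "
    r"Local: (?P<local>[^,]+), Remote: (?P<remote>[^,]+), "
    r"Local IKE-ID: (?P<local_id>.+?), Remote IKE-ID: (?P<remote_id>.+?), "
    r"VR-ID: (?P<vr_id>\d+): Role: (?P<role>\w+)"
)

# Constructed sample: line 1 is the post's log line, line 2 the same line
# behind a made-up syslog prefix, line 3 a made-up variant with a different
# peer (RFC 5737 address) and a different reason.
SAMPLE_LOG = """\
IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: x.x.x.x/500, Remote: y.y.y.y/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Sep 20 09:45:37 srx320 kmd[1234]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: x.x.x.x/500, Remote: y.y.y.y/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: x.x.x.x/500, Remote: 198.51.100.7/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
"""


def parse_kmd_line(line):
    """Return a dict of fields for a kmd failure line, or None if it is not one."""
    m = KMD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["version"] = int(rec["version"])
    for side in ("local", "remote"):
        host, sep, port = rec[side].rpartition("/")  # "y.y.y.y/500" -> host, port
        if not sep:                                  # no port suffix present
            host, port = rec[side], ""
        rec[side + "_host"] = host
        rec[side + "_port"] = int(port) if port.isdigit() else None
    return rec


def classify(rec):
    """Coarse triage tag derived from the error text (assumed mapping)."""
    error = rec["error"].lower()
    if "gateway configuration lookup failed" in error:
        # The responder found no configured IKE gateway matching this peer
        # (peer address, IKE-ID or external-interface did not match).
        return "no-matching-gateway"
    if "proposal" in error:
        return "proposal-mismatch"
    return "other"


def summarize(text):
    """Count (remote_host, tag) pairs over a log excerpt, skipping other lines."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_kmd_line(line)
        if rec:
            counts[(rec["remote_host"], classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for (peer, tag), n in summarize(SAMPLE_LOG).items():
        print(f"{peer:16} {tag:22} {n}")
```

Running the file prints a per-peer tally; a repeated `no-matching-gateway` from one peer while the SRX is the responder points at the gateway lookup (peer address or IKE-ID versus the configured gateway on that external interface) rather than at proposals or keys.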


One VLAN, two subnets


Hi, I have this situation: I have to set up two subnets in one VLAN on my SRX. Here's my interface config, but I am unable to route traffic from subnet 1.0 to 3.0, although I am able to route traffic from 3.0 to 1.0. I know it's not standard or even recommended, but I have to ensure hosts can communicate between the subnets for a short period of time, and then I will reconfigure the whole network. Is it possible? Thanks

description "TRUNK TO CORESW";
vlan-tagging;
redundant-ether-options {
    redundancy-group 1;
}
unit 1 {
    description LAN;
    vlan-id 1;
    family inet {
        filter {
            input SQUID;
        }
        sampling {
            input;
            output;
        }
        address 192.168.1.1/24 {
            primary;
        }
        address 192.168.3.1/24;
    }
}

How to load balance on SRX


I am very new to Juniper and need some help.

I currently have one SRX 550M and two EX2200 switches; below is the diagram. We have two ISP connections, one is an ILL and the other is broadband.

1. How do we load balance traffic on the SRX across the available ISP connections?

2. Currently one of the EX2200 switches is acting as DHCP server, but the requirement is to move that from the EX2200 to the SRX 550. How do I achieve this, i.e. remove the DHCP configuration from the switch and add it on the SRX?

3. I also have two VLANs, 192.168.28.0/24 and 192.168.24.0/24. I need to segregate corporate traffic from the guest network (Wifi-Guest SSID), for which I need a separate VLAN I guess, or can we block it with some firewall rules?

 

[Network diagram: Network.png]

SRX Conf:

## Last commit: 2017-09-20 09:45:37 UTC by root
version 15.1X49-D30.3;
system {
root-authentication {
encrypted-password "password here"; ## SECRET-DATA
ssh-rsa "SSH Key here"; ## SECRET-DATA
}
name-server {
202.83.21.2;
202.83.21.12;
103.8.46.5;
103.8.44.5;
192.168.1.46;
192.168.7.101;
}
services {
ssh;
xnm-clear-text;
web-management {
https {
system-generated-certificate;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
file policy_session {
user info;
match RT_FLOW;
archive size 1000k world-readable;
structured-data;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
services {
rpm {
probe Syncron_ISP_Failover_Track {
test TATA {
probe-type icmp-ping;
target address 111.93.155.57;
probe-count 5;
probe-interval 3;
test-interval 5;
thresholds {
successive-loss 5;
total-loss 5;
}
destination-interface ge-0/0/0.0;
}
test ACT {
probe-type icmp-ping;
target address 106.51.64.1;
probe-count 5;
probe-interval 3;
test-interval 5;
thresholds {
successive-loss 5;
total-loss 5;
}
destination-interface ge-0/0/1.0;
}
}
}
}
security {
ike {
proposal AWS-SNHQ-ike-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
policy ike_pol_INBAL1-SNHQ1 {
mode main;
proposals AWS-SNHQ-ike-proposal;
pre-shared-key ascii-text "Key Here"; ## SECRET-DATA
}
policy ike_pol_INBAL1-SNHQ2 {
mode main;
proposals AWS-SNHQ-ike-proposal;
pre-shared-key ascii-text "Key Here"; ## SECRET-DATA
}
policy ike_pol_INBAL2-SNHQ1 {
mode main;
proposals AWS-SNHQ-ike-proposal;
pre-shared-key ascii-text "Key Here"; ## SECRET-DATA
}
policy ike_pol_INBAL2-SNHQ2 {
mode main;
proposals AWS-SNHQ-ike-proposal;
pre-shared-key ascii-text "Key Here"; ## SECRET-DATA
}
gateway gw_INBAL1-SNHQ1 {
ike-policy ike_pol_INBAL1-SNHQ1;
address 52.48.134.12;
dead-peer-detection;
no-nat-traversal;
external-interface ge-0/0/0.0;
}
gateway gw_INBAL1-SNHQ2 {
ike-policy ike_pol_INBAL1-SNHQ2;
address 52.48.66.170;
dead-peer-detection;
no-nat-traversal;
external-interface ge-0/0/0.0;
}
gateway gw_INBAL2-SNHQ1 {
ike-policy ike_pol_INBAL2-SNHQ1;
address 52.48.134.12;
dead-peer-detection;
no-nat-traversal;
external-interface ge-0/0/1.0;
}
gateway gw_INBAL2-SNHQ2 {
ike-policy ike_pol_INBAL2-SNHQ2;
address 52.48.66.170;
dead-peer-detection;
no-nat-traversal;
external-interface ge-0/0/1.0;
}
}
ipsec {
proposal AWS-SNHQ-ipsec-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy ipsec_pol_INBAL1-SNHQ1 {
perfect-forward-secrecy {
keys group2;
}
proposals AWS-SNHQ-ipsec-proposal;
}
policy ipsec_pol_INBAL1-SNHQ2 {
perfect-forward-secrecy {
keys group2;
}
proposals AWS-SNHQ-ipsec-proposal;
}
policy ipsec_pol_INBAL2-SNHQ1 {
perfect-forward-secrecy {
keys group2;
}
proposals AWS-SNHQ-ipsec-proposal;
}
policy ipsec_pol_INBAL2-SNHQ2 {
perfect-forward-secrecy {
keys group2;
}
proposals AWS-SNHQ-ipsec-proposal;
}
vpn INBAL1-SNHQ1 {
bind-interface st0.1;
vpn-monitor;
ike {
gateway gw_INBAL1-SNHQ1;
ipsec-policy ipsec_pol_INBAL1-SNHQ1;
}
establish-tunnels immediately;
}
vpn INBAL1-SNHQ2 {
bind-interface st0.2;
vpn-monitor;
ike {
gateway gw_INBAL1-SNHQ2;
ipsec-policy ipsec_pol_INBAL1-SNHQ2;
}
establish-tunnels immediately;
}
vpn INBAL2-SNHQ1 {
bind-interface st0.3;
vpn-monitor;
ike {
gateway gw_INBAL2-SNHQ1;
ipsec-policy ipsec_pol_INBAL2-SNHQ1;
}
establish-tunnels immediately;
}
vpn INBAL2-SNHQ2 {
bind-interface st0.4;
vpn-monitor;
ike {
gateway gw_INBAL2-SNHQ2;
ipsec-policy ipsec_pol_INBAL2-SNHQ2;
}
establish-tunnels immediately;
}
}
alg {
ike-esp-nat {
enable;
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1387;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn-bang1 to-zone vpn-bang1 {
policy policy_out_INBAL1-SNHQ1 {
match {
source-address addr_169_254_1_144_30;
destination-address addr_52_48_134_8_29;
application any;
}
then {
permit;
}
}
policy policy_in_INBAL1-SNHQ1 {
match {
source-address addr_52_48_134_8_29;
destination-address addr_169_254_1_144_30;
application any;
}
then {
permit;
}
}
policy policy_out_INBAL1-SNHQ2 {
match {
source-address addr_169_254_1_144_30;
destination-address addr_52_48_66_168_29;
application any;
}
then {
permit;
}
}
policy policy_in_INBAL1-SNHQ2 {
match {
source-address addr_52_48_66_168_29;
destination-address addr_169_254_1_144_30;
application any;
}
then {
permit;
}
}
policy policy_out_INBAL2-SNHQ1 {
match {
source-address addr_169_254_1_152_30;
destination-address addr_52_48_134_8_29;
application any;
}
then {
permit;
}
}
policy policy_in_INBAL2-SNHQ1 {
match {
source-address addr_52_48_134_8_29;
destination-address addr_169_254_1_152_30;
application any;
}
then {
permit;
}
}
policy policy_out_INBAL2-SNHQ2 {
match {
source-address addr_169_254_1_156_30;
destination-address addr_52_48_66_168_29;
application any;
}
then {
permit;
}
}
policy policy_in_INBAL2-SNHQ2 {
match {
source-address addr_52_48_66_168_29;
destination-address addr_169_254_1_156_30;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/2.0;
ge-0/0/4.0;
st0.1;
st0.2;
st0.3;
st0.4;
st0.0;
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone vpn-bang1 {
address-book {
address addr_169_254_1_144_30 169.254.1.144/30;
address addr_52_48_134_8_29 52.48.134.8/29;
address addr_169_254_1_148_30 169.254.1.148/30;
address addr_52_48_66_168_29 52.48.66.168/29;
address addr_169_254_1_152_30 169.254.1.152/30;
address addr_169_254_1_156_30 169.254.1.156/30;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
description TATA;
family inet {
address 111.93.155.58/30;
}
}
}
ge-0/0/1 {
unit 0 {
description ACT;
family inet {
address 106.51.65.162/19;
}
}
}
ge-0/0/2 {
unit 0 {
description LAN;
family inet {
filter {
input FILTER;
}
address 10.10.10.1/30;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 10.10.10.5/30;
}
}
}
st0 {
unit 0 {
family inet;
}
unit 1 {
family inet {
mtu 1436;
address 169.254.1.146/30;
}
}
unit 2 {
family inet {
address 169.254.1.150/30;
}
}
unit 3 {
family inet {
address 169.254.1.154/30;
}
}
unit 4 {
family inet {
address 169.254.1.158/30;
}
}
}
}
snmp {
description "Juniper Main Router";
contact "ukesh.upendran@syncron.com";
view jweb-view-all {
oid .1 include;
}
community public {
view jweb-view-all;
authorization read-write;
}
}
routing-options {
interface-routes {
rib-group inet IMPORT-PHY;
}
static {
route 0.0.0.0/0 {
next-hop 111.93.155.57;
qualified-next-hop 106.51.64.1 {
preference 100;
}
}
route 192.168.24.0/22 next-hop 10.10.10.2;
route 192.168.28.0/22 next-hop 10.10.10.2;
}
rib-groups {
IMPORT-PHY {
export-rib inet.0;
import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
}
}
autonomous-system 65012;
}
protocols {
bgp {
group AWS-SNHQ-BGP-GROUP {
type external;
export export_bgp;
peer-as 65001;
neighbor 169.254.1.145 {
family inet {
unicast {
rib-group IMPORT-PHY;
}
}
}
neighbor 169.254.1.149 {
family inet {
unicast {
rib-group IMPORT-PHY;
}
}
}
neighbor 169.254.1.153 {
family inet {
unicast {
rib-group IMPORT-PHY;
}
}
}
neighbor 169.254.1.157 {
family inet {
unicast {
rib-group IMPORT-PHY;
}
}
}
}
}
}
policy-options {
policy-statement export-from-bgp {
term 10 {
from protocol bgp;
then accept;
}
term 20 {
then reject;
}
}
policy-statement export_bgp {
term 10 {
from {
protocol static;
route-filter 192.168.24.0/22 orlonger;
}
then accept;
}
}
policy-statement import-from-bgp {
term 10 {
from protocol bgp;
then accept;
}
term 20 {
then reject;
}
}
}
firewall {
filter FILTER {
term Management {
from {
source-address {
192.168.24.0/22;
}
}
then {
routing-instance routing-table-ISP1;
}
}
term Employee {
from {
source-address {
192.168.28.0/23;
}
}
then {
routing-instance routing-table-ISP2;
}
}
term Uplink {
from {
source-address {
10.10.10.0/30;
}
}
then accept;
}
}
}
routing-instances {
routing-table-ISP1 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 111.93.155.57;
qualified-next-hop 106.51.64.1 {
preference 100;
}
}
}
}
}
routing-table-ISP2 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 106.51.64.1;
qualified-next-hop 111.93.155.57 {
preference 100;
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 10;
l3-interface irb.10;
}
vlan-trust1 {
vlan-id 20;
l3-interface irb.20;
}
}

 

 

Switch Conf:

## Last commit: 2015-02-25 11:26:39 UTC by root
version 12.3R9.4;
system {
root-authentication {
encrypted-password "password here"; ## SECRET-DATA
}
services {
ssh;
web-management {
https {
system-generated-certificate;
}
}
dhcp {
name-server {
202.83.21.2;
202.83.21.12;
103.8.46.5;
103.8.44.5;
}
traceoptions {
file dhcp_logfile;
level all;
flag all;
}
pool 192.168.24.0/22 {
address-range low 192.168.24.50 high 192.168.27.254;
name-server {
103.8.46.5;
103.8.44.5;
202.83.21.2;
202.83.21.12;
}
router {
192.168.24.1;
}
}
pool 192.168.28.0/22 {
address-range low 192.168.28.50 high 192.168.31.254;
name-server {
103.8.46.5;
103.8.44.5;
202.83.21.2;
202.83.21.12;
192.168.225.160;
192.168.225.100;
}
router {
192.168.28.1;
}
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
}
chassis {
auto-image-upgrade;
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/25 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/26 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/27 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/28 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/29 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/30 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/31 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/32 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/33 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/34 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/35 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/36 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/37 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/38 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/39 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/40 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/41 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan20;
}
}
}
}
ge-0/0/42 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/43 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/44 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan10;
}
}
}
}
ge-0/0/45 {
unit 0 {
family inet {
address 10.10.10.6/30;
}
}
}
ge-0/0/46 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/47 {
unit 0 {
family inet {
address 10.10.10.2/30;
}
}
}
ge-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching;
}
}
me0 {
unit 0 {
family inet {
dhcp {
vendor-id Juniper-ex2200-48t-4g;
}
}
}
}
vlan {
unit 10 {
family inet {
address 192.168.24.1/22;
}
}
unit 20 {
family inet {
address 192.168.28.1/22;
}
}
}
vme {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
snmp {
description "Router 1";
contact "ukesh upendran";
view jweb-view-all {
oid .1 include;
}
community public {
view jweb-view-all;
authorization read-write;
}
health-monitor {
interval 300;
rising-threshold 80;
falling-threshold 70;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.10.10.1;
route 192.168.24.0/22 next-hop 10.10.10.1;
route 192.168.28.0/22 next-hop 10.10.10.1;
route 10.10.10.0/30 next-hop 10.10.10.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
rstp;
lldp {
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
voip;
storm-control {
interface all;
}
}
vlans {
default;
vlan10 {
description Management;
vlan-id 10;
l3-interface vlan.10;
}
vlan20 {
description Employee;
vlan-id 20;
l3-interface vlan.20;
}
}

{master:0}

SRX Layer 2 port and BA Classifier/Multifield Classifier


Hi everyone,

Can we use a BA DSCP classifier under a layer 2 port on the SRX 650?

I do not see any option for a multifield classifier using a filter with family ethernet-switching under a layer 2 port on the SRX 100, but I am not sure if this is the case for the SRX 650 as well.

Thanks and have a nice day!!

GRE header and DSCP


Hi everyone,

Does the SRX copy the DSCP value from the inner packet (payload) into the imposed GRE IP header when encapsulating it? If not, how can we tell the SRX to copy the DSCP value from the inner packet into the imposed GRE IP header?

Thanks and have a nice day!!

PIM and setting up DSCP value


Hi everyone,

What DSCP value does the SRX use when creating PIM messages by default? Can it be modified?

SRX300: use ge-0/0/0 IP address for NAT (destination and static NAT) problem


When I have only one IP address assigned to the ge-0/0/0 untrust interface (example: 1.1.1.1),

and I need to use this IP address for destination NAT of my many server port services in the trust zone,

after I set the destination pool, rule-set and rule for source/destination port mapping,

do I need to use this IP address for proxy-arp? Because I get a commit error:

set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.1

admin@SRX300# commit check
[edit security nat proxy-arp interface ge-0/0/0.0]
'address 1.1.1.1/32'
Proxy ARP IP address range [1.1.1.1 1.1.1.1] overlaps with interface IP address range [1.1.1.1 1.1.1.1] defined on interface 'ge-0/0/0.0'
error: configuration check-out failed

And another requirement is static NAT with only one IP address on untrust (the same as the NAT destination-address), needing a mapped-port range of 10000~20000.

Do I need proxy-arp for that?

Please help me ~ thanks a lot ~~

 

SRX100B installation failed from 12.1X46-D55.3 to 12.1X46-D65.4


I can't upgrade my SRX100B from the current firmware 12.1X46-D55.3 to 12.1X46-D65.4 or other versions (D50, D60), and I get the error message below. Does anyone know what the problem is? I can't roll back to the backup version now, because I already cleaned up the backup file.

root@WDF-SRX100> .../usb/junos-srxsme-12.1X46-D65.4-domestic.tgz no-validate no-copy
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 297.9MB (610044 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 74.47MB, 4766 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
 32, 152544, 305056, 457568
Extracting /tmp/usb/junos-srxsme-12.1X46-D65.4-domestic.tgz ...
grep: /etc/db/pkg/j*/+COMMENT: No such file or directory
Installing package '/altroot/cf/packages/install-tmp/junos-12.1X46-D65.4-domestic' ...
Verified junos-boot-srxsme-12.1X46-D65.4.tgz signed by PackageProductionEc_2016 method ECDSA
Verified junos-srxsme-12.1X46-D65.4-domestic signed by PackageProductionEc_2016 method ECDSA
Verified junos-boot-srxsme-12.1X46-D65.4.tgz signed by PackageProductionEc_2016 method ECDSA
Verified junos-srxsme-12.1X46-D65.4-domestic signed by PackageProductionEc_2016 method ECDSA
sed: /etc/db/pkg/junos/+COMMENT: No such file or directory

WARNING: This base version of JUNOS will not properly
WARNING: support this package.  Please install base OS
WARNING: JUNOS 6.4 or newer first.  You can do this via
WARNING: a jinstall package or install-media.

WARNING: Or use the command:

WARNING:        'request system software rollback'

WARNING: to attempt to restore the previous software set.

WARNING: This installation attempt will be aborted.

ERROR: junos-12.1X46-D65.4-domestic fails requirements check
Installation failed for package '/altroot/cf/packages/install-tmp/junos-12.1X46-D65.4-domestic'

 


Junos upgrade path and ALG problems


Hi,

We use Polycom video conferencing. We have a video conferencing unit at the edge site behind an SRX-210 firewall running Junos 12.1X46-D40.2. This runs an IPsec VPN back to an SRX-210 firewall at the main site, which is running Junos 12.1X44-D15.5. There is no NAT.

I have tried turning the ALGs off at both ends and also tried with them on, but in both scenarios either the video call will not establish or there is missing audio or video. The rules are completely open at both ends and all other data traffic flows over the VPN OK.

My last option was to upgrade the firmware on the firewalls to the latest version, but I need a version where the ALG is working. Also, I can't seem to find any documentation on upgrade paths, so I need to know which interim updates I need to install in order to get to the latest version of Junos where the ALG is fixed.

Thanks,

Mark

Juniper Weighted Round Robin Scheduler


 

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/cos-scheduler-security-overview.html

 

An individual device interface has multiple queues assigned to store packets temporarily before transmission. To determine the order to service the queues, the device uses a round-robin scheduling method based on priority and the queue's weighted round-robin (WRR) credits. Junos OS schedulers allow you to define the priority, bandwidth, delay buffer size, rate control status, and RED drop profiles to be applied to a particular queue for packet transmission.

Still confused about the order described above.

Assuming all traffic is in contract:

VIDEO--Q1--Scheduler priority low, transmit rate 40%

VOICE--Q2--Scheduler priority low, transmit rate 20%

Network-CONTROL--Q3--Scheduler priority low, transmit rate 40%

Are we saying the order will be based on scheduler priority plus the weight of each queue, or just the scheduler priority alone?

If all schedulers have the same priority, how is the order determined: just weight, or do we go from q7 to q0?

 

Cisco:

In Cisco, for example for class-based weighted fair queuing, all traffic classes are serviced in round robin, but this round robin is not fixed, it changes. For example:

We have four traffic classes:

T1

T2

T3

T4

Then the Cisco router first computes the sequence number using the flow (SRC IP, DST IP, TCP/UDP port, etc.) for each traffic class, which then dictates the order the queues are serviced. So we may have the order:

T3, T2, T1, T4

T4, T3, T1, T2

and so forth.

 

###########

 

Thanks

egress queue stats and logical interfaces


Hi everyone,

Please consider the following example:

On SRX 650, we have the following logical interfaces:

ge-0/0/1 unit family inet 1.1.1.1

ge-0/0/2 unit family inet 2.2.2.2

So when I do show interfaces queue ge-0/0/1, is it showing the total egress stats of all logical interfaces?

My second question: is there any way we can have separate egress stats for each logical interface?

Will enabling per-unit scheduler, i.e. set interfaces ge-0/0/1 per-unit-scheduler, do the trick?

Thanks,

Scheduler per unit basis versus Scheduler per physical interface


Hi everyone,

Juniper CoS is way more complicated compared to other vendors I have worked with in the past.

I am going to keep pushing until I get CoS down.

A few questions on schedulers:


JR2> show configuration class-of-service schedulers
EF10 {
    transmit-rate {
        percent 10;
        exact;
    }
}
BE_REST {
    transmit-rate {
        remainder {
            100;

 

1) Let's say the circuit above is 100M and there is no other traffic, just EF only. In this case is EF still limited to 10M, or can it use all the available bandwidth?

2) If we add priority strict-high to EF above, is traffic still limited to 10M?

3) Let's say we have ge-0/0/0 connected to many providers using logical interfaces:

ge-0/0/0 unit 10---CIR 10M

ge-0/0/0 unit 20---CIR 10M

4) We have defined all our CoS (forwarding classes, classifiers, one scheduler map A); both circuits have identical CoS requirements.

What is the difference between applying scheduler map A to the whole physical port ge-0/0/0 versus to logical units 10 and 20 individually?

5) Does applying the scheduler on a per-unit basis give us egress queue stats using "show interfaces queue ge-0/0/0.10"? Not sure if this command is valid.

Thanks and have a nice weekend!!
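
To make the scheduling order concrete, here is an added Python model of credit-based weighted round robin with Junos-style priority levels. It is illustrative code written for this page, not Junos's scheduler implementation. It covers the ordering question in the "Weighted Round Robin Scheduler" post above (with equal priority, the per-round share follows the weights) and questions 1) and 2) of this post: an `exact` queue, which Junos documents as enforcing the exact configured transmit rate, is modelled as a hard cap at its weight even when the link is otherwise idle, and a strict-high queue is served before any credit accounting. Unit-sized packets, a budget of 100 units per round and the one-packet-at-a-time excess-sharing rule are assumptions of the model.

```python
"""Simplified credit-based weighted round-robin (WRR) model with Junos-style
priority levels.  Added illustration, not Junos code: packets are unit-sized,
one round hands out `budget` transmit units, every queue first receives its
weight (transmit-rate percent) in units, and unused units are then shared
among backlogged queues, except queues marked `exact`, which never exceed
their weight."""
from collections import deque

# Junos scheduler priority names, highest first (ordering only; the real
# scheduler's credit sizes and packet handling are not modelled).
PRIORITY_ORDER = ["strict-high", "high", "medium-high", "medium-low", "low"]


class Queue:
    def __init__(self, name, weight, priority="low", exact=False, backlog=0):
        self.name = name
        self.weight = weight                 # transmit-rate percent of the link
        self.priority = priority
        self.exact = exact                   # True: never use excess bandwidth
        self.packets = deque([1] * backlog)  # unit-sized packets waiting
        self.sent = 0

    def serve(self, units):
        """Transmit whole packets while they fit in `units`; return units used."""
        used = 0
        while self.packets and used + self.packets[0] <= units:
            used += self.packets.popleft()
        self.sent += used
        return used


def run_round(queues, budget=100):
    """One scheduling round over `queues`; returns units left idle."""
    remaining = budget
    # 1. Strict-high queues are drained first, outside the credit accounting.
    for q in [q for q in queues if q.priority == "strict-high"]:
        remaining -= q.serve(remaining)
    # 2. Guaranteed share: each other queue gets its weight, by priority level.
    for prio in PRIORITY_ORDER[1:]:
        for q in [q for q in queues if q.priority == prio]:
            remaining -= q.serve(min(q.weight, remaining))
    # 3. Excess sharing: leftover units go one packet at a time to backlogged,
    #    non-exact queues, highest priority level first, round robin within it.
    while remaining > 0:
        eligible = [q for q in queues
                    if q.packets and not q.exact and q.priority != "strict-high"]
        if not eligible:
            break
        top = min(PRIORITY_ORDER.index(q.priority) for q in eligible)
        for q in eligible:
            if remaining == 0:
                break
            if PRIORITY_ORDER.index(q.priority) == top:
                remaining -= q.serve(1)
    return remaining


def simulate(queues, rounds=1, budget=100):
    """Run `rounds` rounds and return units sent per queue name."""
    for _ in range(rounds):
        run_round(queues, budget)
    return {q.name: q.sent for q in queues}


def post_example():
    """The three equal-priority queues from the WRR post, all backlogged:
    the per-round share follows the weights 40/20/40."""
    qs = [Queue("VIDEO", 40, backlog=100), Queue("VOICE", 20, backlog=100),
          Queue("NETWORK-CONTROL", 40, backlog=100)]
    return simulate(qs)


def exact_example(exact):
    """EF at 10 percent with BE idle: capped at 10 units with `exact`,
    otherwise EF takes the whole idle link."""
    qs = [Queue("EF10", 10, exact=exact, backlog=100), Queue("BE_REST", 90)]
    return simulate(qs)


def strict_high_example():
    """Strict-high EF is served before BE receives its credits."""
    qs = [Queue("EF", 10, priority="strict-high", backlog=30),
          Queue("BE", 90, backlog=100)]
    return simulate(qs)


if __name__ == "__main__":
    print("equal priority:", post_example())
    print("EF exact:", exact_example(True), " EF not exact:", exact_example(False))
    print("EF strict-high:", strict_high_example())
```

Running the file prints the three scenarios; the weights alone decide the share when priorities are equal, `exact` leaves the link idle rather than letting EF grow, and a strict-high queue is served ahead of everyone else's credits.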


Remote Access SSL VPN with NPC Client


Hi,

Can anyone tell me the maximum number of SSL VPN users supported on the SRX5k using the NPC client?

Regards,

Mannan

Site-to-Site VPN SETUP - Cisco to Juniper


Hi Friends,

I am trying to set up a VPN tunnel between a customer and an application service provider. I completed this job using Cisco IOS and successfully made it work. But

I need this to be done using an SRX110: JUNOS Software Release [12.3X48-D40.5]

Can you guys review my config and share your experience? I tried policy-based routing. Am I correct? What else do I need to change at the config level in Junos?

Provided by the remote site IT:

 

IKE Phase 1 Proposal
IKE Version IKE V1
Encryption Algorithm Aes-256
Hash Algorithm SHA
Lifetime 86400 (seconds)
DH Group DH Group 2

 

IKE Phase 2 (IPSEC) Proposal
Mode IKE V1 Tunnel
ESP Encryption aes-256 ,, aes-256-esp
ESP Hash Algorithm sha
AH Hash Algorithm ah
Perfect Forward Secrecy Disabled
Lifetime 28800 (seconds)

 

 

working configuration from Cisco IOS:


crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key PRESHARED-KEY address 202.114.x.y
!
!
crypto ipsec transform-set TransformSet1 esp-aes 256 esp-sha-hmac
!
crypto map CryptoMAP1 10 ipsec-isakmp
set peer 202.114.x.y
set transform-set TransformSet1
match address 133
!
interface Loopback1
ip address 172.29.140.36 255.255.255.255
!

interface Vlan1
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
!

interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username username@isp-xyz.com password 7 0R1759034106RW1E1E
crypto map CryptoMAP1
crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip nat inside source list 111 interface Dialer1 overload
ip nat inside source list 122 interface Loopback1 overload
!
!
access-list 111 remark *** Internet Traffic ***
access-list 111 deny ip 192.168.20.0 0.0.0.255 10.125.0.0 0.0.255.255
access-list 111 permit ip 192.168.20.0 0.0.0.255 any

access-list 122 remark *** VPN NAT in Loopback1 Interface ***
access-list 122 permit ip 192.168.20.0 0.0.0.255 10.125.0.0 0.0.255.255
access-list 122 permit ip host 172.29.140.36 10.125.0.0 0.0.255.255

access-list 133 remark *** IPSec VPN Traffic ***
access-list 133 permit ip host 172.29.140.36 10.125.0.0 0.0.255.255
!
!

I am trying this in Junos:

root# show | display set
set version 12.3X48-D40.5
..
set system ntp server 27.124.125.252
set security ike proposal IKE-Proposal authentication-method pre-shared-keys
set security ike proposal IKE-Proposal dh-group group2
set security ike proposal IKE-Proposal authentication-algorithm sha1
set security ike proposal IKE-Proposal encryption-algorithm aes-256-cbc
set security ike proposal IKE-Proposal lifetime-seconds 86400
set security ike policy IKE-Policy mode main
set security ike policy IKE-Policy proposals IKE-Proposal
set security ike policy IKE-Policy pre-shared-key ascii-text "PRE-SHARED-KEY"
set security ike gateway IKE-Gateway ike-policy IKE-Policy
set security ike gateway IKE-Gateway address 202.114.x.y
set security ike gateway IKE-Gateway external-interface pp0.0
set security ipsec proposal IPSec-Proposal protocol esp
set security ipsec proposal IPSec-Proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSec-Proposal encryption-algorithm 3des-cbc
set security ipsec proposal IPSec-Proposal lifetime-seconds 28800
set security ipsec policy IPSec-Policy perfect-forward-secrecy keys group2
set security ipsec policy IPSec-Policy proposals IPSec-Proposal
set security ipsec vpn IPSec-VPN ike gateway IKE-Gateway
set security ipsec vpn IPSec-VPN ike ipsec-policy IPSec-Policy
set security ipsec vpn IPSec-VPN establish-tunnels immediately
set security flow tcp-mss all-tcp mss 1442
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

set security nat source rule-set LAN-to-VPN from zone trust
set security nat source rule-set LAN-to-VPN to zone ipsec-vpn
set security nat source rule-set LAN-to-VPN rule VPN-NAT-OFF match source-address 192.168.20.0/24
set security nat source rule-set LAN-to-VPN rule VPN-NAT-OFF match source-address 172.29.140.36/32
set security nat source rule-set LAN-to-VPN rule VPN-NAT-OFF match destination-address 10.125.0.0/16
set security nat source rule-set LAN-to-VPN rule VPN-NAT-OFF then source-nat off
set security nat source rule-set LAN-to-Internet from zone trust
set security nat source rule-set LAN-to-Internet to zone untrust
set security nat source rule-set LAN-to-Internet rule SNAT-RULE match source-address 0.0.0.0/0
set security nat source rule-set LAN-to-Internet rule SNAT-RULE then source-nat interface

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

set security policies from-zone trust to-zone ipsec-vpn policy VPN-Policy match source-address K-LAN
set security policies from-zone trust to-zone ipsec-vpn policy VPN-Policy match destination-address IPSec-Remote-IP
set security policies from-zone trust to-zone ipsec-vpn policy VPN-Policy match application any
set security policies from-zone trust to-zone ipsec-vpn policy VPN-Policy then permit tunnel ipsec-vpn IPSec-VPN

set security policies from-zone ipsec-vpn to-zone trust policy VPN-Policy-In match source-address IPSec-Remote-IP
set security policies from-zone ipsec-vpn to-zone trust policy VPN-Policy-In match destination-address K-LAN
set security policies from-zone ipsec-vpn to-zone trust policy VPN-Policy-In match application any
set security policies from-zone ipsec-vpn to-zone trust policy VPN-Policy-In then permit tunnel ipsec-vpn IPSec-VPN

set security zones security-zone trust address-book address IPSec-Remote-IP 172.29.140.36/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces lo0.0

set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces pp0.0

set security zones security-zone ipsec-vpn address-book address IPSec-Remote-IP 10.125.0.0/16

set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust

set interfaces at-1/0/0 encapsulation ethernet-over-atm
set interfaces at-1/0/0 atm-options vpi 8
set interfaces at-1/0/0 unit 0 encapsulation ppp-over-ether-over-atm-llc
set interfaces at-1/0/0 unit 0 vci 8.35

set interfaces lo0 unit 0 family inet address 172.29.140.36/32

set interfaces pp0 unit 0 ppp-options pap default-password "$9$PASSWORD"
set interfaces pp0 unit 0 ppp-options pap local-name "my-login@isp.com.au"
set interfaces pp0 unit 0 ppp-options pap local-password "$9$PASSWORD"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface at-1/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 no-keepalives
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces vlan unit 0 family inet address 192.168.20.1/24
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.0
set protocols stp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

My DHCPV6 Server does not work at all


You must forgive me, I have Junos 11.47. Don't crack on me. No DHCPv6 client.

Upon entering the following code my DHCPV6 server does not operate at all. Am I missing something?

dhcp-local-server {
    dhcpv6 {
        group group1 {
            interface ge-0/0/0.0;
            interface sp-0/0/0.0;
            interface ge-0/0/13.0;
            interface ge-0/0/14.0;
            interface ge-0/0/15.0;
            interface lo0.0;
            interface vlan.0;
        }
    }
......

access {
    address-assignment {
        pool 1 {
            family inet6 {
                prefix 2601:204:ce00:5550::/64;
                range v6-range {
                    low 2601:204:ce00:5550::1/64;
                    high 2601:204:ce00:5550:ffff:ffff:ffff:ffff/64;
                }
                dhcp-attributes {
                    dns-server {
                        2001:558:feed::1;
                        2001:558:feed::2;
                    }
                }
            }
        }
        pool 2 {
            family inet6 {
                prefix 2001:558:5515:37::/64;
                range v6-range2 {
                    low 2001:558:5515:37::1/64;
                    high 2001:558:5515:37:ffff:ffff:ffff:ffff/64;
                }
                dhcp-attributes {
                    dns-server {
                        2001:558:feed::1;
                        2001:558:feed::2;
                    }
                }
            }
        }
        pool 3 {
            family inet6 {
                prefix fe80::/64;
                range v6-range3 {
                    low fe80::1/64;
                    high fe80::ffff:ffff:ffff:ffff/64;
                }
                dhcp-attributes {
                    dns-server {
                        2001:558:feed::1;
                        2001:558:feed::2;
                    }
                }
            }
        }
    }
}

When I use the command "show dhcpv6 server binding" there is no output at all.

Help and suggestions NEEDED!!!!!!
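Two of the pools above, fed through a small checker as an added example (not from the post and not Juniper tooling): it parses the curly-brace address-assignment config and flags pool 3, whose fe80::/64 prefix is link-local. Hosts form link-local addresses themselves and DHCPv6 never leases them, so that pool can never produce a binding. It goes a step beyond the post by also checking that each range lies inside its pool prefix. The sample config is copied from the post; the parser and the finding texts are this example's own.

```python
"""Check Junos inet6 address-assignment pools for mistakes that leave a DHCPv6
server with nothing usable to lease. Added example, not from the post."""
import ipaddress
from typing import Dict, List

# Constructed sample: two of the pools from the post above, including the
# dhcp-attributes block, so the parser is exercised on nested values too.
SAMPLE_CONFIG = """\
access {
    address-assignment {
        pool 1 {
            family inet6 {
                prefix 2601:204:ce00:5550::/64;
                range v6-range {
                    low 2601:204:ce00:5550::1/64;
                    high 2601:204:ce00:5550:ffff:ffff:ffff:ffff/64;
                }
                dhcp-attributes {
                    dns-server {
                        2001:558:feed::1;
                        2001:558:feed::2;
                    }
                }
            }
        }
        pool 3 {
            family inet6 {
                prefix fe80::/64;
                range v6-range3 {
                    low fe80::1/64;
                    high fe80::ffff:ffff:ffff:ffff/64;
                }
            }
        }
    }
}
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_pools(config: str) -> Dict[str, dict]:
    """Minimal parser for the curly-brace format. Returns
    {pool_name: {"prefix": str or None, "ranges": [{"name", "low", "high"}]}}."""
    pools: Dict[str, dict] = {}
    stack: List[str] = []   # names of the enclosing blocks
    pool = None             # pool dict currently being filled
    rng = None              # range dict currently being filled
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append(name)
            if name.startswith("pool "):
                pool = pools.setdefault(name.split(None, 1)[1], {"prefix": None, "ranges": []})
            elif name.startswith("range ") and pool is not None:
                rng = {"name": name.split(None, 1)[1], "low": None, "high": None}
                pool["ranges"].append(rng)
        elif line == "}":
            closed = stack.pop()
            if closed.startswith("pool "):
                pool = None
            elif closed.startswith("range "):
                rng = None
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            if len(parts) != 2:
                continue        # bare value such as a dns-server address
            key, value = parts
            if key == "prefix" and pool is not None and rng is None:
                pool["prefix"] = value
            elif key in ("low", "high") and rng is not None:
                rng[key] = value
    return pools


def check_pools(pools: Dict[str, dict]) -> List[str]:
    """Return findings: link-local prefixes (never leased by DHCPv6; hosts
    autoconfigure those) and ranges that fall outside their pool prefix."""
    findings: List[str] = []
    for name, pool in pools.items():
        if pool["prefix"] is None:
            findings.append(f"pool {name}: no prefix configured")
            continue
        prefix = ipaddress.IPv6Network(pool["prefix"], strict=False)
        if prefix.subnet_of(LINK_LOCAL):
            findings.append(f"pool {name}: link-local prefix {prefix} cannot be leased by DHCPv6")
        for rng in pool["ranges"]:
            if rng["low"] is None or rng["high"] is None:
                findings.append(f"pool {name} range {rng['name']}: low/high incomplete")
                continue
            low = ipaddress.IPv6Interface(rng["low"]).ip
            high = ipaddress.IPv6Interface(rng["high"]).ip
            if low > high:
                findings.append(f"pool {name} range {rng['name']}: low is above high")
            if low not in prefix or high not in prefix:
                findings.append(f"pool {name} range {rng['name']}: outside prefix {prefix}")
    return findings


if __name__ == "__main__":
    for finding in check_pools(parse_pools(SAMPLE_CONFIG)):
        print(finding)
```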


SRX-550 upgrade fails, at compatibility check ! Read-only file system


Hello,
I have an issue with the SRX-550 software upgrade at the compatibility check; does anybody have the same issue?

I need to upgrade a couple of SRX550M clusters from 15.1X49-D30.3 to 17.3.
At upgrade, compatibility check fails because the system tries to write on a 'read-only' directory.
The behavior is the same with 15.1X49-D110.

I start with the secondary node:

admin@PK5-SBY-FW-11> request system software add /var/tmp/upg/junos-srxsme-17.3R1.10.tgz validate no-copy

Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 2529.8MB (5181084 sectors) block size 16384, fragment size 2048
        using 14 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
 32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544,
 3384608, 3760672, 4136736, 4512800, 4888864
Checking compatibility with configuration
Initializing...
mkdir: /var/v: Read-only file system
cd: can't cd to /var/v/c
usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] source_file target_file
       cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] source_file ... target_directory
cp: /var/v/c/mfs/var/etc: Read-only file system
cp: /var/v/c/mfs/var/etc: Read-only file system
mkdir: /var/v: Read-only file system
mount: /var/v: No such file or directory
ERROR: validate-config: cannot mount junos-15.1X49-D30.3-domestic
mkdir: /var/v: Read-only file system
mount: /var/v: No such file or directory
mkdir: /var/v: Read-only file system
mount: /var/v: No such file or directory
Using junos-17.3R1.10 from /altroot/cf/packages/install-tmp/junos-17.3R1.10
Copying package ...
mkdir: /var/v/c/tmp/junos: Read-only file system
mount_nullfs: /var/v: No such file or directory
cd: can't cd to /var/v/c/tmp/junos
mkdir: /var/v: Read-only file system
/usr/libexec/ui/validate-config: cannot create /var/v/c/tmp/junos/+INSTALL.x: Read-only file system
chroot: /var/v/c: No such file or directory
ERROR: validate-config: /var/v/c/tmp/junos/+INSTALL fails
ERROR: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-17.3R1.10

{secondary:node0}
admin@PK5-SBY-FW-11>

The problem starts with 'mkdir: /var/v: Read-only file system'.
Indeed, the /var directory is read-only:
% ls -l
...
dr-xr-xr-x   3 root  wheel   4096 Dec 17  2015 var
...

I tried to add the write rights as root but of course I can't:
% su
Password:
root@PK5-SBY-FW-11% chmod +w /var
chmod: /var: Read-only file system
root@PK5-SBY-FW-11%

I saw on the net somebody having the same issue, but with no solution provided:
http://wiki.jusouschi.net/networking:equipments:juniper:srx:manage_junos

Thanks for your tips!


Dynamic VPN client having wrong netmask and blank default gateway


Hello,

I'm trying to set up VPN for an SRX550m unit. I was able to establish a connection (via Pulse Secure v5.1.5). However, once connected, although the client has got the correct IP address assignment, its netmask is somehow set to 255.255.255.255 (it should be 255.255.255.0, aka /24), and on top of that, the default gateway is set to... blank!

I've stumbled upon a post (see link below) where the exact same issue was presented, but the solution (?) seemed to be to downgrade to 11.1 R.4 -- but that was back in 2012.

http://forums.juniper.net/t5/SRX-Services-Gateway/Pulse-Clients-Getting-Wrong-Subnet-Mask/m-p/140005

I've inherited this SRX550m unit and it's currently in production mode, so downgrading JunOS is definitely not a viable option.

I was hoping that Juniper would've fixed it by now, but it doesn't seem to be the case. I hope that I'm wrong and that I've either missed an important step or fat-fingered something, and if so, please feel free to point out my mistakes.

Please find attached the configuration of the unit for your perusal. Any advice/pointers would be very, very much appreciated.

PS: I am aware that Juniper has switched over to the NCP client, but that would require us to procure a license and what-not, so I have to make this work with Pulse Secure. (I hope that all of this is not a Pulse Secure bug of some sort...)

PPS: Also, unfortunately, along with the inheritance of this unit, I've also inherited not having a support contract with the Juniper Support team, so I couldn't ping them for assistance. :-(

Regards,


Changing Scheduling order of Queues on SRX 650


Hi everyone,

Please consider the following set up:

Let's say we have mapped 8 traffic classes to queues on our SRX 650:

Traffic 0 - Q0
Traffic 1 - Q1
Traffic 2 - Q2
Traffic 3 - Q3
Traffic 4 - Q4
Traffic 5 - Q5
Traffic - Q6
Network Control - Q7

If we do not define any scheduler, will the SRX service the queues from high to low queue using the default scheduler?

How about if we want to modify this order, for example:

Traffic 0 - Q0
Traffic 1 - Q1, Scheduler 1, priority high
Traffic 2 - Q2, Scheduler 2, priority low
Traffic 3 - Q3, Scheduler 3, priority low
Traffic 4 - Q4, Scheduler 4, priority low
Traffic 5 - Q5, Scheduler 5, priority medium
Traffic - Q6, Scheduler 6, priority low
Network Control - Q7, Scheduler 7, priority low

Will the above config cause the queues to be serviced in the following order?

Q1 first (because its scheduler priority is high)
Q5 second (because its scheduler priority is medium)

Then the rest of them in this order:

Q7
Q6
Q4
Q3
Q2
Q0

Thanks and have a nice day!!

Multifield filter and BA Classifier on SRX 650

Let's say we have the following scenario:

Traffic>----f1/0-SRX

We applied a multifield classifier at ingress on f1/0, which classifies traffic based on some criteria. What happens to traffic that is permitted by the multifield filter but not assigned to any forwarding class? Is such traffic placed in the best-effort queue?

Example:

We have the multifield classifier:

TERM 1 from TCP 80 -> then Forwarding class Critical, then accept
TERM 2 from TCP 70 -> then Forwarding class Bulk, then accept
TERM 3 from TCP 60 -> then accept (i.e. we did not assign any forwarding class)

Will traffic TCP 60 be placed in the default queue as no forwarding class is specified, or is it subject to the default classifier applied on the interface?

Thanks and have a nice day!!

Does SRX support ALG for JAVA RMI?


Hi all,

Does someone here know whether the SRX ALG supports Java RMI?

Thanks
