Channel: SRX Services Gateway topics

Any one already try fxp0 in the mgmt_junos Routing Instance on Chassis Cluster?


SRX 300 server from trusted unable to ping on untrusted server


Hi All, I configured SRX 300 firewalls with HA, but strangely I am unable to ping from a trusted to an untrusted zone device. I have already allowed all services in the security policy. Can anyone help with this? I will upload the config and a simple network diagram.

SRX300 do not accept pings


Hello,

I have a SRX300 at my place and a SRX220 at another location; both make a VPN connection to our headquarters.

The SRX220 is working normally and I can ping and receive pings from any other location.

My SRX300 is working fine, I can ping anywhere but I cannot receive pings.

If I ping my SRX300 I get a timeout message.

I can ping anywhere from the SRX300.

Its internal IP address is 10.196.23.1.

Take a look at the SRX300 configuration. Please tell me what to do.

system {
    host-name rotem_brazil_saopaulo;
    time-zone GMT;
    root-authentication {
        encrypted-password "$5$dav8mVfZasd2131sa213xaA";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/1.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            name-server {
                10.196.23.169;
            }
            router {
                10.196.23.1;
            }
            pool 10.196.23.0/24 {
                address-range low 10.196.23.100 high 10.196.23.200;
                exclude-address {
                    10.196.23.178;
                    10.196.23.169;
                    10.196.23.170;
                    10.196.23.171;

                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    ike {
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy Rotem {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "$9$AYJPuIc-dsoZjKMYoaJkq/CtuRSevL";
        }
        gateway Rotem {
            ike-policy Rotem;
            address 58.87.57.67;
            local-identity hostname rotem_brazil_saopaulo;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy Rotem {
            proposals esp-3des-sha;
        }
        vpn Rotem {
            bind-interface st0.0;
            ike {
                gateway Rotem;
                no-anti-replay;
                ipsec-policy Rotem;
            }
            establish-tunnels immediately;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-0/0/0.0;
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 177.67.51.119/25;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.196.23.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
}
routing-options {
    static {
        route 10.0.0.0/8 next-hop st0.0;
        route 0.0.0.0/0 next-hop 177.67.51.1;
    }
}
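As an added example (not part of the post above and not Juniper tooling), the following Python script parses the brace-style configuration the poster shows and reports, per security zone and interface, which host-inbound system-services are enabled. It is the check a reviewer would run on the zones stanza: an interface with no host-inbound-traffic services will not answer ICMP echo on its own address, and plaintext management services (telnet, http) enabled on a zone interface are worth flagging. The configuration embedded in the script is the zones stanza from the post, trimmed; nothing else is assumed.

```python
from typing import Dict, List, Optional

# Constructed sample: the zones stanza from the configuration in the post above,
# trimmed to what the audit needs. Any other stanza in the same brace format parses too.
SAMPLE_CONFIG = """\
security {
    zones {
        security-zone Internal {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-0/0/0.0;
                st0.0;
            }
        }
    }
}
"""

# A block "name { ... }" maps to a dict; a leaf statement "stmt;" maps to None.
Config = Dict[str, Optional[dict]]

# Services that carry credentials in the clear; flagged wherever they are enabled.
PLAINTEXT_SERVICES = {"telnet", "http"}


def parse_junos(text: str) -> Config:
    """Parse brace-style Junos configuration text into nested dicts.
    Handles plain blocks, leaf statements and trailing '## ...' annotations only
    (no 'inactive:' prefixes or /* */ annotations)."""
    root: Config = {}
    stack: List[Config] = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()   # drop e.g. '## SECRET-DATA' annotations
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith("{"):
            child: Config = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def _system_services(node: dict) -> set:
    """host-inbound-traffic system-services names declared directly under node."""
    hit = node.get("host-inbound-traffic") or {}
    return set((hit.get("system-services") or {}).keys())


def audit_zones(cfg: Config) -> Dict[str, Dict[str, List[str]]]:
    """Return {zone: {interface: sorted host-inbound system-services}}.
    Zone-level host-inbound-traffic applies to every interface in the zone, so it
    is merged into each interface's own list."""
    zones = (cfg.get("security") or {}).get("zones") or {}
    result: Dict[str, Dict[str, List[str]]] = {}
    for key, body in zones.items():
        if not key.startswith("security-zone ") or body is None:
            continue
        zone = key.split(None, 1)[1]
        zone_services = _system_services(body)
        result[zone] = {}
        for ifname, ifbody in (body.get("interfaces") or {}).items():
            services = set(zone_services)
            if ifbody is not None:
                services |= _system_services(ifbody)
            result[zone][ifname] = sorted(services)
    return result


def findings(audit: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Observations: interfaces that accept no host-inbound services (the device
    will not answer ping on their address) and interfaces exposing plaintext services."""
    out = []
    for zone, ifaces in audit.items():
        for ifname, services in ifaces.items():
            if not services:
                out.append(f"{zone}/{ifname}: no host-inbound system-services; "
                           f"ICMP echo to this interface's address is not answered")
            exposed = PLAINTEXT_SERVICES & set(services)
            if "all" in services:          # 'all' enables every system service
                exposed = set(PLAINTEXT_SERVICES)
            if exposed:
                out.append(f"{zone}/{ifname}: plaintext management services enabled: "
                           + ", ".join(sorted(exposed)))
    return out


if __name__ == "__main__":
    for line in findings(audit_zones(parse_junos(SAMPLE_CONFIG))):
        print(line)
```

Run it against a full `show configuration` capture instead of the embedded sample and it will list every zone interface with its accepted services; the parser is deliberately strict and raises on any line it does not understand rather than silently skipping it.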

 

SRX300 Can't upgrade software to 17.3R1


Hi,

I downloaded the 17.3R1 software from the Juniper web site. But when I try to upload it from J-Web, it shows the following error:

The software package () was not a Junos package.

Installation of the package () is not supported.

My current version is 15.1X49-D100.6.

Does version 17.3R1 support the SRX300? Or is there another way to upgrade it?

One more question:

Does 17.3R1 support a client-to-site VPN server, e.g. using a smartphone to connect by IPsec VPN?

Because I set up dynamic VPN now but it can't connect from my iPhone.

Thanks.

How to measure the vpn throughput in SRX branch and high end?


Hi all,

I saw in the SRX datasheet the throughput supported by this platform (both branch and HE). My question is, how can I measure the throughput of VPN on the SRX itself, for example from the CLI? Are there commands to identify the throughput at a specific moment? Can I verify this through SolarWinds or another network management tool?

 

Tks,

João Victor

SRX High Availability Alternative


Hello,

 

What is the industry seeing as the latest "best design" practices for high-end availability SRXs? In the event of a failure of an active node belonging to a cluster between SRXs, the redundant node belonging to that same cluster, more specifically the firewall, should still have the state of the current firewall sessions and be able to rebuild them, at least in theory. Unfortunately this is not what is happening in practice. Experience has it that clustering has been causing bigger problems than what I feel would otherwise only be a slight blip in traffic, if traffic could rebuild itself going through a second firewall that wasn't clustered. As a matter of fact, on several occasions we've experienced multiple split-brain outages where, if clustering weren't being used, perhaps at most a minor hiccup would occur as the protocols converged and user sessions were rebuilt through a second non-clustered firewall.

SRX Mixed Mode on JWeb


Hi,

We have a number of SRX210/220 running in mixed mode, i.e. family inet + family bridge divided by zones.

Version is 12.3X48-D55.

Everything works fine with policies, nat, routing etc. from cli.

But not in J-Web. First, the GUI says "The device is in L2 Transparent mode".

And that means that there are no settings for Nat, Routing etc.

Is this "works-as-designed" or is there a configuration that has to be made?

Please advise.

BR

veribk

 

SRX 3600 not more sending Jflows


Hello all,

 

I have a problem with my SRX-3600. I configured Jflow sampling and changed the input sampling rate for testing from 100 to 10.

After that I saw a big peak of flows and then the sending of flows stopped. I changed back to 100 but nothing happened.

Does anybody have an idea how I get the system back to sending flows? Here are the configuration parts.

 

 

sampling {
    input {
        rate 100;
    }
    family inet {
        output {
            flow-server 10.8.232.45 {
                port 2055;
                version 5;
            }
        }
    }
}

 

reth0 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            sampling {
                input;
                output;
            }
            address 10.8.231.12/29;
        }
    }
}

 

Thanks and regards

Marco
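As an added example (not from the post and not Junos code), this Python script decodes the NetFlow v5 datagrams that a `flow-server ... version 5` export produces and tracks the header's flow_sequence across datagrams, which is the collector-side way to tell whether an exporter has gone silent or is dropping records. It also exposes the header's sampling field (2-bit mode plus 14-bit interval) so a collector can see the interval the exporter advertises, if the exporter fills it in. The `build_v5` helper, the addresses and the flow values are constructed for offline testing; only the UDP port 2055 default comes from the post's configuration.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NetFlow v5 wire format, network byte order: a 24-byte header followed by
# up to 30 records of 48 bytes each.
HEADER = struct.Struct(">HHIIIIBBH")
RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


@dataclass
class FlowPacket:
    count: int
    sequence: int            # total flows exported before this datagram
    sampling_mode: int       # top 2 bits of the sampling field
    sampling_interval: int   # low 14 bits of the sampling field
    records: List[FlowRecord]


def parse_v5(data: bytes) -> FlowPacket:
    """Decode one NetFlow v5 export datagram, rejecting other versions and truncated data."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("header count exceeds datagram length")
    records = []
    for i in range(count):
        f = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        records.append(FlowRecord(
            src=socket.inet_ntoa(f[0].to_bytes(4, "big")),
            dst=socket.inet_ntoa(f[1].to_bytes(4, "big")),
            packets=f[5], octets=f[6], sport=f[9], dport=f[10], proto=f[13]))
    return FlowPacket(count, seq, sampling >> 14, sampling & 0x3FFF, records)


class SequenceTracker:
    """Detects gaps between consecutive datagrams from one exporter. In v5 the
    sequence field counts flows, so the next expected value is sequence + count."""

    def __init__(self) -> None:
        self.expected: Optional[int] = None
        self.gaps = 0
        self.missing_flows = 0

    def observe(self, pkt: FlowPacket) -> bool:
        """Return True when pkt continues the sequence, False when a gap was seen."""
        in_order = self.expected is None or pkt.sequence == self.expected
        if not in_order:
            self.gaps += 1
            if pkt.sequence > self.expected:   # only forward jumps count as loss
                self.missing_flows += pkt.sequence - self.expected
        self.expected = (pkt.sequence + pkt.count) & 0xFFFFFFFF
        return in_order


# Constructed helper: builds datagrams in the same format so the parser can be
# exercised offline. Flows are (src, dst, proto, sport, dport, packets, octets).
def build_v5(sequence: int, flows: List[Tuple[str, str, int, int, int, int, int]],
             sampling_interval: int = 100, sampling_mode: int = 1) -> bytes:
    header = HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0,
                         (sampling_mode << 14) | (sampling_interval & 0x3FFF))
    body = b"".join(
        RECORD.pack(int.from_bytes(socket.inet_aton(src), "big"),
                    int.from_bytes(socket.inet_aton(dst), "big"),
                    0, 0, 0, pkts, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, proto, sport, dport, pkts, octets in flows)
    return header + body


def collect(port: int = 2055, max_datagrams: int = 10) -> SequenceTracker:
    """Receive live v5 exports on the flow-server port and report sequence gaps."""
    tracker = SequenceTracker()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        for _ in range(max_datagrams):
            data, (peer, _) = sock.recvfrom(65535)
            pkt = parse_v5(data)
            ok = tracker.observe(pkt)
            print(f"{peer}: {pkt.count} flows, seq {pkt.sequence}, "
                  f"sampling 1:{pkt.sampling_interval}, {'ok' if ok else 'GAP'}")
    return tracker


if __name__ == "__main__":
    collect()
```

Pointing a test exporter at the host running `collect()` shows immediately whether datagrams arrive at all and whether the sequence numbers jump, which separates "the exporter stopped" from "the collector is dropping".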

 


SRX240H works but no management communication


Hi,

I have a Juniper SRX 240H (12.1R3.5) in my environment. A couple of days ago it stopped responding to SNMP monitoring. I've tried to log in using SSH and HTTPS but it's rejecting my connections (timeout). I've tried the console port on the device, but there is no prompt, just a blank screen (it was working before).

In my opinion, the last thing I can try is to restart the device. But I'm afraid that there's some hardware problem, like corrupted flash, and the device is working only as long as it has the configuration loaded in RAM.

Have you ever faced this kind of problem? Is restarting a good idea?

I have a backup of the configuration and a service contract, but I want to know what I can check by myself; minimum downtime is required.

MSS, GRE, and SRX300 in packet mode


I have a number of GRE tunnels between an MX480 and some branch SRX devices. Unfortunately I have an MSS problem. The SRXes typically have a regular connection (typically fiber) to an MPLS network and a GRE-encapsulated backup. They run in packet mode.

 

Currently the GRE tunnels are transported in a way where the packets get transparently encrypted and fragmented as needed by an external device after passing through the SRX, and decrypted and defragmented again before the MX480 sees them. This provides an effectively 4000-byte MTU between the SRX and the MX480, which means that there are technically no problems just presenting a 1500 byte MTU and pretending it is a regular Internet link.

 

However, in practice the performance of the link is significantly better if I limit the GRE packets to about 1300 bytes, to keep the packets from fragmenting.

 

On the MX side I have two ways of achieving this. One is to set tcp-mss on the gre-subinterface to something appropriate, and the other is to simply set the MTU on that same interface, and rely on ICMP packet-too-big.

 

I cannot seem to find a way to accomplish the same on the SRX. The options seem to be:

 

Security flow tcp-mss gre-in and gre-out, which only work when the traffic is entering an IPSEC tunnel

Security flow tcp-mss all-tcp which hits traffic going through the main fiber and does not seem to work in packet-mode anyway

Zone-based firewalling, which only works in flow mode

Setting MTU on the GRE subinterface which seems to make the SRX fragment the packets itself and helps in the wrong direction anyway, the MX-side has fixed the MSS in that direction. Fragmenting is a no-go without reassembly, too many fragment blackholes on the Internet (hello Azure).

 

I would rather avoid messing with the MTU, path-MTU-discovery is just too fragile. Is there any way to adjust the MSS on a packet-mode branch SRX?

mgd: error: daemon MGD detects exising daemon using lock file '/var/run/mgd.pid' SRX 650


mgd process daemon not behaving
I tried 
%mgd -l 
mgd: error: daemon MGD detects exising daemon using lock file '/var/run/mgd.pid'
%rm /var/run/mgd.pid
% /usr/sbin/mgd -N
runs some process in the background for unknown time but shows nothing on the screen. 
In cli it shows
warning: ethernet-switching subsystem not running - not needed by configuration

* I have already tried multiple firmwares and request system zeroize but it won't work

 

I thought JWEB on SRX5800 using firmware 17.3 should look like vSRX 15.D100 but sadly not?


Hi all,

 

First of all, I upgraded the SRX5800 to version 17.3 because I was thinking the J-Web would have more improvements, such as the J-Web on vSRX 15.D100. But it looks like it is still the same as the old J-Web version. And one more thing: the J-Web is still slow to load and I see no improvement on the J-Web side on the SRX5800 using version 17.3.

So my question is: will Juniper not do any improvement to J-Web on high-end SRX?

Thanks and appreciate any feedback

PROBLEM WITH POLICY IN VPN REMOTE ACCESS WITH NCP CLIENT


Hi,

I have a problem with a remote access VPN on an SRX340 with JUNOS Software Release [15.1X49-D110.4]. I can establish the VPN with the NCP client and access the protected resources just one time. When I disconnect the VPN and connect again, I can establish the VPN but I can't access the protected resources. The only way to access the resources is to set default-policy with the permit-all value or reboot the SRX device. I tested the inter-zone policy between the VPN zone and the resources zone (trust zone), and it works just the first time when I connect the VPN client. In successive connections, the default-policy is applied, and I don't know why this behaviour occurs.

 

show multicast route inet extensive on SRX


Hi everyone,

Have a quick question:

The command below shows PPS STATS; is it for the upstream or the downstream interface?

 

root> show multicast route inet extensive
Instance: master Family: INET

Group: 235.1.1.1
Source: 9.9.9.9/32
Upstream interface: fe-0/0/6.0
Downstream interface list:
fe-0/0/7.0
Session description: Unknown
Statistics: 0 kBps, 0 pps, 189 packets
Next-hop ID: 262143
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 00:16:24

 

Thanks and have a nice weekend!!

What i get when i purchase SRX5400-APPSEC-3?


block web browsing using SRX 100


Good day

I would like to know how to completely block web browsing using the SRX100 device.

This is in order to use the internet connection for IP telephony.

Summary, I want to block web browsing and use the internet for ip telephony.

I hope you can help me,

regards

How to view logs logged by Security Policy on SRX


Hi everyone,

Below, we have a security policy with the log option:

set security policies from-zone ZO to-zone ZOP policy T1 match source-address any
set security policies from-zone ZO to-zone ZOP policy T1 match destination-address any
set security policies from-zone ZO to-zone ZOP policy T1 match application any
set security policies from-zone ZO to-zone ZOP policy T1 then permit

 

 

But when I tried to see the logs generated by the policy I see a lot of files. Which file contains the logs generated by the policy?


root> show log ?
Possible completions:
<[Enter]> Execute this command
<filename> Name of log file
LEE Size: 44615, Last changed: Oct 21 19:23:33
__jsrpd_commit_check__ Size: 52, Last changed: Nov 13 01:03:58
appidd Size: 0, Last changed: Oct 07 22:40:46
authd_libstats Size: 0, Last changed: Oct 07 22:38:56
authd_profilelib Size: 0, Last changed: Oct 07 22:38:56
authd_sdb.log Size: 0, Last changed: Oct 07 22:38:56
authlib_jdhcpd_trace.log Size: 0, Last changed: Oct 17 01:42:54
autod Size: 1898, Last changed: Oct 07 22:45:40
chassisd Size: 819525, Last changed: Nov 13 01:04:15
cosd Size: 753165, Last changed: Nov 13 00:40:10
dcd Size: 417839, Last changed: Nov 13 01:04:15
dfwc Size: 0, Last changed: Oct 07 22:38:44
eccd Size: 7285, Last changed: Nov 13 01:03:47
ext/ Last changed: Oct 07 22:38:00
flowc/ Last changed: Oct 07 22:38:01
fwauthd_chk_only Size: 297, Last changed: Nov 13 00:38:26
ggsn/ Last changed: Oct 07 22:38:01
gres-tp Size: 29605, Last changed: Nov 13 00:40:10
httpd.log Size: 1568, Last changed: Nov 13 00:40:10
idpd Size: 0, Last changed: Oct 07 22:41:05
ifstraced Size: 435, Last changed: Nov 13 00:38:24
interactive-commands Size: 0, Last changed: Nov 13 01:04:04
inventory Size: 30000, Last changed: Nov 13 01:03:47
jdhcpd_era_discover.log Size: 0, Last changed: Oct 17 01:42:55
jdhcpd_era_discover.log.0 Size: 0, Last changed: Oct 17 01:42:55
jdhcpd_era_solicit.log Size: 0, Last changed: Oct 17 01:42:56
jdhcpd_era_solicit.log.0 Size: 0, Last changed: Oct 17 01:42:56
jdhcpd_profilelib Size: 0, Last changed: Oct 17 01:42:55
jdhcpd_sdb.log Size: 0, Last changed: Oct 17 01:42:55
jsrpd Size: 391247, Last changed: Nov 13 01:04:15
kmd Size: 20759, Last changed: Nov 13 01:04:13
license Size: 0, Last changed: Oct 07 22:40:39
license_subs_trace.log Size: 20223, Last changed: Nov 13 00:40:42
mastership Size: 55, Last changed: Nov 10 22:17:46
messages Size: 92167, Last changed: Nov 13 01:04:36
messages.0.gz Size: 10451, Last changed: Oct 29 01:30:01
messages.1.gz Size: 10696, Last changed: Oct 15 20:30:01
nsd_chk_only Size: 33476, Last changed: Nov 13 01:03:58
nstraced_chk_only Size: 243, Last changed: Nov 13 00:38:26

 

Thanks and have a good evening!!
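As an added example (not from the post and not Junos code), this Python script parses set-format security policy commands, groups them by policy, and lists permit policies that have no `then log session-init` / `then log session-close` statement. The four commands in the post have `then permit` and no log statement, so sessions matching T1 produce no RT_FLOW session records in any of the files listed, whatever else those files contain; the script also prints the set commands that would add the logging. Policy T2 in the embedded sample is constructed for contrast and is not from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the four set commands from the post, plus a hypothetical
# policy T2 that does log, so both outcomes appear.
SAMPLE_SET_COMMANDS = """\
set security policies from-zone ZO to-zone ZOP policy T1 match source-address any
set security policies from-zone ZO to-zone ZOP policy T1 match destination-address any
set security policies from-zone ZO to-zone ZOP policy T1 match application any
set security policies from-zone ZO to-zone ZOP policy T1 then permit
set security policies from-zone ZO to-zone ZOP policy T2 match source-address any
set security policies from-zone ZO to-zone ZOP policy T2 match destination-address any
set security policies from-zone ZO to-zone ZOP policy T2 match application junos-ssh
set security policies from-zone ZO to-zone ZOP policy T2 then permit
set security policies from-zone ZO to-zone ZOP policy T2 then log session-init
set security policies from-zone ZO to-zone ZOP policy T2 then log session-close
"""

PolicyKey = Tuple[str, str, str]            # (from-zone, to-zone, policy name)
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")


def parse_policies(text: str) -> Dict[PolicyKey, dict]:
    """Group zone-pair policy set commands by policy. Each entry holds the match
    fields (as lists, since a field may be set several times) and the then actions.
    Global policies and anything else are rejected rather than silently skipped."""
    policies: Dict[PolicyKey, dict] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a zone-pair policy set command: {line!r}")
        from_zone, to_zone, name, section, rest = m.groups()
        entry = policies.setdefault((from_zone, to_zone, name), {"match": {}, "then": []})
        if section == "match":
            field, _, value = rest.partition(" ")
            entry["match"].setdefault(field, []).append(value)
        else:
            entry["then"].append(rest)
    return policies


def unlogged_permits(policies: Dict[PolicyKey, dict]) -> List[PolicyKey]:
    """Permit policies with no 'then log ...' statement. Sessions matching them
    create no RT_FLOW session log records, whichever syslog files exist."""
    result = []
    for key, entry in policies.items():
        actions = entry["then"]
        permits = any(a == "permit" or a.startswith("permit ") for a in actions)
        logs = any(a == "log" or a.startswith("log ") for a in actions)
        if permits and not logs:
            result.append(key)
    return result


def logging_set_commands(policies: Dict[PolicyKey, dict]) -> List[str]:
    """Set commands that would add session-init and session-close logging
    to every unlogged permit policy."""
    cmds = []
    for from_zone, to_zone, name in unlogged_permits(policies):
        prefix = (f"set security policies from-zone {from_zone} "
                  f"to-zone {to_zone} policy {name} then log")
        cmds.append(f"{prefix} session-init")
        cmds.append(f"{prefix} session-close")
    return cmds


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_SET_COMMANDS)
    for key in unlogged_permits(pols):
        print("permit without log:", "/".join(key))
    for cmd in logging_set_commands(pols):
        print(cmd)
```

Feed it the output of `show configuration security policies | display set` to audit a whole device; the match fields are kept so the same structure can be extended to flag `any`/`any`/`any` permits alongside the missing log statements.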

 

 

PIM SPARSE-DENSE MODE Quesion on SRX 650


Hi everyone,

 

 

Let's say we have SPARSE-DENSE MODE set up.

SRX1 is RP 1.1.1.1 for groups 236.1.1.1 and 236.2.2.2.2

SRX2 is configured to act as PIM DENSE router for group 238.1.1.1

Suppose SRX2 receives a multicast stream for 237.1.1.1 from a directly attached source; this stream is not defined as a DENSE group and the RP is not configured to accept registration for such a stream either.

What will happen next?

Will SRX2 send a register message carrying 237.1.1.1 to the RP? If yes, how will SRX2 react upon receiving REGISTER STOP from the RP, as this group is not defined on the RP? Will SRX2 start using DENSE mode for 237.1.1.1?

 

Thanks,

SRX240 memory upgrade panic: Error: Failed to find a valid wired memory profile


Hello,

After upgrading to 2 GB of memory the router can't boot with the new RAM on ver. 12.1X46-D67, but it is working without any problems on ver. 12.1X46-D65.4.

Any solutions to fix this ?

Booting [/kernel]...               
Kernel entry at 0x801000e0 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 512 Size 128 Asso 8
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
kld_map_v: 0x8ff80000, kld_map_p: 0x0
panic: Error: Failed to find a valid wired memory profile

cpuid = 0
KDB: stack backtrace:
SP 0: not in kernel
uart_z8530_class+0x0 (0,0,0,0) ra 0 sz 0
pid 0, process: 
KDB: enter: panic
[thread pid 0 tid 0 ]
Stopped at      breakpoint+0x4: jr      ra
db> help
    DDB Quick Help  
  -------------------  
Type 'c' to continue, 'reset' or 'panic' to restart. 

print       p           examine     x           search      set         write       
w           delete      d           break       dwatch      watch       dhwatch     
hwatch      step        s           continue    c           until       next        
match       trace       alltrace    where       bt          call        show        
ps          gdb         reset       kill        watchdog    thread      panic       
dumpsys     ddbdumpsys  
db> trace
Tracing pid 0 tid 0 td 0x80cd4a60
breakpoint+0x4 (0,0,0,0) ra 0x8027052c sz 0
kdb_enter+0x2c4 (0,0,0,0) ra 0x8023b7c8 sz 56
panic+0x760 (0,0x80c09c74,0,0x80000000) ra 0x808042a4 sz 72
srxsme_wmem_init+0x98 (0,0x80c09c74,0,0x80000000) ra 0x807b30d8 sz 32
0x807b2f7c+0x15c (0,0x80c09c74,0,0x80000000) ra 0 sz 0
pid 0, process: 
db> 

STATIC NAT ( DESTINATION) and Multicast


Hi everyone,

Please consider the following config:

 

source(199.199.199.10)--f7 SRX-f0/6(200.200.200.20)-------------200.200.200.2( CISCO ROUTER)

 

199.199.199.10 is known as 6.6.6.6 by Cisco router, 

 

 

root> show configuration security nat | display set
set security nat static rule-set LEE from zone ZOO
set security nat static rule-set LEE rule R1 match destination-address 6.6.6.6/32
set security nat static rule-set LEE rule R1 then static-nat prefix 199.199.199.10/32

 

We expect following:

All traffic received from ZONE LEE and destined to 6.6.6.6/32 will have DESTINATION NATTED To 199.199.199.10

We can see that:

Session ID: 5097, Policy name: T1/4, Timeout: 4, Valid
In: 200.200.200.2/17242 --> 6.6.6.6/1;icmp, If: fe-0/0/6.0, Pkts: 1, Bytes: 60
Out: 199.199.199.10/1 --> 200.200.200.2/17242;icmp, If: fe-0/0/7.0, Pkts: 1, Bytes: 60

 

Since we are using STATIC ( DESTINATION NAT), so following is also true:

 

All traffic sourced from 199.199.199.10 and destined to Zone LEE will have Source natted to 6.6.6.6

We can see that (200.200.200.20 is reachable via an interface which is in Zone LEE):

Session ID: 5686, Policy name: T1/4, Timeout: 2, Valid
In: 199.199.199.10/170 --> 200.200.200.2/1;icmp, If: fe-0/0/7.0, Pkts: 1, Bytes: 60
Out: 200.200.200.2/1 --> 6.6.6.6/170;icmp, If: .local..0, Pkts: 1, Bytes: 60

 

So far so good!!

 

source(199.199.199.10)--f7 SRX-f0/6(200.200.200.20)-------------200.200.200.2( CISCO ROUTER)

Above 200.200.200.2 is RP

But I noticed the following when 199.199.199.10 sends multicast to 235.1.1.1: SRC IP 199.199.199.10 remains unchanged, i.e. it was not NATed to 6.6.6.6 when the destination IP is 235.1.1.1

 

 

 

ON RP 

We see the RP receives a register message with 199.199.199.10; note the src IP is not changed to 6.6.6.6 in the Register message

*Mar 1 11:53:13.140: PIM(0): Received v2 Register on FastEthernet0/0 from 199.199.199.1
*Mar 1 11:53:13.140: for 199.199.199.10, group 235.1.1.1

*Mar 1 11:53:13.140: PIM(0): Send v2 Register-Stop to 199.199.199.1 for 199.199.199.10, group 235.1.1.1

 

Session ID: 9032, Policy name: self-traffic-policy/1, Timeout: -1, Valid
In: 199.199.199.10/532 --> 235.1.1.1/1;icmp, If: fe-0/0/7.0, Pkts: 1, Bytes: 60
Out: 235.1.1.1/1 --> 199.199.199.10/532;icmp, If: ppe0.32769, Pkts: 0, Bytes: 0

 

Below we can see SRX has not natted SOURCE IP :

Session ID: 9032, Policy name: self-traffic-policy/1, Timeout: -1, Valid
In: 199.199.199.10/532 --> 235.1.1.1/1;icmp, If: fe-0/0/7.0, Pkts: 1, Bytes: 60
Out: 235.1.1.1/1 --> 199.199.199.10/532;icmp, If: ppe0.32769, Pkts: 0, Bytes: 0

 

 

 

Is it normal for the SRX not to perform NAT when the destination IP is multicast, as seen above?

 

Thanks and have a nice evening!!

 

 

 
