Channel: SRX Services Gateway topics

Source NAT through VPN not working from switched interface

Hi There,

I'm currently trying to solve an AWS transitive routing issue using a VPN between two SRX devices. Coming from a Cisco world, this has been a bit of a learning curve this week. I've made some good progress but have hit a wall and I'm not sure why.

The VPN is up and running between an on-prem SRX100 and a vSRX in AWS over our WAN. I can ping between the local/remote networks without issue. I set up source NAT on the vSRX to allow egress to the internet via the VPN.

If I ping 8.8.8.8 using the L3 interface on the SRX100 I can go through the VPN without issue and can see the NAT working using the show security flow session command.

If I ping 8.8.8.8 from the L2 interface (which my client is connected to on fe-0/0/3.0), which has an IP on the same subnet, no dice. The L3 interface for the subnet is set up and contactable from the client.

I'm hoping I've missed something really stupid; would appreciate some help.

Below is my network diagram and the two SRX configs. Unfortunately it won't let me attach the configs as files:

On Prem SRX:

## Last commit: 2017-12-01 01:15:40 UTC by root
version 12.1X44-D30.4;
system {
root-authentication {
encrypted-password "$1$Xqnk0iLx$WJ59rffLgV0qWzE8G3Oyg."; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings fe-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
fe-0/0/0 {
unit 0;
}
fe-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust2;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 10.99.10.223/24;
}
}
}
st0 {
unit 0 {
family inet {
address 1.1.1.2/24;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
unit 170 {
family inet {
address 192.168.170.1/24;
}
}
}
}
routing-options {
static {
route 192.168.168.0/24 next-hop st0.0;
route 10.220.1.60/32 next-hop 10.99.10.254;
route 0.0.0.0/0 next-hop st0.0;
}
}
protocols {
stp;
}
security {
ike {
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
mode main;
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$2ygZDiHmTF/qmEyK8dVqmf5Qn/Ct01R6/Ct"; ## SECRET-DATA
}
gateway gw-vir {
ike-policy ike-phase1-policy;
address 10.220.1.60;
external-interface fe-0/0/7.0;
}
}
ipsec {
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-phase2-proposal;
}
vpn ike-vpn-vir {
bind-interface st0.0;
ike {
gateway gw-vir;
ipsec-policy ipsec-phase2-policy;
}
}
}
address-book {
book1 {
address ldn 192.168.170.0/24;
attach {
zone trust;
}
}
book2 {
address virginia 192.168.168.0/24;
attach {
zone vpn-vir;
}
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn-vir {
policy vpn-tr-vir {
match {
source-address ldn;
destination-address virginia;
application any;
}
then {
permit;
}
}
}
from-zone vpn-vir to-zone trust {
policy vpn-vir-tr {
match {
source-address virginia;
destination-address ldn;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
fe-0/0/7.0;
fe-0/0/3.0;
vlan.170;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
security-zone vpn-vir {
interfaces {
st0.0;
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
}
vlan-trust2 {
vlan-id 170;
l3-interface vlan.170;
}
}

AWS vSRX:

## Last changed: 2017-12-01 14:14:15 UTC
version 15.1X49-D100.6;
groups {
aws-default {
system {
root-authentication {
blanked out
}
services {
ssh {
no-passwords;
}
netconf {
ssh;
}
web-management {
https {
system-generated-certificate;
}
}
}
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.220.2.197/23;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.220.2.1;
}
}
}
}
apply-groups aws-default;
system {
host-name vsrx;
domain-name blank.com;
root-authentication {
encrypted-password "$5$y1JinMy8$7EXZ.ly3HqvfUHQx427W.yOg5isev5s39K2x3a6ldb2"; ## SECRET-DATA
}
name-server {
8.8.8.8;
10.99.70.18;
}
services {
web-management {
https {
pki-local-certificate juniper-local;
interface fxp0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 193.150.34.2;
server 138.68.46.177;
}
}
security {
pki {
ca-profile ca-profile1 {
ca-identity ca-profile1;
}
}
ike {
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
mode main;
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$f53/CA0Ihrp0-wgJHkp0B1RSrev8xNyrev"; ## SECRET-DATA
}
gateway gw-ldn {
ike-policy ike-phase1-policy;
address 10.99.10.223;
external-interface ge-0/0/1.0;
}
}
ipsec {
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-phase2-proposal;
}
vpn ike-vpn-ldn {
bind-interface st0.0;
ike {
gateway gw-ldn;
ipsec-policy ipsec-phase2-policy;
}
}
}
address-book {
book1 {
address virginia 192.168.168.0/24;
attach {
zone trust;
}
}
book2 {
address ldn 192.168.170.0/24;
attach {
zone vpn-ldn;
}
}
global {
address london 192.168.170.0/24;
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set vpn-ldn-untrust {
from zone vpn-ldn;
to zone untrust;
rule ldnvpn-v4 {
match {
source-address-name london;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone orange to-zone orange {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn-ldn {
policy vpn-tr-ldn {
match {
source-address virginia;
destination-address ldn;
application any;
}
then {
permit;
}
}
}
from-zone vpn-ldn to-zone trust {
policy vpn-ldn-tr {
match {
source-address ldn;
destination-address virginia;
application any;
}
then {
permit;
}
}
}
from-zone vpn-ldn to-zone untrust {
policy vpn-ldn-ut {
match {
source-address ldn;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone vpn-ldn {
policy ut-vpn-ldn {
match {
source-address any;
destination-address ldn;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0;
lo0.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0;
}
}
security-zone orange {
tcp-rst;
host-inbound-traffic {
system-services {
https;
}
}
}
security-zone red {
screen untrust-screen;
}
security-zone vpn-ldn {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
st0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.220.0.181/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.220.1.60/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.168.1/32;
}
}
}
st0 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
}
routing-instances {
icg-1 {
instance-type virtual-router;
interface ge-0/0/0.0;
interface ge-0/0/1.0;
interface lo0.0;
interface st0.0;
routing-options {
static {
route 10.99.0.0/16 next-hop 10.220.1.1;
route 0.0.0.0/0 next-hop 10.220.0.1;
route 192.168.170.0/24 next-hop st0.0;
}
}
}
}

[Diagram: SRX VPN NAT .png, on-prem SRX100]

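As an added worked example (not the poster's code, and not anything the SRX runs itself), the script below walks a transit flow through the on-prem SRX100 configuration quoted above the way the box would on the first packet: route lookup, egress zone, zone-pair policy, then the source NAT rule-set. The zones, static routes, address book, policies and NAT rule-set are transcribed from the config; the connected routes are derived from the interface addresses; the assumption that next-hop 10.99.10.254 sits behind fe-0/0/7.0 and the client addresses 192.168.170.50 and 192.168.1.20 are constructed. The walk shows that a client packet to 8.8.8.8 follows the 0.0.0.0/0 route out st0.0 into zone vpn-vir, where the only trust-to-vpn-vir policy (vpn-tr-vir) is scoped to destination virginia, and that the only source NAT rule-set is trust-to-untrust. A ping sourced from the SRX's own L3 interface is host-originated traffic and is not evaluated against transit policies, which is why the two tests in the post can behave differently; on the box itself, show security match-policies performs the same lookup.

```python
"""Walk a transit flow through the on-prem SRX100 configuration quoted in the
post: route lookup -> egress zone -> zone-pair policy -> source NAT rule-set.
Added example, not the poster's code.  Zones, routes, address book, policies
and the NAT rule-set are transcribed from the config; connected routes are
derived from the interface addresses; the client addresses are constructed."""
from ipaddress import ip_address, ip_network

# security zones ... interfaces (vlan.170 is the L3 interface of vlan-trust2)
ZONE_OF_INTERFACE = {
    "vlan.0": "trust", "vlan.170": "trust", "fe-0/0/7.0": "trust", "fe-0/0/3.0": "trust",
    "fe-0/0/0.0": "untrust",
    "st0.0": "vpn-vir",
}

# routing-options static, plus connected routes from the interface addresses.
# Assumption: next-hop 10.99.10.254 (for 10.220.1.60/32) is reached via fe-0/0/7.0.
ROUTES = [
    ("192.168.168.0/24", "st0.0"),
    ("10.220.1.60/32", "fe-0/0/7.0"),
    ("0.0.0.0/0", "st0.0"),
    ("192.168.1.0/24", "vlan.0"),
    ("192.168.170.0/24", "vlan.170"),
    ("10.99.10.0/24", "fe-0/0/7.0"),
    ("1.1.1.0/24", "st0.0"),
]

# address-book entries; "any" is the policy keyword, modelled as 0.0.0.0/0
ADDRESS_BOOK = {"ldn": "192.168.170.0/24", "virginia": "192.168.168.0/24", "any": "0.0.0.0/0"}

# (from-zone, to-zone, policy name, source-address, destination-address); application any
POLICIES = [
    ("trust", "untrust", "trust-to-untrust", "any", "any"),
    ("trust", "vpn-vir", "vpn-tr-vir", "ldn", "virginia"),
    ("vpn-vir", "trust", "vpn-vir-tr", "virginia", "ldn"),
]

# security nat source rule-set: (from-zone, to-zone, rule name, match source-address)
NAT_RULE_SETS = [("trust", "untrust", "source-nat-rule", "0.0.0.0/0")]


def egress_interface(dst):
    """Longest-prefix match over ROUTES; returns the outgoing logical interface."""
    addr = ip_address(dst)
    candidates = [(ip_network(p), ifc) for p, ifc in ROUTES if addr in ip_network(p)]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def in_book(addr, name):
    return ip_address(addr) in ip_network(ADDRESS_BOOK[name])


def evaluate_flow(src, dst, ingress_interface):
    """First-packet treatment of a transit flow.  Host-originated traffic (a ping
    sourced from one of the SRX's own interfaces) is not policy-checked and is not
    modelled here."""
    from_zone = ZONE_OF_INTERFACE[ingress_interface]
    out_if = egress_interface(dst)
    to_zone = ZONE_OF_INTERFACE[out_if]
    action, matched = "deny (no policy for this zone pair matched, default deny)", None
    for fz, tz, name, sa, da in POLICIES:
        if (fz, tz) == (from_zone, to_zone) and in_book(src, sa) and in_book(dst, da):
            action, matched = "permit", name
            break
    nat_rule = None
    for fz, tz, name, match in NAT_RULE_SETS:
        if (fz, tz) == (from_zone, to_zone) and ip_address(src) in ip_network(match):
            nat_rule = name
    return {"from_zone": from_zone, "to_zone": to_zone, "egress": out_if,
            "action": action, "policy": matched, "source_nat": nat_rule}


if __name__ == "__main__":
    for src, dst, ifc in [("192.168.170.50", "8.8.8.8", "vlan.170"),
                          ("192.168.170.50", "192.168.168.5", "vlan.170")]:
        print(src, "->", dst, evaluate_flow(src, dst, ifc))
```

The tables are deliberately kept as plain data so the same walk can be re-run after a policy or route is changed; any flow whose result is "deny" with policy None is one that show security flow session will never show, because no session is ever created for it.
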
I have a problem with ip-monitoring and RPM in default route fail-over

Hi. I have a configuration for default route failover with RPM and IP-Monitoring.
My configuration is:
> show configuration services rpm | display set
set services rpm probe PRIN test test-8.8.8.8 target address 8.8.8.8
set services rpm probe PRIN test test-8.8.8.8 probe-count 3
set services rpm probe PRIN test test-8.8.8.8 probe-interval 5
set services rpm probe PRIN test test-8.8.8.8 test-interval 5
set services rpm probe PRIN test test-8.8.8.8 thresholds successive-loss 7
set services rpm probe PRIN test test-8.8.8.8 thresholds total-loss 7
set services rpm probe PRIN test test-8.8.8.8 destination-interface reth3.0
set services rpm probe PRIN test test-8.8.8.8 next-hop X.X.X.X

And the IP-Monitoring configuration is:
set services ip-monitoring policy Default_BKP match rpm-probe PRIN
set services ip-monitoring policy Default_BKP then preferred-route route 0.0.0.0/0 next-hop X.X.X.X
set services ip-monitoring policy Default_BKP then preferred-route route 0.0.0.0/0 preferred-metric 1

The probe result is OK, but the IP-Monitoring status is FAIL:
> show services rpm probe-results
Owner: IPLAN, Test: test-8.8.8.8
Target address: 8.8.8.8, Probe type: icmp-ping
Destination interface name: reth3.0
Test size: 3 probes
Probe results:
Response received, Fri Dec 1 18:29:57 2017, No hardware timestamps
Rtt: 1741 usec, Round trip jitter: -479 usec, Round trip interarrival jitter: 4730 usec
Results over current test:
Probes sent: 1, Probes received: 1, Loss percentage: 0.000000
Measurement: Round trip time
Samples: 1, Minimum: 1741 usec, Maximum: 1741 usec, Average: 1741 usec, Peak to peak: 0 usec, Stddev: 0 usec,
Sum: 1741 usec
Measurement: Negative round trip jitter
Samples: 1, Minimum: 479 usec, Maximum: 479 usec, Average: 479 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 479 usec
Results over last test:
Probes sent: 3, Probes received: 3, Loss percentage: 0.000000
Test completed on Fri Dec 1 18:29:52 2017
Measurement: Round trip time
Samples: 3, Minimum: 1629 usec, Maximum: 2220 usec, Average: 1882 usec, Peak to peak: 591 usec, Stddev: 249 usec,
Sum: 5645 usec
Measurement: Positive round trip jitter
Samples: 1, Minimum: 591 usec, Maximum: 591 usec, Average: 591 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 591 usec
Measurement: Negative round trip jitter
Samples: 2, Minimum: 167 usec, Maximum: 256 usec, Average: 212 usec, Peak to peak: 89 usec, Stddev: 44 usec, Sum: 423 usec
Results over all tests:
Probes sent: 16051, Probes received: 15931, Loss percentage: 0.747617
Measurement: Round trip time
Samples: 15931, Minimum: 1512 usec, Maximum: 740514 usec, Average: 4735 usec, Peak to peak: 739002 usec, Stddev: 11771 usec,
Sum: 75434767 usec
Measurement: Positive round trip jitter
Samples: 8008, Minimum: 0 usec, Maximum: 738768 usec, Average: 5228 usec, Peak to peak: 738768 usec, Stddev: 15994 usec,
Sum: 41861962 usec
Measurement: Negative round trip jitter
Samples: 7922, Minimum: 1 usec, Maximum: 738297 usec, Average: 5284 usec, Peak to peak: 738296 usec, Stddev: 16085 usec,
Sum: 41861893 usec

And in the IP-Monitoring output, the RPM status appears as FAIL:
> show services ip-monitoring status

Policy - Default_BKP (Status: FAIL)
RPM Probes:
Probe name Test Name Address Status
---------------------- --------------- ---------------- ---------
PRIN test-8.8.8.8 8.8.8.8 FAIL
Route-Action:
route-instance route next-hop state
----------------- ----------------- ---------------- -------------
inet.0 0.0.0.0/0 X.X.X.X APPLIED

{primary:node0}

Has anyone had this problem before? Can you tell me how to solve this issue?
Regards
Sebastian
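
An added example, not the poster's code: the script below parses the text of show services rpm probe-results into per-probe counts and then checks what an ip-monitoring policy with match rpm-probe <owner> can actually see. The sample text is the output quoted in the post with the RTT and jitter lines trimmed, and the total-loss threshold of 7 is the one in the post's configuration. The ip-monitoring policy in the post references probe owner PRIN, while the quoted probe-results output carries Owner: IPLAN; whether that is a sanitisation slip in the post or the real state of the device, a mismatch between the owner the policy names and the owner the RPM output reports is the first thing to rule out, because ip-monitoring can only evaluate a probe it can find.

```python
"""Parse 'show services rpm probe-results' text and compare the probe an
ip-monitoring policy references against what the RPM output actually reports.
Added example, not the poster's code.  The sample text is the output quoted in
the post (RTT/jitter lines trimmed); the threshold value is from the post's config."""
import re

PROBE_RESULTS = """\
Owner: IPLAN, Test: test-8.8.8.8
Target address: 8.8.8.8, Probe type: icmp-ping
Destination interface name: reth3.0
Test size: 3 probes
Probe results:
Response received, Fri Dec 1 18:29:57 2017, No hardware timestamps
Results over current test:
Probes sent: 1, Probes received: 1, Loss percentage: 0.000000
Results over last test:
Probes sent: 3, Probes received: 3, Loss percentage: 0.000000
Test completed on Fri Dec 1 18:29:52 2017
Results over all tests:
Probes sent: 16051, Probes received: 15931, Loss percentage: 0.747617
"""

OWNER_RE = re.compile(r"Owner: (\S+), Test: (\S+)")
SECTION_RE = re.compile(r"Results over (current test|last test|all tests):")
COUNTS_RE = re.compile(r"Probes sent: (\d+), Probes received: (\d+), Loss percentage: ([\d.]+)")


def parse_probe_results(text):
    """Return one dict per (owner, test) with per-section sent/received/lost counts."""
    tests, current, section = [], None, None
    for line in text.splitlines():
        if m := OWNER_RE.match(line):
            current = {"owner": m.group(1), "test": m.group(2), "results": {}}
            tests.append(current)
            section = None
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif (m := COUNTS_RE.match(line)) and current and section:
            sent, received = int(m.group(1)), int(m.group(2))
            current["results"][section] = {"sent": sent, "received": received,
                                           "lost": sent - received,
                                           "loss_pct": float(m.group(3))}
    return tests


def check_policy_probe(tests, policy_owner, policy_test, total_loss_threshold):
    """What a 'match rpm-probe <owner>' policy can see: the referenced probe must
    exist in the RPM results, and its last completed test must stay under the
    configured total-loss threshold."""
    for t in tests:
        if t["owner"] == policy_owner and t["test"] == policy_test:
            last = t["results"]["last test"]
            status = "FAIL" if last["lost"] >= total_loss_threshold else "PASS"
            return {"found": True, "lost_last_test": last["lost"], "status": status}
    return {"found": False, "status": "no results for this owner/test",
            "owners_seen": sorted({t["owner"] for t in tests})}


if __name__ == "__main__":
    parsed = parse_probe_results(PROBE_RESULTS)
    print(check_policy_probe(parsed, "PRIN", "test-8.8.8.8", 7))   # owner the policy names
    print(check_policy_probe(parsed, "IPLAN", "test-8.8.8.8", 7))  # owner the output shows
```

Run against the output of a live box (show services rpm probe-results | no-more), the same parser also makes the "Results over all tests" loss figure easy to trend; a 0.75 % lifetime loss with a clean last test, as in the post, is a probe that passes, not one that fails.
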

Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed

Hi guys,

I've created a site-to-site VPN between our SRX340 running Junos 17.3R1.10 and a Sophos ASG.

3 subnets on my side and one on the other side, all defined with traffic selectors.

The tunnel comes up fine and traffic is flowing in both directions; unfortunately I still get this error:

Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed

Config is like this:

ike-policy-1

mode main;
proposals ike-proposal-1;
pre-shared-key ascii-text 

 

ike-proposal-1

authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;

 

ike-gateway

ike-policy ike-policy-1

address **.***.***.***
external-interface reth1.1;
version v1-only;

ipsec proposal ipsec-proposal-1

protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;

 

vpn vpn-1

bind-interface st0.2;
ike {
gateway ike-gateway-1;
ipsec-policy ipsec-policy-1;
}
traffic-selector TS1 {
local-ip 100.100.0.0/16;
remote-ip 192.168.50.0/24;
}
traffic-selector TS2 {
local-ip 110.100.0.0/16;
remote-ip 192.168.50.0/24;
}
traffic-selector TS3 {
local-ip 172.21.49.0/24;
remote-ip 192.168.50.0/24;
}
establish-tunnels immediately;
}

How do I fix this, or is this a bug?

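One way both observations in the post can hold at once is that each configured traffic selector negotiates its own phase 2 SA, so the selectors that match carry traffic, while any further Quick Mode proposal from the peer whose selector pair or algorithm set matches none of TS1, TS2, TS3 or ipsec-proposal-1 is rejected and logged with exactly that message. The responder-side matcher below is an added example, not the poster's or Juniper's code: it encodes the selectors and proposal quoted above and applies a simplified rule set (IKEv1, as in the post's version v1-only, needs the proposed pair to equal a configured pair exactly; IKEv2 may narrow to the overlap). The peer proposals fed to it are constructed. On the box, show security ipsec security-associations shows which selector pairs actually came up.

```python
"""Responder-side phase 2 (Quick Mode / CHILD_SA) matching against the traffic
selectors and IPsec proposal quoted in the post.  Added example, not the
poster's or Juniper's code; the matching rules are a simplified model:
IKEv1 needs the proposed selector pair to equal a configured one exactly,
IKEv2 may narrow to the overlap.  The peer proposals are constructed."""
from ipaddress import ip_network

# vpn-1 traffic-selectors: name -> (local-ip, remote-ip)
LOCAL_SELECTORS = {
    "TS1": ("100.100.0.0/16", "192.168.50.0/24"),
    "TS2": ("110.100.0.0/16", "192.168.50.0/24"),
    "TS3": ("172.21.49.0/24", "192.168.50.0/24"),
}
# ipsec-proposal-1
LOCAL_PROPOSAL = {"protocol": "esp", "encryption": "aes-256-cbc",
                  "authentication": "hmac-sha1-96"}


def _narrow(a, b):
    """Overlap of two prefixes that nest: the more specific one."""
    return max(a, b, key=lambda n: n.prefixlen)


def match_phase2(peer_local, peer_remote, peer_proposal, ike_version="v1-only"):
    """peer_local/peer_remote are the selectors as the *peer* proposes them, so on
    our side they map to remote-ip/local-ip.  Returns the accepted flag, the
    selector that was chosen and a list of conflict reasons."""
    reasons = [f"{k}: peer proposed {peer_proposal.get(k)}, local is {v}"
               for k, v in LOCAL_PROPOSAL.items() if peer_proposal.get(k) != v]
    want_local, want_remote = ip_network(peer_remote), ip_network(peer_local)
    chosen = None
    for name, (loc, rem) in LOCAL_SELECTORS.items():
        loc_n, rem_n = ip_network(loc), ip_network(rem)
        if (want_local, want_remote) == (loc_n, rem_n):
            chosen = (name, str(loc_n), str(rem_n))
            break
        if ike_version == "v2-only" and want_local.overlaps(loc_n) and want_remote.overlaps(rem_n):
            chosen = (name, str(_narrow(want_local, loc_n)), str(_narrow(want_remote, rem_n)))
            break
    if chosen is None:
        reasons.append(f"no traffic-selector matches local {want_local} <-> remote {want_remote}")
    return {"accepted": not reasons, "selector": chosen, "reasons": reasons}


if __name__ == "__main__":
    proposal = dict(LOCAL_PROPOSAL)
    # exact match of TS1 -> accepted
    print(match_phase2("192.168.50.0/24", "100.100.0.0/16", proposal))
    # a /24 inside TS1's /16: IKEv1 rejects, IKEv2 would narrow
    print(match_phase2("192.168.50.0/24", "100.100.5.0/24", proposal))
    print(match_phase2("192.168.50.0/24", "100.100.5.0/24", proposal, ike_version="v2-only"))
    # algorithm mismatch is reported separately from the selector mismatch
    print(match_phase2("192.168.50.0/24", "100.100.0.0/16", {**proposal, "encryption": "aes-128-cbc"}))
```

The reasons list is the useful output: it distinguishes a selector that the peer defines more narrowly or more broadly than the SRX from a plain algorithm mismatch, which is the distinction needed to decide which side's configuration to change.
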
SRX 1400 is blocking packets for download during Debian Distribution installation

Dear Juniper experts,

I am facing an issue with an SRX 1400. The network diagram is attached to help understand the scenario.

Problem: Any end user who has their gateway on the SRX 1400 is unable to download Debian packages during Debian distro installation. All other internet traffic is processed fine. If I bypass the SRX 1400, I can download and install Debian packages as expected. I am unable to identify why the SRX 1400 is blocking that traffic.

Please suggest what the possibilities would be for the SRX 1400 blocking only Debian distro packages.

DHCP relay Issue

Forgive me here, I am new to Junos, but I believe I have created a network that is VLANed and inter-VLAN routed, but I cannot relay DHCP requests to a server. Attached is my config; can anyone give me any pointers?

Static routes with RPM

Hi everyone,

This is what I am trying to accomplish:

SRX f1-199.199.199.1/30-( PROVIDER A SWITCHED NETWORK)-199.199.199.2/30 PE

       f2-200.200.200.1/30-(PROVIDER B SWITCHED NETWORK)-200.200.200.2/30 PE

We are using static routes on the SRX:

0/0 next-hop 199.199.199.2

0/0 next-hop 200.200.200.2 route preference 10

We have control only over the SRX. Our issue is that since the SRX is not directly connected to the PE, any break within the providers' switched networks will blackhole our traffic.

This is what I am thinking:

(I do not want to use filter-based forwarding with RPM, to keep the design simple and intuitive.)

1) Define RPM and then tie RPM to static routes, so if RPM fails, the static route is removed from the routing table.

I can use the link to set up the desired RPM, but I am trying to figure out how to associate RPM with static routes.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB25052

Thanks and have a nice weekend!!

When SRX is both FHR/LHR

Hi everyone,

This is my understanding:

PIM sparse, PIM sparse-dense and PIM dense mode all refer to how a PIM-enabled router deals with sending a multicast stream towards a PIM neighbor. For dense mode, the logic is: if a PIM-enabled router receives a multicast stream (after the due homework, i.e. RPF check), it forwards it to its PIM neighbor, and it will continue to do so unless the downstream neighbor sends a PIM prune.

For sparse mode, the logic is: if a PIM-enabled router receives a multicast stream, it contacts the RP by sending a REGISTER message carrying the multicast stream packet as payload. In all the above cases, we see there has to be a PIM neighbor, otherwise no stream is forwarded. EXCEPTION: if the PIM-enabled router is the LHR, then it will send the stream out on the interface where listeners are located.

Please consider the case when the SRX is both FHR/LHR, shown below:

                        R10 (RP)

                           |

                           f2

SRC----   f1 --   SRX- f3---Listeners ( 235.1.1.1)

Above, we see the SRX being both FHR/LHR. Since no PIM neighbors are on f3 and f1, do we expect:

Regardless of PIM mode on f1 or f3, the SRX will send the stream 235.1.1.1 out of f3 because the SRX is the LHR?

I see the following behavior on Cisco:
Regardless of PIM mode on f1 or f3, the Cisco router will send the stream 235.1.1.1 out of f3 because it is the LHR.

Thanks and have a nice weekend!!


usp_ipc_client_reconnect messages in syslog

Hi, I have a cluster of SRX 3600s. RG0 and RG1 are active on different nodes.
Messages began to appear in syslog:
FW-node1 node1.fpc7.pic0 usp_ipc_client_reconnect: failed to connect to the server: Connection refused (61)
FW-node1 node1.fpc8.pic0 usp_ipc_client_reconnect: failed to connect to the server: Connection refused (61)
FW-node1 node1.fpc9.pic0 usp_ipc_client_reconnect: failed to connect to the server: Connection refused (61)
FW-node1 node1.fpc10.pic0 usp_ipc_client_reconnect: failed to connect to the server: Connection refused (61)
Perhaps someone can explain the reason for these messages.
Thanks


SRX with packet mode , RSVP bandwidth management ?

Hi all,

Can RSVP help in the scenario where the SRXs are interconnected via a microwave link? When the primary microwave link bandwidth is downgraded from 100 Mbps to 20 Mbps, can RSVP detect the congestion and swing to the secondary link?

Note: SRX1 --> 1G copper to microwave equipment -> over-the-air radio (~100 Mbps) -> 1G copper to microwave equipment -> SRX3

Example as per topology:

LSP from SRX1-SRX3 via direct ge-0/0/0; when the microwave link between SRX1 and SRX3 is downgraded to 20 Mbps, can I switch the LSP to SRX1-SRX3 via SRX2?

PPPoE problems

Trying to connect to an ISP over ADSL. I am able to establish a session and see packets flowing, but no IP address is assigned to the interface and LCP is down. The ISP should assign the IP by DHCP. Not experienced with ADSL; what do I look at next?

show interfaces pp0
Physical interface: pp0    , Enabled, Physical link is Up
  Interface index: 129, SNMP ifIndex: 501
  Type: PPPoE, Link-level type: PPPoE, MTU: 1532
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps
  Link type      : Full-Duplex
  Link flags     : None
  Input rate     : 712 bps (1 pps)
  Output rate    : 0 bps (0 pps)

  Logical interface pp0.0 (Index 78) (SNMP ifIndex 534)
    Flags: Hardware-Down Up Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
    PPPoE:
      State: SessionUp, Session ID: 3048,
      Session AC name: rb3-bras.def-0A014070500924, Remote MAC address: 00:30:88:15:db:9d,
      Configured AC name: None, Service name: None,
      Auto-reconnect timeout: 5 seconds, Idle timeout: Never,
      Underlying interface: ge-0/0/3.0 (Index 77)
      Ignore End-Of-List tag: Disable
    Input packets : 239462
    Output packets: 245209
  Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
  Keepalive: Input: 0 (never), Output: 0 (never)
  LCP state: Down
  NCP state: inet: Not-configured, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
  CHAP state: Closed
  PAP state: Closed
    Security: Zone: Null
    Protocol inet, MTU: 1492
      Flags: Sendbcast-pkt-to-re, Protocol-Down, Negotiate-Address

ge-0/0/3 {
    unit 0 {
        encapsulation ppp-over-ether;
    }
}
pp0 {
    unit 0 {
        ppp-options {
            pap {
                local-name XXXXXXXXXXXXXXXXX;
                local-password "XXXXXXXXXXXXXXX"; ## SECRET-DATA
            }
        }
        pppoe-options {
            underlying-interface ge-0/0/3.0;
            idle-timeout 0;
            auto-reconnect 5;
            client;
        }
        family inet {
            negotiate-address;
        }
    }
}

NAT VLAN trunk directly to untrust statics?

I'm trying to NAT off a VLAN trunk directly to a public static interface on an SRX-345; is that possible? Do I have to create ge-0/0/0.0 and ge-0/0/0.1 etc. for each subnet, or something like that, and can I do that on a trunk interface? Here's a diagram of what I'm trying to do:

[Diagram: vlan_trunk_nat.jpg]

Redundant ISP

The default router is the SRX. If the ISP goes down I want the default route to change on the router to an alternate router.

The primary router and default gateway for the network is the SRX at 192.168.0.1/24. The backup router is at 192.168.0.2/24.

How do I get the default router to switch from the primary's upstream router to the secondary router?

Firewall filter configuration for loopback IP access

Hi,

Our ISP wants to monitor the SRX (MPLS mode) loopback IP (provided by the ISP) from the IP subnets given below.

The ISP has shared the Cisco router configuration below and requested that we configure the same on the SRX.


access-list 98 permit tcp 203.62.38.0 0.0.0.255
access-list 98 permit tcp 203.62.39.0 0.0.0.255
access-list 98 deny   any log
snmp-server community rcuil RO 98
snmp-server ifindex persist
ip route 203.62.38.0 255.255.255.0 <PE WAN IP>
ip route 203.62.39.0 255.255.255.0 <PE WAN IP>
Advertise the loopback IP address in BGP if BGP is running
OR configure static route
ip route <loopback ip> <subnet mask> <pe wan ip>

Please find attached the SRX configuration display set output. We are allowing only the 203.62.3X.X/24 subnets for SNMP access using firewall filters for added security. The lo.15 interface will be monitored by the ISP. The Airtel link is terminated under the "office" VRF, interface ge-0/0/6.

After committing this configuration the BGP peer was up, but network users could not get access (i.e. linc, email, web etc.).

Kindly suggest how to fix it.

Thank you...
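
The important difference between the two platforms here: on the Cisco router, access-list 98 is bound to the SNMP community, so it only ever gates SNMP. A firewall filter applied to lo0 on an SRX is evaluated for every packet addressed to the Routing Engine, so a literal translation that ends in "deny any" also discards BGP, SSH and any user traffic that terminates on the box, which matches the symptom in the post (BGP came up on commit, users lost access). The translator below is an added example, not the poster's or the ISP's configuration: it reads the ACL lines quoted above, converts the wildcard masks to prefixes, emits a filter whose discard term is scoped to SNMP (UDP port 161, the snmp port name) with an explicit final accept term, and also emits the snmp community clients restriction, which is the closer Junos equivalent of a community ACL. The filter name PROTECT-RE, the term names, the lo0 unit 15 (after "lo.15" in the post) and the <COMMUNITY> placeholder are assumptions.

```python
"""Translate the SNMP access-list the ISP supplied into a Junos lo0 firewall
filter that restricts only SNMP and lets every other control-plane flow
(BGP, management, user traffic that terminates on the box) through.
Added example, not the poster's or the ISP's config.  Assumptions: the
filter name, term names and the lo0 unit (15, after "lo.15" in the post);
SNMP is matched as UDP port 161 (the 'snmp' port name) because a Cisco
community ACL only ever gates SNMP, whatever protocol keyword it carries."""
import re
from ipaddress import IPv4Address, IPv4Network

# The ACL lines from the post (the snmp-server and ip route lines are not filter material)
ACL_FROM_ISP = """\
access-list 98 permit tcp 203.62.38.0 0.0.0.255
access-list 98 permit tcp 203.62.39.0 0.0.0.255
access-list 98 deny   any log
"""

ACL_PERMIT = re.compile(r"access-list \d+ permit \S+ (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
ACL_DENY_ANY = re.compile(r"access-list \d+ deny\s+any(\s+log)?")


def wildcard_to_prefix(network, wildcard):
    """Cisco inverse mask -> CIDR; only contiguous masks have a CIDR equivalent."""
    mask = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a prefix")
    return str(IPv4Network((network, prefixlen), strict=False))


def acl_to_junos(acl_text, filter_name="PROTECT-RE", lo0_unit=15, community="<COMMUNITY>"):
    """Return 'set ...' lines: an lo0 input filter scoped to SNMP plus the
    equivalent 'snmp community ... clients' restriction."""
    sources, deny_log = [], False
    for line in acl_text.splitlines():
        if m := ACL_PERMIT.match(line):
            sources.append(wildcard_to_prefix(m.group(1), m.group(2)))
        elif m := ACL_DENY_ANY.match(line):
            deny_log = bool(m.group(1))
    term = f"set firewall family inet filter {filter_name} term"
    lines = [f"{term} isp-snmp from source-address {s}" for s in sources]
    lines += [f"{term} isp-snmp from protocol udp",
              f"{term} isp-snmp from destination-port snmp",
              f"{term} isp-snmp then accept",
              f"{term} other-snmp from protocol udp",
              f"{term} other-snmp from destination-port snmp"]
    if deny_log:
        lines.append(f"{term} other-snmp then log")
    lines += [f"{term} other-snmp then discard",
              # Without this final term the filter's implicit discard drops BGP,
              # SSH and everything else addressed to the Routing Engine.
              f"{term} everything-else then accept",
              f"set interfaces lo0 unit {lo0_unit} family inet filter input {filter_name}",
              f"set snmp community {community} authorization read-only"]
    lines += [f"set snmp community {community} clients {s}" for s in sources]
    return lines


if __name__ == "__main__":
    print("\n".join(acl_to_junos(ACL_FROM_ISP)))
```

Before committing a filter on lo0 it is worth loading it with commit confirmed so that a filter which still drops too much rolls itself back; the generated everything-else term is what keeps the lo0 filter from becoming the outage the post describes.
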
Significant SRX reliability problems

Generally speaking, I really like working with the SRX.  We use 210, 220, and 240 models throughout the company.  It's trivially easy to set up tunnels with OSPF to do all kinds of neat inter-office connectivity, and working with JTAC is WAY better than Cisco TAC.  (we have a Cisco phone system)

Five years ago, we bought 15 new SRXes from an authorized Juniper dealer, and each was installed in a separate geographic location.

I'm having GRAVE concerns about their reliability.  In the past 2 years, 5 of the 15 have failed with a 6th one heading to the toilet.

  • One lost its flash-- no storage recognized at boot.  It will only boot from a USB stick.
  • Another suddenly came up with a huge number of flash errors, enough that we had to remove from service-- and this one's in a very high quality colo facility (clean power always).
  • One has a "reset" button problem, such that it kept resetting itself to factory defaults  randomly.  I had to set "config-button no-clear" as a workaround.
  • One randomly lost power internally several times a day... not an OS crash, but as in "all the lights blink off then back on".  (Power supply swap didn't help.)
  • One slowly lost its RJ-45 interfaces, one at a time.  I moved services to other interfaces as they failed, until one day...... the unit just crashed and never rebooted.
  • Another one is starting the "randomly loses power internally" issue, in the exact same way as the other one did.  I'm configuring its replacement today.

6 failures out of 15... that's a 40% failure rate in 5 years.  For the record, all are on APC UPSes of varying capacities, and utility power problems are extremely rare.

Is the SRX really this much of a failure-prone dog?  Juniper Netscreens we bought circa 2005-06 are still running TODAY with no problems at all... which is why I was so anxious to adopt the SRX at new locations.  But wow.... the problems never end.

Are we alone in this experience?

SRX100H2 Factory Reset Help Required

I have 2 SRX100H2 devices that were somehow locked and cannot be factory defaulted or changed in any way. I need assistance setting them back to factory default and enabling J-Web.

What I have done:

I performed nand-format.

I downloaded the latest software from Juniper, junos-srxsme-12.1X46-D67-domestic.tgz, to a USB stick and performed watchdog disable and install file junos-srxsme-12.1X46-D67-domestic.tgz.

The device booted up and I configured it via CLI.

Saved and rebooted; here is what I see on the console: DOES THIS LOOK NORMAL? OR IS THIS IN ANY WAY UNUSUAL?

init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 128 Size 128 Asso 8
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
kld_map_v: 0x8ff80000, kld_map_p: 0x0
Copyright (c) 1996-2017, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
JUNOS 12.1X46-D67 #0: 2017-07-12 01:39:21 UTC
    builder@quoarth.juniper.net:/volume/build/junos/12.1/service/12.1X46-D67/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
JUNOS 12.1X46-D67 #0: 2017-07-12 01:39:21 UTC
    builder@quoarth.juniper.net:/volume/build/junos/12.1/service/12.1X46-D67/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
real memory  = 2147483648 (2048MB)
avail memory = 1057017856 (1008MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
Security policy loaded: JUNOS MAC/pcap (mac_pcap)
Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
netisr_init: !debug_mpsafenet, forcing maxthreads from 2 to 1
cpu0 on motherboard
: CAVIUM's OCTEON 5020 CPU Rev. 0.1 with no FPU implemented
        L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.
        L2 Cache: Size 128kb, 8 way
obio0 on motherboard
uart0: <Octeon-16550 channel 0> on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
dwc0: <Synopsis DWC OTG Controller Driver> on obio0
usb0: <USB Bus for DWC OTG Controller> on dwc0
usb0: USB revision 2.0
uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2
uhub1: single transaction translator
uhub1: 2 ports with 1 removable, self powered
umass0: STMicroelectronics ST72682  High Speed Mode, rev 2.00/2.10, addr 3
umass1: General USB Flash Disk, rev 2.00/1.00, addr 4
cpld0 on obio0
pcib0: <Cavium on-chip PCI bridge> on obio0
Disabling Octeon big bar support
PCI Status: PCI 32-bit: 0xc041b
pcib0: Initialized controller
pci0: <PCI bus> on pcib0
pci0: <serial bus, USB> at device 2.0 (no driver attached)
pci0: <serial bus, USB> at device 2.1 (no driver attached)
pci0: <serial bus, USB> at device 2.2 (no driver attached)
gblmem0 on obio0
octpkt0: <Octeon RGMII> on obio0
cfi0: <AMD/Fujitsu - 4MB> on obio0
Timecounter "mips" frequency 500000000 Hz quality 0
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
da0: 40.000MB/s transfers
da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
da1 at umass-sim1 bus 1 target 0 lun 0
da1: <General USB Flash Disk 1.00> Removable Direct Access SCSI-2 device
da1: 40.000MB/s transfers
da1: 7651MB (15669248 512 byte sectors: 255H 63S/T 975C)
Trying to mount root from ufs:/dev/da0s1a
MFSINIT: Initialising MFSROOT
Process-1 beginning MFSROOT initialization...
Creating MFSROOT...
/dev/md0: 20.0MB (40956 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 5.00MB, 320 blks, 640 inodes.
super-block backups (for fsck -b #) at:
32, 10272, 20512, 30752
Populating MFSROOT...
Creating symlinks...
Setting up mounts...
Continuing boot from MFSROOT...
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md1...
D
automatic reboot in progress...
** /dev/da0s1a (NO WRITE)
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
161 files, 75850 used, 236336 free (56 frags, 29535 blocks, 0.0% fragmentation)
mount reload of '/' failed: Operation not supported
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
Checking integrity of BSD labels:
  s1: Passed
  s2: Passed
  s3: Passed
  s4: Passed
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 23569 free (25 frags, 2943 blocks, 0.1% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 313159 free (87 frags, 39134 blocks, 0.0% fragmentation)
Checking integrity of licenses:
Checking integrity of configuration:
  rescue.conf.gz: No recovery data
Loading configuration ...
mgd: commit complete
Setting initial options: .
Starting optional daemons:  usbd.
Doing initial network setup:.
Initial interface configuration:
Time and ticks drifted too much,                        resetting synchronization...
additional daemons: eventd.
Additional routing options:kern.module_path: /boot//kernel;/boot/modules -> /boot/modules;/modules/ifpfe_drv;/modules;
kld netpfe drv: ifpfed_dialer ipsec kld.
Doing additional network setup:.
Starting final network daemons:.
setting ldconfig path: /usr/lib /opt/lib
starting standard daemons: cron.
Initial rc.mips initialization:.
Local package initialization:.
starting local daemons:set cores for group access
.
Creating JAIL MFS partition...
JAIL MFS partition created
boot.upgrade.uboot="0xBFC00000"
boot.upgrade.loader="0xBFE00000"
Boot media /dev/da0 has dual root support
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 240288 free (48 frags, 30030 blocks, 0.0% fragmentation)
Fri Dec  8 05:16:29 UTC 2017

What is the main reason for "error bad UDP checksum"?

Hi all,

Currently we are facing an issue where the SNMP server cannot poll certain interface info on another MX router. The traffic flows through an SRX5800 before it reaches the MX router. When doing a tcpdump on the SNMP server it sees "bad UDP checksum". When we do traceoptions on the SRX we see "bad udp length".

So may I know whether it's related to an MTU issue?

Thanks

SRX real lab with ability to ping from win10 machine


hey,

 

I was looking to set up a real lab with routers and switches where I could ping from a Windows 10 machine and also use Wireshark for learning purposes. I was thinking about buying a 4-port PCIe card for my Windows desktop and connecting it to 4 different networks on Juniper SRXs. My question is: is that possible, and will it work for what I need? Also, is there a cheaper option that will work through VMware Workstation? I have googled and seen learning videos of switches connected to other switches with workstations on a VM. Basically, how would I connect a VM that I can ping from to a vSRX? Overall I would like to save money by not having to buy laptops just to ping networks / test policies.

 

 

Thank you, and suggestions are much welcomed. Also, the 4-port PCIe Ethernet card linked below is what I was thinking about too as an option.

 

http://www.dell.com/en-us/work/shop/accessories/apd/a8755068?cid=302824&st=&gclid=CjwKCAiAjanRBRByEiwAKGyjZacOlrMyh-hvCIAWRQxIDYyEIc7t40P7qoz1lZ4o1Anmp7-m4b0GkhoCmqYQAvD_BwE&lid=5758064&VEN1=skGBkzprR,112781467989,901q5c14135,c,,A8755068&VEN2=,&dgc=st&dgseg=so&acd=12309152537501410&VEN3=502203864378610526

Event option and change of config


Hi everyone,

 

I want the SRX 100 to do this:

If the RPM probe for 10.10.10.1 fails, install static route 8.8.8.8/32 with next hop 10.10.10.2 using event-options.

 

SET UP:

 

SRX 10.10.10.6----SW-----10.10.10.1F1 R1

                                    ------10.10.10.2 F1 R2

 

 

 

 

 

Below is my config:

 

set services rpm probe A test PING-A-1 probe-type icmp-ping
set services rpm probe A test PING-A-1 target address 10.10.10.1
set services rpm probe A test PING-A-1 test-interval 3
set services rpm probe A test PING-A-1 thresholds successive-loss 3

 

set event-options policy A events ping_test_failed
set event-options policy A within 100 trigger on
set event-options policy A within 100 trigger 1
set event-options policy A attributes-match ping_test_failed.test-owner matches A
set event-options policy A attributes-match ping_test_failed.test-name matches PING-A-1
set event-options policy A then execute-commands commands "set routing-option static route 8.8.8.8/32 next-hop 10.10.10.2"

 

 

Below I have shut down the interface on R1 f0/0 (10.10.10.1); as expected, the SRX shows the probe fails:

root> show services rpm probe-results
Owner: A, Test: PING-A-1
Target address: 10.10.10.1, Probe type: icmp-ping, Test size: 1 probes
Probe results:
No route to target, Sat Dec 9 21:33:00 2017
Results over current test:
Probes sent: 1, Probes received: 0, Loss percentage: 100
Results over last test:
Probes sent: 1, Probes received: 0, Loss percentage: 100
Results over all tests:
Probes sent: 1015, Probes received: 905, Loss percentage: 10
Measurement: Round trip time
Samples: 905, Minimum: 3988 usec, Maximum: 31554 usec,
Average: 10959 usec, Peak to peak: 27566 usec, Stddev: 3859 usec,
Sum: 9917737 usec

 

 

But I do not see the command "set routing-option static route 8.8.8.8/32 next-hop 10.10.10.2" executed.

 

root> show route protocol static

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)

inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

root>

 

1) What am I missing?

2) What is the 100 below? Is it in seconds?

set event-options policy A within 100

 

Thanks and have a nice weekend!!
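A corrected version of the policy from the post above, added here as an example and not from the original post: in Junos, execute-commands runs operational-mode commands only, so a "set ..." line there is never applied to the configuration; a configuration change needs the change-configuration action, and the hierarchy is named routing-options, not routing-option. Probe names and addresses are those from the post; the commit log string is a constructed placeholder.

```junos
## Added example, not from the original post. Names and addresses are taken
## from the post above; the commit log string is a constructed placeholder.

## RPM probe: mark PING-A-1 as failed after 3 consecutive lost pings.
set services rpm probe A test PING-A-1 probe-type icmp-ping
set services rpm probe A test PING-A-1 target address 10.10.10.1
set services rpm probe A test PING-A-1 test-interval 3
set services rpm probe A test PING-A-1 thresholds successive-loss 3

## Event policy. "within 100" is a window in seconds; "trigger on 1" fires the
## policy on the first matching ping_test_failed event inside that window.
set event-options policy A events ping_test_failed
set event-options policy A within 100 trigger on 1
set event-options policy A attributes-match ping_test_failed.test-owner matches A
set event-options policy A attributes-match ping_test_failed.test-name matches PING-A-1

## execute-commands only runs operational-mode commands, so the original
## "set routing-option ..." was never applied. change-configuration loads the
## listed set commands into the candidate configuration and commits them.
set event-options policy A then change-configuration commands "set routing-options static route 8.8.8.8/32 next-hop 10.10.10.2"
set event-options policy A then change-configuration commit-options log "PLACEHOLDER: route 8.8.8.8/32 via 10.10.10.2 installed by event policy A"
```

After the probe fails, `show route protocol static` should list 8.8.8.8/32 via 10.10.10.2, and the commit log entry appears in `show system commit`.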

Show chassis routing-engine command


Hi everyone

 

When we use the command shown below, we see "User". What does User mean below?

user@host> show chassis routing-engine

Routing Engine status:
    Temperature                 38 degrees C / 100 degrees F
    CPU temperature             36 degrees C / 96 degrees F
    Total memory               512 MB Max   435 MB used ( 85 percent)
      Control plane memory     344 MB Max   296 MB used ( 86 percent)
      Data plane memory        168 MB Max   138 MB used ( 82 percent)
    CPU utilization: User                       8 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  0 percent
      Idle                      88 percent

 

Thanks and have a nice weekend

SRX Per-unit-scheduling


I am having a bit of trouble replicating some original Cisco QoS configuration. I am in routed mode on the SRX.

 

In summary, I have a physical wan interface with multiple dot1q sub-interfaces which are on different units.

 

I want the QoS scheduling to apply to all of them as a whole. I also want the shaper to apply on the physical interface and not to the individual units.

 

Is there any way to achieve this? I am a bit new to Juniper, but I have noticed that this is possible on EX switches.

 

Many thanks
