
Routing-Instance and ISIS Routing


Hi all,

SRX1500

I have created two new VRs and also, thanks to Kingsman, enabled ISIS on these VRs with the following commands:

set routing-instances Customer-VR protocols isis interface ae2.0
set interfaces ae2 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0001.xxxx.xxxx.xxxx.00
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-type md5
set protocols isis level 1 authentication-key xxxxxxxx
set protocols isis level 2 authentication-key xxxxxxxx

I have also placed ae2 into the routing-instance.

But yet, I cannot get any ISIS routes to show in the routing tables....

I have configured ISIS on the second SRX that has no new defined routing-instance and it works fine.... with dual-stack.

Any help would be greatly appreciated.

Thanks


Fail-over to an alternate router


Two edge routers on the LAN. A primary SRX at 192.168.0.1 and the backup DSL router at 192.168.0.2.

I have ip-monitoring working so that on fail it inserts the route 0.0.0.0/0 -> 192.18.0.2, but none of the traffic ever reaches the backup router. I can ping from the router but none of the client traffic is making it back out.

I am guessing that the security zones aren't allowing the Internet-destined traffic back on the LAN interface to get over to the other router.

Not sure how or if I can configure this to work the way I would like it to.

Using vlan interface for source nat?


Hi,

Is it possible to use an l3-interface for source NAT? Kind of something like this...:

vlans {
    vlan-nat1 {
        vlan-id 30;
        l3-interface vlan.30;
    }
}
security {
    zones {
        security-zone nat1 {
            interfaces {
                vlan.30;
            }
        }
    }
    policies {
        from-zone trust1 to-zone nat1 {
            policy trust1-to-nat1 {
                match {
                    source-address trust1-subnets;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    nat {
        source {
            pool nat1-l3-interface {
                address 10.0.0.202/32;
            }
            rule-set trust1-to-nat1 {
                from zone trust1;
                to zone nat1;
                rule source-nat-rule1 {
                    match {
                        source-address 172.16.0.0/24;    # trust1 subnet
                    }
                    then {
                        source-nat {
                            pool {
                                nat1-l3-interface;
                            }
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-nat1;
                }
            }
        }
    }
    vlan {
        unit 30 {
            description nat1;
            family inet {
                address 10.0.0.202/24;
            }
        }
    }
}

Is it possible then to have traffic from trust1 going to nat1 be source NATed? This is just a rough example I typed out to get advice...

What would I need to do if I wanted to use ge-0/0/0 for source NAT like that with a VLAN interface (if it is even possible), but maybe also turn it into a trunk to allow the Comcast network to also pass through on another VLAN... if that makes any sense.

By the way, I couldn't get this to work... the only way I got source NAT to work from the 'trust1' subnets was to assign the interface as family inet and give it an IP address on the Comcast network, i.e. 10.0.0.202/24, instead of putting up an l3-interface vlan.30...

Two Residential circuits SRX failover solution? Possible?


I currently have 2 different ISP residential circuits and one SRX240 for when I work from home.

My goal is to utilize the 2 different carrier circuits for continuous connectivity and/or to separate traffic, if possible.

Since they are residential circuits the SRX receives a DHCP address, which it can hold forever as long as the device is on, which it is (with a UPS).

1. Can I have a failover solution for two ISPs on the same SRX device? (Let's say ISP A on ge0/0 and ISP B on ge0/1.)

2. Furthermore, can I route heavy traffic like streaming, music, games, etc. through one circuit and light traffic like VoIP, email and web through the other? (Let's say zones: Phone, Web, DMZ, LAN, Email.)

Any suggestions are greatly appreciated.

Thanks.


Need help understanding setup of EWF on SRX


Hello,

I am new here and new to the sophisticated router, our SRX320.

This may not be the correct forum to ask this, but I have limited knowledge of installing and configuring the UTM package that I purchased. Also, it was brought to my attention that the support is only break and fix, therefore Juniper does not help with setting up the device. I was told that Dell would assist you through the setup process, but I was told that the Juniper was a better product and had better support.

Any help would be greatly appreciated,

Thank You

CharlieC

Server Radius and Srx1400 problem with Pass-Through Authentication


Hi all, I'm going mad, I cannot authenticate users on the RADIUS server with pass-through authentication on my SRX1400 cluster.

Below are the configuration and some outputs.

Thanks in advance... if someone can help me!


me@JUNRM01> show configuration access  
profile PROFILO-RADIUS {
    authentication-order radius;
    radius-server {
        192.168.16.108 {
            secret "xxxxxxxxxxxxxx"; ## SECRET-DATA
            source-address 192.168.2.112;
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile PROFILO-RADIUS;
        http {
            banner {
                login "PREGO INSERIRE CREDENZIALI DI ACCESSO";
                success "LOGIN ESEGUITA";
                fail "NOME UTENTE O PASSWORD ERRATI";
-------------------------------------------------------------------

POLICY to be matched

match {
    source-address PC_MAT_MMARASSI_10.198.1.20;
    destination-address any;
    application [ junos-http junos-http-ext junos-https ];
    source-identity any;
}
then {
    permit {
        firewall-authentication {
            pass-through {
                access-profile PROFILO-RADIUS;
            }
        }
    }
    count;
}

sh log radius

Dec 29 14:43:39.914243 ###################################################################
Dec 29 14:43:39.914279 ########################### AUTH REQ RCVD #########################
Dec 29 14:43:39.914314 ###################################################################
Dec 29 14:43:39.914392 Auth-FSM: Process Auth-Request for session-id:9261371437884501280
Dec 29 14:43:39.914446 Framework: Starting authentication
Dec 29 14:43:39.914489 authd_advance_module_for_aaa_request_msg: result:0
Dec 29 14:43:39.914544 Authd module start
Dec 29 14:43:39.914582 authd_radius_start_auth: Starting RADIUS authentication
Dec 29 14:43:39.914696 authd_radius_build_basic_auth_request: got params  profile=PROFILO-RADIUS, username=mberardi
Dec 29 14:43:39.914743 radius-access-request: User-Name added: mberardi
Dec 29 14:43:39.914780 radius-access-request: User-Password added: ""
Dec 29 14:43:39.914852 Verify source address c0a80270 (192.168.2.112) in routing instance index=0
Dec 29 14:43:39.915223 REQUEST: AUTHEN - module_index 0 module(radius) return: ASYNC
Dec 29 14:43:39.915293 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
Dec 29 14:43:39.915346 UserAccess:mberardi session-id:9261371437884501280 state:start
Dec 29 14:43:39.992978 Radius result is CLIENT_REQ_STATUS_SUCCESS
Dec 29 14:43:39.993089 Framework - module(radius) return: FAILURE
Dec 29 14:43:39.993128 authd_advance_module_for_aaa_response_msg: result:3
Dec 29 14:43:39.993174  authd_auth_update_local_server_address :Searching access profile PROFILO-RADIUS for local DNS Server
Dec 29 14:43:39.993236 Auth-FSM: reinterpretFsmEvent 4 to 5
Dec 29 14:43:39.993284 AuthFsm::current state=AuthStart(1) event=5 astEntry=0x208806c aaa msg=0x1f1106c
Dec 29 14:43:39.993324 Auth-FSM: Post the Auth-Response and clean up. session-id:9261371437884501280
Dec 29 14:43:39.993372 UserAccess:mberardi session-id:9261371437884501280 access-denied
Dec 29 14:43:39.993429 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
Dec 29 14:43:39.993479 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 60
Dec 29 14:43:39.993574 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 62
Dec 29 14:43:39.993623 Framework: auth result is 2. Performing post-auth operations
Dec 29 14:43:39.993661 Framework: result is 2.
Dec 29 14:43:39.993703 authd_auth_send_answer: conn=2d3e000, reply-code=2 (FAIL), result-subopcode=2 (SESSION_ACTIVATE), sub-id=9261371437884501280, cookie=44, rply_len=3972, num_tlv_blocks=0
Dec 29 14:43:39.993790 Delete session:9261371437884501280
Dec 29 14:43:39.993842 Subscriber session-id:9261371437884501280 not found
Dec 29 14:43:39.993886 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
Dec 29 14:43:39.993934 UserAccess:mberardi session-id:9261371437884501280 state:log-out
Dec 29 14:43:39.994029 Removing client snapshot
Dec 29 14:43:39.994197 authd_auth_aaa_msg_destroy
Dec 29 14:43:39.994253 authd_auth_aaa_msg_destructauth_aaa_msg: 0x1f1106c
Dec 29 14:43:39.994294 authd_write_conn: response is 0x2d3e05c, total len is 3972 and sent is 0
Dec 29 14:43:39.994370 authd_write_conn: response is 0x2d3e05c, wrote 3972 bytes
Dec 29 14:43:40.098675 serviceRadiusRequestQueues Serviced 1 RADIUS requests
Dec 29 14:43:40.098792 serviceRadiusRequestQueues Queue PROFILO-RADIUS has 0 requests, peak is 0

show network-access aaa radius-servers

Profile: PROFILO-RADIUS
    Server address: 192.168.16.108
      Authentication port: 1812
      Accounting port: 1813
      Status: UP


How to limit download and upload speeds on Juniper SRX100


Hello everyone,
How can I limit download and upload speed on Juniper SRX100? I am trying to limit the download speed for all connected devices to about 20-25 Mbps and limit the upload speed to about 3-4 Mbps. I read that some people do it with firewall and whatnot but I am not sure how I can do it myself. Please help thank you!

SRX1500 Using DHCP Services for multiple VLAN along with all other functionality


Hi Guys,

Can someone please guide me regarding the following scenario.

I have been asked to use the SRX1500 for DHCP services for multiple VLANs. When doing so I have to make a trunk connection to pass VLAN-tagged packets between the core switch and the firewall. This results in the firewall using an L2 interface and hence moving to transparent mode.

Upon inspecting the following page:

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-mixed-mode-understanding.html

It is evident from:

Table 2: Security Features Supported in Mixed Mode (Transparent and Route Mode)

Mode Type: Mixed mode
  Supported:
    • Application Layer Gateways (ALGs)
    • Firewall User Authentication (FWAUTH)
    • Intrusion Detection and Prevention (IDP)
    • Screen
    • AppSecure
    • Unified Threat Management (UTM)
  Not Supported: (none listed)

Mode Type: Route mode (Layer 3 interface)
  Supported:
    • Network Address Translation (NAT)
    • VPN
  Not Supported: (none listed)

Mode Type: Transparent mode (Layer 2 interface)
  Supported: (none listed)
  Not Supported:
    • Network Address Translation (NAT)
    • VPN
    • Unified Threat Management (UTM)

that Route mode is the optimal mode for using all SRX features such as NAT, VPN and UTM.

Therefore, is it okay to conclude that DHCP services for multiple VLANs cannot be deployed on the SRX if route mode is the preferred mode?

Your prompt feedback is much appreciated.

Regards,

Mannan
System Engineer
JNCIS-SP, SEC, Ingenious Champion Service Provider.



SRX1400 new installation


I have a new installation of two SRX1400s. I am trying to configure HA but I am facing some problems:

HA amber light

Cannot reach reth0 and reth1 by ping or HTTP.

{primary:node0}
admin@CIG-HQ-FW> show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring

Cluster ID: 2
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 100 primary no no None
node1 1 secondary no no None

Redundancy group: 1 , Failover count: 1
node0 0 primary no no IF CS
node1 0 secondary no no IF SP CS HW
{primary:node0}
admin@CIG-HQ-FW> show system alarms
node0:
--------------------------------------------------------------------------
2 alarms currently active
Alarm time Class Description
2018-01-01 09:48:08 UTC Minor IDP Signature usage requires a license
2018-01-01 08:11:13 UTC Major Host 0 fxp0 : Ethernet Link Down

node1:
--------------------------------------------------------------------------
3 alarms currently active
Alarm time Class Description
2018-01-01 10:34:16 UTC Minor IDP Signature usage requires a license
2018-01-01 09:03:25 UTC Major Host 0 fxp0 : Ethernet Link Down
{primary:node0}
admin@CIG-HQ-FW> show chassis alarms
node0:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time Class Description
2018-01-01 08:11:13 UTC Major Host 0 fxp0 : Ethernet Link Down

node1:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time Class Description
2018-01-01 12:19:06 UTC Major Host 0 fxp0 : Ethernet Link Down

this is my configuration:

{primary:node0}
admin@CIG-HQ-FW> show configuration
## Last commit: 2018-01-01 09:44:27 UTC by admin
version 12.3X48-D30.7;
groups {
    node0 {
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.100.100/32;
                    }
                }
            }
        }
    }
    node1 {
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.100.100/32;
                    }
                }
            }
        }
    }
}
system {
    host-name CIG-HQ-FW;
    root-authentication {
        encrypted-password "$1$dZJ8pLjI$ZyoWOqn78ILIZsYdR3CRC/"; ## SECRET-DATA
    }
    login {
        user admin {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$jzdnN6Hx$NDCg8NBUTMfReWiJCccaY."; ## SECRET-DATA
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 16;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-2/0/0 weight 255;
                ge-2/0/1 weight 255;
                ge-6/0/0 weight 255;
                ge-6/0/1 weight 255;
            }
        }
    }
}
security {
    idp {
        security-package {
            url https://services.netscreen.com/cgi-bin/index.cgi;
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                reth0.0;
            }
        }
        security-zone trust {
            interfaces {
                reth1.0;
            }
        }
    }
}
interfaces {
    ge-2/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-2/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-6/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-6/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/6;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-4/0/6;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.10.10.200/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}

{primary:node0}
admin@CIG-HQ-FW>
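A small decoder for the "show chassis cluster status" output quoted in this post, written as an added example (it is not from the post or from Juniper): it reads the Monitor Failure code legend the command itself prints and expands the two-letter codes on each redundancy-group row into their names, so a row such as "IF SP CS HW" can be read without the legend. The sample text is copied from the post above; nothing else is assumed.

```python
import re

# Sample "show chassis cluster status" output, copied from the SRX1400 post.
CLUSTER_STATUS = """\
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring

Cluster ID: 2
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 100 primary no no None
node1 1 secondary no no None

Redundancy group: 1 , Failover count: 1
node0 0 primary no no IF CS
node1 0 secondary no no IF SP CS HW
"""

# Legend entries look like "IF Interface monitoring", two per line.
LEGEND_RE = re.compile(r"\b([A-Z]{2}) ([\w ]+?) monitoring")
GROUP_RE = re.compile(r"^Redundancy group:\s*(\d+)")
ROW_RE = re.compile(r"^(node\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_legend(text):
    """Map each two-letter failure code to its name, using the output's own legend."""
    return {code: name for code, name in LEGEND_RE.findall(text)}


def decode_cluster_status(text):
    """Return {(redundancy_group, node): {priority, status, failures}} with
    the Monitor-failures column expanded to the legend names."""
    legend = parse_legend(text)
    result = {}
    rg = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            rg = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m and rg is not None:
            node, prio, status, _preempt, _manual, failures = m.groups()
            codes = [] if failures.strip() in ("", "None") else failures.split()
            result[(rg, node)] = {
                "priority": int(prio),
                "status": status,
                # Unknown codes are kept verbatim rather than dropped.
                "failures": [legend.get(c, c) for c in codes],
            }
    return result


def ineligible_nodes(status):
    """(rg, node) pairs whose priority has been driven to 0, i.e. the group's
    monitoring on that node has failed and it cannot win a failover."""
    return sorted((rg, node) for (rg, node), v in status.items() if v["priority"] == 0)


if __name__ == "__main__":
    for key, v in sorted(decode_cluster_status(CLUSTER_STATUS).items()):
        print(key, v["priority"], v["status"], ", ".join(v["failures"]) or "-")
```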

AWS VPN Connects but no traffic


Hi

I have set up a VPN using the guide supplied by Amazon for the SRX. All went OK and it's showing as connected in the AWS console. But traffic is not flowing either way. When I try to ping the inside tunnel from the SRX I get no response. I've followed the troubleshooting guide in the link below and all checks out until the ping test, where it fails.

http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper_Troubleshooting.html

Please see the extract from my config of the settings I added. One thing I did notice is that there is no global policy they tell you to set for the VPN; do I need this, as I thought I would? How can I troubleshoot further?

security {
    ike {
        proposal ike-prop-vpn-c0e245fn-1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        proposal ike-prop-vpn-c0e245fn-2 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy ike-pol-vpn-c0e245fn-1 {
            mode main;
            proposals ike-prop-vpn-c0e245fn-1;
            pre-shared-key ascii-text "dfhsthjrthrthjrtj"; ## SECRET-DATA
        }
        policy ike-pol-vpn-c0e245fn-2 {
            mode main;
            proposals ike-prop-vpn-c0e245fn-2;
            pre-shared-key ascii-text "ytkruktilktkty"; ## SECRET-DATA
        }
        gateway gw-vpn-c0e245fn-1 {
            ike-policy ike-pol-vpn-c0e245fn-1;
            address 34.222.89.23;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            no-nat-traversal;
            external-interface reth0.0;
        }
        gateway gw-vpn-c0e245fn-2 {
            ike-policy ike-pol-vpn-c0e245fn-2;
            address 52.212.76.86;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            no-nat-traversal;
            external-interface reth0.0;
        }
    }
    ipsec {
        proposal ipsec-prop-vpn-c0e245fn-1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        proposal ipsec-prop-vpn-c0e245fn-2 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-pol-vpn-c0e245fn-1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-vpn-c0e245fn-1;
        }
        policy ipsec-pol-vpn-c0e245fn-2 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop-vpn-c0e245fn-2;
        }
        vpn vpn-c0e245fn-1 {
            bind-interface st0.2;
            df-bit clear;
            ike {
                gateway gw-vpn-c0e245fn-1;
                ipsec-policy ipsec-pol-vpn-c0e245fn-1;
            }
        }
        vpn vpn-c0e245fn-2 {
            bind-interface st0.3;
            df-bit clear;
            ike {
                gateway gw-vpn-c0e245fn-2;
                ipsec-policy ipsec-pol-vpn-c0e245fn-2;
            }
        }
    }
    zones {
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    https;
                    ssh;
                    ping;
                }
                protocols {
                    bgp;
                }
            }
            interfaces {
                st0.2;
                st0.3;
            }
        }
    }
}

interfaces {
    st0 {
        unit 2 {
            family inet {
                mtu 1436;
                address 169.241.11.123/30;
            }
        }
        unit 3 {
            family inet {
                mtu 1436;
                address 169.241.11.170/30;
            }
        }
    }
}

protocols {
    bgp {
        group ebgp {
            type external;
            neighbor 169.241.11.212 {
                hold-time 30;
                export EXPORT-DEFAULT;
                peer-as 9059;
                local-as 65000;
            }
            neighbor 169.241.11.169 {
                hold-time 30;
                export EXPORT-DEFAULT;
                peer-as 9059;
                local-as 65000;
            }
        }
    }
    l2-learning {
        global-mode switching;
    }
}

SRX1500 Expansion slots


Hi,

Easy question to answer, I expect:

The SRX1500 has 2 expansion slots on the front. Are these slots capable of taking 10G expansion modules, please?

Thanks

VR - Routing-Instance and ISIS NET address lo0 issue


Hi,

I'm having another issue with regards to ISIS routing and multiple VRs on the SRX1500s we are using.

On one SRX1500 I have created 2 x VRs....... The issue is that lo0.10 holds the NET address for ISIS and Juniper will only allow me to enter that interface under one VR instance and not two. The issue now is that the second interface is not being advertised. Below is the configuration I have used, and I'm hoping that someone can offer an idea of how to achieve this (route leaking etc. etc.):


set interfaces ge-0/0/2 unit 0 family inet address xxx.xxx.xxx.xxx/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127

set interfaces lo0 unit 0 family inet address xxx.xxx.xxx.xxx/32
set interfaces lo0 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
set interfaces lo0 unit 10 family iso address 49.0001.xxxx.xxxx.xxxx.00

set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
set interfaces ae2 unit 0 family inet address xxx.xxx.xxx.xxx/30
set interfaces ae2 unit 0 family iso
set interfaces ae2 unit 0 family inet6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/127

set security zones security-zone NineGroup-DMZ host-inbound-traffic system-services all
set security zones security-zone NineGroup-DMZ host-inbound-traffic protocols all
set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network host-inbound-traffic protocols all
set security zones security-zone Customer-Network interfaces ae2.0

set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit

set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR interface lo0.10
set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$29gGiPfz6CuQFu1EyW8VwYgZUik.5z3"
set routing-instances Customer-VR protocols isis level 1 authentication-type md5
set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$lOzeLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
set routing-instances Customer-VR protocols isis level 2 authentication-type md5
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances Customer-VR protocols isis interface lo0.10
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis level 1 authentication-key "$9$Ac7/t1heK87dsWLs4JDmPn/CtBIhSrv8X"
set routing-instances NineGroup-VR protocols isis level 1 authentication-type md5
set routing-instances NineGroup-VR protocols isis level 2 authentication-key "$9$Woo8-woaUH.5GD5F6A1IlKM8NdwYgJUj"
set routing-instances NineGroup-VR protocols isis level 2 authentication-type md5
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0

So, I need to be able to advertise both VR instances into the ISIS routing tables...

Thanks


What is the difference between SmallCell/FemtoCell/PicoCell when the SRX acts as SecGw?

Is there a lockout period for "root" user in SRX650


My firmware version for the SRX650 is 12.1X46-D50.4

I would like to know if there's a lockout period for the "root" user after multiple incorrect password entries?

If "Yes" and it is part of the configuration defined for the device, please advise the line which defines that.

Many thanks,

VBK

Prioritize voice traffic over other on the same IPSec VPN tunnel


Hi,

Is there a way to prioritize voice traffic over the rest of the traffic on a route-based IPsec VPN tunnel for SRX firewalls?

Where can I find some configuration examples and some documentation related to that?

Thank you,

tcp


SRX 5600 and 5800 Difference in Session Count


We recently upgraded our gateway firewall from an SRX5600 to an SRX5800 firewall and, with no increase in traffic, we have noticed that the total CP session count has almost doubled. Is there a difference between the way the SRX5600 and SRX5800 record their sessions?


> show snmp mib walk jnxJsSPUMonitoringCurrentTotalSession
jnxJsSPUMonitoringCurrentTotalSession.0 = 62514477

IDP/IPS configured, But traffic table is not showing any log attacks.


I have applied this config for IDP:

set security idp idp-policy base-policy rulebase-ips rule R1 match from-zone trust to-zone untrust source-address any destination-address any application default
set security idp idp-policy base-policy rulebase-ips rule R1 match attacks predefined-attack-groups "SSH-All"
set security idp idp-policy base-policy rulebase-ips rule R1 then action drop-connection
set security idp idp-policy base-policy rulebase-ips rule R1 then notification log-attacks alert
set security idp idp-policy base-policy rulebase-ips rule R1 then severity critical
set security idp active-policy base-policy

Once I apply the command

show security idp attack table

it doesn't show me any output, even while I am attempting SSH from untrust.

Is there any mistake that I am making in this config? The IDP/IPS licence is installed as well.


Routing-instance and ISIS


Hi,

I realise this is a copy of my last question, but that's because I now have 2 working LNS and can concentrate on this ISIS issue...

So, on the last question, the last recommendation was to create a policy. Here is the configuration I have on the SRX currently, which as far as I can see should work:

set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR interface lo0.10
set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$iHfz9Cu1Eyp0yKWxwsZUjHP5z36AuO"
set routing-instances Customer-VR protocols isis level 1 authentication-type md5
set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$3DmzntOhclMLNreNbYoji5QFnApO1RSlK"
set routing-instances Customer-VR protocols isis level 2 authentication-type md5
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances Customer-VR protocols isis interface lo0.10

set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR interface lo0.20
set routing-instances NineGroup-VR protocols isis export from_customer_to_ninegroup
set routing-instances NineGroup-VR protocols isis level 1 authentication-key "$9$kqT3AtORcl0BlMLNY2UjHq5Q369pO1"
set routing-instances NineGroup-VR protocols isis level 1 authentication-type md5
set routing-instances NineGroup-VR protocols isis level 2 authentication-key "$9$5T6AB1hrK8Ec87dsJZqmfTn/Ap0IhS"
set routing-instances NineGroup-VR protocols isis level 2 authentication-type md5
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis interface lo0.20

set interfaces lo0 unit 0 family inet address 195.80.0.6/32
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0006.00
set interfaces lo0 unit 0 family inet6 address 2a05:d840:001c:ffff:ffff:ffff:0000:0001/128
set interfaces lo0 unit 10 family iso address 49.0001.1950.0080.0026.00
set interfaces lo0 unit 20 family iso address 49.0001.1950.0080.0016.00

set interfaces ae2 unit 0 description To-HEX-CORE-02-ae2
set interfaces ae2 unit 0 family inet address 195.80.0.33/30
set interfaces ae2 unit 0 family iso
set interfaces ae2 unit 0 family inet6 address 2a05:d840:0048:ffff:ffff:ffff:0000:0002/127

set interfaces ge-0/0/2 unit 0 description To-HEX-RADIUS-SERVER
set interfaces ge-0/0/2 unit 0 family inet address 195.80.0.53/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family inet6 address 2a05:d840:004d:ffff:ffff:ffff:0000:0001/127

set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit
set security zones security-zone NineGroup-DMZ host-inbound-traffic system-services all
set security zones security-zone NineGroup-DMZ host-inbound-traffic protocols all
set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network host-inbound-traffic protocols all
set security zones security-zone Customer-Network interfaces ae2.0

I also created a policy-statement as follows and placed it within the NineGroup-VR:

set policy-options policy-statement from_customer_to_ninegroup term 1 from rib Customer-VR.inet.0
set policy-options policy-statement from_customer_to_ninegroup term 1 then accept
set routing-instances NineGroup-VR protocols isis export from_customer_to_ninegroup

This makes no difference at all. I have also tried with the interface as the "from" and also the "protocol" as the "from", all with no success....

I am really stuck on this and you guys are my last resort, as I really cannot find anything, even on the Juniper website, on how to complete this...

Thank you

How to limit download and upload speeds on Juniper


Hello Everyone,

I am trying to limit the download and upload speed for all clients using Ethernet (more than 30). How can I do it with the CLI editor or with the point-and-click CLI? I am sorry, I am new to this and I am kind of lost. I attached the DHCP pool information and an example of how many IP addresses I have got.

I am sorry, I am new to this and this is really confusing me.

Thanks in advance.

[Attachments: Capture0.PNG, Capture1.PNG]

SRX300 DHCP wrong address when moving clients between vlans


I'm experiencing an issue with my SRX300 where the DHCP service serves an incorrect IP address on an interface.

The config of the device (trimmed down):


version 15.1X49-D110.4;
system {
    services {
        dhcp-local-server {
            group vlan10 {
                interface irb.10;
            }
            group vlan20 {
                interface irb.20;
            }
            group vlan122 {
                interface irb.122;
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                irb.10 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                        }
                    }
                }
                irb.20 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                        }
                    }
                }
                irb.122 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client {
                    update-server;
                }
            }
        }
    }
    ge-0/0/4 {
        native-vlan-id 10;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members 10;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ 10 20 122 ];
                }
            }
        }
    }
    irb {
        unit 10 {
            family inet {
                address 192.168.10.1/24;
            }
        }
        unit 20 {
            family inet {
                address 192.168.20.1/24;
            }
        }
        unit 122 {
            family inet {
                address 192.168.122.1/24;
            }
        }
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
}
access {
    address-assignment {
        pool p10 {
            family inet {
                network 192.168.10.0/24;
                range r10 {
                    low 192.168.10.2;
                    high 192.168.10.254;
                }
                dhcp-attributes {
                    router {
                        192.168.10.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
        pool p20 {
            family inet {
                network 192.168.20.0/24;
                range r20 {
                    low 192.168.20.2;
                    high 192.168.20.254;
                }
                dhcp-attributes {
                    router {
                        192.168.20.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
        pool p122 {
            family inet {
                network 192.168.122.0/24;
                range r122 {
                    low 192.168.122.10;
                    high 192.168.122.254;
                }
                dhcp-attributes {
                    router {
                        192.168.122.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
vlans {
    guest {
        vlan-id 20;
        l3-interface irb.20;
    }
    home {
        vlan-id 10;
        l3-interface irb.10;
    }
    mgmt {
        vlan-id 122;
        l3-interface irb.122;
    }
}

 

Interface ge-0/0/4 is connected to an unmanaged switch.

One client on interface ge-0/0/4 (which is configured as vlan 10 only) has an ip address of the pool of vlan 122:

 

> show dhcp server binding
IP address    Session Id    Hardware address    Expires    State    Interface
192.168.10.8    6    ##:##:##:##:##:##    81433    BOUND    irb.10
192.168.10.6    4    ##:##:##:##:##:##    53298    BOUND    irb.10
192.168.122.12    23    ##:##:##:##:##:##    53428    BOUND    irb.122
192.168.10.10    8    ##:##:##:##:##:##    63668    BOUND    irb.10
192.168.10.21    21    ##:##:##:##:##:##    64474    BOUND    irb.10
192.168.10.7    5    ##:##:##:##:##:##    53284    BOUND    irb.10
192.168.10.12    11    ##:##:##:##:##:##    83031    BOUND    irb.10
192.168.10.3    14    ##:##:##:##:##:##    78047    BOUND    irb.10
192.168.122.14    38    ##:##:##:##:##:##    86281    BOUND    irb.10

I'm not 100% sure, but I think that this happens when the client is connected to VLAN 122 and receives its IP address from the DHCP server and is then connected to VLAN 10.

In other words it seems that the IP address assigned to a MAC address on one VLAN follows that MAC address across VLANs.

On the client (Windows machine) I can verify that the address 192.168.122.14 was assigned by DHCP server 192.168.10.1.

Is this an issue with my configuration?
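The check the poster did by eye, as an added example that is not part of the post: parse "show dhcp server binding" output and flag every lease whose address is outside the subnet of the IRB interface it is bound on, using the irb unit addresses from the trimmed config above. The binding sample is a constructed subset of the table in the post (the MAC addresses were already masked there).

```python
import ipaddress

# IRB unit addresses from the post's "interfaces { irb { ... } }" stanza,
# keyed by the interface name the binding table reports.
IRB_SUBNETS = {
    "irb.10": ipaddress.ip_interface("192.168.10.1/24").network,
    "irb.20": ipaddress.ip_interface("192.168.20.1/24").network,
    "irb.122": ipaddress.ip_interface("192.168.122.1/24").network,
}

# Constructed sample: a subset of the "show dhcp server binding" rows in the post.
BINDING_OUTPUT = """\
IP address    Session Id    Hardware address    Expires    State    Interface
192.168.10.8    6    ##:##:##:##:##:##    81433    BOUND    irb.10
192.168.122.12    23    ##:##:##:##:##:##    53428    BOUND    irb.122
192.168.10.3    14    ##:##:##:##:##:##    78047    BOUND    irb.10
192.168.122.14    38    ##:##:##:##:##:##    86281    BOUND    irb.10
"""


def parse_bindings(text):
    """Return (ip, session_id, mac, expires, state, interface) per data row;
    the header, blank lines and anything that is not a 6-column row are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, sid, mac, expires, state, ifl = fields
        try:
            rows.append((ipaddress.ip_address(ip), int(sid), mac, int(expires), state, ifl))
        except ValueError:
            continue  # header or malformed line
    return rows


def find_cross_vlan_bindings(text, subnets=IRB_SUBNETS):
    """Leases whose address does not belong to the subnet of the interface they
    are bound on. A lease on an interface missing from the map is reported too,
    since the check cannot vouch for it."""
    anomalies = []
    for ip, sid, mac, expires, state, ifl in parse_bindings(text):
        net = subnets.get(ifl)
        if net is None or ip not in net:
            anomalies.append({
                "ip": str(ip),
                "session": sid,
                "interface": ifl,
                "expected": str(net) if net is not None else "unknown interface",
            })
    return anomalies


if __name__ == "__main__":
    for a in find_cross_vlan_bindings(BINDING_OUTPUT):
        print(f"{a['ip']} bound on {a['interface']} but expected {a['expected']} (session {a['session']})")
```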
