Channel: SRX Services Gateway topics

Why to Use of Proxy-identity in VPN?


Hello everyone,

I just want to know why we use Proxy-identity (local/remote) in VPN? In our design, earlier we were configuring VPNs without Proxy-identities, but after using NAT in our environment, the vendor has configured all the VPNs with Proxy-identities, whether using NAT or not. Is this something related to or necessary with NAT, or does it have nothing to do with it? Now I have a habit of configuring every VPN with a proxy-identity, but I can't explain to someone why I did this.


srx chassis cluster and ex virtual chassis


Dear All

What is the best practice recommendation for connecting an SRX chassis cluster (active/standby) with an EX virtual chassis in a Layer 3 deployment?

I am thinking about 2 interfaces in each node as members of 1 reth interface with the LACP active option in the chassis cluster, and 2 interfaces in each switch as members of 2 ae interfaces, which are members of an L3 VLAN in the virtual chassis.


Please kindly advise.

Packet loss from a source to a destination on SRX240


A Juniper SRX240 that collects multiple VPNs and forwards them to an output port was found to have packet loss.

Example: sequenced packets from interface ge-0/0/0.00 are routed to output ge-0/0/12.0, but certain packets were found missing.

How do I configure RPM services, or SNMP traps, to troubleshoot the issue?

How to monitor RTP traffic on interface


Hi

 

I need the ability to monitor RTP traffic, ideally via SNMP. I already do this for traffic as a whole, but I would like to specifically monitor RTP traffic so I know how much bandwidth my VoIP servers are using. What is the best way to do this with minimal impact on performance? Using some type of jflow solution?

 

Thanks

SRX - Configure SMTP for Health Monitoring


Hello,

 

I want to configure an email redirection for monitoring my SRX devices (SRX 240h & SRX4100). But the only thing I can configure is the email server.

We don't use the UTM feature, but this is the only place I have found for further email configuration.

 

The goal is to generate an email for:

- warnings / critical alarms

- changing the redundancy groups (Chassis Cluster)

- disconnected interfaces and so on.

 

Is there any chance to configure this?

 

Juniper SRX 210 Dynamic VPN not connecting and Pulse client stuck on "Connecting" with no errors


Hello,

 

I am at a loss on this one. I have configured it via the CLI and the wizard, and have confirmed the configuration many times over. I downloaded the Pulse client directly from the SRX device.

 

Model: srx210he2

JUNOS Software Release [12.1X44-D20.3]

JunOS Pulse client: 4.0.2

 

I see traffic being allowed in the firewall log, but I do not see any information in the kmd logs when I enable traceoptions for IPsec and IKE. There are no entries for inactive sessions either. I see the 3-way handshake in Wireshark on the local machine I am trying to connect with. Dst port is 443 and src is a random port. I know that the Dynamic VPN tunnel should be using port 4500. The Pulse client doesn't seem to be getting an IP address, but DHCP is enabled and Proxy ARP is enabled on the DHCP interface.

 

Not sure at this point what to try next. I haven't found any links on the web about bugs with my particular Junos version and SRX model when dealing with Dynamic VPN.

 

Config attached.

 

Any sort of assistance or direction would be appreciated.

Session Timeout error??


Hello, we have an SRX running Junos 15.1X49-D50.3 and we are having a strange timeout issue. Attached is a log showing a session from a client A.A.A.A to server Z.Z.Z.Z with the default session timeout of 1800 seconds.

 

This session is a client accessing SolarWinds, and the timeout value ticks down as expected; when the SolarWinds screen is refreshed or another section accessed, the timeout value for the session is reset and once again starts to count down.

 

However, if the session is just left open with no activity, the timeout seems to count down and then drastically drops and is finally cleared out of the session table. I attach a sample output showing this; you will see the last session ID 2008402 has gone from 1704 seconds to 150 seconds in an instant, then it drops out completely. If after the drop-out I refresh the SolarWinds screen, then I see new session IDs...

 

Can anyone advise what the cause of this is? We are having issues with some applications and I want to rule this in or out as a cause.

 

Thanks

 

Ryan

Packet mode to flow mode compatibility and configuration converter


Hi,

We have two SRX240H2 configured in packet mode. There are 15 VRFs and 14 VRRP instances (multiple units configured under the ge-0/0/2 interface) configured. Please find below the memory and CPU utilization status.

memory and CPU utilization

1) If I configure this device in flow mode, will it work?

2) How do I configure multiple units under a single reth interface?

3) Is there any tool to convert a packet-based configuration into flow mode?

Thank you....

Session timeout SRX1500 to ISG2000


Hello experts,

We have a design which involves an IPsec VPN between an SRX1500 firewall and a Juniper NetScreen ISG2000. There are multiple LANs behind the SRX1500 and a single LAN behind the ISG2000. Traffic selectors have been configured on the SRX with a single tunnel interface, while multiple Proxy-IDs are configured on the ISG2000, also with a single tunnel interface.

Now, sometimes one of the LANs is inaccessible while the other LANs are accessible at the same time. How should I diagnose this? Please help me out.

Dynamic VPN with NCP remote client


Hello,

I get this error on the NCP gateway when I try connecting the NCP remote client to an SRX acting as the VPN gateway:

VPN error: RECVG-MSG2-AGGR-PSK -> invalid preshared key

I changed the preshared-key on both sides, i.e. the SRX gateway and the NCP client, several times, but it still doesn't successfully connect.

VPN With Mac Computers


Is there a good solution to using Mac with a VPN on the SRX or should I look elsewhere for a VPN solution?

Fabric link failure and RG0


Is there a way to have the secondary node for RG0 go into an ineligible/disabled state when a fabric link failure happens?

Network not advertising after policy put in place


Hi,

 

I have probably missed something simple here. 

I have a network attached to port ge-0/0/8 and have placed a static route pointing to the port for the network. I have also placed this in IS-IS, as per other devices off ports that work, and have created a policy. But it is advertising to the default, which then loops from one core to the other (due to the iBGP route)... it should be being advertised correctly.... Here is the config:

 

set routing-instances netopstest2 instance-type virtual-router
set routing-instances netopstest2 interface lt-0/0/0.9
set routing-instances netopstest2 interface ge-0/0/8.0
set routing-instances netopstest2 interface lo0.50
set routing-instances netopstest2 protocols isis export export_statics
set routing-instances netopstest2 protocols isis level 1 authentication-key "$9$KZDvxd2gJDHmaZmTF/0OSrevX7dbs4JG"
set routing-instances netopstest2 protocols isis level 1 authentication-type md5
set routing-instances netopstest2 protocols isis level 2 authentication-key "$9$g54UHf5F/A0z30Ihr8Lbs24GDHqmTFn"
set routing-instances netopstest2 protocols isis level 2 authentication-type md5
set routing-instances netopstest2 protocols isis interface lt-0/0/0.9
set routing-instances netopstest2 protocols isis interface ge-0/0/8.0
set routing-instances netopstest2 protocols isis interface lo0.50

 

set routing-options static route 192.168.10.0/24 next-hop 192.168.10.210

set policy-options policy-statement export_statics term 1 from protocol static
set policy-options policy-statement export_statics term 1 then accept

 

set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match source-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match destination-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match application any
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve then permit

set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest match source-address any
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest match destination-address any
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest match application any
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest then permit
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match source-address any
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match destination-address any
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match application any
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 then permit

 

If anything else is required then please let me know....

SSH Access to SRX1500


Hi,

 

I have checked everything before posting this question (unlike my last one which I apologise for)....

 

I am trying to enable SSH access to an SRX1500. I have no use for the trust zone as I have created 4 x routing-instances..... This may be a trust zone issue, but I am unsure....

 

I am entering via an instance named "netopstest2". I have configured the following:

 

set system services ssh

set security address-book global address netopstest2-network 192.168.10.0/24

set security address-book global address-set Cust-to-dmz-bidirectional address netopstest2-network

 

set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match source-address any
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match destination-address any
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match application any
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 then permit
set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 match source-address any
set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 match destination-address any
set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 match application any
set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 then permit

 

set security zones security-zone netopstest2 host-inbound-traffic system-services all
set security zones security-zone netopstest2 host-inbound-traffic protocols all
set security zones security-zone netopstest2 interfaces ge-0/0/8.0 host-inbound-traffic system-services ssh
set security zones security-zone netopstest2 interfaces lt-0/0/0.9

set interfaces ge-0/0/8 unit 0 family inet address 192.168.10.210/24
set interfaces ge-0/0/8 unit 0 family iso

 

set routing-instances netopstest2 instance-type virtual-router
set routing-instances netopstest2 interface lt-0/0/0.9
set routing-instances netopstest2 interface ge-0/0/8.0
set routing-instances netopstest2 interface lo0.50
set routing-instances netopstest2 protocols isis export export_statics
set routing-instances netopstest2 protocols isis level 1 authentication-key "$9$KZDvxd2gJDHmaZmTF/0OSrevX7dbs4JG"
set routing-instances netopstest2 protocols isis level 1 authentication-type md5
set routing-instances netopstest2 protocols isis level 2 authentication-key "$9$g54UHf5F/A0z30Ihr8Lbs24GDHqmTFn"
set routing-instances netopstest2 protocols isis level 2 authentication-type md5
set routing-instances netopstest2 protocols isis interface lt-0/0/0.9
set routing-instances netopstest2 protocols isis interface ge-0/0/8.0
set routing-instances netopstest2 protocols isis interface lo0.50

 

Any ideas why I cannot get SSH access please?

 

Thanks

Access between Security Zones


 

Dear Forum

 

I'm going nuts with my problem. Maybe you can give me some hints.
We use an SRX 340 (15.1X49-D120.3).
There are the Internal security zone (irb.10) and the Wlan security zone (irb.20).
From the Wlan security zone we want to access just one server in the Internal security zone.

I created a policy to allow that traffic.
I had in mind that I must also allow host-inbound traffic on the Internal zone (I set it to all) and not NAT the traffic.

The problem is that I can't access that host (I can't even ping it).

Config you'll find in the attachment.

 

Many thanks for your help!

Rocksteady


How to redirect a server to another Internet link


Hi everyone.

 

I would like some help to redirect a server in my Company to another Internet link, in a different physical location, interconnected by two SRX240.

 

I'll try to explain below, and post a picture of my topology, as follows:

 

1) My Company has two site locations where "SITE A" is the office building and "SITE B" is the data center (image attached).

2) Each one has an Internet link with a different valid public IP address, assigned by two different ISPs.

3) The buildings are connected by a radio link and there are two Juniper SRX240s, one at each point, managing all the LAN traffic.

 

Due to technical problems, the Link2 (on the "SITE B") is offline and there's no deadline from the ISP to fix it.

 

What I want is to redirect the server in the 172.20.2.0/24 LAN to use the Internet link in "SITE A". Both SRX240s are communicating with each other, and the LANs too.

 

How can I accomplish this?

 

Thanks in advance.

SRX340 - JSRPD log to Syslog to troubleshoot HA Cluster Instability


Hi All, 


Looking for some assistance with a pair of Juniper SRX 340s configured in HA Active/Passive mode.

 

Trying to troubleshoot the instability, where node1 drops out of the cluster with the following error:

 

Successfully sent jnxJsChClusterIntfTrap trap with severity minor to inform that Control link -  fxp1 state changed from UP to DOWN on cluster 1; reason: missed heartbeats

 

To assist, I would like to ship the JSRPD log off to a syslog server to analyse it off the device in real time.

I am struggling to find out how to ship just the JSRPD log by itself, without the rest of the "any any" or other category logging.

 

Does anyone know how this can be achieved?

 

Any assistance would be greatly appreciated.


Kind regards, 

 

Liam
openvpn blocked by IDP


Hi,

We have an SRX340 with the latest Junos and IDP signature update. If I enable IDP on the security policy, then it blocks OpenVPN client traffic.

If I disable IDP on the security policy, then OpenVPN works fine.

Kindly suggest how to check the logs of blocked applications/ports on the SRX and how to apply an exception for a specific application/port.

Thank you...

Management using fxp0 only


Are there any issues with using fxp0 only for management of an SRX? Are there any limitations in regards to SNMP, NTP, etc.?

L2 channel errors between SRX550 and EX4200


Hi,

 

admin@SRX550-DC-SH> show interfaces ge-0/0/1 extensive | match "L2 channel errors:" | refresh 5
---(refreshed at 2018-02-18 10:26:29 UTC)---
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 9700, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
---(refreshed at 2018-02-18 10:26:34 UTC)---

 

This interface is connected to an EX4200 switch.

SRX version: 12.1X44-D40.2

EX version: 15.1R5.5

 

VLANs are the same on both

RSTP is disabled on the EX switch

Nothing suspicious in the:

admin@SRX550-DC-SH> monitor traffic interface ge-0/0/1 layer2-headers size 1500
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/1, capture size 1500 bytes

10:29:21.555242  In 80:71:1f:d3:c0:94 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
Reverse lookup for 172.21.10.254 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

10:29:21.756919 Out 28:8a:1c:3e:3c:01 > 00:50:56:9d:13:c9, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp reply 172.21.10.254 is-at 28:8a:1c:3e:3c:01
10:29:21.861011 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp who-has 172.21.10.20 tell 172.21.10.254
10:29:22.121014 Out 28:8a:1c:3e:3c:01 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:22.556300  In 80:71:1f:d3:c0:94 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:23.061577 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1856, p 0, ethertype ARP, arp who-has 172.21.13.11 tell 172.21.13.254
10:29:23.122931 Out 28:8a:1c:3e:3c:01 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:23.557345  In 80:71:1f:d3:c0:94 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:23.660900 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1856, p 0, ethertype ARP, arp who-has 172.21.13.11 tell 172.21.13.254
10:29:23.699514 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp who-has 172.21.10.20 tell 172.21.10.254
10:29:23.816847 Out 28:8a:1c:3e:3c:01 > 00:50:56:9d:1a:22, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp reply 172.21.10.254 is-at 28:8a:1c:3e:3c:01
10:29:24.123835 Out 28:8a:1c:3e:3c:01 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:24.558490  In 80:71:1f:d3:c0:94 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:24.560805 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1856, p 0, ethertype ARP, arp who-has 172.21.13.11 tell 172.21.13.254
10:29:24.660777 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp who-has 172.21.10.20 tell 172.21.10.254
10:29:24.915592 Out 28:8a:1c:3e:3c:01 > 00:50:56:9d:13:e6, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp reply 172.21.10.254 is-at 28:8a:1c:3e:3c:01
10:29:25.124730 Out 28:8a:1c:3e:3c:01 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:25.354316 Out 28:8a:1c:3e:3c:01 > 00:50:56:9d:1a:0f, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp reply 172.21.10.254 is-at 28:8a:1c:3e:3c:01
10:29:25.360670 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1856, p 0, ethertype ARP, arp who-has 172.21.13.11 tell 172.21.13.254
10:29:25.360688 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp who-has 172.21.10.20 tell 172.21.10.254
10:29:25.560439  In 80:71:1f:d3:c0:94 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:25.690003 Out 28:8a:1c:3e:3c:01 > 00:50:56:9d:19:fe, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp reply 172.21.10.254 is-at 28:8a:1c:3e:3c:01
10:29:25.960601 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1856, p 0, ethertype ARP, arp who-has 172.21.13.11 tell 172.21.13.254
10:29:26.125597 Out 28:8a:1c:3e:3c:01 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:26.260525 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp who-has 172.21.10.20 tell 172.21.10.254
10:29:26.561486  In 80:71:1f:d3:c0:94 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:26.960522 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp who-has 172.21.10.20 tell 172.21.10.254
10:29:27.126531 Out 28:8a:1c:3e:3c:01 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:27.562563  In 80:71:1f:d3:c0:94 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110

SRX configuration:

 

set interfaces ge-0/0/1 gigether-options 802.3ad ae1
set interfaces ge-0/0/2 gigether-options 802.3ad ae1
set interfaces ae1 description To_BB
set interfaces ae1 vlan-tagging
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 1853 description TS_DC
set interfaces ae1 unit 1853 vlan-id 1853
set interfaces ae1 unit 1853 family inet address 172.21.10.254/24
set interfaces ae1 unit 1854 description AD_DC
set interfaces ae1 unit 1854 vlan-id 1854
set interfaces ae1 unit 1854 family inet address 172.21.11.254/24
set interfaces ae1 unit 1855 description IIS_DC
set interfaces ae1 unit 1855 vlan-id 1855
set interfaces ae1 unit 1855 family inet address 172.21.12.254/24
set interfaces ae1 unit 1856 description FS_DC
set interfaces ae1 unit 1856 vlan-id 1856
set interfaces ae1 unit 1856 family inet address 172.21.13.254/24
set interfaces ae1 unit 1857 description WCF_DC
set interfaces ae1 unit 1857 vlan-id 1857
set interfaces ae1 unit 1857 family inet address 172.21.14.254/24
set interfaces ae1 unit 1858 description Managment
set interfaces ae1 unit 1858 vlan-id 1858
set interfaces ae1 unit 1858 family inet address 172.21.15.254/24
set interfaces ae1 unit 1864 description TIS-FE
set interfaces ae1 unit 1864 vlan-id 1864
set interfaces ae1 unit 1864 family inet address 172.21.25.254/24
set interfaces ae1 unit 1865 description TIS-DB
set interfaces ae1 unit 1865 vlan-id 1865
set interfaces ae1 unit 1865 family inet address 172.21.26.254/24

EX configuration:

 

set interfaces ge-0/0/11 ether-options 802.3ad ae20
set interfaces ge-1/0/11 ether-options 802.3ad ae20
set interfaces ae20 description To_Firewall
set interfaces ae20 aggregated-ether-options lacp active
set interfaces ae20 unit 0 family ethernet-switching port-mode trunk
set interfaces ae20 unit 0 family ethernet-switching vlan members Marvad_AD_DC
set interfaces ae20 unit 0 family ethernet-switching vlan members Marvad_FS_DC
set interfaces ae20 unit 0 family ethernet-switching vlan members Marvad_IIS_DC
set interfaces ae20 unit 0 family ethernet-switching vlan members Marvad_TS_DC
set interfaces ae20 unit 0 family ethernet-switching vlan members Marvad_WCF_DC
set interfaces ae20 unit 0 family ethernet-switching vlan members Marvad_Management
set interfaces ae20 unit 0 family ethernet-switching vlan members TIS-FE
set interfaces ae20 unit 0 family ethernet-switching vlan members TIS-DB
set protocols rstp interface ae20.0 disable
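A triage aid added here by the editor, not part of the post: Junos increments the "L2 channel errors" counter when a frame arrives carrying a VLAN tag that matches no logical unit on the receiving interface, so the question worth answering is which ingress VLAN IDs on ge-0/0/1 have no unit under ae1. The script parses the poster's "set interfaces ... vlan-id" and "monitor traffic ... layer2-headers" formats and reports those VLANs; the config and the first three capture lines are taken from the post, and the last capture line (an In frame on VLAN 1860) is constructed to show how an unconfigured tag is flagged. Keep in mind that monitor traffic on an SRX only shows frames handled by the Routing Engine, which is why the posted capture contains nothing but ARP and LACP.

```python
import re
from collections import Counter

# Config lines in the poster's "set interfaces <ifd> unit <n> vlan-id <v>" format.
SRX_CONFIG = """\
set interfaces ge-0/0/1 gigether-options 802.3ad ae1
set interfaces ae1 vlan-tagging
set interfaces ae1 unit 1853 vlan-id 1853
set interfaces ae1 unit 1854 vlan-id 1854
set interfaces ae1 unit 1856 vlan-id 1856
"""

# Capture lines in "monitor traffic ... layer2-headers" format. The first three
# are from the post; the last one is CONSTRUCTED: an ingress frame tagged with
# VLAN 1860, for which ae1 has no unit, i.e. the kind of frame that would be
# counted as an L2 channel error.
CAPTURE = """\
10:29:21.555242  In 80:71:1f:d3:c0:94 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
10:29:21.756919 Out 28:8a:1c:3e:3c:01 > 00:50:56:9d:13:c9, ethertype 802.1Q (0x8100), length 46: vlan 1853, p 0, ethertype ARP, arp reply 172.21.10.254 is-at 28:8a:1c:3e:3c:01
10:29:23.061577 Out 28:8a:1c:3e:3c:01 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1856, p 0, ethertype ARP, arp who-has 172.21.13.11 tell 172.21.13.254
10:29:27.900000  In 00:50:56:9d:aa:bb > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 1860, p 0, ethertype ARP, arp who-has 172.21.30.1 tell 172.21.30.20
"""

UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+) vlan-id (\d+)\s*$")
# timestamp, direction, then an 802.1Q ethertype followed by the "vlan <id>" field
FRAME_RE = re.compile(r"^\S+\s+(In|Out)\s+.*?ethertype 802\.1Q \(0x8100\).*?vlan (\d+)")


def configured_vlans(config, ifd):
    """Return {vlan_id: unit_number} for the logical units configured on interface ifd."""
    units = {}
    for line in config.splitlines():
        m = UNIT_RE.match(line)
        if m and m.group(1) == ifd:
            units[int(m.group(3))] = int(m.group(2))
    return units


def tagged_frames(capture):
    """Yield (direction, vlan_id) for each 802.1Q-tagged frame; untagged frames (LACP here) are skipped."""
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2))


def unconfigured_ingress_vlans(config, capture, ifd):
    """Count ingress (In) frames per VLAN tag that matches no unit on ifd."""
    known = configured_vlans(config, ifd)
    unmatched = Counter()
    for direction, vlan in tagged_frames(capture):
        if direction == "In" and vlan not in known:
            unmatched[vlan] += 1
    return dict(unmatched)


if __name__ == "__main__":
    print("units on ae1:", configured_vlans(SRX_CONFIG, "ae1"))
    print("ingress VLANs without a unit:", unconfigured_ingress_vlans(SRX_CONFIG, CAPTURE, "ae1"))
```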