Channel: SRX Services Gateway topics

HTTP and SSH Issue


Hi,

Sorry for disturbing you guys again with what may be an easily resolved issue. I have checked everything I can with regard to this issue and am now at a loss (with no ability to run Wireshark):

As I am using separate VRs and tunnels, it may be better to simply post the whole config minus the sections that are not really relevant:

set system services ftp
set system services ssh root-login deny
set system services ssh connection-limit 3
set system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set chassis aggregated-devices ethernet device-count 2
set security log mode stream
set security log report
set security address-book global address hexradiusbtb 195.80.10.73/32
set security address-book global address thwradiusbtb 195.80.10.69/32
set security address-book global address thw-lns-01 195.80.10.13/32
set security address-book global address thw-radius-01 195.80.10.38/32
set security address-book global address monitor-server 192.168.50.201/32
set security address-book global address monitor-server-nic2 195.80.10.9/32
set security address-book global address hex-radius-02 195.80.10.54/32
set security address-book global address thw-dns-server 195.80.10.85/32
set security address-book global address thw-dns-anycast1 195.80.10.81/32
set security address-book global address thw-dns-anycast2 195.80.10.82/32
set security address-book global address netopstest2-network 192.168.50.0/24
set security address-book global address-set Cust-to-dmz-bidirectional address thw-lns-01
set security address-book global address-set Cust-to-dmz-bidirectional address thw-radius-01
set security address-book global address-set Cust-to-dmz-bidirectional address monitor-server
set security address-book global address-set Cust-to-dmz-bidirectional address monitor-server-nic2
set security address-book global address-set Cust-to-dmz-bidirectional address netopstest2-network
set security forwarding-options family inet6 mode flow-based
set security forwarding-options family iso mode packet-based
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match source-address Cust-to-dmz-bidirectional
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match destination-address Cust-to-dmz-bidirectional
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application junos-ntp
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application junos-pingv6
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application junos-ping
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application junos-dns-tcp
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application junos-dns-udp
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application RADIUS
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application junos-ssh
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application junos-http
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application junos-https
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve then permit
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve then log session-init
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match source-address Cust-to-dmz-bidirectional
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match destination-address Cust-to-dmz-bidirectional
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match application junos-ntp
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match application junos-pingv6
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match application junos-ping
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match application junos-dns-tcp
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match application junos-dns-udp
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match application RADIUS
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match application junos-ssh
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match application junos-http
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 match application junos-https
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 then permit
set security policies from-zone ninegroup-radius to-zone Customer-Network policy Steve1 then log session-init
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match source-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match destination-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match application any
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve then permit
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match source-address Cust-to-dmz-bidirectional
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match destination-address Cust-to-dmz-bidirectional
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match application junos-ntp
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match application junos-pingv6
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match application junos-ping
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match application junos-dns-tcp
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match application junos-dns-udp
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match application RADIUS
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match application junos-ssh
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match application junos-http
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 match application junos-https
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 then permit
set security policies from-zone ninegroup-radius to-zone ninegroup-radius policy Steve1 then log session-init
set security policies from-zone Customer-Network to-zone NineGroup-BTB policy radiusbtb match source-address hexradiusbtb
set security policies from-zone Customer-Network to-zone NineGroup-BTB policy radiusbtb match destination-address thwradiusbtb
set security policies from-zone Customer-Network to-zone NineGroup-BTB policy radiusbtb match application junos-icmp-all
set security policies from-zone Customer-Network to-zone NineGroup-BTB policy radiusbtb then permit
set security policies from-zone NineGroup-BTB to-zone Customer-Network policy radiusbtb1 match source-address thwradiusbtb
set security policies from-zone NineGroup-BTB to-zone Customer-Network policy radiusbtb1 match destination-address hexradiusbtb
set security policies from-zone NineGroup-BTB to-zone Customer-Network policy radiusbtb1 match application junos-icmp-all
set security policies from-zone NineGroup-BTB to-zone Customer-Network policy radiusbtb1 then permit
set security policies from-zone NineGroup-BTB to-zone NineGroup-BTB policy radiusbtb1 match source-address any
set security policies from-zone NineGroup-BTB to-zone NineGroup-BTB policy radiusbtb1 match destination-address any
set security policies from-zone NineGroup-BTB to-zone NineGroup-BTB policy radiusbtb1 match application any
set security policies from-zone NineGroup-BTB to-zone NineGroup-BTB policy radiusbtb1 then permit
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest match source-address any
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest match destination-address any
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest match application any
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest then permit
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match source-address any
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match destination-address any
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match application any
set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 then permit
set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 match source-address any
set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 match destination-address any
set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 match application any
set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 then permit
set security policies from-zone ninegroup-dns to-zone Customer-Network policy thw-ninegroupdns match source-address any
set security policies from-zone ninegroup-dns to-zone Customer-Network policy thw-ninegroupdns match destination-address any
set security policies from-zone ninegroup-dns to-zone Customer-Network policy thw-ninegroupdns match application any
set security policies from-zone ninegroup-dns to-zone Customer-Network policy thw-ninegroupdns then permit
set security policies from-zone Customer-Network to-zone ninegroup-dns policy thw-ninegroupdns-1 match source-address any
set security policies from-zone Customer-Network to-zone ninegroup-dns policy thw-ninegroupdns-1 match destination-address any
set security policies from-zone Customer-Network to-zone ninegroup-dns policy thw-ninegroupdns-1 match application any
set security policies from-zone Customer-Network to-zone ninegroup-dns policy thw-ninegroupdns-1 then permit
set security policies from-zone ninegroup-dns to-zone ninegroup-dns policy thw-ninegroupdns match source-address any
set security policies from-zone ninegroup-dns to-zone ninegroup-dns policy thw-ninegroupdns match destination-address any
set security policies from-zone ninegroup-dns to-zone ninegroup-dns policy thw-ninegroupdns match application any
set security policies from-zone ninegroup-dns to-zone ninegroup-dns policy thw-ninegroupdns then permit
set security zones security-zone ninegroup-radius host-inbound-traffic system-services all
set security zones security-zone ninegroup-radius host-inbound-traffic protocols all
set security zones security-zone ninegroup-radius interfaces ge-0/0/2.0
set security zones security-zone ninegroup-radius interfaces lt-0/0/0.1
set security zones security-zone ninegroup-radius interfaces lt-0/0/0.8
set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network host-inbound-traffic protocols all
set security zones security-zone Customer-Network interfaces lt-0/0/0.2
set security zones security-zone Customer-Network interfaces ae2.0
set security zones security-zone Customer-Network interfaces lt-0/0/0.4
set security zones security-zone Customer-Network interfaces lt-0/0/0.6
set security zones security-zone Customer-Network interfaces lt-0/0/0.10
set security zones security-zone NineGroup-BTB host-inbound-traffic system-services all
set security zones security-zone NineGroup-BTB host-inbound-traffic protocols all
set security zones security-zone NineGroup-BTB interfaces lt-0/0/0.3
set security zones security-zone NineGroup-BTB interfaces ge-0/0/4.0
set security zones security-zone ninegroup-dns host-inbound-traffic system-services all
set security zones security-zone ninegroup-dns host-inbound-traffic protocols all
set security zones security-zone ninegroup-dns interfaces lt-0/0/0.5
set security zones security-zone ninegroup-dns interfaces lt-0/0/0.7
set security zones security-zone ninegroup-dns interfaces ge-0/0/6.0
set security zones security-zone netopstest2 host-inbound-traffic system-services all
set security zones security-zone netopstest2 host-inbound-traffic protocols all
set security zones security-zone netopstest2 interfaces ge-0/0/8.0
set security zones security-zone netopstest2 interfaces lt-0/0/0.9
set interfaces ge-0/0/0 unit 0 family inet dhcp-client update-server
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 2
set interfaces lt-0/0/0 unit 1 family inet address 20.20.20.1/30
set interfaces lt-0/0/0 unit 1 family iso
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 1
set interfaces lt-0/0/0 unit 2 family inet address 20.20.20.2/30
set interfaces lt-0/0/0 unit 2 family iso
set interfaces lt-0/0/0 unit 3 encapsulation ethernet
set interfaces lt-0/0/0 unit 3 peer-unit 4
set interfaces lt-0/0/0 unit 3 family inet address 30.30.30.1/30
set interfaces lt-0/0/0 unit 3 family iso
set interfaces lt-0/0/0 unit 4 encapsulation ethernet
set interfaces lt-0/0/0 unit 4 peer-unit 3
set interfaces lt-0/0/0 unit 4 family inet address 30.30.30.2/30
set interfaces lt-0/0/0 unit 4 family iso
set interfaces lt-0/0/0 unit 5 description to-customer-vr
set interfaces lt-0/0/0 unit 5 encapsulation ethernet
set interfaces lt-0/0/0 unit 5 peer-unit 6
set interfaces lt-0/0/0 unit 5 family inet address 40.40.40.1/30
set interfaces lt-0/0/0 unit 5 family iso
set interfaces lt-0/0/0 unit 6 description to-ninegroup-dns
set interfaces lt-0/0/0 unit 6 encapsulation ethernet
set interfaces lt-0/0/0 unit 6 peer-unit 5
set interfaces lt-0/0/0 unit 6 family inet address 40.40.40.2/30
set interfaces lt-0/0/0 unit 6 family iso
set interfaces lt-0/0/0 unit 7 description to-ninegroup-radius
set interfaces lt-0/0/0 unit 7 encapsulation ethernet
set interfaces lt-0/0/0 unit 7 peer-unit 8
set interfaces lt-0/0/0 unit 7 family inet address 60.60.60.1/30
set interfaces lt-0/0/0 unit 7 family iso
set interfaces lt-0/0/0 unit 8 description to-ninegroup-dns
set interfaces lt-0/0/0 unit 8 encapsulation ethernet
set interfaces lt-0/0/0 unit 8 peer-unit 7
set interfaces lt-0/0/0 unit 8 family inet address 60.60.60.2/30
set interfaces lt-0/0/0 unit 8 family iso
set interfaces lt-0/0/0 unit 9 description to-customer-vr
set interfaces lt-0/0/0 unit 9 encapsulation ethernet
set interfaces lt-0/0/0 unit 9 peer-unit 10
set interfaces lt-0/0/0 unit 9 family inet address 65.65.65.1/30
set interfaces lt-0/0/0 unit 9 family iso
set interfaces lt-0/0/0 unit 10 description to-netopstest-network
set interfaces lt-0/0/0 unit 10 encapsulation ethernet
set interfaces lt-0/0/0 unit 10 peer-unit 9
set interfaces lt-0/0/0 unit 10 family inet address 65.65.65.2/30
set interfaces lt-0/0/0 unit 10 family iso
set interfaces ge-0/0/2 unit 0 description To-RADIUS-Server
set interfaces ge-0/0/2 unit 0 family inet address 195.80.0.37/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family inet6 address xxxx
set interfaces ge-0/0/3 unit 0 family inet
set interfaces ge-0/0/4 unit 0 description To-RADIUSBTB-Server
set interfaces ge-0/0/4 unit 0 family inet address 195.80.10.70/30
set interfaces ge-0/0/4 unit 0 family iso
set interfaces ge-0/0/4 unit 0 family inet6 address xxxx
set interfaces ge-0/0/6 unit 0 description To-DNS-Server
set interfaces ge-0/0/6 unit 0 family inet address 195.80.10.86/30
set interfaces ge-0/0/6 unit 0 family iso
set interfaces ge-0/0/6 unit 0 family inet6 address xxxx
set interfaces ge-0/0/8 unit 0 description to-netopstest2-network
set interfaces ge-0/0/8 unit 0 family inet address 192.168.50.210/24
set interfaces ge-0/0/8 unit 0 family iso
set interfaces xe-0/0/16 description Group-ae2
set interfaces xe-0/0/16 gigether-options 802.3ad ae2
set interfaces xe-0/0/17 unit 0 family inet
set interfaces xe-0/0/18 description Group-ae2
set interfaces xe-0/0/18 gigether-options 802.3ad ae2
set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
set interfaces ae2 unit 0 family inet address 195.80.10.18/30
set interfaces ae2 unit 0 family iso
set interfaces ae2 unit 0 family inet6 address xxxx
set interfaces fxp0 unit 0 family inet address 185.89.120.8/24
set interfaces lo0 unit 0 family inet address 195.80.10.3/32
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0014.00
set interfaces lo0 unit 0 family inet6 address xxxx
set interfaces lo0 unit 10 family iso address 49.0001.1950.0080.0114.00
set interfaces lo0 unit 20 family iso address 49.0001.1950.0080.0224.00
set interfaces lo0 unit 30 family iso address 49.0001.1950.0080.0334.00
set interfaces lo0 unit 40 family iso address 49.0001.1950.0080.0444.00
set interfaces lo0 unit 50 family iso address 49.0001.1950.0080.0554.00
set snmp v3 usm local-engine user test authentication-md5 authentication-key "$9$Q9A.3CtRhSKvLREyKMWx7VwYg4Zkqfzn/wYFnCA0O7-dw4aJGDjk.JZ69tpB1VwsgGDq.5T36.mEcrlLXHq.5n/AtOIRSCABEyr8LDiHq5Q6/tRcy.P39pu1Idbw2gJHqmzF/go369CB1X7NdYgGUHPfz-V5QF6At7-dwYoji.Q36kqQn/Cu08Xx-ds"
set snmp v3 usm local-engine user test privacy-aes128 privacy-key "$9$EbNSKM-Vw4oG-ds4aJDjqmfTQnpu1hylmfcyKvLXjHkmQF369Cp03nreMWx7qmPT69u0IRSr0OdbY2GUtu0IylvMXN-wKvxdsYZG9AtuIErlM-bs0BSeW87Nk.m5T3tuOhclTzSreKx7UjikfT6/tB1hHqIEcrvMjHkmfzCA0ESrpuEylK8LZUDHkP"
set snmp v3 vacm security-to-group security-model usm security-name test group snmpgroup
set snmp v3 vacm access group snmpgroup default-context-prefix security-model usm security-level authentication read-view allmibs
set snmp engine-id use-default-ip-address
set snmp view allmibs oid .1.3.6.1 include
set snmp view allmibs oid .1 include
set routing-options static route 195.80.10.69/32 next-hop 195.80.0.70
set routing-options static route 195.80.10.9/32 next-hop 195.80.0.10
set routing-options static route 192.168.50.0/24 next-hop 192.168.50.210
set routing-options static route 195.80.10.38/32 next-hop 195.80.0.37
set routing-options static route 195.80.10.85/32 next-hop 195.80.0.86
set protocols isis level 1 authentication-key "$9$xNR7wgGUHm5FikF/A0hcM8X7bsgoJDHq"
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-key "$9$ynUrWxbwgJUH24Hm5FAtRhSrM8xNdsgo"
set protocols isis level 2 authentication-type md5
set protocols isis interface lo0.0
set policy-options policy-statement From_Customer_To_Nine from instance Customer-VR
set policy-options policy-statement From_Customer_To_Nine from protocol direct
set policy-options policy-statement From_Customer_To_Nine then accept
set policy-options policy-statement From_Nine_To_Customer from instance ninegroup-radius
set policy-options policy-statement From_Nine_To_Customer from protocol direct
set policy-options policy-statement From_Nine_To_Customer then accept
set policy-options policy-statement export_statics term 1 from protocol static
set policy-options policy-statement export_statics term 1 then accept
set policy-options policy-statement from_hexradius_to_thwradius from instance Customer-VR
set policy-options policy-statement from_hexradius_to_thwradius from protocol direct
set policy-options policy-statement from_hexradius_to_thwradius then accept
set policy-options policy-statement from_thwradius_to_hexradius from instance NineGroupBTB-VR
set policy-options policy-statement from_thwradius_to_hexradius from protocol direct
set policy-options policy-statement from_thwradius_to_hexradius then accept
set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface lt-0/0/0.2
set routing-instances Customer-VR interface lt-0/0/0.4
set routing-instances Customer-VR interface lt-0/0/0.6
set routing-instances Customer-VR interface lt-0/0/0.10
set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR interface lo0.10
set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$3M.wntOhclMLNreNbYoji5QFnApO1RSlK"
set routing-instances Customer-VR protocols isis level 1 authentication-type md5
set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$jgiPQ/9pBRStuSeMXbwJGDimfQFnCp0"
set routing-instances Customer-VR protocols isis level 2 authentication-type md5
set routing-instances Customer-VR protocols isis interface lt-0/0/0.2
set routing-instances Customer-VR protocols isis interface lt-0/0/0.4
set routing-instances Customer-VR protocols isis interface lt-0/0/0.6
set routing-instances Customer-VR protocols isis interface lt-0/0/0.10
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances Customer-VR protocols isis interface lo0.10
set routing-instances NineGroupBTB-VR instance-type virtual-router
set routing-instances NineGroupBTB-VR interface lt-0/0/0.3
set routing-instances NineGroupBTB-VR interface ge-0/0/4.0
set routing-instances NineGroupBTB-VR interface lo0.30
set routing-instances NineGroupBTB-VR protocols isis level 1 authentication-key "$9$g74UHf5F/A0z30Ihr8Lbs24GDHqmTFn"
set routing-instances NineGroupBTB-VR protocols isis level 1 authentication-type md5
set routing-instances NineGroupBTB-VR protocols isis level 2 authentication-key "$9$Wn78-woaUH.5GD5F6A1IlKM8NdwYgJUj"
set routing-instances NineGroupBTB-VR protocols isis level 2 authentication-type md5
set routing-instances NineGroupBTB-VR protocols isis interface lt-0/0/0.3
set routing-instances NineGroupBTB-VR protocols isis interface ge-0/0/4.0
set routing-instances NineGroupBTB-VR protocols isis interface lo0.30
set routing-instances netopstest2 instance-type virtual-router
set routing-instances netopstest2 interface lt-0/0/0.9
set routing-instances netopstest2 interface ge-0/0/8.0
set routing-instances netopstest2 interface lo0.50
set routing-instances netopstest2 protocols isis export export_statics
set routing-instances netopstest2 protocols isis level 1 authentication-key "$9$KZDvxd2gJDHmaZmTF/0OSrevX7dbs4JG"
set routing-instances netopstest2 protocols isis level 1 authentication-type md5
set routing-instances netopstest2 protocols isis level 2 authentication-key "$9$g54UHf5F/A0z30Ihr8Lbs24GDHqmTFn"
set routing-instances netopstest2 protocols isis level 2 authentication-type md5
set routing-instances netopstest2 protocols isis interface lt-0/0/0.9
set routing-instances netopstest2 protocols isis interface ge-0/0/8.0
set routing-instances netopstest2 protocols isis interface lo0.50
set routing-instances ninegroup-dns instance-type virtual-router
set routing-instances ninegroup-dns interface lt-0/0/0.5
set routing-instances ninegroup-dns interface lt-0/0/0.7
set routing-instances ninegroup-dns interface ge-0/0/6.0
set routing-instances ninegroup-dns interface lo0.40
set routing-instances ninegroup-dns protocols isis level 1 authentication-key "$9$xSz7wgGUHm5FikF/A0hcM8X7bsgoJDHq"
set routing-instances ninegroup-dns protocols isis level 1 authentication-type md5
set routing-instances ninegroup-dns protocols isis level 2 authentication-key "$9$GxUqf3nCuBE9AEyeW-d4aZUk.fTz6Ct"
set routing-instances ninegroup-dns protocols isis level 2 authentication-type md5
set routing-instances ninegroup-dns protocols isis interface lt-0/0/0.5
set routing-instances ninegroup-dns protocols isis interface lt-0/0/0.7
set routing-instances ninegroup-dns protocols isis interface ge-0/0/6.0
set routing-instances ninegroup-dns protocols isis interface lo0.40
set routing-instances ninegroup-radius instance-type virtual-router
set routing-instances ninegroup-radius interface lt-0/0/0.1
set routing-instances ninegroup-radius interface lt-0/0/0.8
set routing-instances ninegroup-radius interface ge-0/0/2.0
set routing-instances ninegroup-radius interface lo0.20
set routing-instances ninegroup-radius protocols isis export export_statics
set routing-instances ninegroup-radius protocols isis level 1 authentication-key "$9$RplElM7Nb2oGVwGiqfn60BIEreM8X-bs"
set routing-instances ninegroup-radius protocols isis level 1 authentication-type md5
set routing-instances ninegroup-radius protocols isis level 2 authentication-key "$9$lc7eLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
set routing-instances ninegroup-radius protocols isis level 2 authentication-type md5
set routing-instances ninegroup-radius protocols isis interface lt-0/0/0.1
set routing-instances ninegroup-radius protocols isis interface lt-0/0/0.8
set routing-instances ninegroup-radius protocols isis interface ge-0/0/2.0
set routing-instances ninegroup-radius protocols isis interface lo0.20
set applications application RADIUS term 1 protocol udp
set applications application RADIUS term 1 destination-port 1812-1814


My apologies for the length of the config.

I can ping from my desktop on the 192.168 network to the thw-radius server but I cannot get to the GUI (HTTP/HTTPS) although I am allowing that through.

On the other SRX I can access the RADIUS server but it does not have the netopstest2 network associated as it comes in on the customer interface.


Can anyone see any obvious reason why HTTP access just will not work please?


Also, I can SSH onto this SRX and although the other SRX is configured correctly, I cannot SSH onto it.


Thanks
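As an added example (this is not part of the post above and not a Juniper tool; the function names and finding texts are the example's own): a short Python linter over `show configuration | display set` output that flags the broad settings visible in the posted config: the plaintext FTP service, zones with `host-inbound-traffic system-services all` or `protocols all`, J-Web HTTP with no `interface` restriction, an HTTPS listener with no certificate statement, and inter-zone policies that permit any/any/any. The sample input is a constructed subset of the lines posted above. It is a hygiene check, not a diagnosis of the HTTP reachability question.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the set-style lines from the post above.
SAMPLE_SET_CONFIG = """\
set system services ftp
set system services ssh root-login deny
set system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match source-address Cust-to-dmz-bidirectional
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match destination-address Cust-to-dmz-bidirectional
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve match application junos-http
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve then permit
set security policies from-zone Customer-Network to-zone ninegroup-radius policy Steve then log session-init
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest match source-address any
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest match destination-address any
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest match application any
set security policies from-zone Customer-Network to-zone netopstest2 policy netopstest then permit
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match source-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match destination-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match application any
set security policies from-zone Customer-Network to-zone Customer-Network policy Steve then permit
set security zones security-zone ninegroup-radius host-inbound-traffic system-services all
set security zones security-zone ninegroup-radius host-inbound-traffic protocols all
set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network interfaces ae2.0
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (permit|deny|reject))"
)
ZONE_ALL_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic (system-services|protocols) all$"
)
HTTPS_CERT_KEYS = ("system-generated-certificate", "local-certificate", "pki-local-certificate")


def _new_policy():
    return {"source-address": set(), "destination-address": set(), "application": set(), "action": None}


def lint_set_config(text):
    """Return a list of findings for the broad settings in 'display set' output."""
    findings = []
    policies = defaultdict(_new_policy)
    http_on = http_iface = https_iface = https_cert = False

    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # CLI prompts, blank lines, and so on
        if line == "set system services ftp":
            findings.append("plaintext FTP service enabled (set system services ftp)")
        elif line == "set system services web-management http" or line.startswith("set system services web-management http "):
            http_on = True
            http_iface = http_iface or " interface " in line
        elif line.startswith("set system services web-management https"):
            https_iface = https_iface or " interface " in line
            https_cert = https_cert or any(k in line for k in HTTPS_CERT_KEYS)
        elif m := ZONE_ALL_RE.match(line):
            findings.append(f"zone {m.group(1)}: host-inbound-traffic {m.group(2)} all "
                            "(all host-inbound services/protocols allowed from this zone)")
        elif m := POLICY_RE.match(line):
            pol = policies[(m.group(1), m.group(2), m.group(3))]
            if m.group(4):
                pol[m.group(4)].add(m.group(5))   # accumulate match terms per policy
            else:
                pol["action"] = m.group(6)

    if http_on and not http_iface:
        findings.append("plaintext HTTP management (J-Web) is not limited to an interface: "
                        "no 'web-management http interface' restriction")
    if https_iface and not https_cert:
        findings.append("web-management https has an interface but no certificate statement "
                        "(system-generated-certificate or local-certificate)")
    for (src, dst, name), pol in sorted(policies.items()):
        if src != dst and pol["action"] == "permit" and all(
                "any" in pol[k] for k in ("source-address", "destination-address", "application")):
            findings.append(f"policy {name} {src} -> {dst} permits any/any/any between different zones")
    return findings


if __name__ == "__main__":
    for f in lint_set_config(SAMPLE_SET_CONFIG):
        print("FINDING:", f)
```

Feed it the full `display set` output of a device; anything that is not a `set` line is skipped, so pasting straight from the CLI works.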

Source-based routing configuration issue


Hi guys,

I'm not able to configure source-based routing and it's driving me crazy!

Scenario: I have 2 IPsec tunnels, st0.1 and st0.2; the remote local address on both ends is the same, 10.70.78.0/23.

I want to make the SRX route the packets based on the source address, so:

- Traffic coming from 10.210.241.0/24 should be routed to st0.1
- Traffic coming from 10.210.225.0/24 should be routed to st0.2

The physical interface on my SRX receiving the traffic is reth0.


This is the current configuration :

## INTERFACE reth0 config:

reth0 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                input TEST_SRC_Routing;
            }
            address 10.210.225.190/28;
        }
    }
}

## FILTER configuration:


{primary:node1}[edit firewall]
root@FIREWALL# show 
filter TEST_SRC_Routing {
    term t1 {
        from {
            source-address {
                10.210.241.0/24;
            }
        }
        then {
            routing-instance Test_STG_RoutingInstance;
        }
    }
    term t2 {
        from {
            source-address {
                10.210.225.0/24;
            }
        }
        then {
            routing-instance Test_PROD_RoutingInstance;
        }
    }
}
filter other {
    term default {
        then accept;
    }
}

## Routing Instances configuration:


{primary:node1}[edit routing-instances]
root@FIREWALL# show 
Test_PROD_RoutingInstance {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop st0.2;
        }
    }
}
Test_STG_RoutingInstance {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop st0.1;
        }
    }
}

## Finally, the rib-options:

{primary:node1}[edit routing-options]
root@FIREWALL# show
interface-routes {
    rib-group inet rib_group_test;
}
static {
    route 10.234.18.0/23 next-hop 10.101.1.254;
    route 0.0.0.0/0 next-hop 85.159.122.1;
    route 192.168.254.0/24 next-hop 10.101.1.254;
}
rib-groups {
    rib_group_Test {
        import-rib [ inet.0 Test_PROD_RoutingInstance.inet.0 Test_STG_RoutingInstance.inet.0 ];
    }
}

Any help?


Thanks!!!
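As an added example (not from the post; the parser and check names are the example's own): a brace-format parser plus a cross-reference check, run over the three snippets above re-typed as a constructed sample. It compares the rib-group that `interface-routes` references (`rib_group_test`) with the one defined under `rib-groups` (`rib_group_Test`); Junos identifiers are case-sensitive, so these are two different names. It also checks that every routing-instance the filter redirects to is defined, and that each forwarding instance's `<name>.inet.0` table appears in some `import-rib` list, which is what lets the `st0.x` next-hop of the instance's static route resolve against the interface routes.

```python
import re

# Constructed sample: the posted firewall, routing-instances and routing-options
# snippets, re-typed as one curly-brace configuration (CLI prompts left out).
SAMPLE_BRACE_CONFIG = """\
firewall {
    filter TEST_SRC_Routing {
        term t1 {
            from {
                source-address {
                    10.210.241.0/24;
                }
            }
            then {
                routing-instance Test_STG_RoutingInstance;
            }
        }
        term t2 {
            from {
                source-address {
                    10.210.225.0/24;
                }
            }
            then {
                routing-instance Test_PROD_RoutingInstance;
            }
        }
    }
}
routing-instances {
    Test_PROD_RoutingInstance {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop st0.2;
            }
        }
    }
    Test_STG_RoutingInstance {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop st0.1;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet rib_group_test;
    }
    rib-groups {
        rib_group_Test {
            import-rib [ inet.0 Test_PROD_RoutingInstance.inet.0 Test_STG_RoutingInstance.inet.0 ];
        }
    }
}
"""


def flatten(text):
    """Turn curly-brace Junos config into 'display set'-style paths (without the leading 'set')."""
    stack, paths = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())       # open a hierarchy level
        elif line == "}":
            stack.pop()                           # close it
        elif line.endswith(";"):
            paths.append(" ".join(stack + [line[:-1].strip()]))   # leaf statement
        # anything else (blank lines, prompts such as '{primary:node1}[edit]') is ignored
    return paths


def check_fbf(paths):
    """Cross-reference filter targets, routing instances and rib-groups; return findings."""
    defined_groups, referenced_groups = {}, set()
    all_instances, forwarding_instances, filter_targets = set(), set(), set()
    for p in paths:
        if m := re.match(r"routing-options rib-groups (\S+) import-rib \[(.*)\]", p):
            defined_groups[m.group(1)] = m.group(2).split()
        elif m := re.match(r"routing-options interface-routes rib-group inet (\S+)", p):
            referenced_groups.add(m.group(1))
        elif m := re.match(r"routing-instances (\S+) instance-type (\S+)", p):
            all_instances.add(m.group(1))
            if m.group(2) == "forwarding":
                forwarding_instances.add(m.group(1))
        elif m := re.match(r"firewall filter \S+ term \S+ then routing-instance (\S+)", p):
            filter_targets.add(m.group(1))

    findings = []
    for g in sorted(referenced_groups - set(defined_groups)):
        findings.append(f"interface-routes references rib-group '{g}' but only "
                        f"{sorted(defined_groups)} are defined (identifiers are case-sensitive)")
    for inst in sorted(filter_targets - all_instances):
        findings.append(f"filter redirects to routing-instance '{inst}', which is not defined")
    imported = {t for tables in defined_groups.values() for t in tables}
    for inst in sorted(forwarding_instances):
        if f"{inst}.inet.0" not in imported:
            findings.append(f"{inst}.inet.0 is in no import-rib list, so interface routes "
                            "are not leaked into it and its static next-hop cannot resolve")
    return findings


if __name__ == "__main__":
    for f in check_fbf(flatten(SAMPLE_BRACE_CONFIG)):
        print("FINDING:", f)
```

On the sample as posted the only finding is the rib-group name mismatch; changing the reference to `rib_group_Test` makes the check come back clean.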


https stopped working on my SRX240 Cluster


Hi All,


A few years back I had set up https for my SRX240 cluster of 2 nodes with the following commands:

# Enable https/http/ssh

set system services ssh
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ping 
set system services web-management http interface reth0.0

set system services web-management https system-generated-certificate
set security zones security-zone untrust interfaces reth0 host-inbound-traffic system-services https
set system services web-management https interface reth0.0

set security zones security-zone trust interfaces reth2.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces reth2.0 host-inbound-traffic system-services http
set system services web-management http interface reth2.0

commit

Now it has suddenly stopped working. I can access http and ssh but not https on reth0.0.

So I tried

restart web-management

It did not work.

Next I tried recreating web-management:

delete system services web-management

commit

set system services web-management management-url jweb
set system services web-management http interface reth0.0
set system services web-management http interface reth2.0
set system services web-management https system-generated-certificate
set system services web-management https interface reth0.0

commit

But it still doesn't work. Any ideas?

SRX300 ISP JDHCP problem


We have an SRX300 trying to get a DHCP IP address from a modem.
The problem is that we get a local IP address on our interface when we force the DHCP renew, e.g. 192.168.100.2.
We tried clearing the MAC, forcing a renew, disabling the interface and rebooting the firewall, and nothing works.
On the other hand, the internet provider sees that we obtain a public IP on their side, but on our interface we always see the same IP, 192.168.100.2.
What is the command to see where this IP comes from? Can we reset all IPs on the interface? Is this a known problem?
To make it work, we need to set the IP statically on the interface, entering the address that the ISP saw on its side; afterwards we remove it and DHCP initializes.
Have we forgotten a starting configuration?
In our zone DHCP is enabled and on our DHCP interface it is enabled.

I think we have the same problem: https://forums.juniper.net/t5/SRX-Services-Gateway/SRX300-legacy-DHCP-vs-JDHCP-client-identifier/td-p/312455
Thank you

Can't make BGP advertisement work on SRX320


Hi,

Not sure what is happening here; it is working on the SRX220 even without the accept at the end.

Model: SRX320
Junos: 15.1X49-D75.5
JUNOS Software Release [15.1X49-D75.5]

I'm trying to advertise my eBGP routes to my next iBGP peer.

set policy-options policy-statement ibgp-out term acept from protocol bgp
set policy-options policy-statement ibgp-out term acept from route-filter 10.10.10.0/24 orlonger
set policy-options policy-statement ibgp-out term acept then next-hop self
set policy-options policy-statement ibgp-out term acept then accept

 

i tried prefix-list , source-address-filter  as well but none of them are working for me, any idea  why or how to debug it , except this command "show route advertising-protocol bgp" 

 

note if I do the same policy with "protocol direct" and local subnet it works fine. 
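
An added debugging sequence, not from the original post, for the question of how to check why an export policy is not advertising a route. The iBGP neighbour address 10.0.0.2 and the group name "ibgp" are assumptions.

```junos
## Added example; neighbour 10.0.0.2 and group "ibgp" are assumed.
## 1. Only active routes are exported. Is the eBGP route active in inet.0 (marked with *)?
show route 10.10.10.0/24 detail
## 2. Run the export policy against inet.0 exactly as BGP would; the output lists what it accepts.
test policy ibgp-out 10.10.10.0/24
## 3. Confirm the policy is attached to this neighbour and see what is actually sent.
show bgp neighbor 10.0.0.2 | match "Export|Group|State"
show route advertising-protocol bgp 10.0.0.2
## 4. A neighbour-level export statement overrides a group-level one, so check both places.
show configuration protocols bgp group ibgp
## 5. On the peer: is the route received but hidden (next hop unreachable)?
show route receive-protocol bgp <this router's address> hidden
```

If step 1 shows the prefix inactive or hidden, the policy never sees it and no export tweak will help; if step 2 accepts the route but step 3 shows nothing advertised, the policy is not attached where you think it is.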

 

Management access through fxp

Hi,

We have SRX340s in a cluster. Please find the configuration below and suggest the best practice for the management interface (available on the chassis).

set version 15.1X49-D120.3
set groups node0 system host-name SRX-A
set groups node0 interfaces fxp0 unit 0 family inet address 172.16.10.1/30  # (control link is configured on ge-0/0/1 and ge-5/0/1)
set groups node1 system host-name SRX-B
set groups node1 interfaces fxp0 unit 0 family inet address 172.16.10.2/30

set system services web-management https interface fxp0.0

set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-5/0/0
set interfaces fxp0 unit 0 family inet address 10.30.40.50/24

Now I am able to access SSH through the 10.30.40.50 IP but am not getting HTTPS access.

Thank you.
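
An added example of the usual fxp0 layout for a chassis cluster, not the poster's configuration: a per-node address on each fxp0, a backup-router so the secondary node is reachable while it has no routing table of its own, and a shared address marked master-only that always follows the redundancy-group-0 primary. The addresses and the 10.0.0.0/8 management prefix are assumptions. fxp0 is out-of-band and belongs to no security zone, so no host-inbound-traffic entry is involved for it.

```junos
## Added example; addresses and the management prefix are assumed.
set apply-groups "${node}"
set groups node0 system host-name SRX-A
set groups node0 system backup-router 10.30.40.1 destination 10.0.0.0/8
set groups node0 interfaces fxp0 unit 0 family inet address 10.30.40.51/24
set groups node1 system host-name SRX-B
set groups node1 system backup-router 10.30.40.1 destination 10.0.0.0/8
set groups node1 interfaces fxp0 unit 0 family inet address 10.30.40.52/24
## Shared management address that is only active on the RG0 primary node.
set interfaces fxp0 unit 0 family inet address 10.30.40.50/24 master-only
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
## Verify which node holds the shared address and that httpd listens on 443.
show chassis cluster status
show interfaces fxp0 terse
show system connections | match "\.443"
```

The per-node addresses must be in the same subnet as the master-only address; with this layout you can reach either node individually for diagnosis and always land on the primary through the shared address.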

HA Failover for SRX 1500 Not Working with Ungraceful Shutdown

Hello,

We have two SRX 1500s (node 0 and node 1) in an HA configuration.

We recently experienced an issue where the primary node, node 0, was powered down ungracefully (power failure) and node 0 never took over routing. After power cycling both nodes, routing was restored. Later, we performed a failover test by ungracefully powering down node 0 to simulate a real failure, and again our network went down entirely until we brought node 0 back online.

We opened a JTAC support ticket and they indicated that the cluster was healthy and operating as expected. JTAC says that an ungraceful shutdown of the primary node will not result in a successful failover, which seems absurd since that is exactly what HA is meant to protect against.

Can anyone else confirm this behavior? Should I expect my network to go down if my primary SRX fails without a graceful shutdown when running a chassis cluster?

Thank you

What interface should I apply CoS config to - pp0 or the underlying Ethernet interface?

With the current CoS implementation on SRX300 15.1X49-D120, what interface should I apply CoS config to, pp0 or the underlying Ethernet interface (ge-)?

Common configuration for both scenarios:

ge-0/0/3 {
    per-unit-scheduler;
    unit 0 {
        encapsulation ppp-over-ether;
    }
}

pp0 {
    per-unit-scheduler;
    unit 0 {
        (...)
        pppoe-options {
            underlying-interface ge-0/0/3.0;
            (...)
        }
        (...)
    }
}

Scenario 1:

ge-0/0/3 {
    unit 0 {
        scheduler-map Some_scheduler-map;
        shaping-rate 10m;
    }
}

Scenario 2:

pp0 {
    unit 0 {
        scheduler-map Some_scheduler-map;
        shaping-rate 10m;
    }
}

Both configs are "committable", no idea if both work the same...

Thanks in advance!

Regards,

Pawel Mazurkiewicz


Asymmetric route in same zone is blocked

Hi,

I have two SRXs, a 220 and a 320, set up with VRRP and a VPN to another remote location with DPD and failover.

So at the remote location there is one VPN configured with the two IPs of both SRX1 and SRX2, and DPD checks the SRX1 IP: if it is up, the VPN forms with SRX1, and if the IP is not available it tries to form it with SRX2.

Now my problem starts when the VPN fails over to SRX2 and stays on SRX2 even after SRX1 recovers.

Because traffic comes in on SRX2 and exits to the LAN servers, then the LAN servers go to SRX1 due to the VRRP default gateway, and from there back to SRX2 through the back-to-back connection, the flow from the remote site is as follows:

Remote-SRV--->(ge-0/0/7)SRX2(ge-0/0/0)--->Local-SRV--->(ge-0/0/0)SRX1(ge-0/0/2)--->(ge-0/0/2)SRX2(ge-0/0/7)--->Remote-SRV

ge-0/0/2 and ge-0/0/0 are in the same zone. Until now this all worked for me because I didn't really have TCP traffic; all I had was UDP monitoring and pings, so both worked.

Now I need to do some SSH between these two sites and it is not working; it is blocked on SRX1.

To fix it I had to enter "set security flow tcp-session no-syn-check" and "set security flow tcp-session no-sequence-check".

This reduces the security, and I'm asking: is there an option, after SRX1 is back online, to make the VPN go back to SRX1?

I tried to do an event-option by clearing IKE and IPsec but it didn't work; it looks like the remote SRX keeps trying to form it with SRX2.

SRX1400 - large number of hosts, SNAT allocation failure, TCP retransmission

I'm kind of new here; however, I've been studying SRX Junos for about 6 months, and sometimes I find some caveats and this forum is still my support, and I'm thankful for that and for the effort of the community.

However, there's a problem that I've been studying a lot:

We, a public university, have a setup of two SRX1400s in HA with a 10 Gbps link and 1 Gbps of Internet. There are about 30 SNATs for different purposes with approximately 10 to 100 hosts/clients each, and the Internet access is pretty good.

However, there's a SNAT for a public Wi-Fi network that can easily reach 3000 hosts/clients, and the Internet access is really poor (~76% packet loss), while the packet loss on the link (host/client <-> SRX1400 gateway) is 0%. The first problem was the DNS UDP queries: they didn't reach the outside DNS, and the problem started with no domain resolution, then TCP connections weren't made with the external servers. So I brought an interface of our DNS inside the network and the DNS query success rate rose to 100%. So the problem started to become more "tactile".

Next, I checked the CPU load (~0.30, ok), memory (~30% free, ok) and our NAT logs, and saw a lot of this message:

RT_FLOW_SESSION_CLOSE: session closed source NAT allocation failure

Another symptom is the great number of ACK retransmissions.

So...

First, I increased the aging timeout of the session flow:
    set security flow aging early-ageout 20

But no success.

So I tried to understand the process of session creation in the SRX and learned that there's a default limit for each SNAT of 128 concurrent sessions for destination-based. I created a screen to increase this limit; I adjusted some instructions described here:
    https://www.juniper.net/documentation/en_US/junos/topics/concept/denial-of-service-firewall-destination-based-session-limit-understanding.html
    https://www.juniper.net/documentation/en_US/junos/topics/example/denial-of-service-firewall-destination-based-session-limit-setting-cli.html
to increase the destination-based number in the INTERNAL_OPENWIFI zone, so a large number of clients could access the same host at the "same" time.

But I'm still getting these SNAT flow errors (no success).

The number of sessions is ~80000, with ~7000 invalidated sessions (I think this number is pretty high), but the session limit of the SRX is about 2^20 (1048576), so the number of sessions is way below the maximum (I think this is good).

I have the impression that the SRX is doing WFQ (Weighted Fair Queuing) between the SNATs transferring (INTERNAL_{Zone1|Zone2|...|ZoneN} -> UNTRUST), so I think it could be reserving the same bandwidth for SNATs with fewer hosts; however, I didn't find any source to check this or to teach how to "tame" it if this really exists.

If someone could help me with something, it will help us and a lot of users.
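
As an added example (not from the original post), the script below does the two things a practitioner would want before touching session limits: it parses RT_FLOW_SESSION_CLOSE lines, counts "source NAT allocation failure" closes per source zone and source NAT rule, and works out how many concurrent sessions per host a port-translation pool can sustain. The log lines are constructed; their field order follows the structured SRX flow-close message, but the addresses, rule names, zones and counters are made up. The figure of 64,512 usable ports per pool address (port range 1024 to 65535) is an assumption stated in the code.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post). Field order follows the
# RT_FLOW_SESSION_CLOSE message; addresses, rule names, zones and counters are invented.
SAMPLE_LOG = """\
Jun  1 10:00:01 srx1400 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed source NAT allocation failure: 10.20.1.15/51234->203.0.113.10/443 junos-https 0.0.0.0/0->203.0.113.10/443 OPENWIFI_SNAT None 6 openwifi-out INTERNAL_OPENWIFI UNTRUST 0 0(0) 0(0) 0
Jun  1 10:00:01 srx1400 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.10.5.2/40001->198.51.100.7/22 junos-ssh 192.0.2.1/10001->198.51.100.7/22 STAFF_SNAT None 6 staff-out INTERNAL_STAFF UNTRUST 4711 12(1900) 10(2200) 35
Jun  1 10:00:02 srx1400 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed source NAT allocation failure: 10.20.3.77/60010->203.0.113.53/53 junos-dns-udp 0.0.0.0/0->203.0.113.53/53 OPENWIFI_SNAT None 17 openwifi-out INTERNAL_OPENWIFI UNTRUST 0 0(0) 0(0) 0
Jun  1 10:00:03 srx1400 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed source NAT allocation failure: 10.10.5.9/40002->203.0.113.10/443 junos-https 0.0.0.0/0->203.0.113.10/443 STAFF_SNAT None 6 staff-out INTERNAL_STAFF UNTRUST 0 0(0) 0(0) 0
Jun  1 10:00:04 srx1400 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.20.1.16/51235->203.0.113.10/443 junos-https 192.0.2.10/2048->203.0.113.10/443 OPENWIFI_SNAT None 6 openwifi-out INTERNAL_OPENWIFI UNTRUST 4712
"""

SNAT_FAIL = "source NAT allocation failure"

# reason, src->dst, service, nat-src->nat-dst, snat rule, dnat rule, proto, policy, zones
CLOSE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): "
    r"(?P<src>\S+)->(?P<dst>\S+) (?P<service>\S+) "
    r"(?P<nat_src>\S+)->(?P<nat_dst>\S+) "
    r"(?P<snat_rule>\S+) (?P<dnat_rule>\S+) (?P<proto>\d+) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)


def parse_close_events(log_text):
    """Return one dict per RT_FLOW_SESSION_CLOSE line; other messages are ignored."""
    events = []
    for line in log_text.splitlines():
        m = CLOSE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def snat_failures(events):
    """Count SNAT allocation failures keyed by (from-zone, source NAT rule)."""
    counts = Counter()
    for ev in events:
        if ev["reason"] == SNAT_FAIL:
            counts[(ev["from_zone"], ev["snat_rule"])] += 1
    return counts


def failure_ratio(events):
    """Share of session closes that were SNAT allocation failures (0.0 .. 1.0)."""
    if not events:
        return 0.0
    failed = sum(1 for ev in events if ev["reason"] == SNAT_FAIL)
    return failed / len(events)


# Assumption: translated ports 1024..65535 are usable, i.e. 64512 ports per pool address.
PORTS_PER_ADDRESS = 64512


def pool_capacity(pool_addresses, ports_per_address=PORTS_PER_ADDRESS):
    """Maximum simultaneous translations a port-translation pool can hand out."""
    return pool_addresses * ports_per_address


def sessions_per_host(pool_addresses, hosts, ports_per_address=PORTS_PER_ADDRESS):
    """Average concurrent sessions each host can hold before the pool is exhausted."""
    return pool_capacity(pool_addresses, ports_per_address) // hosts


def addresses_needed(hosts, sessions_each, ports_per_address=PORTS_PER_ADDRESS):
    """Pool addresses required for `hosts` clients at `sessions_each` concurrent sessions."""
    needed = hosts * sessions_each
    return -(-needed // ports_per_address)  # ceiling division


if __name__ == "__main__":
    evs = parse_close_events(SAMPLE_LOG)
    for (zone, rule), n in snat_failures(evs).most_common():
        print(f"{zone:<20} {rule:<15} {n}")
    print(f"failure ratio: {failure_ratio(evs):.2f}")
    print(f"one /32 pool, 3000 hosts: {sessions_per_host(1, 3000)} sessions/host")
    print(f"3000 hosts x 50 sessions: {addresses_needed(3000, 50)} pool addresses")
```

Feed it the output of the SRX flow log (syslog export or `show log` of the stream file). If the failures concentrate on one rule, compare the pool size behind that rule (`show security nat source pool all` on the SRX) with what the capacity functions say 3000 clients need; the destination-based session-limit screen the post mentions does not grow the pool, and a single translated address leaves only about 21 concurrent sessions per host at 3000 hosts.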

Confusion on SSH and PAM in SRX

Hi Folks,

I've spent a fair bit of yesterday and today playing around with this. I have reached some confusing conclusions.

Here is the snippet from the SRX CLI:

Using keyboard-interactive authentication.
pam_unix: pam_sm_authenticate: UNIX authentication refused

Access denied
Using keyboard-interactive authentication.

My box doesn't allow the newly created user in, but the old user is accepted. How do I get rid of this issue? Please let me know if you need any further info.

Regarding troubleshooting command for SRX

Hi,

Can anyone let me know what the command below means?

"op find-security-zone ip 1.1.1.1 | grep ABC" (where ABC is the zone name).

Thanks in advance

"How to Set Up Your SRX320 Services Gateway" bears no resemblance to reality?

I have a brand new SRX320. I pulled it out, assembled it, plugged it in, and attempted to follow the "How to Set Up Your SRX320 Services Gateway".

I got a 192.168.1.2 address on port 5, which is *NOT* what the documentation claims.

Okay, so I moved my connection to port 1 and attempted to get to J-Web on 192.168.1.1, but there was no web server on that.

Okay, so I pulled out my serial cable, connected to the management port, and looked at the configuration, which bears no resemblance to what the documentation claims the setup should be.

Did I screw something up when I plugged the hardware in? Was I supposed to hold down a button somewhere?

I managed to get the web management stuff enabled from the serial console after poking at things for about 5 hours, but something seems really broken. If I screwed up, please tell me where I failed. Or, somebody at Juniper really needs to go back over their documentation.

Thanks.

 

sFlow and NetFlow impacts on Juniper SRX3400

I intend to deploy sFlow or NetFlow on my Juniper SRX3400.

Can you tell me the impact of sFlow and NetFlow on my device performance, e.g. CPU, RAM...?

Which one should I choose?

Thank you!

How to check routing-instance forwarding type?

Hi there, I would like to ask.

Since the SRX is able to do policy-based routing (they call it forwarding-based filtering), it is able to forward traffic through a routing table that has been set up in a routing-instance of forwarding type. My question is, how do I check the validity of the routing table for this type of routing-instance? For instance, when I have a virtual-router, I can simply check the route with:

show route table 8.8.8.8

And for further troubleshooting, using a virtual-router at the routing-instance, I am able to track the problem by using traceoptions in this hierarchy:

set security flow traceoptions

Is there any idea how to troubleshoot when applying a forwarding routing-instance on a filter in this hierarchy?

set firewall filter
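
An added example, not from the post, of a forwarding-type instance used for filter-based forwarding together with the checks that show whether the filter is steering traffic and which table it ends up in. The instance name FBF-VR, the filter name fbf-in, the ingress interface ge-0/0/1.0, the next hop 192.0.2.1 and the 10.1.1.0/24 source prefix are assumptions.

```junos
## Added example; instance, filter, interface, prefixes and next hop are assumed.
## Forwarding instance with its own table. A rib-group copies interface routes from inet.0
## into it, otherwise the instance cannot resolve next hops on directly connected subnets.
set routing-instances FBF-VR instance-type forwarding
set routing-instances FBF-VR routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set routing-options rib-groups FBF-RIB import-rib inet.0
set routing-options rib-groups FBF-RIB import-rib FBF-VR.inet.0
set routing-options interface-routes rib-group inet FBF-RIB
## Filter that steers matching traffic into the instance. count and log give you visibility,
## which is what replaces flow traceoptions for the filter itself.
set firewall filter fbf-in term to-fbf from source-address 10.1.1.0/24
set firewall filter fbf-in term to-fbf then count fbf-hits
set firewall filter fbf-in term to-fbf then log
set firewall filter fbf-in term to-fbf then routing-instance FBF-VR
set firewall filter fbf-in term default then accept
set interfaces ge-0/0/1 unit 0 family inet filter input fbf-in
## Verify: the table the instance forwards with, the lookup for a given destination,
## the filter counters, and the last packets the log action recorded.
show route table FBF-VR.inet.0
show route 8.8.8.8 table FBF-VR.inet.0
show firewall filter fbf-in
show firewall log
show security flow session source-prefix 10.1.1.0/24
```

The filter runs before the flow lookup, so the security policy and zone checks still apply to the redirected traffic; a counter that increments while the session is missing usually means the policy, not the route, is dropping it.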

 


Static routes randomly stop working via VPN IPsec tunnel

Hi,

We have a VPN tunnel between two of our offices and one of the SRXs is playing up.

On one side we have an SRX240H running 12.1X46-D67 and on the other side is an SRX210HE running 12.1X46-D40.2.

The issue we're having is on the SRX240H, where static routes randomly stop working. It can be days or weeks before the issue appears.

There are multiple static routes in the routing table. One, two or several of the ten routes will stop working, even though they are in the static route list. These routes go via the VPN tunnel, and the tunnel is still up when this problem happens.

To get them to work again, I need to delete the affected routes, commit the changes, then re-add them. Once committed, some work, some don't. When they still don't work, I need to rearrange the affected routes by moving them higher or lower in the static route list.

Hopefully this makes sense.

Any help would be appreciated.

Thank you.

Access between Security Zones

Dear Forum,

I am going nuts with my problem. Maybe you can give me some hints.
We use an SRX 340 (15.1X49-D120.3).
There is the Internal security zone (irb.10) and the Wlan security zone (irb.20).
From the Wlan security zone we want to access just one server in the Internal security zone.

I created a policy to allow that traffic.
I had in mind that I must also allow host-inbound on the Internal zone (I set it to all) and not NAT the traffic.

The problem is that I can't access that host (I can't even ping the host).

You'll find the config in the attachment.

Many thanks for your help!

Rocksteady
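
An added example, not the poster's attached configuration, of the minimal pieces needed for one-server access from a Wlan zone to an Internal zone, plus the commands that show whether the policy is matched. Zone names, the server address 192.168.10.25, the client address 192.168.20.50 and the services are assumptions.

```junos
## Added example; zone names, addresses and services are assumed.
set security address-book global address srv-internal-01 192.168.10.25/32
set security zones security-zone Wlan interfaces irb.20
set security zones security-zone Internal interfaces irb.10
## host-inbound-traffic only covers traffic addressed to the SRX itself (e.g. pinging irb.10);
## transit traffic from Wlan to the server is governed solely by the policy below.
set security zones security-zone Internal interfaces irb.10 host-inbound-traffic system-services ping
set security policies from-zone Wlan to-zone Internal policy wlan-to-srv match source-address any
set security policies from-zone Wlan to-zone Internal policy wlan-to-srv match destination-address srv-internal-01
set security policies from-zone Wlan to-zone Internal policy wlan-to-srv match application junos-ping
set security policies from-zone Wlan to-zone Internal policy wlan-to-srv match application junos-https
set security policies from-zone Wlan to-zone Internal policy wlan-to-srv then permit
set security policies from-zone Wlan to-zone Internal policy wlan-to-srv then log session-close
## Verify: which policy a given 5-tuple hits, and whether a session is created at all.
show security policies from-zone Wlan to-zone Internal
show security match-policies from-zone Wlan to-zone Internal source-ip 192.168.20.50 destination-ip 192.168.10.25 source-port 40000 destination-port 443 protocol tcp
show security flow session destination-prefix 192.168.10.25
show security nat source rule all
```

If match-policies reports the permit policy and a session exists but the client still gets nothing, the SRX is doing its part: check that the server's default gateway is irb.10 (otherwise replies bypass the session) and that the server's own firewall accepts the 192.168.20.0/24 source, which it will see unchanged because no source NAT rule applies.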

SRX HA Design

Hello Experts,

I am a newbie to the Juniper world. I have a question about setting up an HA pair SRX cluster.

SRX HA Design.JPG

I am planning to do a setup like this. The first thing I want to know is whether this is a valid design.

The reason why I am aiming for an EtherChannel between the SRX and the switch is that there are around 10 different zones that we need to set up in the SRX. I could set each zone on a physical interface in the SRX. What I want to check is whether there is a way to set up a trunk from the switch to the SRX and push the different zones' traffic to the SRX. At the same time I need to set up different reth interfaces for all zones for HA between the SRXs.

To recap, the requirements are:

1) All 10 zones' traffic sent to the SRX using an EtherChannel that carries different VLAN traffic to the SRX

2) Have a proper HA cluster using reth interfaces for 10 different redundancy groups.

Please let me know if you need more details.
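
An added example, not the poster's design, showing one way to meet both requirements: a single reth carrying VLAN sub-units, one zone per sub-unit, with two physical links per node so the switch sees a LAG per node. Interface names follow an SRX340-style cluster (node0 ge-0/0/x, node1 ge-5/0/x); VLAN IDs, addresses and zone names are assumptions. Two points worth knowing before drawing the switch side: a reth belongs to exactly one redundancy group, so "10 redundancy groups" means 10 separate reths, whereas VLAN sub-units on one reth place all zones in one group that fails over together (usually what you want); and the switch needs one port-channel for node0's links and a separate one for node1's links, never one channel spanning both nodes.

```junos
## Added example; interface names, VLAN IDs, addresses and zone names are assumed.
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
## Weight 128 per link: losing both links on the primary node (256 >= 255) triggers failover,
## losing one link does not, because the remaining LAG member still carries traffic.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/2 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 128
## Two child links per node under reth0; LACP runs separately towards each node's port-channel.
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/2 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 10 vlan-id 10
set interfaces reth0 unit 10 family inet address 10.10.10.1/24
set interfaces reth0 unit 20 vlan-id 20
set interfaces reth0 unit 20 family inet address 10.10.20.1/24
## One zone per VLAN sub-unit; repeat for the remaining eight VLANs.
set security zones security-zone zone-vlan10 interfaces reth0.10
set security zones security-zone zone-vlan20 interfaces reth0.20
## Verify cluster state, LACP negotiation per node and the sub-units.
show chassis cluster status
show chassis cluster interfaces
show lacp interfaces reth0
show interfaces reth0 terse
```

If some zones genuinely must fail over independently of the others, give them their own reth and redundancy group; otherwise keeping all VLANs on one reth keeps interface-monitor weights and switch-side channels simple.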

Juniper SRX1500 SSL Proxy capture decrypted traffic

Hi,

I've got a Juniper SRX1500 with SSL proxy up and running. I've imported the certificate to my OS and I can see that my SRX1500 signs the certificates and everything works. URL filtering with AppFW also works (e.g. I can filter .*youtube\.com.*).

Now I want to see the decrypted traffic that the SRX produces for its core to run filters against. How do I capture the decrypted traffic to see what happens there and find some patterns I want to filter by?
