Channel: SRX Services Gateway topics

Issues while upgrading SRX 5600 from [12.1X46-D40.2] to 15.x


Hi

 

I am trying to upgrade my SRX 5600 from 12.1X46-D40.2 to 15.X49-d120.3 and I am using the following command

request system software add /var/tmp/junos-srx5000-15.1X49-D120.3-domestic.tgz no-copy no-validate reboot

Installing package '/var/tmp/junos-srx5000-15.1X49-D120.3-domestic.tgz' ...
Verified junos-boot-srx5000-15.1X49-D120.3.tgz signed by PackageProductionRSA_2017 method RSA
Verified junos-srx5000-15.1X49-D120.3-domestic signed by PackageProductionRSA_2017 method RSA
Verified junos-boot-srx5000-15.1X49-D120.3.tgz signed by PackageProductionRSA_2017 method RSA
Verified junos-srx5000-15.1X49-D120.3-domestic signed by PackageProductionRSA_2017 method RSA
Available space: 403374 require: 595368

WARNING: The /cf filesystem is low on free disk space.
WARNING: This package requires 595368k free, but there
WARNING: is only 403374k available.

WARNING: This installation attempt will be aborted.
WARNING: If you wish to force the installation despite these warnings
WARNING: you may use the 'force' option on the command line.
ERROR: junos-15.1X49-D120.3-domestic fails requirements check
Installation failed for package '/var/tmp/junos-srx5000-15.1X49-D120.3-domestic.tgz'

 

I deleted all the unnecessary files but still get only 398M. How do I proceed further?

root@Sree-SRX-5600% pwd
/cf
root@Sree-SRX-5600% du -hs *
3.2M   boot
2.0K   dev
836K   etc
  0B   kernel
  0B   kernel.old
 18K   opt
398M   packages
 16K   root
134K   sbin
 14K   usr
 40K   var

 

Can I directly upgrade from 12.1x46-d40.2 to the new version or should I do it in phases? Should I also upgrade my firmware? Can I erase the existing OS, reformat the SRX and freshly install 15.x version directly?

 

show system firmware                                    
Part             Type           Tag Current   Available Status
                                    version   version
FPC 3            ROM Monitor 0  0   9.5.1               OK                
FPC 5            ROM Monitor 0  0   9.5.1               OK                
  PIC 0          SPU ROM Monito 0   9.4.2               OK                
Routing Engine 0 RE BIOS        0   1.5                 OK   

 

Please help


Conference call QoS Setup


Hello everyone.

 

I have 2 ISPs connected to 2 Juniper SRX345s in H.A. connected to a couple of EX4000 series switches as the MDF. My question is how can I set up QoS/CoS for Skype for Business and conference calls? Does Juniper classify Skype traffic as VoIP? Even with minimal network usage, conference calls are still laggy and sometimes drop out altogether.

 

Is the first option sufficient for what I'm looking for?

https://www.juniper.net/us/en/local/pdf/app-notes/3500182-en.pdf

 

Thank you.

Packet capture/ TCP dump on SRX 650


Hi everyone,

 

Is the TCP dump/packet capture feature on SRX 650 for transit traffic or just for traffic destined/sourced from/to SRX?

 

Thanks and have a nice evening!!

 

 

 

Dynamic VPN - Pulse secure VS NCP


Hi 

I am trying to test the dynamic VPN function on SRX 3xx (version 15.1X49 D100).

But what's the difference between Pulse Secure and NCP? Which one should I select?

 

Regards,

 

Add a second SRX240 to network


Hi everyone.

 

I have a network with different subnets for the users that can't communicate with each other (this is a requirement from our clients), and a central subnet for the servers that everyone can reach (for domain authentication, file server, printers, and so on). So far, so good, everything is working as well as it should. Now I have to expand the network and add a second Firewall SRX240 with other subnets, including a new servers subnet, because my current Firewall has no ports available.

 

In the attached topology I drew only the main subnets as an example, but all the ports on the Firewall FW01 are already in use; only Ge-0/0/15 is available.

 

- In FW01 I added a new zone called "Link", set Ge-0/0/15.0 as a member and set the policies to permit traffic both ways to the other zones/interfaces. Then when I connected a notebook to this port with the NIC configured in this subnet, I could ping and access the other subnets.

- In FW02 there are already policies that permit traffic between the Ge-0/0/0.0 and Ge-0/0/1.0 interface zones, but I can't ping from the 172.32.1.0/24 LAN to the others in FW01.


What am I missing here? How can I accomplish this?

(PS: Sorry for the grammar mistakes, English is not my native language.)

Selectively disable DNS ALG


Hi, guys,


I have a DNS server outside of SRX, DNS clients (our partner) will come in from a dedicated connection/security zone, and we advertise 1.1.1.0/24 over the dedicated link to our partner. Here is how it works: "serviceA.example.com" resides in the trust zone with private IP 10.10.10.10, its corresponding public "A" record is 1.1.1.1 (SRX has a static NAT between 1.1.1.1 and 10.10.10.10), our partner's DNS queries will go through SRX, and DNS ALG is disabled, so when the DNS response comes back, the client will think "serviceA.example.com" is at 1.1.1.1, which they have a route to via the private connection. All works well.

 

Now we offer "serviceB.example.com", which resides in a public cloud; say its IPs are 2.2.2.2 and 2.2.2.3 for DNS load balancing. The partner would also want to access this serviceB via the same direct connection. No problem, I just statically map 2.2.2.2 to 1.1.1.2 and 2.2.2.3 to 1.1.1.3 on SRX and ask the partner to send requests to 1.1.1.2 and 1.1.1.3 (plus source PAT for return traffic). The problem is I don't want to statically add the new serviceB entry points 1.1.1.2 and 1.1.1.3 to our public DNS, i.e. I want to use the existing DNS entries, the reason being that it has health check/load balancing etc. built in. So in this case I want DNS ALG enabled: when the partner gets a DNS answer, this IP (either 1.1.1.2 or 1.1.1.3) is guaranteed to be healthy.

 

So the question is how can I solve this problem of selectively disabling DNS ALG? Or is there any alternative solution?

 

Thanks,

icmp on destination nat rule


Our client recently requested that we implement the following rule:

Source 150.140.197.110 (remote)
destination IP 140.200.20.40 (DMZ)
port 3299 and icmp to be allowed through
destination NAT translated to 192.168.1.1

So the flow diagram would be as follows:

Internet (untrusted) 203.58.11.1 ----->Juniper DMZ firewall (Destination NAT Pool 192.168.1.1) ---->Trusted (destination) 192.168.1.1

After implementing we are seeing denies in the firewall log from External_Zone to External_Zone; basically, NAT translation is not happening from 140.200.20.40 to 192.168.1.1.
Clearly adding the icmp in the destination rule set broke the session, but the customer wants icmp.
So the question here is: what is the best practice to allow icmp in a destination NAT rule set? If it is not recommended, what would be the best practice to allow icmp?

 

 


destination nat happening on the interface

So user with source IP 203.58.11.1

 

###configuration entered for NAT###


set security nat destination pool wss-sapag1 address 192.168.1.1/32
set security nat destination rule-set destination-dmz rule nat-dmz match destination-address 140.200.20.40/32
set security nat destination rule-set destination-dmz rule nat-dmz match destination-port 3299
set security nat destination rule-set destination-dmz rule nat-dmz match protocol icmp
set security nat destination rule-set destination-dmz rule nat-dmz then destination-nat pool wss-sapag1

######
The "show security nat destination rule all" command shows IP protocol icmp

user@DMZ_firewall> show security nat destination rule a all

Destination NAT rule: nat-dmz Rule-set: destination-dmz
Rule-Id : 12
Rule position : 12
From interface : ge-2/0/0.1755
: ge-2/0/0.1757
: ge-2/0/0.1758
Destination addresses : 140.200.20.40 - 140.200.20.40
Destination port : 3299 - 3299
IP protocol : icmp
Action : wss-sapag1
Translation hits : 4531
Successful sessions : 4531
Failed sessions : 0
Number of sessions : 0


###########
The DMZ firewall log shows traffic hitting the global deny policy, so the destination NAT is not working.


Mar 14 14:40:31 DMZ_firewall JUNOS: RT_FLOW: RT_FLOW_SESSION_DENY: session denied 169.145.197.110/21376->140.200.20.40/3299 None 6(0) deny-all-log(global) External_Zone External_Zone UNKNOWN U

Allow ping from RE and PFE to internet


Hi

 

Which one is the source interface when pinging from the RE or PFE to the internet: the loopback IP or the fxp0 IP?

If I want to create a policy to allow ping from the RE or PFE to the internet, do I have to create a new policy (junos host)? Can you share an example with me?

 

Thanks!

 

 


traceoption seeing policy lookup twice.


Hi there, I have another question regarding the use of traceoption.

I saw in the log that the SRX did the policy lookup twice. The details are as follows. (Image: to-2lookup.PNG)

So as a result, the SRX dropped the packet.

What is the cause of that?

IPsec ikev1 PSK Client


Hi all

 

Maybe somebody has experience with other VPN clients that support IPsec/IKEv1 with PSK. At the moment I use the NCP Exclusive Remote Access Client with success, no issue there. Works very well. But I don't agree why I have to buy Remote Access IPsec VPN Clients from Juniper and at the same time I have to buy the NCP Client as well (which is not cheap, around 100US$ per client).

I also tried the VPNC Client with success but to me it seems outdated (DH Group 1/2/5).

Is there another (freeware would be good) VPN client out there which covers my needs?

Sure, I can implement IKEv2 with certificate authentication, but I want to try the PSK solution first.

 

Many thanks for your Input,

Ben

 

IPSEC IKEV2 Pico Cell Provisioning via DHCP


Hi Experts,

I found one SRX IPsec VPN guide, linked below; it explains very clearly how to set up SRX for Pico Cell Provisioning.

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-pico-cell-provisioning-understanding.html

In the example, the SRX acquires the IPsec client/Pico provisioning information (IP address, DNS server IP...) from a RADIUS server; it also supports acquiring client provisioning information from a DHCP server via the RADIUS server.

My question is whether SRX supports acquiring the IPsec client/Pico provisioning information directly from DHCP, e.g. via DHCP recovery and offer?

 

Many thanks !

BRs

Cainiao

SRX Kernel issue


Hello everyone,

 

So I have an SRX240 that was pulled from a production network. After holding down the reset config button to blow the configs away, I get the issue below regarding not being able to load the kernel. I have tried disabling watchdog. I currently don't have internet access nor any way to connect it to a TFTP server. I do however have a machine with a USB port and a USB drive. I have attempted to install a few images, but all resulted in the same messages below.

 

Any help would be greatly appreciated.

Thank you.

 

 

U-Boot 1.1.6-JNPR-2.1 (Build time: Jul  4 2011 - 03:55:46)

SRX_240_HIGHMEM board revision major:0, minor:31, serial #: AAAM9214
OCTEON CN5230R-SCP pass 2.0, Core clock: 600 MHz, DDR clock: 333 MHz (666 Mhz data rate)
DRAM:  1024 MB
Starting Memory POST...
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash:  4 MB
USB:   scanning bus for devices...
Root Hub 0: 4 USB Device(s) found
Root Hub 1: 1 USB Device(s) found
       scanning bus for storage devices... 2 Storage Device(s) found
Clearing DRAM........ done
BIST check passed.
1:00:00.0 Vendor/Device ID = 0x811210b5
1:01:07.0 Vendor/Device ID = 0xc72414e4
Boot Media: nand-flash usb
Net:   octeth0
POST Passed
Press SPACE to abort autoboot in 1 seconds
ELF file is 32 bit
Loading .text @ 0x8f000078 (245596 bytes)
Loading .rodata @ 0x8f03bfd4 (13940 bytes)
Loading .rodata.str1.4 @ 0x8f03f648 (16648 bytes)
Loading set_Xcommand_set @ 0x8f043750 (100 bytes)
Loading .rodata.cst4 @ 0x8f0437b4 (20 bytes)
Loading .data @ 0x8f044000 (5608 bytes)
Loading .data.rel.ro @ 0x8f0455e8 (120 bytes)
Loading .data.rel @ 0x8f045660 (136 bytes)
Clearing .bss @ 0x8f0456e8 (11656 bytes)
## Starting application at 0x8f000078 ...
Consoles: U-Boot console
Found compatible API, ver. 2.1

FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.1
(builder@chamuth.juniper.net, Mon Jul  4 03:14:10 UTC 2011)
Memory: 1024MB
[1]Booting from nand-flash slice 1
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ not found

U-Boot Exception, Cause: 4
Failed to load kernel.
zero: 00000000  at: acedbade    v0: 00000000    v1: aaaaaaaa
a0: 8f05fd70    a1: ffffffaa    a2: 00000028    a3: ffffffaa
t0: 8f060388    t1: 8f0603b0    t2: 8f047210    t3: 00000000
t4: 00000000    t5: fffffffc    t6: 800aa4f0    t7: 800af834
t8: 00000080    t9: 800573b4    s0: 00000000    s1: 8f066778
s2: 8f066728    s3: 00000000    s4: 00000000    s5: 8f066e60
s6: 8f0403d4    s7: 00000000    k0: aaaaaaaa    k1: aaaaaaaa
gp: 800aaa20    sp: 8f011c50    s8: 00000001    ra: 8f01eb90
sr: 504000e7    mullo: 0000000e mulhi: 000000e0 badvaddr: ffffa16c
cause: 40008010 pc: 00000a04


U-Boot 1.1.6-JNPR-2.1 (Build time: Jul  4 2011 - 03:55:46)

SRX_240_HIGHMEM board revision major:0, minor:31, serial #: AAAM9214
OCTEON CN5230R-SCP pass 2.0, Core clock: 600 MHz, DDR clock: 333 MHz (666 Mhz data rate)
DRAM:  1024 MB
Starting Memory POST...
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash:  4 MB
USB:   scanning bus for devices...
Root Hub 0: 4 USB Device(s) found
Root Hub 1: 1 USB Device(s) found
       scanning bus for storage devices... 2 Storage Device(s) found
Clearing DRAM........ done
BIST check passed.
1:00:00.0 Vendor/Device ID = 0x811210b5
1:01:07.0 Vendor/Device ID = 0xc72414e4
Boot Media: nand-flash usb
Net:   octeth0
POST Passed
Press SPACE to abort autoboot in 1 seconds
ELF file is 32 bit
Loading .text @ 0x8f000078 (245596 bytes)
Loading .rodata @ 0x8f03bfd4 (13940 bytes)
Loading .rodata.str1.4 @ 0x8f03f648 (16648 bytes)
Loading set_Xcommand_set @ 0x8f043750 (100 bytes)
Loading .rodata.cst4 @ 0x8f0437b4 (20 bytes)
Loading .data @ 0x8f044000 (5608 bytes)
Loading .data.rel.ro @ 0x8f0455e8 (120 bytes)
Loading .data.rel @ 0x8f045660 (136 bytes)
Clearing .bss @ 0x8f0456e8 (11656 bytes)
## Starting application at 0x8f000078 ...
Consoles: U-Boot console
Found compatible API, ver. 2.1

FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.1
(builder@chamuth.juniper.net, Mon Jul  4 03:14:10 UTC 2011)
Memory: 1024MB
[2]Booting from usb slice 1
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
\
can't load '/kernel'
can't load '/kernel.old'
Press Enter to stop auto bootsequencing and to enter loader prompt.
 

 

Enabling DHCP option 66


Hello, I am trying to add an option 66 to some current configuration, and I am getting an error:

 

"Incompatible with the dhcp server configured under 'system services dhcp'"

 

The configuration I am trying to add is 

 

set system services dhcp boot-server "ADDRESS" 

 

or

 

set system services dhcp option 66 string "ADDRESS" 

 

The current DHCP configuration is: 

 

set system services dhcp-local-server group EAST interface irb.10
set system services dhcp-local-server group SOUTH interface irb.11
set system services dhcp-local-server group WEST interface irb.12
set system services dhcp-local-server group NORTH interface irb.13
set system services dhcp-local-server group PICO1 interface irb.14
set system services dhcp-local-server group PICO2 interface irb.15
set system services dhcp-local-server group PICO3 interface irb.16
set system services dhcp-local-server group PICO4 interface irb.17
set system services dhcp-local-server group SMDHCP interface irb.247
set access address-assignment pool EAST-POOL family inet network 10.30.10.0/24
set access address-assignment pool EAST-POOL family inet range EAST-RANGE low 10.30.10.2
set access address-assignment pool EAST-POOL family inet range EAST-RANGE high 10.30.10.254
set access address-assignment pool EAST-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool EAST-POOL family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool EAST-POOL family inet dhcp-attributes router 10.30.10.1
set access address-assignment pool EAST-POOL family inet dhcp-attributes propagate-settings irb.10
set access address-assignment pool SOUTH-POOL family inet network 10.30.11.0/24
set access address-assignment pool SOUTH-POOL family inet range SOUTH-RANGE low 10.30.11.2
set access address-assignment pool SOUTH-POOL family inet range SOUTH-RANGE high 10.30.11.254
set access address-assignment pool SOUTH-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool SOUTH-POOL family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool SOUTH-POOL family inet dhcp-attributes router 10.30.11.1
set access address-assignment pool SOUTH-POOL family inet dhcp-attributes propagate-settings irb.11
set access address-assignment pool WEST-POOL family inet network 10.30.12.0/24
set access address-assignment pool WEST-POOL family inet range WEST-RANGE low 10.30.12.2
set access address-assignment pool WEST-POOL family inet range WEST-RANGE high 10.30.12.254
set access address-assignment pool WEST-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool WEST-POOL family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool WEST-POOL family inet dhcp-attributes router 10.30.12.1
set access address-assignment pool WEST-POOL family inet dhcp-attributes propagate-settings irb.12
set access address-assignment pool NORTH-POOL family inet network 10.30.13.0/24
set access address-assignment pool NORTH-POOL family inet range NORTH-RANGE low 10.30.13.2
set access address-assignment pool NORTH-POOL family inet range NORTH-RANGE high 10.30.13.254
set access address-assignment pool NORTH-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool NORTH-POOL family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool NORTH-POOL family inet dhcp-attributes router 10.30.13.1
set access address-assignment pool NORTH-POOL family inet dhcp-attributes propagate-settings irb.13
set access address-assignment pool PICO1-POOL family inet network 10.30.14.0/24
set access address-assignment pool PICO1-POOL family inet range PICO1-RANGE low 10.30.14.2
set access address-assignment pool PICO1-POOL family inet range PICO1-RANGE high 10.30.14.254
set access address-assignment pool PICO1-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool PICO1-POOL family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool PICO1-POOL family inet dhcp-attributes router 10.30.14.1
set access address-assignment pool PICO1-POOL family inet dhcp-attributes propagate-settings irb.14
set access address-assignment pool PICO2-POOL family inet network 10.30.15.0/24
set access address-assignment pool PICO2-POOL family inet range PICO2-RANGE low 10.30.15.2
set access address-assignment pool PICO2-POOL family inet range PICO2-RANGE high 10.30.15.254
set access address-assignment pool PICO2-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool PICO2-POOL family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool PICO2-POOL family inet dhcp-attributes router 10.30.15.1
set access address-assignment pool PICO2-POOL family inet dhcp-attributes propagate-settings irb.15
set access address-assignment pool PICO3-POOL family inet network 10.30.16.0/24
set access address-assignment pool PICO3-POOL family inet range PICO3-RANGE low 10.30.16.2
set access address-assignment pool PICO3-POOL family inet range PICO3-RANGE high 10.30.16.254
set access address-assignment pool PICO3-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool PICO3-POOL family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool PICO3-POOL family inet dhcp-attributes router 10.30.16.1
set access address-assignment pool PICO3-POOL family inet dhcp-attributes propagate-settings irb.16
set access address-assignment pool PICO4-POOL family inet network 10.30.17.0/24
set access address-assignment pool PICO4-POOL family inet range PICO4-RANGE low 10.30.17.2
set access address-assignment pool PICO4-POOL family inet range PICO4-RANGE high 10.30.17.254
set access address-assignment pool PICO4-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool PICO4-POOL family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool PICO4-POOL family inet dhcp-attributes router 10.30.17.1
set access address-assignment pool PICO4-POOL family inet dhcp-attributes propagate-settings irb.17
set access address-assignment pool SM-POOL family inet network 10.30.0.0/23
set access address-assignment pool SM-POOL family inet range SM-RANGE low 10.30.0.2
set access address-assignment pool SM-POOL family inet range SM-RANGE high 10.30.1.254
set access address-assignment pool SM-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool SM-POOL family inet dhcp-attributes name-server 8.8.4.4
set access address-assignment pool SM-POOL family inet dhcp-attributes router 10.30.0.1
set access address-assignment pool SM-POOL family inet dhcp-attributes propagate-settings irb.247

I am not sure what exactly is causing the issue, I tried adding the configuration to each group as well, but I receive a syntax error as soon as I add "group" to the end of the command.

 

Thank you ahead of time for the assistance!

Interface Monitor - SRX HA Cluster


Hello Experts,

I am looking for advice regarding setting up interface monitoring in a HA cluster with multiple sub-interfaces.

reth1                   up    up
reth1.1                 up    up   inet     10.10.11.1/24   
reth1.2                 up    up   inet     10.10.12.1/24   
reth1.3                 up    up   inet     10.10.13.1/24   
reth1.4                 up    up   inet     10.10.14.1/24   


user@FW> show configuration chassis cluster redundancy-group 1 
node 0 priority 254;
preempt;
interface-monitor {
    reth1 weight 255;
}

The interface-monitor just says reth1. Does it mean that even if reth1.1 or 1.4 goes down, then that traffic will be moved over to the standby FW?

CLI Configuration help Srx300 Srx220


Hi all, I had submitted a help document but could not find it again, so I started another.

What I'm trying to do is create ports for different items. I have scanned off a diagram of what I'm attempting to accomplish.

I have 2 firewalls: one is an SRX 300 and the other is an SRX 220h.

I am not good at all with the command line interface that the 2 SRX devices use, I am very new to them, but this is the only thing that I have left to program.

I am using for the primary output on erpro-8 172.16.0.1/19; that is my DHCP and DNS. I would like to have all the network devices get addresses through erpro-8, however I would like the SRX firewall to have different zones for security on each one. For instance, dmz only goes out to configure the dmz, but all communication from dmz is blocked to prevent connection into trusted lan. dmz has a managed switch that will have to be accessible from time to time. I would like to have help on both the SRX firewalls. The NAS switch will need to be accessible as well and have the DLNA port open for media into both wireless (zone-director) and wired (GSM7242v2).

I know this is asking a lot but I'm desperate, I am lost with these and I'm new to them. Thank you all for the help. Matt


source NAT


Hi everyone,

 

Is it possible to NAT one source private IP address to many source public IP addresses?

I have a proxy server with a private IP and I would like to NAT this IP to many (a pool of) public IPs. Is it possible?

 

Thanks in advance.

Upgrading SRX question


Hi everyone.

Let's say we have a JUNOS install file in the VAR/TMP folder. When we use the command request system software add var/tmp/ FILE NAME, are we loading the file into the "Packages" folder on flash?

 

Thanks and have a nice weekend!!

 

Capture-23.PNG

TLS on https didn't reply the hello from server.


I have a problem regarding the connection for transit https traffic. We've attempted to dump using PCAP by setting up the datapath-debug. The following is the result of the PCAP.

TCP dump, failed TLS.

At this point the source host sends the hello packet to the server. But it seems the server didn't reply with a hello packet to the client. The following should depict a successful TLS connection.

tcpdump-success.jpeg

Is there something not configured on SRX?

How to migrate the configuration from global to logical system


Recently we purchased a logical system license and installed it in our SRX5400. Is there any way to easily migrate the existing configuration of the SRX (without logical system) into the logical system on the same device? Please advise me.

Proxy ARP and DNAT is successful but cannot ping or access from Local Network


Dear All,

I got an error, please help me to fix it. I configured proxy ARP and DNAT in my network. It is working. I can access some of my servers from the outside network by using the public IP. But I cannot access the servers configured with DNAT from the local network by using the public IP. If I want to access those servers from local I have to use the internal IP. I cannot not access those servers if I use the internal IP. I cannot ping from local to the public IP that is assigned or mapped to the servers to get access from outside.

May I know why the route cannot get back to internal? Why can it be accessed from outside?
