Channel: SRX Services Gateway topics

SRX IPsec client VPN


Hi,

 

Many apologies. This is one part of the configuration I neglected.

 

I need to configure an IPSec VPN for client access. So, for example, we will need access to the ISP Data Network via a VPN but only for work personnel so if any work needs completing from home it can be.

 

The Client VPN package we use is "anyconnect".... Basically, I have no idea how to complete this configuration.

 

Thank you


Routing IRB on SRX


I have two VLANs, and two IRB interfaces for two guest VMs.

Both VLANs are associated with the ge-0/0/5 interface and are in the same DMZ zone.

 

They can't ping each other. What is misconfigured?

Here is the configuration:

 

show vlans
VLAN66 {
vlan-id 66;
l3-interface irb.66;
}
VLAN77 {
vlan-id 77;
l3-interface irb.77;
}

show interfaces irb
unit 66 {
family inet {
address 10.10.66.254/24;
}
}
unit 77 {
family inet {
address 10.10.77.254/24;
}
}

 

 

show security zones security-zone DMZ
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.66;
irb.77;
}

 

Download Speed is Very Slow


Dear All,

The download speed of my network is very slow. Upload speed gets full performance.

My download speed is under 30 kbps every time, even without users. How can I fix this to improve my download speed?

                                                            

Host--->L2 Switch-->L3Switch--->Firewall===>> ISP router 1,ISP router 2

 

My SRX 340 performs dual load balancing across the two ISP links, 20 M each.

Multiple static NAT to same prefix


Hello

 

I have a need to have 2 static NATs going to the same server in the same subnet for a few different servers. An example: 192.168.5.10 needs to have static NATs of 172.2.2.10 & 172.2.2.100. See config below.

 

There are 3 subnets involved in total: 

172.2.2.0/24
10.8.9.0/24
192.168.5.0/24

 

There are 6 servers in 10.8.9.0/24 which I need to communicate with, but in a particular way. See below the bidirectional way that should be allowed. In the 192.168.5.X subnet there are about 4 servers I need to have this setup with; I have given 2 examples below and the others will be similar.

 

Server A

172.2.2.10 <-> 10.8.9.10

172.2.2.10 <-> 10.8.9.11

172.2.2.10 <-> 10.8.9.13

172.2.2.10 <-> 10.8.9.14

172.2.2.100 <-> 10.8.9.100

172.2.2.100 <-> 10.8.9.101

 

Server B

172.2.2.11 <-> 10.8.9.10

172.2.2.11 <-> 10.8.9.11

172.2.2.11 <-> 10.8.9.13

172.2.2.11 <-> 10.8.9.14

 

172.2.2.101 <-> 10.8.9.100

172.2.2.101 <-> 10.8.9.101

 

How can I get it to behave this way? From my understanding, in the current setup below, when 192.168.5.10 goes to communicate with 10.8.9.10 or 10.8.9.100 it will not know which static NAT it should present itself as.

 

 

static {
            rule-set outside_inter {
                from zone outside_inter;
                rule inter1 {
                    description Server1_alpha;
                    match {
                        destination-address 172.2.2.10/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.5.10/32;
                            }
                        }
                    }
                }
                rule inter2 {
                    description Server1_beta;
                    match {
                        destination-address 172.2.2.100/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.5.10/32;
                            }
                        }
                    }
                }
            }
}

 

Problem with NAT Juniper SRX


Hey Guys,

I am currently facing an issue with natting on a Juniper SRX. The topology is as follows:

     SRX  -> VPN-Gateway -> Remote VPN Gateway -> Remote Subnet

SRX LAN 10.1.1.1/24 -> Source Server (10.1.1.246)

SRX DMZ 10.2.2.1/24 -> connects to VPN-Gateway (10.2.2.2)

Remote Server (10.3.3.1)

Subnet that needs to be used: 10.4.4.2/24

 

The VPN-Gateway is building the VPN; the Juniper SRX only routes packets destined for the remote subnet (10.3.3.1) to the VPN-Gateway. The problem now is the following. The remote side states that we need to use a specific subnet for the VPN connection. This cannot be done on the VPN-Gateway side and needs to be done on the SRX. My idea was to route 10.4.4.2/24 to the SRX DMZ interface (the interface that connects the SRX DMZ to the VPN-Gateway). Then I set a static route like this on the SRX: route 10.4.4.2/24 next-hop 10.1.1.1, so that the zone lookup should work fine and 10.4.4.2 looks up to the trust zone.

 

Communication is needed in both directions, from the source server to the remote server and the other way around.

 

Then I configured source and destination NATs and security policies (any/any).

 

Natting (Source):

[edit security nat source]
+ pool XYZ {
+ address {
+ 10.4.4.2/32;
+ }
+ }
[edit security nat source rule-set Trust to DMZ]
+ rule Source_NAT {
+ match {
+ source-address 10.1.1.246/32;
+ destination-address 10.3.3.1/32;
+ }
+ then {
+ source-nat {
+ pool {
+ XYZ;
+ }

 

Natting (Destination)

+ static {
+ rule-set blabla {
+ from zone DMZ;
+ rule r1 {
+ match {
+ destination-address 10.4.4.2/32;
+ }
+ then {
+ static-nat {
+ prefix { 
+ 10.1.1.246/32;

 

I then checked with a show security flow session source-prefix 10.1.1.246 and an ICMP request to the remote server to check if everything was working. I saw that natting took place, but I did not get any received bytes back. Also I saw that all originating traffic from 10.1.1.246 was natted to 10.4.4.2. I think this is related to the static NAT. I think using destination NAT with match "any" and a "pool" with just the IP address without services would have been better here, correct?

 

Is the idea of setting a static route for a non-existent subnet to the trust IP of the FW working?

 

Looking Forward to your Feedback, have a great day ahead.
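The behaviour reported in this post (every packet from 10.1.1.246 toward the DMZ being translated to 10.4.4.2, not just the flow to 10.3.3.1) follows from the order in which an SRX evaluates NAT: static NAT rules are matched first and are bidirectional, then destination NAT, then source NAT. The Python below is an added model of that order written for this page; it is not Junos code. It uses the addresses from the post, assumes the zone names `trust` and `DMZ`, and contrasts the configuration as posted with the alternative the poster proposes (a destination NAT pool plus a source NAT rule scoped to the remote server).

```python
"""Simplified model of SRX NAT evaluation order: static NAT (bidirectional)
first, then destination NAT, then source NAT.  Constructed example for this
page, not Junos code; addresses come from the post, the zone names 'trust'
and 'DMZ' are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    from_zone: str   # ingress zone
    to_zone: str     # egress zone after route lookup


@dataclass(frozen=True)
class StaticRule:
    from_zone: str   # rule-set "from zone"
    match_dst: str   # destination-address matched in the forward direction
    prefix: str      # real address it maps to


@dataclass(frozen=True)
class DestRule:
    from_zone: str
    match_dst: str
    pool: str


@dataclass(frozen=True)
class SourceRule:
    from_zone: str
    to_zone: str
    match_src: str
    match_dst: str   # "any" or one host
    pool: str


@dataclass(frozen=True)
class NatSetup:
    static: tuple = ()
    destination: tuple = ()
    source: tuple = ()


def translate(pkt: Packet, setup: NatSetup):
    """Return (src, dst, applied) after NAT; 'applied' records which stage fired."""
    src, dst, applied = pkt.src, pkt.dst, []
    # 1. static NAT: the forward leg rewrites the destination; the reverse leg
    #    rewrites the source of anything the real host sends toward the
    #    rule-set's zone, whatever the destination.
    for r in setup.static:
        if pkt.from_zone == r.from_zone and dst == r.match_dst:
            dst, applied = r.prefix, ["static-dst"]
            break
        if pkt.to_zone == r.from_zone and src == r.prefix:
            src, applied = r.match_dst, ["static-src"]
            break
    # 2. destination NAT: one-directional; skipped if static NAT already rewrote dst
    if "static-dst" not in applied:
        for r in setup.destination:
            if pkt.from_zone == r.from_zone and dst == r.match_dst:
                dst = r.pool
                applied.append("dst")
                break
    # 3. source NAT: skipped if static NAT already rewrote src; matched on the
    #    destination as it stands after step 2 (an assumption of this model)
    if "static-src" not in applied:
        for r in setup.source:
            if ((pkt.from_zone, pkt.to_zone) == (r.from_zone, r.to_zone)
                    and src == r.match_src and r.match_dst in ("any", dst)):
                src = r.pool
                applied.append("src")
                break
    return src, dst, tuple(applied)


# Configuration as posted: static NAT 10.4.4.2 <-> 10.1.1.246 plus a source NAT rule
AS_POSTED = NatSetup(
    static=(StaticRule("DMZ", "10.4.4.2", "10.1.1.246"),),
    source=(SourceRule("trust", "DMZ", "10.1.1.246", "10.3.3.1", "10.4.4.2"),),
)
# Alternative the poster suggests: a destination NAT pool instead of static NAT
ALTERNATIVE = NatSetup(
    destination=(DestRule("DMZ", "10.4.4.2", "10.1.1.246"),),
    source=AS_POSTED.source,
)

OUT_TO_REMOTE = Packet("10.1.1.246", "10.3.3.1", "trust", "DMZ")
OUT_TO_GATEWAY = Packet("10.1.1.246", "10.2.2.2", "trust", "DMZ")  # unrelated DMZ traffic
IN_FROM_REMOTE = Packet("10.3.3.1", "10.4.4.2", "DMZ", "trust")

if __name__ == "__main__":
    for name, setup in (("as posted", AS_POSTED), ("alternative", ALTERNATIVE)):
        for pkt in (OUT_TO_REMOTE, OUT_TO_GATEWAY, IN_FROM_REMOTE):
            print(f"{name:12} {pkt.src} -> {pkt.dst}  =>  {translate(pkt, setup)}")
```

With the configuration as posted, `OUT_TO_GATEWAY` is rewritten to 10.4.4.2 even though no source NAT rule matches it, because the static rule's reverse leg fires first; with the alternative, only the flow to 10.3.3.1 is translated and the inbound flow to 10.4.4.2 still lands on 10.1.1.246.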

 

 

SRX240 Virtual Chassis - Master firewall maxed out


Hi there, 

 

We have 2 SRX240 firewalls which work together as a VC. We've found recently (within the last year) that when logging in and performing commands (such as show, commit, etc.) the firewall is slow, and commits take about 2 minutes to complete. It was much faster in the past.

 

Running some commands I can see the first firewall (master) is pretty much maxed out and the second one isn't as busy:

 

show chassis routing-engine
node0:
--------------------------------------------------------------------------
Routing Engine status:
Temperature 42 degrees C / 107 degrees F
CPU temperature 40 degrees C / 104 degrees F
Total memory 2048 MB Max 1208 MB used ( 59 percent)
Control plane memory 1104 MB Max 552 MB used ( 50 percent)
Data plane memory 944 MB Max 651 MB used ( 69 percent)
CPU utilization:
User 45 percent
Background 0 percent
Kernel 52 percent
Interrupt 2 percent
Idle 1 percent
Model RE-SRX240H2
Serial ID ACLY9411
Start time 2017-10-01 13:55:47 UTC
Uptime 170 days, 1 hour, 38 minutes, 47 seconds
Last reboot reason Router rebooted after a normal shutdown.
Load averages: 1 minute 5 minute 15 minute
2.85 2.57 2.47

node1:
--------------------------------------------------------------------------
Routing Engine status:
Temperature 40 degrees C / 104 degrees F
CPU temperature 40 degrees C / 104 degrees F
Total memory 2048 MB Max 1024 MB used ( 50 percent)
Control plane memory 1104 MB Max 375 MB used ( 34 percent)
Data plane memory 944 MB Max 651 MB used ( 69 percent)
CPU utilization:
User 10 percent
Background 0 percent
Kernel 9 percent
Interrupt 0 percent
Idle 80 percent
Model RE-SRX240H2
Serial ID ACLY9169
Start time 2017-10-01 13:34:41 UTC
Uptime 170 days, 1 hour, 38 minutes, 30 seconds
Last reboot reason Router rebooted after a normal shutdown.
Load averages: 1 minute 5 minute 15 minute
0.18 0.24 0.28

 

Looking at what processes are taking up resources, I've found:

 

show system processes extensive node 0

 

PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1402 root 1 77 0 13720K 6532K select 0 140.9H 7518.75% rtlogd
1396 root 7 76 0 994M 58280K RUN 0 ??? 292.38% flowd_octeon_hm
1060 root 1 120 0 19336K 11336K RUN 0 759.4H 35.30% eventd
1450 root 1 83 0 28540K 13416K RUN 0 221.6H 12.01% mib2d
1451 root 1 77 0 24960K 17696K select 0 119.3H 2.25% snmpd
22 root 1 171 52 0K 16K RUN 0 1493.1 0.00% idle: cpu0

 

And some more tests:

 

show security monitoring performance spu


node0:
--------------------------------------------------------------------------
fpc 0 pic 0
Last 60 seconds:
0: 93 1: 94 2: 90 3: 90 4: 71 5: 74
6: 70 7: 71 8: 85 9: 79 10: 75 11: 72
12: 71 13: 70 14: 74 15: 73 16: 80 17: 73
18: 79 19: 76 20: 65 21: 70 22: 73 23: 63
24: 83 25: 63 26: 67 27: 76 28: 78 29: 67
30: 72 31: 58 32: 66 33: 75 34: 63 35: 70
36: 74 37: 75 38: 72 39: 74 40: 72 41: 70
42: 72 43: 81 44: 70 45: 73 46: 68 47: 67
48: 79 49: 77 50: 72 51: 65 52: 63 53: 63
54: 71 55: 75 56: 66 57: 67 58: 72 59: 72

node1:
--------------------------------------------------------------------------
fpc 0 pic 0
Last 60 seconds:
0: 9 1: 10 2: 13 3: 6 4: 10 5: 9
6: 11 7: 10 8: 13 9: 13 10: 11 11: 12
12: 13 13: 12 14: 11 15: 10 16: 8 17: 11
18: 7 19: 13 20: 17 21: 9 22: 6 23: 8
24: 9 25: 8 26: 6 27: 11 28: 8 29: 11
30: 9 31: 10 32: 6 33: 6 34: 7 35: 6
36: 6 37: 6 38: 9 39: 8 40: 7 41: 6
42: 7 43: 5 44: 6 45: 5 46: 7 47: 6
48: 13 49: 15 50: 8 51: 8 52: 7 53: 5
54: 7 55: 6 56: 6 57: 6 58: 9 59: 5

 

Can anyone recommend what we can do to help performance? Or to have the 2nd firewall do more work.

 

Thank you,

Vishal

Problem when enable enhanced mode


I have one pair of SRX and configured enhanced mode on a group, and applied it on both nodes.

After that I rebooted all SRX in the cluster, but an error is still shown:

 

root@SRX-Primary# commit check
node0:
configuration check succeeds
node1:
warning: You have changed enhanced services mode.You must reboot the system for your change to take effect.If you have deployed a cluster, be sure to reboot all nodes.
[edit security policies from-zone trust to-zone untrust policy skyatp then permit]
'application-services'
Error in processing secintel policy: Please configure security forwarding-process enhanced-services-mode and reboot.
error: configuration check-out failed
node0:
error: remote commit-configuration failed on node1
error: configuration check-out failed

 

 

SRX220H2 upgrading fails


Hi there,

 

I'm trying to upgrade my SRX220H2 to the latest firmware version:

 

12.3X48-D65

 

Currently I have:

 

--- JUNOS 12.1X46-D72.2 built 2017-12-23 09:11:03 UTC

 

During the upgrade process I got this:

 

platform srx220h for 12.1X47 and higher is not supported.

 

 

I have the same hardware and chassis cluster in another location:

 

There I upgraded the cluster successfully, but in two steps:

 

  1. upgrade to 12.1x46-d65.4

  2. then upgrade to 12.3x48-d65.1.

 

 

Why is it not working for the upgrade from 12.1X46-D72.2?

 

log:

/var/tmp/incoming-package.5246                        1103 kB 1103 kBps
Package contains junos-12.3X48-D65.1.tgz ; renaming ...
NOTICE: Validating configuration against junos-12.3X48-D65.1.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 299.7MB (613852 sectors) block size 16384, fragment size 2048
    using 4 cylinder groups of 74.94MB, 4796 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
 32, 153504, 306976, 460448
Extracting /var/tmp/junos-12.3X48-D65.1.tgz ...
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProductionEc_2017 method ECDSA
veriexec: cannot bless /packages/junos-12.1X46-D72.2-domestic: Authentication error
Verified junos-12.1X46-D72.2-domestic signed by PackageProductionEc_2017 method ECDSA
Using junos-12.3X48-D65.1-domestic from /altroot/cf/packages/install-tmp/junos-12.3X48-D65.1-domestic
Copying package ...
ERROR: Unsupported platform srx220h for 12.1X47 and higher
ERROR: validate-config: junos/+REQUIRE fails
WARNING: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-12.3X48-D65.1-domestic

 

version:

>>>> show version      
node0:
--------------------------------------------------------------------------
Hostname: gwoffice
Model: srx220h
JUNOS Software Release [12.1X46-D72.2]

node1:
--------------------------------------------------------------------------
Hostname: gwoffice
Model: srx220h
JUNOS Software Release [12.1X46-D72.2]

 

 

>>>>>> show chassis hardware
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AQxxAAxxxx      SRX220H
Routing Engine   REV 21   750-031175   AAFTxxxx          RE-SRX220H
FPC 0                                                    FPC
  PIC 0                                                  8x GE Base PIC
Power Supply 0  

node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AQxxxxAAxxxx      SRX220H
Routing Engine   REV 21   750-031175   AADNxxxx          RE-SRX220H
FPC 0                                                    FPC
  PIC 0                                                  8x GE Base PIC
Power Supply 0  

 

I'd appreciate any help.


ppmd and CPU 100%


Hi,


As the SRX is currently not being utilised, other than for ISIS traffic and the UDP 1812, 1813 and 1814 authentication process, I am a little concerned that the J-Web "resource utilization" shows 100%, stating that kernel = 62%, users = 28% and interrupt = 10%.


When I use the shell and run a "top" command, the process I can see using anything above 10% is ppmd. I don't know exactly what is causing J-Web to show utilisation at 100% when the CPU is not doing anything.

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
1568 root 1 139 0 9816K 7140K RUN 786:44 46.00% ppmd
1561 root 1 4 0 91356K 32952K kqread 320:45 18.99% rpd
1559 root 1 79 0 23068K 18004K select 174:11 8.50% snmpd
1336 root 1 76 0 5724K 3468K select 58:59 2.98% eventd
1619 root 1 76 0 5476K 2456K select 421:51 0.00% sysctlrelayd
1614 root 7 76 0 20908K 5656K select 86:47 0.00% aamwd
1591 root 1 8 0 2312K 1528K wait 73:32 0.00% sh
1580 root 1 76 0 92896K 25652K select 35:16 0.00% authd
1564 root 1 76 0 47572K 18776K select 27:41 0.00% pfed
1625 root 1 76 0 9384K 4276K select 24:20 0.00% license-check
1579 root 1 76 0 86300K 12112K select 13:08 0.00% jdhcpd
1560 root 1 76 0 32460K 15060K select 12:27 0.00% mib2d
1562 root 1 76 0 22532K 8336K select 12:04 0.00% l2ald
1555 root 1 76 0 39488K 14228K select 10:29 0.00% chassisd
1586 root 1 76 0 12612K 3640K select 8:20 0.00% shm-rtsdbd
1613 root 7 8 0 96356K 6336K nanslp 4:31 0.00% ipfd

Thanks
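Both this post and the SRX240 virtual-chassis post above paste `show system processes extensive` / `top` tables and then ask which processes are to blame. The Python below is an added example for this page (not Juniper tooling) that parses that table shape, handles the optional `C` column and multi-word commands such as `idle: cpu0`, and lists the processes at or above a WCPU threshold. The two sample tables are the ones quoted in the two posts.

```python
"""Parse Junos 'show system processes extensive' / top output and list the
processes above a WCPU threshold.  Added example for this page, not Juniper
tooling; the two sample tables are the ones quoted in the posts above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    user: str
    threads: int
    res_kib: int
    state: str
    wcpu: float
    command: str


_UNIT = {"K": 1, "M": 1024, "G": 1024 * 1024}


def _to_kib(size: str) -> int:
    """'58280K' -> 58280, '994M' -> 1017856; a bare number is taken as KiB."""
    unit = size[-1].upper()
    return int(float(size[:-1]) * _UNIT[unit]) if unit in _UNIT else int(size)


def parse_processes(text: str) -> list:
    procs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 10 or not tokens[0].isdigit():
            continue  # header, blank line or stray prose
        pct = [i for i, t in enumerate(tokens) if t.endswith("%")]
        if not pct:
            continue
        # WCPU is the rightmost '%' token and COMMAND is everything after it.
        # Working from the right tolerates the optional 'C' column and names
        # like 'idle: cpu0'; the '???' in the TIME column is simply skipped.
        i = pct[-1]
        procs.append(Proc(pid=int(tokens[0]), user=tokens[1], threads=int(tokens[2]),
                          res_kib=_to_kib(tokens[6]), state=tokens[7],
                          wcpu=float(tokens[i][:-1]), command=" ".join(tokens[i + 1:])))
    return procs


def hot_processes(procs, threshold: float = 10.0):
    """(command, wcpu) pairs at or above the threshold, busiest first, idle excluded.
    WCPU is a weighted figure that can exceed 100% for multi-threaded daemons; a
    value in the thousands (rtlogd below) is itself worth reporting as an anomaly."""
    hot = [p for p in procs if p.wcpu >= threshold and not p.command.startswith("idle")]
    return [(p.command, p.wcpu) for p in sorted(hot, key=lambda p: p.wcpu, reverse=True)]


NODE0_TABLE = """\
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1402 root 1 77 0 13720K 6532K select 0 140.9H 7518.75% rtlogd
1396 root 7 76 0 994M 58280K RUN 0 ??? 292.38% flowd_octeon_hm
1060 root 1 120 0 19336K 11336K RUN 0 759.4H 35.30% eventd
1450 root 1 83 0 28540K 13416K RUN 0 221.6H 12.01% mib2d
1451 root 1 77 0 24960K 17696K select 0 119.3H 2.25% snmpd
22 root 1 171 52 0K 16K RUN 0 1493.1 0.00% idle: cpu0
"""

PPMD_TABLE = """\
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
1568 root 1 139 0 9816K 7140K RUN 786:44 46.00% ppmd
1561 root 1 4 0 91356K 32952K kqread 320:45 18.99% rpd
1559 root 1 79 0 23068K 18004K select 174:11 8.50% snmpd
1336 root 1 76 0 5724K 3468K select 58:59 2.98% eventd
1619 root 1 76 0 5476K 2456K select 421:51 0.00% sysctlrelayd
"""

if __name__ == "__main__":
    for label, table in (("node0", NODE0_TABLE), ("ppmd box", PPMD_TABLE)):
        print(label, hot_processes(parse_processes(table)))
```

Pipe the output of `show system processes extensive` into `parse_processes` and the threshold check becomes a repeatable monitoring step rather than eyeballing a table; on the node0 sample it isolates rtlogd and flowd_octeon_hm, on the second ppmd and rpd.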

 

 

Logical system policies limitations in SRX5400


Can anyone please tell me how many security policies, NAT and zones can be reserved for a logical system? Are there any limitations?

 

Thanks in advance

IP Interface used by bootp helper


Hi,

I have 2 SRX210s with helper bootp configured on interface vlan.12/13 with server 10.111.136.6.

Both have:
set interfaces vlan unit 12 family inet primary
set interfaces vlan unit 12 family inet address 10.111.185.1/25 primary

set interfaces vlan unit 13 family inet primary
set interfaces vlan unit 13 family inet address 10.111.182.1/25 primary

No lo0 interface configured.

Location 1:

DHCP request from network 10.111.182.0/25

10.111.182.1 and 192.168.250.50 are configured on the same SRX210 in different VLANs
Tracing route to 10.111.136.6 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.111.182.1     <-- from this location I see this IP
  2     1 ms     1 ms     1 ms  192.168.250.50
  3     1 ms     1 ms     1 ms  192.168.136.10
  4     2 ms     2 ms     2 ms  10.111.136.241
  5     1 ms     1 ms     1 ms  10.111.136.6

Log from: 192.168.136.10
RT_FLOW_SESSION_CREATE: session created 10.111.182.1/67->10.111.136.6/67 junos-dhcp-server

Location 2:

DHCP request from network 10.111.185.0/25

10.111.185.1 and 192.168.251.10 are configured on the same SRX210 in different VLANs
Tracing route to 10.111.136.6 over a maximum of 30 hops
  1     1 ms     1 ms    <1 ms  10.111.185.1
  2     1 ms     1 ms     1 ms  192.168.251.9  <-- from this location I see IP of this network 192.168.251.10/30
  3     1 ms     1 ms     1 ms  192.168.136.10
  4     2 ms     2 ms     2 ms  10.111.136.241
  5     1 ms     1 ms     1 ms  10.111.136.6

Log from: 192.168.136.10
RT_FLOW_SESSION_CREATE: session created 192.168.251.10/67->10.111.136.6/67 junos-dhcp-server

 

Why do I see the gateway IP in one case and the IP of the interconnection network in the other?

Ike phase 2 not coming up --- error Address based phase 2 SA-CFG lookup failed for local:x.x.x.x, remote:y.y.y.y IKEv1. Error 34


Hello,

I am trying to establish a VPN, and I have phase 1 established, but on phase 2 I'm getting these errors.

Would you please have a look and advise what might cause it ?

 

Inside iked_pm_phase2_sa_cfg_lookup
Address based phase 2 SA-CFG lookup failed for local:x.x.x.x, remote:y.y.y.y IKEv1. Error 34
SA-CFG lookup for Phase 2 failed for local:x.x.x.x, remote:y.y.y.y IKEv1

 

Regards,

Vlad

 

 

Ip Monitoring not working with NAT


Hello Folks,

 

I have created a test setup with an SRX300 with dual ISP failover.

Ziggo is the default ISP and is connected through ge-0/0/0.0 with next-hop 10.255.255.254

DSL is secondary and is connected through ge-0/0/1.0 with next-hop 10.255.253.254

Both interfaces are in the same zone

I have a strange issue.

When I deactivate the services section I can ping 8.8.8.8 from 10.255.255.131 (my current ge-0/0/0.0 address)

When I activate the services section I cannot ping 8.8.8.8 from 10.255.255.131

When I set the target address to, for example, an address within the subnet of the WAN interface and use no next-hop address, the RPM is working, but I want to monitor an address in another subnet.

 

Thanks in advance

 

The result is that the ip-monitoring status is FAIL

root# run show services ip-monitoring status

Policy - test (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Ziggo/0.0              test-1          8.8.8.8          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         10.255.253.254   APPLIED

These are the current routes

inet.0: 7 destinations, 10 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/1] 00:03:05, metric2 0
                    > to 10.255.253.254 via ge-0/0/1.0
                    [Static/5] 01:56:50> to 10.255.255.254 via ge-0/0/0.0
                    [Access-internal/12] 01:08:01> to 10.255.253.254 via ge-0/0/1.0
                    [Access-internal/12] 01:56:50> to 10.255.255.254 via ge-0/0/0.0
10.0.0.0/24        *[Direct/0] 01:57:07> via ge-0/0/5.0
10.0.0.254/32      *[Local/0] 01:57:07
                      Local via ge-0/0/5.0
10.255.253.0/24    *[Direct/0] 01:08:01> via ge-0/0/1.0
10.255.253.22/32   *[Local/0] 01:08:01
                      Local via ge-0/0/1.0
10.255.255.0/24    *[Direct/0] 01:56:50> via ge-0/0/0.0
10.255.255.131/32  *[Local/0] 01:56:50
                      Local via ge-0/0/0.0

These are the interfaces

root# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.255.255.131/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.255.253.22/24
ge-0/0/2                up    down
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    up
ge-0/0/5.0              up    up   inet     10.0.0.254/24
ge-0/0/6                up    down
ge-0/0/7                up    down
gre                     up    up
ipip                    up    up
irb                     up    up
jsrv                    up    up
jsrv.1                  up    up   inet     128.0.0.127/2
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

This is the current configuration

version 15.1X49-D120.3;

services {
    rpm {
        probe Ziggo/0.0 {
            test test-1 {
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 2;
                test-interval 2;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/0.0;
                next-hop 10.255.255.254;
            }
        }
    }
    ip-monitoring {
        policy test {
            match {
                rpm-probe Ziggo/0.0;
            }
            then {
                preferred-route {
                    route 0.0.0.0/0 {
                        next-hop 10.255.253.254;
                    }
                }
            }
        }
    }
}
security {
    nat {
        source {
            rule-set SNAT {
                from zone Data;
                to zone Internet;
                rule 10 {
                    match {
                        source-address 10.0.0.0/24;
                        destination-address 0.0.0.0/0;
                        application any;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Data to-zone Internet {
            policy allow-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internet {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ssh;
                    https;
                }
            }
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
            }
        }
        security-zone Data {
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                    ping;
                    ssh;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 10.0.0.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.255.255.254;
    }
}

 

Any idea about kernel: ae_linkstate_ifd_change


Recently the following log has been encountered on one of the high-end SRXs. It is noted that it relates to the physical interface ge-5/3/9, while the interface is up/up in the output of >sh int ge-5/3 terse. Any idea please?

 

 

>show log messages | match ge-5/3/9

/kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
rpd[2740]: Decode ifd ge-5/3/9 index 172: ifdm_flags 0xc001
rpd[2740]: EVENT <UpDown> ge-5/3/9.0 index 101 <Broadcast Multicast> address #0 0.10.db.ff.b0.0
rpd[2740]: EVENT <UpDown> ge-5/3/9 index 172 <Broadcast Multicast> address #0 0.10.db.ff.b0.0
mib2d[2796]: SNMP_TRAP_LINK_DOWN: ifIndex 680, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-5/3/9
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
/kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
rpd[2740]: Decode ifd ge-5/3/9 index 172: ifdm_flags 0xc000
rpd[2740]: EVENT <UpDown> ge-5/3/9.0 index 101 <Up Broadcast Multicast> address #0 0.10.db.ff.b0.0
rpd[2740]: EVENT <UpDown> ge-5/3/9 index 172 <Up Broadcast Multicast> address #0 0.10.db.ff.b0.0
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 680, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-5/3/9
mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 681, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-5/3/9.0
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
/kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
rpd[2740]: Decode ifd ge-5/3/9 index 172: ifdm_flags 0xc001

-------------------------------00000000000------------------------------------------

 >show interfaces ge-5/3/9 terse
Interface               Admin Link Proto    Local                 Remote
ge-5/3/9                up    up
ge-5/3/9.0              up    up   aenet    --> reth0.0
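Each MDOWN/MUP in the log above appears once from the Routing Engine kernel (`/kernel:`) and once more from every SPC PIC, so counting raw matches overstates how often the link actually flapped. The Python below is an added example for this page (not Juniper tooling) of the kind of check a practitioner would run over `show log messages` output: it counts only the RE kernel transitions per reth member, tallies the PIC echoes separately, cross-checks against the mib2d link traps, and flags interfaces that went down more than once. The sample lines are reconstructed from the output quoted in this post, which had already been stripped of timestamps and hostnames.

```python
"""Count reth-member link transitions in Junos 'show log messages' output.
Added example for this page, not Juniper tooling.  The sample lines are
reconstructed from the post above (timestamps and hostnames were already
stripped there)."""
import re
from collections import defaultdict

AE_EVENT = re.compile(
    r"ae_linkstate_ifd_change: (MDOWN|MUP) received for interface (\S+), member of (\S+)")
RE_KERNEL = re.compile(r"(?:^|\s)/kernel: ")   # the Routing Engine's own copy
SNMP_TRAP = re.compile(r"(SNMP_TRAP_LINK_(?:DOWN|UP)): ifIndex (\d+),.*?ifName (\S+)")


def _new_record():
    return {"parent": None, "events": [], "pic_replays": 0, "traps": []}


def parse_link_events(lines):
    """Per-interface record.  Only the '/kernel:' line counts as a transition; the
    same message echoed by each SPC PIC is tallied as a replay so it is not
    mistaken for additional flaps."""
    records = defaultdict(_new_record)
    for line in lines:
        m = AE_EVENT.search(line)
        if m:
            state, ifd, parent = m.groups()
            rec = records[ifd]
            rec["parent"] = parent
            if RE_KERNEL.search(line):
                rec["events"].append(state)
            else:
                rec["pic_replays"] += 1
            continue
        t = SNMP_TRAP.search(line)
        if t:
            trap, _ifindex, ifname = t.groups()
            records[ifname]["traps"].append(trap)
    return dict(records)


def flapping_interfaces(records, min_down_events=2):
    """Interfaces the RE saw go down at least min_down_events times, sorted."""
    return sorted(ifd for ifd, rec in records.items()
                  if rec["events"].count("MDOWN") >= min_down_events)


def _pic_lines(state):
    # One echo of the RE message per SPC PIC, in the order the post shows them
    return [f"(FPC Slot 0, PIC Slot {n}) SPC0_PIC{n} kernel: ae_linkstate_ifd_change: "
            f"{state} received for interface ge-5/3/9, member of reth0" for n in (2, 1, 0, 3)]


SAMPLE_LOG = (
    ["/kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0",
     "rpd[2740]: Decode ifd ge-5/3/9 index 172: ifdm_flags 0xc001",
     "mib2d[2796]: SNMP_TRAP_LINK_DOWN: ifIndex 680, ifAdminStatus up(1), "
     "ifOperStatus down(2), ifName ge-5/3/9"]
    + _pic_lines("MDOWN")
    + ["/kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0"]
    + _pic_lines("MUP")
    + ["mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 680, ifAdminStatus up(1), "
       "ifOperStatus up(1), ifName ge-5/3/9",
       "mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 681, ifAdminStatus up(1), "
       "ifOperStatus up(1), ifName ge-5/3/9.0",
       "/kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0"]
)

if __name__ == "__main__":
    recs = parse_link_events(SAMPLE_LOG)
    for ifd, rec in recs.items():
        print(ifd, rec)
    print("flapping:", flapping_interfaces(recs))
```

On the sample the member interface records three RE transitions (down, up, down) against eight PIC echoes, so it is reported as flapping; a link that bounces like this on a reth member can trigger redundancy-group monitoring, which is why it is worth catching from the log even when `show interfaces terse` currently says up/up.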

 

 

SRX340 DHCP and Cisco WLC relay - No network access to clients


Hi,

 

I have configured a new SRX 340 with DHCP and VLANs for internal and guest access. I cannot get the DHCP clients to access the network when using wifi. LAN DHCP is fine. However, if the clients are configured with static IPs (both wired and wireless) the connectivity is alright.

I have a Cisco WLC configured as DHCP proxy, and it was working fine with an SRX240 which had a similar config. DHCP bindings seem ok. The SRX240 is with vlans not irb, with the old dhcp not the new.

 

Tried with DHCP option 43 too. Is anyone using a Cisco WLC as DHCP relay for an SRX340 DHCP server?

 

set vlans VLAN10 vlan-id 10
set vlans VLAN10 l3-interface irb.10

 

set interfaces irb unit 10 family inet address 192.168.10.1/24

set system services dhcp pool 192.168.10.0/24 address-range low 192.168.10.10 high 192.168.10.50
set system services dhcp pool 192.168.10.0/24 name-server 8.8.8.8
set system services dhcp pool 192.168.10.0/24 router 192.168.10.1

 

set security nat source rule-set guest-wifi-ap from zone FC-GUEST-NET

set security nat source rule-set guest-wifi-ap to zone untrust-zone

 

set security policies from-zone FC-GUEST-NET to-zone untrust-zone policy FC-GUEST-NET match source-address any
set security policies from-zone FC-GUEST-NET to-zone untrust-zone policy FC-GUEST-NET match destination-address any
set security policies from-zone FC-GUEST-NET to-zone untrust-zone policy FC-GUEST-NET match application any
set security policies from-zone FC-GUEST-NET to-zone untrust-zone policy FC-GUEST-NET then permit


set security zones security-zone FC-GUEST-NET interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone FC-GUEST-NET interfaces irb.10 host-inbound-traffic system-services dhcp

 

Similar config for other vlans.

 

 


is it possible block mac-address using zone-to-zone policy in SRX5800?


Hi all,

 

May I know if it is possible to block a MAC address using a zone-to-zone policy in SRX5800? If zone-to-zone cannot be used, is there another way to achieve it on the SRX5800 with family inet?

 

Thanks, and I appreciate any feedback

security policy based on HTTP HEADER


Can I set a security policy to block traffic based on the HTTP Host header in an HTTP request?

SRX 3400 high CPU issue


Hi, we have a Juniper SRX 3400 firewall; as you see in the attachment it has only 38% sessions and its CPU is at 99%...
Can anyone suggest what we should do? Also find the output of the command:

 show system processes extensive

in attachment.

 

These SRX 3400 are deployed in HA as an Active/Passive mode.

 

Thanks

 

 

SRX345 Cluster - reth interface members


Hi,
I hope somebody can help me with this setup.

There is a cluster of two SRX345s and two non-stackable switches. For redundancy, each SRX node must be connected to each switch. The current configuration does not work. How can I make it work correctly?

 

 

interfaces {
   ge-0/0/6 {
      gigether-options {
         redundant-parent reth6;
      }
   }
   ge-0/0/7 {
      gigether-options {
         redundant-parent reth6;
      }
   }
   ge-5/0/6 {
      gigether-options {
         redundant-parent reth6;
      }
   }
   ge-5/0/7 {
      gigether-options {
         redundant-parent reth6;
      }
   }
   fab0 {
      fabric-options {
         member-interfaces {
            ge-0/0/2;
         }
      }
   }
   fab1 {
      fabric-options {
         member-interfaces {
            ge-5/0/2;
         }
      }
   }
   reth6 {
      description switch-trunk;
      vlan-tagging;
      redundant-ether-options {
         redundancy-group 1;
      }
      unit 2 {
         vlan-id 2;
         family inet {
            address 192.168.2.1/24;
         }
      }
      unit 4 {
         vlan-id 4;
         family inet {
            address 192.168.4.1/24;
         }
      }
   }
}

 

Prepare CA for SSL Proxy configuration


Hi 

I would like to configure SSL Proxy, so a certificate is required.

I have no CA in the test environment.

 

Could you guide me through the steps to configure a root CA, generate a CSR, send the CSR to the CA, load the certificate on the SRX and import the certificate to the client? I've generated the key on the SRX already.

 

 
