Hello,
I noticed that I made a mistake in the subject. It should be SRX340.
Hi all,
I've got my exam this week. If you know of any last-minute study material, please let me know.
I have an application which continues to send traffic between the source and destination as long as the current session is not interrupted. This application was running using an any/any rule between two zones. Due to some security concerns the rule was deleted six months ago. All of a sudden one day the service owner came to us and told us that the application was not working. On checking we found that the policy was no longer in place. We installed a new policy and the issue was fixed. Even the application logs say that the communication stopped only recently, i.e. after six months.
Question: if we remove a policy for which an existing session with continuous traffic exists, will the existing session be removed or not? If it is not removed, do we need to clear the existing sessions manually?
To solve this you have to enable "policy-rematch" under security policies; otherwise existing sessions are kept open until they time out. With policy-rematch enabled, existing sessions will be re-evaluated against the newly updated ruleset.
SRX345 with Junos 15.1X49-D170.4
I have a setup with a VPN tunnel on the external interface (ge-0/0/8.0). This is working fine. Now I want to set up a second tunnel to a different customer. I created a second IKE gateway.
IKE gateway for the existing tunnel (the remote is behind a provider with dynamic IPs):
gateway IKE-GW-VSE {
    ike-policy IKE-POL;
    dynamic hostname srx345-e16;
    dead-peer-detection {
        always-send;
        interval 15;
        threshold 3;
    }
    external-interface ge-0/0/8.0;
    version v2-only;
}
Now the gateway for the new tunnel:
gateway IKE-GW-JMU {
    ike-policy IKE-POL-JMU;
    address 1.2.3.4;
    dead-peer-detection {
        always-send;
        interval 15;
        threshold 3;
    }
    local-identity key-id keylocal;
    remote-identity key-id keyremote;
    external-interface ge-0/0/8.0;
    version v2-only;
}
I now expect incoming calls from 1.2.3.4 for ID keylocal, coming from the remote host with remote key keyremote, to go to IKE gateway IKE-GW-JMU. However, the trace shows:
[Oct 27 13:17:46]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway matching local addr IKE-GW-VSE for remote dynamic peer, sa_cfg[VSE-PT]
So the incoming call is associated with the wrong IKE gateway, and obviously no SA is established.
How do I handle this situation?
Thanks for your help.
Turned out to be a filter on the Loopback.
Howdy, I see this has come up a few times in the past, and some have had success following the previously documented steps, but I have not. This is an eBay-purchased device and was supposed to kick off my collection of Juniper equipment to learn on. Obviously JTAC is not an option.
The SRX240H2 appears functional: I have link lights on the ge ports when I plug something in, so without actual testing it "looked" OK. However, going through the setup process, I found that the Ethernet ports are not passing any data at all, just making an electrical connection.
I consoled into the device and only the "internal" interfaces are showing, no ge- interfaces at all. Attempting to do a 'show chassis hardware' (and pretty much most other commands under 'show chassis') returns "error: the chassis-control subsystem is not running". I have followed the steps below, previously suggested in another post by ScreenJun, with zero success. I am about to return the item but wanted to give it one last go to get it running, as it was a great value.
Please confirm/execute the following steps to recover:
1. Confirm if any configuration is on the box using {show configuration}
2. If yes, delete & execute: show chassis hardware
3. If 2 result is -ve, execute "restart chassis-control immediately"
4. Execute: show chassis hardware
5. If 4 result is -ve, execute "request system zeroize". [You need console as it would wipe off all info on the device including logs.]
6. upon restart, execute: show chassis hardware
7. If 6 is -ve, reinstall firmware version.
Logs indicate that the system tries to restart chassis-control, which appears to spawn security-intelligence and l2cpd-services, but every time it fails with "chassis-control ... terminated by signal number 13!". Signal 13 is SIGPIPE, which indicates the process died while trying to send data to another process it had spawned. This pattern repeats three times and then it gives up due to 'thrashing'.
Any other suggestions that might recover this prior to shipping it back to the seller?
Hi,
Did you already try to reformat/reinstall that box?
Thanks
wrote: Did you already try to reformat/reinstall that box?
Hi, I believe so. I've done both the 'request system zeroize media' and also 'request system software add ...', if those are the steps you are referring to. Just to be sure, I reinstalled it again off USB from the bootloader; currently installed is 12.1X46-D86.
The problem is solved. The remote site used IKEv1, and there is a chance of race conditions that might lead to using the wrong gateway if one VPN is dynamic and the other isn't. I was told so by Juniper support. However, properly setting up IKEv2 avoids this situation.
We need an answer to this as well.
@jonashauge It seems the delete policy operation will make sure that existing sessions are re-checked under all scenarios, whereas policy-rematch will be beneficial for session re-checking when any modification of the policy (deletion, renaming, adding new configuration inside an existing policy) happens. Considering this, there is no possible way in which an existing session can survive policy deletion. This will tear down any existing session that matches the policy instantaneously (since there are no other policies to permit that specific traffic).
And Microsoft plans to remove Flash...
https://www.zdnet.com/article/new-windows-10-update-permanently-removes-adobe-flash/
It urgently needs some attention, despite the fact that the CLI is still the way to manage it. Some of our management folks use it because it's all very pretty.
Hi, I'm a newbie and I'm learning all the time 🙂 I have the SRX 240H. Is it possible to somehow set up DHCP to provide ONLY the addresses entered in static bindings?
Scenario: there are access points (WiFi) on one of the VLANs and I would like only the addresses entered into the static bindings to be handed out by DHCP, so that nobody who is not entered there would receive an address and access to the Internet (not being known in RADIUS).
Can you give me a hint?
If you restrict your range to only the addresses you manually specify then you will have achieved your desired result.
I have the SRX 240H. I would like to create one WiFi VLAN to which the access points will be connected. But since students, staff and teachers will connect via WiFi, I would like to separate them somehow in order to be able to manage them properly and grant permissions or prohibit access to something.
Would it be a good idea to create one VLAN with an address pool, e.g. 192.168.80.0/22, which gives me 4 subnets (192.168.80.0/24, 192.168.81.0/24, 192.168.82.0/24, 192.168.83.0/24), and then allocate in DHCP according to:
192.168.80.0/24 - students
192.168.81.0/24 - teachers
192.168.82.0/24 - employees
192.168.83.0/24 - guests
And then I could apply the appropriate per-subnet restrictions.
Hello,
From my point of view you are overcomplicating the situation by trying to combine what should be separated.
The SRX is a switch/router and firewall, so I would create individual VLANs per department: a zone per functionality and an IP range per your needs.
Having a strong firewall feature set (zones), you should be in a position to create rules the way you need them,
limiting the time, volume and speed of the relevant departments.
BR,
Andrei
OK. Maybe you're right.
Scenario: SRX--switch--AP
And how do I transfer all these VLANs to the access points? I have UniFi Ubiquiti LR APs plus a UBI Key controller, and I do not know if they will accept a TRUNK, because the point is to be able to connect to all APs from different VLANs or subnets...
I can of course set up a TRUNK between the SRX and the switch (to which the access points are attached), but how do I extend all these VLANs to the individual ports?
Unless it is:
Hello, I'm a newbie and I'm just starting my adventure with SRXs ;)
My hardware: SRX 240H (JUNOS Software Release [12.1X44-D40.2])
I would like to set up several sub-VLANs or subnets on one physical interface, e.g. ge-0/0/6.
Here is a description of my idea: something like multiple VLANs. I read that it can be done with irb.
I made two irb units but I don't know how to connect them to one VLAN or physical interface. Can you give me a hint? Maybe I made a mistake.
irb {
    unit 1 {
        family inet {
            address 192.168.200.1/24;
        }
    }
    unit 2 {
        family inet {
            address 192.168.201.1/24;
        }
    }
}
Hello,
Ok, now the picture looks better.
So step by step.
1. You do not need the WiFi access point to be able to handle VLANs; you have a switch in between.
The switch will do this job. It will have:
a) An access port (VLAN WIFI) towards the WiFi AP
b) Access port(s) (one VLAN per department) facing the relevant CPEs/users
c) A trunk port (permitting all VLANs or only a subset, up to you) towards the SRX
2. The SRX in your case will be able to handle this in a few ways. Unfortunately, the IRB interfaces were introduced in later releases, so you will have to deal with VLAN interfaces (the logic is the same).
I see at least two ways to achieve it (it all depends on how you are looking to use your SRX for the end customers):
1. Sub-interfaces on the SRX. The port facing the switch will be "sliced" into sub-interfaces; the port itself is the trunk.
EX:
interfaces {
    ge-0/0/0 {
        description "Facing Switch";
        vlan-tagging;
        unit 100 {
            description "[WIFI] IP used to reach the WWW";
            vlan-id 100;
            family inet {
                address 10.10.10.1/27;
            }
        }
        unit 200 {
            description "[STUDENTS]";
            vlan-id 200;
            family inet {
                address 10.20.20.1/27;
            }
        }
        unit 300 {
            description "[GUESTS]";
            vlan-id 300;
            family inet {
                address 100.100.100.1/29;
            }
        }
    }
}
This way makes it a bit difficult to use the SRX as a "switch" for those VLANs, as you will need to deal with bridge groups and the overall setup will be a bit complicated. But your sub-interfaces will be able to participate in routing (actively) and other features.
2. The VLAN interfaces.
Your SRX port facing the switch is a trunk (with all or selected members):
interfaces {
    ge-0/0/0 {
        description "Facing Switch";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
}
And your VLAN interfaces are:
vlans {
    Local-Lan {
        vlan-id 100;
        l3-interface vlan.100;
    }
}
/* unit number must match the l3-interface reference above (vlan.100) */
vlan {
    unit 100 {
        description "[WIFI]";
        family inet {
            address 10.10.10.1/27;
        }
    }
}
In this way you will be able to re-use some ports on the SRX as customer-facing ports.
Please also consider the future development you are planning for your networks, as VLAN interfaces vs. sub-interfaces may have limitations under different feature sets.
BR
Andrei
Hello,
I think it was answered already under
BR,
Andrei
Hi Juniper Team,
Where can I ask for a feature upgrade regarding our Juniper Configurator and Quote Tool?
The tool is straightforward for us to navigate. However, it is quite time-consuming as it reloads right after you select each option or try to input a character in each field. Is it possible to change this approach? For example, the page could load at the end of the transaction, or right after I have completed filling in all required fields.
Regards,
Your Pre-Sales SE
Hello,
I can see that the SRX-SYS-JE includes Application Security, so my question is: what is the benefit of this, as the premium flex license includes it, and the advanced one as well?
The SRX-SYS-JE SKUs only provide a perpetual license for Application Security, which is also included in the flex subscriptions (A1, A2, A3, P1, P2 and P3). So if you need flex subscriptions anyway, just go with the SYS-JB hardware SKUs.
Secondly, the SYS-JE will probably be phased out soon, so in general always look at SYS-JB plus flex licenses on all new installations.
You can start by sending your inputs to EMEA-Channel-Support-Configurator@juniper.net; they should be able to pass the request to the right people.
Secondly, I'm a part of the technical advisory board on this tool and will raise the request as well at our next meeting, but no promises that it can be changed, as I see some validation being done at each step. But overall I agree: it takes too long if you try to add multiple types of transceivers.
Can anyone help with this, please?
Thanks jonashauge for the clarification.
Is there any announcement of its end of life?
Hi, can I do bandwidth monitoring on the SRX (like MRTG on Linux), something like this?
I know the SRX has its own web server as well. Or maybe it can make SNMP data available to the monitoring server... Do you have any hints? Can it be done, and how?
On Linux with MRTG it was done like this:
#---------------------------------------------------------------
# eth0
#---------------------------------------------------------------
PageTop[eth0]: <center><h2>monitoring bandwidth</h2>
Target[eth0]: `/usr/bin/mrtg-ip-acct`
MaxBytes[eth0]: 125000000
kilo[eth0]: 1024
Options[eth0]: nobanner, noborder, growright, nopercent, bits, noinfo, integer
YLegend[eth0]: bits per second
ShortLegend[eth0]: b/s
WithPeak[eth0]: ymwd
Background[eth0]: #f0f0f0
Colours[eth0]:AQUA#00ccff,BLUE#1000ff, DARK GREEN#006600,VIOLET#ff00ff
#Colours[eth0]: GREEN#30c030,BLUE#1000ff,DARK GREEN#006600,VIOLET#ff00ff
XSize[eth0]: 500
YSize[eth0]: 200
XScale[eth0]: 1.5
YScale[eth0]: 1.2
PNGTitle[eth0]: title - monitoring bandwidth
TimeStrPos[eth0]: RU
TimeStrFmt[eth0]: %H.%M
YTics[eth0]: 5
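As an added example (not part of the original question or any reply on this page), here is the same MRTG style pointed at an SRX over SNMP: the Junos side exposes a read-only SNMPv2c community restricted to the monitoring host and permits SNMP as a host-inbound service, and the MRTG target polls the 64-bit interface counters. The community name, the addresses (SRX 192.168.200.1, MRTG host 192.168.200.50) and ifIndex 513 for ge-0/0/6 are assumed placeholders; look up the real ifIndex with `show snmp mib walk ifDescr`.

```text
# --- Junos side (assumed addresses; SRX is 192.168.200.1, MRTG host is 192.168.200.50) ---
# Read-only SNMPv2c community, accepted only from the monitoring host;
# every other client is explicitly restricted.
set snmp community mrtg-ro authorization read-only
set snmp community mrtg-ro clients 192.168.200.50/32
set snmp community mrtg-ro clients 0.0.0.0/0 restrict
# SNMP must also be allowed as a host-inbound service on the zone the poller sits in.
set security zones security-zone trust host-inbound-traffic system-services snmp
# Map the interface name to its ifIndex (here ge-0/0/6 is assumed to be ifIndex 513):
#   show snmp mib walk ifDescr

# --- MRTG side (mrtg.cfg) ---
WorkDir: /var/www/mrtg
# 64-bit counters (ifHCInOctets/ifHCOutOctets) require SNMP v2c, hence the trailing ":::::2".
Target[srx_ge006]: ifHCInOctets.513&ifHCOutOctets.513:mrtg-ro@192.168.200.1:::::2
MaxBytes[srx_ge006]: 125000000
Options[srx_ge006]: growright, bits, nopercent
YLegend[srx_ge006]: bits per second
ShortLegend[srx_ge006]: b/s
Title[srx_ge006]: SRX ge-0/0/6 bandwidth
PageTop[srx_ge006]: <h2>SRX ge-0/0/6 bandwidth</h2>
```

Run `mrtg /path/to/mrtg.cfg` from cron every five minutes, or add `RunAsDaemon: Yes` to the config. SNMPv2c sends the community string in cleartext, so the client restriction above is what keeps it from being usable from anywhere else.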
Hi,
What should I do when I need to permit SSH access to 20 random IPs from a huge segment, and deny everything else?
set security policies from-zone trust to-zone srv-frm policy srv-access match source-address srv_admin_list
set security policies from-zone trust to-zone srv-frm policy srv-access match destination-address srv_list
set security policies from-zone trust to-zone srv-frm policy srv-access match source-address-excluded
set security policies from-zone trust to-zone srv-frm policy srv-access match application junos-ssh
set security policies from-zone trust to-zone srv-frm policy srv-access then deny
set security policies from-zone trust to-zone srv-frm policy srv-access then log session-init
set security policies from-zone trust to-zone srv-frm policy srv-access then log session-close
In "srv_admin_list" I have 10 random IPs. These are allowed to connect and are working fine. But when I add more than ten it refuses to add the IPs, and I get the message that the limit of source-address entries is 10. I need 20 random IPs to be added. I was forced to use "source-address-excluded" because there is a "permit any any" statement which is used by some traffic that I don't want to disrupt.
Best Regards,
S.Syed
Hi to all,
I have a customer who has an SRX345 box.
Sometimes the device freezes and becomes inaccessible via ICMP, web, etc. The device doesn't answer any traffic on any interface and the customer is cut off. The only way to recover the device is to reboot it. This behaviour is random and apparently they don't do anything strange.
I'm looking for some log or file that tells me what happened when the device became inaccessible, but I can't find any. Any idea where I could look for an explanation of this? A few weeks ago, the ISP told my customer that they were being attacked; could a DDoS attack be the root cause of the lockup? If yes, what can I do to mitigate it?
Thanks in advance!!
David.
The SYS-JE SKUs are not announced end of life yet, so they can still be purchased. As stated, this is my subjective expectation, as it doesn't make sense to have the SYS-JE SKU when it's more expensive than SYS-JB plus an A1 subscription.
Hi Jonas,
From a certificate perspective, do I need to add:
and then something like
request security pki ca-certificate tls-syslog load file /var/certs/syslog.cer
Thanks.
The best suggestion from my side would be to have somebody log on to the device via the serial console to figure out whether the device is actually responding there, and secondly to look at CPU load, interface counters and similar data that could indicate a (D)DoS attack.
Just rebooting it will not provide any data to solve this permanently.
Hello,
Regarding information from the Juniper documentation on SecIntel feeds
Does anyone know of feeds for Microsoft servers or CDNs that are associated with Microsoft products and their associated updates? Alternatively, are there any good repositories that may have feed URLs that can be referenced to try to find a corresponding feed for something that you might need? I can't seem to find any documentation on what kind of "feeds" these are and I haven't been able to turn up anything with searches on third party SecIntel feeds.
I want to know: if we create multiple user logical systems on an SRX4100, is it mandatory to define a security profile for each user logical system as well as for the master logical system?
What will happen if I don't create a security profile? Will the device's resources be shared among all logical systems from the master logical system profile?
Thanks
Hello
Long story short, an SRX5400 crashed and went into a boot loop. I took a working snapshot to USB from another 5400 and booted the faulty SRX from USB; it seems OK. But the question is, how can I get the content from USB back to the compact flash? On the 5400 the only snapshot media option is USB.
Egert
If you have managed to boot your SRX5400 via the snapshot, I would just do a reinstall of the Junos image to properly write the software to the compact flash.
Just download the install package, do request system add <image> and then reboot in a planned maintenance window.
Hi
Is this message the same as the issue described in this article?
https://kb.juniper.net/InfoCenter/index?page=content&id=KB23977&cat=SRX_5800_1&actp=LIST
srx3600 // 12.1X44-D10.4
I agree it seems to match the kb but the article is not very helpful in trying to see why it can occur for reasons that require action.
Seems like it might be harmless and might not but they don't give you enough information to determine which is the case.
We have a Juniper router on site, and when pinging a CCTV device at the site we are seeing the below:
execute ping 10.112.34.20
PING 10.112.34.20 (10.112.34.20): 56 data bytes
64 bytes from 10.112.34.20: icmp_seq=0 ttl=61 time=1.6 ms
64 bytes from 10.112.34.20: icmp_seq=0 ttl=61 time=1.6 ms (DUP!)
64 bytes from 10.112.34.20: icmp_seq=1 ttl=61 time=1.6 ms
64 bytes from 10.112.34.20: icmp_seq=1 ttl=61 time=1.7 ms (DUP!)
64 bytes from 10.112.34.20: icmp_seq=2 ttl=61 time=1.6 ms
64 bytes from 10.112.34.20: icmp_seq=2 ttl=61 time=1.6 ms (DUP!)
Quite confused by this ping response, as we don't have any duplicate IPs, so I'm unsure why the Juniper is showing this.
Hello
There could be a number of reasons:
https://forums.juniper.net/t5/SRX-Services-Gateway/DUP-ping-response/td-p/164474
https://forums.freebsd.org/threads/dup-in-ping-replies-to-or-from-server.36371/
BR,
Andrei
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Good afternoon!
I have a Juniper SRX220H, and recently a problem like this started:
Inside the local network, passive FTP sessions suddenly stopped working, although all protocols are allowed in trust-to-untrust. The "show chassis routing-engine" command was showing excessive "User" utilization in the CPU utilization figures. After restarting the device, the problem went away, but now the router does not hand out DHCP addresses to devices on the local network. The DHCP service is running and restarts correctly, and it also shows a working address pool.
What could be the problem?
Technical data:
Software Version: JUNOS Software Release [12.1X44-D35.5]
Bios Version: 1.9
Tried that but it returned an error:
/usr/libexec/ui/downgrade: the bootstrap installer is missing...
Is it possible to verify that the CF card is actually working OK?
Egert
To troubleshoot DHCP, please enable trace options for the DHCP server as outlined here:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB26748
Then pull the logs from the generated file.
If there is only one device with that IP address, then you likely have a layer 2 loop in this broadcast domain.
Hi
How do I remove a static ARP entry from an SRX650?
I appreciate your help.
Thanks
These are configured in one of two ways:
- static entries
- proxy ARP
You would remove static entries under the interface configuration,
and proxy ARP under security nat:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21785