
Re: export network between routing instances


I think one of your other import terms must then be rejecting this route. I have the basic configuration working on a lab box.

 

Configuration:

root@none> show configuration routing-instances 
Trust-vr {
    interface fe-0/0/1.0;
}
Untrust-vr {
    interface fe-0/0/0.0;
    routing-options {
        instance-import SES_Route;
    }
}

root@none> show configuration policy-options       
policy-statement SES_Route {
    term 1 {
        from {
            instance Trust-vr;
            protocol direct;
            route-filter 192.168.27.64/28 exact;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}

 

Result:

 

Trust-vr.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.27.64/28   *[Direct/0] 00:03:58
                    > via fe-0/0/1.0
192.168.27.65/32   *[Local/0] 00:03:58
                      Local via fe-0/0/1.0

Untrust-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.27.64/28   *[Direct/0] 00:00:21
                    > via fe-0/0/1.0
192.168.128.0/24   *[Direct/0] 00:02:23
                    > via fe-0/0/0.0
192.168.128.14/32  *[Local/0] 00:02:23
                      Local via fe-0/0/0.0

 

 


SRX config for Playstation


Ok so my PlayStation is getting NAT type 3 and it's affecting some online gaming. I configured my SRX to allow all the ports the PlayStation has released. Here is my config, can anyone see what's wrong?

nat {
    source {
        rule-set nsw_srcnat {
            from zone Internal;
            to zone Internet;
            rule nsw-src-interface {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    destination {
        pool PLEX_NAT_POOL {
            address 192.168.1.14/32 port 32400;
        }
        pool PLAYSTATION-DNAT-POOL {
            address 192.168.1.109/32;
        }
        rule-set PLEX_RULE {
            from zone Internet;
            rule PLEX_PORT_FORWARD {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                    destination-port 32400;
                    protocol tcp;
                }
                then {
                    destination-nat pool PLEX_NAT_POOL;
                }
            }
            rule PLAYSTATION-TCP-80 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port 80;
                    protocol tcp;
                }
                then {
                    destination-nat pool PLAYSTATION-DNAT-POOL;
                }
            }
            rule PLAYSTATION-TCP-443 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port 443;
                    protocol tcp;
                }
                then {
                    destination-nat pool PLAYSTATION-DNAT-POOL;
                }
            }
            rule PLAYSTATION-TCP-UDP-3478 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port 3478;
                    protocol [ tcp udp ];
                }
                then {
                    destination-nat pool PLAYSTATION-DNAT-POOL;
                }
            }
            rule PLAYSTATION-TCP-UDP-3479 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port 3479;
                    protocol [ tcp udp ];
                }
                then {
                    destination-nat pool PLAYSTATION-DNAT-POOL;
                }
            }
            rule PLAYSTATION-TCP-3480 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port 3480;
                    protocol tcp;
                }
                then {
                    destination-nat pool PLAYSTATION-DNAT-POOL;
                }
            }
        }
    }
}
policies {
    from-zone Internal to-zone Internet {
        policy All_Internal_Internet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone Internet to-zone Internal {
        policy PLEX {
            match {
                source-address any;
                destination-address PLEX_SERVER;
                application any;
            }
            then {
                permit;
            }
        }
        policy policy_in_wizard_dyn_vpn {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn wizard_dyn_vpn;
                    }
                }
            }
        }
        policy Remote_MGMT {
            match {
                source-address any;
                destination-address any;
                application junos-https;
            }
            then {
                permit;
            }
        }
        policy PLAYSTATION {
            match {
                source-address any;
                destination-address PS4;
                application PLAYSTATION;
            }
            then {
                permit;
            }
        }
    }
}
applications {
    application PLAYSTATION-80 {
        protocol tcp;
        destination-port 80;
    }
    application PLAYSTATION-443 {
        protocol tcp;
        destination-port 443;
    }
    application PLAYSTATION-3478 {
        protocol tcp;
        destination-port 3478;
    }
    application PLAYSTATION-3478_3480 {
        protocol tcp;
        destination-port 3478-3480;
    }
    application PLAYSTATION-3478_3479 {
        protocol udp;
        destination-port 3478-4479;
    }
    application-set PLAYSTATION {
        application PLAYSTATION-80;
        application PLAYSTATION-443;
        application PLAYSTATION-3478_3480;
        application PLAYSTATION-3478_3479;
    }
}

SRX Stateless UDP mode


Is there any possible way to have the SRX not create sessions for UDP traffic?

Re: SRX Stateless UDP mode


Hello,

 

You can bypass the flow daemon for UDP traffic using the below KB article, with the help of firewall filters.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26757

 

However, please be informed that the above KB article is only valid for SRX branch series devices, as selective packet mode is only possible on them and not on high-end SRX devices.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB17263

 

Hence on high-end devices the only possible way is to completely change the SRX to packet mode, as mentioned in the below KB article:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30461

 

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.
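The firewall-filter approach the first KB article describes, written out as an added example (not taken from the post or the KB, and only applicable to branch SRX models, as the reply says): one narrowly matched UDP stream is handed to packet mode and everything else stays with the flow daemon. The interface ge-0/0/1, the two prefixes and the port range are made-up values.

```junos
firewall {
    family inet {
        filter BYPASS-FLOW-UDP {
            term media-udp-stateless {
                from {
                    /* match as narrowly as possible: packet-mode traffic gets
                       no session, screen or security-policy treatment */
                    source-address {
                        10.10.1.0/24;
                    }
                    destination-address {
                        10.20.1.0/24;
                    }
                    protocol udp;
                    destination-port 16384-32767;
                }
                /* packet-mode bypasses flow processing for matching packets */
                then packet-mode;
            }
            term everything-else {
                /* stays in flow mode: sessions, screens and policies apply */
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input BYPASS-FLOW-UDP;
                }
            }
        }
    }
}
```

A mirrored filter (addresses and ports swapped) must also be applied as input on the interface facing 10.20.1.0/24, because the return packets have to bypass flow processing as well; otherwise they arrive with no matching session.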

Re: SRX Stateless UDP mode


Thank you Paul for the fast answer, we use SRX 3600. And I think the article is not for the 3k series.

Re: SRX Stateless UDP mode


Hi, 

 

 

That's right, the first KB article is not for SRX 3600, as it does not support selective traffic in packet mode since it is a high-end SRX device.

 

On a high-end SRX device you will have to convert the complete device into packet mode, as mentioned in the other two KB articles in my previous note.

 

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.

Re: SRX 340 OSPF Advertise entire /23 when only portions of the subnet currently exist in the routing table


Thanks,

 

The example works for aggregation if I assign send-aggregate to the global OSPF setting, but I can't seem to get it constrained to a single interface if I set it as a policy on a non-global, area-based instance.

Re: SRX Stateless UDP mode


As the device in packet mode will work as a router (and not a firewall), delete the security feature configuration from the device.

 

 

As far as I see, this time it loses its protection features?


Re: SRX300 series VLAN interface

This is still an issue in D50, specifically on the SRX300 model; it is not fixed.

Re: SRX config for Playstation


That's the guide I followed; the only thing I didn't do was all the ports that he opened. So I'm assuming that I should include all of those ports that he did?

Re: default Mode of SRX


Hi Shyam,

 

Mixed mode is the default. If you check the first link itself there is a "NOTE" stating "Note: In mixed mode, which is the default mode, you can configure an SRX Series device using both transparent mode (Layer 2) and route mode (Layer 3) simultaneously, with no reboot required."

 

The following statement looks incorrect and the documentation needs to be corrected:

"The device operates in route mode (the default mode) if there are no physical interfaces configured as Layer 2 interfaces."

 

Re: export network between routing instances


Can you check if there is any other import policy? If yes, we need to make sure the last term on that policy states "next-policy" instead of "reject". You may use the below command to check if there are any other import policies:

 

> show configuration routing-instances Untrust-vr routing-options instance-import
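A worked version of that advice, added here as an example rather than taken from any post in the thread: two policies are chained under instance-import, and the first ends with next policy so that routes it does not match still reach SES_Route. The instance Mgmt-vr on fe-0/0/2.0, the policy name Leak_Mgmt and the prefix 10.0.0.0/24 are assumed for illustration; SES_Route is the policy from the first post.

```junos
routing-instances {
    Mgmt-vr {
        /* assumed third instance whose routes are also leaked */
        interface fe-0/0/2.0;
    }
    Untrust-vr {
        interface fe-0/0/0.0;
        routing-options {
            /* policies are evaluated in this order; a terminating reject
               in Leak_Mgmt would stop SES_Route from ever being consulted */
            instance-import [ Leak_Mgmt SES_Route ];
        }
    }
}
policy-options {
    policy-statement Leak_Mgmt {
        term mgmt-prefix {
            from {
                instance Mgmt-vr;
                route-filter 10.0.0.0/24 exact;
            }
            then accept;
        }
        term hand-off {
            /* not reject: unmatched routes fall through to the next policy */
            then next policy;
        }
    }
    policy-statement SES_Route {
        term 1 {
            from {
                instance Trust-vr;
                protocol direct;
                route-filter 192.168.27.64/28 exact;
            }
            then accept;
        }
        term 2 {
            /* last policy in the chain: everything else is rejected here */
            then reject;
        }
    }
}
```

After commit, show route table Untrust-vr.inet.0 should list both 10.0.0.0/24 and 192.168.27.64/28; if only the first appears, the hand-off term is the place to look.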

Re: VPN tunnels monitoring

Dears,

I have tried all the mentioned OIDs, but nothing was working for our case.
All the "show snmp mib walk <OIDs>" outputs are empty.

It may be software version dependent, or is there any special treatment that enables VPN monitoring using MIBs?


Best regards.
Bassem


Re: SRX Stateless UDP mode


Hello,

 

Yes, that is right: if you turn the SRX 3600 into packet mode it will turn into a router and will lose all of its protection features.

 

Unfortunately, on high-end SRX devices (like your SRX 3600) it is not possible to have only selective traffic in packet mode.

 

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.

Commit error message


Hello everyone!

 

Today I was going to enable some debugging and then I found some config which seemed uncommitted. I did rollback 0 and issued the commands to enable the debugging, but when I ran commit it gave me the following message, along with the config which had been uncommitted in the past:

 

warning: patch removes statement that is not empty

 

I have also tried to clean the configuration that was causing these messages, but it still appears. Is there any idea how to overcome this? Is this related to a bug?

 

Best regards!

 

Vitor

Re: ipsec vpn config on MX80 MIC card


Hi,

 

Thanks 

 

run show configuration services

...

        policy all-ca-level-l1 {
            mode main;
            version 1;
            proposals Feve3-TT_ike_proposal;
            local-certificate CA_Level_L1a;
        }
        policy all-ca-level-l2 {
            mode main;
            version 1;
            proposals Feve3-TT_ike_proposal;
            local-certificate CA_Level_L2a;
        }
        policy all-ca-level-l3 {
            mode main;
            version 1;
            proposals Feve3-TT_ike_proposal;
            local-certificate CA_Level_L3a;


...

    }
    establish-tunnels immediately;

 

 

Sep 19 14:52:17 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [0] / 0xeb377c66 } Info; Trying to decrypt, but no decryption context initialized
Sep 19 14:52:17 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [0] / 0xeb377c66 } Info; Error = No SA established (8194)
Sep 19 14:52:17 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Notification to informational exchange ignored
Sep 19 14:52:21 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [0] / 0x43cc1eac } Info; Trying to decrypt, but no decryption context initialized
Sep 19 14:52:21 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [0] / 0x43cc1eac } Info; Error = No SA established (8194)
Sep 19 14:52:21 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Notification to informational exchange ignored
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet <1> ca parsing pos <4>, in len<6458>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<0> parsing pos <8>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<1> parsing pos <1097>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<2> parsing pos <2899>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<3> parsing pos <4996>.
Sep 19 14:52:23 [10.42.131.81 <-> 10.42.147.32] kmd_policy_request_certificates: got certificate info

Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: Remote ID check failed, Received ID(type = dn (9), len = 82, value = 3050312d 302b0603 55040313 244b3931 34333131 36313434 2e6e6f6b 69617369 656d656e 736e6574 776f726b 732e636f 6d311f30 1d060355 040a1316 4e6f6b69 61205369 656d6
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: remote ID check failed
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] IKE SA negotiation failed for remote-ip:10.42.147.32,do tunnel failover
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] Removing DPD server entry for remote peer: 10.42.147.32:500
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] 10.42.131.81:500 (Initiator) <-> 10.42.147.32:500 { e5ef3dc7 272c4b49 - feb00ff9 ede95a23 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_sa_done: UNUSABLE ike sa tunnel_id 24
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32]   IKEv1 Error : Timeout
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ipsec_sa_done_callback:IPSEC SA setup timedout
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] IKE SA not usable 1ce3400, error 65540
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] Removing DPD server entry for remote peer: 10.42.147.32:500
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] ike_get_sa: Invalid cookie, no sa found, SA = { b049541b d230b39b - 61009300 b2a9827e } / 8b98eb25, remote = 10.42.147.32:500
Sep 19 14:52:24 [10.42.131.81 <-> 10.42.147.32] unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 10.42.147.32:500
Sep 19 14:52:33 [10.42.131.81 <-> 10.42.147.32] ike_get_sa: Invalid cookie, no sa found, SA = { b049541b d230b39b - 61009300 b2a9827e } / 00000000, remote = 10.42.147.32:500
Sep 19 14:52:33 [10.42.131.81 <-> 10.42.147.32] unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 10.42.147.32:500
Sep 19 14:52:53 [10.42.131.81 <-> 10.42.147.32] ike_get_sa: Invalid cookie, no sa found, SA = { b049541b d230b39b - 61009300 b2a9827e } / 00000000, remote = 10.42.147.32:500
Sep 19 14:52:53 [10.42.131.81 <-> 10.42.147.32] unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 10.42.147.32:500
Sep 19 14:53:00 [10.42.131.81 <-> 10.42.147.32] ikev2_fb_request_certificates_cb: No certificates found
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] 10.42.131.81:500 (Initiator) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [-1] / 0x00000000 } IP; Warning, junk after packet len = 208, decoded = 205
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet <1> ca parsing pos <4>, in len<6458>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<0> parsing pos <8>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<1> parsing pos <1097>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<2> parsing pos <2899>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<3> parsing pos <4996>.
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] kmd_policy_request_certificates: got certificate info

Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [0] / 0x276075a7 } Info; Trying to decrypt, but no decryption context initialized
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [0] / 0x276075a7 } Info; Error = No SA established (8194)
Sep 19 14:53:01 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Notification to informational exchange ignored
Sep 19 14:53:06 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [0] / 0x51f26723 } Info; Trying to decrypt, but no decryption context initialized
Sep 19 14:53:06 [10.42.131.81 <-> 10.42.147.32] <none>:500 (Responder) <-> 10.42.147.32:500 { 91b57ff4 242162fe - 70b4008c d9472b03 [0] / 0x51f26723 } Info; Error = No SA established (8194)
Sep 19 14:53:06 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Notification to informational exchange ignored

Re: Commit error message


Hi vstrabello,

 

Are you configuring it in private mode? Can you share the output of the commit command with the error message? If you are configuring it in private mode, try logging out and logging in again in normal configure mode and do "commit full".

 
