Channel: All SRX Services Gateway posts

Re: ipsec vpn config on MX80 MIC card


Hi aarseniev, 

 

I set the following:

 

set remote-id fqdn K9143116144.nokiasiemensnetworks.com

and this is a result: 

 

ipsec-ike_log

 

Sep 21 08:21:53 [10.42.131.81 <-> 10.42.147.32] ike_get_sa: Invalid cookie, no sa found, SA = { 13bbb675 1d69b340 - bbaef3ce a9b3e4ec } / 00000000, remote = 10.42.147.32:500
Sep 21 08:21:53 [10.42.131.81 <-> 10.42.147.32] unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 10.42.147.32:500
Sep 21 08:22:09 [10.42.131.81 <-> 10.42.147.32] ikev2_fb_request_certificates_cb: No certificates found
Sep 21 08:22:09 [10.42.131.81 <-> 10.42.147.32] 10.42.131.81:500 (Initiator) <-> 10.42.147.32:500 { a7d43999 ed5a640a - fcab90e7 e0842c4b [-1] / 0x00000000 } IP; Warning, junk after packet len = 208, decoded = 205
Sep 21 08:22:09 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet <1> ca parsing pos <4>, in len<2744>.
Sep 21 08:22:09 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<0> parsing pos <8>.
Sep 21 08:22:09 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<1> parsing pos <1282>.
Sep 21 08:22:10 [10.42.131.81 <-> 10.42.147.32] kmd_policy_request_certificates: got certificate info

Sep 21 08:22:13 [10.42.131.81 <-> 10.42.147.32] ike_get_sa: Invalid cookie, no sa found, SA = { 13bbb675 1d69b340 - bbaef3ce a9b3e4ec } / 00000000, remote = 10.42.147.32:500
Sep 21 08:22:13 [10.42.131.81 <-> 10.42.147.32] unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 10.42.147.32:500
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32] ike_retransmit_callback: Isakmp query retry limit reached, deleting
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32] 10.42.131.81:500 (Initiator) <-> 10.42.147.32:500 { a7d43999 ed5a640a - fcab90e7 e0842c4b [-1] / 0x00000000 } IP; Error = Timeout (8197)
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Private notification, do not send notification
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32] IKE SA negotiation failed for remote-ip:10.42.147.32,do tunnel failover
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32]   IKEv1 Error : Timeout
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ipsec_sa_done_callback:IPSEC SA setup timedout
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32] IKE SA not usable 1c77000, error 65540
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32] Removing DPD server entry for remote peer: 10.42.147.32:500
Sep 21 08:23:24 [10.42.131.81 <-> 10.42.147.32] ikev2_fb_request_certificates_cb: No certificates found
Sep 21 08:23:24 [10.42.131.81 <-> 10.42.147.32] 10.42.131.81:500 (Initiator) <-> 10.42.147.32:500 { ab180428 13496ab9 - 5e40d82a 44407b35 [-1] / 0x00000000 } IP; Warning, junk after packet len = 208, decoded = 205
Sep 21 08:23:24 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet <1> ca parsing pos <4>, in len<2744>.
Sep 21 08:23:24 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<0> parsing pos <8>.
Sep 21 08:23:24 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<1> parsing pos <1282>.
Sep 21 08:23:25 [10.42.131.81 <-> 10.42.147.32] kmd_policy_request_certificates: got certificate info

Sep 21 08:23:34 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet <1> ca parsing pos <4>, in len<2744>.
Sep 21 08:23:34 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<0> parsing pos <8>.
Sep 21 08:23:34 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<1> parsing pos <1282>.
Sep 21 08:23:35 [10.42.131.81 <-> 10.42.147.32] kmd_policy_request_certificates: got certificate info

Sep 21 08:23:35 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: Remote ID check failed for received der_asn1_dn(any:0,[0..81]=CN=K9143116144.nokiasiemensnetworks.com, O=Nokia Siemens Networks)
Sep 21 08:23:35 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: remote ID check failed
Sep 21 08:23:35 [10.42.131.81 <-> 10.42.147.32] IKE SA negotiation failed for remote-ip:10.42.147.32,do tunnel failover
Sep 21 08:23:35 [10.42.131.81 <-> 10.42.147.32] Removing DPD server entry for remote peer: 10.42.147.32:500

pki_log

 

Sep 21 08:21:43 CERT VERIFIED: /CN=K9143116144.nokiasiemensnetworks.com/O=Nokia Siemens Networks
Sep 21 08:21:43 pkid_retrieve_obj_from_lhash, try retrieve obj from lhash type <2> for id <CA_Level_L1a>
Sep 21 08:21:43 pkid_retrieve_obj_from_lhash, retrieved obj from lhash for id <CA_Level_L1a>
Sep 21 08:21:43 Cert-Chain-Val> warning: Revocation Check skipped
Sep 21 08:21:43
Sep 21 08:21:43 Cert-Chain-Val> Cert-Chian Validation Cur<0> Total<2>
Sep 21 08:21:43 Cert-Chain-Val> at end
Sep 21 08:21:43 ldapNotify_func
Sep 21 08:21:43 Top of chain verified ok: /CN=K9143116144.nokiasiemensnetworks.com/O=Nokia Siemens Networks
Sep 21 08:21:43 cert verified ok: /CN=K9143116144.nokiasiemensnetworks.com/O=Nokia Siemens Networks
Sep 21 08:21:43 ldapIdleCleanup <28><104><243><22>
Sep 21 08:21:43 pCert_no_buf: /CN=K9143116144.nokiasiemensnetworks.com/O=Nokia Siemens Networks
Sep 21 08:21:43 pCert_with_buf: /CN=K9143116144.nokiasiemensnetworks.com/O=Nokia Siemens Networks
Sep 21 08:21:43 pCaCert: /DC=NSN Ulm/CN=Root CA
Sep 21 08:21:43  p_cert_stack: /CN=K9143116144.nokiasiemensnetworks.com/O=Nokia Siemens Networks
Sep 21 08:21:43 scep_http_release_all: releasing LDAP-STATE 192ed00
Sep 21 08:21:43 pkid_ipc_send: Queued packet to IKED-Q, len 1324
Sep 21 08:21:43 pkid_ipc_write: Sending packet to IKED len 1324, total packets sent 60

When I added the following command, nothing really changed:

 

Sep 21 08:25:50 [10.42.131.81 <-> 10.42.147.32] ike_retransmit_callback: Isakmp query retry limit reached, deleting
Sep 21 08:25:50 [10.42.131.81 <-> 10.42.147.32] 10.42.131.81:500 (Initiator) <-> 10.42.147.32:500 { 07236698 58cccc8f - 678d3943 52f1e262 [-1] / 0x00000000 } IP; Error = Timeout (8197)
Sep 21 08:25:50 [10.42.131.81 <-> 10.42.147.32] ike_send_notify: Private notification, do not send notification
Sep 21 08:25:50 [10.42.131.81 <-> 10.42.147.32] IKE SA negotiation failed for remote-ip:10.42.147.32,do tunnel failover
Sep 21 08:25:50 [10.42.131.81 <-> 10.42.147.32]   IKEv1 Error : Timeout
Sep 21 08:25:50 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ipsec_sa_done_callback:IPSEC SA setup timedout
Sep 21 08:25:50 [10.42.131.81 <-> 10.42.147.32] IKE SA not usable 1c77000, error 65540
Sep 21 08:25:50 [10.42.131.81 <-> 10.42.147.32] Removing DPD server entry for remote peer: 10.42.147.32:500
Sep 21 08:25:54 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet <1> ca parsing pos <4>, in len<2744>.
Sep 21 08:25:54 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<0> parsing pos <8>.
Sep 21 08:25:54 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<1> parsing pos <1282>.
Sep 21 08:25:55 [10.42.131.81 <-> 10.42.147.32] kmd_policy_request_certificates: got certificate info

Sep 21 08:25:55 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: Remote ID check failed for received der_asn1_dn(any:0,[0..81]=CN=K9143116144.nokiasiemensnetworks.com, O=Nokia Siemens Networks)
Sep 21 08:25:55 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: remote ID check failed
Sep 21 08:25:55 [10.42.131.81 <-> 10.42.147.32] IKE SA negotiation failed for remote-ip:10.42.147.32,do tunnel failover
Sep 21 08:25:55 [10.42.131.81 <-> 10.42.147.32] Removing DPD server entry for remote peer: 10.42.147.32:500
Sep 21 08:26:04 [10.42.131.81 <-> 10.42.147.32] ike_get_sa: Invalid cookie, no sa found, SA = { cfedc264 cc08f7ce - c1672a01 2f262e8a } / 00000000, remote = 10.42.147.32:500
Sep 21 08:26:04 [10.42.131.81 <-> 10.42.147.32] unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 10.42.147.32:500
Sep 21 08:26:09 [10.42.131.81 <-> 10.42.147.32] ikev2_fb_request_certificates_cb: No certificates found
Sep 21 08:26:09 [10.42.131.81 <-> 10.42.147.32] 10.42.131.81:500 (Initiator) <-> 10.42.147.32:500 { f832cf2a fac168ba - c6246442 215a79b9 [-1] / 0x00000000 } IP; Warning, junk after packet len = 208, decoded = 205
Sep 21 08:26:09 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet <1> ca parsing pos <4>, in len<2744>.
Sep 21 08:26:09 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<0> parsing pos <8>.
Sep 21 08:26:09 [10.42.131.81 <-> 10.42.147.32] parse_request_certificate_rep_packet ca <0> cert<1> parsing pos <1282>.
Sep 21 08:26:10 [10.42.131.81 <-> 10.42.147.32] kmd_policy_request_certificates: got certificate info

For clarity, I added all security config after modification - attached in txt file.

Here is the status for IKE:

 

run show services ipsec-vpn ike security-associations
Remote Address  State         Initiator cookie  Responder cookie  Exchange type
10.42.147.32    Not matured   c729818010bd4766  0000000000000000  Main
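
A triage sketch for the ipsec-ike_log in the post above, added here as an example and not part of the original post or of any Juniper tool: it rejoins the wrapped entries and compares the ID type the log reports as received with the type in the configured remote-id statement. The function names are this example's own, and the embedded sample is constructed from lines copied out of the post.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the ipsec-ike_log in the post,
# one of them still wrapped the way the paste wrapped it.
SAMPLE_LOG = """\
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32] ike_retransmit_callback: Isakmp query retry limit reached, deleting
Sep 21 08:23:05 [10.42.131.81 <-> 10.42.147.32]   IKEv1 Error : Timeout
Sep 21 08:23:35 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: Remote ID check failed for received der_asn1_dn(any:0,

[0..81]=CN=K9143116144.nokiasiemensnetworks.com, O=Nokia Siemens Networks)
Sep 21 08:23:35 [10.42.131.81 <-> 10.42.147.32] kmd_pm_ike_match_remote_id: remote ID check failed
Sep 21 08:23:35 [10.42.131.81 <-> 10.42.147.32] IKE SA negotiation failed for remote-ip:10.42.147.32,do tunnel failover
"""
# Remote-id statement quoted in the post.
CONFIGURED = "set remote-id fqdn K9143116144.nokiasiemensnetworks.com"

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \[(\S+) <-> (\S+)\]\s+(.*)$")
ID_FAIL = re.compile(
    r"Remote ID check failed for received (\w+)\([^,]*,\s*\[[^\]]*\]=(.*)\)$")


def unwrap(text):
    """Rejoin wrapped entries: a line without a timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if STAMP.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def configured_remote_id(command):
    """Return (type, value) from a '... remote-id <type> <value>' statement."""
    m = re.search(r"remote-id (\S+) (\S+)", command)
    return (m.group(1), m.group(2)) if m else (None, None)


def triage(text, command):
    """Count timeouts and list remote-ID failures next to the configured ID."""
    want_type, want_value = configured_remote_id(command)
    counts, findings = Counter(), []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        when, _local, remote, msg = m.groups()
        if "Error : Timeout" in msg:
            counts["timeout"] += 1
        failed = ID_FAIL.search(msg)
        if failed:
            got_type, got_value = failed.groups()
            counts["remote_id_mismatch"] += 1
            findings.append({
                "time": when, "peer": remote,
                "configured_type": want_type, "received_type": got_type,
                "received_value": got_value,
                "type_differs": got_type != want_type,
                "value_contains_configured": want_value in got_value,
            })
    return counts, findings


if __name__ == "__main__":
    totals, hits = triage(SAMPLE_LOG, CONFIGURED)
    print(dict(totals))
    for hit in hits:
        print(hit)
```
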

 

 

 

 


Re: BT Infinity and PPPoE Configuration


Thank you @Junspert

It solves my issues with a BT Hub 3 providing ADSL2; I set MSS to 1452 and I can reach all the websites.

There is only one thing I can't work out: if I ping google.com from the Juniper, it doesn't seem to be working.

8.8.8.8 works:

junipersrx240> ping 8.8.8.8 
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=22.518 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=8.788 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=8.623 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=8.494 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=55 time=8.398 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=55 time=8.490 ms
64 bytes from 8.8.8.8:^C
--- 8.8.8.8 ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.398/10.539/22.518/4.892 ms

 

 

google.com :

ping google.com    
PING6(56=40+8+8 bytes) :: --> 2a00:1450:400e:805::200e
ping: sendmsg: No route to host
ping6: wrote google.com 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote google.com 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote google.com 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote google.com 16 chars, ret=-1
ping: sendmsg: No route to host
ping6: wrote google.com 16 chars, ret=-1
^C
--- google.com ping6 statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Any suggestions?

 

Re: default Mode of SRX


Hi Suraj,

Thanks for the explanation.

But when I set an access VLAN on an interface and try commit check, it prompts the following message about switching from route mode to mix mode. So the SRX is in route mode before the VLAN is set.

#commit check
warning: Interfaces are changed from route mode to mix mode. Please use the command request system reboot on current node or all nodes in case of HA cluster!
error: In routing-instance default-switch vlan VLAN100 configured under interface ge-0/0/5.0 does not exist
error: configuration check-out failed

But the latest Junos doc states there are two modes, switching and transparent bridge.

 

Regards

Shyam

SYN Cookie Protection Always On


As far as I read on:

http://www.jnpr.net/techpubs/en_US/junos12.3x48/topics/example/denial-of-service-firewall-syn-ack-ack-proxy-flood-attack-protecting-cli.html

It says:

In this example, you enable protection against a SYN-ACK-ACK proxy flood. The value unit is connections per source address. The default value is 512 connections from any single address.

So we get spoofed attacks which never hit with the same IP a second time, so when we put 1 as the threshold it does not trigger :) I think it counts the first to not trigger the proxy.

Also we are using the SRX 3600 as a bridge.

MX80 -->----<--- SRX3600 ----->----<----- MX80   Does that make sense?

Our routing table is this:

 

routing-options {
    static {
        route 0.0.0.0/0 next-hop 178.20.225.17;
        route 185.9.156.0/24 next-hop 10.10.10.22;
        route 185.9.157.0/24 next-hop 10.10.10.22;
        route 185.9.158.0/24 next-hop 10.10.10.22;
        route 185.90.80.0/22 next-hop 10.10.10.22;
        route 185.118.140.0/22 next-hop 10.10.10.22;
        route 178.20.224.0/21 next-hop 10.10.10.22;
        route 37.123.96.0/21 next-hop 10.10.10.22;
        route 213.238.170.0/24 next-hop 10.10.10.22;
        route 213.238.171.0/24 next-hop 10.10.10.22;
        route 213.238.172.0/24 next-hop 10.10.10.22;
        route 213.238.173.0/24 next-hop 10.10.10.22;
        route 10.0.0.4/30 next-hop 10.10.10.22;
    }
}


xe-1/0/1 {
    unit 0 {
        family inet {
            filter {
                input stateless;
            }
            address 10.10.10.21/30;
        }
    }
}
xe-4/0/0 {
    unit 0 {
        family inet {
            address 178.20.225.18/29;
        }
    }
}

Re: SRX300 series VLAN interface


Any timeline to fix it ???

 

It is a really big issue. The same feature is not in the new product line which replaces the EOL products.

static routing not working in srx245


Hi,

 

I set a default route to the WAN interface peering IP and some static routes to the LAN interface peering IP. I can see routing for connected and the default route, but not for the static routes in the routing table. Is it an issue on SRX345 junos15.1X49.D50? Or does it need any license to operate a basic feature?

 

Thanks

Shyam

Re: SYN Cookie Protection Always On


Screen rules:

 

security {
    log {
        mode event;
        event-rate 1500;
    }
    alg {
        ftp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        sip;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    flow {
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 20;
            low-watermark 80;
            high-watermark 90;
        }
    }
    screen {
        ids-option IcNetwork {
            icmp {
                flood threshold 1000;
            }
        }
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 1000000;
                fragment;
                large;
                flood threshold 8000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000000;
                syn-ack-ack-proxy threshold 1;
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 1500;
                    source-threshold 200;
                    destination-threshold 20000;
                    timeout 10;
                }
                land;
                winnuke;
                tcp-sweep threshold 1000;
            }
            limit-session {
                source-ip-based 200;
                destination-ip-based 10000;
            }
        }
        traceoptions {
            file screen.log;
            flag all;
        }
    }

 


Re: static routing not working in srx245


You don't need a license for routing.  Can you provide the routing table?


Re: static routing not working in srx245


Here is the config and routing table info. My scenario is in HA. HA is OK and passing transit traffic.

 

#show route
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:14:26
> to X.X.X.X via reth14.0
X.X.X.72/29 *[Direct/0] 00:14:26
> via reth14.0
X.X.X.73/32 *[Local/0] 00:14:26
Local via reth14.0
X.X.X.80/29 *[Direct/0] 00:14:26
> via reth15.0
X.X.X.81/32 *[Local/0] 00:14:26
Local via reth15.0
{primary:node1}[edit]
user@FW2# show routing-options
static {
route 0.0.0.0/0 next-hop X.X.X.X;
route 10.10.18.0/24 next-hop X.X.X.82;
route 10.10.19.0/24 next-hop X.X.X.82;

Re: static routing not working in srx245


Which device is primary?  Can you provide the output of "show chassis cluster status".

Re: static routing not working in srx245


#show chassis cluster status

Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 100 secondary no no None
node1 1 primary no no None

Redundancy group: 1 , Failover count: 2
node0 100 primary yes no None
node1 1 secondary yes no None

 

I am able to ping the LAN side peering IP.

# ping X.X.X.82
PING X.X.X.82 (X.X.X.82): 56 data bytes
64 bytes from X.X.X.82: icmp_seq=0 ttl=64 time=4.865 ms
64 bytes from X.X.X.82: icmp_seq=1 ttl=64 time=4.390 ms
64 bytes from X.X.X.82: icmp_seq=2 ttl=64 time=13.135 ms
64 bytes from X.X.X.82: icmp_seq=3 ttl=64 time=12.154 ms
^C
--- X.X.X.82 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.390/8.636/13.135/4.027 ms

Re: static routing not working in srx245


You have RG0 on one node and RG1 on the other node.  Is reth.14 part of RG1?  If so, you should see the route on the node1, not node0.

Re: static routing not working in srx245


Both WAN and LAN interfaces are part of RG1, and you may also know that RG0 is the device primary/secondary group.

Another point is that HA is in an A/P scenario; in this case only the active device maintains the routing table.

 

Re: static routing not working in srx245


The RE is always on RG0, which is on node1 per the output.  Your transit is via RG1, which is on node0.


Re: static routing not working in srx245


Hi,

 

I believe the routing table will always be present on the node on which RG0 is active, even in Active/Active mode.

Could you give a try using next-hop resolve for those routes:

route 10.10.18.0/24 next-hop X.X.X.82 resolve;

Cheers,

Ashvin

Re: SRX Syn problem


Hello,

 

So if I understand correctly, you have the following set up, is that correct?

 

set security flow syn-flood-protection-mode syn-cookie.

 

Regards,

 

Rushi

 

Re: SRX Syn problem


Correct, it does not accept new requests, but the older ones which have a session are still able to connect. It seems like syn-cookie is not working correctly and is dropping all packets, or it passes the cookie mode and applies hard limits for SYN.

 

 

    flow {
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 20;
            low-watermark 90;
            high-watermark 90;
        }
    }



        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
                xe-1/0/0.0;
            }




    screen {
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 1000000;
                fragment;
                large;
                flood threshold 8000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                block-frag;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 1000000;
                syn-ack-ack-proxy threshold 1000;
                syn-flood {
                    alarm-threshold 250;
                    attack-threshold 625;
                    source-threshold 25;
                    timeout 10;
                }
                land;
                winnuke;
                tcp-sweep threshold 1000;
            }
            limit-session {
                source-ip-based 200;
            }
        }
        traceoptions {
            file screen.log;
            flag all;
        }
    }

SRX320 - VDSL session drops when doing a commit


Hi All

 

I have configured an SRX320 with a 1x VDSL2 mPIM (RoHS) card to connect to FTTC VDSL connections but when performing a commit the VDSL session drops for 2-3mins before the session is re-established.

It only seems to drop the session when making a change to an interface or RE Firewall Filter.

To me it seems like some sort of bug, as we are having the same issue with multiple VDSL providers (GAMMA and MDNX FTTC).

 

!----Config

 

set interfaces pt-1/0/0 description "Physical VDSL Interface in PIM1 (MDNX Shared FTTC)"
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 vdsl-options vdsl-profile auto
set interfaces pt-1/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pt-1/0/0 unit 0 vlan-id 101

 

set interfaces pp0 unit 1 description "Link to MDNX Shared FTTC"
set interfaces pp0 unit 1 ppp-options chap default-chap-secret "password"
set interfaces pp0 unit 1 ppp-options chap local-name "username@dsl.mdnx.com"
set interfaces pp0 unit 1 ppp-options chap passive
set interfaces pp0 unit 1 pppoe-options underlying-interface pt-1/0/0.0
set interfaces pp0 unit 1 pppoe-options auto-reconnect 10
set interfaces pp0 unit 1 pppoe-options client
set interfaces pp0 unit 1 keepalives interval 1
set interfaces pp0 unit 1 keepalives up-count 1
set interfaces pp0 unit 1 keepalives down-count 1
set interfaces pp0 unit 1 family inet negotiate-address

 

set routing-options static route 0.0.0.0/0 next-hop pp0.1

 

 

-------------------

user@SRX320> show interfaces pp0.1
Logical interface pp0.1 (Index 85) (SNMP ifIndex 539)
Description: Link to MDNX Shared FTTC
Flags: Up Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
PPPoE:
State: SessionUp, Session ID: 82,
Session AC name: <ACNAME>, Remote MAC address: <REMOTE MAC>,
Configured AC name: None, Service name: None,
Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
Underlying interface: pt-1/0/0.0 (Index 84)
Ignore End-Of-List tag: Disable
Input packets : 27533
Output packets: 90234
Keepalive settings: Interval 1 seconds, Up-count 1, Down-count 1
Keepalive: Input: 469 (00:00:16 ago), Output: 14084 (00:00:00 ago)
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
CHAP state: Success
PAP state: Closed
Security: Zone: UNTRUST
Allowed host-inbound traffic : ike ping snmp ssh traceroute
Protocol inet, MTU: 1492
Flags: Sendbcast-pkt-to-re, Negotiate-Address
Addresses, Flags: Kernel Is-Preferred Is-Primary
Destination: <DEST - IP>, Local: <PUBLIC IP>

 

Any help would be much appreciated.

 

Thanks

Troy
