SRX comes with two DynVPN user licenses. You have to purchase more to support more users. Why don't you enable traceoptions and see if it gets you some information?
Re: Can SRX series work with Shrew Soft VPN client?
[SRX220] Is fan speed control possible?
Hello all,
Recently I have replaced both fans on the SRX220 with slightly more powerful (and quieter) ones, and now I would like to lower the fan speed when there is no need for such efficiency.
Putting aside any safety and support aspects:
Is it possible to change the fan speed under 'normal' temperature threshold on SRX220? Any hidden CLI commands, anything?
Re: [SRX220] Is fan speed control possible?
Hello,
I do not think there is any direct way to increase/reduce the fan speed, but you can try to set the temperature thresholds accordingly.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB19745&actp=search
Regards,
Rushi
With vSRX, HTTP client sending TCP RSTs after initial SYN and SYN-ACK.
We are observing the HTTP client sending RSTs after the initial TCP SYN from the client and SYN-ACK from the server, when vSRX is deployed between a web server in a private subnet (Trust zone) and an HTTP client in a public subnet (Untrust zone). When vSRX is removed, the same server and client have no issues.
Any specific reasons why the HTTP client is sending the RSTs? Please note a few points, just FYI.
- Destination NAT is configured for public IP Address and is working fine.
- No routing issues since we can observe the TCP SYN from client to server and SYN ACK from server to client at client or server.
- No other configurations (Screens, IDP, UTM etc), except NAT and static route at vSRX to simplify things in debugging.
- Surprisingly, everything is normal if vSRX is not there in between.
Please suggest any reasons for this issue.
Thanks,
Shirish.
Re: With vSRX, HTTP client sending TCP RSTs after initial SYN and SYN-ACK.
Can you do a pcap on the client machine and see if the client is sending the RST or it's the vSRX sending the RST (while proxying)? You may take pcaps simultaneously on the client and the vSRX and confirm the behavior.
Re: Using SNMP to monitor SPU; what are MIBS
show snmp mib get 1.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.0 (this is the OID for SPU usage).
SRX SNMP MONITORING GUIDE
Re: RTPERF_CPU_THRESHOLD_EXCEEDED when 40 Mbps passed to st0.1
Can you collect the below counters in scenarios 1 and 2?
show security flow statistics
Use "clear security flow statistics" before the start of the test.
Re: With vSRX, HTTP client sending TCP RSTs after initial SYN and SYN-ACK.
vSRX is not sending any RSTs; it's the HTTP client sending the RSTs.
Re: With vSRX, HTTP client sending TCP RSTs after initial SYN and SYN-ACK.
BTW, could this be the cause of the issue?
1.) HTTP client at 172.31.81.76 sends a TCP SYN for the HTTP connection to the SRX Untrust interface, say 172.31.94.254.
So at the HTTP client, Source IP = 172.31.81.76, Destination IP = 172.31.94.254.
2.) vSRX successfully performs the destination NAT (Dest IP for Server IP) and forwards the request/SYN to the server at IP 172.31.51.86. So at the HTTP server, Source IP = 172.31.81.76 and Destination IP = 172.31.51.86.
3.) HTTP server replies the TCP ACK with source IP = 172.31.51.86 and dest IP = 172.31.81.76.
4.) HTTP client receives the SYN ACK with source IP = 172.31.51.86 and dest IP = 172.31.81.76, BUT the source IP now is not 172.31.94.254 where the client made its initial connection. There is thus no socket open for this IP and it rejects by sending RST.
Could this be the reason ?
Re: With vSRX, HTTP client sending TCP RSTs after initial SYN and SYN-ACK.
I don't think this will happen; the destination NAT rule on the SRX will take care of the reverse NAT.
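To make the reply's point concrete, here is an added example (not code from the thread or from Juniper) of how a flow-based firewall's session table undoes a destination NAT on the return path. It uses the addresses quoted in the thread; the session-table layout, the client port 40000 and the `Packet`/`DnatFirewall` names are assumptions for illustration, not the vSRX implementation.

```python
# Added example: a minimal stateful destination-NAT session table, showing why
# the client at 172.31.81.76 sees the SYN-ACK come back from 172.31.94.254
# (the address it connected to) rather than from the real server 172.31.51.86.
# Addresses are the ones quoted in the thread; everything else is illustrative.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", "RST", ...


# Static destination-NAT rule: (public address, port) -> (private server, port)
DNAT_RULES = {("172.31.94.254", 80): ("172.31.51.86", 80)}


class DnatFirewall:
    """Untrust->Trust traffic is translated and recorded; Trust->Untrust replies
    are matched against the recorded session and translated back."""

    def __init__(self, rules):
        self.rules = rules
        # key: translated 5-tuple as seen by the server -> original destination
        self.sessions = {}

    def forward(self, pkt: Packet) -> Packet:
        key = (pkt.dst, pkt.dport)
        if key not in self.rules:
            return pkt  # no DNAT rule matches, pass unchanged
        new_dst, new_dport = self.rules[key]
        # Remember how to undo the translation for the reverse direction.
        self.sessions[(new_dst, new_dport, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, new_dst, new_dport, pkt.flags)

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            return None  # no session: a flow-based firewall drops the reply
        orig_dst, orig_dport = self.sessions[key]
        # Source of the reply becomes the address the client originally used.
        return Packet(orig_dst, orig_dport, pkt.dst, pkt.dport, pkt.flags)


def client_accepts(pkt: Packet, connected_to) -> bool:
    """A TCP client only has a socket for the (ip, port) it connected to;
    a SYN-ACK from any other source would be answered with a RST."""
    return (pkt.src, pkt.sport) == connected_to


def simulate_handshake():
    """Run SYN and SYN-ACK through the firewall; return what the server and
    the client actually see."""
    fw = DnatFirewall(DNAT_RULES)
    client_syn = Packet("172.31.81.76", 40000, "172.31.94.254", 80, "SYN")
    at_server = fw.forward(client_syn)
    server_synack = Packet(at_server.dst, at_server.dport,
                           at_server.src, at_server.sport, "SYN-ACK")
    at_client = fw.reverse(server_synack)
    return at_server, at_client


if __name__ == "__main__":
    srv, cli = simulate_handshake()
    print("server sees SYN:", srv)
    print("client sees SYN-ACK:", cli, "accepted:",
          client_accepts(cli, ("172.31.94.254", 80)))
```

The poster's step 4 would only occur if the SYN-ACK bypassed the session table (asymmetric return path around the vSRX); a packet capture on the client showing the SYN-ACK's actual source address distinguishes the two cases.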
Re: Lots of tunnels ok but ONE route-based VPN tunnel to Cisco ASA passes data but will drop every few minutes
rsuraj wrote: We may see what packet/notification is coming during the issue using the below command.
"monitor traffic interface ge-0/0/0.0 no-resolve matching udp detail" === replace ge-0/0/0.0 with your VPN external interface
The monitor command does not seem to show any info on this particular tunnel, even after watching the traffic through the events.
Re: Lots of tunnels ok but ONE route-based VPN tunnel to Cisco ASA passes data but will drop every few minutes
rsuraj wrote: We may see what packet/notification is coming during the issue using the below command.
"monitor traffic interface ge-0/0/0.0 no-resolve matching udp detail" === replace ge-0/0/0.0 with your VPN external interface
I spoke too soon. I was able to capture a short sequence:
10:35:36.332380 In IP (tos 0x0, ttl 249, id 24912, offset 0, flags [none], proto: UDP (17), length: 184) 189.XXX-XXX-XXX.500 > 198.XXX-XXX-XXX.500: isakmp 1.0 msgid b5c766ba: phase 2/others ? oakley-quick[E]: [|hash]
10:35:36.351053 Out IP (tos 0x0, ttl 64, id 24605, offset 0, flags [none], proto: UDP (17), length: 184) 198.XXX-XXX-XXX.500 > 189.XXX-XXX-XXX.500: isakmp 1.0 msgid b5c766ba: phase 2/others ? oakley-quick[E]: [|hash]
10:35:36.383683 In IP (tos 0x0, ttl 249, id 21479, offset 0, flags [none], proto: UDP (17), length: 104) 189.XXX-XXX-XXX.500 > 198.XXX-XXX-XXX.500: isakmp 1.0 msgid b5c766ba: phase 2/others ? oakley-quick[E]: [|hash]
10:35:36.393107 Out IP (tos 0x0, ttl 64, id 24606, offset 0, flags [none], proto: UDP (17), length: 96) 198.XXX-XXX-XXX.500 > 189.XXX-XXX-XXX.500: isakmp 1.0 msgid a644afac: phase 2/others ? inf[E]: [|hash]
10:35:36.825417 In IP (tos 0x0, ttl 122, id 4624, offset 0, flags [none], proto: UDP (17), length: 124) 65.36.94.126.62885 > 198.XXX-XXX-XXX.4500: UDP, length 96
10:35:36.828233 Out IP (tos 0x0, ttl 64, id 24608, offset 0, flags [none], proto: UDP (17), length: 124) 198.XXX-XXX-XXX.4500 > 65.36.94.126.62885: UDP, length 96
10:35:37.477698 Out IP (tos 0x0, ttl 64, id 24609, offset 0, flags [none], proto: UDP (17), length: 29) 198.XXX-XXX-XXX.4500 > 76.185.93.13.60106: UDP, length 1
10:35:38.475174 In IP (tos 0x0, ttl 249, id 23593, offset 0, flags [none], proto: UDP (17), length: 184) 189.XXX-XXX-XXX.500 > 198.XXX-XXX-XXX.500: isakmp 1.0 msgid 53568c70: phase 2/others ? oakley-quick[E]: [|hash]
10:35:38.496892 Out IP (tos 0x0, ttl 64, id 24611, offset 0, flags [none], proto: UDP (17), length: 184) 198.XXX-XXX-XXX.500 > 189.XXX-XXX-XXX.500: isakmp 1.0 msgid 53568c70: phase 2/others ? oakley-quick[E]: [|hash]
10:35:38.529892 In IP (tos 0x0, ttl 249, id 24038, offset 0, flags [none], proto: UDP (17), length: 104) 189.XXX-XXX-XXX.500 > 198.XXX-XXX-XXX.500: isakmp 1.0 msgid 53568c70: phase 2/others ? oakley-quick[E]: [|hash]
10:35:38.540305 Out IP (tos 0x0, ttl 64, id 24612, offset 0, flags [none], proto: UDP (17), length: 96) 198.XXX-XXX-XXX.500 > 189.XXX-XXX-XXX.500: isakmp 1.0 msgid ca32943e: phase 2/others ? inf[E]: [|hash]
I cannot get any meaning from the above. Anyone else?
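What can be read from that capture without decrypting anything is the exchange pattern: tcpdump prints "oakley-quick" for an ISAKMP Quick Mode (phase 2) exchange and "inf" for an Informational exchange, which carries Notify or Delete payloads; "[E]" means the payload is encrypted, so the capture cannot show which notification it is (the SRX IKE traceoptions can). The following added script, not part of the thread, groups the quoted lines by ISAKMP message id and classifies the UDP/4500 traffic; the regexes assume exactly the tcpdump-style format shown above, and the sample text is the poster's lines embedded as a constant.

```python
# Added example: summarize a tcpdump-style IKE capture by ISAKMP message id.
# CAPTURE is the poster's output copied in (peer addresses masked as in the post).
import re
from collections import OrderedDict

CAPTURE = """\
10:35:36.332380 In IP (tos 0x0, ttl 249, id 24912, offset 0, flags [none], proto: UDP (17), length: 184) 189.XXX-XXX-XXX.500 > 198.XXX-XXX-XXX.500: isakmp 1.0 msgid b5c766ba: phase 2/others ? oakley-quick[E]: [|hash]
10:35:36.351053 Out IP (tos 0x0, ttl 64, id 24605, offset 0, flags [none], proto: UDP (17), length: 184) 198.XXX-XXX-XXX.500 > 189.XXX-XXX-XXX.500: isakmp 1.0 msgid b5c766ba: phase 2/others ? oakley-quick[E]: [|hash]
10:35:36.383683 In IP (tos 0x0, ttl 249, id 21479, offset 0, flags [none], proto: UDP (17), length: 104) 189.XXX-XXX-XXX.500 > 198.XXX-XXX-XXX.500: isakmp 1.0 msgid b5c766ba: phase 2/others ? oakley-quick[E]: [|hash]
10:35:36.393107 Out IP (tos 0x0, ttl 64, id 24606, offset 0, flags [none], proto: UDP (17), length: 96) 198.XXX-XXX-XXX.500 > 189.XXX-XXX-XXX.500: isakmp 1.0 msgid a644afac: phase 2/others ? inf[E]: [|hash]
10:35:36.825417 In IP (tos 0x0, ttl 122, id 4624, offset 0, flags [none], proto: UDP (17), length: 124) 65.36.94.126.62885 > 198.XXX-XXX-XXX.4500: UDP, length 96
10:35:36.828233 Out IP (tos 0x0, ttl 64, id 24608, offset 0, flags [none], proto: UDP (17), length: 124) 198.XXX-XXX-XXX.4500 > 65.36.94.126.62885: UDP, length 96
10:35:37.477698 Out IP (tos 0x0, ttl 64, id 24609, offset 0, flags [none], proto: UDP (17), length: 29) 198.XXX-XXX-XXX.4500 > 76.185.93.13.60106: UDP, length 1
10:35:38.475174 In IP (tos 0x0, ttl 249, id 23593, offset 0, flags [none], proto: UDP (17), length: 184) 189.XXX-XXX-XXX.500 > 198.XXX-XXX-XXX.500: isakmp 1.0 msgid 53568c70: phase 2/others ? oakley-quick[E]: [|hash]
10:35:38.496892 Out IP (tos 0x0, ttl 64, id 24611, offset 0, flags [none], proto: UDP (17), length: 184) 198.XXX-XXX-XXX.500 > 189.XXX-XXX-XXX.500: isakmp 1.0 msgid 53568c70: phase 2/others ? oakley-quick[E]: [|hash]
10:35:38.529892 In IP (tos 0x0, ttl 249, id 24038, offset 0, flags [none], proto: UDP (17), length: 104) 189.XXX-XXX-XXX.500 > 198.XXX-XXX-XXX.500: isakmp 1.0 msgid 53568c70: phase 2/others ? oakley-quick[E]: [|hash]
10:35:38.540305 Out IP (tos 0x0, ttl 64, id 24612, offset 0, flags [none], proto: UDP (17), length: 96) 198.XXX-XXX-XXX.500 > 189.XXX-XXX-XXX.500: isakmp 1.0 msgid ca32943e: phase 2/others ? inf[E]: [|hash]
"""

# Lines tcpdump could decode as ISAKMP (UDP/500).
ISAKMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>In|Out) IP .*? (?P<src>\S+) > (?P<dst>\S+): "
    r"isakmp 1\.0 msgid (?P<msgid>[0-9a-f]+): phase (?P<phase>[^/]+)/others "
    r"\? (?P<exch>[\w-]+)\[E\]"
)
# Undecoded UDP lines; we only keep those involving port 4500 (NAT-T).
UDP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>In|Out) IP .*? (?P<src>\S+) > (?P<dst>\S+): "
    r"UDP, length (?P<len>\d+)$"
)


def parse_capture(text):
    """Return (ike, natt): ike maps msgid -> exchange info in first-seen order,
    natt is a list of (dir, src, dst, length, kind) for UDP/4500 packets."""
    ike = OrderedDict()
    natt = []
    for line in text.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            entry = ike.setdefault(
                m["msgid"], {"exchange": m["exch"], "phase": m["phase"], "packets": []})
            entry["packets"].append((m["dir"], m["src"], m["dst"]))
            continue
        m = UDP_RE.match(line)
        if m and (m["src"].endswith(".4500") or m["dst"].endswith(".4500")):
            length = int(m["len"])
            # RFC 3948 NAT-keepalive is a single 0xFF byte; anything larger is
            # UDP-encapsulated ESP or IKE with the non-ESP marker.
            kind = "nat-keepalive" if length == 1 else "nat-t-encapsulated"
            natt.append((m["dir"], m["src"], m["dst"], length, kind))
    return ike, natt


def describe(ike):
    """One human-readable line per ISAKMP message id."""
    out = []
    for msgid, e in ike.items():
        dirs = "/".join(d for d, _, _ in e["packets"])
        out.append(f"msgid {msgid}: {e['exchange']} (phase {e['phase']}), "
                   f"{len(e['packets'])} pkts: {dirs}")
    return out


if __name__ == "__main__":
    ike, natt = parse_capture(CAPTURE)
    print("\n".join(describe(ike)))
    for rec in natt:
        print("nat-t:", rec)
```

On this input the script reports two three-message Quick Mode exchanges initiated by the 189.x peer (In/Out/In), each immediately followed by an outgoing encrypted Informational from the 198.x side, plus unrelated NAT-T traffic with a different peer. A Quick Mode that completes and is at once answered with an Informational is the pattern to take to the IKE traceoptions on the SRX and to "show crypto ipsec sa detail" on the ASA, to see which notification is being exchanged.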
QOS on ST0 interfaces?
How does one go about getting QoS over st0 interfaces?
It is not an option right now in the CLI.
We have a RW rule on our MPLS interface; the st0 interface uses a separate cable/DSL connection for a VPN backup.
The issue is that when on the VPN the QoS doesn't really work, and the phones and critical business apps have issues.
Do I need to move the RW to the VLAN? To the physical interface the tunnel is on? (The VLAN seems like it could work, but not the physical.)
What is the best practice on this? I have googled around but there is not much info, and even in this forum the newest thread was from 2012.
Re: QOS on ST0 interfaces?
Hi
This is achieved by using virtual channels; check out this doc.
Re: QOS on ST0 interfaces?
Class of Service
* CoS support for the st0 interface for SRX300, SRX320, SRX340, SRX345, SRX550M devices and vSRX2.0 instances—Starting with Junos OS 15.1X49-D60, class of service (CoS) features such as classifier, policer, queuing, scheduling, shaping, rewriting markers, and virtual channels can now be configured on the secure tunnel interface (st0) for point-to-point VPNs. The st0 tunnel interface is an internal interface that can be used by route-based VPNs to route cleartext traffic to an IPsec VPN tunnel.
Ref: https://www.juniper.net/techpubs/en_US/junos15.1x49-d60/information-products/topic-collections/release-notes/15.1x49-d60/topic-108022.html#jd0e161
Re: Lots of tunnels ok but ONE route-based VPN tunnel to Cisco ASA passes data but will drop every few minutes
Hello,
Just to confirm:
Is the VPN created on the Cisco ASA with the correct crypto map?
This can be confirmed using the 'show crypto ipsec sa detail' command for the specific peer.
I have seen cases where a configured crypto map (and sequence number) is not utilized due to its positioning or an overlapping subnet, or because the default map kicks in.
Regards,
Rushi
Re: Trouble with firewall filters
Hi
I defined the port to be allowed, such as this:
from all the 3 prefix lists, protocol udp and destination-port 161
But I see this error in the message log:
snmpd[1464]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 5.210.62.144 to x.x.x.x (public).
Will you help me?
Re: Trouble with firewall filters
I checked the SRX interface with nmap and it shows open udp/161.
Re: Trouble with firewall filters
Below URLs may be helpful for you. Are you using routing instances?
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28735&actp=RSS
https://forums.juniper.net/t5/Junos/SNMP-issue/td-p/14989
https://forums.juniper.net/t5/Junos/SNMPD-AUTH-FAILURE/td-p/273550
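One useful check here is that SNMPD_AUTH_FAILURE is logged by snmpd itself, which means the datagram from 5.210.62.144 reached the daemon: whatever the filter is meant to do, it is not discarding that source. The following added script, not from the thread or from Juniper, pulls the auth-failure sources out of the message log and flags any that fall outside the prefix lists the filter is supposed to allow. The log lines other than the quoted one, the `ALLOWED_PREFIXES` values and the function names are constructed placeholders, since the thread does not give the actual prefix lists.

```python
# Added example: find SNMP auth-failure sources that should have been dropped
# by the firewall filter. The first LOG line is the one quoted in the question;
# the other two are constructed. ALLOWED_PREFIXES stands in for the three
# prefix lists mentioned in the question (placeholders, not the real ones).
import ipaddress
import re
from collections import Counter

LOG = """\
snmpd[1464]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 5.210.62.144 to x.x.x.x (public).
snmpd[1464]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 192.0.2.10 to x.x.x.x (public).
sshd[2001]: Accepted publickey for admin from 192.0.2.10 port 51000 ssh2
"""

ALLOWED_PREFIXES = [ipaddress.ip_network(p) for p in
                    ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

AUTH_FAIL_RE = re.compile(
    r"SNMPD_AUTH_FAILURE: .* from (?P<src>\d+\.\d+\.\d+\.\d+) to \S+ "
    r"\((?P<community>[^)]*)\)"
)


def snmp_auth_failures(log_text):
    """Return [(source address, community string)] for every auth-failure line."""
    found = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            found.append((ipaddress.ip_address(m["src"]), m["community"]))
    return found


def sources_outside_filter(log_text, allowed):
    """Sources that reached snmpd although no allowed prefix contains them.
    A non-empty result means the filter is not discarding them, for instance
    because it is not applied where the SNMP traffic actually arrives, or
    because the traffic arrives in a different routing instance."""
    return [(str(src), community)
            for src, community in snmp_auth_failures(log_text)
            if not any(src in net for net in allowed)]


def community_counts(log_text):
    """How often each community string was tried: repeated 'public' attempts
    from unexpected sources are worth noticing on their own."""
    return Counter(community for _, community in snmp_auth_failures(log_text))


if __name__ == "__main__":
    for src, community in sources_outside_filter(LOG, ALLOWED_PREFIXES):
        print(f"reached snmpd from outside allowed prefixes: {src} ({community})")
    print(dict(community_counts(LOG)))
```

Feeding this the real message log and the real prefix lists answers the practical question: if the flagged sources are the same ones the filter lists as denied, the filter is not in the packet path for that traffic, which is what the routing-instance question in the reply above is getting at.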
Re: Site-to-Site VPN with Inline Transparent Web Filter
So on the datacenter side:
-Create a virtual router "VPN"
-Add ge-0/0/5 with IP 10.28.0.2 (some unused port on the SRX) and st0.0 to the virtual router
-Make the 0.0.0.0/0 route on the VPN virtual router point to 10.28.0.1
-Connect ge-0/0/5 to the 4200
-Create a VLAN "VPN Traffic" on the 4200 with 10.28.0.1/29 as the gateway
-Make a port on the 4200 an access port for the VPN Traffic VLAN
-Add the "VPN Traffic" VLAN to my 0.0.0.1 OSPF area (10.29.0.0/29 is my 0.0.0.0 backbone)
-Voila?
That should in theory work, correct? I'm guessing there wouldn't be an issue trunking the VLAN instead of using a physical port if I so choose.