Correct on the OSPF, I just do it that way (because I'm weird). I have a separe VPN security zone which I'll throw the port/vlan for "Internal VPN" into. That way it's easier to keep adding VPNs in the future and keeping their traffic seperate but equal in case I ever need to lock them down a bit more.
Thanks for the help! I'm almost done implementing the changes and will post all of my configs when I have it working.
Suraj,
Thank you. Indeed the SRX100 CLI shows the SPU usage when I issue your command.
Can you tell me why the following command, when run from another computer, shows may OIDs but does not show the SPU Usage OID? I must have some fundamental misunderstanding about what it means to "walk" SNMP.
snmpwalk -OS -v2c -c @Public 192.168.9.7
Thanks again,
Chris
I did a test in the lab on two SRX100B with IPSEC proposal esp/hmac-sha-256-96/aes-256-cbc and I got
Changing st0.0 MTU to 1400B indeed helps avoiding fragmentation. Path MTU discovery kicks in in ths situation. As this mechanism not always work I guess the best way would be to use both, decreased mtu on st0.0 and tcp mss adjust.
As interesting as it was it didn't help a bit with your original problem. Do you maybe have any screens enabled on VPN zone? Or maybe you are also NATing the traffic? Btw. for my tests I used FTP.
Correct me if I'm wrong but it looks like you only thought of how to get traffic from remote site to the Internet via web filter. What about returning traffic? The only solution I see would be to NAT remote site triaffic to seperate IP and use FBF.
Terrible design. Nightmare to troubleshoot.
wdudys, I don't understand your concern. As far as return traffic is concern, the remote site is handled just like any other internal LAN subnet. And there's OSPF running.
My concern is that returning traffic will not be filtered by web filter. It thats not an issue then ok.
Why wouldn't it be ???
hey guys, as I said I cannot run the "--format" command. I get invalid url:
loader> install --format tftp://192.168.1.100/junos-srxsme-12.1X44-D60.2-domestic.tgz
invalid URL
Any idea why this won't work? uboot and loader are up to date.
Any other solution?
Ok I gave some more thoughts into it. With proper routing it should work. Please ignore my previous comments.
I have no real access to that ASA as it is in another country and owned by someone else.
But the below is the read-out of the command. Let me know if any more information might help.
ASA-Company# show crypto ipsec sa peer 198.XXX-XXX-XXX
peer address: 198.XXX-XXX-XXX
Crypto map tag: WAN1-Bestel_map, seq num: 3, local addr: 189.XXX-XXX-XXX
access-list CryptoMap-Karum extended permit tcp 10.200.0.0 255.255.0.0 172.16.61.0 255.255.255.0 eq www
local ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/6/0)
remote ident (addr/mask/prot/port): (172.16.61.0/255.255.255.0/6/80)
current_peer: 198.XXX-XXX-XXX
#pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
#pkts decaps: 375, #pkts decrypt: 35, #pkts verify: 35
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 36, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 340
local crypto endpt.: 189.XXX-XXX-XXX/0, remote crypto endpt.: 198.XXX-XXX-XXX/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 4E70460D
current inbound spi : B4770A9E
inbound esp sas:
spi: 0xB4770A9E (3027700382)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 200552448, crypto-map: WAN1-Bestel_map
sa timing: remaining key lifetime (sec): 3402
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000020 0x30000000
outbound esp sas:
spi: 0x4E70460D (1315980813)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 200552448, crypto-map: WAN1-Bestel_map
sa timing: remaining key lifetime (sec): 3400
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: WAN1-Bestel_map, seq num: 3, local addr: 189.XXX-XXX-XXX
access-list CryptoMap-Karum extended permit icmp 10.200.0.0 255.255.0.0 172.16.61.0 255.255.255.0
local ident (addr/mask/prot): (10.200.0.0/255.255.0.0/1)
remote ident (addr/mask/prot): (172.16.61.0/255.255.255.0/1)
current_peer: 198.XXX-XXX-XXX
#pkts encaps: 643, #pkts encrypt: 643, #pkts digest: 643
#pkts decaps: 721, #pkts decrypt: 721, #pkts verify: 721
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 643, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 189.XXX-XXX-XXX/0, remote crypto endpt.: 198.XXX-XXX-XXX/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0CD19201
current inbound spi : 93E04ACC
inbound esp sas:
spi: 0x93E04ACC (2480949964)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 200552448, crypto-map: WAN1-Bestel_map
sa timing: remaining key lifetime (sec): 2972
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0CD19201 (215060993)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 200552448, crypto-map: WAN1-Bestel_map
sa timing: remaining key lifetime (sec): 2972
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi,
I am having issues trying to delete firewall filters via jweb. I click to delete them, and then click commit and they show up with & time and time again. Anyone know how to correct this issue? It might have something to do with the jweb interface timing out after about 10minutes. Not sure what else I should post for logs. Any help would be greatly appreciated.
When you do a MIB walk you expect to get ~15000 OIDs and it will have the SPU CPU usage as ".1.3.6.1.4.1.2636.3.39.1.12.1.1.1.4" or "jnxJsSPUMonitoringCPUUsage".
You may have to wait till the SNMP MIB walk complete, which will take few minutes and it has to print ~15k lines.
do you get any error/warning while commit? Also can you verify the configuration from CLI after you delete?
Hi All,
Just let you know the issue has been resolved.
Now all 4 ports are shown up and all ping successfull.
The reason was due to the incorrect cabling ...
Hello,
My problem is, I have srx-320 with 2 vlan connected to a swicth cisco sg300 by a trunk port allowing all vlan and I have 2 dhcp pool, all windows devices and sip phone take dhcp ok but apple devices and verifone cardCredit do not take dhcp I do not see why
please help me
Dear All
I have a pair of SRX240H's in an Active/Active cluster. We are working on a project where there will be about 350 vitual servers accessing resources across the global but using these SRX's as there internet gateway, at present we only have 110 servers switched on. We started with about 40 servers accessing the Internet and no problems were reported, over the last week we have increased the number of servers from 40 to 110, as soon as we had 110 servers running the throughput of the firewall's completely fell away. For example with all but 1 server switched off transfering a 900MB file from one zone to another using windows file copy we get around 25MBytes a second, turn all the servers back on and this drops down to 3-5MBytes a second if we are lucky.
I have looked at the all the interfaces and they are all showing Full-Duplex 1000MB. Look at the stats for the interfaces and I see a large number of input error's but a detail look at the interfaces shows this is due to "Policed discard". When the servers are switched off there is about 24000 sessions, turn the servers on and this jumps upto 27000. If I check the stats on the PFE it shows about 75000 pps.
The tcp-mss is set to 1450 and all interfaces execpt FAB0 and FAB1 are set to 1514 MTU.
I have seen some post from others forum's suggest setting "set security flow tcp-session no-sequence-check" but I have not been in a position to test this change.
Also would be the recommended tcp-mss size as juniper report this can also be an issue if set to large.
If anyone has seen this before or has any idea's your help would be grate.
Richard
It is still showing up in the cli, and I am not getting an error when trying to commit. Below is the cli for one of the filters that won't delete. Let me know if you need me to post the second one. When I am trying to delete it from the cli I am getting the error "warning: statement not found"
filter "Servers - MSN OPS & Lab to CAV/COW OPS" {
term "lab (OPSWAN) to COWOPSWAN" {
from {
source-address {
X.X.100.0/24;
}
destination-address {
X.X.108.18/32;
X.X.108.19/32;
X.X.108.23/32;
X.X.108.27/32;
X.X.108.28/32;
X.X.108.41/32;
X.X.108.42/32;
X.X.108.43/32;
X.X.108.44/32;
X.X.108.45/32;
X.X.108.46/32;
X.X.108.47/32;
}
protocol udp;
source-port ntp;
destination-port ntp;
}
then accept;
}
}
I'm looking for a way to allow users to change their own VPN (dynamic VPN) password on a Juniper SRX650 running 12.1X47-D35. My problem is if I log in via cli and type out the command "set access profile bla-profile client bla-client firewall-user password " and have the user finish the command by typing in their password, it shows as they typed it in the terminal window. So then if I take control of the terminal to commit I will see their password. I really don't want the users to commit changes, plus this starts to instruct users on typing multiple commands... I have the SRX650 running in HA, so I can't have the user make the change, close the terminal window, then log back in and commit the changes. I've tried to find the users in J-Web, but I'm failing at finding where to edit the users password. I see the access profile with list of users, just can't figure out how to change the password. I believe J-Web might be able to accomplish my needs, but I fail at the GUI....
Any suggestions?
I suspect you cannot delete them because they are in use in another portion of the configuration. Usually they would be applied to interfaces. So in order to remove the filter you also need to remove the reference to the filter on the interface as well.
