I've found only a few obscure posts dating a few years back but apparently there's no conclusion.
Is gre key supported in JunOS?
I am migrating an old ISG2000 with lots of gre keyed tunnels.
Any clue?
Thanks
GRE with key is not supported on SRX.
[edit]
root@SRX# set interfaces gr-0/0/0 unit 0 tunnel ? ---> Below given are supported options
Possible completions:
allow-fragmentation Do not set DF bit on packets
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
destination Tunnel destination
do-not-fragment Set DF bit on packets
flow-label Flow label field of IP6-header (0..1048575)
no-path-mtu-discovery Don't enable path MTU discovery for tunnels
path-mtu-discovery Enable path MTU discovery for tunnels
> routing-instance Routing instance to which tunnel ends belong
source Tunnel source
traffic-class TOS/Traffic class field of IP-header (0..255)
ttl Time to live (0..255)
[edit]
root@SRX# set interfaces gr-0/0/0 unit 0 tunnel key 123456 ----> Key is hidden command
[edit]
root@SRX# show interfaces gr-0/0/0
unit 0 {
tunnel {
source 1.1.1.1;
destination 1.1.1.2;
##
## Warning: statement ignored: unsupported platform (srx650) ----> Throws error as unsupported
##
key 123456;
}
family inet;
}
[edit]
root@SRX#
As soon as you commit the changes from J-Web, can you collect the below output from the SRX CLI? This is to confirm if the commit is successful. As Steve mentioned, you cannot delete firewall filters if they're used on some interfaces, but I expect a commit fail/error in that case.
root> show system uptime
root> show system commit
Are you using DHCP? This is a known issue with old DHCP configuration due to the unicast flags on DHCP discover messages from Apple devices, and the same has been fixed in the JDHCP design. Request you to use JDHCP config and check.
If you already have JDHCP config, please do a pcap from Apple and compare it with a working device to see if there is any difference.
Run the below command to see if you have DHCP or JDHCP:
root> show system processes extensive | match dhcp
29644 root 1 76 0 85792K 11700K select 0:00 0.00% jdhcpd ----> Here it's JDHCP
root>
Sample JDHCP config:
set system services dhcp-local-server group JDHCP interface ge-0/0/0.0
set access address-assignment pool JDHCPVR-POOL family inet network 6.6.6.0/24
set access address-assignment pool JDHCPVR-POOL family inet range JDHCPVR-RANGE low 6.6.6.66
set access address-assignment pool JDHCPVR-POOL family inet range JDHCPVR-RANGE high 6.6.6.67
set access address-assignment pool JDHCPVR-POOL family inet dhcp-attributes router 6.6.6.1
ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB26898&actp=search
User configuration using J-web is explained on Page 12 - https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-junos10.4-v21.pdf
Let me know if this helps you.
Use "show security monitoring performance spu" and see if the dataplane CPU is going high. You have also mentioned that you have an active/active setup; can you check the performance with active/backup to see if the fab link is creating a bottleneck?
Also 1350 is the generally used MSS.
Thank you for the reply, but this looks to be while setting users up. Users are already set up and I want to provide them a way to change their password, even if it's with my laptop while logged in.
So this is a brand new setup, and we haven't configured any of the actual interfaces yet, besides the IP address to be able to access the J-Web GUI. So I find it hard to believe that it could be attached to an actual interface, when we haven't even configured one. Here is the system uptime and the commit. It seems that maybe it has something to do with an apostrophe in the title name that is throwing it off?
root@SRX550> show system uptime
Current time: 2016-12-15 15:34:50 UTC
Time Source: LOCAL CLOCK
System booted: 2016-12-12 16:31:11 UTC (2d 23:03 ago)
Protocols started: 2016-12-12 16:31:12 UTC (2d 23:03 ago)
Last configured: 2016-12-15 15:27:50 UTC (00:07:00 ago) by root
3:34PM up 2 days, 23:04, 1 user, load averages: 0.00, 0.05, 0.06
root@SRX550> show system commit
0 2016-12-15 15:27:50 UTC by root via junoscript
1 2016-12-15 15:27:18 UTC by root via junoscript
2 2016-12-15 15:20:47 UTC by root via junoscript
3 2016-12-14 19:17:26 UTC by root via junoscript
4 2016-12-12 20:26:27 UTC by root via junoscript
5 2016-12-12 20:07:20 UTC by root via junoscript
root@SRX550>
Since I have a static NAT mapping for every host, I simply allowed intra-zone traffic in the security policy and hairpinning just worked!
Hi All,
I have a case about a failed PEM module. In the troubleshooting, I did a manual failover to node 1 for RG1. RG0 was already failed over to node 1.
I reset PEM 1 from node 1, the alarm was cleared and it looked good. PEM 1 was in OK/Online state.
Why, when I want to fail back over to Node 0, is the device impacted so that it can't be accessed globally?
So now, the device status is on Node 1.
Thanks,
Andriy
JNCIP-SP, JNCIP-SEC
Hi Colorado,
Do you wish to remove all the firewall filters or just the one you have attached earlier?
Can you share the output of
#show interfaces | match filter | display set
#show firewall | display set
Regards,
Anand
Followed instructions found here: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21833&smlogin=true&actp=search
Can't seem to get traffic to show up when I do a port mirror. I'm trying to get my untrust interface of ge-0/0/0 to send ingress and egress traffic to ge-0/0/3. I know for sure that there's certain traffic that I should see going through here, and I'm not seeing it. This would show me ALL traffic going in and out of ge-0/0/0, right? Are there any gotchas here? My EX3300 port mirror works perfectly...
Thanks for any help
In addition, if I try to monitor traffic interface ge-0/0/0 I see zero packets.
Hi Anand,
The cluster state is below:
Cluster ID: 1
Node    Priority   Status      Preempt   Manual   Monitor-failures
Redundancy group: 0 , Failover count: 4
node0   129        secondary   no        yes      None
node1   255        primary     no        yes      None
Redundancy group: 1 , Failover count: 4
node0   129        secondary   yes       yes      None
node1   255        primary     yes       yes      None
Now, Node 1 as primary.
What is the solution for this case?
Thanks,
Hi.
The network scheme is very simple:
LAN----ge0/0/0.15<SRX>vlan.100----ISP----10.3.7.81
(The ISP has a host with an address from a private network.)
So, my aster has address 192.168.77.122 and the outgoing SIP session goes through this source NAT rule:
pool PBX {
    address {
        37.230.255.21/32;
    }
}
rule-set NAT {
    from zone trust;
    to zone untrust;
    rule NAT-PBX {
        match {
            source-address 192.168.77.122/32;
        }
        then {
            source-nat {
                pool {
                    PBX;
                    persistent-nat {
                        permit target-host;
                        inactivity-timeout 7200;
                    }
                }
            }
        }
    }
}
I have a problem with connecting to SIP peer with private address:
When I try to ping, I see packets in the flow session and in Wireshark.
When I try to call, I see packets in the flow session:
Session ID: 175737, Policy name: internet-access/4, Timeout: 16, Valid
  In: 192.168.77.122/43112 --> 10.3.7.82/5060;tcp, If: ge-0/0/15.0, Pkts: 3, Bytes: 180
  Out: 10.3.7.82/5060 --> x.x.x..21/13234;tcp, If: vlan.100, Pkts: 0, Bytes: 0
but I don't see packets going out from the interface (port mirroring).
Where may the problem occur?
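Added example, not from the original thread: a small Python parser for the "show security flow session" lines quoted above that flags sessions whose Out wing shows zero packets, which is the symptom in the post. The sample output is constructed; the public address is taken from the NAT pool shown in the post, and the second session is made up for contrast.

```python
import re

# Constructed sample: one session in the shape shown in the post (In wing has
# packets, Out wing has none) plus a healthy session for contrast.
SAMPLE_OUTPUT = """\
Session ID: 175737, Policy name: internet-access/4, Timeout: 16, Valid
  In: 192.168.77.122/43112 --> 10.3.7.82/5060;tcp, If: ge-0/0/15.0, Pkts: 3, Bytes: 180
  Out: 10.3.7.82/5060 --> 37.230.255.21/13234;tcp, If: vlan.100, Pkts: 0, Bytes: 0
Session ID: 175801, Policy name: internet-access/4, Timeout: 1800, Valid
  In: 192.168.77.122/43200 --> 10.3.7.82/5060;tcp, If: ge-0/0/15.0, Pkts: 12, Bytes: 960
  Out: 10.3.7.82/5060 --> 37.230.255.21/13240;tcp, If: vlan.100, Pkts: 11, Bytes: 880
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
WING_RE = re.compile(
    r"(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text):
    """Return a list of dicts, one per session, with 'in'/'out' wing details."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2),
                             "timeout": int(m.group(3))})
            continue
        w = WING_RE.search(line)
        if w and sessions:
            # Attach the wing to the most recently seen session header.
            sessions[-1][w.group(1).lower()] = {
                "src": w.group(2), "dst": w.group(3), "proto": w.group(4),
                "interface": w.group(5), "pkts": int(w.group(6)),
                "bytes": int(w.group(7)),
            }
    return sessions


def one_way_sessions(sessions):
    """IDs of sessions where the In wing carries packets but the Out wing shows none."""
    return [s["id"] for s in sessions
            if s.get("in", {}).get("pkts", 0) > 0
            and s.get("out", {}).get("pkts", 0) == 0]


if __name__ == "__main__":
    print(one_way_sessions(parse_sessions(SAMPLE_OUTPUT)))
```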
Hi, I have an SRX210 firewall. I have configured two categories, bad-sites and good-sites. I want to block bad-sites URLs and allow good-sites, but the problem is that both are being allowed on my firewall. My configuration is as under. Please, can anyone help me in this regard? I am filtering these sites locally.
[edit security utm]
root@srx# show custom-objects
url-pattern {
    blocked-urls {
        value http://rtoodtoo.com;
    }
    allowed-urls {
        value http://rtodto.net;
    }
}
custom-url-category {
    bad-sites {
        value blocked-urls;
    }
    good-sites {
        value allowed-urls;
    }
}

[edit security utm]
root@srx# show feature-profile
web-filtering {
    url-whitelist good-sites;
    url-blacklist bad-sites;
    type juniper-local;
    juniper-local {
        profile wf-local {
            custom-block-message "Juniper UTM firewall blocked this request";
            fallback-settings {
                default log-and-permit;
                server-connectivity block;
                timeout block;
                too-many-requests block;
            }
        }
    }
}

[edit security utm]
root@srx# show utm-policy wf-local
web-filtering {
    http-profile wf-local;
}

[edit]
root@srx# show security policies
from-zone TRUST to-zone INTERNET {
    policy trust-internet {
        match {
            source-address n172.4.1.4_30;
            destination-address any;
            application [ junos-http junos-dns-udp junos-ping ];
        }
        then {
            permit {
                application-services {
                    utm-policy wf-local;
                }
            }
        }
    }
}
This is the complete config that I have done on my SRX210.
Hi,
how do I block a single MAC address on an SRX210?
Thx
I think you will need to try the delete on the CLI and then do a commit check so the error can be seen.
I suspect this is platform related, the SRX300 series is NOT listed on any port mirroring kb that I can find.
You can submit a kb article feedback on the right side of that page. The document owner will get your note that the procedure does not work on the SRX300 and open a case to update the documentation. I've used this before to get documentation corrected or updated. But you do need to be patient as this goes through the normal updates workflow.
If no one here has done this on an SRX300 yet, you will need to open a ticket then for a quicker answer.