IP-IP Tunnel .IPv6 to ipV4 Problem

December 16, 2016, 7:04 am

≫ Next: Re: SRX550 Firewill Filter Deletion/Timeout Issue via jWeb

Hi ,

some hours ago I set up IP-IP Tunnel on my firewall , but tonnel does not working .I can ping address on my side of the tunnel but i cant ping other side ...

I'm Using Hurricane Electric Free IPv6 Tunnel Broker Service

Firewall Model: Juniper srx240h2

Firmware : 12.3X48-D35.7
Here is my configuration

interfaces {
ip-0/0/0 {
unit 0 {
tunnel {
source *.*.*.*;
destination *.*.*.*;
}
family inet6 {
address *.*.*.*;
}
}
}
}
routing-options {
rib inet6.0 {
static {
route ::/0 next-hop *.*.*.*;
}
}
}
security {
forwarding-options {
family {
inet6 {
mode packet-based;
}
}
}

May be i'm missing something ?

↧

Re: SRX550 Firewill Filter Deletion/Timeout Issue via jWeb

December 16, 2016, 7:48 am

≫ Next: Re: RG0 was already failed over to node 0 after reset PEM from Node 1 for the alarms cleared

≪ Previous: IP-IP Tunnel .IPv6 to ipV4 Problem

So I am just trying to delete the two filters that have &amp. I tried to delete the filter and it keep giving me a syntax error. I have attached the #show firewall | display set logs, the #show interfaces | match filter | display set command didnt display anything. Let me know if you need anything else.

↧

Re: RG0 was already failed over to node 0 after reset PEM from Node 1 for the alarms cleared

December 16, 2016, 9:06 am

≫ Next: Re: SRX SIP packets doesnt flow, instead ICMP

≪ Previous: Re: SRX550 Firewill Filter Deletion/Timeout Issue via jWeb

I don't know if I understand you correctly but if you just want to switch RG0 and RG1 back to node 0 you have to do the following:

For RG1

request chassis cluster failover reset redundancy-group 1

If Noce0 has higher priority for RG1 it should switch to Node0 as preempt is on.

For RG0

request chassis cluster failover redundancy-group 0 node 0

for 5 minutes Node1 will be in secondary-hold state for RG0

request chassis cluster failover reset redundancy-group 0

↧

Re: SRX SIP packets doesnt flow, instead ICMP

December 16, 2016, 9:06 am

≫ Next: re bios upgrade command is not valid on the srx320

≪ Previous: Re: RG0 was already failed over to node 0 after reset PEM from Node 1 for the alarms cleared

Run a flow trace and see what is happening with the traffic.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

↧

re bios upgrade command is not valid on the srx320

December 16, 2016, 11:42 am

≫ Next: Re: SRX SIP packets doesnt flow, instead ICMP

≪ Previous: Re: SRX SIP packets doesnt flow, instead ICMP

Hi,

New SRX320 - after upgrade to 15.1X49-D50.3 trying to upgrade re bios (like on srx2xx)

> show system firmware
Part           Type             Tag Current Available Status
                                    version version
Routing Engine 0 RE BIOS        0   3.1     2.9       OK
Routing Engine 0 RE BIOS Backup 1   0.0     2.9       OK

1. Why backup bios 0.0 ?

2. Why Current 3.1 > available 2.9 ?

Attempt to upgrade via CLI - error

0> request system firmware upgrade re
error: command is not valid on the srx320

Attempt to upgrade via Shell - do nothing.

% bootupgrade -u /boot/uboot
%

So my questions are:

1. Do I need to upgrade or downgrade bios?

2. If yes then how to do that?

Thank you,

Dmitry.

↧

Re: SRX SIP packets doesnt flow, instead ICMP

December 16, 2016, 12:41 pm

≫ Next: Default-Route Doesn't show up in Forwarding-instance Routing Table.

≪ Previous: re bios upgrade command is not valid on the srx320

It may be that SIP ALG needs to be turned off on your end and the ISP end. I've been able to get double NAT like your setup working with SIP, but if both devices are trying to do SIP ALG you may get strange results.

↧

Default-Route Doesn't show up in Forwarding-instance Routing Table.

December 16, 2016, 2:17 pm

≫ Next: Re: Default-Route Doesn't show up in Forwarding-instance Routing Table.

≪ Previous: Re: SRX SIP packets doesnt flow, instead ICMP

I have a simple routing-instance config:

GuestWifi {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 7.91.187.65;

But this default route doesn't show up in routing table:

rahmad@aus-srx345-001> show route table GuestWiFi.inet.0

GuestWiFi.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.91.187.64/29 *[Direct/0] 23:41:00
> via ge-0/0/8.0
7.91.187.66/32 *[Local/0] 01:05:42
Local via ge-0/0/8.0

Any ideas why isn't the default route showing up?

When I try to ping out of this instance, it says can't assign this address:

aus-srx345-001> ping cnn.com routing-instance GuestWifi
PING cnn.com (151.101.128.73): 56 data bytes
ping: sendto: Can't assign requested address
ping: sendto: Can't assign requested address

Thanks.

↧

Re: Default-Route Doesn't show up in Forwarding-instance Routing Table.

December 16, 2016, 7:59 pm

≫ Next: Re: re bios upgrade command is not valid on the srx320

≪ Previous: Default-Route Doesn't show up in Forwarding-instance Routing Table.

Hello,

It is a strange thing.

As long as you have interface-routes in the GuestWifi (imported from inet.0), default route should be visible.

Do you have any filter to block the default route's import?

Can you share routing & policy related configuration?

Regards,

Rushi

↧

Re: re bios upgrade command is not valid on the srx320

December 16, 2016, 8:06 pm

≫ Next: Re: Srx210 DHCP mac address block

≪ Previous: Re: Default-Route Doesn't show up in Forwarding-instance Routing Table.

Hello,

Can you check if this works for you?

https://kb.juniper.net/InfoCenter/index?page=content&id=KB27360&actp=search

Regards,

Rushi

↧

Re: Srx210 DHCP mac address block

December 16, 2016, 8:23 pm

≫ Next: Re: IP-IP Tunnel .IPv6 to ipV4 Problem

≪ Previous: Re: re bios upgrade command is not valid on the srx320

Hello,

You can try something like this:

https://www.juniper.net/techpubs/en_US/junos11.1/topics/example/layer-2-vlans-firewall-filters-filtering-frames-by-mac-address-mx-solutions.html

This will block certain source MAC on SRX.

Otherwise straightforward option is to configure allowed-mac & rest all will be blocked.

set interface ge–0/0/2 allowed-mac xx:xx:xx:xx:xx:xx

Regards,

Rushi

↧

Re: IP-IP Tunnel .IPv6 to ipV4 Problem

December 16, 2016, 8:24 pm

≫ Next: Re: re bios upgrade command is not valid on the srx320

≪ Previous: Re: Srx210 DHCP mac address block

Hello,

Is there any specific requirement to use only ip-ip tunnel?

Can you try IPSec tunnel or GRE?

Regards,

Rushi

↧

Re: re bios upgrade command is not valid on the srx320

December 16, 2016, 10:36 pm

≫ Next: SRX240-SMB2-CS-3

≪ Previous: Re: IP-IP Tunnel .IPv6 to ipV4 Problem

Hello,

I've checked and it is not working. The command bootupgrade do nothing. Here is output:

root@NO2-130% ls -al /boot/
total 2996
drwxr-xr-x   4 root  wheel     512 Dec 16 20:31 .
drwxr-xr-x  12 root  wheel     512 Dec 16 20:34 ..
-r-xr-xr-x   1 root  wheel     785 May 28  2016 bios-autoupgrade.conf
drwxr-xr-x   2 root  wheel     512 Dec 16 20:31 defaults-r-xr-xr-x   1 root  wheel  299308 May 28  2016 loader
-r--r--r--   1 root  wheel    7772 May 28  2016 loader.4th
-r--r--r--   1 root  wheel      88 May 28  2016 loader.conf
-r--r--r--   1 root  wheel     936 May 28  2016 loader.rc
drwxr-xr-x   2 root  wheel     512 Dec 16 20:31 modules
-r--r--r--   1 root  wheel   36440 May 28  2016 support.4th-r-xr-xr-x   1 root  wheel  649220 May 28  2016 uboot
-r-xr-xr-x   1 root  wheel  457144 May 28  2016 ushell
root@NO2-130% 
root@NO2-130% 
root@NO2-130% bootupgrade -u /boot/uboot -l /boot/loader
root@NO2-130%

↧

SRX240-SMB2-CS-3

December 17, 2016, 3:10 am

≫ Next: Re: IP-IP Tunnel .IPv6 to ipV4 Problem

≪ Previous: Re: re bios upgrade command is not valid on the srx320

Dear All,

Do Juniper still provide this item:

SRX240-SMB2-CS-3

I'm sure it still provide SRX240-SMB2-CS but not sure about SRX240-SMB2-CS-3.

Thanks in advance.

Regards.

Muneer

↧

Re: IP-IP Tunnel .IPv6 to ipV4 Problem

December 17, 2016, 3:34 am

≫ Next: Re: SRX 210 giving slow download speed but max upload speed

≪ Previous: SRX240-SMB2-CS-3

Yes it should work. Maybe if you indicate which addresses are configured, that would help, insert some IP addresses so one oculd identify possibly a misconfiguration. The consruct looks ok, but at least indicate what each of the IP represents. Many IP addresses are available that you could substitute

↧

Re: SRX 210 giving slow download speed but max upload speed

December 17, 2016, 4:22 am

≫ Next: Re: SRX240 Internet Speed slow

≪ Previous: Re: IP-IP Tunnel .IPv6 to ipV4 Problem

Hi chillipepper,

May i know whether u have solution this issue. I have same issue. The diffrence is im using SRX1500 cluster and no VR involve in my setup.

Appreciate if someone know the solution.

Thanks

↧

Re: SRX240 Internet Speed slow

December 17, 2016, 4:34 am

≫ Next: dhcp relay from a routing-instance

≪ Previous: Re: SRX 210 giving slow download speed but max upload speed

Hi All,

I have the same issue on SRX1500 chassis cluster. Does some have the soution ?

Thanks

↧

dhcp relay from a routing-instance

December 17, 2016, 5:04 am

≫ Next: Re: Srx210 DHCP mac address block

≪ Previous: Re: SRX240 Internet Speed slow

I have 2x srx5400 in active-passive cluster and the following topology

DHCPClients ----(172.23.58.0/24) reth1.58 SRX reth1.590 (172.23.59.0/25)----(172.23.59.15) DHCPserver

reth1.590 is in the master/default routing instance, reth1.58 is in a custom-VR routing instance.

Basically with the configuration from KB28642 i cannot get dhcp relay to work.

# run show dhcp relay statistics
Packets dropped:
    Total                      760
    No binding found           760

# run show dhcp relay statistics routing-instance custom-vr
Packets dropped:
    Total                      0

Messages received:
    BOOTREQUEST                764
    DHCPDECLINE                0
    DHCPDISCOVER               764

I've additionally enabled dhcp/bootp host-inbound-traffic on both client ingress and server ingress interfaces.

Setup should be almost identical to KB28642 except i'm using next-table stanza for routes from master->custom-vr. Other direction, custom-vr->master is covered with instance-import and policy-options.

I.e. routing between VRs works, hosts at 172.23.58.0/24 can access dhcp server at 172.23.59.15.

Actual config:

# show policy-options
prefix-list routes-from-master {
    172.23.59.0/25;
}
policy-statement accept-from-master {
    term ok {
        from {
            instance master;
            prefix-list routes-from-master;
        }
        then accept;
    }
    term reject-rest {
        then reject;
    }
}

# show routing-options
static {
 route 172.23.58.0/24 next-table custom-vr.inet.0;
}

# show routing-instances custom-vr routing-options instance-import
instance-import accept-from-master;

# show forwarding-options dhcp-relay
server-group {
    dummy-config;
}

# show routing-instances custom-vr forwarding-options
dhcp-relay {
    server-group {
        dhcp-srv {
            172.23.59.15;
        }
    }
    active-server-group dhcp-srv;
    group relay-in-vr {
        interface reth1.58;
    }
}

Any hints appreciated!

↧

Re: Srx210 DHCP mac address block

December 17, 2016, 5:06 am

≫ Next: Re: dhcp relay from a routing-instance

≪ Previous: dhcp relay from a routing-instance

By documentation Layer2 firewall filters are supported only on MX and EX platforms, Out of curiosity I've tried it on SRX110 12.1x47 in transparent mode and it didn't work. I was able to commit configuration with firewall family bridge filter but there were no filter hits.

You could use port security with only allowed mac adresses or if SRX is acting as a DHCP server do static-binding with fixed-ip address and then policy to deny this IP address.

↧