Channel: All SRX Services Gateway posts

SRX static Binding using IRB

I have the following DHCP server setup on my IRB. I use the IRB as my layer 3 interface. I am trying to understand how I can do static binding with this configuration.

#set system services dhcp static-binding is not an option.

 }
    services {
        ssh {
            protocol-version v2;
            connection-limit 3;
        }
        telnet;
        dhcp-local-server {
            group DHCP-Group {
                interface irb.0;
            }
        }
        web-management {
            https {
                system-generated-certificate;
                interface [ ge-0/0/0.0 irb.0 ];
            }                           
            session {                   
                idle-timeout 60;        
            }                           
        }                               
    }                                   
    syslog {                            
        archive size 100k files 3;      
        user * {                        
            any emergency;              
        }                               
        file messages {                 
            any notice;                 
            authorization info;         
        }                               
        file interactive-commands {     
            interactive-commands any;   
        }                               
    }                                   
    max-configurations-on-flash 5;      
    max-configuration-rollbacks 5;      
    license {                           
        autoupdate {                    
            url https://ae1.juniper.net/junos/key_retrieval;
        }                               
    }                                   
    ntp {                               
        boot-server 64.203.255.71;      
        server 64.203.255.71 prefer;    
    }                                   
}                                       
services {                              
    rpm;                                
}                                       
security {                              
    screen {                            
        ids-option untrust-screen {     
            icmp {                      
                ping-death;             
            }                           
            ip {                        
                source-route-option;    
                tear-drop;              
            }                           
            tcp {                       
                syn-flood {             
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;         
                }                       
                land;                   
            }                           
        }                               
    }                                   
    nat {                               
        source {                        
            rule-set nsw_srcnat {       
                from zone Internal;     
                to zone Internet;       
                rule nsw-src-interface {
                    match {             
                        source-address 192.168.0.0/24;
                        destination-address 0.0.0.0/0;
                    }                   
                    then {              
                        source-nat {    
                            interface;  
                        }               
                    }                   
                }                       
            }                           
        }                               
        destination {                   
            pool Camera-System {        
                address 192.168.0.200/32;
            }                           
            rule-set Internet-to-Internal {
                from zone Internet;     
                rule Camera-System {    
                    match {             
                        destination-address 0.0.0.0/32;
                        destination-port {
                            18004;      
                        }               
                    }                   
                    then {              
                        destination-nat {
                            pool {      
                                Camera-System;
                            }           
                        }               
                    }                   
                }                       
            }                           
        }                               
    }                                   
    policies {                          
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {                 
                    source-address any;
                    destination-address any;
                    application any;    
                }                       
                then {                  
                    permit;             
                }                       
            }                           
        }                               
        from-zone Internet to-zone Internal {
            policy Permit-Cameras {     
                match {                 
                    source-address any;
                    destination-address Camera-System;
                    application Camera-System;
                }                       
                then {                  
                    permit;             
                }                       
            }                           
            policy default-reject {     
                match {                 
                    source-address any;
                    destination-address any;
                    application any;    
                }                       
                then {                  
                    reject;             
                    count;              
                }                       
            }                           
        }                               
        from-zone Internal to-zone Internal {
            policy Permit-Any {         
                match {                 
                    source-address any;
                    destination-address any;
                    application any;    
                }                       
                then {                  
                    permit;             
                }                       
            }                           
        }                               
    }                                   
    zones {                             
        security-zone Internal {        
            address-book {              
                address Camera-System 192.168.0.200/32;
            }                           
            interfaces {                
                irb.0 {                 
                    host-inbound-traffic {
                        system-services {
                            all;        
                        }               
                        protocols {     
                            all;        
                        }               
                    }                   
                }                       
            }                           
        }                               
        security-zone Internet {        
            interfaces {                
                ge-0/0/0.0 {            
                    host-inbound-traffic {
                        system-services {
                            ping;       
                            dhcp;       
                            http;       
                            https;      
                            ssh;        
                            tftp;       
                            ntp;        
                            traceroute;
                            dns;        
                        }               
                    }                   
                }                       
            }                           
        }                               
    }                                   
}                                       
interfaces {                            
    ge-0/0/0 {                          
        description "Hargray Cable Modem";
        unit 0 {                        
            family inet {               
                dhcp-client;            
            }                           
        }                               
    }                                   
    ge-0/0/1 {                          
        unit 0 {                        
            family ethernet-switching {
                interface-mode access;  
                vlan {                  
                    members vlan1;      
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/2 {                          
        description "Netgear Switch";   
        unit 0 {                        
            family ethernet-switching {
                interface-mode access;  
                vlan {                  
                    members vlan1;      
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/3 {                          
        unit 0 {                        
            family ethernet-switching {
                interface-mode access;  
                vlan {                  
                    members vlan1;      
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/4 {                          
        description "Apple AP";         
        unit 0 {                        
            family ethernet-switching {
                interface-mode access;  
                vlan {                  
                    members vlan1;      
                }                       
            }                           
        }                               
    }                                   
    ge-0/0/5 {                          
        description "Dish Hopper DVR";  
        unit 0 {                        
            family ethernet-switching {
                interface-mode access;  
                vlan {                  
                    members vlan1;      
                }                       
            }                           
        }                               
    }                                   
    irb {                               
        unit 0 {                        
            family inet {               
                address 192.168.0.1/24;
            }                           
        }                               
    }                                   
    lo0 {                               
        unit 0 {                        
            family inet {               
                filter {                
                    input protect-host;
                }                       
                address 127.0.0.1/32;   
            }                           
        }                               
    }                                   
}                                       
protocols {                             
    l2-learning {                       
        global-mode switching;          
    }                                   
}                                       
policy-options {                        
    prefix-list router-ipv4 {           
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }                                   
    prefix-list ntp-servers {           
        apply-path "system ntp server <*>";
    }                                   
    prefix-list dns-servers {           
        apply-path "system name-server <*>";
    }                                   
    prefix-list managed-ips {           
        64.53.59.14/32;                 
        64.203.245.151/32;              
        192.168.0.0/24;                 
        204.116.21.6/32;                
        216.16.216.166/32;              
    }                                   
}                                       
firewall {                              
    filter protect-host {               
        term accept-managed {           
            from {                      
                prefix-list {           
                    managed-ips;        
                }                       
                protocol tcp;           
                port [ ssh https ];     
            }                           
            then {                      
                count accept-managed;   
                accept;                 
            }                           
        }                               
        term accept-dhcp {              
            from {                      
                protocol udp;           
                port dhcp;              
            }                           
            then {                      
                count accept-dhcp;      
                accept;                 
            }                           
        }                               
        term accept-ntp {               
            from {                      
                prefix-list {           
                    ntp-servers;        
                    router-ipv4;        
                }                       
                protocol udp;           
                port ntp;               
            }                           
            then {                      
                count accept-ntp;       
                accept;                 
            }                           
        }                               
        term accept-dns {               
            from {                      
                source-prefix-list {    
                    dns-servers;        
                }                       
                protocol udp;           
                port 53;                
            }                           
            then {                      
                count accept-dns;       
                accept;                 
            }                           
        }                               
        term accept-ping {              
            from {                      
                protocol icmp;          
            }                           
            then {                      
                count accept-ping;      
                accept;                 
            }                           
        }                               
        term reject {                   
            then {                      
                count default-reject;   
                reject;                 
            }                           
        }                               
    }                                   
}                                       
access {                                
    address-assignment {                
        pool DHCP_Pool {                
            family inet {               
                network 192.168.0.0/24;
                range DHCP_Range {      
                    low 192.168.0.10;   
                    high 192.168.0.254;
                }                       
                dhcp-attributes {       
                    name-server {       
                        8.8.8.8;        
                    }                   
                    router {            
                        192.168.0.1;    
                    }                   
                }                       
            }                           
        }                               
    }                                   
}                                       
applications {                          
    application Camera-System {         
        term t1 protocol tcp destination-port 18004;
    }                                   
    application MS1 {                   
        term t1 protocol tcp destination-port 80;
    }                                   
}                                       
vlans {                                 
    vlan1 {                             
        vlan-id none;                   
        l3-interface irb.0;             
    }                                   
}                


Re: Default-Route Doesn't show up in Forwarding-instance Routing Table.

Hello,

 

So if I understand correctly, you want to use a different default gateway for Guest (on ge-0/0/8) while other traffic should use the appropriate default route in inet.0.

 

Is my understanding correct?

 

Regards,

 

Rushi

Re: Brand new SRX300 high CPU usage

@aaron@ARB, did JTAC resolve your problem, or is the case still open?

We are facing the same exact problem with our SRX 300s, thanks for your input.

Re: SRX static Binding using IRB

Tried this....still no Joy.

Cleared arp table still pulled wrong IP
Cleared binding dhcp server for irb still came back and pulled wrong IP

@FW1> show configuration | display set | match MS1
set access address-assignment pool DHCP_Pool family inet host MS1 hardware-address b8:27:eb:ed:b0:37
set access address-assignment pool DHCP_Pool family inet host MS1 ip-address 192.168.0.205

@FW1> show arp
MAC Address       Address         Name                      Interface           Flags
00:01:5c:71:c6:46 64.20.130.1     64.20.130.1.dyn-e-pool3.p ge-0/0/0.0          none
b8:27:eb:5d:e7:c6 192.168.0.9     192.168.0.9               irb.0 [ge-0/0/5.0]  none
00:16:a2:01:24:e6 192.168.0.10    192.168.0.10              irb.0 [ge-0/0/5.0]  none
00:1f:5b:00:82:5b 192.168.0.11    192.168.0.11              irb.0 [ge-0/0/5.0]  none
4c:82:cf:01:67:8a 192.168.0.12    192.168.0.12              irb.0 [ge-0/0/5.0]  none
00:0d:c5:4d:51:b9 192.168.0.13    192.168.0.13              irb.0 [ge-0/0/5.0]  none
18:b4:30:06:13:8f 192.168.0.14    192.168.0.14              irb.0 [ge-0/0/5.0]  none
b8:27:eb:ed:b0:37 192.168.0.19    192.168.0.19              irb.0 [ge-0/0/5.0]  none
00:23:63:27:b9:9b 192.168.0.200   192.168.0.200             irb.0 [ge-0/0/5.0]  none

Re: Default-Route Doesn't show up in Forwarding-instance Routing Table.

That's correct.

 

Guests are on ge-0/0/6. Internet is on ge-0/0/8. On inet.0 I don't want to have a default-route pointing out of ge-0/0/8. There are some  VPN end-points that will continue to point out of ge-0/0/8 but actual default-route will be an internal interface/IP.

 

Regards

 

Re: Brand new SRX300 high CPU usage

Hi,

 

If you read the release notes for 15.1X49-D70 (http://www.juniper.net/techpubs/en_US/junos15.1x49-d70/information-products/topic-collections/release-notes/15.1x49-d70/junos-release-notes-15.1X49-D70.pdf) under resolved issues, the following PR is seen:

 

• On SRX300 Series devices, high RE CPU is noticed when ethernet-switching is configured. This leads to a higher than expected latency for traffic originating from the device itself. This issue has no impact on transit traffic through the device. PR1206823

 

It could sound like the issue people are facing. 

 

15.1X49-D70 release notes are online but the actual software image is not. I would expect it to show up shortly as D70 is expected to be released this month.

Re: SRX static Binding using IRB

You configure this under "access address-assignment". Example-config:

 

jh@fw# show access address-assignment pool int-guest
family inet {
    network 192.168.0.0/24;
    range scope {
        low 192.168.0.30;
        high 192.168.0.99;
    }
    dhcp-attributes {
        grace-period 86400;
        name-server {
            8.8.8.8;
        }
        router {
            192.168.0.1;
        }
    }
    host static-host {
        hardware-address 11:11:11:11:11:11;
        ip-address 192.168.0.123;
    }
}
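
To confirm whether a `host` binding under `access address-assignment` has actually taken effect, the following added example (not code from any poster in this thread) compares `display set` host entries against `show arp` output and reports clients that still sit on another address. The sample input reuses the `set` and `show arp` lines quoted in this thread; the function names `parse_static_bindings`, `parse_arp` and `audit` are chosen for this example.

```python
import re
from ipaddress import ip_address

# Sample input: the "display set" lines and a subset of the "show arp" rows
# quoted in this thread.
SET_LINES = """\
set access address-assignment pool DHCP_Pool family inet host MS1 hardware-address b8:27:eb:ed:b0:37
set access address-assignment pool DHCP_Pool family inet host MS1 ip-address 192.168.0.205
"""

ARP_OUTPUT = """\
MAC Address       Address         Name                      Interface           Flags
00:01:5c:71:c6:46 64.20.130.1     64.20.130.1.dyn-e-pool3.p ge-0/0/0.0          none
b8:27:eb:5d:e7:c6 192.168.0.9     192.168.0.9               irb.0 [ge-0/0/5.0]  none
b8:27:eb:ed:b0:37 192.168.0.19    192.168.0.19              irb.0 [ge-0/0/5.0]  none
00:23:63:27:b9:9b 192.168.0.200   192.168.0.200             irb.0 [ge-0/0/5.0]  none
"""

BINDING_RE = re.compile(
    r"^set access address-assignment pool (?P<pool>\S+) family inet "
    r"host (?P<host>\S+) (?P<key>hardware-address|ip-address) (?P<value>\S+)$"
)
ARP_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(?P<ip>\d+(?:\.\d+){3})\s+\S+\s+(?P<ifl>\S+)",
    re.IGNORECASE,
)


def parse_static_bindings(text):
    """Return {(pool, host): {"mac": str, "ip": IPv4Address}} from display-set lines."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if not m:
            continue
        entry = bindings.setdefault((m["pool"], m["host"]), {})
        if m["key"] == "hardware-address":
            entry["mac"] = m["value"].lower()
        else:
            entry["ip"] = ip_address(m["value"])
    return bindings


def parse_arp(text, interface="irb.0"):
    """Return {mac: [IPv4Address, ...]} for ARP entries learned on one interface."""
    seen = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m and m["ifl"] == interface:
            seen.setdefault(m["mac"].lower(), []).append(ip_address(m["ip"]))
    return seen


def audit(bindings, arp):
    """Compare each configured binding with what the ARP table shows."""
    owner = {ip: mac for mac, ips in arp.items() for ip in ips}
    findings = []
    for (pool, host), b in sorted(bindings.items()):
        mac, ip = b.get("mac"), b.get("ip")
        if mac is None or ip is None:
            findings.append((host, "incomplete",
                             "binding needs both hardware-address and ip-address"))
            continue
        holder = owner.get(ip)
        current = arp.get(mac, [])
        if holder and holder != mac:
            # Another client already answers for the reserved address.
            findings.append((host, "conflict", f"{ip} is in use by {holder}"))
        elif ip in current:
            findings.append((host, "ok", f"{mac} is at {ip}"))
        elif current:
            # Client is online but still holds a different address.
            findings.append((host, "mismatch", f"{mac} is at {current[0]}, bound to {ip}"))
        else:
            findings.append((host, "absent", f"{mac} not in ARP table"))
    return findings


if __name__ == "__main__":
    for host, status, detail in audit(parse_static_bindings(SET_LINES),
                                      parse_arp(ARP_OUTPUT)):
        print(f"{host:10} {status:10} {detail}")
```
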

Re: Brand new SRX300 high CPU usage

Jonas,

 

Thanks for taking the time to post this. I look forward to reading over the release notes. 

 

I see this on my srx300 @ idle as well, high cpu usage that is. We were considering deploying these for a new business class product and this has made us hesitant. I have a 220 running version 12 with a similar config and it is only using about 3% cpu at idle.

 

Jarrod@FW1> show version
Hostname: FW1
Model: srx300
Junos: 15.1X49-D60.7
JUNOS Software Release [15.1X49-D60.7]

 

Jarrod@FW1> show chassis routing-engine
Routing Engine status:
Temperature 50 degrees C / 122 degrees F
CPU temperature 65 degrees C / 149 degrees F
Total memory 4096 MB Max 2540 MB used ( 62 percent)
Control plane memory 2624 MB Max 2152 MB used ( 82 percent)
Data plane memory 1472 MB Max 368 MB used ( 25 percent)
5 sec CPU utilization:
User 57 percent
Background 0 percent
Kernel 3 percent
Interrupt 0 percent
Idle 40 percent
Model RE-SRX300
Serial ID CV2116AF0542
Start time 2016-12-19 19:42:53 UTC
Uptime 2 hours, 34 minutes, 31 seconds
Last reboot reason 0x200:normal shutdown
Load averages: 1 minute 5 minute 15 minute
0.68 0.58 0.57

 

Jarrod@FW1> show chassis forwarding
FWDD status:
State Online
Microkernel CPU utilization 59 percent
Real-time threads CPU utilization 0 percent
Heap utilization 25 percent
Buffer utilization 1 percent
Uptime: 2 hours, 37 minutes, 2 seconds

Re: Brand new SRX300 high CPU usage

Correct, I had a call logged with JTAC and they sent me D62.1 before it was released.  I have been running it for about 2 weeks now without issue.

 

Current time: 2016-12-20 05:30:36 ICT
Time Source:  NTP CLOCK
System booted: 2016-12-18 13:20:04 ICT (1d 16:10 ago)
Protocols started: 2016-12-18 13:20:04 ICT (1d 16:10 ago)
Last configured: 2016-12-10 15:37:12 ICT (1w2d 13:53 ago) by arbadmin
 5:30AM  up 1 day, 16:11, 1 user, load averages: 0.13, 0.10, 0.08
Information for junos:

Comment:
JUNOS Software Release [15.1X49-D62.1]

So I am guessing that D70 is either a rollup from D62.1 or has additional fixes in it. Either way, it works, we have our devices set for etherswitching (for vlan functionality via irb) and it's behaving.

SRX 3600 MSS Drop

Is there any possible way to write a filter to drop when the MSS value is smaller than 1300 or larger than 1800?

 

Thank you

SYN Attack

Has anybody faced an attack like that before:

 

03:48:13.180659 IP 61.222.68.47.45941 > 178.20.231.250.80: Flags [S], seq 1534189947, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180688 IP 0.42.240.108.14914 > 178.20.231.250.80: Flags [S], seq 3471670553, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180701 IP 149.20.5.114.7000 > 178.20.231.250.80: Flags [S], seq 1408038190, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180721 IP 45.217.187.20.61553 > 178.20.231.250.80: Flags [S], seq 4072083542, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180753 IP 105.63.126.51.29587 > 178.20.231.250.80: Flags [S], seq 2707506253, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180781 IP 213.42.133.94.6839 > 178.20.231.250.80: Flags [S], seq 3176463954, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180816 IP 17.125.150.64.54602 > 178.20.231.250.80: Flags [S], seq 3250646339, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180845 IP 29.21.40.101.15199 > 178.20.231.250.80: Flags [S], seq 2197526060, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180870 IP 75.163.81.100.49546 > 178.20.231.250.80: Flags [S], seq 670367868, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180908 IP 189.136.224.98.57069 > 178.20.231.250.80: Flags [S], seq 2461090845, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180934 IP 186.145.71.35.20849 > 178.20.231.250.80: Flags [S], seq 2745581065, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180964 IP 99.143.109.49.5047 > 178.20.231.250.80: Flags [S], seq 1630709508, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.180990 IP 171.183.52.22.29748 > 178.20.231.250.80: Flags [S], seq 1443038244, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181012 IP 195.140.169.89.32774 > 178.20.231.250.80: Flags [S], seq 1874807642, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181039 IP 61.190.196.92.41941 > 178.20.231.250.80: Flags [S], seq 697539946, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181048 IP 180.133.136.11.20686 > 178.20.231.250.80: Flags [S], seq 2167291504, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181088 IP 38.141.102.63.13242 > 178.20.231.250.80: Flags [S], seq 1696980280, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181116 IP 136.105.160.4.25554 > 178.20.231.250.80: Flags [S], seq 397293925, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181135 IP 185.29.121.54.52210 > 178.20.231.250.80: Flags [S], seq 2767532649, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181161 IP 138.136.135.37.18192 > 178.20.231.250.80: Flags [S], seq 3107938625, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181192 IP 91.154.119.67.45867 > 178.20.231.250.80: Flags [S], seq 3882705690, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181208 IP 129.97.209.58.9609 > 178.20.231.250.80: Flags [S], seq 3630275411, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181256 IP 124.16.154.3.53654 > 178.20.231.250.80: Flags [S], seq 3077513796, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181272 IP 93.30.80.43.52571 > 178.20.231.250.80: Flags [S], seq 3150679893, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181312 IP 183.191.73.28.5437 > 178.20.231.250.80: Flags [S], seq 805165671, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181340 IP 215.237.0.113.57794 > 178.20.231.250.80: Flags [S], seq 1919287312, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181539 IP 208.40.99.77.61926 > 178.20.231.250.80: Flags [S], seq 633093443, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181553 IP 115.199.36.42.42672 > 178.20.231.250.80: Flags [S], seq 1362458716, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181582 IP 171.107.80.24.22272 > 178.20.231.250.80: Flags [S], seq 3330966295, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181597 IP 153.233.3.58.36636 > 178.20.231.250.80: Flags [S], seq 3419733540, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181631 IP 71.122.126.121.8530 > 178.20.231.250.80: Flags [S], seq 123935776, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181658 IP 162.206.189.42.17013 > 178.20.231.250.80: Flags [S], seq 31043932, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181674 IP 198.94.198.105.30307 > 178.20.231.250.80: Flags [S], seq 1575869185, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181706 IP 105.176.221.71.50775 > 178.20.231.250.80: Flags [S], seq 610078526, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181735 IP 71.35.116.78.54980 > 178.20.231.250.80: Flags [S], seq 3166786935, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181760 IP 145.198.152.100.15401 > 178.20.231.250.80: Flags [S], seq 4010103620, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181787 IP 66.79.237.60.15263 > 178.20.231.250.80: Flags [S], seq 2501701469, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181803 IP 100.11.158.52.32346 > 178.20.231.250.80: Flags [S], seq 2134957177, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181841 IP 58.231.235.124.11521 > 178.20.231.250.80: Flags [S], seq 2771362933, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181869 IP 190.123.83.7.38542 > 178.20.231.250.80: Flags [S], seq 2055573049, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181902 IP 184.238.15.46.36156 > 178.20.231.250.80: Flags [S], seq 883003474, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181926 IP 40.26.215.119.62480 > 178.20.231.250.80: Flags [S], seq 3713754632, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181941 IP 198.177.89.90.6709 > 178.20.231.250.80: Flags [S], seq 3496201574, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181976 IP 62.192.95.0.9797 > 178.20.231.250.80: Flags [S], seq 1870653786, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.181992 IP 93.239.71.122.12600 > 178.20.231.250.80: Flags [S], seq 684689463, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.182023 IP 23.84.185.89.19660 > 178.20.231.250.80: Flags [S], seq 119671146, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.182048 IP 29.234.101.27.38331 > 178.20.231.250.80: Flags [S], seq 357076285, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.182071 IP 170.238.98.104.60287 > 178.20.231.250.80: Flags [S], seq 327322668, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.182103 IP 41.20.191.92.16778 > 178.20.231.250.80: Flags [S], seq 1388332365, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.182117 IP 161.65.234.13.9327 > 178.20.231.250.80: Flags [S], seq 812260143, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.182158 IP 193.149.195.98.47440 > 178.20.231.250.80: Flags [S], seq 792155155, win 8192, options [mss 1460,nop,nop,sackOK], length 0
03:48:13.182186 IP 108.240.65.96.33911 > 178.20.231.250.80: Flags [S], seq 1877245551, win 8192, options [mss 1460,nop,nop,sackOK], length 0

Re: Brand new SRX300 high CPU usage


Thanks a lot for your input. We have tested the new version of the firmware, and it's true that the high CPU and high memory usage is resolved.

But in our tests, we have seen high latency when you ping from the router itself.

This is a problem because we can't benchmark or see real results from ping, mtr, etc.

Re: SRX 3600 MSS Drop


It looks like mss is not a valid option in firewall filters:

root# set firewall family inet filter test term 1 from protocol tcp ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Match IP destination address
+ destination-port     Match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dscp                 Match Differentiated Services (DiffServ) code point
  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ icmp-code            Match ICMP message code
+ icmp-type            Match ICMP message type
> interface            Match interface name
+ ip-options           Match IP options
  is-fragment          Match if packet is a fragment
+ precedence           Match IP precedence value
+ protocol             Match IP protocol type
> source-address       Match IP source address
+ source-port          Match TCP/UDP source port
> source-prefix-list   Match IP source prefixes in named list
  tcp-established      Match packet of an established TCP connection
  tcp-flags            Match TCP flags (in symbolic or hex formats)
  tcp-initial          Match initial packet of a TCP connection
+ ttl                  Match IP ttl type

 

Re: DVPN, Pulse 5.0 and Connection-specific DNS Suffix


ADVPN with Dual ISP


We are trying to move away from the conventional site-to-site VPN to ADVPN for 4 of our remote sites and their connectivity to our data center. Each of these sites has dual ISP, and IPsec is configured and working fine with automatic ISP failover. When we move to ADVPN, do we still have to configure 2 separate tunnels from each site to hub and spoke for dual ISP failover? I was referring to http://www.juniper.net/us/en/training/jnbooks/day-one/networking-technologies-series/advpn/ but I could not find the scenarios that we are looking for.

Re: ADVPN with Dual ISP

How to anchor a /32 route and advertise it to BGP peer


Hi, guys,

 

I have a situation where I need your suggestions.

I have a one-to-one static mapping, say 172.16.1.1 mapped to 1.2.3.4. I have a BGP session over the st0 interface, and I want to advertise 1.2.3.4/32 over this BGP peering. How do I anchor this route so BGP will know?

 

Thanks,

l2cpd-service is thrashing, not restarted ntpd-service is thrashing, not restarted


Hello all,

 

These logs are appearing on our SRX240H2.
I've never seen these log messages, so I don't know how to fix them or why they are appearing.

I've tried restarting the ntp service & l2cpd service; the logs still appear.

DHCP & DHCP relay are not configured on this SRX.

It is set up to act like a router at the moment.

I'm pretty sure these are false positives, but why are they showing now?

 

Help needed!

Re: How to anchor a /32 route and advertise it to BGP peer


Hello,

 

Creating a discard route for the NATed IPs and then redistributing into BGP can help.

Can you try the configuration below?

 

routing-options {
    static {
        route 1.2.3.4/32 discard;
    }
}

policy-options {
    policy-statement Nat-to-bgp {
        from {
            protocol static;
            route-filter 1.2.3.4/32 exact;
        }
        then accept;
    }
}

protocols {
    bgp {
        export Nat-to-bgp;
    }
}

 

Regards

 

Rushi
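
A pre-commit check for the approach in the reply above, as an added example (not part of the original post and not Juniper code): Junos BGP exports only routes that are active in the routing table, so a route-filter with no static route behind it advertises nothing. The function names, the DRIFTED variant and the 203.0.113.10/32 address are assumptions made for illustration; the parser assumes no quoted strings containing braces or semicolons.

```python
import ipaddress
import re

def flatten(config):
    """Flatten Junos curly-brace config into one tuple of words per statement."""
    stack, words, out = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", config):
        if tok == "{":
            stack.append(words)          # words so far name the container
            words = []
        elif tok == "}":
            stack.pop()
            words = []
        elif tok == ";":
            out.append(tuple(w for level in stack for w in level) + tuple(words))
            words = []
        else:
            words.append(tok)
    return out

def net(prefix):
    return ipaddress.ip_network(prefix, strict=False)

def unanchored(config):
    """Return (policy, prefix) pairs exported to BGP with no static route behind them."""
    stmts = flatten(config)
    static = {net(s[3]) for s in stmts if s[:3] == ("routing-options", "static", "route")}
    exported = set()
    for s in stmts:
        if s[:2] == ("protocols", "bgp") and "export" in s:
            exported.update(w for w in s[s.index("export") + 1:] if w not in ("[", "]"))
    missing = []
    for s in stmts:
        if s[:2] == ("policy-options", "policy-statement") and "route-filter" in s:
            prefix = s[s.index("route-filter") + 1]
            if s[2] in exported and net(prefix) not in static:
                missing.append((s[2], prefix))
    return missing

# The reply's configuration, condensed (the parser ignores whitespace).
PAGE_CONFIG = """
routing-options { static { route 1.2.3.4/32 discard; } }
policy-options { policy-statement Nat-to-bgp {
    from { protocol static; route-filter 1.2.3.4/32 exact; } then accept; } }
protocols { bgp { export Nat-to-bgp; } }
"""
# Constructed variant: a second address is exported but has no static route.
DRIFTED = PAGE_CONFIG.replace("exact;", "exact; route-filter 203.0.113.10/32 exact;")

if __name__ == "__main__":
    print(unanchored(PAGE_CONFIG), unanchored(DRIFTED))
```

The check covers only static anchors; a prefix anchored by another protocol would be reported as missing.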
