Hi sahilsha,
Thanks for your feedback. I will ask the SIEM vendor to do a packet capture on their side and keep this issue updated, so that in the future anyone who has the same issue will know the solution.
Thanks again
Hello,
I have an IPsec tunnel configured on a Juniper SRX240 on interface st0.2, with static NAT to an internal server in the same IP range. The VPN is up and I can ping the interface IP from the remote side; however, the NATted IP is not pingable. Your help is highly appreciated.
st0.2 is in the VPN zone with interface IP 10.232.146.17/29
Internal server IP 10.10.0.103 is NATted to 10.232.146.18
Remote IP: 10.38.21.235
Below is the output of show security flow session:
Session ID: 104580, Policy name: VPN_Server/16, Timeout: 52, Valid
In: 10.38.21.235/2245 --> 10.232.146.18/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.10.0.103/1 --> 10.38.21.235/2245;icmp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 104652, Policy name: VPN_Server/16, Timeout: 46, Valid
In: 10.38.21.235/2240 --> 10.232.146.18/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.10.0.103/1 --> 10.38.21.235/2240;icmp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 104692, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 10.38.21.235/2253 --> 10.232.146.17/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.232.146.17/1 --> 10.38.21.235/2253;icmp, If: .local..0, Pkts: 1, Bytes: 60
The trace log shows the following:
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:<10.38.21.235/1866->10.232.146.18/1;1> matched filter f0:
192.168.56.50 ->172.20.123.2
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:packet [60] ipid = 4790, @0x4368dac0
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x4368d880, rtbl_idx = 0
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: in_ifp <VPN:st0.2>
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x6902ecc0
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:pkt out of tunnel.Proceed normally
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: st0.2:10.38.21.235->10.232.146.18, icmp, (8/0)
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: find flow: table 0x59ab7460, hash 22810(0xffff), sa 10.38.21.235, da 10.232.146.18, sp 1866, dp 1, proto 1, tok 8
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: no session found, start first path. in_tunnel - 0x5d53fd20, from_cp_flag - 0
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: flow_first_create_session
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: flow_first_in_dst_nat: in <st0.2>, out <N/A> dst_adr 10.232.146.18, sp 1866, dp 1
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: chose interface st0.2 as incoming nat if.
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:flow_first_rule_dst_xlate: packet 10.38.21.235->10.232.146.18 nsp2 0.0.0.0->10.10.0.103.
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.38.21.235, x_dst_ip 10.10.0.103, in ifp st0.2, out ifp N/A sp 1866, dp 1, ip_proto 1, tos 0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:doing DESTINATION addr route-lookup
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: routed (x_dst_ip 10.10.0.103) from VPN (st0.2 in 0) to ge-0/0/1.0, Next-hop: 10.10.0.103
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:flow_first_policy_search: policy search from zone VPN-> zone Trust (0x114,0x74a0001,0x1)
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:policy lkup: vsys 0 zone(8:VPN) -> zone(6:Trust) scope:0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: 10.38.21.235/2048 -> 10.10.0.103/17937 proto 1
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: permitted by policy VPN_Server(16)
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: packet passed, Permitted by policy.
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: dip id = 0/0, 10.38.21.235/1866->10.38.21.235/1866 protocol 0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: choose interface ge-0/0/1.0 as outgoing phy if
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/1.0, addr: 10.10.0.103, rtt_idx:0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf : Alloc sess plugin info for session 34359960738
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 1, impli mask(0x8), post_nat cnt 222370 svc req(0x0)
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:-jsf : no plugin interested for session 34359960738, free sess plugin info
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:flow_first_service_lookup(): natp(0x635f3448): app_id, 0(0).
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: service lookup identified service 0.
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: flow_first_final_check: in <st0.2>, out <ge-0/0/1.0>
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:flow_first_complete_session, pak_ptr: 0x59404e38, nsp: 0x635f3448, in_tunnel: 0x5d53fd20
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:construct v4 vector for nsp2
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: existing vector list 0x1204-0x5264fd58.
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: Session (id:222370) created for first pak 1204
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: flow_first_install_session======> 0x635f3448
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: nsp 0x635f3448, nsp2 0x635f34c8
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: make_nsp_ready_no_resolve()
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: route lookup: dest-ip 10.38.21.235 orig ifp st0.2 output_ifp st0.2 orig-zone 8 out-zone 8 vsd 0
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: route to 10.38.21.235
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:no need update ha
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:Installing s2c NP session wing
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: Error : get sess plugin info 0x635f3448
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: Error : get sess plugin info 0x635f3448
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: flow got session.
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: flow session id 222370
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: vector bits 0x1204 vector 0x5264fd58
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:flow_xlate_pak
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:flow_handle_icmp_xlate
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:xlate_icmp_pak
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: post addr xlation: 10.38.21.235->10.10.0.103.
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: post addr xlation: 10.38.21.235->10.10.0.103.
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: encap vector
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: no more encapping needed
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:mbuf 0x4368d880, exit nh 0x210010
Does the server, and the entire return path from the server to the SRX, have a route for 10.38.21.235?
I assume you have a route out the tunnel on the SRX, but after it forwards the packet towards the server, is the return route in place?
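One way to spot exactly this condition from the session table, as an added example that is not part of the original post: a small Python parser for the 'show security flow session' lines quoted above that flags sessions whose reverse (Out) wing has Pkts: 0 while the forward wing carried traffic, which is what a missing return route on the server side looks like. It also reports the destination-NAT mapping by comparing the In-wing destination with the Out-wing source.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three sessions posted above ('show security flow session' output), embedded as sample input.
SAMPLE = """\
Session ID: 104580, Policy name: VPN_Server/16, Timeout: 52, Valid
In: 10.38.21.235/2245 --> 10.232.146.18/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.10.0.103/1 --> 10.38.21.235/2245;icmp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 104652, Policy name: VPN_Server/16, Timeout: 46, Valid
In: 10.38.21.235/2240 --> 10.232.146.18/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.10.0.103/1 --> 10.38.21.235/2240;icmp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 104692, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 10.38.21.235/2253 --> 10.232.146.17/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.232.146.17/1 --> 10.38.21.235/2253;icmp, If: .local..0, Pkts: 1, Bytes: 60
"""

HDR = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
WING = re.compile(r"(In|Out): (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+), If: (\S+), "
                  r"Pkts: (\d+), Bytes: (\d+)")


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    bytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: Dict[str, Wing]


def parse_sessions(text: str) -> List[Session]:
    """Parse 'Session ID:' headers and their In:/Out: wings into Session objects."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HDR.match(line)
        if m:
            cur = Session(int(m[1]), m[2], int(m[3]), m[4], {})
            sessions.append(cur)
            continue
        m = WING.match(line)
        if m and cur is not None:
            cur.wings[m[1]] = Wing(m[2], int(m[3]), m[4], int(m[5]), m[6], m[7],
                                   int(m[8]), int(m[9]))
    return sessions


def diagnose(s: Session) -> Optional[str]:
    """Flag a session whose forward wing carried traffic but whose reverse wing never did."""
    i, o = s.wings.get("In"), s.wings.get("Out")
    if i is None or o is None or not (i.pkts > 0 and o.pkts == 0):
        return None
    # The In-wing destination differs from the Out-wing source when destination NAT was applied.
    nat = f" (dst NAT {i.dst} -> {o.src})" if i.dst != o.src else ""
    return (f"session {s.sid}: {i.pkts} pkt(s) in on {i.ifname}, 0 back from {o.src} "
            f"via {o.ifname}{nat}; verify {o.src} has a route to {o.dst}")


def one_way_sessions(text: str = SAMPLE) -> List[str]:
    """Findings for every session in the output that only ever saw forward traffic."""
    return [d for d in map(diagnose, parse_sessions(text)) if d]
```

Run against the posted output it reports the two VPN_Server sessions (translated to 10.10.0.103, nothing back via ge-0/0/1.0) and stays silent on the self-traffic session, which has a reply wing.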
You can change the port from the access configuration for instance :
set access profile profile1 ldap-server 10.10.10.30 port 5000
Hi everyone, I have deployed GRE tunnels between Juniper MX104 routers with a simple configuration. I am facing frequent ping drops, every 10 to 15 minutes, from LAN to LAN and from router to router on both sides.
My traffic flow is as follows:
LAN ---> SSG550(IPSEC VPN) ---> MX-Router(GRE) <---ISP cloud---> MX-Router(GRE) ---> SSG550(IPSEC VPN) ---> LAN
Please suggest.
Hello,
What are the MTU settings on the router interfaces?
And what are the MSS values configured on the firewalls?
Regards,
Rushi
Dear Rushi,
The MTU setting on the router interfaces is 1476.
The MSS value on the firewalls is flow tcp-mss 1350.
-Saleem
No, I suppose.
How does it relate to our traceoptions?
Good day,
I purchased two SRX100 devices on eBay in pursuit of the JNCIS-SEC cert. The devices, however, were not defaulted. I tried changing the root password by entering watchdog disable at the Loader prompt, followed by the boot -s command. The device then comes up with a password prompt for the single-user mode sign-on as well, so I was not able to enter the recovery option. If I press the reset config button for 15 seconds, the LED changes from orange to amber, but it does nothing to default the box.
Can anyone assist in defaulting these boxes?
Dear fellow Juniper-users,
I recently replaced an SRX240HE2 with an SRX340, using the same configuration in the same environment.
All works fine and I have no alarms, but I do see a rather high CPU temperature of over 70 C.
The SRX240HE2 used to have CPU temperatures of around 44 C; as you can see, the temperature of the routing engines is the same.
I can't find a temperature threshold for the CPU itself (only for the RE).
The CPU load is very low (today it hasn't been over 10.4%) and the fan speed is normal.
Is this normal behaviour for an SRX340, having CPU temperatures far above those of an SRX240, or could it be a hardware/manufacturing problem?
Output SRX340:
====================================================================================
> show chassis routing-engine
Routing Engine status:
Temperature 44 degrees C / 111 degrees F
CPU temperature 72 degrees C / 161 degrees F
Total memory 4096 MB Max 1188 MB used ( 29 percent)
Control plane memory 2624 MB Max 682 MB used ( 26 percent)
Data plane memory 1472 MB Max 486 MB used ( 33 percent)
5 sec CPU utilization:
User 6 percent
Background 0 percent
Kernel 5 percent
Interrupt 0 percent
Idle 89 percent
Model RE-SRX340
Serial ID
Start time
Uptime
Last reboot reason
Load averages: 1 minute 5 minute 15 minute
0.03 0.09 0.08
> show chassis environment
Class Item Status Measurement
Temp Routing Engine OK 44 degrees C / 111 degrees F
Routing Engine CPU OK 72 degrees C / 161 degrees F
Fans SRX340 Chassis fan 0 OK Spinning at normal speed
SRX340 Chassis fan 1 OK Spinning at normal speed
SRX340 Chassis fan 2 OK Spinning at normal speed
SRX340 Chassis fan 3 OK Spinning at normal speed
Power Power Supply 0 OK
> show chassis temperature-thresholds
Fan speed Yellow alarm Red alarm Fire Shutdown
(degrees C) (degrees C) (degrees C) (degrees C)
Item Normal High Normal Bad fan Normal Bad fan Normal
Chassis default 35 45 50 40 75 65 100
Routing Engine 35 45 50 40 75 65 100
> show system software
Information for junos:
Comment:
JUNOS Software Release [15.1X49-D70.3]
====================================================================================
Output SRX240HE2:
====================================================================================
> show chassis routing-engine
Routing Engine status:
Temperature 45 degrees C / 113 degrees F
CPU temperature 44 degrees C / 111 degrees F
Total memory 2048 MB Max 1208 MB used ( 59 percent)
Control plane memory 1072 MB Max 504 MB used ( 47 percent)
Data plane memory 976 MB Max 712 MB used ( 73 percent)
CPU utilization:
User 6 percent
Background 0 percent
Kernel 3 percent
Interrupt 0 percent
Idle 91 percent
Model RE-SRX240H2
Serial ID
Start time
Uptime
Last reboot reason
Load averages: 1 minute 5 minute 15 minute
0.02 0.05 0.05
pbelt@pbelt-router> show chassis environment
Class Item Status Measurement
Temp Routing Engine OK 45 degrees C / 113 degrees F
Routing Engine CPU OK 44 degrees C / 111 degrees F
Fans SRX240 PowerSupply fan 1 OK Spinning at normal speed
SRX240 PowerSupply fan 2 OK Spinning at normal speed
SRX240 CPU fan 1 OK Spinning at normal speed
SRX240 CPU fan 2 OK Spinning at normal speed
SRX240 IO fan 1 OK Spinning at normal speed
SRX240 IO fan 2 OK Spinning at normal speed
Power Power Supply 0 OK
> show chassis temperature-thresholds
Fan speed Yellow alarm Red alarm Fire Shutdown
(degrees C) (degrees C) (degrees C) (degrees C)
Item Normal High Normal Bad fan Normal Bad fan Normal
Chassis default 35 45 50 40 75 65 100
Routing Engine 35 45 50 40 75 65 100
> show system software
Information for junos:
Comment:
JUNOS Software Release [12.3X48-D35.7]
====================================================================================
Hi,
You can try to recover from a USB drive.
Place the correct JunOS image on a FAT32-formatted USB drive.
Create a junos-config.conf on this drive as well with the following content (root password is lab123):
system {
    root-authentication {
        encrypted-password "$1$qGd4t8fX$pvFswSbgV/5rvLqNY8Ksp1"; ## SECRET-DATA
    }
}
Then load the image from this USB drive on boot.
Afterwards you should be able to default the device.
Good luck!
Hi,
The procedure which pvandenbelt has suggested is explained in detail at the following link:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB23882&actp=RSS
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Hi Folks,
If you are replacing an SRX240 with an SRX340 in the same rack, I would suggest double-checking the environmental conditions, since the airflow pattern differs between the two boxes, as described below.
Can you please check whether there is proper clearance at the front and back of the SRX340 chassis, as its fans draw air through vents on the front of the chassis and exhaust it through the back of the chassis?
The fans draw air from the right side of the chassis (when the chassis is viewed from the front) and exhaust the air at the left side of the chassis (when the chassis is viewed from the front).
Airflow Through the SRX240 Services Gateway Chassis
The cooling system for the SRX340 Services Gateway includes four fixed fans. The fans draw air through vents on the front of the chassis and exhaust the air through the back of the chassis.
Airflow Through the SRX340 Services Gateway Chassis
Hi degel3030, how do you access the VPN? Are you accessing https://wanip/dynamic-vpn or something similar?
After the restart, I can access https://<wan ip>/dynamic-vpn, but the page says it doesn't offer a Pulse client to download.
I did download the Pulse client for my Android mobile; what URL should I enter? I tried https://<wanip>/dynamic-vpn and https://<wanip>, and neither works.
I'm not sure if the mobile client works towards an SRX, but if it does, you just have to put in the IP address. No need for "https://" in front.
You can download a client for Windows and Mac OS X here: http://www.juniper.net/support/downloads/?p=pulse
Hi,
I have the same configuration, but I was unable to revert back to the primary line once it is up. Do you have any idea about this issue?
Thanks in advance
Soph_Juniper wrote:
Hello,
In our test environment I am testing a setup using a dual-ISP connection with automatic failover using RPM probes. I used this article as a guideline:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB25052
I have one ISP connected to ge-0/0/0.0 (the main ISP) and another on ge-0/0/1.0 (fallback ISP).
There seems to be an issue with this part of my configuration:
-----------
destination-interface ge-0/0/0.0;
next-hop 10.4.0.1;
-----------
The ICMP-ping RPM probe keeps reporting 'request timed out', even though I am 100% sure that the server 8.8.8.8 is pingable from interface ge-0/0/0.0 (using next-hop 10.4.0.1, the primary ISP router).
When I remove that section of the configuration, the probe reports an OK response from 8.8.8.8. However, this is not a workable solution, because I need to specify that interface so the probe only checks this resource via my primary ISP (otherwise, in a failover scenario, 8.8.8.8 becomes reachable again via the second ISP and the failover is reverted, even when the primary ISP is not back online).
Am I missing something?
Here is my configuration (bear in mind this is a test setup):
## Last changed: 2012-11-29 17:42:04 UTC
version 11.2R4.3;
system {
    host-name SRXTest;
    root-authentication {
        encrypted-password "$1erdG1";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user infra {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "/";
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface [ vlan.0 ge-0/0/1.0 ];
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/1.0 ];
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.4.0.88/16;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.150/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.100.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.4.0.1;
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                        }
                    }
                }
                ge-0/0/1.0;
            }
        }
    }
}
services {
    rpm {
        probe example {
            test test-name {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 15;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/0.0;
                next-hop 10.4.0.1;
            }
        }
    }
    ip-monitoring {
        policy test {
            match {
                rpm-probe example;
            }
            then {
                preferred-route {
                    route 0.0.0.0/0 {
                        next-hop 192.168.1.1;
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
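To see why the quoted post insists on pinning the probe to the primary ISP, and what the posted thresholds actually tolerate, here is an added Python simulation of the 'probe example' test and the 'ip-monitoring' policy above. It is not part of the post or of Junos; the rule that all probes of one test share an outcome, the "unpinned probe follows the active default route" behaviour, and the outage sequence are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Next-hops from the posted configuration: the static default route and the
# ip-monitoring preferred-route that replaces it while the probe is failing.
PRIMARY_NH = "10.4.0.1"       # via ge-0/0/0.0, primary ISP
FALLBACK_NH = "192.168.1.1"   # via ge-0/0/1.0, fallback ISP


@dataclass
class RpmTest:
    """Thresholds of the posted 'probe example' test."""
    probe_count: int = 3
    successive_loss: int = 3
    total_loss: int = 3

    def failed(self, replies: List[bool]) -> bool:
        """One test fails when either loss threshold is reached (True = reply received)."""
        lost = replies.count(False)
        run = longest = 0
        for ok in replies:
            run = 0 if ok else run + 1
            longest = max(longest, run)
        return lost >= self.total_loss or longest >= self.successive_loss


@dataclass
class Failover:
    """ip-monitoring: preferred-route installed while the probe fails, withdrawn once it passes."""
    pinned: bool                    # probe has destination-interface / next-hop set?
    rpm: RpmTest = field(default_factory=RpmTest)
    preferred_installed: bool = False

    def active_nh(self) -> str:
        return FALLBACK_NH if self.preferred_installed else PRIMARY_NH

    def run_test(self, primary_up: bool, fallback_up: bool) -> str:
        # Assumption (simplified): all probes of one test share the same outcome.
        # A pinned probe always leaves via the primary ISP; an unpinned one follows
        # whichever default route is active, so it can succeed via the fallback.
        if self.pinned or not self.preferred_installed:
            reply = primary_up
        else:
            reply = fallback_up
        self.preferred_installed = self.rpm.failed([reply] * self.rpm.probe_count)
        return self.active_nh()


def simulate(pinned: bool, link_states: List[Tuple[bool, bool]]) -> List[str]:
    """Return the active default next-hop after each test interval."""
    fo = Failover(pinned=pinned)
    return [fo.run_test(p, f) for p, f in link_states]


# Constructed outage: primary ISP down for four test intervals, fallback healthy throughout.
OUTAGE = [(True, True), (False, True), (False, True), (False, True), (False, True), (True, True)]
```

With the probe pinned, the route stays on 192.168.1.1 for the whole outage and returns to 10.4.0.1 only when the primary is back; unpinned, the probe succeeds through the fallback, the preferred route is withdrawn, the next test fails on the primary again, and the default route flaps every interval.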
Finally, I did succeed using the Windows version of Pulse Secure; I just entered my WAN IP as the URL.
However, I still cannot connect using the Android version of Pulse Secure.
As stated, I wouldn't expect that to work, as I only reckon it to be an SSL VPN client, and currently the SRX only provides IPsec VPN client connectivity.
I know an ssl-based VPN client is planned for the SRX series within the next 6 months - but I cannot say anything more specific at the moment.
I have two new SRX 1500s that I've configured in a chassis cluster (using the 10-gig SFP xe-0/0/19 as fabric), which appears to be functioning, and which are going to replace two Cisco ASA 55xx series that are heavily overtaxed and outdated.
The Ciscos are also in an active-passive HA pair, and are meshed into a pair of core switches through creating a redundant ethernet device across two of the physical ethernet ports on each firewall, split into sub-interfaces per vlan.
I am hoping to do something similar here: create a fully meshed connection between the two SRX and the two switches. From my research, it appears that the proper method is to create a "reth" (seems to be similar to the redundant ethernet interfaces I currently use on the Cisco) consisting of the pertinent ethernet interfaces from node 0 and node 1. Something like:
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-7/0/1 gigether-options redundant-parent reth1
set interfaces ge-7/0/2 gigether-options redundant-parent reth1
Then add a logical interface to reth1 for each vlan? The part where I'm a bit lost is how I'm actually going to go about connecting reth1 via those four ports to the core switches. I'm assuming that at some point I need to set up a LAG between them (however the SRX side doesn't appear to like setting up a LAG using several physical ports from both node 0 and 1).
Am I on the right track at all?