Channel: All SRX Services Gateway posts

Link connection between two Virtual Router on SRX220


Hi all,

My scenario is to separate the SRX220 into two Virtual Routers:

Host 1 --> ge-0/0/1.0   ---SRX220---  ge-0/0/2.0 <-- Host 2

Traffic from Host 1 can reach Host 2 and vice versa. But on the SRX220 series the logical lt- interface is not supported, so is there any solution to connect two VRs?

Can I use a physical connection between two VRs by using two ports for each VR? What interface can support this?

Or can RIB groups route traffic between them?

The other scenario is to create one VR and route traffic between the VR and the master routing-instance.

Is it the same solution?

 

Many thanks! 


Re: SRX340 High CPU temperature


Hi Python,

 

Thanks for your response.

Actually both SRXes weren't optimally placed: both the side-to-side cooled SRX240 and the front-to-back cooled SRX340 get their air from the warm side of the rack, hence the RE temperatures being the same (around 44-45C). (The classic problem with the network interfaces of systems always being located at the back of the systems, not the front.)

The warm side is not that hot by the way; the inlet temperature is around 25C if I had to guess.

Can you tell me anything about a healthy temperature for the RE CPU?

The fan speed is normal and I've seen no alert, but I'm still a bit worried since the CPU temp is over 70C and way higher than that of previous models.

 

 


Re: SRX340 High CPU temperature


Hi,

 

Not specifically an SRX340, but I have an SRX300 at home, put inside a drawer together with an EX2200-C-12P-2G. The CPU temperature on the SRX is just around 76-77C and it has been running like this for more than 6 months without any issues.

 

 

I have a friend who has an SRX340 chassis cluster where the boxes are positioned correctly with regard to airflow, and there the CPU temperature is just around 40C. So agreed, your boxes are rather hot, but I wouldn't be concerned before they go above 80C on the CPU (personal experience, not an official Juniper recommendation).

 

 

Re: QOS on ST0 interfaces?


I was waiting for this feature and it is available from the new version 15.1x49-D70 onwards...

 

CoS support for the st0 interface for SRX Series devices and vSRX instances—Starting with Junos OS 15.1X49-D70, class of service (CoS) features such as classifier, policer, queuing, scheduling, shaping, rewriting markers, and virtual channels can now be configured on the secure tunnel interface (st0) for point-to-point VPNs.

 

https://www.juniper.net/techpubs/en_US/junos15.1x49-d70/information-products/topic-collections/release-notes/15.1x49-d70/topic-116565.html

 

Best Regards,

Valter

https://howdoesinternetwork.com/welcome

 

 

 


SRX removal from Cluster


Hello,

 

I have had a quick look and it appears it can be done with the command 'set chassis cluster disable reboot'.

I take it this needs to be done individually on both nodes? Would the interfaces go from reths back to individual interfaces automatically, or would some reconfiguration be required?

 

Many Thanks!


Re: SRX removal from Cluster

You need to do this individually on both nodes. Regarding reth, you will have to remove the configuration and then configure normal Ethernet ports. Other config like security policies /zones can be retained.

Trouble executing netconf on an SRX 1400


I have a JTAC case on this, but just in case anyone has had the same problem.

When we try to execute commands on the device (we have accessed it with ssh blah@1.1.1.1 -s netconf), the SRX closes the connection. Normal SSH works, so it seems to be something on the SRX.

It looks like this when I try to execute the commands.

 

<rpc><get-system-information/></rpc><rpc><close-session/></rpc>
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 1784, received 4280 bytes, in 5.4 seconds
Bytes per second: sent 332.3, received 797.3
debug1: Exit status 0
debug3: Wrote 192 bytes for a total of 1981
debug3: Wrote 112 bytes for a total of 2093
debug3: Wrote 96 bytes for a total of 2189
debug3: Wrote 96 bytes for a total of 2285
debug3: Wrote 80 bytes for a total of 2365
debug3: Wrote 64 bytes for a total of 2429
<!-- No zombies were killed during the creation of this user interface -->
<!-- user root, class super-user -->
<hello>
  <capabilities>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
  </capabilities>
  <session-id>25649</session-id>
</hello>
]]>]]>
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
 
debug3: channel 0: close_fds r -1 w -1 e 6 c -1
debug3: Wrote 32 bytes for a total of 2461
debug3: Wrote 64 bytes for a total of 2525
Transferred: sent 2232, received 4600 bytes, in 2.1 seconds
Bytes per second: sent 1076.7, received 2219.1
debug1: Exit status 0
 
^
So here it closes the connection.

To compare with another device:
 
 
 
[admin@jump01 ~]$ ssh -vvv root@172.16.1.1 -s netconf
 
 
debug2: subsystem request accepted on channel 0
<!-- No zombies were killed during the creation of this user interface -->
<!-- user remote, class j-shb-admins -->
<hello>
  <capabilities>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
  </capabilities>
  <session-id>57470</session-id>
</hello>
]]>]]>
<rpc><get-system-information/></rpc><rpc><close-session/></rpc>
debug3: Wrote 112 bytes for a total of 1901
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X44/junos">
<system-information>
<hardware-model>srx1400</hardware-model>
<os-name>junos-es</os-name>
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
<os-version>12.1X44-D50.2</os-version>
<serial-number>BBBBBBB</serial-number>
<host-name>fw-layer9-backup.hej.ru</host-name>
<cluster-node/>
</system-information>
</rpc-reply>
]]>]]>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X44/junos">
<ok/>
</rpc-reply>
]]>]]>
<!-- session end at 2016-12-29 13:25:35 CET -->
 
 
Because of this, I can't add this device to Junos Space.

Has anyone had this problem?
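As an added diagnostic, not part of the post: a small Python checker for a NETCONF 1.0 transcript. It splits the server's output on the ]]>]]> delimiter, reads the <hello> the way Junos emits it (leading <!-- user ... --> banners included) and counts rpc-replies against the RPCs the client sent, so the "hello, then the peer closes" pattern above is reported explicitly instead of being read off ssh -vvv output. Both server streams below are constructed, shortened from the transcript.

```python
import xml.etree.ElementTree as ET

EOM = "]]>]]>"  # RFC 4742 1.0 framing: both sides send this after every XML document
BASE_1_0 = "urn:ietf:params:xml:ns:netconf:base:1.0"


def split_frames(stream: str) -> list:
    """Complete server messages only; a trailing unterminated fragment is dropped."""
    parts = stream.split(EOM)
    return [p.strip() for p in parts[:-1] if p.strip()]


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # '{urn:...}rpc-reply' -> 'rpc-reply'


def diagnose(server_stream: str, rpcs_sent: int) -> dict:
    """Compare what the peer returned with how many RPCs the client sent."""
    report = {"session_id": None, "base_1_0": False, "replies": 0,
              "missing_replies": rpcs_sent, "verdict": "no <hello>"}
    for text in split_frames(server_stream):
        # Junos prints '<!-- user ..., class ... -->' banners first; they are
        # XML prolog comments, so the parser accepts them ahead of the root.
        root = ET.fromstring(text)
        kind = _local(root.tag)
        if kind == "hello":
            caps = [e.text.strip() for e in root.iter() if _local(e.tag) == "capability"]
            sid = [e.text for e in root.iter() if _local(e.tag) == "session-id"]
            report["session_id"] = int(sid[0]) if sid else None
            report["base_1_0"] = BASE_1_0 in caps
            report["verdict"] = "hello ok"
        elif kind == "rpc-reply":
            report["replies"] += 1
    report["missing_replies"] = max(rpcs_sent - report["replies"], 0)
    if report["session_id"] is not None and report["missing_replies"]:
        report["verdict"] = "hello ok, but %d of %d rpc(s) never answered" % (
            report["missing_replies"], rpcs_sent)
    return report


# Constructed server output modelled on the post: a hello, then the peer closes
# without answering <get-system-information/> or <close-session/>.
SRX_CLOSES = """<!-- user root, class super-user -->
<hello>
  <capabilities><capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability></capabilities>
  <session-id>25649</session-id>
</hello>
]]>]]>
"""
# Constructed healthy exchange: hello, a data reply, then <ok/> for close-session.
HEALTHY = SRX_CLOSES + """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<system-information><hardware-model>srx1400</hardware-model></system-information>
</rpc-reply>
]]>]]>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><ok/></rpc-reply>
]]>]]>
"""
```

Feed it the bytes the server wrote (without the ssh debug lines) and the number of <rpc> elements you sent; the verdict distinguishes "no hello" from "hello received but RPCs unanswered".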

Re: Link connection between two Virtual Router on SRX220


Thanks Anand10, rsuraj,

Can you give me an example of using a physical link between VRs? Which interface? How is the routing done between VRs?

 

The main purpose of the scenario is: traffic from Host1 --> sub-VR --> main-VR --> Host2

-------------------------------------------
|                  SRX220                 |
|       sub-VR        |       main-VR     |
-------------------------------------------
     ge-0/0/0                ge-0/0/2
         |                       |
       Host1                   Host2

Re: Link connection between two Virtual Router on SRX220


Hi Folks,

I just tried the same in an MX box; please find the working config below.

 

                     +----------------------+
                     |    LOOP Cable        |
                     |                      |
                     |                      |
                     |                      |
            +--------+----------------------+--------+
            |        |                      |        |
            |  +-----+------+        +------+-----+  |
            |  |ge-0/0/2.100|        |ge-0/0/3.100|  |
            |  |            |        |            |  |
<--ge-0/0/1.100    VR1      |        |    VR2     | ge-0/0/4.100--> HOST
            |  |            |        |            |  |
            |  +------------+        +------------+  |
            |                                        |
            +----------------------------------------+

 

Config of interest:

set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface ge-0/0/2.100
set routing-instances VR1 protocols ospf area 0.0.0.0 interface ge-0/0/2.100

set routing-instances VR2 instance-type virtual-router
set routing-instances VR2 interface ge-0/0/3.100
set routing-instances VR2 protocols ospf area 0.0.0.0 interface ge-0/0/3.100

set interfaces ge-0/0/1 unit 100 family inet address 10.10.10.2/30
set interfaces ge-0/0/4 unit 100 family inet address 40.40.40.2/30

set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 encapsulation flexible-ethernet-services
set interfaces ge-0/0/2 unit 100 family inet address 20.20.20.2/30
set interfaces ge-0/0/2 unit 100 vlan-id 100

set interfaces ge-0/0/3 flexible-vlan-tagging
set interfaces ge-0/0/3 encapsulation flexible-ethernet-services
set interfaces ge-0/0/3 unit 100 family inet address 20.20.20.1/30
set interfaces ge-0/0/3 unit 100 vlan-id 100

lab> show ospf neighbor instance all
Instance: VR1
Address          Interface              State     ID               Pri  Dead
20.20.20.1       ge-0/0/2.100           Full      20.20.20.1       128    34

Instance: VR2
Address          Interface              State     ID               Pri  Dead
20.20.20.2       ge-0/0/3.100           Full      20.20.20.2       128    32

lab>

 

-Python

___________________________________

Accept as Solution = cool !

Accept as Solution+Kudo = You are a Star !

Re: L2TP through SRX


Ditto, I have a real issue with this...

I want to move from PPTP to L2TP... PPTP is working fine but I cannot get L2TP to work no matter what I try :(

SRX IDP Policy - No counters


Hello,

I set up my SRX220 IDP for the first time today. I wonder why I don't see counters on outbound traffic? Do I also need to set up an inbound policy? The Guest network listed is an internal wifi network. I used the Recommended option for the IDP.

My config and the outcome are shown below. Thank you in advance - Scott

 

> show security idp status
State of IDP: Default, Up since: 2016-04-15 17:03:27 EDT (37w4d 23:41 ago)

Packets/second: 0 Peak: 0 @ 2016-12-30 11:31:18 EST
KBits/second : 0 Peak: 0 @ 2016-12-30 11:31:18 EST
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2016-12-30 11:31:18 EST]
TCP: [Current: 0] [Max: 0 @ 2016-12-30 11:31:18 EST]
UDP: [Current: 0] [Max: 0 @ 2016-12-30 11:31:18 EST]
Other: [Current: 0] [Max: 0 @ 2016-12-30 11:31:18 EST]

Session Statistics:
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name : Recommended
Running Detector Version : 12.6.160161014

-------------------------------------------------------------------

#set security policies from-zone Guest to-zone Internet policy idp-app-policy-1 match source-address any destination-address any application any
#set security policies from-zone Guest to-zone Internet policy idp-app-policy-1 then permit application-services idp

 

> show security policies
From zone: Guest, To zone: Internet
Policy: Guest, State: enabled, Index: 13, Scope Policy: 0, Sequence number: 1
Source addresses: any-ipv4
Destination addresses: any-ipv4
Applications: any
Action: permit
Policy: idp-app-policy-1, State: enabled, Index: 12, Scope Policy: 0, Sequence number: 2
Source addresses: any
Destination addresses: any
Applications: any
Action: permit, application services

Re: SRX IDP Policy - No counters


I think I got it. I re-ordered the policies for the Guest network, putting IDP first.

 

From zone: Guest, To zone: Internet
  Policy: idp-app-policy-1, State: enabled, Index: 12, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, application services
  Policy: Guest, State: enabled, Index: 13, Scope Policy: 0, Sequence number: 2
    Source addresses: any-ipv4
    Destination addresses: any-ipv4
    Applications: any
    Action: permit

Getting IDP data now :)

> show security idp status
State of IDP: Default,  Up since: 2016-04-15 17:03:27 EDT (37w5d 02:37 ago)

Packets/second: 2               Peak: 254 @ 2017-01-04 18:32:13 EST
KBits/second  : 1               Peak: 934 @ 2017-01-04 18:32:13 EST
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
[ICMP: 0] [TCP: 1502] [UDP: 1136] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2016-12-30 11:31:18 EST]
  TCP: [Current: 22] [Max: 148 @ 2017-01-04 18:32:12 EST]
  UDP: [Current: 16] [Max: 130 @ 2017-01-04 18:32:12 EST]
  Other: [Current: 0] [Max: 0 @ 2016-12-30 11:31:18 EST]
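As an added illustration of why the re-order made the counters move (example code, not from the post or from Juniper): a small model of Junos first-match policy evaluation over the two policies shown, plus a check for policies that an earlier policy shadows. In the original order the IPv4-any "Guest" policy catches every flow before "idp-app-policy-1" is consulted, so IDP never sees traffic; after the re-order the Guest policy is the one that is shadowed, which is harmless. The client and server addresses and the use of the predefined junos-https application are constructed.

```python
import ipaddress
from typing import List, NamedTuple

# Junos built-in address names, resolved to networks. Constructed mapping for
# this example; a real address book would also hold the zone's own entries.
BUILTIN = {"any-ipv4": ["0.0.0.0/0"], "any-ipv6": ["::/0"], "any": ["0.0.0.0/0", "::/0"]}


class Policy(NamedTuple):
    name: str
    src: str
    dst: str
    app: str
    services: tuple = ()  # ("idp",) for 'then permit application-services idp'


def resolve(name: str):
    return [ipaddress.ip_network(n) for n in BUILTIN[name]]


def matches(p: Policy, src_ip: str, dst_ip: str, app: str) -> bool:
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (any(s in n for n in resolve(p.src))
            and any(d in n for n in resolve(p.dst))
            and p.app in ("any", app))


def first_match(policies: List[Policy], src_ip: str, dst_ip: str, app: str):
    """Junos walks a zone pair top-down; the first hit decides, later policies never run."""
    return next((p for p in policies if matches(p, src_ip, dst_ip, app)), None)


def _covers(wide: str, narrow: str, version: int) -> bool:
    w = [n for n in resolve(wide) if n.version == version]
    nr = [n for n in resolve(narrow) if n.version == version]
    return bool(nr) and all(any(n.subnet_of(m) for m in w) for n in nr)


def shadowed(policies: List[Policy], version: int = 4) -> dict:
    """Map each policy to the earlier one that already catches all its traffic of that IP version."""
    out = {}
    for i, q in enumerate(policies):
        for p in policies[:i]:
            if (_covers(p.src, q.src, version) and _covers(p.dst, q.dst, version)
                    and p.app in ("any", q.app)):
                out[q.name] = p.name
                break
    return out


# The two policies from the post, in the original order and after the re-order.
BEFORE = [Policy("Guest", "any-ipv4", "any-ipv4", "any"),
          Policy("idp-app-policy-1", "any", "any", "any", ("idp",))]
AFTER = [BEFORE[1], BEFORE[0]]

if __name__ == "__main__":
    for order, label in ((BEFORE, "before"), (AFTER, "after")):
        # Constructed flow: a guest-wifi client (RFC 1918) browsing a TEST-NET-3 server.
        hit = first_match(order, "192.168.50.10", "203.0.113.10", "junos-https")
        print(label, "->", hit.name, "services:", hit.services, "shadowed:", shadowed(order))
```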

 



Re: L2TP through SRX


You can only do the L2TP pass-through if the IP address is NOT in any SRX interface's address space. You need to set up the NAT forwarding with an assigned address not used directly by the SRX.

Re: Link connection between two Virtual Router on SRX220


Yeah, I know about that.

So I plan to use the physical interfaces for connecting a virtual router to the physical one. I've tried @Python's idea but it is also not supported on the SRX. Any other solution to interconnect them?

Re: Link connection between two Virtual Router on SRX220


What exactly is not supported on the SRX? Can you share the session log with the commit error seen during the configuration? I will try to help you with it.

 

-Python

Re: L2TP through SRX


Hi,

 

I currently have it set up so that I have another public IP proxy-ARP'd on the SRX external interface, then I have a destination NAT rule to forward any traffic to my PPTP server.

This is working fine. The PPTP ALG sees the traffic and handles everything.

Existing settings for PPTP:

 

## external interface ##

show interfaces ge-0/0/5
per-unit-scheduler;
unit 0 {
    family inet {
        address 200.200.200.201/29;

## proxy-arp ##

interface ge-0/0/5.0 {
    address {
        200.200.200.202/32;
    }
}

## destination nat ##

pool dst-nat-pool-1 {
    address 10.10.10.10/32;
}
rule-set rs1 {
    from interface ge-0/0/5.0;
    rule r1 {
        match {
            destination-address 200.200.200.202/32;
            destination-port {
                1723;
            }
        }
        then {
            destination-nat {
                pool {
                    dst-nat-pool-1;
                }
            }
        }
    }
}

## security rule from untrust to our pptp server ##

show security policies from-zone untrust to-zone Servers
policy VPN_PPTP {
    match {
        source-address any;
        destination-address DC5;
        application junos-pptp;
    }
    then {
        permit;
    }
}

I have tried so many things to get the L2TP working: enabled the ALG, disabled the ALG, created custom applications for ports 500, 1701, 4500 and the ESP protocol, and it still won't work properly.

This is the furthest I got with it last night: I saw traffic hitting the SRX but I didn't connect to the L2TP server.

 

Session ID: 316147, Policy name: VPN_PPTP/40, Timeout: 36, Valid
  In: 82.132.227.76/627 --> 200.200.200.202/500;udp, If: ge-0/0/5.0, Pkts: 2, Bytes: 728
  Out: 10.10.10.10/500 --> 82.132.227.76/627;udp, If: vlan.40, Pkts: 2, Bytes: 524

Tearing my hair out with this now; if anyone can help, please advise.

 

Matt
