Channel: All SRX Services Gateway posts

SRX650: After the RG0 switchover, the Node 0 traffic is abnormal.


Dear anyone,

The master control plane switched from Node1 to Node0. The master data plane is on Node0. A Node0 traffic abnormality occurred.

SRX650 [12.3X48-D30.7];

Node0 shows some logs:

Dec 30 00:26:48 2016   : %PFE-3:  PFEMAN: mastership change is found. from secondary to primary. 
Dec 30 00:26:48 2016   : %PFE-3:  PFEMAN: Master socket closed 
Dec 30 00:26:48 2016   : %PFE-3:  PFEMAN disconnected; PFEMAN socket closed abruptly 
Dec 30 00:26:48 2016   : %PFE-3:  CMLC: Master closed connection (errno=0) 
Dec 30 00:26:48 2016   : %PFE-0:  CMLC: Going disconnected; Routing engine chassis socket closed abruptly    
Dec 30 00:26:48 2016   : %PFE-5:  Routing engine PFEMAN reconnection succeeded after 1 tries 
Dec 30 00:26:48 2016   : %PFE-5:  PFEMAN master RE reconnection made 
Dec 30 00:26:48 2016   : %PFE-3:  CMLC: Retrying master connection, attempt 1 to 0x1300001 
Dec 30 00:26:48 2016   : %PFE-3:  CMLC: Lost contact with master routing engine 
Dec 30 00:26:48 2016   : %PFE-3:  CMLC: Forwarding will cease in 4 minutes, 59 seconds  -----> What does this mean, abort forwarding?   
Dec 30 00:26:48 2016   : %PFE-3:  usp_trace_ipc_disconnect:Trace client disconnected. Attempting to reconnect 
Dec 30 00:26:48 2016   : %PFE-3:  usp_trace_ipc_reconnect:USP trace client cannot reconnect to server 
Dec 30 00:26:48 2016   : %PFE-3:  PFEMAN: unknown timer type 20 
Dec 30 00:27:02 2016   /kernel: %KERN-3: if_pfe_peek_peer_info: Socket 0xc4be8000 error 64
Dec 30 00:27:02 2016   /kernel: %KERN-3: pfe_listener_common_task: Error. Socket 0xc4be8000 closed.
Dec 30 00:27:07 2016   : %PFE-3:  CMLC: Retrying master connection, attempt 50 to 0x1300001 
Dec 30 00:27:13 2016   flowd_octeon_hm: %USER-3: flowd_srx_i2c_read: Reading i2c data, dev 0x77 group 0x3 (ret = 1) [Resource temporarily unavailable] retry attempt 2  
Dec 30 00:27:19 2016   flowd_octeon_hm: %USER-3: flowd_srx_i2c_write: failed writing device at offset 0 (ret = -1) [Resource temporarily unavailable]
Dec 30 00:27:16 2016   eventd: %SYSLOG-3: sendto: No buffer space available

…………
Dec 30 00:27:46 2016   snmpd[92257]: %DAEMON-3-SNMPD_SEND_FAILURE: trap_io_send_trap_now: send to (10.0.19.37) failure: No buffer space available
Dec 30 00:27:46 2016   snmpd[92257]: %DAEMON-3-SNMPD_SEND_FAILURE: trap_io_send_trap_now: send to (10.0.19.58) failure: No buffer space available
Dec 30 00:27:26 2016   dcd[92259]: %DAEMON-3:  get_fpc_i2cid_from_ifd: Cannot determine FPC i2cid
Dec 30 00:27:38 2016   /kernel: %KERN-1-STP: STP IPC op 1 (ForwardingState) failed, err 1 (Unknown)  -----> What does it mean?
Dec 30 00:27:38 2016   /kernel: %KERN-1-STP: STP IPC op 1 (ForwardingState) failed, err 1 (Unknown)
Dec 30 00:27:38 2016   : %PFE-3:  CMLC: Retrying master connection, attempt 100 to 0x1300001 

Dec 30 00:27:43 2016   : %PFE-3:  CMLC: Clearing disconnected; RE connection re-established

Dec 30 00:43:58 2016   : %PFE-3:  usp_ipc_server_send: failed to send message via ipc pipe 
Dec 30 00:43:59 2016   : %PFE-3:  usp_ipc_server_msg_handler: failed to send eom message
Dec 30 00:27:20 2016   /kernel: %KERN-4: ge-0/0/0:tag-protocol-id not configurable on this interface
Dec 30 00:27:20 2016   /kernel: %KERN-4: ge-0/0/1:tag-protocol-id not configurable on this interface
…………
Dec 30 00:27:21 2016   /kernel: %KERN-5-KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-1/0/4 - DETACHED state - will not carry traffic
Dec 30 00:27:21 2016   : %PFE-3:  JBCM(1/0):jbcm_sfp_eeprom_read: write to i2c switch failed 
Dec 30 00:27:21 2016   /kernel: %KERN-4: ge-1/0/6:tag-protocol-id not configurable on this interface
Dec 30 00:27:21 2016   : %PFE-3:  JBCM(1/0):jbcm_sfp_eeprom_read: write to i2c switch failed 
Dec 30 00:27:21 2016   : %PFE-3:  JBCM(1/0):jbcm_sfp_eeprom_read: write to i2c switch failed 
Dec 30 00:27:21 2016   : %PFE-3:  CMLC: Lost contact with master routing engine 
Dec 30 00:27:21 2016   : %PFE-3:  CMLC: Forwarding will cease in 4 minutes, 26 seconds 
Dec 30 00:27:22 2016   /kernel: %KERN-1-RT_PFE: NH IPC op 11 (DELETE NEXTHOP) failed, err 7 (Doesn't Exist) peer_class 0, peer_index 0 peer_type 10
Dec 30 00:27:22 2016   /kernel: %KERN-1-RT_PFE: NH IPC op 11 (DELETE NEXTHOP) failed, err 7 (Doesn't Exist) peer_class 0, peer_index 0 peer_type 10

What is happening? Where is the problem? Software or hardware?

Who has encountered a similar problem?

Thank you very much.


How to prefer BGP route over IPsec VPN generated static route


Hi, all,

I have a unique situation I don't have an obvious answer for. We have the need to interconnect with a customer by using an MPLS-VPN circuit as the primary and an IPsec VPN as backup. Say we advertise subnet A and the customer advertises subnet B to the MPLS VPN provider (via BGP, of course); everything is good. Now we want to set up an IPsec VPN as a backup. Unfortunately the customer-side VPN device (Cisco ASA) only supports "policy based" VPN, so I have to explicitly configure a traffic-selector in the SRX VPN configuration listing subnet A as local-ip and subnet B as remote-ip on the SRX; not a problem. The problem is that the SRX automatically injects a static route for subnet B into the routing table, and the SRX would prefer the IPsec VPN to reach the customer. How do I get around this dilemma?

Thanks,

Re: Apple iPhone/iPad VPN to Juniper SRX - now possible!


Hi all,

Thanks for this wonderful PDF with all the information!!!

I'm having only one issue at one of the last steps with the configuration of the SRX. I tried every possible combination but none did work. I'm running an SRX210H with 12.1R1.9.

I did add the following in this order:

First interface st0, routing-options, ike proposal, ike policy, access profile, security flow, ike gateway. So far so good; after every part I did a commit with completion. But when I did add the ipsec vpn part, it got bumped. Can someone please advise me what is going wrong?

serdar@SRX210# commit
[edit security ipsec vpn picotest ike gateway]
  'gateway gw_picotest'
    Shared or group ike policy cannot refer to route-based vpn
error: commit failed: (statements constraint check failed)
[edit]
serdar@SRX210# show | compare
[edit security ipsec]
+   vpn picotest {
+       bind-interface st0.2;
+       ike {
+           gateway gw_picotest;
+           proxy-identity {
+               local 192.168.0.0/16;
+               remote 0.0.0.0/0;
+               service any;
+           }
+           ipsec-policy ipsec_pol_picotest;
+       }
+   }

serdar@SRX210> show configuration security ike
gateway gw_picotest {
    ike-policy ike_pol_picotest;
    dynamic {
        hostname .local;
        ike-user-type group-ike-id;
    }
    local-identity hostname xxxxxxxxxx.org;
    external-interface ge-0/0/0.0; ## this is my interface facing my ISP
    xauth access-profile picotest;
    version v2-only;
}

SRX 320 Client VPN - number of clients limitation?


Hi all,

I was trying hard to find out whether the limitation of 2 concurrent client VPNs still applies on

Model: srx320
Junos: 15.1X49-D45

I remember I had to buy and install licenses for a customer who needed more than 2 concurrent Client VPN users on an SRX240.

Please advise,

Thanks in advance!

Alex

Re: How to prefer BGP route over IPsec VPN generated static route


Hi there,

Easy, as always with JUNOS :-)

Under your BGP group add this line:

preference <number less than reverse static route preference>

I can't remember what the reverse static route preference for IPsec VPN with traffic selectors is, but the default static route preference in JUNOS is 5, so your line above should look like "preference 4".

HTH

Thx

Alex

Re: SRX 320 Client VPN - number of clients limitation?


Yes, you need to buy a license for additional users. AFAIK, you can transfer the existing licenses from existing SRX1XX and SRX2XX to the SRX3XX devices. You may call Juniper customer care for the same.

Re: SRX 320 Client VPN - number of clients limitation?


rsuraj is right, 2 concurrent users is still the limitation without buying extra licenses.

Please note that dynamic VPN is only present on the SRX300 series from 15.1X49-D60 and onwards, so you won't find the feature before an upgrade, as you are currently running 15.1X49-D45.

Re: SRX 320 Client VPN - number of clients limitation?


If there will be more than two simultaneous user connections, install a Dynamic VPN license on the device. Dynamic VPN is a licensed feature for SRX-Branch devices. By default, a two-user evaluation license is provided free of cost and it does not expire.

Note: If using only two users, you will not see an entry for the dynamic-vpn license. By default, it will allow you to connect with two dynamic VPN users. In cases where there are more than two users that need to connect concurrently, a license is required.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB17292&actp=search
http://www.juniper.net/documentation/en_US/junos12.1x44/topics/example/vpn-security-dynamic-example-configuring.html
http://www.juniper.net/documentation/en_US/junos12.1x44/topics/concept/security-license-overview.html

-Python
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SRX 320 Client VPN - number of clients limitation?


Hi Python,

Not entirely true. In later releases you can see the 2 concurrent users via 'show system license':

jh@fw> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0            2           0    permanent
jh@fw>

Re: SRX 320 Client VPN - number of clients limitation?


Yes, jonashauge. You are right about the "show" outputs. My earlier statement about the show outputs was confined to legacy Junos, which was modified later.

-Python
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SRX340 High CPU temperature


Hi Folks,

Please find the recommended SRX340 Services Gateway Environmental Specifications:

https://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/specifications/services-gateway-srx340-environmental-specifications.html

The fan speed changes at the threshold when going from a low speed to a higher speed. As the threshold is not yet met for the routing engine as a whole, the fans are at normal speed in your case. Moreover, the "Routing Engine CPU" reading is the one that picks up the temperature sensor of the CPU. It is always recommended to place the box in the right environmental conditions! However, you can also track the Yellow alarm/Red alarm in the box and react in the worst case to avoid any system shutdown due to high temperature.

srx340> show chassis temperature-thresholds
                           Fan speed      Yellow alarm      Red alarm      Fire Shutdown
                          (degrees C)      (degrees C)     (degrees C)      (degrees C)
Item                     Normal  High   Normal  Bad fan   Normal  Bad fan     Normal
Chassis default              35    45       50       40       75       65      100
Routing Engine               35    45       50       40       75       65      100

srx340> show chassis fan
      Item                      Status   RPM     Measurement
      SRX340 Chassis fan 0      OK       6540    Spinning at normal speed
      SRX340 Chassis fan 1      OK       6540    Spinning at normal speed
      SRX340 Chassis fan 2      OK       6420    Spinning at normal speed
      SRX340 Chassis fan 3      OK       6360    Spinning at normal speed

srx340> show chassis routing-engine
Routing Engine status:
    Temperature                 38 degrees C / 100 degrees F
    CPU temperature             60 degrees C / 140 degrees F
    Total memory              4096 MB Max  1311 MB used ( 32 percent)
      Control plane memory    2624 MB Max   735 MB used ( 28 percent)
      Data plane memory       1472 MB Max   559 MB used ( 38 percent)
    5 sec CPU utilization:
      User                       6 percent
      Background                 0 percent
      Kernel                     1 percent
      Interrupt                  0 percent
      Idle                      93 percent
    Model                          RE-SRX340
    Serial ID                      xxxxxxxxxxxxxx
    Start time                     2016-12-27 17:39:54 UTC
    Uptime                         9 days, 22 hours, 27 minutes, 39 seconds
    Last reboot reason             0x1:Power cycle/failure
    Load averages:                 1 minute   5 minute  15 minute
                                       0.00       0.05       0.06

-Python
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SIEM cannot received log when SRX using stream mode?


Hi,

Why, when I change the security log mode to stream, can I not see syslogs such as login and logout? I can see RT-FLOW logs only. Is it because stream mode is on the forwarding plane only and cannot cover control-plane syslog?

Thanks and appreciate your feedback

Re: How to prefer BGP route over IPsec VPN generated static route


I think in that case you would need to set the default preference for static routes to be higher than BGP, and then for your other static routes you would have to set them to preference 5 or whatever value you chose. So when the SRX generates the VPN static route, its default would be higher.

Something like this:

set routing-options static defaults preference 180

set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
set routing-options static route 0.0.0.0/0 preference 5
set routing-options static route 192.12.0.0/24 next-hop 172.18.1.2
set routing-options static route 192.12.0.0/24 preference 5
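As an added illustration (not from either reply above), here is the first answer's approach, lowering the BGP group's preference below the auto-inserted static, written out in Junos configuration format together with the traffic-selector VPN that causes the static route. The group name, AS numbers, peer address, subnets A (10.1.0.0/16) and B (10.2.0.0/16) and the VPN object names are assumed, and the IKE gateway and IPsec policy are assumed to exist already.

```junos
/* Assumed names: MPLS-CUSTOMER, GW-CUSTOMER, IPSEC-POL-CUSTOMER;
   subnet A = 10.1.0.0/16 (ours), subnet B = 10.2.0.0/16 (customer) */
routing-options {
    autonomous-system 65001;
}
policy-options {
    policy-statement ADVERTISE-SUBNET-A {
        term subnet-a {
            from {
                route-filter 10.1.0.0/16 exact;
            }
            then accept;
        }
        then reject;
    }
}
protocols {
    bgp {
        group MPLS-CUSTOMER {
            type external;
            /* BGP's default preference is 170, while the route the SRX
               auto-inserts for the traffic selector's remote-ip is a static
               at preference 5. Setting 4 here makes the MPLS path win for
               10.2.0.0/16 whenever the BGP session is up; when it drops,
               the static at 5 takes over and traffic falls back to the
               tunnel. */
            preference 4;
            export ADVERTISE-SUBNET-A;
            peer-as 65002;
            neighbor 192.0.2.1;
        }
    }
}
security {
    ipsec {
        vpn BACKUP-TO-CUSTOMER {
            bind-interface st0.0;
            ike {
                gateway GW-CUSTOMER;
                ipsec-policy IPSEC-POL-CUSTOMER;
            }
            /* Policy-based peer (ASA): this selector pair is what makes the
               SRX inject the static route for the remote-ip prefix. */
            traffic-selector TS-A-TO-B {
                local-ip 10.1.0.0/16;
                remote-ip 10.2.0.0/16;
            }
        }
    }
}
```

Verify with `show route 10.2.0.0/16` on the SRX: the BGP entry should be active at preference 4 with the auto-inserted static at 5 listed as the inactive alternate. The other reply's approach (`static defaults preference 180` plus an explicit `preference 5` on the statics you still want ahead of BGP) produces the same ordering without touching the BGP group.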

IP Phone VPN at my wits end


Box is an SRX 320, v 15.1X49-D45

I'm at my wits' end. I've done this before with an SRX... But I can't seem to make it work on this box. It's an Avaya phone with an IPsec VPN client built in, trying to establish a tunnel to the SRX, a policy-based VPN and local XAUTH. I get these common errors:

[Jan 7 00:28:18]ike_st_i_sa_proposal: Start
[Jan 7 00:28:18]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jan 7 00:28:18]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 1157000)

I hope someone can look at this and tell me what I'm missing, and hopefully it's something obvious. This seems pretty simple; I don't know what I'm missing. I've checked that the client side matches all parameters and the shared secret matches, of course.

Re: IP Phone VPN at my wits end


Hi JayNEC,

Policy-based VPN was initially removed from the 15.1X49 software train but was reintroduced in 15.1X49-D50. VPN client support was also initially removed and then reintroduced in 15.1X49-D60.

If you look in the attached configuration you will also see "unsupported platform" multiple times. In this case it's due to missing support for policy-based VPN.

So the first step would be to upgrade to at least 15.1X49-D60 and preferably 15.1X49-D70. Then try again.

Re: IP Phone VPN at my wits end


Oh. My. God.

I didn't notice those blocks.

Thank you.

Recommended IKE and IPSEC Security Parameters


What are the recommended security parameters (authentication, encryption, DH groups, etc.) for the IKE and IPsec VPN phases?

Re: SIEM cannot received log when SRX using stream mode?


Hi,

In stream mode logging, the traffic logs (RT_FLOW) are sent directly from the PFE to the syslog server in order to offload the RE from processing these.

Hence you will not be able to see them in local files on the SRX, as they are not reaching the RE, which is responsible for writing these logs to the files.

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
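Added example (not from Sahil's reply or the original question): a configuration that delivers both kinds of logs to one collector, RT_FLOW session logs in stream mode straight from the PFE, and the RE's own events (logins, logouts, commits) through system syslog, which is the part stream mode does not cover. The SRX source address 192.0.2.10, the collector 192.0.2.50 and the stream name SIEM are assumed.

```junos
security {
    log {
        /* Stream mode: flowd on the PFE emits RT_FLOW session logs straight
           to the collector. Nothing is written to the RE's local files, so
           "show log" on the box will not show them. */
        mode stream;
        format sd-syslog;
        /* Mandatory in stream mode; the PFE sources its packets from here
           (assumed address of an SRX interface). */
        source-address 192.0.2.10;
        stream SIEM {
            category all;
            host {
                192.0.2.50;
                port 514;
            }
        }
    }
}
system {
    syslog {
        /* Control-plane events such as login/logout (UI_LOGIN_EVENT,
           UI_LOGOUT_EVENT), commits and daemon messages originate on the RE
           and are not part of "security log" at all; they need their own
           syslog host entry, which is why only RT_FLOW arrived at the SIEM. */
        host 192.0.2.50 {
            any info;
            authorization any;
            interactive-commands any;
            source-address 192.0.2.10;
        }
        /* Keep a local copy of RE events for troubleshooting on the box. */
        file messages {
            any notice;
            authorization info;
        }
    }
}
```

After committing, the collector should see RT_FLOW_SESSION_CREATE/CLOSE records sourced by the PFE and UI_LOGIN_EVENT/UI_LOGOUT_EVENT records sourced by the RE, while `show log messages` on the SRX still shows only the RE's events.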
