Channel: All SRX Services Gateway posts

Re: Proxy IDs (traffic Selector) of 0.0.0.0


Hi,

 

There are 2 scenarios:

 

  1. VPN tunnel is initiated from the remote end - The SRX would accept the proxy IDs and tunnel would be formed.
  2. SRX initiates the VPN tunnel - The tunnel establishment would fail because the SRX is using a proxy-id of 0/0 while the other end has specific IDs configured.

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.


Re: L2TP through SRX


Thanks for the update and the MS link.  Glad you have it working.

Re: SRX IDP Policy - No counters


Nice. Mark your answer as resolved so others can quickly look and see remedial measures if they have a similar issue.

Re: Apple iPhone/iPad VPN to Juniper SRX - now possible!

Security log flow time zone not same with syslog time zone in SRX58000?


Hi All,

 

 

Is anyone else facing the same problem as me, where the SIEM receives the syslog log and the security log from the SRX and they are not in the same time zone?

 

Is there any way we can change the time zone of the security flow log to be the same as the time zone configured on the SRX?

 

Thanks, and I would appreciate anyone's help.

Re: Asking about Preshared-key on VPN Remote Access


This document should be linked on all our Dynamic VPN pages as the explanation of how it functions helped me more than most of the official docs to get my service working on SRX300 running 15.1X49-D70.3. I've submitted a request to our documentation team for exactly that.

 

Thanks for the link! 

Re: SFTP to External Server Issues - Network error: Software caused connection abort

This didn't work for me, worked via SSG, SRX swap out and unable to get any response to initial connection? Connection to server times out? I can connect to the server using the same version of FileZilla via an SSG? ALG enabled, and disabled?

Re: traceoptions only showing dropped packets inspite of applying basic-datapath flag


Hi Experts,

 

Please help me figure out how to see the matched packets, as I only see dropped packets if I use basic-datapath.

 

BR//

Swati


Re: traceoptions only showing dropped packets inspite of applying basic-datapath flag


Which version are you running?

 

You may try "delete security flow traceoptions", commit, and then do a rollback 1 and commit.

Re: traceoptions only showing dropped packets inspite of applying basic-datapath flag


Version is 12.1X44-D40.2.

I have already tried deleting the traceoptions and then adding them again, but it is still the same.

 

Re: traceoptions only showing dropped packets inspite of applying basic-datapath flag


Can you share the "show log 001_check| no-more" output? How did you confirm that you are only getting dropped packets?

 

CVE-2016-1278 Upgrades using 'partition' option may allow unauthenticated root login

Re: Security log flow time zone not same with syslog time zone in SRX58000?


Hi All,

 

Just to update: after some troubleshooting with JTAC, it looks like the time zone between the RE and FPC is not the same. The solution from JTAC is to reboot the box. Has anyone experienced this who could solve it without rebooting the box?

 

 

Thanks

 

 

SRX300 provided by comcast/xfinity their techs know nothing


SRX300 provided by Comcast/Xfinity their techs know nothing.

 

they can't tell me where to do port forwarding and if it's allowed by the customer. 

and what is the unit flashed with that is different from factory? 

 

also where do you see internet outages in the logs?



SRX3xx - High VLAN ID No.


Hi,

 

As the Juniper documentation explains, the VLAN IDs 3968 through 4096 are reserved and cannot be configured on SRX3xx and SRX5xx devices.

But how is it that on the D50 version I can configure that without any problem?

 


Re: SRX3xx - High VLAN ID No.


Did you commit the configuration?

Re: SRX300 provided by comcast/xfinity their techs know nothing

Dual Static NAT?


Can one implement dual static NATs?

 

I have a setup where we need to do source and destination natting for several hosts bi-directionally.

 

Thanks in advance,

Chris

Re: SFTP to External Server Issues - Network error: Software caused connection abort


Try some debugging:

set security flow traceoptions file SFTPTRACE
set security flow traceoptions file size 2m <====modify file size as fit
set security flow traceoptions file files 10 <===set number of log files as fit
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops <===== flag all
set security flow traceoptions packet-filter F1 source-port <> <====could also add filter for source-address
set security flow traceoptions packet-filter F2 destination-port <> <====could also add filter for destination-address

 

You will learn which policy is causing the packet drops.

 

Take a look at this article, it may also help explain:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB19444&actp=search
