Thank you so much, looks like SRX-4000 has even lower specs than SRX-3400/SRX-3600 (SRX-5400 is an overkill for us, but we got a bundled pricing from a VAR so it is not significantly more expensive than SRX-3600), I will talk to the VAR, SRX-4000 may be a perfect fit if it is cheaper than SRX-3400/SRX-3600.
Re: Juniper SRX or Cisco ASR 1000
You can also "Request a Quote" and get expert advice:
https://www.juniper.net/uk/en/how-to-buy/request-a-quote.page
Re: TSB16954 - Routing Engines (RE) might consistently reboot due to compact flash (CF) lock up
Can you please confirm whether you are trying to run the script with root credentials, as below:
root@:~ # whoami
root
root@:~ #
Otherwise, use su to log in as root:
%
% su
Password:
root@:~ #
Re: Strange port forwarding issue - SRX320
Thanks for replying, lyndidon.
Unfortunately the boss became so frustrated with me not being able to get this working, and the complete lack of Juniper support locally (Aberdeen, Scotland - there doesn't seem to be any company able to offer support), that yesterday afternoon he had a local support company supply, configure & install a high end Draytek which they'll support within an hour should anything go wrong.
Overall prob a good idea as if anything were to go wrong with the SRX when I was on holiday they'd be screwed.
So on that note.
Anyone in the UK looking for a nearly new boxed SRX320 with JSB licence?
Open to realistic offers.
Re: Strange port forwarding issue - SRX320
Sorry to hear that. I am a big fan of Juniper...er, Juniper switches and SRX. What you have experienced is sad and I am truly sorry. But on the other hand, you now have a chance to do a little consulting on the side. If you can find a buyer, offer to set it up for a fee. You could recoup your losses and at the same time learn more about the SRX. You could be the one
Re: Strange port forwarding issue - SRX320
Sounds like an excellent plan to me.
From what I've seen I'm a big fan of their capabilities, just not the seemingly long winded way to do what other devices handle very simply.
I was always planning on working through the online training after the Christmas / New Year madness subsided so you might be onto something, and once completed, I'm sure my mind would be rewired in a way not to find the procedures complicated in any way.
Just wouldn't have a device to practice with if we manage to shift this one.
NOTE:
As it turns out the port forwards may well have been working perfectly well all along.
The 33899 > 3389 redirect I couldn't get working didn't initially work on the new router either until the network card was restarted on the server (thinking a Winblows update for the card drivers knackered this, as there was one applied at the end of last week and no reboot since), and the SIP issue was another matter.
Our provider was adamant that it was set up correctly, as it was tested with a test number over SIP whilst running our main system fed from our analogue PBX before migration, but it turns out that no matter what I tried it wouldn't have worked, as the old system only passed a 4 digit number to the phones where the SIP was passing 6 (so the phones didn't know what to do with the data), and whenever we dialed 9 for an outside line our SIP PBX was trying to route the call via the old analogue PBX and not the SIP provider.
The boss is rightfully fuming with them, and for my own sanity I'm going to hook the SRX up over the weekend to see if it now works!
Re: Strange port forwarding issue - SRX320
I scanned the configuration and it looked pretty good to me, nothing jumped out. As far as the SIP phone issue, that should not be a problem. This is the likely configuration you need:
You can get the vSRX for a trial period, I think 30/60 days. This is another sore point. People may not have time to consistently test over 30 days, but 60 is more reasonable. It requires dual CPU to work. I am with you; fire up that bad boy over the weekend and test it out. Also look at the config and see if you have that set up. Another important factor sometimes could be the ordering of the rules, terms and policies, so always take a look at that. Keep us posted if the test works, and better yet, get the coffee and stay awake until it works. You will be happy you did.
For sure there are a lot of configurations that can be done in a few minutes with a few drag'n'drops and a few clicks, and it is done quickly in other systems. The key to Juniper is to have a working config saved which you can then modify as needed without having to type the whole thing out. In fact, before you zeroize that box, run these 2 commands at the very top of the hierarchy so you can save the config in two formats:
user@SRX# show | display set | save srx-config1
user@SRX# show | no-more | save srx-config2
Both files will be in the home directory of the logged in user, or you can specify a path to save to an ftp/scp server.
Except for passwords, the rest of the config is in plaintext.
The SRXs are beasts and perform well when there are not software bugs. Plus the added benefit of the dual root partition, so if there is a power outage and one does not have a UPS (don't laugh) and your primary partition gets corrupted, it boots up from the secondary partition and continues to function when power is restored. And you can easily repair the corrupted partition with a simple command.
Re: Strange port forwarding issue - SRX320
SRX240 Need Help with vlan Routing
I am new to the SRX and I am having problems routing between vlans and I hope someone can help.
This is a picture of my configuration:
I am trying to route traffic between vlan.10 and vlan.800 (between zones trust and untrust).
From 192.168.100.2 I cannot ping any address on the 10.1.8.0 network, and from 10.1.8.71 I cannot ping any address on the 192.168.100.0 network. From the SRX240 I can ping everything.
Here is the configuration that I am using:
root@dpr-fw> show configuration
## Last commit: 2017-01-14 00:05:23 UTC by root
version 12.3X48-D35.7;
system {
    host-name dpr-fw;
    root-authentication {
        encrypted-password "."; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.300;
            }
            https {
                system-generated-certificate;
                interface vlan.300;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.800 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            inactive: screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.10 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone fw-manage {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.300;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members utility;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-untrust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 192.168.100.88/24;
            }
        }
        unit 300 {
            family inet {
                address 10.1.3.88/24;
            }
        }
        unit 800 {
            family inet {
                address 10.1.8.88/24;
            }
        }
    }
}
protocols {
    igmp {
        interface all;
    }
    stp;
    igmp-snooping {
        vlan all;
    }
}
vlans {
    utility {
        vlan-id 300;
        l3-interface vlan.300;
    }
    vlan-trust {
        vlan-id 800;
        l3-interface vlan.800;
    }
    vlan-untrust {
        vlan-id 10;
        l3-interface vlan.10;
    }
}
If anybody can help me figure out what is wrong I would appreciate it.
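An added example, not part of this thread: a small Python parser for the brace-format "show configuration" output posted above, which lists the interfaces bound to each security zone and the zone pairs that have no explicit policy. In the poster's config those pairs fall back to default-policy permit-all, which is why the policies are not the blocker here (and why that default deserves tightening once the routing problem is solved). The excerpt and function names are constructed assumptions, not Juniper's code.

```python
import re

# Constructed excerpt in Junos brace syntax, modelled on the poster's config (not verbatim).
SAMPLE = """
security {
    policies {
        from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } }
        from-zone untrust to-zone trust { policy untrust-to-trust { match { source-address any; destination-address any; application any; } then { permit; } } }
        from-zone trust to-zone trust { policy trust-to-trust { match { source-address any; destination-address any; application any; } then { permit; } } }
        default-policy { permit-all; }
    }
    zones {
        security-zone trust { interfaces { vlan.800 { host-inbound-traffic { system-services { all; } } } } }
        security-zone untrust { inactive: screen untrust-screen; interfaces { vlan.10 { host-inbound-traffic { system-services { all; } } } } }
        security-zone fw-manage { interfaces { vlan.300; } }
    }
}
"""
def parse_junos(text):
    """Parse Junos curly-brace config into nested dicts; leaf statements map to None."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"##[^\n]*", "", text))
    stack, words = [{}], []
    for tok in tokens:
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
        elif tok == ";":
            stack[-1][" ".join(words)] = None
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
            continue
        words = []  # a structural token ends the current statement
    return stack[0]

def zone_interfaces(cfg):
    """Map each security zone to the interfaces bound to it."""
    zones = cfg.get("security", {}).get("zones", {})
    return {k.split(" ", 1)[1]: sorted(v.get("interfaces") or {})
            for k, v in zones.items() if k.startswith("security-zone ") and v}

def policy_pairs(cfg):
    """Ordered (from-zone, to-zone) pairs that carry at least one explicit policy."""
    pols = cfg.get("security", {}).get("policies", {})
    return {m.groups() for k, v in pols.items() if v
            for m in [re.match(r"from-zone (\S+) to-zone (\S+)$", k)] if m}

def uncovered_pairs(cfg):
    """Zone pairs (intrazone included) decided by default-policy alone; permit-all leaves them open."""
    zones, have = zone_interfaces(cfg), policy_pairs(cfg)
    return sorted((a, b) for a in zones for b in zones if (a, b) not in have)
```

Feed the full "show configuration" text (minus the CLI prompt line) to parse_junos to run the same checks on the real config.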
Re: SRX240 Need Help with vlan Routing
Do a flow traceoption to see how the traffic is being handled.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110
SRX-210H internal flash failure
Hi,
In the last year, our SRX has had some issues writing to flash. Sorry, I don't have the log messages on me at the moment, but from memory it had been temporarily writing its logs to the internal flash rather than the usual syslog server, and something in them prompted me to run "nand-mediack", which returned the "all clear".
Today, during preparation for the firmware update, I tried this command in the cli:
file delete /var/tmp/junos-srxsme-12.1X46-D52.1-domestic.tgz
to free up some space on the drive, after copying over the new image failed due to out of space. The router immediately stopped responding to ssh and also to pings. The last lines in the syslog were:
Jan 14 09:44:38 r2.chip mgd[77273]: UI_CMDLINE_READ_LINE: User 'jams', command 'file delete /var/tmp/junos-srxsme-12.1X46-D52.1-domestic.tgz '
Jan 14 09:44:38 r2.chip mgd[77273]: UI_CHILD_START: Starting child '/bin/rm'
I tried connecting via serial (using "screen /dev/ttyS0 9600") and screen terminated immediately (very strange). The orange alarm light was showing on the front panel, so I did a quick power off, wait 60 seconds, power on, and connected via serial and then it said:
***********************************************************************
**                                                                   **
**  WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE      **
**                                                                   **
**  It is possible that the primary copy of JUNOS failed to boot up  **
**  properly, and so this device has booted from the backup copy.    **
**                                                                   **
**  Please re-install JUNOS to recover the primary copy in case      **
**  it has been corrupted.                                           **
**                                                                   **
***********************************************************************
root@r2%
We successfully ran
request system snapshot slice alternate
And that has booted from the proper partition, and everything seems OK again (apart from running from a slightly older JunOS). "nand-mediack" has reported no issues, uptime was probably around 50 days. We had performed a large config change a few days before, without any problems.
What I'm worried about is: could this be the sign that the flash is going bad (although I have nothing in the logs to suggest this, it is my primary concern), and if so, can it be replaced?
Thanks.
Dynamic VPN Network Confusion
I'm attempting to setup a Dynamic VPN for remote-access to customer networks. The first issue, I believe is that the clients local network and the remote-protected-resources network are the same. I don't see a workaround here unless one of them changes subnet?
The other point I am confused on is the address-assignment pool vs the trust networks. Is the address-assignment pool supposed to overlap networks with a trusted network interface, or can they be separate? It seems like the proxy-arp setting was only needed IF they overlap, not that it was a requirement.
I appreciate any input on the matter.
Re: SRX-210H internal flash failure
Hi Folks,
Can you share the session logs or other interesting logs from when this was seen on the box? To start with, I would say to do a preliminary proactive check of storage usage on this box.
If you are going to do a J-Web installation or copy the Junos software image to the SRX, then check the flash size and purge unused files:
Check current Flash size:
show system storage | match cf
Start the cleanup:
Purge logfiles:
request system storage cleanup
If the flash size is still lower than the size of your image, then try the following:
Clear files from the /var/log directory. Clear or remove any traceoptions files and clear any log files which are not needed.
Note that you will lose all contents of the log file after a clear is done.
clear log <log-filename>
Purge software backup.
Note that if you delete the backup software, you will not be able to rollback using the "request system software rollback" command.
request system software delete-backup
Locate directories on the flash with large amounts of data:
show system directory-usage /cf
To save space, browse directories and erase files manually. Be careful with which file you choose to delete.
file list /var/tmp
file delete /var/tmp/xyz
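An added pre-flight check, not from the thread or from Juniper: before copying an image onto the box (the step that failed with "out of space" earlier in this thread), parse the "show system storage" table and confirm the target filesystem has room for the image plus some headroom. The output below is constructed for illustration and the mount point used is an assumption; pass the one your own "show system storage" reports for /var.

```python
import re

# Constructed "show system storage" output (not taken from the poster's device).
SAMPLE_STORAGE = """\
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             293M       176M        93M       65%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/md0                 69M        69M         0B      100%  /junos
/cf                     293M       176M        93M       65%  /junos/cf
/dev/da0s3e             1.5G       1.2G       192M       86%  /cf/var
/dev/da0s4d             112M       2.9M       100M        3%  /config
"""

UNITS = {"B": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

def to_bytes(size):
    """Parse a size column value such as '192M', '1.5G' or '0B' into bytes."""
    m = re.fullmatch(r"([\d.]+)([BKMG])", size)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def avail_bytes(output, mount):
    """Free bytes on the filesystem mounted at `mount`, read from the Avail column."""
    for line in output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if cols and cols[-1] == mount:
            return to_bytes(cols[3])
    raise KeyError(f"no filesystem mounted at {mount}")

def image_fits(output, image_bytes, mount="/cf/var", headroom=0.10):
    """True when the image plus `headroom` (10% by default) fits in the free space."""
    needed = int(image_bytes * (1 + headroom))
    return avail_bytes(output, mount) >= needed
```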
Re: SRX240 Need Help with vlan Routing
Hi Folks,
This example shows how to set up a new zone and add three application servers to that zone. Then you provide communication between a host (PC) in the trust zone to the servers in the newly created zone and also facilitate communication between two servers within the zone.
To meet this requirement, you need an interzone security policy to allow traffic between two zones and an intrazone policy to allow traffic between servers within a zone.
Re: SRX240 Need Help with vlan Routing
Are all of your hosts using x.x.x.88 as their gateways?
Local Web Filtering Inconsistency
I have setup the UTM local web filtering. After much trial and error I'm able to blacklist sites such as facebook.com, pinterest.com, and netflix.com. However I do not always get the custom block message.
Going to netflix.com displays the message in Firefox, but the page isn't blocked in Safari.
Going to pinterest.com displays the message in Safari, but I get an SSL error in Firefox. (SSL_ERROR_RX_RECORD_TOO_LONG)
Going to facebook.com displays the same SSL error in Firefox and Safari fails to load with similar error.
My biggest goal was blocking Netflix, and I find it very strange to have different results based on the browser. I was wondering if anyone has had any experience blocking these or similar URLs via local web filtering?
Re: Local Web Filtering Inconsistency
SRX 320 site-to-site VPN problem
Hello!
I have Juniper SRX 320 with JunOS version 15.1X49-D45
I want to configure a policy-based site-to-site VPN.
But I have a problem: when I try to configure the security policy for this VPN, I can't write permit tunnel in the policy "then" block.
set security policies from-zone trust to-zone untrust policy my-vpn-policy then permit tunnel pair-policy my-vpn-policy-2
tunnel pair-policy my-vpn-policy-2 - no way to do this on SRX 320
Please help me! How can I configure a policy-based VPN on my Juniper SRX 320?
Re: Local Web Filtering Inconsistency
That might explain my Pinterest/Facebook issues. However Netflix, according to the address bar, defaults to https. It was also Netflix that I was experiencing the inconsistency among browsers with. I'm sure Netflix is doing some type of redirection, causing strange issues. I previously tried using DNS entries in the security policy but that would never block Netflix. I was just wondering if anyone has seen something similar?
Re: Bug Reintroduced on Dynamic VPN
Hi,
I just upgraded an SRX220H2 from 12.1X47-D15.4 to 12.3X48-D40.5 and have the exact same issue (described in PR1135780). The httpd.log states that web management is not allowed from this interface.
The Pulse Secure version is 5.1.5 (61437).
Anyone else experiencing this?
Allowing web management on the public interface seems like a bad solution.