Quantcast
Channel: All SRX Services Gateway posts
Viewing all 17645 articles
Browse latest View live

Re: SRX300 Active/Backup

January 26, 2017, 3:12 am
$
0
0

Hi Shailesh,

 

my switches are connected by a trunk (1gbps), if I setup a reth0 as you said:

 

{primary:node0}[edit]
user@host# set interfaces ge-0/0/0 gigether-options redundant-parent reth0
user@host# set interfaces ge-0/0/1 gigether-options redundant-parent reth0
user@host# set interfaces ge-1/0/0 gigether-options redundant-parent reth0
user@host# set interfaces ge-1/0/1 gigether-options redundant-parent reth0
 
Assuming node0 in active state, I get working ge-0/0/0 and ge-0/0/1 and so I need LAG or not?
Search

Re: Site To Site

January 26, 2017, 3:30 am
$
0
0

this is the syntax error i get when im trying to set the policy for the ipsec

 

root@Globalogik# set security ipsec policy ipsec-policy-cfgr proposal-set userDefined
^
syntax error, expecting <data>.

Re: Site To Site

January 26, 2017, 3:40 am
$
0
0

Hi Avino,

 

You are facing and issue when configuring the following :-

 

 

set security ipsec policy ipsec-policy-cfgr proposal-set userDefined

 

The issue here is :-

 

  • "userDefined" is not present in your configuration.

I see that you have another statement :-

 

 

set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group1

 

 

  • You will not be able to call one proposal and one proposal-set in the same ipsec policy.
  • The statement "set security ipsec policy ipsec-policy-cfgr proposal-set userDefined" is not needed.

 

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: advertise OSPF static routes into stub/t-stub

January 26, 2017, 5:03 am
$
0
0

Hello,

 

Andrewmiller wrote:

 

also # 3 would work im sure I'm assuming i would have to write a policy for it to work ? 

 

 

like this ? 

set policy-options policy-statement exportstatic1 term exportstatic1 from protocol static
set policy-options policy-statement exportstatic1 term exportstatic1 then external type 1
set policy-options policy-statement exportstatic1 term exportstatic1 then accept

No. For my option #3 You have to:

1/ duplicate Your statics as connected. I.e. if You have static 203.0.113.0/24 then pick an intreface that is always up, like lo0 and assign 203.0.113.254/24 to it. Repeat for every static route.

2/ add this interface into OSPF. Use a separate area and filter these connecteds from going into area 0 with "area-range" or "network-summary-import" 

3/ Add anotther routing instance and import area 0 OSPF routes into it.

4/ Add FBF to from-SOHO-ingress interface to send all traffic from SOHO into that routing instance.

HTH

Thx
Alex

Re: Security log flow time zone not same with syslog time zone in SRX58000?

January 26, 2017, 8:15 am

Route-lookup for x.x.x.x yielded reject NH

January 26, 2017, 9:30 am
$
0
0

Hi all,

 

I'm having some issues with traffic through an SRX3600 cluster.  The traffic is between Active Directory servers in two different zones on directly connected subnets.  Looking through a traceoptions capture I find the following:

 

Jan 26 11:05:10 11:05:10.436369:CID-01:FPC-08Smiley TongueIC-00:THREAD_ID-24:RT:Route-lookup for 10.64.0.72 yielded reject NH

Jan 26 11:05:10 11:05:10.436391:CID-01:FPC-08Smiley TongueIC-00:THREAD_ID-24:RT:flow_ipv4_firstpath_route_lookup: no route to dest 10.64.0.72

Jan 26 11:05:10 11:05:10.436417:CID-01:FPC-08Smiley TongueIC-00:THREAD_ID-24:RT: jsf drop pak pid 20, jbuf 0x8e869b90, release hold 0, sess_id 0

Jan 26 11:05:10 11:05:10.436442:CID-01:FPC-08Smiley TongueIC-00:THREAD_ID-24:RT:[JSF] set ext handle 0x0 for plugin 20 on session 1069446912804

Jan 26 11:05:10 11:05:10.436459:CID-01:FPC-08Smiley TongueIC-00:THREAD_ID-24:RT: After jsf gate hit. sid 0xdb24, pid 20, cookie 0x37, jbuf 0x8e8643d0. rc = 16

Jan 26 11:05:10 11:05:10.436481:CID-01:FPC-08Smiley TongueIC-00:THREAD_ID-24:RT: packet dropped, denied by gate_hit callback

Jan 26 11:05:10 11:05:10.436491:CID-01:FPC-08Smiley TongueIC-00:THREAD_ID-24:RT:denied by gate_hit callback

 

And I'm not sure what it all means.  10.64.0.0/22 is a directly connected subnet:

10.64.0.0/22 *[Direct/0] 22:29:16
> via reth50.0

 

Anyone know what the "Route lookup... yeilded reject NH" and the "denied by gate_hit callback" messages are referring to?

 

Thanks in andvace for any help!

Jweb does not work on SRX 340

January 26, 2017, 10:52 am
$
0
0

We have SRX 340 running on 15.1X49-D60.7  and the jweb does not work. Firefox,chrome,IE,Edge all browser timeout due to multiple redirects. , Clearing the cookies does reset the certificate but accepting the cert results in "The page isn’t redirecting properly" . Https is configured correctly

 

show system services
ssh;
web-management {
    http {
        interface reth2.10;
    }
    https {
        system-generated-certificate;
        interface reth2.10;

 

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces reth2.10

 

Not sure what else am i missing here.... its accepting the connection on https ,presenting the certificate but then the browsers refuse to accept the webpage. Here's what we see on Firefox.. "

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

    This problem can sometimes be caused by disabling or refusing to accept cookies."

Re: srx340 as a switch and gateway router

January 26, 2017, 11:51 am
$
0
0

i have been expierencing similar issues using a config i copied and modified from a srx210 ( i made the interfaces match up) for a srx 345. the 345 is running 15.1x49-D75.5

all we are trying to do is use the 345 to support users using dhcp. the input is a router and the users will plug into the firewall. 

as of now i am able to reach the firewall but i cannot get the user ports to connect. 

the vlan appears to only want an irb, as i have learned from reading this thread. I used the set protocols l2-learning global-mode switch command and lost remote connectivity so i changed the firewall back to transparent to get remote connectivity restored.

im no admin, so im baffled here. 

any advice would be great.

Search

[Q] SRX-100H Custom ports

January 26, 2017, 7:09 pm
$
0
0

We need to make our SRX-100's so the st0.0 has all ports and protocols blocked, except a list of about 22 ports, and 7 protocols.

 

I did not see any where that would allow for custom port numbers. 

Anyone know about this.?

 

Thanks

Re: [Q] SRX-100H Custom ports

January 26, 2017, 7:50 pm

Re: Site To Site

January 26, 2017, 11:39 pm
$
0
0

If you have defined th policy then you would use "propsals" if you use "proposal-set" then you ould use one of the predefined system proposal set

# set security ipsec policy ipsec-pol proposal-set ?
Possible completions:
basic (IPSEC basic proposal-set)
compatible (IPSEC compatible proposal-set)
standard (IPSEC standard proposal-set)
suiteb-gcm-128 (IPSec proposal-set for Suite-B-GCM-128)
suiteb-gcm-256 (IPSec proposal-set for Suite-B-GCM-256)

I have4 not looked at the rest of the config

Look at this Juniper example:

First define the parameters of the proposal named "ipsec-phase2-proposal" (this is the user defined proposal Smiley Happy

 

set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
 
Now you define the policy named " ipsec-phase2-policy" and reference the proposal "ipsec-phase2-proposal" that was just defined
 
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
 
Add some mre security if defined on the other end
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2

Re: cisco asa to juniper srx vpn site to site not working !!!!

January 27, 2017, 1:02 am
$
0
0

Can you chek if the ASA is using IKEv2 because Juniper is at IKEv1; and also ensure they are using ESP foir IPSec.

Re: Jweb does not work on SRX 340

January 27, 2017, 4:14 am
$
0
0

Hi,

 

Please try restarting the web management to make sure that the service is working as expected :-

 

>restart web-management

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

SRX100 - Routing/Policy issue pinging IP past gateway in different Zone

January 27, 2017, 6:13 am
$
0
0

I have a SRX100 configured with several Zones, each with it's own IP range.

for this situation the following is important to know:

- Zone11 --> vlan11 --> Juniper IP 10.0.2.239 Gateway 10.0.2.250 --> Target IP (trying to reach) 10.69.76.23

- Zone54 --> vlan54 --> Juniper IP 192.168.54.239 --> Source IP (pinging from) 192.168.54.100

- Zone101 --> vlan101 --> Juniper IP 192.168.178.239 Gateway 192.168.178.1 --> Internet

- Zones 51-57 with each own vlan, all route 0.0.0.0/0 to 192.168.178.1 --> To enable internet access

 

Almost everything works as it should:

- I can reach internet from Zone51-57, including zone54.

- I have working NAT from Zone11 to several IPs in Zone51-57

- Pinging 10.69.76.23 from 10.0.2.0/24 network (facilitated by default gateway 10.0.2.250)

 

Only thing that does not work:

- Pinging 10.69.76.23 from 192.168.54.0/24 network (should be routed to 10.0.2.250)

 

Anyone that can help me out explaining what would be required to configure this to work?

Re: Jweb does not work on SRX 340

January 27, 2017, 7:51 am
$
0
0

Already did that, when i allow https by default without any specific interface it works.

Search

Re: [S2S VPN] SRX DynamicIP Cisco IOS DynamicIP

January 27, 2017, 9:27 am
$
0
0

Hello again,

I have went trough some troubleshooting and fine tuning of the configuration and now it's somewhat better.

Cisco side seems to work as expected. It is creating ike aggressive mode requests and sends them to the SRX.

But there are no logs on the SRX.

What is interesting is when I change:

 

gateway ike_gw-SPOKE {
    ike-policy ike-ext_sites_SPOKE;
    dynamic hostname SPOKE.domain.com;
    local-identity hostname HUB.domain.com;
    external-interface ge-0/0/0;
}

to this:

gateway ike_gw-SPOKE {
    ike-policy ike-ext_sites_SPOKE;
    address x.x.x.x; ##real IP address resolved from FQDN
    local-identity hostname HUB.domain.coml;
    remote-identity hostname SPOKE.domain.com;
    external-interface ge-0/0/0;
}

Tunnel goes up and everything works fine.

 

Any ideas what could be the root cause?

 

----EDIT-----

And there is one more thing. I was previously not aware, that FQDN in aggressive mode cannot be longer than 20 characters (https://kb.juniper.net/InfoCenter/index?page=content&id=KB21716&actp=search).

Well, in my scenario tunnel goes up even though the FQDN is 22-character long :-)

But I have tried with a shorter FQDN. At first the packet has been processed with "No proposal chosen" error, but after ipsec-key-management restart and CRYPTO engine restart on cisco side - packets are no longer seen on the SRX.

[JSRX 210] How to completly remove/delete destination NAT?

January 27, 2017, 2:43 pm
$
0
0

Recently I configured my JSRX210 with the following destination NAT rules:

 

edit security
set zones security-zone trust address-book address companyserver1 y.y.y.y/32
exit

edit security policies from-zone untrust to-zone trust
set policy companyserver1-access match source-address any destination-address [ companyserver1 ] application any
set policy companyserver1-access then permit
exit

edit security nat destination
set pool dst-nat-pool-1 address y.y.y.y port 443
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address x.x.x.x
set rule-set rs1 rule r1 match destination-port 443
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
exit

edit security nat
set proxy-arp interface ge-0/0/0.0 address x.x.x.x

commit confirmed 60
commit

edit security nat destination
set pool companyserver1-dst-nat-pool-1 address y.y.y.y port 1110
set rule-set rs1 from zone untrust
set rule-set rs1 rule r2 match destination-address x.x.x.x
set rule-set rs1 rule r2 match destination-port 1110
set rule-set rs1 rule r2 then destination-nat pool companyserver1-dst-nat-pool-1

commit confirmed 60
commit

 

And I need to completly remove the changes I made. I know I can simply rollback to prevoius config, but the thing is, I haven't saved it. I do not want to restore default config either.

 

Is there a simple set of commands, which will let me just revert the changes I made, delete / remove the rule sets, pooles, the whole destination NAT I made? Thank you.

Re: SRX firewall routing configuration

January 27, 2017, 3:36 pm
$
0
0

Hi SSN,

 

i thought down 1 to 4 routing-options, will not function at all, as the next hop is not part of 10.80.90.0/27, which is defined at the routing-instances , as

set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

 

routing-options static route 10.62.170.190/32 next-hop 10.80.93.1  >> 1
routing-options static route 10.62.170.0/24 next-hop 10.80.93.1      >> 2
routing-options static route 10.61.105.0/26 next-hop 10.80.93.1      >> 3
routing-options static route 10.66.65.103/32 next-hop 10.80.93.1    >> 4

 

is this right? or could you help me to understand the different functionality of the 2 definitions

1- set routing-instances Main-VR routing-options static route

2- routing-options static route

Re: SRX firewall routing configuration

January 27, 2017, 3:43 pm
$
0
0

Hi vMicroMe,

 

In your reply,

“All those traffic that will arrive to srx interface other then reth0.0 use global defination.”

 

Where to find this global definition

Re: [JSRX 210] How to completly remove/delete destination NAT?

January 28, 2017, 3:35 am
$
0
0
tk2 wrote:

I know I can simply rollback to prevoius config, but the thing is, I haven't saved it.

What does this mean? Your config is saved when you commit. You can do a rollback 4 and commit.

 

Otherwise

 

edit security
del zones security-zone trust address-book address companyserver1 y.y.y.y/32
exit

edit security policies from-zone untrust to-zone trust
del policy companyserver1-access match source-address any destination-address [ companyserver1 ] application any
del policy companyserver1-access then permit
exit

edit security nat destination
del pool dst-nat-pool-1 address y.y.y.y port 443
del rule-set rs1 from zone untrust
del rule-set rs1 rule r1 match destination-address x.x.x.x
del rule-set rs1 rule r1 match destination-port 443
del rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
exit

edit security nat
del proxy-arp interface ge-0/0/0.0 address x.x.x.x
exit

edit security nat destination
del pool companyserver1-dst-nat-pool-1 address y.y.y.y port 1110
del rule-set rs1 from zone untrust
del rule-set rs1 rule r2 match destination-address x.x.x.x
del rule-set rs1 rule r2 match destination-port 1110
del rule-set rs1 rule r2 then destination-nat pool companyserver1-dst-nat-pool-1

commit
Viewing all 17645 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>