Channel: All SRX Services Gateway posts

Re: IKE phase 1


Hi Ahmed,

The SRX is establishing a tunnel with a different device, let's say an ASA, where

Lan-- SRX(2.2.2.2) ge-0/0/0----> Internet---> ge-0/0/0 (1.1.1.1)ASA-- LAN

Here you have a loopback interface with IP address 2.2.2.3/32 and you want to use the 2.2.2.3 IP to bring the tunnel up.

In the ASA the peer address would be 2.2.2.3, and on the SRX your external interface would be ge-0/0/0; however, under the gateway parameters you will configure the local-address as 2.2.2.3, otherwise the SRX will use the IP address of the external interface to initiate the traffic or to respond to the traffic.

No other configuration is required; however, one thing to remember is that the loopback IP should be reachable from the ASA, otherwise the initiation packet would never reach the device.

This setup is useful when you have multiple ISPs and you want to bring the tunnel up when any of the ISPs is up.

Hope this helps you in understanding.

 

 

regards,

Guru Prasad
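The loopback scenario described in the reply above, written out as Junos set commands. This is an added example, not configuration from the original post: the addresses 1.1.1.1 (ASA), 2.2.2.2 (ge-0/0/0) and 2.2.2.3 (lo0) are the ones used in the post, while the /30 mask, the zone and object names (untrust, asa-gw, asa-ike-policy, asa-ipsec-policy, asa-vpn) and the st0 unit are assumptions, and the IKE/IPsec proposal and policy definitions are left out.

```junos
# Added example, not from the original post: the loopback-as-tunnel-endpoint
# setup as Junos set commands. 1.1.1.1, 2.2.2.2 and 2.2.2.3 come from the post;
# the /30 mask, the names untrust, asa-gw, asa-ike-policy, asa-ipsec-policy and
# asa-vpn, and the st0 unit are assumptions. Proposal/policy definitions omitted.

# The uplink keeps its own address; the loopback carries the tunnel endpoint.
set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.2/30
set interfaces lo0 unit 0 family inet address 2.2.2.3/32
set interfaces st0 unit 0 family inet

# Both interfaces are placed in the untrust zone, and that zone must accept IKE,
# otherwise the ASA's first packet is dropped before kmd ever sees it.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# The gateway: packets still leave through ge-0/0/0 (external-interface), but
# IKE is sourced from 2.2.2.3 (local-address), which is the peer address the
# ASA is configured with. Without local-address the SRX sources IKE from
# 2.2.2.2 and the ASA never matches it against its peer entry.
set security ike gateway asa-gw ike-policy asa-ike-policy
set security ike gateway asa-gw address 1.1.1.1
set security ike gateway asa-gw external-interface ge-0/0/0
set security ike gateway asa-gw local-address 2.2.2.3

# Route-based VPN bound to st0.0 so remote prefixes can be routed into the tunnel.
set security ipsec vpn asa-vpn bind-interface st0.0
set security ipsec vpn asa-vpn ike gateway asa-gw
set security ipsec vpn asa-vpn ike ipsec-policy asa-ipsec-policy

# The reachability caveat from the post: 2.2.2.3/32 must be routable from the
# ASA's side, or the initiation packet never arrives. Check after commit with:
#   run show security ike sa
#   run show security ipsec sa
```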

 

 


Re: NAT Limits on SRX (preferrably 300 series)


Hi Nooto,

 

Just checked on the SRX320 box and it is not allowing more than 1024.

Here is the error that I got.

 

 

root# commit check
[edit security nat source]
  'pool'
    Source NAT pools contain too many addresses (Current: 2560 > Capacity: 1024)
error: nat-pat-address quota exceeded (usage 2560 > max 1024)
error: configuration check-out failed

[edit]
root# run show version
Model: srx320-poe
Junos: 15.1X49-D70
JUNOS Software Release [15.1X49-D70]

 

 

regards,

Guru Prasad

 

Re: IKE phase 1


Thanks Guru,

This is my first time to know about the local IP configured under the IKE gateway, and now I understand it...

But would you please give an extra explanation of how this benefits when connecting to multiple SPs?

I thought the best practice when connecting to multiple SPs is to use the lo interface as the external interface, so when the physical interface facing one SP goes down I don't have to manually specify the other physical interface facing the other SP.

All traffic logging on SRX3600


Hi all,

 

Please advise how to log all traffic information (source and destination IP addresses, ports, Pkts, Bytes, date, time) passing SRX3600.

If I configure J-Flow with rate 1, it will be CPU intensive and slow down performance.

Are there other ways?

 

Thanks

  

Some IP's route through tunnel other's Don't


I have an existing VPN which traffic passes through just fine.

I need to add a few more IPs, on the same remote subnet, to route through this tunnel.

While I can ping the original 10.16.199.49/32, I cannot ping a newly added IP, 10.16.199.82/32.

I did add the new routes directly into the config via J-Web, if that makes a difference.

Here's what I did:

Added the static routes pointing to the correct interface; they all show up in "show route" and look good.

Next, added the new IPs to the correct zone policies. Committed all, but still can't ping the new IPs.

Basically did what I did for the original IPs that do ping.

I keep thinking I'm missing a step, but for the life of me I don't see what it could be.

I am using a simple static NAT rule, but that shouldn't be the issue, and as I said the original IPs connect through just fine.

 

route 10.16.199.53/32 next-hop st0.2; current and pings through
route 10.16.199.51/32 next-hop st0.2; current and pings through
route 10.16.199.49/32 next-hop st0.2; current and pings through
route 10.16.199.39/32 next-hop st0.2; current and pings through
route 10.16.199.181/32 next-hop st0.2; current and pings through
route 10.16.199.82/32 next-hop st0.2; new and doesn't ping
route 10.16.199.204/32 next-hop st0.2; new and doesn't ping
route 10.16.199.205/32 next-hop st0.2; new and doesn't ping
route 10.16.199.92/32 next-hop st0.2; new and doesn't ping
route 10.16.199.93/32 next-hop st0.2; new and doesn't ping

 

Policy

 

policy policy_out_remote {
    match {
        source-address INT;
        destination-address [ addr_10_16_199_53 addr_10_16_199_51 addr_10_16_199_49 addr_10_16_199_39 vpn addr_10_16_199_181 addr_10_16_199_82 10_16_199_92 10_16_199_93 10_16_199_204 10_16_199_205 ];
        application any;
    }
    then {
        permit;
    }
}

 

Same for policy_in

 

Thanks in advance

IKE gateway configuration lookup failed during negotiation


Hi, I am following exactly the steps to configure redundant IKE gateway:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB29211

 

When I deactivate the active gateway, the SRX-300 running 15.1 code fails to negotiate IKE with the standby IKE gateway:

 

kmd[5592]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local:1.1.1.2/500, Remote: 3.3.3.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

 

There is zero information about "IKE gateway configuration lookup failed during negotiation". If I remove the primary IKE gateway, the IPsec negotiation succeeds without problem, so there is no issue with the configuration itself. What could be the problem?

 

Re: SRX320 Issue Connecting to AWS Direct Connect VLAN Tagging


So I managed to contact my provider. Apparently they're doing a VLAN-ID translation on their end to Amazon's VLAN-ID, whereas I needed to connect using their VLAN-ID, which they provided me with afterwards, and not the VLAN-ID supplied by the AWS Direct Connect VIF.

In summary, all I had to do was change the vlan-id to reference my provider's VLAN-ID; all the other settings remained the same.

Also, once I had gotten the BGP session up, I also had to make sure that my source NAT rule set from my internal interface (ge-0/0/2) to my Direct Connect interface (ge-0/0/0.xx) performed "No Source NAT" (of course this is based on the zones applied to those interfaces). This basically allowed me to communicate with my VPC subnets afterwards.

Thanks so much for your help @synackray

Re: SRX320 Issue Connecting to AWS Direct Connect VLAN Tagging


abrouet,

 

Thanks for the kind words. I'm so glad to hear you were able to work it out! Have a great week.


Re: NAT Limits on SRX (preferrably 300 series)


Hello,

Glad that you found the doc and shared it. I was trying to find this only.

Re: IKE gateway configuration lookup failed during negotiation


Hello,

Can you share your configuration? Also, can you collect the following information when you disable the primary IKE address:

> show security ike sa

> show security ipsec sa

> show security ipsec inactive-tunnels

Also, instead of deactivating the primary IP address, can you stall the connection to the primary IP address (like bringing down the peer's primary IP address) so that DPD will detect it to be down and will bring up the secondary? It's possible that the DPD is not failing to switch it over to the secondary IP when we disable it (may be a bug).

Also make sure to wait till the DPD fails.

 

 

Re: Some IP's route through tunnel other's Don't


Hello,

Have you added the policy for these new IPs to the peer device also? When pinging, can you collect the flow session details:

> show security flow session source-prefix <source IP> destination-prefix <dst IP> protocol icmp

Re: 2xVPN and policy routing


Hello,

Instance-type forwarding will only work one way; the reverse will not hit the filter, i.e. from 10.10.10.2 to 10.10.20.2 it will never hit the filter and goes and checks the route for INET.

So you need to add the routes accordingly.

 

 

 

Re: All traffic logging on SRX3600


Thanks for the reply,

I have configured two flow-servers, but during commit it returned:

Can't configure inline output with more than one V9 collector configured

Can I configure more than one flow-server on SRX?

 

 

Re: cisco asa to juniper srx vpn site to site not working !!!!


OK, I finally figured out how to work with the Cisco ASA, and thanks to everyone who helped me with it.

This is a diagram of the tunnel between the two sites, and I figured out that another company had a Juniper SRX with a traffic selector with the same name as I used before ("traffic-selector "t2""), so I changed the name of the traffic selector to "traffic-selector "m2"" and it worked like magic. Here is the full configuration:

 

 

set system host-name site-X
set system root-authentication encrypted-password "XXXX"
set system services ssh root-login allow
set system services ssh protocol-version v2
set system services telnet
set system services web-management https system-generated-certificate
set system syslog archive
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
set interfaces ge-0/0/0 unit 0 family inet address X.X.111.38/29
set interfaces ge-0/0/1 unit 0 family inet address A.A.30.1/24
set interfaces lo0 unit 0 family inet address A.A.30.2/24
set interfaces st0 unit 0 family inet
set routing-options static route B.B.67.206/32 next-hop st0.0
set routing-options static route B.B.67.201/32 next-hop st0.0
set routing-options static route B.B.67.202/32 next-hop st0.0
set routing-options static route B.B.67.207/32 next-hop st0.0
set routing-options static route B.B.67.210/32 next-hop st0.0
set routing-options static route B.B.67.211/32 next-hop st0.0
set routing-options static route B.B.67.214/32 next-hop st0.0
set routing-options static route B.B.67.221/32 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop X.X.111.33
set security ike proposal site-X-ike-proposal authentication-method pre-shared-keys
set security ike proposal site-X-ike-proposal dh-group group2
set security ike proposal site-X-ike-proposal authentication-algorithm sha1
set security ike proposal site-X-ike-proposal encryption-algorithm aes-256-cbc
set security ike proposal site-X-ike-proposal lifetime-seconds 86400
set security ike policy site-X-ike-policy mode main
set security ike policy site-X-ike-policy proposals site-X-ike-proposal
set security ike policy site-X-ike-policy pre-shared-key ascii-text XXXX
set security ike gateway site-X-ike-gateway ike-policy site-X-ike-policy
set security ike gateway site-X-ike-gateway address Z.Z.219.2
set security ike gateway site-X-ike-gateway dead-peer-detection interval 10
set security ike gateway site-X-ike-gateway dead-peer-detection threshold 5
set security ike gateway site-X-ike-gateway external-interface ge-0/0/0
set security ipsec proposal site-X-ipsec-propsal protocol esp
set security ipsec proposal site-X-ipsec-propsal authentication-algorithm hmac-sha1-96
set security ipsec proposal site-X-ipsec-propsal encryption-algorithm 3des-cbc
set security ipsec proposal site-X-ipsec-propsal lifetime-seconds 3600
set security ipsec policy site-X-ipsec-policy proposals site-X-ipsec-propsal
set security ipsec vpn site-X-ipsec-vpn bind-interface st0.0
set security ipsec vpn site-X-ipsec-vpn df-bit clear
set security ipsec vpn site-X-ipsec-vpn ike gateway site-X-ike-gateway
set security ipsec vpn site-X-ipsec-vpn ike ipsec-policy site-X-ipsec-policy
set security ipsec vpn site-X-ipsec-vpn traffic-selector m1 local-ip A.A.30.0/24
set security ipsec vpn site-X-ipsec-vpn traffic-selector m1 remote-ip B.B.67.206/32
set security ipsec vpn site-X-ipsec-vpn traffic-selector m2 local-ip A.A.30.0/24
set security ipsec vpn site-X-ipsec-vpn traffic-selector m2 remote-ip B.B.67.207/32
set security ipsec vpn site-X-ipsec-vpn traffic-selector m4 local-ip A.A.30.0/24
set security ipsec vpn site-X-ipsec-vpn traffic-selector m4 remote-ip B.B.67.214/32
set security ipsec vpn site-X-ipsec-vpn traffic-selector m5 local-ip A.A.30.0/24
set security ipsec vpn site-X-ipsec-vpn traffic-selector m5 remote-ip B.B.67.201/32
set security ipsec vpn site-X-ipsec-vpn traffic-selector m6 local-ip A.A.30.0/24
set security ipsec vpn site-X-ipsec-vpn traffic-selector m6 remote-ip B.B.67.202/32
set security ipsec vpn site-X-ipsec-vpn traffic-selector m7 local-ip A.A.30.0/24
set security ipsec vpn site-X-ipsec-vpn traffic-selector m7 remote-ip B.B.67.210/32
set security ipsec vpn site-X-ipsec-vpn traffic-selector m8 local-ip A.A.30.0/24
set security ipsec vpn site-X-ipsec-vpn traffic-selector m8 remote-ip B.B.67.211/32
set security ipsec vpn site-X-ipsec-vpn establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.0

Thanks again for your help.


ERROR: No valid DIMMs detected on any DDR interface


Hello everyone

I have an SRX240 and when I turn it on I get the following message repeatedly; the equipment restarts with the same message.

 

U-Boot 1.1.6-JNPR-2.6 (Build time: Aug  8 2013 - 20:07:50)

ERROR: No valid DIMMs detected on any DDR interface.!!!
Measured DDR clock 0.00 MHz
SRX_240H2 board revision major:2, minor:10, serial #: ACLM5636
OCTEON CN5230R-SCP pass 2.0, Core clock: 600 MHz, DDR clock: 0 MHz (0 Mhz data rate)
 hanging, init func: 8
### ERROR ### Please RESET the board ###

U-Boot 1.1.6-JNPR-2.6 (Build time: Aug  8 2013 - 20:07:50)

ERROR: No valid DIMMs detected on any DDR interface.!!!
Measured DDR clock 0.00 MHz
SRX_240H2 board revision major:2, minor:10, serial #: ACLM5636
OCTEON CN5230R-SCP pass 2.0, Core clock: 600 MHz, DDR clock: 0 MHz (0 Mhz data rate)
 hanging, init func: 8
### ERROR ### Please RESET the board ###


I do not have the equipment under warranty, and after checking whether it has a memory module inside I have not been able to find out; the slot is empty.
Does anyone know how I could fix it? Does it need a memory module?
Thank you very much in advance.

Regards

SRX300 - Unusable browsing performance


Hi

I have just acquired a SRX300 for my home office.

 

I am not a network engineer, or a systems administrator, if I scan a generated configuration, the errors don't leap out at me.

 

I do not have my licence details, yet (it seems that the goose-boy hasn't been out to pluck a quill from which the keeper of the pen-knife can fashion a nib to hand to the clerk of chancery that then issues the parchment upon which is scribed the required information), so I have no idea what is going on in my device as far as AV/anti-malware etc are concerned, and cannot upgrade software and firmware.

 

I have had great difficulty creating a configuration (through J-Web) that is usable. Some of the time the generated configuration was not committed.

 

In order to eliminate as much noise as possible from what was occurring, I decided to set up an internet zone, an internal zone, and two other zones for later testing. For the purposes of testing I configured the communication between the Internal Zone and the Internet Zone to allow everything through in both directions, and enabled ping, dhcp, http, https, ssh and telnet; I even disabled HTTPS Everywhere.

 

This morning, after resetting the SRX I built a configuration that was initially rejected when I tried to commit it, but I resubmitted it, without change, and it was accepted. For about 40 minutes, everything appeared to work; briefly, even the link between Outlook and the remote Exchange server was functioning. I could synch files with my remote OneDrive. But gradually, everything became so slow it became unusable.

 

I did check that ping performance was acceptable, both from a connected workstation, and from the SRX300 itself, even when browsing was not possible. I gracefully rebooted the SRX and the workstation but to no avail. I did notice that some websites loaded before I finished a mug of coffee, but the spinner on the tab usually continued spinning. Meraki, strangely, loaded comparatively quickly, Juniper did not.

 

I connect to a FTTC VDSL2 service from BT (Infinity 2) 80/20. I use a Vigor 130 modem configured for PPPoE in Bridging mode (suggested by Draytek for BT connections with multicast). I am uncertain as to what the MTU should be as far as the SRX is concerned, I leave it at 1492, for now.

 

The browsing performance, and the inability to connect to the Exchange Server, mean that the SRX is not currently usable. Unfortunately, I do not have the knowledge to put my finger on the problem, although I have bought what feels like half the Morgan Library and a new packet of highlighters. Any suggestions welcome. I have a copy of the configuration if required.

 

The above is the long version of HELP ;-((

Re: SRX300 - Unusable browsing performance


Hi there,

 

You might want to try lowering the TCP-MSS on the SRX. 

 

user@srx# set security flow tcp-mss all-tcp mss 1350

Re: SRX300 - Unusable browsing performance


MMcD wrote:

Hi there,

 

You might want to try lowering the TCP-MSS on the SRX. 

 

user@srx# set security flow tcp-mss all-tcp mss 1350

Before setting tcp-mss all-tcp mss to 1350, I checked what the existing value was; it was not set at all. So, presumably it is whatever the default is for BSD?

 

The good news is that setting this value to 1350 made browsing acceptable, and the link to the Exchange Server is viable.

 

Unfortunately, it is not all good news.

 

I went into YouTube and played a 1080p@60fps video. well it wasn't a video, it was an audio with an unchanging video frame. I switched back to the old ISP supplied router and it played 1080p@60fps.

 

Unfortunately I have a requirement to run 2160p@60fps.

 

Before diving in to learn how to address this problem, I discovered that with MSS set to 1350 only 480p gives smooth video playback, which isn't going to fly. Whilst researching, I came across this article. IP MTU and TCP MSS Missmatch

 

I quickly looked at the parms for my laptop ethernet card, couldn't find MSS, but I did find default Win 10 information.

 

I guess I need to find out what value BT/Openreach regard as an acceptable maximum; I'm not optimistic about discovering this value. However, the BT-TV UHD Sports channel functions without any issues when I connect the playout device to the old BT Home Hub. BT-TV is multicast. The non-(U)HD test channel can be checked using VLC media player and selecting the video stream at rtp://234.81.130.4:5802.

 

This cannot be difficult if giveaway ISP-grade kit can hack it, but I'm prepared to believe that it may take some digging.

 

A big thank-you to MMcD.

 

R+C

 

 

Default 2 AX411APs lost after Junos installation


Hi,

This happened after a software failure: we couldn't reinstall Junos using either the loader or U-Boot; the only method that fixed the issue was creating a USB snapshot from another SRX 210.
This SRX 210 came with a 2-AP license; it vanished after this accident.
How can I re-download these licenses?

Thanks
