Will the current memory impact services?
In the system storage status in this output, which filesystem needs to be checked from a service perspective?
Hi Swati,
These two are the main folders used on the device.
/cf 891M 576M 243M 70% /junos/cf
/var/log 12G 615M 10G 6% /jail/var/log
I can see enough space in them for the device to function properly.
However, as mentioned in my previous update, if you are planning to upgrade the device then you need to free up space in the directory below.
/cf 891M 576M 243M 70% /junos/cf
The latest image requires 260 MB of space; however, you only have about 243 MB free.
Other than that I do not think there are any issues.
Regards,
Guru Prasad
Hi Swati,
The SPC cards are not hot-swappable, and hence you need to halt the device and then install the card into the desired slot.
Once the card is installed, reboot the device and it's done.
By adding the SPC card you are not decreasing the session utilization; rather, you are increasing the number of sessions the device can have.
So it will ease the load on the SPC which was there earlier and will start load-balancing the sessions between multiple SPCs in the device.
Regards,
Guru Prasad
I'm new to Juniper and learning the OS and devices, as we have an SRX 240 cluster and need to monitor some interfaces with our network monitoring software (SolarWinds). Given our configuration below, do we monitor the reth5 or the reth5.0 interface?
Thanks for any help.
set interfaces ge-0/0/5 gigether-options redundant-parent reth5
set interfaces ge-5/0/5 gigether-options redundant-parent reth5
set interfaces reth5 description **Core_Switch_UPLINK**
set interfaces reth5 redundant-ether-options redundancy-group 1
set interfaces reth5 unit 0 family inet sampling input
set interfaces reth5 unit 0 family inet sampling output
set interfaces reth5 unit 0 family inet address 10.176.0.1/24
reth5 up up
reth5.0 up up inet 10.176.0.1/24
Hi,
You are missing this part:
set forwarding-options sampling input rate 1000
set forwarding-options sampling family inet output flow-server solarwinds-ip port 2055
set forwarding-options sampling family inet output flow-server solarwinds-ip source-address source-ip
set forwarding-options sampling family inet output flow-server solarwinds-ip version 5
Regards.
Abdellah:
We have that in our config but I didn't include it in my post. My question is: with SolarWinds you have to select in their software which interfaces to monitor. Do I place the sampling commands on interface reth5 or reth5.0, as both show as up in SolarWinds? This helps decide which interface to select in SolarWinds.
Thanks again.
Jeff
Thank you very much Matt.
Regards,
Marcelo.
Hello,
I'm new to the forums so excuse me if my information is wrong or I sound 'dumb'.
I've recently got my hands on an SRX210-HM and I've decided it would be a good idea to use it as the new business router for security reasons; however my ISP doesn't support internal network problems, so I'm left to ask the forums some pretty dumb questions.
The question is pretty simple: my ISP will only provide me a PPPoE username and password. Unfortunately I'm not very familiar with the SRX's PPPoE interface, so I'm not sure where the information goes and whether it's even enough to use the gateway.
Thanks FileFinish180
Hi,
Please see the configuration example for PPPoE on SRX:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB15736&actp=METADATA
Cheers,
Ashvin
Is the firewall the only router at the spoke site, or are there more networking devices downstream?
Is this behavior consistent or intermittent?
The data is showing a packet encrypted and sent from the hub to the spoke with no reply coming back from the spoke device. We need to confirm:
The packets are delivered to the end device
And the replies can route back to the firewall for encryption and return
So the steps above verify you have the active route to the tunnel interface, so if the packet is seen it will get forwarded.
It verifies you have a policy to permit the traffic.
If there are layer 3 devices between the firewall and the device, we need to confirm symmetrical routing back to the firewall.
Perhaps a packet capture on the device will also verify ultimate delivery of all the packets and the replies being sent.
Hi all experts,
I am having a pair of clusters, one of SRX5400 and one of SRX3600. I want to connect these two clusters together. My goal is to ensure the following:
1. In case the primary node of cluster-1 fails, there should be no effect on cluster-2.
2. In case the primary node of cluster-2 fails, there should be no effect on cluster-1.
3. Services should be running smoothly without any disruption and without the need for any human intervention for provision of services after failover. The logical scenario is attached as a JPEG.
Please recommend how to connect these two clusters:
How many reths will be required?
How many interfaces in each reth?
And will I have to use LACP?
Can I connect them directly, or do I need a switch in between to connect them together?
Thanks in anticipation
Thanks Spuluka. Maybe I found a way to troubleshoot by restarting the tunnel. When I restart the tunnel on the hub (restart ipsec-key-management), after a few minutes all VPN connections are up. But the problem is that only one spoke can ping the hub (and the others); on the other spokes I must execute the commands below to pass traffic through:
ping ip-local-hub source ip-local-spoke
restart ipsec-key-management
If I only execute the restart ipsec-key-management command then traffic does not pass through.
Anyway, traffic is not stable; sometimes I must repeat the commands above. Maybe because the spokes use dynamic IPs?
Thank you very much,
Could you post the configuration and the error you get!
You need to use the logical interface reth5.0.
Hi,
Try adding this command:
set security zones security-zone WAN interfaces st0.13 host-inbound-traffic system-services ike
or delete this:
set security zones security-zone WAN interfaces st0.13 host-inbound-traffic system-services
and commit.
From the article https://tools.ietf.org/html/rfc2409
I understood that in phase 1 HMAC is used as the PRF to derive keys from the DH session key. Please, I need someone to correct my understanding.
1. Nonces + pre-shared key result in a seed which helps derive other keys? Is this correct?
2. DH session key + seed (nonces + pre-shared key) + both cookies + a number result in 3 derived keys (encryption, authentication, derivative key)? Is this correct?
* Messages 5 and 6 are used to authenticate the DH exchange and prove the derived keys are identical by:
3. Identity hash = ID (encrypted by the derived encryption key) + HASH(ID + pre-shared key + other values), where the other values are: nonces + DH session key + cookies. Is this correct?
----
If the above details are correct, and I hope so, I have two last questions:
HMAC requires an input (or message) + input key material. So:
1. When HMAC is used to generate the 3 derived keys, and when HMAC is used in messages 5 and 6, how are the above parameters entered as input and input key?
2. Is the derived authentication key (SKEYID_a) used in messages 5 and 6?
I'm sorry for bothering you but I really need answers to these questions as they are causing me a headache.
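The Phase 1 derivation the questions above ask about, as an added example that is not part of this thread: HMAC-SHA1 as the PRF, the pre-shared-key form of SKEYID, the chained SKEYID_d/SKEYID_a/SKEYID_e, and HASH_I/HASH_R from messages 5 and 6, all as RFC 2409 section 5 specifies them. SHA-1 as the negotiated hash and every nonce, cookie, DH value and ID body are constructed sample values, and `responder_accepts` is a hypothetical check showing that a responder holding a different pre-shared key derives a different SKEYID and so cannot verify the initiator's HASH_I.

```python
import hashlib
import hmac

# RFC 2409 section 5: the PRF is HMAC keyed with the negotiated hash. SHA-1 is
# assumed here to match a common IKEv1 proposal; all inputs are constructed samples.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # Pre-shared-key authentication: the PSK is the HMAC key and the two nonce
    # bodies are the message ("SKEYID = prf(pre-shared-key, Ni_b | Nr_b)").
    return prf(psk, ni_b + nr_b)

def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    # Each keying material chains on the previous one; the trailing byte is the
    # single octet 0, 1 or 2 from the RFC, not an ASCII digit.
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # derivative key
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authentication key
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encryption key material
    return skeyid_d, skeyid_a, skeyid_e

def auth_hashes(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b, idir_b):
    # HASH_I / HASH_R (messages 5 and 6) are keyed with SKEYID itself, not SKEYID_a;
    # the ID payload body is part of the hashed message, not of the key.
    hash_i = prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)
    hash_r = prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)
    return hash_i, hash_r

# Constructed sample values standing in for the real protocol fields.
SAMPLE = dict(
    ni_b=bytes(range(16)), nr_b=bytes(range(16, 32)),          # nonce payload bodies
    gxi=b"\x11" * 32, gxr=b"\x22" * 32, gxy=b"\x33" * 32,      # DH public values and shared secret
    cky_i=b"\xaa" * 8, cky_r=b"\xbb" * 8,                      # ISAKMP cookies from the header
    sai_b=b"\x00\x00\x00\x01\x00\x00\x00\x01",                 # initiator SA payload body
    idii_b=b"\x01\x00\x00\x00\x0a\x00\x00\x01",                # ID_IPV4_ADDR 10.0.0.1
    idir_b=b"\x01\x00\x00\x00\x0a\x00\x00\x02",                # ID_IPV4_ADDR 10.0.0.2
)

def responder_accepts(initiator_psk: bytes, responder_psk: bytes) -> bool:
    """Hypothetical check: each side derives SKEYID from its own PSK; HASH_I only verifies if they match."""
    s = SAMPLE
    hi_sent, _ = auth_hashes(skeyid_psk(initiator_psk, s["ni_b"], s["nr_b"]), s["gxi"], s["gxr"],
                             s["cky_i"], s["cky_r"], s["sai_b"], s["idii_b"], s["idir_b"])
    hi_expected, _ = auth_hashes(skeyid_psk(responder_psk, s["ni_b"], s["nr_b"]), s["gxi"], s["gxr"],
                                 s["cky_i"], s["cky_r"], s["sai_b"], s["idii_b"], s["idir_b"])
    return hmac.compare_digest(hi_sent, hi_expected)

if __name__ == "__main__":
    print(responder_accepts(b"shared-secret", b"shared-secret"))  # True
    print(responder_accepts(b"shared-secret", b"wrong-secret"))   # False
```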
Maybe if you add VPN monitor to the affected site it would help. This tests the VPN and keeps it up even when there is no local traffic.
Set this up with a ping from your local LAN gateway interface on the remote side as the source and a reachable IP address gateway on the tunnel as the destination.
set security ipsec vpn NAME vpn-monitor source-interface vlan.0 destination-ip 192.168.10.1 optimized
Web UI article:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB10119
These networks are overlapping: the local segment you declare is also inside the remote segment. This is not a valid configuration.
proxy-identity {
local 10.32.197.64/28;
remote 10.0.0.0/8;
}
Well, connecting two sets of firewalls directly in line as your diagram indicates would be unusual, so there is no direct example for you to reference.
You can use this example of connecting the EX9200 to an SRX cluster as a starting point. Consider the dual EX9200 to be your second SRX cluster. Basically, you do not connect the reths on both sides to each other because in some failover scenarios it might not be recognized. By creating the dual set of LAGs as drawn you are then covered for all points of failure.
You should probably start by upgrading your Junos to the latest version. There is spotty support for dynamic VPN with the SRX300 series and this was added in sections through the early release cycles. So just upgrading may fix the issue with your current configuration.
This shows the setup for pools and local auth if the upgrade does not work.
Or you could consider going to SSL VPN that is now supported in the latest release.