I'm moving from an SRX240 to an SRX340.
Since the configuration file is fairly large, I'd like to preserve as much as possible of it.
I'm getting lots of errors at Commit.
Some are: "reserved identifier".
I'm a bit stuck as to how to proceed as the error messages sure aren't like a debugger. I can't even find the first offending line!!
What should I be doing? How might one proceed?
Thank you for the help.
Hello Guys,
I have set up an SRX on a stick, with vlan tagging and subinterfaces representing VLAN 10 -SERVERS, VLAN 20 - FINANCE and VLAN 30 -IT and their corresponding IP's configured on the Reth interface connected to a Cisco switch. Using firewall policies I need to allow access to the SERVER VLAN from both IT VLAN and FINANCE VLAN, but prevent traffic to the IT VLAN from the FINANCE VLAN, finally permit internet access to all VLANS.
Thanks
There was a major change in how layer 2 configurations are done with the SRX and EX last year. Try running your existing configuration through the translator here and see if it is able to recognize what would need to change.
https://www.juniper.net/customers/support/configtools/elstranslator/
Hi Swati,
As updated earlier, SPC cards are not hot swapable and hence you need to shut down the devise and then install the card.
reboot the devise and thats done.
No other pre-requisite for the activity.
regards,
Guru Prasad
Hi spuluka,
Thank you for your response. In my case, we still have VPN site to site which local is just like a subnet of remote ip range.
it works in my configuration with draytek and ssg20 as well. Now we change to SRX. 
Thanks! the links have all the info i need.
Hello- i have a SRX installed as a head-end device and there are many remote devices that have GRE tunnels setup to it. Now we need to support clients that will have dynamic address assigned to the extenal interfaces from a say /16. Is there a way to allow these devices to create tunnels to the headend device by allowing that /16? i know MX routers allows this with contrail hosts creating dynamic tunnels..
thanks
Hi
Juniper vSRX supports dynamic GRE starting from Junos 12.1X47. Not sure about your hardware model though. The support is similar to one on MX. So you need a BGP route with next-hop from a particular subnet - then it builds a GRE tunnel. For example configs see this thread:
https://forums.juniper.net/t5/Routing/Dymanic-GRE-Tunnel-VPN/td-p/92212
Having said that, I'm not sure if you can apply the feature to your use case.
Hardware is SRX340...i will give it a shot.
Having trouble with this VPN, config is attached. IKE appears to be up along with IPSEC:
show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 5592930 UP 4502a0161874bf61 d769db9a07cc0dc9 Main 6.1.1.85 show security ipsec security-associations Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway <131073 ESP:aes-256/sha256 5d58a0a5 129/ unlim - root 500 6.1.1.85>131073 ESP:aes-256/sha256 4ae220aa 129/ unlim - root 500 6.1.1.85<131073 ESP:aes-256/sha256 c8378713 1557/ unlim - root 500 6.1.1.85>131073 ESP:aes-256/sha256 4ae220ad 1557/ unlim - root 500 6.1.1.85
Cannot ping across the tunnel from the local address 10.24.12.118 to the peer address 10.24.12.117 nor can we access resources on the other side.
Traffic to the peer address appears to be egressing the interface created for the vpn st0.0:
show route 10.24.12.117
inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
10.24.12.116/30 *[Direct/0] 02:10:51
> via st0.0
ISP1.inet.0: 15 destinations, 16 routes (14 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
10.24.12.116/30 *[Direct/0] 02:10:51
> via st0.0
ISP2.inet.0: 13 destinations, 14 routes (12 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
10.24.12.116/30 *[Direct/0] 02:10:51
> via st0.0
SERVER-Traffic.inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
10.24.12.116/30 *[Direct/0] 02:10:51
> via st0.0Any help is greatly appreciated.
Hi,
The other peer is SRX as well ?
Try to open two sessions to the SRX , on one run ping to 10.24.12.117 , the second one run the 'show security flow sesssion destination-prefex 10.24.12.117' and attach the output . If the other side is SRX also , run the same command as well .
Run the 'show route' on the other side .
Hi,
Please share the output of the show security flow session destination-prefix 10.24.12.117
also on the other side run the same command for the destination ip.
Show route output from the other side as well and also check the outputs of the below command on both the sides to see if the encryption and decryption are incrementing.
show security ipsec statistic index 131073.
if the other side is also an SRX then check the index number ofr this tunnel and then run the same command and replace the index number with the one that you see on the other side.
this will tell us wether there is increment in encryption and decryptions happening on both the sides.
regards,
Guru Prasad
Other side is not a SRX. We do have other SRXs successfully connected and passing traffic to other firewall.
When they ping .118 from .117 I do not see the traffic show up.
ping source 10.12.12.118 10.24.12.117 monitor traffic interface st0.0 size 1500 13:05:20.272371 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 0, length 64 13:05:21.283020 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 1, length 64 13:05:22.293573 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 2, length 64 13:05:23.304082 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 3, length 64
With the manner our routing and access lists are setup. Do you see any reason incoming traffic over the VPN would be blocked or sent to another elsewhere?
Hi,
Which vendor is the remote side. you should be able to see the Ipsec statistics somehow on that.
please check the route back on the remote devise.
flow session on the devise will also tell us whether the packet is received or not.
regards,
Guru Prasad
show security ipsec statistics index 131073 ESP Statistics: Encrypted bytes: 406024 Decrypted bytes: 0 Encrypted packets: 2999 Decrypted packets: 0 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0
show security flow session destination-prefix 10.24.12.117
Session ID: 8471, Policy name: self-traffic-policy/1, Timeout: 60, Valid
In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp, If: st0.0, Pkts: 0, Bytes: 0
show security flow session session-identifier 8471
Session ID: 8471, Status: Normal
Flag: 0x40
Policy name: self-traffic-policy/1
Source NAT pool: Null
Maximum timeout: 60, Current timeout: 30
Session State: Valid
Start time: 11422631, Duration: 30
In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp,
Interface: .local..0,
Session token: 0x2, Flag: 0x0x31
Route: 0x580722, Gateway: 10.24.12.118, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp,
Interface: st0.0,
Session token: 0x9, Flag: 0x0x20
Route: 0x200010, Gateway: 10.24.12.116, Tunnel: 537001985
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 0, Bytes: 0
Total sessions: 1Only time I see sessions is when I send pings across the tunnel.
Hi,
The first thing that you need to configure is the local identity of the devise in the Ike gateway since you are doing NAT on another devise.
set security ike gateway IKE-GATEWAY local-identity inet 192.168.1.5
regards,
Guru Prasad
Hi,
From the output it is clear that the SRX is continuously encrypting the packets and is not receiving any reply from the remote side.
Please check on the remote side as well and the ipsec statistics for the same and you should be seeing decryption continuosly increasing.
if its a cisco devise, you can run the command
show crypto ipsec sa (peer address)
regards,
Guru Prasad
Do you see anything in our config that would be causing this?