Channel: All SRX Services Gateway posts

SRX240 to SRX340 conversion


I'm moving from an SRX240 to an SRX340.

Since the configuration file is fairly large, I'd like to preserve as much as possible of it.

I'm getting lots of errors at commit.

Some are: "reserved identifier".

I'm a bit stuck as to how to proceed, as the error messages sure aren't like a debugger. I can't even find the first offending line!

What should I be doing? How might one proceed?


Re: SRX Cluster Interface for NM

FILTERING VLAN BASED TRAFFIC ON SRX 550 CLUSTER


Hello Guys,

I have set up an SRX on a stick, with VLAN tagging and subinterfaces representing VLAN 10 (SERVERS), VLAN 20 (FINANCE) and VLAN 30 (IT) and their corresponding IPs configured on the reth interface connected to a Cisco switch. Using firewall policies I need to allow access to the SERVER VLAN from both the IT VLAN and the FINANCE VLAN, but prevent traffic to the IT VLAN from the FINANCE VLAN, and finally permit internet access to all VLANs.

Thanks

Re: FILTERING VLAN BASED TRAFFIC ON SRX 550 CLUSTER

Re: SRX240 to SRX340 conversion

Re: HIGH SESSION UTILIZATION IN SRX 1400


Hi Swati,

As updated earlier, SPC cards are not hot-swappable and hence you need to shut down the device and then install the card.

Reboot the device and that's done.

No other prerequisite for the activity.

regards,

Guru Prasad

Re: IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE


Hi 

Re: FILTERING VLAN BASED TRAFFIC ON SRX 550 CLUSTER


Thanks! The links have all the info I need.


Dynamic GRE Tunnels


Hello, I have an SRX installed as a head-end device and there are many remote devices that have GRE tunnels set up to it. Now we need to support clients that will have dynamic addresses assigned to their external interfaces from, say, a /16. Is there a way to allow these devices to create tunnels to the head-end device by allowing that /16? I know MX routers allow this with Contrail hosts creating dynamic tunnels.
Thanks

Re: Dynamic GRE Tunnels


Hi

Juniper vSRX supports dynamic GRE starting from Junos 12.1X47. Not sure about your hardware model though. The support is similar to the one on MX. So you need a BGP route with a next hop from a particular subnet, and then it builds a GRE tunnel. For example configs see this thread:

https://forums.juniper.net/t5/Routing/Dymanic-GRE-Tunnel-VPN/td-p/92212

Having said that, I'm not sure if you can apply the feature to your use case.

Re: Dynamic GRE Tunnels


Hardware is SRX340... I will give it a shot.

IPSEC VPN Troubleshooting


Having trouble with this VPN; config is attached. IKE appears to be up along with IPsec:

show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5592930 UP     4502a0161874bf61  d769db9a07cc0dc9  Main           6.1.1.85

show security ipsec security-associations
Total active tunnels: 1
ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
<131073 ESP:aes-256/sha256 5d58a0a5 129/ unlim - root 500   6.1.1.85
>131073 ESP:aes-256/sha256 4ae220aa 129/ unlim - root 500   6.1.1.85
<131073 ESP:aes-256/sha256 c8378713 1557/ unlim - root 500  6.1.1.85
>131073 ESP:aes-256/sha256 4ae220ad 1557/ unlim - root 500  6.1.1.85

Cannot ping across the tunnel from the local address 10.24.12.118 to the peer address 10.24.12.117, nor can we access resources on the other side.

Traffic to the peer address appears to be egressing the interface created for the VPN, st0.0:

show route 10.24.12.117

inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.24.12.116/30  *[Direct/0] 02:10:51
                    > via st0.0

ISP1.inet.0: 15 destinations, 16 routes (14 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.24.12.116/30  *[Direct/0] 02:10:51
                    > via st0.0

ISP2.inet.0: 13 destinations, 14 routes (12 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.24.12.116/30  *[Direct/0] 02:10:51
                    > via st0.0

SERVER-Traffic.inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.24.12.116/30  *[Direct/0] 02:10:51
                    > via st0.0

Any help is greatly appreciated.

Re: IPSEC VPN Troubleshooting


Hi,

Is the other peer an SRX as well?

Try to open two sessions to the SRX; on one, run a ping to 10.24.12.117, and on the second one run 'show security flow session destination-prefix 10.24.12.117' and attach the output. If the other side is an SRX also, run the same command there as well.

Run 'show route' on the other side.

Re: IPSEC VPN Troubleshooting


Hi,

Please share the output of 'show security flow session destination-prefix 10.24.12.117'.

Also, on the other side run the same command for the destination IP.

Share the 'show route' output from the other side as well, and also check the output of the command below on both sides to see if the encryption and decryption counters are incrementing:

show security ipsec statistics index 131073

If the other side is also an SRX, then check the index number for this tunnel and run the same command, replacing the index number with the one that you see on the other side.

This will tell us whether encryption and decryption are incrementing on both sides.

regards,

Guru Prasad

Re: IPSEC VPN Troubleshooting


The other side is not an SRX. We do have other SRXs successfully connected and passing traffic to other firewalls.

When they ping .118 from .117 I do not see the traffic show up.

ping source 10.12.12.118 10.24.12.117

monitor traffic interface st0.0 size 1500

13:05:20.272371 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 0, length 64
13:05:21.283020 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 1, length 64
13:05:22.293573 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 2, length 64
13:05:23.304082 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 3, length 64

With the manner in which our routing and access lists are set up, do you see any reason incoming traffic over the VPN would be blocked or sent elsewhere?


Re: IPSEC VPN Troubleshooting


Hi,

Which vendor is the remote side? You should be able to see the IPsec statistics somehow on that.

Please check the route back on the remote device.

The flow session on the device will also tell us whether the packet is received or not.

regards,

Guru Prasad


Re: IPSEC VPN Troubleshooting


show security ipsec statistics index 131073

ESP Statistics:
  Encrypted bytes:           406024
  Decrypted bytes:                0
  Encrypted packets:           2999
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
show security flow session destination-prefix 10.24.12.117
Session ID: 8471, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp, If: st0.0, Pkts: 0, Bytes: 0

show security flow session session-identifier 8471
Session ID: 8471, Status: Normal
Flag: 0x40
Policy name: self-traffic-policy/1
Source NAT pool: Null
Maximum timeout: 60, Current timeout: 30
Session State: Valid
Start time: 11422631, Duration: 30
   In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp,
    Interface: .local..0,
    Session token: 0x2, Flag: 0x0x31
    Route: 0x580722, Gateway: 10.24.12.118, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 1, Bytes: 84
   Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp,
    Interface: st0.0,
    Session token: 0x9, Flag: 0x0x20
    Route: 0x200010, Gateway: 10.24.12.116, Tunnel: 537001985
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 0, Bytes: 0
Total sessions: 1

The only time I see sessions is when I send pings across the tunnel.


Re: IKE negotiation failed with error: SA unusable - VPN SRX BEHIND NAT DEVICE


Hi,

The first thing that you need to configure is the local identity of the device in the IKE gateway, since you are doing NAT on another device.

set security ike gateway IKE-GATEWAY local-identity inet 192.168.1.5

regards,

Guru Prasad

Re: IPSEC VPN Troubleshooting


Hi,

From the output it is clear that the SRX is continuously encrypting the packets and is not receiving any reply from the remote side.

Please check the IPsec statistics on the remote side as well; you should be seeing decryption continuously increasing there.

If it's a Cisco device, you can run the command

show crypto ipsec sa (peer address)

 

 

regards,

Guru Prasad
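As an added example (not from this thread or from Juniper), a small Python script that automates the reading Guru Prasad gives above: it parses 'show security ipsec statistics' and the brief 'show security flow session' listing, and classifies the tunnel as one-way when the encrypted counter climbs while decrypted stays at zero and the reverse wing of the session carries no packets. The sample outputs embedded below are constructed from the thread's own values.

```python
import re

# Constructed samples modelled on the two outputs quoted in this thread.
IPSEC_STATS = """\
ESP Statistics:
  Encrypted bytes:           406024
  Decrypted bytes:                0
  Encrypted packets:           2999
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

FLOW_SESSION = """\
Session ID: 8471, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp, If: st0.0, Pkts: 0, Bytes: 0
"""

def parse_ipsec_stats(text):
    """Map every 'Counter name: N' pair in the statistics output to an int."""
    return {name.strip(): int(val)
            for name, val in re.findall(r"([A-Za-z ]+?):\s+(\d+)", text)}

def parse_flow_wings(text):
    """Return {'In' or 'Out': (interface, packets)} from the brief session listing."""
    return {d: (iface, int(pkts)) for d, iface, pkts in
            re.findall(r"\b(In|Out):.*?If: (\S+), Pkts: (\d+)", text)}

def diagnose(counters, wings):
    """Classify the tunnel the way the thread reads it: decryption or
    authentication failures mean the peer sends but the SAs disagree;
    encrypted > 0, decrypted == 0 and an empty reverse wing means nothing
    ever comes back, so remote routing/policy is the suspect."""
    if (counters.get("ESP decryption failures", 0)
            or counters.get("ESP authentication failures", 0)):
        return "sa-mismatch"
    enc = counters.get("Encrypted packets", 0)
    dec = counters.get("Decrypted packets", 0)
    _, reverse_pkts = wings.get("Out", ("", 0))
    if enc == 0:
        return "no-traffic-into-tunnel"   # nothing is being routed to st0.x
    if dec == 0 and reverse_pkts == 0:
        return "one-way"                  # we encrypt, the peer never answers
    return "bidirectional"
```

Run it against the live outputs on both ends: a one-way verdict on the SRX together with zero decrypted packets on the peer points at the peer's return route or policy rather than at the SRX.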

 

Re: IPSEC VPN Troubleshooting


Do you see anything in our config that would be causing this?
