Channel: All SRX Services Gateway posts

Re: IPSEC VPN Troubleshooting

Hi,

Configuration looks good to me.

Please check the remote side as well for any issues.

Also, upgrade the device to at least 12.1X46 code; you are running very old code.

regards,

Guru Prasad


PPPoE making handshake but not giving username and password

Hello,

After finding the required instructions on the Juniper website, I configured a pp0 interface and set out to connect it to the ISP's network.

I found that no internet was given. According to the ISP, the SRX210 is sending the handshake but then not giving any username or password.

I'm positive I've set up the configuration correctly, but that doesn't seem to be the case. I've attached the configuration and I'm hoping to find this problem out quickly so I can use this gateway soon.

Also, the ISP said they can use both CHAP and PAP for authentication.

Regards, FileFinish180

Re: IPSEC VPN Troubleshooting

Attached are the kmd-logs, is it normal for phase1 to keep cycling so often?

Re: SRX1400 sh chassis fpc high cpu usage

How did you get cpp0 processes statistics?

Re: SRX image for GNS

Hi Steve,

I am looking for any vSRX .OVA files to run on the GNS3 VM.

Could you please assist with where I can find these vSRX .OVA files to download, as Juniper has removed these evaluation versions?

Thank you

Regards

Phuc Le

Re: PPPoE making handshake but not giving username and password

Hi,

I have checked the configuration. If the ISP suggests that they can go with either CHAP or PAP, then I would need you to enter the commands below as well in the configuration and see if PAP helps you to bring the interface up.

# set interfaces pp0 unit 0 ppp-options pap passive

# set interfaces pp0 unit 0 pppoe-options client\

# commit.

Once committed, please check if the interface comes up. If not, please provide the output of the command below:

> monitor traffic interface ge-0/0/0 no-resolve extensive

Hope this helps.

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps. Kudos are appreciated too.

Re: Advertise NAT pools to BGP

Just saw your response (I know it's been a few years), but I've been working through the same solution for a customer that has two upstream routers:

I think the reason that this works is that traffic TO the source-NAT prefix would always be part of an existing session (e.g. outbound traffic has already been source-NATted, and return traffic is coming back to the advertised prefixes), so in the SRX order of operations it would skip straight to the Existing Sessions section and avoid route lookup.

PEM 0 Not Present

Hi there.

I got my hands on a not-so-new SRX1500 to do some testing/learning/whatever. And it seems either I'm a bit daft or there's something strange. The device is supposed to have been cleared to factory defaults and I was informed that it always had one PSU only. But the device shows a red alert LED all the time and there are two alarms active all the time.

root> show chassis alarms
2 alarms currently active
Alarm time Class Description
2017-05-04 12:34:23 UTC Minor FPC 0 PEM 0 Removed
2017-05-04 12:34:20 UTC Major PEM 0 Not Present

I found no way of convincing the SRX that the situation is perfectly normal and it shouldn't look for the other PEM. And, just for checking, I swapped the PEM to the other slot; it didn't help, just the PEM number in the alarm changed.

Can anyone point me to relevant docs or help troubleshooting this issue?

Best regards,

Kruma Pawar


Re: IKEv1 main mode

Hi Ahmed,

First of all, I would like to say that your understanding in the first part of your post is almost accurate.

  1. Nonces and the pre-shared key are the inputs to the PRF (HMAC in this case) to derive the initial SKEYID, which is used to derive the other keys, i.e. SKEYID_d, SKEYID_a, SKEYID_e.
  2. The DH shared secret is generated on each end of the VPN tunnel using the DH public value exchanged in packets no. 3 and 4, and this shared secret along with SKEYID, cookies and number are used to generate the 3 keys SKEYID_d, SKEYID_a, SKEYID_e.
  3. Once SKEYID_e is generated, it is used to encrypt the ID and Hash payloads in packets no. 5 and 6. If both ends are able to decrypt the packets sent to each other, it authenticates the DH exchange and the keys are identical.
  4. As mentioned above, both the Identity and Hash payloads are encrypted using SKEYID_e. Both payloads contain the information calculated as below. For more details see Section 5, pages 8-9.

ID Payload - IP address/hostname of the sender.

Hash Payload - PRF (ID + SKEYID + Cookies + Pre-shared-key + SA Payload).

Now coming to your queries, here are my answers:

  • To answer your first query: when we configure the VPN, the hashing function selected in this case, for example HMAC, gets the input message and key material to generate the 3 derived keys from the different input values on which it runs the hashing function.

For example, to generate SKEYID it uses the pre-shared key and nonces as the input. In packets no. 5 and 6, all the inputs mentioned above to generate the Hash Payload act as the input material to the hashing function.

  • To answer your second query: SKEYID_a is not directly used in packets no. 5 and 6, but it is used to generate SKEYID_e, which is used to encrypt packets no. 5 and 6.

SKEYID_e = PRF (SKEYID + SKEYID_a + DH shared secret + Cookies + Number)

Let me know if I was able to answer your queries. Hope this helps.

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps. Kudos are appreciated too.

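The key derivation discussed in the reply above, written out as a runnable example. This is an added illustration, not code from the post or from Juniper: it implements the RFC 2409 section 5 formulas for SKEYID in pre-shared-key mode, for SKEYID_d, SKEYID_a and SKEYID_e, and for the HASH_I/HASH_R payloads of messages 5 and 6, with HMAC-SHA1 as the PRF. It then runs both peers of a main-mode exchange and shows that the keys each side derives independently agree, and that a pre-shared-key mismatch leaves the DH secret intact but makes the hash verification in messages 5/6 fail, which is where a gateway with a wrong PSK rejects the peer. The Diffie-Hellman group (the prime 2^127-1 with generator 3), cookies, nonces, SA proposal and ID payload bodies are all constructed for the demo and are not real IKE group or payload values.

```python
import hmac
import hashlib
import random

# Toy Diffie-Hellman group for the demonstration only (constructed; not one of the
# RFC 2409 section 6 groups): the Mersenne prime 2**127 - 1 and generator 3.
TOY_P = 2**127 - 1
TOY_G = 3


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """IKEv1 PRF: keyed HMAC over the negotiated hash (RFC 2409 section 3.2)."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes, hash_name: str = "sha1") -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr, hash_name)


def phase1_keys(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes, hash_name: str = "sha1"):
    """SKEYID_d, SKEYID_a, SKEYID_e (RFC 2409 section 5); the 0, 1, 2 are single octets."""
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00", hash_name)
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01", hash_name)
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02", hash_name)
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b, hash_name="sha1"):
    """HASH_I (message 5): prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b, hash_name)


def hash_r(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b, hash_name="sha1"):
    """HASH_R (message 6): prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b, hash_name)


def _be(n: int) -> bytes:
    """Big-endian encoding of a DH value, as it travels in the KE payload."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def simulate_main_mode(psk_initiator: bytes, psk_responder: bytes, seed: int = 7) -> dict:
    """Run both sides of a main-mode PSK exchange and check the authentication hashes.
    Each peer derives its own keys from what it saw on the wire, so a PSK mismatch
    shows up exactly where it does on a real gateway: the HASH payloads of messages
    5/6 fail to verify while the DH secret itself still agrees."""
    rng = random.Random(seed)      # deterministic for the demo; real peers use a CSPRNG
    rb = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    cky_i, cky_r = rb(8), rb(8)    # messages 1/2: cookies plus the SA proposal
    sai_b = b"\x00\x00\x00\x01" + b"toy-sa-proposal"        # constructed SA payload body
    xi, xr = rng.randrange(2, TOY_P - 1), rng.randrange(2, TOY_P - 1)
    g_xi, g_xr = _be(pow(TOY_G, xi, TOY_P)), _be(pow(TOY_G, xr, TOY_P))
    ni, nr = rb(16), rb(16)        # messages 3/4: KE (g^x) and nonces
    idii_b = b"\x01\x00\x00\x00" + bytes([198, 51, 100, 1])  # constructed ID_IPV4_ADDR body
    idir_b = b"\x01\x00\x00\x00" + bytes([203, 0, 113, 1])

    # Initiator: shared secret from the peer's g^xr and its own xi, keys from its PSK.
    g_xy_i = _be(pow(int.from_bytes(g_xr, "big"), xi, TOY_P))
    skeyid_i = skeyid_psk(psk_initiator, ni, nr)
    keys_i = phase1_keys(skeyid_i, g_xy_i, cky_i, cky_r)
    # Responder: the same computations from g^xi and xr, with the responder's PSK.
    g_xy_r = _be(pow(int.from_bytes(g_xi, "big"), xr, TOY_P))
    skeyid_r = skeyid_psk(psk_responder, ni, nr)
    keys_r = phase1_keys(skeyid_r, g_xy_r, cky_i, cky_r)

    # Message 5: initiator sends HASH_I; the responder recomputes it with its own SKEYID.
    sent_hash_i = hash_i(skeyid_i, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
    expected_hash_i = hash_i(skeyid_r, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
    # Message 6: responder sends HASH_R; the initiator verifies it.
    sent_hash_r = hash_r(skeyid_r, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b)
    expected_hash_r = hash_r(skeyid_i, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b)

    return {
        "dh_secret_match": g_xy_i == g_xy_r,
        "skeyid_e_match": keys_i[2] == keys_r[2],
        "hash_i_ok": hmac.compare_digest(sent_hash_i, expected_hash_i),
        "hash_r_ok": hmac.compare_digest(sent_hash_r, expected_hash_r),
        "skeyid_e_len": len(keys_i[2]),
    }


if __name__ == "__main__":
    print("matching PSK  :", simulate_main_mode(b"s3cret", b"s3cret"))
    print("mismatched PSK:", simulate_main_mode(b"s3cret", b"wr0ng"))
```

Because SKEYID feeds every later key, a wrong pre-shared key does not produce garbage only in SKEYID_e: it also changes HASH_I and HASH_R, so the peer that fails the check is the first place the mismatch becomes visible, and with a real PRF the key lengths are those of the negotiated hash (20 bytes for SHA-1).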

SRX 3600 reth port issue

May 2 13:28:59 NB1_SRX_Node0 rpd[1312]: Decode ifd ge-15/0/4 index 181: ifdm_flags 0xc001
May 2 13:28:59 NB1_SRX_Node0 rpd[1312]: krt_inherit_ifd_aps_flags ge-15/0/4 index 181: <> from self
May 2 13:28:59 NB1_SRX_Node0 rpd[1312]: EVENT ge-15/0/4.0 index 2684275464 address #0 0.10.db.ff.10.5
May 2 13:28:59 NB1_SRX_Node0 rpd[1312]: EVENT ge-15/0/4 index 181 address #0 0.10.db.ff.10.5
May 2 13:28:59 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_DOWN: ifIndex 552, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-15/0/4
May 2 13:29:20 NB1_SRX_Node0 rpd[1312]: Decode ifd ge-15/0/4 index 181: ifdm_flags 0xc000
May 2 13:29:20 NB1_SRX_Node0 rpd[1312]: krt_inherit_ifd_aps_flags ge-15/0/4 index 181: <> from self
May 2 13:29:20 NB1_SRX_Node0 rpd[1312]: EVENT ge-15/0/4.0 index 2684275464 address #0 0.10.db.ff.10.5
May 2 13:29:20 NB1_SRX_Node0 rpd[1312]: EVENT ge-15/0/4 index 181 address #0 0.10.db.ff.10.5
May 2 13:29:20 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_UP: ifIndex 552, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-15/0/4
May 2 13:29:20 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_UP: ifIndex 638, ifAdminStatus up(1), ifOperStatus up(1), ifName

Looking at the logs, can you suggest the reason why the interface was down?
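An added example, not from the post or from Juniper, of how the mib2d link-state traps in logs like the ones above can be parsed to measure how long ge-15/0/4 was down and to flag a port that keeps flapping. The sample log is constructed: the two ge-15/0/4 trap lines reproduce the 13:28:59 down and 13:29:20 up from the question, while the reth1 and ge-15/0/5 lines are invented to exercise the flap threshold. The year is an assumption, because syslog timestamps do not carry one, and the flap threshold and window are arbitrary defaults.

```python
import re
from datetime import datetime

# Constructed sample of Junos syslog. The ge-15/0/4 traps mirror the question; the rpd
# line, the reth1 trap and the ge-15/0/5 traps are made up for the demonstration.
SAMPLE_LOG = """\
May 2 13:28:59 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_DOWN: ifIndex 552, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-15/0/4
May 2 13:29:20 NB1_SRX_Node0 rpd[1312]: Decode ifd ge-15/0/4 index 181: ifdm_flags 0xc000
May 2 13:29:20 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_UP: ifIndex 552, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-15/0/4
May 2 13:29:20 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_UP: ifIndex 638, ifAdminStatus up(1), ifOperStatus up(1), ifName reth1
May 2 14:00:01 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_DOWN: ifIndex 553, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-15/0/5
May 2 14:00:04 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_UP: ifIndex 553, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-15/0/5
May 2 14:01:10 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_DOWN: ifIndex 553, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-15/0/5
May 2 14:01:12 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_UP: ifIndex 553, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-15/0/5
May 2 14:02:30 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_DOWN: ifIndex 553, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-15/0/5
May 2 14:02:33 NB1_SRX_Node0 mib2d[1340]: SNMP_TRAP_LINK_UP: ifIndex 553, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-15/0/5
""".splitlines()

# Only the mib2d link traps carry the operational state; rpd EVENT lines are ignored.
LINK_TRAP = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) mib2d\[\d+\]: "
    r"SNMP_TRAP_LINK_(?P<state>UP|DOWN): ifIndex (?P<ifindex>\d+), .*?ifName (?P<ifname>\S+)$"
)


def parse_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_flaps(lines, year=2017):
    """Pair each LINK_DOWN with the next LINK_UP for the same ifName.
    Returns (ifname, down_at, up_at, seconds_down) tuples in log order."""
    pending = {}
    flaps = []
    for line in lines:
        m = LINK_TRAP.match(line)
        if not m:            # rpd lines, traps truncated before ifName, and so on
            continue
        name, when = m["ifname"], parse_ts(m["ts"], year)
        if m["state"] == "DOWN":
            pending[name] = when
        elif name in pending:  # an UP without a recorded DOWN (e.g. reth1) is not a flap
            down_at = pending.pop(name)
            flaps.append((name, down_at, when, (when - down_at).total_seconds()))
    return flaps


def flapping_interfaces(flaps, threshold=3, window_s=600):
    """Names of interfaces with at least `threshold` down/up cycles inside `window_s`."""
    by_name = {}
    for name, _down_at, up_at, _secs in flaps:
        by_name.setdefault(name, []).append(up_at)
    noisy = []
    for name, ups in by_name.items():
        ups.sort()
        for i in range(len(ups) - threshold + 1):
            if (ups[i + threshold - 1] - ups[i]).total_seconds() <= window_s:
                noisy.append(name)
                break
    return noisy


if __name__ == "__main__":
    flaps = find_flaps(SAMPLE_LOG)
    for name, down_at, up_at, secs in flaps:
        print(f"{name}: down {down_at:%H:%M:%S} -> up {up_at:%H:%M:%S} ({secs:.0f}s)")
    print("flapping:", flapping_interfaces(flaps))
```

For the question's own lines this reports a single 21-second outage on ge-15/0/4, which is consistent with the physical flap diagnosed in the reply; a port that trips the threshold is the one to check for cabling or a misbehaving peer device before anything else.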

Re: PEM 0 Not Present

Hi Kruma,

I checked on this internally and have found a couple of PRs on this issue, and it seems to be fixed in version 15.1X49-D80. The issue has been reported in confidential PRs and hence I would not be able to share much information on it.

Could you please check and let me know the current version running on the SRX, upgrade to 15.1X49-D80 if not already on it, and then check if the alarms go away.

Hope this helps.

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps. Kudos are appreciated too.


Re: SRX 3600 reth port issue

Hi Swati,

Looking into the logs, it looks like the interface ge-15/0/4 flapped physically.

Please check if there is any cable issue, or if the device connected to that interface ran into some issues at the time when the interface was down.

Hope this helps.

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps. Kudos are appreciated too.

Re: PEM 0 Not Present

Hi Pulkit.

Thanks for the tip. I'll probably upgrade the software after the weekend (I have D75 right now). We'll see if this helps.

Kruma Pawar

Re: SRX1400 sh chassis fpc high cpu usage

Hi Romeo,

Thank you for posting your query here.

First of all, I would like to inform you that the command "show chassis fpc" does not give you the CPU utilization of the SRX due to traffic. The correct command is the second one you have used, i.e. "show security monitoring fpc <fpc_no>" or "show security monitoring performance spu".

Command "show chassis fpc" shows the CPU usage on the CPP, and the CPP is the control CPU monitoring the status of SPC/IOC/NP.

Command "show security monitoring performance spu" or "show security monitoring fpc <fpc_no>" shows the CPU usage on the SPU; the SPU is the guy which processes network traffic.

Now the process bcmCNTR.0, because of which "show chassis fpc" shows high CPU, is actually a thread which scans the counters and state of SPC/IOC/NP, and hence even when the traffic is not high it can show high utilization, as it is running to collect the counter and state information for the various cards and chips.

To summarize, the CPU utilization you are seeing in the output of "show chassis fpc" can be said to be actually expected. Moreover, if you want to know the CPU utilization on the SRX due to traffic, please use the other two commands as suggested above.

Hope this helps.

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps. Kudos are appreciated too.


Merge internet lines

Hi,
Good day,
I have a customer who has five 8 Mbps internet lines.
He wants to merge the five lines to appear as 40 Mbps. Is this possible?
If yes, he wants to do traffic shaping on the 40 Mbps, assigning 16 Mbps to a specific subnet, 12 Mbps to another subnet, and so on. Is this possible?
If yes, is there any document that tells me how to configure both?

Thanks in advance.


Re: Merge internet lines

Hi Fathy,

Thanks for posting your query here.

I would like to inform you that merging 5 different interfaces is possible using LAG with LACP. Please refer to the below documents for understanding and configuring the same:

Now, to achieve your traffic shaping requirement, please refer to the below KB article once the merging has happened using the above documents:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB31497

Hope this helps.

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps. Kudos are appreciated too.


Re: IPSEC VPN Troubleshooting

Is it normal for security flow traceoptions logs to have the "invalid session id 00000" entry?

May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow9: Rate limit changed to 0
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow9: Destination ID set to 2
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow10: Rate limit changed to 0
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow10: Destination ID set to 2
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow11: Rate limit changed to 0
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow11: Destination ID set to 2
May  4 23:07:23 23:07:23.661148:CID-0:RT:SPU invalid session id 00000000
May  4 23:07:26 23:07:26.680953:CID-0:RT:SPU invalid session id 00000000
May  4 23:07:30 23:07:29.984699:CID-0:RT:SPU invalid session id 00000000
May  4 23:07:33 23:07:32.992140:CID-0:RT:SPU invalid session id 00000000

set security flow traceoptions file DebugTraffic
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter MatchTraffic interface st0.0


Re: IPSEC VPN Troubleshooting

Far end is a FortiGate; not seeing packets through the tunnel.

1.1.1.142:0  selectors(total,up): 1/1  rx(pkt,err): 40/40  tx(pkt,err): 5/0

Re: IPSEC VPN Troubleshooting

Hi,

Not sure, but could you try to add this policy:

set security policies from-zone corp-vpn to-zone corp-vpn policy intra match source-address any
set security policies from-zone corp-vpn to-zone corp-vpn policy intra match destination-address any
set security policies from-zone corp-vpn to-zone corp-vpn policy intra match application any
set security policies from-zone corp-vpn to-zone corp-vpn policy intra then permit

Also, let's try capturing the traffic with Wireshark, if you don't mind sharing the output:

set forwarding-options packet-capture file filename packetcapture

set firewall family inet filter CAPTURE term 1 from source-address 3.3.3.3/32
set firewall family inet filter CAPTURE term 1 from destination-address 2.2.2.2/32
set firewall family inet filter CAPTURE term 1 then sample
set firewall family inet filter CAPTURE term 2 then accept

set interfaces st0 unit 0 family inet filter CAPTURE

After replicating the issue, disable it:

set forwarding-options packet-capture disable

and share the output please.

Re: IPSEC VPN Troubleshooting

No change after adding the security policy. Will start packet capture momentarily.

Thank you for the assistance.
