Totally makes sense now, thank you so much for the help!
Re: VRRP Issues
Re: No idea on how to route my LAN traffic to Internet using SRX220 cluster
sahilsha,
Thank you for the suggestions!
I will try to run these commands and get back to you.
When you say "Initiate pings to 8.8.8.8 from the Source", by the Source you mean 10.1.0.0/24 my "network_101"?
Or just the private IP of that Linux box connected to ge-0/0/0?
Thank you!
Re: No idea on how to route my LAN traffic to Internet using SRX220 cluster
lyndidon,
Thank you for the reply!
I already had this in my configuration:
set chassis cluster reth-count 3
And after that I applied this:
set interfaces ge-0/0/2 gigether-options redundant-parent reth2
set interfaces ge-3/0/2 gigether-options redundant-parent reth2
No idea what went wrong.
Client to LAN VPN error
I'm trying to set up a client-to-LAN VPN to a web server behind an SRX100. The tunnel is not coming up and I'm getting the following error when collecting traceoptions for the tunnels:
[May 24 14:33:53]ikev2_packet_allocate: Allocated packet e0d800 from freelist
[May 24 14:33:53]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:53]ike_get_sa: Start, SA = { b76149a8 bb4f7250 - 00000000 00000000 } / 00000000, remote = 10.128.137.2:500
[May 24 14:33:53]ike_sa_allocate: Start, SA = { b76149a8 bb4f7250 - ba1ee5c3 23a0bb27 }
[May 24 14:33:53]ike_init_isakmp_sa: Start, remote = 10.128.137.2:500, initiator = 0
[May 24 14:33:53]ike_decode_packet: Start
[May 24 14:33:53]ike_decode_packet: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f} / 00000000, nego = -1
[May 24 14:33:53]ike_decode_payload_sa: Start
[May 24 14:33:53]ike_decode_payload_t: Start, # trans = 3
[May 24 14:33:53]ike_st_i_vid: VID[0..20] = 01528bbb c0069612 ...
[May 24 14:33:53]ike_st_i_vid: VID[0..20] = 1e2b5169 05991c7d ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = 4048b7d5 6ebce885 ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = fb1de3cd f341b7ea ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = 26244d38 eddb61b3 ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = e3a5966a 76379fe7 ...
[May 24 14:33:53]ike_st_i_sa_proposal: Start
[May 24 14:33:53]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway matching local addr IKE_GW for remote dynamic peer, sa_cfg[IPSEC_VPN]
[May 24 14:33:53]ike_isakmp_sa_reply: Start
[May 24 14:33:53]ike_state_restart_packet: Start, restart packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:33:53]ike_st_i_sa_proposal: Start
[May 24 14:33:53]ike_st_i_cr: Start
[May 24 14:33:53]ike_st_i_cert: Start
[May 24 14:33:53]ike_st_i_private: Start
[May 24 14:33:53]ike_st_o_sa_values: Start
[May 24 14:33:53]ike_policy_reply_isakmp_vendor_ids: Start
[May 24 14:33:53]ike_st_o_private: Start
[May 24 14:33:53]ike_policy_reply_private_payload_out: Start
[May 24 14:33:53]ike_encode_packet: Start, SA = { 0xb76149a8 bb4f7250 - 647ce0e5 7e90125f } / 00000000, nego = -1
[May 24 14:33:53]ike_send_packet: Start, send SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500, routing table id = 0
[May 24 14:33:53]ikev2_packet_allocate: Allocated packet e0dc00 from freelist
[May 24 14:33:53]ike_sa_find: Found SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:33:53]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:53]ike_get_sa: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f } / 00000000, remote = 10.128.137.2:500
[May 24 14:33:53]ike_sa_find: Found SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:33:53]ike_decode_packet: Start
[May 24 14:33:53]ike_decode_packet: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f} / 00000000, nego = -1
[May 24 14:33:53]ike_st_i_nonce: Start, nonce[0..48] = d34cca05 729d990b ...
[May 24 14:33:53]ike_st_i_ke: Ke[0..128] = a3b1ac42 37aeee0e ...
[May 24 14:33:53]ike_st_i_cr: Start
[May 24 14:33:53]ike_st_i_cert: Start
[May 24 14:33:53]ike_st_i_private: Start
[May 24 14:33:53]ike_st_o_ke: Start
[May 24 14:33:53]ike_st_o_nonce: Start
[May 24 14:33:53]ike_policy_reply_isakmp_nonce_data_len: Start
[May 24 14:33:53]IKED-PKID-IPC Failed to delete cert chain patricia node
[May 24 14:33:53]ikev2_fb_get_cas_kid_cb: CA lookup failed, error 'Crypto operation failed'
[May 24 14:33:53]ike_policy_reply_get_cas: Start
[May 24 14:33:53]ike_state_restart_packet: Start, restart packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:33:53]ike_st_o_private: Start
[May 24 14:33:53]ike_policy_reply_private_payload_out: Start
[May 24 14:33:53]ike_policy_reply_private_payload_out: Start
[May 24 14:33:53]ike_policy_reply_private_payload_out: Start
[May 24 14:33:53]ike_st_o_calc_skeyid: Calculating skeyid
[May 24 14:33:53]ike_encode_packet: Start, SA = { 0xb76149a8 bb4f7250 - 647ce0e5 7e90125f } / 00000000, nego = -1
[May 24 14:33:53]ike_send_packet: Start, send SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500, routing table id = 0
[May 24 14:33:53]ikev2_packet_allocate: Allocated packet e20000 from freelist
[May 24 14:33:53]ike_sa_find: Found SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:33:53]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:53]ike_get_sa: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f } / e8a5c6d8, remote = 10.128.137.2:500
[May 24 14:33:53]ike_sa_find: Found SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:33:53]ike_alloc_negotiation: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}
[May 24 14:33:53]ike_decode_packet: Start
[May 24 14:33:53]ike_decode_packet: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f} / e8a5c6d8, nego = 0
[May 24 14:33:53]<none>:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [0] / 0xe8a5c6d8 } Info; Trying to decrypt, but no decryption context initialized
[May 24 14:33:53]<none>:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [0] / 0xe8a5c6d8 } Info; Error = No SA established (8194)
[May 24 14:33:53]ike_send_notify: Notification to informational exchange ignored
[May 24 14:33:53]ike_delete_negotiation: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = 0
[May 24 14:33:53]ike_free_negotiation_info: Start, nego = 0
[May 24 14:33:53]ike_free_negotiation: Start, nego = 0
[May 24 14:33:54]ikev2_packet_allocate: Allocated packet e20400 from freelist
[May 24 14:33:54]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:54]ike_get_sa: Start, SA = { 4a5ec625 c426a0c8 - 00000000 00000000 } / 00000000, remote = 10.128.137.2:500
[May 24 14:33:54]ike_sa_allocate: Start, SA = { 4a5ec625 c426a0c8 - e5e208da 0210ad6b }
[May 24 14:33:54]ike_init_isakmp_sa: Start, remote = 10.128.137.2:500, initiator = 0
[May 24 14:33:54]ike_decode_packet: Start
[May 24 14:33:54]ike_decode_packet: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553} / 00000000, nego = -1
[May 24 14:33:54]ike_decode_payload_sa: Start
[May 24 14:33:54]ike_decode_payload_t: Start, # trans = 3
[May 24 14:33:54]ike_st_i_vid: VID[0..20] = 01528bbb c0069612 ...
[May 24 14:33:54]ike_st_i_vid: VID[0..20] = 1e2b5169 05991c7d ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = 4048b7d5 6ebce885 ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = fb1de3cd f341b7ea ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = 26244d38 eddb61b3 ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = e3a5966a 76379fe7 ...
[May 24 14:33:54]ike_st_i_sa_proposal: Start
[May 24 14:33:54]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway matching local addr IKE_GW for remote dynamic peer, sa_cfg[IPSEC_VPN]
[May 24 14:33:54]ike_isakmp_sa_reply: Start
[May 24 14:33:54]ike_state_restart_packet: Start, restart packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:33:54]ike_st_i_sa_proposal: Start
[May 24 14:33:54]ike_st_i_cr: Start
[May 24 14:33:54]ike_st_i_cert: Start
[May 24 14:33:54]ike_st_i_private: Start
[May 24 14:33:54]ike_st_o_sa_values: Start
[May 24 14:33:54]ike_policy_reply_isakmp_vendor_ids: Start
[May 24 14:33:54]ike_st_o_private: Start
[May 24 14:33:54]ike_policy_reply_private_payload_out: Start
[May 24 14:33:54]ike_encode_packet: Start, SA = { 0x4a5ec625 c426a0c8 - ffd18544 6524a553 } / 00000000, nego = -1
[May 24 14:33:54]ike_send_packet: Start, send SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500, routing table id = 0
[May 24 14:33:54]ikev2_packet_allocate: Allocated packet e20800 from freelist
[May 24 14:33:54]ike_sa_find: Found SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:33:54]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:54]ike_get_sa: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 } / 00000000, remote = 10.128.137.2:500
[May 24 14:33:54]ike_sa_find: Found SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:33:54]ike_decode_packet: Start
[May 24 14:33:54]ike_decode_packet: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553} / 00000000, nego = -1
[May 24 14:33:54]ike_st_i_nonce: Start, nonce[0..48] = 52daa00e c8bc3ef0 ...
[May 24 14:33:54]ike_st_i_ke: Ke[0..128] = b418102a e5a211d8 ...
[May 24 14:33:54]ike_st_i_cr: Start
[May 24 14:33:54]ike_st_i_cert: Start
[May 24 14:33:54]ike_st_i_private: Start
[May 24 14:33:54]ike_st_o_ke: Start
[May 24 14:33:54]ike_st_o_nonce: Start
[May 24 14:33:54]ike_policy_reply_isakmp_nonce_data_len: Start
[May 24 14:33:54]IKED-PKID-IPC Failed to delete cert chain patricia node
[May 24 14:33:54]ikev2_fb_get_cas_kid_cb: CA lookup failed, error 'Crypto operation failed'
[May 24 14:33:54]ike_policy_reply_get_cas: Start
[May 24 14:33:54]ike_state_restart_packet: Start, restart packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:33:54]ike_st_o_private: Start
[May 24 14:33:54]ike_policy_reply_private_payload_out: Start
[May 24 14:33:54]ike_policy_reply_private_payload_out: Start
[May 24 14:33:54]ike_policy_reply_private_payload_out: Start
[May 24 14:33:54]ike_st_o_calc_skeyid: Calculating skeyid
[May 24 14:33:54]ike_encode_packet: Start, SA = { 0x4a5ec625 c426a0c8 - ffd18544 6524a553 } / 00000000, nego = -1
[May 24 14:33:54]ike_send_packet: Start, send SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500, routing table id = 0
[May 24 14:33:54]ikev2_packet_allocate: Allocated packet e20c00 from freelist
[May 24 14:33:54]ike_sa_find: Found SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:33:54]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:54]ike_get_sa: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 } / cc53a520, remote = 10.128.137.2:500
[May 24 14:33:54]ike_sa_find: Found SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:33:54]ike_alloc_negotiation: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}
[May 24 14:33:54]ike_decode_packet: Start
[May 24 14:33:54]ike_decode_packet: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553} / cc53a520, nego = 0
[May 24 14:33:54]<none>:500 (Responder) <-> 10.128.137.2:500 { 4a5ec625 c426a0c8 - ffd18544 6524a553 [0] / 0xcc53a520 } Info; Trying to decrypt, but no decryption context initialized
[May 24 14:33:54]<none>:500 (Responder) <-> 10.128.137.2:500 { 4a5ec625 c426a0c8 - ffd18544 6524a553 [0] / 0xcc53a520 } Info; Error = No SA established (8194)
[May 24 14:33:54]ike_send_notify: Notification to informational exchange ignored
[May 24 14:33:54]ike_delete_negotiation: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = 0
[May 24 14:33:54]ike_free_negotiation_info: Start, nego = 0
[May 24 14:33:54]ike_free_negotiation: Start, nego = 0
[May 24 14:34:03]ike_retransmit_callback: Start, retransmit SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:03]ike_send_packet: Start, retransmit previous packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:04]ike_retransmit_callback: Start, retransmit SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:34:04]ike_send_packet: Start, retransmit previous packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:13]ike_retransmit_callback: Start, retransmit SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:13]ike_send_packet: Start, retransmit previous packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:14]ike_retransmit_callback: Start, retransmit SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:34:14]ike_send_packet: Start, retransmit previous packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:23]P1 SA 4019557 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x300.
[May 24 14:34:23]iked_pm_ike_sa_delete_done_cb: For p1 sa index 4019557, ref cnt 2, status: Error ok
[May 24 14:34:23]ike_remove_callback: Start, delete SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:23]10.128.63.195:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[May 24 14:34:23]ike_delete_negotiation: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:23]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[May 24 14:34:23]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[May 24 14:34:23]ike_sa_delete: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:34:23]ike_free_negotiation_isakmp: Start, nego = -1
[May 24 14:34:23]ike_free_negotiation: Start, nego = -1
[May 24 14:34:23]IKE SA delete called for p1 sa 4019557 (ref cnt 2) local:10.128.63.195, remote:10.128.137.2, IKEv1
[May 24 14:34:23]P1 SA 4019557 reference count is not zero (1). Delaying deletion of SA
[May 24 14:34:23]ike_free_sa: Start
[May 24 14:34:23]iked_pm_ike_sa_done: UNUSABLE p1_sa 4019557
[May 24 14:34:23] IKEv1 Error : Timeout
[May 24 14:34:23]iked_pm_p1_sa_destroy: p1 sa 4019557 (ref cnt 0), waiting_for_del 0xa332c0
[May 24 14:34:24]P1 SA 4019558 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x300.
[May 24 14:34:24]iked_pm_ike_sa_delete_done_cb: For p1 sa index 4019558, ref cnt 2, status: Error ok
[May 24 14:34:24]ike_remove_callback: Start, delete SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:34:24]10.128.63.195:500 (Responder) <-> 10.128.137.2:500 { 4a5ec625 c426a0c8 - ffd18544 6524a553 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[May 24 14:34:24]ike_delete_negotiation: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:34:24]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[May 24 14:34:24]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[May 24 14:34:24]ike_sa_delete: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:34:24]ike_free_negotiation_isakmp: Start, nego = -1
[May 24 14:34:24]ike_free_negotiation: Start, nego = -1
[May 24 14:34:24]IKE SA delete called for p1 sa 4019558 (ref cnt 2) local:10.128.63.195, remote:10.128.137.2, IKEv1
[May 24 14:34:24]P1 SA 4019558 reference count is not zero (1). Delaying deletion of SA
[May 24 14:34:24]ike_free_sa: Start
[May 24 14:34:24]iked_pm_ike_sa_done: UNUSABLE p1_sa 4019558
[May 24 14:34:24] IKEv1 Error : Timeout
[May 24 14:34:24]iked_pm_p1_sa_destroy: p1 sa 4019558 (ref cnt 0), waiting_for_del 0xdf9f60
We are not using Juniper certs, rather a certificate we signed. I have a similar cert on my desktops signed by the same CA. I also configured NTP to make sure that the SRX and my WS point to the same NTP server. Below is my VPN config. Security policies are wide open (basically any/any allowed). My WS is Windows 10.
Please suggest if something is wrong with my config.
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group2
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE_PROP lifetime-seconds 3600
set security ike policy IKE_POL mode main
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate srx001
set security ike policy IKE_POL certificate peer-certificate-type x509-signature
set security ike gateway IKE_GW ike-policy IKE_POL
set security ike gateway IKE_GW dynamic distinguished-name wildcard C=CA
set security ike gateway IKE_GW local-identity inet 10.128.63.195
set security ike gateway IKE_GW external-interface fe-0/0/0.0
set security ike gateway IKE_GW version v1-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 3600
set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group2
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn IPSEC_VPN bind-interface st0.0
set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
Certificate details on SRX:
root@FOCFAS01> show security pki local-certificate
Certificate identifier: srx001
Issued to: focfas01, Issued by: C = CA, O = ABC Inc., CN = ABC Issuing CA SHA256
Validity:
Not before: 05-12-2017 21:38 UTC
Not after: 05-11-2022 21:38 UTC
Public key algorithm: rsaEncryption(2048 bits)
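As an added example (not part of the post or of Junos), the following parser groups traceoptions lines like the ones above by initiator cookie and records which IKEv1 main-mode milestones each SA reached, which error lines followed, and how many retransmits happened before the timeout. The sample log is a constructed excerpt in the shape of the output posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the traceoptions output posted above
# (one responder-side IKEv1 main-mode attempt; cookies and peer as in the post).
SAMPLE_LOG = """\
[May 24 14:33:53]ike_init_isakmp_sa: Start, remote = 10.128.137.2:500, initiator = 0
[May 24 14:33:53]ike_decode_packet: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f} / 00000000, nego = -1
[May 24 14:33:53]ike_st_i_sa_proposal: Start
[May 24 14:33:53]ike_encode_packet: Start, SA = { 0xb76149a8 bb4f7250 - 647ce0e5 7e90125f } / 00000000, nego = -1
[May 24 14:33:53]ike_st_i_ke: Ke[0..128] = a3b1ac42 37aeee0e ...
[May 24 14:33:53]ikev2_fb_get_cas_kid_cb: CA lookup failed, error 'Crypto operation failed'
[May 24 14:33:53]ike_st_o_calc_skeyid: Calculating skeyid
[May 24 14:33:53]<none>:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [0] / 0xe8a5c6d8 } Info; Trying to decrypt, but no decryption context initialized
[May 24 14:33:53]<none>:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [0] / 0xe8a5c6d8 } Info; Error = No SA established (8194)
[May 24 14:34:03]ike_retransmit_callback: Start, retransmit SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:13]ike_retransmit_callback: Start, retransmit SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:23] IKEv1 Error : Timeout
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
# Initiator cookie (first two words inside the braces); the responder cookie
# can change between lines, so the SA is keyed on the initiator side only.
COOKIE_RE = re.compile(r"\{\s*(?:0x)?(?P<icookie>[0-9a-f]{8} [0-9a-f]{8}) - ")
PEER_RE = re.compile(r"<-> (\d+\.\d+\.\d+\.\d+:\d+)")

# Main-mode milestones in the order a responder reaches them.
MILESTONES = [
    ("proposal", "ike_st_i_sa_proposal"),   # first exchange: SA proposal received
    ("ke_nonce", "ike_st_i_ke"),            # second exchange: KE and nonce received
    ("skeyid", "ike_st_o_calc_skeyid"),     # keying material derived
]
# Lines that explain why the exchange did not complete.
ERROR_PATTERNS = [
    "CA lookup failed",
    "no decryption context initialized",
    "No SA established",
    "IKEv1 Error",
]


def parse_line(line):
    """Split a traceoptions line into (timestamp, message); None if it is not a log line."""
    m = LINE_RE.match(line)
    return (m.group("ts"), m.group("msg")) if m else None


def summarize(log_text):
    """Group the trace by initiator cookie and record milestones, errors and retransmits."""
    sas = defaultdict(lambda: {"peer": None, "milestones": [], "errors": [],
                               "retransmits": 0, "timed_out": False})
    current = None  # cookie of the SA the most recent cookie-bearing line referred to
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        ck = COOKIE_RE.search(msg)
        if ck:
            current = ck.group("icookie")
        if current is None:
            continue  # lines before the first SA reference carry no cookie
        sa = sas[current]
        peer = PEER_RE.search(msg)
        if peer:
            sa["peer"] = peer.group(1)
        for name, marker in MILESTONES:
            if marker in msg and name not in sa["milestones"]:
                sa["milestones"].append(name)
        for pat in ERROR_PATTERNS:
            if pat in msg:
                sa["errors"].append((ts, pat))
        if msg.startswith("ike_retransmit_callback"):
            sa["retransmits"] += 1
        if "IKEv1 Error : Timeout" in msg:
            sa["timed_out"] = True
    return dict(sas)


def stall_point(sa):
    """Last main-mode milestone reached and the first error line seen for this SA."""
    last = sa["milestones"][-1] if sa["milestones"] else "none"
    first_error = sa["errors"][0][1] if sa["errors"] else None
    return last, first_error


if __name__ == "__main__":
    for cookie, sa in summarize(SAMPLE_LOG).items():
        print(cookie, sa["peer"], stall_point(sa), "retransmits:", sa["retransmits"])
```

For the excerpt above the summary reports that the SA got as far as deriving skeyid and then failed to decrypt the peer's next packet, with the CA lookup failure being the first error logged.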
Re: Sophos Anti Virus Engine running but not doing anything.
Hi Sahilsha, I appreciate your assistance. Yes, I am inputting those commands and that's where I'm seeing the engine report it's not doing anything.
I have another SRX with the AV license turned on with the default config and it's not reporting any scans either.
Here's a picture of those commands.
Thank you,
Re: Sophos Anti Virus Engine running but not doing anything.
Could you provide
>show security policies
Re: SRX300 and dynamic VPN not supported
Do you know how many Dynamic VPN connections can be established simultaneously? I remember that 2 connections was the default and for more I should buy e.g. an SRX-RAC-5-LTU license, right?
Re: SRX 550 ethernet aggregate configuration
You would have to use switches in between SRXes. For example
SRX1 (DC1)------1G------VC VC-------1G---------SRX2 (DC2)
==2G MC LAG Trunk==
SRX3 (DC1)------1G------VC VC-------1G--------SRX4 (DC2)
Re: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation
Hi Guru,
Thanks for your clarification. But for the traffic selector, is it necessary to configure it? I've checked the related document, which indicates the system will use a default proxy-id of 0.0.0.0/0 for local and remote and 'any' for service when no traffic selector is configured. I am so curious about this. Kindly please advise.
Best Regards,
Dylen
Re: Traffic fails over VPN SRX
OK, it's UDP traffic so changing the MSS will not help. Usually when some traffic works over a VPN and other traffic doesn't, it's a fragmentation problem.
You can try to change the st0.0 MTU. If the problematic hosts support path MTU discovery they should negotiate a lower MTU for UDP traffic:
#set interface st0.0 family inet mtu 1340 (your MSS 1300 + 40 for TCP/IP headers)
You should also consider updating Junos as your version is over 3 years old.
Re: SRX240 only one IPSec tunnel is slow in one direction.
Please run the test and capture
>show security monitoring performance spu
Re: Sophos Anti Virus Engine running but not doing anything.
Sure.
root@SRX> show security policies
Default policy: deny-all
From zone: Production, To zone: VOIP
  Policy: All_Production_VOIP, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Production, To zone: MGMT
  Policy: All_Production_MGMT, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Production, To zone: Internet
  Policy: All_Production_Internet, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Production, To zone: Creative
  Policy: All_Production_Creative_Printers, State: enabled, Index: 22, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: obj-Creative-Printer-Set
    Applications: any
    Action: permit
From zone: Accounting, To zone: Production
  Policy: All_Accounting_Production, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Accounting, To zone: Internet
  Policy: All_Accounting_Internet, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Creative, To zone: Production
  Policy: All_Creative_Production, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Creative, To zone: Internet
  Policy: All_Creative_Internet, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Editorial, To zone: Production
  Policy: All_Editorial_Production, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Editorial, To zone: Internet
  Policy: All_Editorial_Internet, State: enabled, Index: 12, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: VFX, To zone: Production
  Policy: All_VFX_Production, State: enabled, Index: 13, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: VFX, To zone: Internet
  Policy: All_VFX_Internet, State: enabled, Index: 14, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: GuestWIFI, To zone: Internet
  Policy: All_GuestWIFI_Internet, State: enabled, Index: 15, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: VipWIFI, To zone: Production
  Policy: All_VipWIFI_Production, State: enabled, Index: 16, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: VipWIFI, To zone: Internet
  Policy: All_VipWIFI_Internet, State: enabled, Index: 17, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: VOIP, To zone: Internet
  Policy: All_VOIP_Internet, State: enabled, Index: 18, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: MGMT, To zone: Production
  Policy: All_MGMT_Production, State: enabled, Index: 19, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: MGMT, To zone: VOIP
  Policy: All_MGMT_VOIP, State: enabled, Index: 20, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: MGMT, To zone: Internet
  Policy: All_MGMT_Internet, State: enabled, Index: 21, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Internet, To zone: VOIP
  Policy: AvayaSIP, State: enabled, Index: 23, Scope Policy: 0, Sequence number: 1
    Source addresses: obj-Vitelity-Server-Set
    Destination addresses: obj-Avaya
    Applications: junos-sip
    Action: permit
  Policy: All_Internet_VOIP-RVPN, State: enabled, Index: 24, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, tunnel
From zone: Internet, To zone: MGMT
  Policy: All_Internet_MGMT-RVPN, State: enabled, Index: 25, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, tunnel
From zone: Internet, To zone: Production
  Policy: All_Internet_Production-RVPN, State: enabled, Index: 26, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, tunnel
From zone: trust, To zone: untrust
  Policy: utm-security-policy, State: enabled, Index: 27, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, application services
Global policies:
  Policy: default-deny, State: enabled, Index: 28, Scope Policy: 0, Sequence number: 1
    From zones: any
    To zones: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
Thanks,
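As an added example (not from the thread), a small parser for `show security policies` output that turns each policy into a record and then reports which permit policies are any/any/any and which zone pairs have no policy whose action includes application services. The sample below is constructed from a subset of the policies posted above.

```python
import re

# Constructed sample in the shape of the `show security policies` output posted
# above; only a handful of the thread's policies are reproduced here.
SAMPLE_OUTPUT = """\
Default policy: deny-all
From zone: Production, To zone: Internet
  Policy: All_Production_Internet, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Internet, To zone: VOIP
  Policy: AvayaSIP, State: enabled, Index: 23, Scope Policy: 0, Sequence number: 1
    Source addresses: obj-Vitelity-Server-Set
    Destination addresses: obj-Avaya
    Applications: junos-sip
    Action: permit
  Policy: All_Internet_VOIP-RVPN, State: enabled, Index: 24, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, tunnel
From zone: trust, To zone: untrust
  Policy: utm-security-policy, State: enabled, Index: 27, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, application services
Global policies:
  Policy: default-deny, State: enabled, Index: 28, Scope Policy: 0, Sequence number: 1
    From zones: any
    To zones: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
"""

ZONE_RE = re.compile(r"^From zone: (?P<from>\S+), To zone: (?P<to>\S+)$")
POLICY_RE = re.compile(r"^Policy: (?P<name>\S+), State: (?P<state>\w+), Index: (?P<index>\d+)")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_policies(text):
    """Return one dict per policy: zones, match fields, action and extra action services."""
    policies, current = [], None
    from_zone = to_zone = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        zm = ZONE_RE.match(line)
        if zm:
            from_zone, to_zone = zm.group("from"), zm.group("to")
            continue
        if line == "Global policies:":
            from_zone = to_zone = None  # set per policy by the From zones / To zones lines
            continue
        pm = POLICY_RE.match(line)
        if pm:
            current = {"name": pm.group("name"), "state": pm.group("state"),
                       "index": int(pm.group("index")), "from": from_zone, "to": to_zone,
                       "src": None, "dst": None, "apps": None, "action": None, "services": []}
            policies.append(current)
            continue
        fm = FIELD_RE.match(line)
        if fm and current is not None:
            key, value = fm.group("key"), fm.group("value")
            if key == "Source addresses":
                current["src"] = value
            elif key == "Destination addresses":
                current["dst"] = value
            elif key == "Applications":
                current["apps"] = value
            elif key == "From zones":
                current["from"] = value
            elif key == "To zones":
                current["to"] = value
            elif key == "Action":  # e.g. "permit, application services" or "deny, log"
                parts = [p.strip() for p in value.split(",")]
                current["action"], current["services"] = parts[0], parts[1:]
    return policies


def wide_open(policies):
    """Names of permit policies that match any source, any destination and any application."""
    return [p["name"] for p in policies
            if p["action"] == "permit" and p["src"] == p["dst"] == p["apps"] == "any"]


def uninspected_zone_pairs(policies):
    """Zone pairs whose permit policies never hand traffic to application services (UTM)."""
    pairs = {}
    for p in policies:
        if p["action"] != "permit" or p["from"] == "any":
            continue
        key = (p["from"], p["to"])
        pairs[key] = pairs.get(key, False) or ("application services" in p["services"])
    return sorted(k for k, inspected in pairs.items() if not inspected)
```

Run against the full output in the post, the second report shows that only the trust-to-untrust pair carries a policy with application services; traffic between the other zones is permitted without them.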
Source-NAT
Why does source-NAT evaluation occur after the route lookup?
Re: Source-NAT
Hi !
Just to save CPU cycles, as it makes no sense to do source NAT when the destination is not reachable or the security policy does not permit the traffic.
To anticipate your next question: destination NAT has to be done before, otherwise you cannot do a lookup of the destination.
regards
alexander
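As an added illustration of the ordering described in the answer (a model written for this thread, not Junos code), the function below walks a first packet through destination NAT, route lookup, policy and source NAT in that order and records each step. The topology, addresses and zone names are constructed for the example.

```python
import ipaddress

# Constructed topology for this example: a public address that is destination-NATed
# to an internal server, and a LAN that is source-NATed towards the Internet.
ROUTES = [("10.0.0.0/24", "trust"), ("10.0.1.0/24", "dmz"), ("0.0.0.0/0", "untrust")]
DEST_NAT = {"203.0.113.10": "10.0.0.80"}               # public VIP -> internal web server
SOURCE_NAT = {("trust", "untrust"): "203.0.113.1"}     # LAN -> Internet uses the egress address
ALLOW = {("untrust", "trust"), ("trust", "untrust")}   # zone pairs with a permit policy


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress zone for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


def first_path(pkt):
    """Evaluate a first packet in the order the answer describes and return the step trace:
    destination NAT, route lookup, policy, then source NAT."""
    trace = []
    src, dst = pkt["src"], pkt["dst"]
    if dst in DEST_NAT:                     # first: routing must see the real destination
        dst = DEST_NAT[dst]
        trace.append(("dest-nat", dst))
    to_zone = route_lookup(dst)             # the post-NAT destination decides the egress zone
    trace.append(("route", to_zone))
    pair = (pkt["from_zone"], to_zone)
    if pair not in ALLOW:                   # denied traffic never reaches source NAT
        trace.append(("policy", "deny"))
        return trace
    trace.append(("policy", "permit"))
    if pair in SOURCE_NAT:                  # only now is the translation worth doing
        src = SOURCE_NAT[pair]
        trace.append(("source-nat", src))
    trace.append(("forward", src, dst))
    return trace


def steps(trace):
    """Just the step names, for a quick comparison of two packets' paths."""
    return [t[0] for t in trace]
```

Swapping the first two steps would make the route lookup run on the public VIP and pick the untrust zone, which is the case the answer's second sentence is about.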
Re: SRX240 only one IPSec tunnel is slow in one direction.
root@j> show security monitoring performance spu
fpc 0 pic 0
Last 60 seconds:
0: 6 1: 5 2: 4 3: 4 4: 8 5: 5
6: 5 7: 7 8: 6 9: 5 10: 5 11: 5
12: 13 13: 16 14: 19 15: 13 16: 15 17: 14
18: 17 19: 13 20: 4 21: 4 22: 6 23: 6
24: 4 25: 4 26: 6 27: 4 28: 4 29: 5
30: 4 31: 4 32: 4 33: 4 34: 5 35: 6
36: 4 37: 9 38: 5 39: 5 40: 5 41: 5
42: 6 43: 4 44: 7 45: 10 46: 9 47: 8
48: 6 49: 5 50: 6 51: 6 52: 5 53: 7
54: 6 55: 5 56: 8 57: 11 58: 4 59: 4
IDP offline updates easier
Hi,
This is a simple script to simplify downloading the IDP signatures for SRX offline; you'll need to define your device model / OS version / build number, and the script will tell you the latest available version and download it.
Here's the link for the script & it'll be updated with other functions, I'm also attaching the script if you just need this download part.
https://github.com/mmento/idpofflineupdate/blob/master/idpofflineupdate.py
You can run it on Unix-based machines or macOS; on Windows it will download the files but it won't unzip them.
hope this will help
BR,
Mahdy
Re: SRX300 and dynamic VPN not supported
SRX300 licencing requires one of three different licences -
- SRX300-JSB - SRX300 Junos Software Base with Firewall, NAT, IPSec, Routing, MPLS and Switching Services
- SRX300-JSB-L - SRX300 Junos Software Base with performance limited to 200Mbps of Routing / Firewall and 40 Mbps of IPSec or IPS performance. Includes MPLS services
- SRX300-JSE - SRX300 Junos Software Enhanced with Firewall, NAT, IPSec, Routing, Switching, MPLS and Application Security Services
and from the data sheet
Application Security Services*
- Application visibility and control
- Application-based firewall
- Application QoS
- SSL inspection
Threat Defense and Intelligence Services**
- Intrusion prevention
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- Spotlight Secure threat intelligence
* - Available as part of Juniper Secure Edge (JSE) software package or advanced security subscription licenses
** - Offered as advanced security services subscription licenses
Re: SRX300 and dynamic VPN not supported
Your memory is correct. By default you get two Dynamic VPN connections, and more on the Branch SRX requires a license key.
When the SRX300 was first released Dynamic VPN was not in the code, it is now. But the data sheet still does not list this as a feature.
https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000550-en.pdf
And I don't see it listed for the SRX on the box sites like CDW either. I would contact your reseller to get the final word on the availability of this license for the SRX300.
Re: restrict access based on mac address
Feature explorer still only lists EX platform as supporting this feature. I have not been tracking this as I don't use the feature.
Your best bet is to contact your sales engineer. Roadmap plans are generally only shared in private under NDA. You could find out if this is on the roadmap and if not how to push for its inclusion.
Re: SRX in transparent mode
Here is the documentation.
You create a bridge domain that can act as a switch to connect multiple vlans on a trunk port into the same layer 2 domain.
An example would be having an l2circuit at multiple remote sites as a management VLAN for equipment.
The other side of the circuit lands on the trunk port.
Each site needs a unique interface unit and vlan tag to share the port.
But all are the same management vlan so you create the bridge group to tie them together.