Dears,
I have an SRX320 with the JSB version, and I want to use some MPLS functionality. Can I upgrade to or install JSE on the same hardware?
Or is the software a one-time installation?
I am not sure if the Cisco ASA can have an interesting-traffic ACL with 0.0.0.0/0 for both local and remote traffic. I have set them up with 0.0.0.0/0 for remote traffic and the local traffic specific.
But the basic premise here is that the proxy id must match between the Juniper and the Cisco. If you don't configure a proxy id via traffic selectors on the Juniper then it will send the open 0.0.0.0/0 for both local and remote.
What is the interesting traffic ACL on the Cisco ASA right now?
The command lyndidon is suggesting is a debug command to generate more detailed logs in a file, not a security setting.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB19943
Hi rsuraj,
Below is the log, as requested.
{primary:node0}
test@srx5800> show chassis cluster interfaces
Control link status: Up
Control interfaces:
Index Interface Monitored-Status Internal-SA
0 em0 Up Disabled
1 em1 Down Disabled
Fabric link status: Up
Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-10/1/0 Up / Up
fab0 ge-11/1/0 Up / Up
fab1 ge-22/1/0 Up / Up
fab1 ge-23/1/0 Up / Up
Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth1 Up 1
Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0
Interface Monitoring:
Interface Weight Status Redundancy-group
ge-23/1/1 255 Up 1
ge-11/1/1 255 Up 1
ge-22/1/1 255 Up 1
ge-10/1/1 255 Up 1
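As an added example (not from the thread), a small Python checker that parses `show chassis cluster interfaces` output like the log above and reports down links and whether a redundancy group has lost enough monitored weight to fail over. The sample text is a constructed, trimmed copy of the posted log with ge-11/1/1 flipped to Down; the 255 threshold is the Junos default for redundancy-group interface monitoring.

```python
SAMPLE = """\
Control link status: Up
Control interfaces:
Index Interface Monitored-Status Internal-SA
0 em0 Up Disabled
1 em1 Down Disabled
Fabric interfaces:
Name Child-interface Status
fab0 ge-10/1/0 Up / Up
Interface Monitoring:
Interface Weight Status Redundancy-group
ge-23/1/1 255 Up 1
ge-11/1/1 255 Down 1
"""  # constructed: trimmed copy of the posted log, ge-11/1/1 set to Down

def parse_cluster_interfaces(text):
    """Split the output into the control, fabric and interface-monitor rows."""
    out, section = {"control_link": None, "control": [], "fabric": [], "monitor": []}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        f = line.split()
        if line.startswith("Control link status:"):
            out["control_link"] = f[-1]
        elif line.endswith(":"):          # section header, e.g. "Fabric interfaces:"
            section = f[0].lower()
        elif section == "control" and f[0].isdigit():
            out["control"].append((f[1], f[2]))               # (em0, Up)
        elif section == "fabric" and f[0].startswith("fab"):
            out["fabric"].append((f[0], f[1], f[2], f[-1]))   # fab, child, phys, mon
        elif section == "interface" and len(f) > 3 and f[1].isdigit():
            out["monitor"].append((f[0], int(f[1]), f[2], int(f[3])))
    return out

def find_issues(parsed, threshold=255):
    """List down links; an RG starts at weight 255 and fails over once that is lost."""
    issues, lost = [], {}
    if parsed["control_link"] != "Up":
        issues.append(f"control link status is {parsed['control_link']}")
    for name, status in parsed["control"]:
        if status != "Up":  # a second control link (em1) is optional: warn only
            issues.append(f"warning: control interface {name} is {status}")
    for fab, child, phys, mon in parsed["fabric"]:
        if (phys, mon) != ("Up", "Up"):
            issues.append(f"{fab} child {child}: physical={phys} monitored={mon}")
    for iface, weight, status, rg in parsed["monitor"]:
        if status != "Up":
            lost[rg] = lost.get(rg, 0) + weight
            issues.append(f"monitored {iface} (RG{rg}, weight {weight}) is {status}")
    issues += [f"RG{rg}: lost weight {w} >= {threshold}, failover triggered"
               for rg, w in sorted(lost.items()) if w >= threshold]
    return issues
```

Run against the poster's real log (all monitored interfaces Up) it reports only the em1 warning, which is expected when a single control link is in use.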
Hi rsuraj,
Are you referring to the commit from:
set cli logical-system LSYS-1
edit
commit
or
edit logical system LSYS-1
commit
Thanks and appreciate your feedback
Hi rsuraj,
After some trial and error, the cluster is already back to normal. I just made a configuration change and committed it again, and then it went back to normal. JTAC said that sometimes the cluster does not synchronize within the box during a config change and needs one more config change with a commit.
Thanks
In the long term, the most proper way is to change your existing /24 subnet to a /23 (255.255.254.0). Thus your new IP range will be 10.196.24.0 - 10.196.25.255.
The only downside you have to consider: the subnet mask should be adjusted on the existing x.x.24.x hosts.
dhcp server setup:
Hi Hamdy,
Since September 2016, MPLS features have been included in JSB, so nothing needs to change.
Please note: currently the JSB/JSE features are honor-based and will first be enforced when Junos 17.x is released. Therefore it is important to keep your authcode for SRX320-JSB. Otherwise you will have a firewall without a valid software license.
Hi,
The sync could be the reason.
You could check the jsrpd logs to see what actually happened if you have the timestamps. It might provide you some insight.
Create an address book entry for the webserver in the zone where it resides, and a destination NAT pool with the translated (internal) IP:
set security zones security-zone trust address-book address Webserver x.x.x.x/32 <==== internal IP of the webserver
set security nat destination pool Webserver1 address x.x.x.x/32 port 80 <==== translated IP
Configure the port forwarding rule for the webserver:
set security nat destination rule-set Web1 rule rule1 match destination-address <public-ip>
set security nat destination rule-set Web1 rule rule1 match destination-port YY <=== port to be used
set security nat destination rule-set Web1 rule rule1 then destination-nat pool Webserver1
Create a security policy to allow the traffic:
set security policies from-zone untrust to-zone trust policy Allow-webserver match source-address any
set security policies from-zone untrust to-zone trust policy Allow-webserver match destination-address Webserver
set security policies from-zone untrust to-zone trust policy Allow-webserver match application junos-http
set security policies from-zone untrust to-zone trust policy Allow-webserver then permit
If it is not working, enable traceoptions (below).
When finished, delete or deactivate the traceoptions:
#deactivate security flow traceoptions
For the branch-office SRX series, packet capture using basic-datapath debug:
#set security flow traceoptions file trace-debug-basic-dp
#set security flow traceoptions flag basic-datapath
#set security flow traceoptions packet-filter pckt-in source-prefix <prefix/length>
#set security flow traceoptions packet-filter pckt-out destination-prefix <prefix/length>
Worked like a charm...
thank you very much!!!
I asked about this to the Japan Pre-sales team and received a response from them.
=========================================================================
                <RIB/FIB>         <RIB/FIB>
the feature:    Disabled    ->    Enabled
SRX340:         600K / 400K -->   1M / 600K
SRX345:         600K / 400K -->   1M / 600K
<Important>
If the feature is changed (turned on or off), the device needs to be rebooted.
If licenses (UTM/IDP) are already installed, this feature cannot be turned on (cannot commit).
After this feature is turned on (after commit), these licenses can be installed.
However, UTM/IDP features will not be active.
This is because the enhanced-routing-mode feature uses the memory freed by stopping the UTM/IDP daemon.
*This is not documented for UTM/IDP.
There is also nothing in the datasheet.
I have already given feedback to the doc team.
There is no method to confirm the current size of the RIB or FIB; it is only possible to confirm whether the feature is active or not.
<how to enable this feature>
=====
[edit security]
flow {
enhanced-routing-mode;
}
=====
*This method is not documented.
The Japan pre-sales team has already asked the doc team to create a document about this method.
<confirm the feature status>
=====
<root@srx345> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Enhanced route scaling mode: Enabled <------- Disable(default) / Enable
=====
As Algarz notes, if you want the SAME gateway for the additional addresses then you must expand the netmask and then add an additional pool to the DHCP range.
Another option is to add a secondary IP address with the new subnet's gateway to the same interface, then create a new DHCP setup for that range. This will work but puts the broadcast domains of two different subnets into the same VLAN, which would be considered non-standard.
Another option is to add a new VLAN for this subnet. This can be done by using another port or by adding a VLAN tag on an existing port down to your switches. Changes would be needed on both the switches and the SRX for this, and would depend on whether you are using a dedicated port or a trunk port for the setup.
If you let us know which version you want to pursue, post your current configuration for the interfaces and DHCP and we can assist with making the changes needed.
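As an added example, not from the thread: a Python pre-change check for the /24 to /23 expansion Algarz describes above and this reply repeats. It uses only the standard library; the sample values are the thread's 10.196.24.0/24 and an assumed gateway of 10.196.24.1, and the `in_use` list of other routed prefixes is a parameter you supply.

```python
import ipaddress

def expand_subnet(current, new_prefix, gateway, in_use=()):
    """Widen `current` to `new_prefix` so the existing gateway keeps serving it.

    in_use: other prefixes already routed elsewhere; the wider network must
    not swallow any of them.  Raises ValueError when the change is unsafe.
    """
    net = ipaddress.ip_network(current, strict=True)
    if new_prefix >= net.prefixlen:
        raise ValueError("new prefix must be shorter than the current one")
    wider = net.supernet(new_prefix=new_prefix)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not in {net}")
    for other in map(ipaddress.ip_network, in_use):
        if other != net and wider.overlaps(other):
            raise ValueError(f"{wider} would overlap {other}, already in use")
    # Addresses gained: the rest of the wider block, not yet served by DHCP.
    gained = [str(n) for n in wider.address_exclude(net)]
    hosts = list(wider.hosts())
    return {
        "network": str(wider),
        "netmask": str(wider.netmask),          # existing hosts must move to this
        "range": (str(wider.network_address), str(wider.broadcast_address)),
        "usable": (str(hosts[0]), str(hosts[-1])),
        "gateway": str(gw),
        "new_dhcp_pools": gained,
    }

def check(current, new_prefix, gateway, in_use=()):
    """Return (ok, detail) instead of raising, for use in a pre-change script."""
    try:
        return True, expand_subnet(current, new_prefix, gateway, in_use)["network"]
    except ValueError as e:
        return False, str(e)

if __name__ == "__main__":
    # The thread's case: 10.196.24.0/24 grows to 10.196.24.0/23 (assumed gateway .24.1)
    print(expand_subnet("10.196.24.0/24", 23, "10.196.24.1"))
```

If the existing block is the upper half of the /23 (e.g. 10.196.25.0/24), the gained addresses land below it; the gateway still stays valid, but the hosts' mask change is unavoidable either way.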
Hi everyone!
I would like to ask for some help. We are trying to put together 2 SRX240 firewalls in a cluster with a Cisco switch between them, and with LACP between them on the reth interfaces.
The control and the fabric links won't work through the switch, only when we connect them together directly. The management link works fine through the switch. Also, LACP won't aggregate; there's no connection between the two firewalls through these links.
Here is the config from the SRXs and the switch:
set groups node0 interfaces fxp0 unit 0 family inet address 10.X.Y.2/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.X.Y.3/24
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/14 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/15 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/15 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/14 weight 255
set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic protocols all
set security zones security-zone MGMT interfaces reth1.100
set security zones security-zone MGMT interfaces reth1.104
set security zones security-zone MGMT interfaces reth1.108
set security zones security-zone MGMT interfaces reth1.254
set interfaces ge-0/0/14 gigether-options redundant-parent reth1
set interfaces ge-0/0/15 gigether-options redundant-parent reth1
set interfaces ge-5/0/14 gigether-options redundant-parent reth1
set interfaces ge-5/0/15 gigether-options redundant-parent reth1
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
set interfaces reth1 unit 100 vlan-id 100
set interfaces reth1 unit 100 family inet address 10.X.Y.1/24
set interfaces reth1 unit 104 vlan-id 104
set interfaces reth1 unit 104 family inet address 10.X.Y.1/22
set interfaces reth1 unit 108 vlan-id 108
set interfaces reth1 unit 108 family inet address 10.X.Y.1/23
set interfaces reth1 unit 254 vlan-id 254
set interfaces reth1 unit 254 family inet address 10.X.Y.1/24

Cisco switch:
vlan 100
 name MGMT
vlan 104
 name whatever
vlan 108
 name whatever108
vlan 33
 name control
vlan 34
 name fabric
vlan 254
 name vlan254
!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
!
interface Port-channel20
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 33
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 34
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 33
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 34
 switchport mode access
!
interface GigabitEthernet0/37
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 10 mode active
!
interface GigabitEthernet0/38
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 10 mode active
!
interface GigabitEthernet0/47
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 20 mode active
!
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 20 mode active
!
interface Vlan100
 ip address 10.X.Y.50 255.255.255.0
!
ip default-gateway 10.X.Y.1
And here is how the devices are connected together:
Juniper SRX 240 primary side (SRX -> Cisco SW):
ge-0/0/0 -> GigabitEthernet0/1 (mgmt)
ge-0/0/1 -> GigabitEthernet0/2 (control)
ge-0/0/2 -> GigabitEthernet0/3 (fabric)
ge-0/0/14 -> GigabitEthernet0/37 (lacp)
ge-0/0/15 -> GigabitEthernet0/38 (lacp)
Juniper SRX 240 secondary:
ge-0/0/0 -> GigabitEthernet0/13 (mgmt)
ge-0/0/1 -> GigabitEthernet0/14 (control)
ge-0/0/2 -> GigabitEthernet0/15 (fabric)
ge-0/0/14 -> GigabitEthernet0/47 (lacp)
ge-0/0/15 -> GigabitEthernet0/48 (lacp)
So what am I missing? Are the fabric and control links not supposed to be access ports but rather trunk ports?
I'd appreciate any help, and thanks for your help in advance.
Best regards,
Tihi
On the switch, for the control and fab VLANs, disable IGMP snooping and set the MTU to 9014 (or the maximum available) to allow jumbo frames. This change needs to be made at the physical interface level on all member interfaces of the control and fab VLANs.
Putting the subnet in as a secondary is the easiest path to go. But you won't be able to satisfy your "..pointing to the same gateway .." requirement.
You might also face a bunch of limitations that a secondary subnet causes. As a prime example, you will have problems if you want to issue DHCP addresses on both subnets simultaneously.
I have done the configuration for dynamic VPN on an SRX 650 and am able to connect the user to the private network.
How can I restrict a user to getting the same IP address from the pool each time he connects?
regards
I have some confusion regarding IP-actions, which stop future attacks with matching attributes...
Why do I need to use it when the IDP policy itself stops the attack and records the target source address???
Hi !
IDP policy evaluation, going through all the rules, is quite a time- and CPU-cycle-consuming task.
If the same attack (same packet) comes in again and again, with IP-action the attack is stopped without further evaluation of the IDP rules.
(It is like a cached result you use before evaluating the packet further.)
regards
Alexander