If your SRX is in a cluster, please follow the KB shared by Steve; if you don't have a cluster, you can follow any of the URLs below.
https://www.fir3net.com/Firewalls/Juniper/juniper-srx-how-do-i-configure-lacp-8023ad.html
Replace interface type ge/fe with xe
Can you do a ping test with size 1500 and the do-not-fragment flag in both directions and check whether it works? If it fails in both directions, try reducing the size by 50 bytes and continue.
With the current config, what happens is that "192.168.1.211 + 192.168.1.213 + 192.168.1.218" together get the 2M cap. For example, if .211 is sending/receiving 1.5M of data, the other two will get only .5M.
So you have to create 3 separate terms in the firewall filter for these 3 IPs and apply the policer in each term.
Something like the below, applied in the output direction on the LAN interface:
set firewall filter Policer term 1 from destination-address 192.168.1.211/32
set firewall filter Policer term 1 then policer Limit-2M
set firewall filter Policer term 2 from destination-address 192.168.1.213/32
set firewall filter Policer term 2 then policer Limit-2M
set firewall filter Policer term 3 from destination-address 192.168.1.218/32
set firewall filter Policer term 3 then policer Limit-2M
set firewall filter Policer term 4 then accept
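A complete version of that filter, added here as an example and not taken from the post above: it adds the policer definition that the post references by name but does not show, a terminating accept in each policed term, and the binding of the filter to the interface. The LAN interface name ge-0/0/1 and the 25k burst size are assumptions; adjust both to your box.

```junos
## Added example (not from the thread): per-host 2 Mbps policing on an SRX LAN interface.
## Assumptions: LAN interface is ge-0/0/1 unit 0; burst-size-limit 25k suits the link.

## 1. Define the policer once. Junos policers are term-specific by default, so every
##    term that references Limit-2M gets its own token bucket. Do NOT add
##    "filter-specific" to this policer, or all three terms would share one 2M bucket,
##    which is exactly the behaviour described above.
set firewall policer Limit-2M if-exceeding bandwidth-limit 2m
set firewall policer Limit-2M if-exceeding burst-size-limit 25k
set firewall policer Limit-2M then discard

## 2. One term per host. Listing all three addresses in a single term would police
##    them as one aggregate flow.
set firewall filter Policer term host-211 from destination-address 192.168.1.211/32
set firewall filter Policer term host-211 then policer Limit-2M
set firewall filter Policer term host-211 then accept

set firewall filter Policer term host-213 from destination-address 192.168.1.213/32
set firewall filter Policer term host-213 then policer Limit-2M
set firewall filter Policer term host-213 then accept

set firewall filter Policer term host-218 from destination-address 192.168.1.218/32
set firewall filter Policer term host-218 then policer Limit-2M
set firewall filter Policer term host-218 then accept

## 3. Everything else passes unpoliced. Without this term the filter's implicit
##    discard would drop all other traffic on the interface.
set firewall filter Policer term allow-rest then accept

## 4. Bind in the output direction on the LAN interface, i.e. traffic towards the hosts.
set interfaces ge-0/0/1 unit 0 family inet filter output Policer
```

Commit with `commit confirmed` so a typo in the filter cannot black-hole the LAN, then check `show firewall filter Policer`: with term-specific policers you should see a separate counter per term rather than a single Limit-2M counter.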
Thanks for the reply.
The VPN endpoints don't run BGP. They aren't Juniper devices.
Any other suggestion?
Thanks,
João Victor
I studied Group VPN and have made a revision, but I don't get the idea of IP preservation.
How is it supposed to be an advantage? I think it is the opposite.
Making every host in my LAN have its own public IP is a waste of IP addresses.
Would someone please explain to me the advantage of IP preservation? Can I overcome it by using NAT?
Hi there,
Today my site-to-site connection was down and I checked some logs.
I found something weird; please tell me what it means.
Are the logs below normal? I can see a lot of failed root login attempts from IPs that I don't know.
Is anyone trying to hack my SRX device?
Jun 9 15:39:23 rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun 9 15:39:48 rotem_brazil_aqa sshd[3155]: Failed password for root from 116.31.116.27 port 62338 ssh2
Jun 9 15:39:48 rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun 9 15:39:53 rotem_brazil_aqa sshd[3155]: Received disconnect from 116.31.116.27: 11: [preauth]
Jun 9 15:40:23 rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun 9 15:40:53 rotem_brazil_aqa sshd[3160]: Failed password for root from 116.31.116.27 port 42071 ssh2
Jun 9 15:40:53 rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun 9 15:40:58 rotem_brazil_aqa sshd[3160]: Received disconnect from 116.31.116.27: 11: [preauth]
Jun 9 15:41:23 rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun 9 15:42:02 rotem_brazil_aqa sshd[3162]: Failed password for root from 116.31.116.27 port 17492 ssh2
Jun 9 15:42:02 rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun 9 15:42:07 rotem_brazil_aqa sshd[3162]: Received disconnect from 116.31.116.27: 11: [preauth]
Jun 9 15:42:23 rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun 9 15:42:28 rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '84.38.211.151'
Jun 9 15:42:28 rotem_brazil_aqa sshd[3164]: Failed password for root from 84.38.211.151 port 4869 ssh2
Jun 9 15:42:50 rotem_brazil_aqa sshd[3164]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jun 9 15:43:10 rotem_brazil_aqa sshd[3166]: Failed password for root from 116.31.116.27 port 49758 ssh2
Jun 9 15:43:10 rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun 9 15:43:15 rotem_brazil_aqa sshd[3166]: Received disconnect from 116.31.116.27: 11: [preauth]
Jun 9 15:43:23 rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun 9 15:44:17 rotem_brazil_aqa sshd[3168]: Failed password for root from 116.31.116.27 port 30031 ssh2
Jun 9 15:44:17 rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun 9 15:44:22 rotem_brazil_aqa sshd[3168]: Received disconnect from 116.31.116.27: 11: [preauth]
Jun 9 15:44:23 rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Kind regards.
Hello ,
The device is not booting and shows the following output. What can cause this error?
U-Boot 1.1.6-JNPR-2.1 (Build time: Nov 24 2011 - 05:13:40)
Initializing memory this may take some time...
Measured DDR clock 533.33 MHz
SRX_550 board revision major:1, minor:22, serial #: ACMW7502
OCTEON CN6335-AAP pass 2.2, Core clock: 1300 MHz, DDR clock: 533 MHz (1066 Mhz data rate)
DRAM: 2048 MB
Starting Memory POST...
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash: 8 MB
WARNING: Running from backup u-boot
USB: scanning bus for devices... 2 USB Device(s) found
scanning bus for storage devices... 1 Storage Device(s) found
Clearing DRAM...... done
BIST check passed.
PCIe: Initializing port 1
PCIe: Port 1 link active, 1 lanes, speed gen1
Warning!!!Last reboot reason 0x5 abnormal
Boot Media: usb internal-compact-flash
Net: octeth0
sil3132 command timed out
sil3132 soft reset command failed count=1
sil3132 command timed out
sil3132 soft reset command failed count=2
sil3132 command timed out
sil3132 soft reset command failed count=3
sil3132 command timed out
sil3132 soft reset command failed count=4
sil3132 command timed out
sil3132 soft reset command failed count=5
sil3132 command timed out
sil3132 soft reset command failed count=6
Hi rdgcatell,
The logs that you have shared show two things:
1. There were attempts to log in to the device from 116.31.116.27 and the other IPs seen in the logs, but they failed due to authentication failure.
2. Your license for Web filtering has expired.
Regarding your second query, if the connection is via VPN (as per my understanding), you should check the kmd logs and see whether the VPN had gone down.
Otherwise, if you have a file configured as 'any any' under syslog, that file would have information related to the connection going down.
Regarding the 3rd query, you can restart the VPN by restarting the IKE daemon:
> restart ipsec-key-management
However, this will restart any and all VPNs on the SRX.
HTH
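The failures in the log above are repeated root password guesses from Internet hosts, roughly one per minute, which is the signature of an automated SSH scanner. They only matter if root can actually log in over SSH on an Internet-facing interface. The following hardening is an added example, not part of the thread; the zone names untrust and mgmt and the admin subnet 192.0.2.0/24 are assumptions and should be replaced with your own.

```junos
## Added example (not from the thread): stop Internet-side root brute-forcing on an SRX.
## Assumptions: Internet zone is "untrust", management zone is "mgmt",
## administrators come from 192.0.2.0/24.

## 1. Root must never log in over SSH; use a named super-user account instead.
set system services ssh root-login deny
set system services ssh protocol-version v2
## Cap concurrent SSH sessions and new connection attempts per minute.
set system services ssh connection-limit 5
set system services ssh rate-limit 3

## 2. Disconnect after 3 bad passwords and lock the account for 10 minutes,
##    with a growing delay after the 2nd failure.
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login retry-options lockout-period 10

## 3. Do not offer SSH as a host-inbound service on the Internet zone at all;
##    keep it on the management zone only. (If the untrust zone has
##    "system-services all", replace that with an explicit list instead.)
delete security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone mgmt host-inbound-traffic system-services ssh

## 4. Belt and braces: a loopback filter that admits SSH only from the admin
##    subnet and logs anything else, regardless of the zone configuration.
set firewall filter protect-re term mgmt-ssh from source-address 192.0.2.0/24
set firewall filter protect-re term mgmt-ssh from protocol tcp
set firewall filter protect-re term mgmt-ssh from destination-port ssh
set firewall filter protect-re term mgmt-ssh then accept
set firewall filter protect-re term drop-ssh from protocol tcp
set firewall filter protect-re term drop-ssh from destination-port ssh
set firewall filter protect-re term drop-ssh then log
set firewall filter protect-re term drop-ssh then discard
set firewall filter protect-re term everything-else then accept
set interfaces lo0 unit 0 family inet filter input protect-re
```

Apply it with `commit confirmed 5` from a session on the management network, so a mistake in the lo0 filter rolls back instead of locking you out. Afterwards `show log messages | match SSHD_LOGIN_FAILED` should stop growing, `show firewall log` shows what the drop-ssh term is rejecting, and `show system login lockout` lists any accounts the retry-options have locked.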
Hi. We have an MX80 and I see the same log messages:
pfed: rtslib: ERROR Allocation Failure for (16384) bytes
pfed: rtslib: ERROR Failed to allocate new block of size 16384.
Must we restart the Juniper router? Or how can I restart the pfed process?
Thanks.
Hello,
IP header preservation mitigates the need for overlay routing. Because the IP header does not change, no additional routing needs to be taken into consideration.
Moreover, end-to-end QoS capabilities and multicast can be preserved.
When there is no private network (like MPLS), IP preservation is definitely not a good idea.
Regards,
Rushi
Hello,
Can you try the following:
If it does not work, it could be a potential hardware failure, so I suggest you open a case with TAC.
Regards,
Rushi
I have been working at an SP for a couple of months and I found that most companies and banks try hard not to advertise their local LAN IP addresses, by using L2 VPN for example, and I think all companies use NAT and will not assign public IP addresses to the local hosts, right? And I don't really see the advantage of making each host in my LAN have a public IP; that is a waste of IP addresses.
But what is wrong with overlay routing?
And why is Group VPN not good when dealing with a non-MPLS network?
Hello,
No IP address changes. No extra (NATed) IPs to be routed. So the existing routing is sufficient.
You can use Group VPN even in a non-MPLS network.
Regards,
Rushi
I think it is the concept of the word "preserve" that is problematic. The word does not indicate saving IP addresses, but maintaining or keeping the same original IP address, hence the word preserve. And as indicated by the others who have responded, this is the explanation from the Juniper docs:
"The group members use the Encapsulating Security Payload (ESP) protocol in tunnel mode to secure the traffic. However, in Group VPN the tunnel mode is modified. Because there is no direct association between the group members, it is not necessary to use special IP addresses in the outer IP header (that is, IP addresses of IPsec gateways). Every group member can decrypt the traffic of every other group member. Thus, the inner IP-Header is copied to the outer IP-Header, and the underlying routing infrastructure and QoS infrastructure can be used. This feature is called Header Preservation."
The other thing is to look at this feature as one of many features that offer flexibility in different environments. Just because this feature is available does not mean it should be considered for use, or that a way to use it should be found. So in an environment where the devices are using public addresses and they wish to deploy VPNs in a mesh, this is suitable. In environments using NAT, IPsec VPN is suitable, and so forth. When evaluating features, look at the environment first and what you need, then search for the feature to meet that goal. It would be a stress on the brain to look at a feature first and then try to formulate a plan to use it, or speculate how I can use this in my environment, and if it can't be used, then, as some have done, question the usefulness of such a feature and why it can't be modified for use in my environment. Not saying this is the case, but just expanding on the logical follow-up discussion.
Thanks for your recommendation!
But I want to know the NAT source and destination rule set.
If I have a source NAT rule 192.168.100.3 -> 172.20.18.33,
would I add one more rule, 192.168.100.3 -> 172.20.20.88?
Can the 2 rules be active at the same time or not?
Thanks!
You can have the same address NAT to two different IP addresses, but only if you are also specifying specific ports for each NAT rule. Otherwise only the first rule in the NAT group will be hit.
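A source NAT configuration for the two translations asked about, added here as an example and not taken from the thread. Junos evaluates the rules in a rule-set top-down and applies the first match, so two rules whose only match condition is source-address 192.168.100.3 would never both be used; the second rule needs a distinguishing condition such as destination-address or destination-port. The zone names trust and untrust and the destination prefixes 10.10.18.0/24 and 10.10.20.0/24 are assumptions.

```junos
## Added example (not from the thread): one inside host, two different translated
## addresses, selected by destination. Assumptions: zones "trust" and "untrust",
## destinations 10.10.18.0/24 and 10.10.20.0/24.

## Two single-address pools, one per translated address.
set security nat source pool pool-18-33 address 172.20.18.33/32
set security nat source pool pool-20-88 address 172.20.20.88/32

## Both rules live in the same rule-set and are evaluated in order.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust

## Rule 1: traffic from the host to 10.10.18.0/24 leaves as 172.20.18.33.
set security nat source rule-set trust-to-untrust rule to-18-33 match source-address 192.168.100.3/32
set security nat source rule-set trust-to-untrust rule to-18-33 match destination-address 10.10.18.0/24
set security nat source rule-set trust-to-untrust rule to-18-33 then source-nat pool pool-18-33

## Rule 2: traffic from the same host to 10.10.20.0/24 leaves as 172.20.20.88.
## Without the destination-address condition this rule would shadow nothing and
## rule 1 (or this one, whichever is first) would always win.
set security nat source rule-set trust-to-untrust rule to-20-88 match source-address 192.168.100.3/32
set security nat source rule-set trust-to-untrust rule to-20-88 match destination-address 10.10.20.0/24
set security nat source rule-set trust-to-untrust rule to-20-88 then source-nat pool pool-20-88
```

If the split must be by service rather than by destination network, replace the destination-address conditions with `match destination-port` values. Verify with `show security nat source rule all` (translation hit counters per rule) and `show security flow session source-prefix 192.168.100.3`, which shows the translated address in use for each live session. If a pool address is on the same subnet as the untrust interface, the SRX also needs `set security nat proxy-arp` for it so that it answers ARP for the translated address.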
I'm unclear on how to exclude a single IP from a security policy (without creating a duplicate policy with reject). How do I match any IP except for one in a security policy?
Is this the correct way to get this working?:
policy my-security-policy {
    match {
        source-address any;
        source-address-excluded block-this-ip;
        destination-address endpoint1;
        application [ http https ];
    }
    then {
        accept;
        count;
    }
}
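An added example (not from the post above) of the excluded-address form of this policy, written as set commands. In Junos, source-address-excluded is a flag with no argument: the policy lists the addresses to exclude under source-address and the flag negates that list, so "any" is not needed. The policy action is permit rather than accept, and the built-in applications are junos-http and junos-https. The zones trust and untrust, the global address book, and the addresses 192.0.2.10 and 198.51.100.20 are assumptions. Check that your Junos release supports the source-address-excluded flag before relying on it.

```junos
## Added example (not from the thread): permit HTTP/HTTPS to endpoint1 from
## every source except block-this-ip. Assumptions: zones "trust" -> "untrust",
## global address book, block-this-ip = 192.0.2.10, endpoint1 = 198.51.100.20.

set security address-book global address block-this-ip 192.0.2.10/32
set security address-book global address endpoint1 198.51.100.20/32

## List the address to exclude, then negate the list with the flag.
set security policies from-zone trust to-zone untrust policy my-security-policy match source-address block-this-ip
set security policies from-zone trust to-zone untrust policy my-security-policy match source-address-excluded
set security policies from-zone trust to-zone untrust policy my-security-policy match destination-address endpoint1
set security policies from-zone trust to-zone untrust policy my-security-policy match application junos-http
set security policies from-zone trust to-zone untrust policy my-security-policy match application junos-https
set security policies from-zone trust to-zone untrust policy my-security-policy then permit
set security policies from-zone trust to-zone untrust policy my-security-policy then count
```

`show security policies policy-name my-security-policy detail` shows the source list marked as excluded; traffic from 192.0.2.10 then falls through to whatever policy follows (or the default deny), which is the behaviour the separate reject policy would otherwise have provided.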
Hi
I have a problem with the web interface configuration. I am not able to connect to web management.
Every time I get: Interface is not authorized for HTTP access
Device: SRX240 (JUNOS Software Release [12.1X44-D30])
web-management {
    http {
        port 80;
        interface vlan.201;
    }
    https {
        port 443;
        system-generated-certificate;
        interface vlan.201;
    }
}
show configuration interfaces vlan.201
family inet {
    sampling {
        input;
        output;
    }
    address 10.15.1.1/24;
}
...iguration security zones security-zone PT-ZA-mgmt
address-book {
    address za-mgmt-range 10.15.1.0/24;
}
host-inbound-traffic {
    system-services {
        ssh;
        ping;
        snmp;
        http;
        https;
    }
    protocols {
        all;
    }
}
interfaces {
    vlan.201 {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                snmp;
                http;
                https;
            }
            protocols {
                all;
            }
        }
    }
}
rules are any to any
Thanks for help
OK, solved.
The interface st0.0 (tunnel to branch) was missing under system-services.