Yes, IP monitoring can be configured on reth interfaces.
When you create the cluster with only one fabric link, what is the output of these:
show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics
And what is the fabric configuration:
show configuration interface fab0
show configuration interface fab1
Quotas on logical systems are generally configured limits. Check what you have in profiles here:
show configuration system security-profile
Starting with 15.1x49D80 you can now get SSL VPN on certain models of SRX. The details are here.
Hi Patryk,
I didn't know that VRRP is not supported on reth interfaces. Sorry for confusing you.
If you really need L2 across data centers the only solution that I can think of is single cluster with one node in DC1 and second node in DC2.
Regards, Wojtek
1500 bytes is the maximum packet size that can be captured (so no jumbo frames). By default, maximum-capture-size is the first 68 bytes of the packet.
The whole capture can be at most 10000 files of 100MB each.
Regards, Wojtek
This turned out to be a DNS issue.
Hi all,
I seem to be having a peculiar issue.
Namely, I have a functioning IKEv2 negotiated IPsec VPN between an SRX240 (running 12.3X48-D45.6) and an ASAv.
The problem occurs when I try to add a subnet to the crypto ACL on the Cisco side (access-list CRYPTO-MAP permit a.b.c.0 0.0.0.255). The VPN stays UP but the SRX spawns log messages as though the VPN were failing to negotiate.
Any insights would be greatly appreciated.
Here are the configs on the SRX side:
# show security ike policy ANYCONN_DELIVERY_VPN
mode main;
proposals AES256_SHA1_G2;
pre-shared-key ascii-text "$9$-wd2aji.5z6qm6Au1yrLxNdYgaZUH.PJZ9A"; ## SECRET-DATA
# show security ike gateway ANYCONN_DELIVERY_VPN
ike-policy ANYCONN_DELIVERY_VPN;
address 10.2.1.97;
external-interface reth1.3000;
version v2-only;
# show security ipsec vpn ANYCONN_DELIVERY_VPN
bind-interface st0.0;
ike {
    gateway ANYCONN_DELIVERY_VPN;
    proxy-identity {
        local 0.0.0.0/0;
        remote 0.0.0.0/0;
    }
    ipsec-policy ANYCONN_DELIVERY_VPN;
}
establish-tunnels immediately;
# show interfaces st0 unit 0
description ASAv-ANYCONNECT-DELIVERY;
family inet;
# show security ipsec policy ANYCONN_DELIVERY_VPN
perfect-forward-secrecy {
    keys group2;
}
proposals ESP_AES256_SHA1;
# show routing-instances ANYCONNECT_VR routing-options
static {
    route 10.10.86.0/24 next-hop st0.0;
    route 0.0.0.0/0 next-hop p.u.b.l.i.c;
    route 10.62.25.0/24 next-hop st0.0;
}
The Cisco side
crypto map inside_map0 1 match address CRYPTO-MAP0
crypto map inside_map0 1 set pfs
crypto map inside_map0 1 set peer 10.2.1.1
crypto map inside_map0 1 set ikev2 ipsec-proposal AES256
crypto map inside_map0 interface inside
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
access-list CRYPTO-MAP0; 1 elements; name hash: 0xc5493e5f
access-list CRYPTO-MAP0 line 1 extended permit ip 10.10.86.0 255.255.255.0 any4 (hitcnt=8255) 0x362e2cfe
access-list CRYPTO-MAP0 line 1 extended permit ip 10.62.25.0 255.255.255.0 any4 (hitcnt=35) 0xd1ac230b
tunnel-group 10.2.1.1 type ipsec-l2l
tunnel-group 10.2.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
------------------------------------------------------------------------------------------------
The SRX according to the IKE debugs, seems to be coughing up blood with regards to the P2 SA.
Here is an excerpt of the debug:
ikev2_state_child_responder_in_sa: Calling select_ipsec_sa
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Selecting IPSec SA payload for local:10.2.1.1 remote:10.2.1.97IKEv2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Peer's proposed IPSec SA payload is SA([0](id = 1) protocol = ESP (3), spi_len = 4, spi = 0x51827d72, AES CBC key len = 256, HMAC-SHA1-96, HMAC-MD5-96, 1024 bit MODP, No ESN; )
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Inside iked_pm_phase2_sa_cfg_lookup
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_ts_allocate: Allocated ts 0x1142220, ref_cnt 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_ts_allocate: Allocated ts 0x11422e0, ref_cnt 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Peer's proposed traffic selectors is his local: none() his remote: none()
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Peer's proposed ts_r local_in_ts: ipv4(10.62.24.5),ipv4(0.0.0.0-255.255.255.255) ts_i remote_in_ts: ipv4(10.62.25.1),ipv4(10.62.25.0-10.62.25.255)
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Configured traffic selectors is local: ipv4(0.0.0.0-255.255.255.255) Remote: ipv4(0.0.0.0-255.255.255.255)
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_ts_allocate: Allocated ts 0x1142380, ref_cnt 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_ts_free: ts 0x1142380, ref_cnt 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_ts_allocate: Allocated ts 0x1142380, ref_cnt 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_ts_free: ts 0x1142380, ref_cnt 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_ts_free: ts 0x1142220, ref_cnt 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_ts_free: ts 0x11422e0, ref_cnt 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Found SA-CFG ANYCONN_DELIVERY_VPN by ip address for local:10.2.1.1, remote:10.2.1.97 IKEv2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Found SA-CFG ANYCONN_DELIVERY_VPN for phase 2 for local:10.2.1.1, remote:10.2.1.97 IKEv2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Configured IPSec SA payload is SA([0](id = 1) protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 256, HMAC-SHA1-96, 1024 bit MODP, No ESN; )
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_sa_select: SA_SELECT: Selecting IKEv2 proposal.
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_sa_select: SA_SELECT: Considering policy proposal 1 and input proposal 1.
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Considering policy transform type 1, id 12 attribute 256
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Selected matching input transform index 0
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_select_proposal_transforms: SA_SELECT: Selecting transform type 1 id 12 attribute 256.
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Considering policy transform type 3, id 2 attribute 0
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Skipping input transform index 0 of type 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Selected matching input transform index 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_select_proposal_transforms: SA_SELECT: Selecting transform type 3 id 2 attribute 0.
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Considering policy transform type 4, id 2 attribute 0
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Skipping input transform index 0 of type 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Skipping input transform index 1 of type 3
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Skipping input transform index 2 of type 3
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Selected matching input transform index 3
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_select_proposal_transforms: SA_SELECT: Selecting transform type 4 id 2 attribute 0.
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Considering policy transform type 5, id 0 attribute 0
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Skipping input transform index 0 of type 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Skipping input transform index 1 of type 3
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Skipping input transform index 2 of type 3
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Skipping input transform index 3 of type 4
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_find_matching_transform_index: SA_SELECT: Selected matching input transform index 4
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_select_proposal_transforms: SA_SELECT: Selecting transform type 5 id 0 attribute 0.
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_ikev2_sa_select: SA_SELECT: Proposal 1 chosen.
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Setting lifetime 86400 and lifesize 0 for IPSec SA
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_select_sa_reply: [1012000/1115c00] SA selected successfully
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_state_child_responder_in_ts: Calling narrow
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_pm_ike_narrow_traffic_selectors: Not a CP tunnel, TS Narrow not needed
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_reply_cb_child_responder_narrow: [1012000/1115c00] Traffic selectors narrowed successfully
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_reply_packet_allocate: [1012000/1115c00] Allocating reply packet
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_packet_allocate: Allocated packet 1013800 from freelist
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_packet_allocate: [1013800/0] Allocating
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ssh_set_thread_debug_info: ikev2_reply_packet_allocate: set thread debug info - local 10.2.1.1 remote 10.2.1.97 neg 0x0 neg->ike_sa 0x0 ike_sa 0x1115c00
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_reply_packet_allocate: [1012000/0] Allocated reply packet
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_udp_window_update: Window update (fwd=111d3a0, rev=111d300): m-id 203 R; sent
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_udp_window_make_space: Free old packet 1010c00.
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_packet_done: [1010c00/0] Scheduling packet (m-id=202) to be freed
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_packet_done: [1010c00/0] Not destroyed; running to end state and terminating there.
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_udp_window_update: Packet in window (or cause slide): m-id 203 left 203 right 203 size 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_ha_check_ike_sa_activeness_by_rg_id:RG 1 is active on this chassiss
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_prepare_phase1_mod_msg: window_i_to_r Req 0(203,203) and Rep 0(0,0)
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_prepare_phase1_mod_msg: window_r_to_i Req 0(0,0) and Rep 0(203,203)
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Updating Phase 1 mod blob for cookie SPI-I f826c4e1 72141c0c
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_udp_window_update: Stored packet into window 111d3a0
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_packet_destroy: [1012000/0] Destructor
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_packet_destroy: [1010c00/0] Destructor
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_packet_free: [1010c00/0] Freeing
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_state_child_responder_out_sa: [1013800/1115c00] Adding SAr2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_create_nonce_and_add: [1013800/1115c00] Adding NONCE
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_add_ke: [1013800/1115c00] Starting Diffie-Hellman using group = 2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_dh_get_group: DH Group type dl-modp
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_dh_get_group: DH Group size 1024
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_dh_get_group: DH Group 2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_dh_generate_sync: Requested DH group 2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_add_ke_dh_setup_cb: [1013800/1115c00] Diffie-Hellman done using group = 2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_add_ke_dh_setup_cb: [1013800/1115c00] Adding KEi
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_dh_generate: Generated DH keys using hardware for DH group 2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] juniper_dlp_diffie_hellman_generate_async: DH Generate Secs [0] USecs [9571]
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] juniper_dlp_diffie_hellman_generate_async: Generated DH using hardware
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_state_child_responder_out_ts: [1013800/1115c00] Adding TSi
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_state_child_responder_out_ts: [1013800/1115c00] Adding TSr
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_add_notify: Calling notify_request
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_pm_ike_spd_notify_request Parse notification paylad in last received pkt
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Parsing notification payload for local:10.2.1.1, remote:10.2.1.97 IKEv2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_reply_cb_notify_request: [1013800/1115c00] No more notifies
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_add_vid: Calling vendor_id_request
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_reply_cb_vid_request: [1013800/1115c00] No more VIDs
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_add_private_payload: Calling private_payload_request
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Construction NHTB payload for local:10.2.1.1, remote:10.2.1.97 IKEv2 P1 SA index 359633 sa-cfg ANYCONN_DELIVERY_VPN
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg ANYCONN_DELIVERY_VPN, p1_sa=359633
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_reply_cb_private_payload_request: [1013800/1115c00] No more private payloads
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_dh_get_group: DH Group type dl-modp
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_dh_get_group: DH Group size 1024
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_dh_get_group: DH Group 2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_dh_compute_synch: Requested DH group 2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Peer public key has length 128
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] juniper_dlp_diffie_hellman_final_async: DH Compute Secs [0] USecs [8149]
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] juniper_dlp_diffie_hellman_final_async: Computed DH using hardware
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_state_child_responder_out_install: Calling ipsec_sa_install
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_pm_ipsec_sa_install: local:10.2.1.1, remote:10.2.1.97 IKEv2 for SA-CFG ANYCONN_DELIVERY_VPN, rekey-ikev2:no
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Parsing notification payload for local:10.2.1.1, remote:10.2.1.97 IKEv2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_update_sa_cfg_port sa_cfg(ANYCONN_DELIVERY_VPN) local_port(0) and remote_port(500)
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] (iked_pm_ipsec_sa_install): Duplicate CREATE_CHILD_SA Received for local:10.2.1.1, remote:10.2.1.97 , IKEv2 , SA-CFG ANYCONN_DELIVERY_VPN Existing Child SA count: 2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Sending NO_ADDITIONAL_SA notification
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_pm_ipsec_sa_install: ipsec sa install error 1
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] iked_pm_ipsec_sa_install: Setting tunnel-event Internal Error: IPSec SA installation failed for P1-SA 359633
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_error: [1013800/1115c00] Moving to error state, error = 35
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_reply_cb_child_responder_install: [1013800/1115c00] Error: IPsec SA install failed: 35
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_state_error: [1013800/1115c00] Negotiation failed because of error No additional SAs (35)
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_do_cleanup: [1013800/1115c00] Calling IPsec SA done callback with error
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_do_cleanup: Calling ipsec_sa_done
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Inside iked_pm_ipsec_sa_done
Spuluka,
I saw this; however, I am naive on this. I thought that for SSL VPN, it would require the client to have SSL certs it must present to the RAS when connecting; I did not see any such configuration. Moreover, it showed that it was still an IPsec VPN connection being made.
BTW they are ending support for the ncp client on Juniper next year. https://www.ncp-e.com/en/products/ipsec-vpn-client-suite/juniper-vpn-client/ So sad
I have problems spreading DHCP to a switch on an SRX 300 so I can provide DHCP to an AP with three VLANs travelling on the ge-0/0/4 port. At the beginning I did not propagate the VLANs through the port, but after I change the SRX to switch mode and start to spread the VLANs, the DHCP and the pool are already allocated and the DHCP is bound to port ge-0/0/2, but the DHCP does not work. Any idea what happens with the SRX300?
Regards
Can you please provide the configuration you are using? I have gotten DHCP working on my SRX 300 with vlans.
dhcp {
    traceoptions {
        file dhcp.dbg;
        flag all;
    }
    pool 192.168.230.192/27 {
        address-range low 192.168.230.194 high 192.168.230.222;
        maximum-lease-time 600;
        default-lease-time 600;
        name-server {
            8.8.8.8;
            4.2.2.2;
        }
        domain-search {
            wirelessd;
        }
        router {
            192.168.230.193;
        }
    }
    pool 192.168.230.224/27 {
        address-range low 192.168.230.226 high 192.168.230.254;
        maximum-lease-time 600;
        default-lease-time 600;
        name-server {
            8.8.8.8;
        }
        domain-search {
            Wirelessc;
        }
        router {
            192.168.230.225;
        }
    }
    pool 192.168.230.160/28 {
        address-range low 192.168.230.162 high 192.168.230.174;
        maximum-lease-time 86400;
        default-lease-time 86400;
        name-server {
            8.8.8.8;
            4.2.2.2;
        }
        domain-search {
            arrendadora;
        }
        router {
            192.168.230.161;
        }
    }
    pool 192.168.230.176/28 {
        address-range low 192.168.230.178 high 192.168.230.190;
        maximum-lease-time 86400;
        default-lease-time 86400;
        name-server {
            8.8.8.8;
            4.2.2.2;
        }
        domain-search {
            proveedores;
        }
        router {
            192.168.230.177;
        }
    }
    propagate-settings ge-0/0/2;
ge-0/0/4.0 {
    host-inbound-traffic {
        system-services {
            ssh;
            all;
        }
        protocols {
            all;
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/3.0;
            interface st0.0 {
                interface-type p2p;
                priority 10;
            }
            interface st0.1;
        }
        area 0.0.0.1 {
            interface irb.11;
            interface irb.12;
            interface irb.13;
            interface irb.14;
            interface irb.15;
            interface ge-0/0/0.0;
        }
    }
    l2-learning {
        global-mode switching;
I would recommend trying JDHCP instead of DHCP.
set system services dhcp-local-server group wirelessd interface irb.x
set system services dhcp-local-server group wirelessc interface irb.y
set system services dhcp-local-server group arrendadora interface irb.z
...
set access address-assignment pool wirelessd family inet network 192.168.230.192/27
set access address-assignment pool wirelessd family inet range low low 192.168.230.194
set access address-assignment pool wirelessd family inet range low high 192.168.230.222
set access address-assignment pool wirelessd family inet dhcp-attributes domain-name wirelessd
set access address-assignment pool wirelessd family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool wirelessd family inet dhcp-attributes name-server 4.2.2.2
set access address-assignment pool wirelessd family inet dhcp-attributes router 192.168.230.193
etc. Make sure that the pool name matches the group in dhcp-local-server.
I am migrating a Sonicwall TZ to a SRX240 using Comcast as the ISP. On the Sonicwall the DHCPv6 client was configured to send a preferred prefix and as a result my prefix never changed. However with the SRX, every time I restart the router the prefix changes. This forces me to update my router advertisements, external DNS, and restart all my devices internally. Does the SRX have a way to request a prefix using the DHCPv6 client?
This is my interface configuration. The idea is that Comcast should give me a class 60 that I carve into class 64 networks for each of my internal VLANs.
family inet6 {
    dhcpv6-client {
        client-type statefull;
        client-ia-type ia-pd;
        rapid-commit;
        prefix-delegating {
            preferred-prefix-length 60;
        }
        client-identifier duid-type duid-ll;
    }
}
Thanks for the help.
It has been a few months since I troubleshot VPN on the SRX, so I'm not sure about what I see in your logs.
But since the SRX does not allow several traffic-selectors on IKEv2 (you need 15.x software for that, on an SRX300 or similar new hardware), you need to have a 0.0.0.0 network on both sides, since there will only be 1 tunnel to process traffic.
It looks like you have 2 networks on the Cisco side, so that should cause the VPN to try to establish two SAs.
Adding 0.0.0.0 on both sides and making a route for the networks that you want to go into the st0.x interface might solve your issue.
Also, check this one, not sure if the issue is with IKEv2 as well:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB20543
GL!
//Rob
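As an added example that is not part of any post in this thread, a small Python triage script for the iked debug excerpt above: it splits a dump that was pasted onto one line back into entries, pulls out the peer-proposed and configured traffic selectors, and reports the NO_ADDITIONAL_SA rejection that Rob's explanation points to. The sample lines are a constructed subset of the posted debug; the verdict text is this example's own wording.

```python
"""Triage an SRX iked IKEv2 debug excerpt for a rejected CREATE_CHILD_SA."""
import re
from typing import Dict, List

# Constructed sample: a subset of the entries from the posted debug, one per line.
SAMPLE_DEBUG = """\
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Peer's proposed ts_r local_in_ts: ipv4(10.62.24.5),ipv4(0.0.0.0-255.255.255.255) ts_i remote_in_ts: ipv4(10.62.25.1),ipv4(10.62.25.0-10.62.25.255)
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Configured traffic selectors is local: ipv4(0.0.0.0-255.255.255.255) Remote: ipv4(0.0.0.0-255.255.255.255)
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] (iked_pm_ipsec_sa_install): Duplicate CREATE_CHILD_SA Received for local:10.2.1.1, remote:10.2.1.97 , IKEv2 , SA-CFG ANYCONN_DELIVERY_VPN Existing Child SA count: 2
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] Sending NO_ADDITIONAL_SA notification
[Aug 3 09:15:55][10.2.1.1 <-> 10.2.1.97] ikev2_state_error: [1013800/1115c00] Negotiation failed because of error No additional SAs (35)
"""

# Every entry starts with "[Mon d HH:MM:SS][local <-> remote]"; a dump pasted onto
# one line (as in the post) can be split back apart on that marker.
ENTRY_START = re.compile(r"(?=\[[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\]\[)")
# ipv4(a.b.c.d) or ipv4(a.b.c.d-w.x.y.z)
TS_RE = re.compile(r"ipv4\(([0-9.]+)(?:-([0-9.]+))?\)")


def split_entries(raw: str) -> List[str]:
    """Split a debug dump into entries, whether it has newlines or not."""
    return [p.strip() for p in ENTRY_START.split(raw) if p.strip()]


def parse_selectors(text: str) -> List[str]:
    """Return the ipv4 selectors in text as 'addr' or 'low-high' strings."""
    return [f"{lo}-{hi}" if hi else lo for lo, hi in TS_RE.findall(text)]


def verdict(r: Dict[str, object]) -> str:
    """Turn the collected facts into a one-line diagnosis."""
    single_any = r["configured_remote_ts"] == ["0.0.0.0-255.255.255.255"]
    if r["notify"] == "NO_ADDITIONAL_SA":
        msg = (f"peer requested another child SA for {r['peer_remote_ts']} while "
               f"{r['existing_child_sa']} child SA(s) already exist; gateway replied "
               "NO_ADDITIONAL_SA")
        if single_any:
            msg += (" - this VPN is configured with a single 0.0.0.0/0 selector pair, so "
                    "only one tunnel is accepted: collapse the peer's crypto ACL to one "
                    "any/any entry and route the subnets into st0, or use multiple "
                    "traffic-selectors where the release supports them")
        return msg
    if r["error_code"] is not None:
        return f"child SA negotiation failed with IKEv2 error {r['error_code']}"
    return "no child SA failure found in this excerpt"


def triage(raw: str) -> Dict[str, object]:
    """Collect, from the debug entries, the facts that decide why the child SA was refused."""
    r: Dict[str, object] = {
        "peer_remote_ts": [],
        "configured_remote_ts": [],
        "existing_child_sa": None,
        "notify": None,
        "error_code": None,
    }
    for e in split_entries(raw):
        if "Peer's proposed ts_r" in e and "remote_in_ts:" in e:
            r["peer_remote_ts"] = parse_selectors(e.split("remote_in_ts:", 1)[1])
        elif "Configured traffic selectors" in e and "Remote:" in e:
            r["configured_remote_ts"] = parse_selectors(e.split("Remote:", 1)[1])
        elif "Existing Child SA count:" in e:
            m = re.search(r"Existing Child SA count: (\d+)", e)
            r["existing_child_sa"] = int(m.group(1)) if m else None
        elif "Sending " in e and e.endswith(" notification"):
            r["notify"] = e.split("Sending ", 1)[1].rsplit(" notification", 1)[0]
        elif "Negotiation failed because of error" in e:
            m = re.search(r"\((\d+)\)$", e)
            r["error_code"] = int(m.group(1)) if m else None
    r["verdict"] = verdict(r)
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```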
I think you are confusing authentication methods with actual connection protocol.
SSL VPN means that the actual tunnel connection uses tcp 443 between the client and the server. That is what is now available on the SRX instead of making the connection on UDP 4500 the IPSEC VPN standard.
Client certificates are an authentication method that can be used either instead of or along with other methods to authorize the tunnel connection. These can be used on either SSL or IPSEC tunnels as an authentication option.
Hi,
I have a very strange issue with an SRX4100 configured as an Active/Passive cluster. The LED status is blinking red, then goes green for a short while and goes back to blinking red. I know that it is a non-critical alarm, but the client wanted it addressed and I can't get it to go away. Below is the cluster configuration. Any help would be appreciated.
Do the switch ports need to be aggregated to accommodate the child interfaces of the reth? (No link aggregation is currently configured on the switch.)
Thanks in advance.
root@MTMFW01> show configuration chassis cluster
reth-count 8;
redundancy-group 0 {
    node 0 priority 100;
    node 1 priority 1;
}
redundancy-group 1 {
    node 0 priority 100;
    node 1 priority 1;
}
********************************
{primary:node0}
root@MTMFW01> show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 1
node0 100 primary no no None
node1 1 secondary no no None
Redundancy group: 1 , Failover count: 1
node0 100 primary no no None
node1 1 secondary no no None
{primary:node0}
root@MTMFW01>
**********************************
root@MTMFW01> show chassis cluster interfaces
Control link status: Up
Control interfaces:
Index Interface Monitored-Status Internal-SA Security
0 em0 Up Disabled Disabled
Fabric link status: Up
Fabric interfaces:
Name Child-interface Status Security
(Physical/Monitored)
fab0 xe-0/0/8 Up / Up Disabled
fab0
fab1 xe-7/0/8 Up / Up Disabled
fab1
Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth1 Up 1
reth2 Up 1
reth3 Up 1
reth4 Up 1
reth5 Down Not configured
reth6 Down Not configured
reth7 Up 1
Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0
*********************************
root@MTMFW01> show chassis cluster statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 188878
Heartbeat packets received: 186597
Heartbeat packet errors: 0
Fabric link statistics:
Child link 0
Probes sent: 374487
Probes received: 373725
Child link 1
Probes sent: 0
Probes received: 0
Services Synchronized:
Service name RTOs sent RTOs received
Translation context 0 0
Incoming NAT 0 0
Resource manager 0 0
DS-LITE create 0 0
Session create 73043 0
IPv6 session create 0 0
Session close 31738 0
IPv6 session close 0 0
Session change 2269 0
IPv6 session change 0 0
ALG Support Library 0 0
Gate create 0 0
Session ageout refresh requests 0 3267
IPv6 session ageout refresh requests 0 0
Session ageout refresh replies 3208 0
IPv6 session ageout refresh replies 0 0
IPSec VPN 0 0
Firewall user authentication 0 0
MGCP ALG 0 0
H323 ALG 0 0
SIP ALG 0 0
SCCP ALG 0 0
PPTP ALG 0 0
JSF PPTP ALG 0 0
RPC ALG 0 0
RTSP ALG 0 0
RAS ALG 0 0
MAC address learning 0 0
GPRS GTP 0 0
GPRS SCTP 0 0
GPRS FRAMEWORK 0 0
JSF RTSP ALG 0 0
JSF SUNRPC MAP 0 0
JSF MSRPC MAP 0 0
DS-LITE delete 0 0
JSF SLB 0 0
APPID 181 0
JSF MGCP MAP 0 0
JSF H323 ALG 0 0
JSF RAS ALG 0 0
JSF SCCP MAP 0 0
JSF SIP MAP 0 0
PST_NAT_CREATE 0 0
PST_NAT_CLOSE 0 0
PST_NAT_UPDATE 0 0
JSF TCP STACK 0 0
JSF IKE ALG 0 0
{primary:node0}
************************************************************
root@MTMFW01> show log jsrpd | last 100
Aug 4 08:31:30 printing fpc_num h4
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface reth4 is up
Aug 4 08:31:30 reth4 from jsrpd_ssam_reth_read reth_rg_id=1
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-7/0/4 is up
Aug 4 08:31:30 printing fpc_num h5
Aug 4 08:31:30 Interface reth5 is going down
Aug 4 08:31:30 reth5 jsrpd not ready
Aug 4 08:31:30 Handle signal SIGCHLD
Aug 4 08:31:30 printing fpc_num h6
Aug 4 08:31:30 Interface reth6 is going down
Aug 4 08:31:30 reth6 jsrpd not ready
Aug 4 08:31:30 printing fpc_num h7
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface reth7 is up
Aug 4 08:31:30 reth7 from jsrpd_ssam_reth_read reth_rg_id=1
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-0/0/0 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-0/0/1 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-0/0/2 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-0/0/3 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-0/0/4 is up
Aug 4 08:31:30 printing fpc_num 0
Aug 4 08:31:30 Interface xe-0/0/5 is going down
Aug 4 08:31:30 printing fpc_num 0
Aug 4 08:31:30 Interface xe-0/0/6 is going down
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-0/0/7 is up
Aug 4 08:31:30 printing fpc_num 0
Aug 4 08:31:30 fab0 child xe-0/0/8 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-0/0/8 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-7/0/0 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-7/0/1 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-7/0/2 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-7/0/3 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-7/0/4 is up
Aug 4 08:31:30 printing fpc_num 7
Aug 4 08:31:30 Interface xe-7/0/5 is going down
Aug 4 08:31:30 printing fpc_num 7
Aug 4 08:31:30 Interface xe-7/0/6 is going down
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-7/0/7 is up
Aug 4 08:31:30 printing fpc_num 7
Aug 4 08:31:30 fab1 child xe-7/0/8 is up
Aug 4 08:31:30 jsrpd_ifd_msg_handler: Interface xe-7/0/8 is up
Aug 4 11:50:13 ISSU state: 0
Aug 4 11:50:13 Error he.re.mcluster_ha_secure Sucess
Aug 4 11:50:26 ISSU state: 0
Aug 4 13:25:23 last message repeated 9 times
Aug 4 13:25:23 received SIGHUP, pid 1516
Aug 4 13:25:23 received SIGHUP - re-reading configuration, pid 1516
Aug 4 13:25:23 successfully set default traceoptions cfg
Aug 4 13:25:23 reading the cluster part of the config
Aug 4 13:25:23 reading the cluster member list
Aug 4 13:25:23 reading the cluster attributes
Aug 4 13:25:23 initial hold set to: 30
Aug 4 13:25:23 hardware monitoring is enabled
Aug 4 13:25:23 fabric monitoring is enabled
Aug 4 13:25:23 RG-0 failover for HW errors is enabled
Aug 4 13:25:23 schedule monitoring is disabled
Aug 4 13:25:23 Failover for loopback error is disabled
Aug 4 13:25:23 Failover for fabric nexthop error is disabled
Aug 4 13:25:23 Failover for mbuf error is disabled
Aug 4 13:25:23 data plane mode is active-active
Aug 4 13:25:23 fwdd monitoring is disabled
Aug 4 13:25:23 fabric time out is set to 0
Aug 4 13:25:23 control link recovery is disabled
Aug 4 13:25:23 ha-config-sync: feature knob is not set. Default to enabled
Aug 4 13:25:23 deleting rd ifd6 from ssam. Result = failed, 2
Aug 4 13:25:23 deleting rd ifd0 from ssam. Result = failed, 2
Aug 4 13:25:23 last message repeated 30 times
Aug 4 13:25:23 Current threshold for rg-1 is 255. Failures: none
Aug 4 13:25:23 Successfully updated GARP count for RG-1 (count 4) in to SSAM
Aug 4 13:25:23 Setting hold-down interval to 1 for RG-1
Aug 4 13:25:23 Set IP monitoring global weight to 0 global threshold to 0 for rg-1
Aug 4 13:25:23 Set IP monitoring retry interval to 0 retry count to 0 for rg-1
Aug 4 13:25:23 All global IP monitoring parameters are set to 0 because all IPs are deleted for rg-1
Aug 4 13:25:23 Current threshold for rg-1 is 255. Failures: none
Aug 4 13:25:23 Ctrl-link (1) timer started
Aug 4 13:25:23 Current threshold for rg-0 is 255. Failures: none
Aug 4 13:25:23 Current threshold for rg-1 is 255. Failures: none
Aug 4 13:28:50 ISSU state: 0
Aug 4 15:11:51 Error he.re.mcluster_ha_secure Sucess
Aug 4 15:12:41 TLV : RG_INFO
Aug 4 15:12:41 TLV send counter 188878
Aug 4 15:12:41 TLV last send Fri Aug 4 15:12:41 2017
Aug 4 15:12:41 TLV recv counter 373190
Aug 4 15:12:41 TLV last recv Fri Aug 4 15:12:41 2017
Aug 4 15:12:41 TLV RG MONITOR_OBJECT send counter 377756
Aug 4 15:12:41 TLV RG MONITOR_OBJECT recv counter 373190
Aug 4 15:12:41 TLV RG MONITOR_OBJECT err counter 0
Aug 4 15:12:41 TLV RG RG_WEIGHT send counter 377756
Aug 4 15:12:41 TLV RG RG_WEIGHT recv counter 0
Aug 4 15:12:41 TLV RG RG_WEIGHT err counter 373190
Aug 4 15:12:41 RG-0 weight :255 Remote weight 255
Aug 4 15:12:41 RG-1 weight :255 Remote weight 255
{primary:node0}
Hi,
We have a very strange problem where a set of workstations are losing intra-zone and internet connectivity. The workstation works flawlessly, then suddenly loses its connection: it can no longer ping the reth interface or cross into the other zone, but it still has connectivity to the workstations within the same zone. Given that it works, I think that the security, NAT and routing are configured correctly.
Here is the kicker: although it can no longer connect to a different zone and cannot ping the reth interface, the workstation can browse to the SRX web UI using the reth interface IP address. What also confuses me is that if I change the IP address of the workstation, the connection is good again. This only happens when the workstation is connected to a network with an SRX.
Any idea about the error below? Could this be related to our cluster setup? I think that when the cluster flaps, the MAC address confuses the switch. Has anyone encountered this problem before?
Thanks in advance.
Aug 4 15:36:26 15:36:26.703516:CID-1:THREAD_ID-05:RT:flow_ipv4_rt_lkup success 10.10.0.40, iifl 0x48, oifl 0x4
Aug 4 15:36:26 15:36:26.703518:CID-1:THREAD_ID-05:RT: route lookup: dest-ip 10.10.0.40 orig ifp reth0.0 output_ifp fxp0.0 orig-zone 6 out-zone 1 vsd 1
Aug 4 15:36:26 15:36:26.703519:CID-1:THREAD_ID-05:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
Aug 4 15:36:26 15:36:26.703520:CID-1:THREAD_ID-05:RT: route to 10.10.0.40
Aug 4 15:36:26 15:36:26.773142:CID-1:THREAD_ID-10:RT: route lookup failed: dest-ip 10.10.0.40 orig ifp reth0.0 output_ifp fxp0.0 fto 0xfe8242e0 orig-zone 6 out-zone 1 vsd 1
Aug 4 15:36:26 15:36:26.773143:CID-1:THREAD_ID-10:RT: readjust timeout to 6 s
Aug 4 15:36:26 15:36:26.773143:CID-1:THREAD_ID-10:RT:ha_ifp: reth7.0
Aug 4 15:36:26 15:36:26.773144:CID-1:THREAD_ID-10:RT: packet dropped, pak dropped since re-route failed
I suggest to start with
show chassis cluster information
Look for Last LED change reason. With this information we can troubleshoot further.
Reth child interfaces must be aggregated on the switch only when you use more than one child interface per node. For example, if you use 4 child interfaces you would have to configure 2 LAGs on the switch. It's better explained in the SRX HA Deployment Guide https://kb.juniper.net/InfoCenter/index?page=content&id=TN260
Regards, Wojtek
My VPN between two SRX240s is dropping packets.
When pinging from the external interface of one to the other, it's fine.
When pinging from the external interface of one to the internal interface of the other, I get intermittent packet drops (i.e. when it's entering the VPN tunnel).
Here is my config on the first SRX:
> show configuration security flow
##
## Warning: statement ignored: unsupported platform (srx220h2)
##
ipsec-performance-acceleration;
tcp-mss {
    ipsec-vpn {
        mss 1350;
    }
}
tcp-session {
    no-sequence-check;
}
On the other side I setup tracing to trace a ping from a host on the subnet from side to the other:
> show configuration security flow
traceoptions {
    file my-dropped-packets;
    flag packet-drops;
    flag basic-datapath;
    packet-filter myfilter {
        source-prefix 192.168.<from-behind-srx1>/32;
        destination-prefix 192.168.<internal-interface-of-SRX2>/32;
    }
}
##
## Warning: statement ignored: unsupported platform (srx220h2)
##
ipsec-performance-acceleration;
tcp-mss {
    ipsec-vpn {
        mss 1350;
    }
}
tcp-session {
    no-sequence-check;
}
You can also see how I tried to enable ipsec-performance-acceleration to see if it would fix this but it appears to not be supported.
There are many docs on how to enable tracing with traceoptions but none I could find explaining how to actually read them for debugging VPNs.
There is this doc, for example, that explains how to read trace output to troubleshoot NAT issues: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21757&actp=METADATA. I want something like this for troubleshooting VPN issues. I tried googling some of the messages I see in the trace, but I'm lost.
What should I be looking for? I'd like to dump these logs and just search through them for important error messages, but I'm not sure I see any "error" messages.
I uploaded a 700 line trace from 4 pings from the source to the destination identified in the filter. On the third ping the request timed out, where would I see that failure in the trace, what should I look for?
Also looking through the trace I see messages like this:
Aug 4 11:11:30 11:11:30.438650:CID-0:RT:pre-frag not needed: ipsize: 60, mtu: 1438, nsp2->pmtu: 1438
This is curious because I set mss to 1350. Maybe these things are not related, but I thought the mtu would be 1350?
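As an added example that is not part of any post, a Python helper for reading security flow traceoptions output in the format quoted in the last two threads: it extracts the packet-drop reasons and the route-lookup zones (the "zone mismatch" drop in the earlier cluster post), and relates the tcp-mss value to the tunnel path MTU reported in the pre-frag line. The sample lines are constructed from the quoted format; the 20-byte IP and 20-byte TCP header sizes are an assumption (headers without options).

```python
"""Triage SRX security flow traceoptions output (basic-datapath / packet-drops)."""
import re
from typing import Dict, List, Optional

# Constructed sample in the format quoted in the posts: a route lookup that ends
# in a zone-mismatch drop, and a pre-frag line from the VPN trace.
SAMPLE_TRACE = """\
Aug 4 15:36:26 15:36:26.703518:CID-1:THREAD_ID-05:RT: route lookup: dest-ip 10.10.0.40 orig ifp reth0.0 output_ifp fxp0.0 orig-zone 6 out-zone 1 vsd 1
Aug 4 15:36:26 15:36:26.703519:CID-1:THREAD_ID-05:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
Aug 4 15:36:26 15:36:26.773142:CID-1:THREAD_ID-10:RT: route lookup failed: dest-ip 10.10.0.40 orig ifp reth0.0 output_ifp fxp0.0 fto 0xfe8242e0 orig-zone 6 out-zone 1 vsd 1
Aug 4 15:36:26 15:36:26.773144:CID-1:THREAD_ID-10:RT: packet dropped, pak dropped since re-route failed
Aug 4 11:11:30 11:11:30.438650:CID-0:RT:pre-frag not needed: ipsize: 60, mtu: 1438, nsp2->pmtu: 1438
"""

# "Mon d HH:MM:SS HH:MM:SS.usec:CID-n:[THREAD_ID-nn:]RT:<message>"
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<stamp>[\d:.]+):"
    r"CID-(?P<cid>\d+):(?:THREAD_ID-(?P<thread>\d+):)?RT:\s*(?P<msg>.*)$"
)
ROUTE_RE = re.compile(
    r"dest-ip (?P<dest>[0-9.]+) orig ifp (?P<in_ifp>\S+) output_ifp (?P<out_ifp>\S+)"
    r".*?orig-zone (?P<in_zone>\d+) out-zone (?P<out_zone>\d+)"
)
PREFRAG_RE = re.compile(r"ipsize: (?P<ipsize>\d+), mtu: (?P<mtu>\d+), nsp2->pmtu: (?P<pmtu>\d+)")
IP_HDR, TCP_HDR = 20, 20  # assumption: headers without options


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one trace line into its fields, or None if it is not a flow trace line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def drop_reasons(trace: str) -> List[str]:
    """The text after 'packet dropped,' for every drop line, in order."""
    out: List[str] = []
    for raw in trace.splitlines():
        rec = parse_line(raw)
        if rec and rec["msg"].startswith("packet dropped"):
            out.append(rec["msg"].partition(",")[2].strip() or rec["msg"])
    return out


def route_lookups(trace: str) -> List[Dict[str, object]]:
    """Every route-lookup record with its interfaces and zones, flagged when the
    lookup failed or the ingress and egress zones differ."""
    out: List[Dict[str, object]] = []
    for raw in trace.splitlines():
        rec = parse_line(raw)
        if not rec or not rec["msg"].startswith("route lookup"):
            continue
        m = ROUTE_RE.search(rec["msg"])
        if not m:
            continue
        d: Dict[str, object] = dict(m.groupdict())
        d["failed"] = "failed" in rec["msg"]
        d["zone_mismatch"] = d["in_zone"] != d["out_zone"]
        out.append(d)
    return out


def prefrag_info(trace: str) -> Optional[Dict[str, int]]:
    """ipsize / mtu / pmtu from the first pre-frag line, if any."""
    for raw in trace.splitlines():
        m = PREFRAG_RE.search(raw)
        if m:
            return {k: int(v) for k, v in m.groupdict().items()}
    return None


def tcp_fits_tunnel(mss: int, pmtu: int) -> bool:
    """A TCP segment clamped to mss occupies mss + TCP + IP headers on the wire;
    it needs no fragmentation when that total fits the tunnel path MTU."""
    return mss + TCP_HDR + IP_HDR <= pmtu


def mss_check(trace: str, configured_mss: int) -> Dict[str, object]:
    """Relate the tcp-mss setting to the tunnel MTU the trace reports. tcp-mss only
    rewrites the MSS option in TCP SYNs, so a 60-byte ICMP echo is not affected by it."""
    info = prefrag_info(trace)
    largest = configured_mss + TCP_HDR + IP_HDR
    if info is None:
        return {"pmtu": None, "largest_tcp_packet": largest, "fits": None}
    return {"pmtu": info["pmtu"], "largest_tcp_packet": largest,
            "fits": tcp_fits_tunnel(configured_mss, info["pmtu"])}


if __name__ == "__main__":
    print("drops:", drop_reasons(SAMPLE_TRACE))
    print("route lookups:", route_lookups(SAMPLE_TRACE))
    print("mss check:", mss_check(SAMPLE_TRACE, 1350))
```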