Does it happen only after cluster failover?
What is the platform and Junos version?
Can you post cluster and interfaces configuration?
Can you check arp table on the host and compare SRX mac address during/after problem is resolved?
Regards, Wojtek
1) Does the SRX support proxy mode?
I know that the SRX can act as a proxy for TCP connections; I found this feature in the screen options chapter.
2) However, I don't know how to enable this feature.
3) Can the SRX act as a proxy for other features like SSL, AntiVirus and so on?
So what would be the advantage?
> In either case the client will install VPN software and create a virtual adaptor; traffic to the resources behind the SRX will be directed through the virtual adaptor ....
What would be the difference between SSL & IPSEC, if in both cases the remote user installs VPN software?
Note -
You cannot mix JDHCP and DHCP on the same machine - DHCP is being phased out, so better to adopt JDHCP.
My isolated guest network clients get passed straight through from AP to switch to SRX and out to the internet via PPPoE. The APs allocate the guest IPs. If I need to look at what is going on with the guests, they have a separate management system, which also handles the analytics.
I have looked through several tutorials and made many attempts; not sure where I am missing the boat.
Following is my most recent attempt, no dice. (I have removed non-relevant information.)
With each attempt I receive the same error:
"Error 1110: Unable to communicate with the server."
Pulse Secure on a Windows 7 system.
## Last changed: 2017-08-04 13:02:23 EDT
version 15.1X49-D60.7;
system {
    host-name atlanta-srx;
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface [ ge-0/0/1.0 st0.3 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
        }
    }
}
security {
    ike {
        proposal ike-dyn-prop-ATL {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
        }
        policy ike-dyn-pol-ATL {
            mode aggressive;
            proposals ike-dyn-prop-ATL;
            pre-shared-key ascii-text "$9$KnCMWXdb2JGirewg4aHk.P5z9tp01ylvbsaUjkQzEcSeLx7-Vb24W8GDkqTQcylMX-UDk5T3IE7VwYGUFn/90IEhrevLO1RcleXxdbs24ZjHmTF/"; ## SECRET-DATA
        }
        gateway gw-dyn-ATL {
            ike-policy ike-dyn-pol-ATL;
            dynamic {
                hostname atlanta-srx;
                connections-limit 2;
            }
            external-interface ge-0/0/0.0;
            xauth {
                access-profile ATL-dyn-vpn;
            }
        }
    }
    ipsec {
        proposal dyn-prop-ATL {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-dyn-pol-ATL {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals dyn-prop-ATL;
        }
        vpn vpn-dyn-ATL {
            ike {
                gateway gw-dyn-ATL;
                ipsec-policy ipsec-dyn-pol-ATL;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1379;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy dyn-vpn-pol-ATL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                    bgp;
                }
            }
            interfaces {
                ge-0/0/1.0;
                st0.3;
                st0.1;
                st0.2;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ping;
                            ike;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 11.22.33.44/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.xx.xxx/24;
            }
        }
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
}
access {
    profile ATL-dyn-vpn {
        client TEST {
            firewall-user {
                password "$9$WjYLXNwYoUjqKM2aJG.mfTznt0O1Eev8YgGjH.QzEcSeLx7-Vb24W8GDkqTQcylMX-UDk5T3IE7VwYGUFn/90IEhrevLO1RcleXxdbs24ZjHmTF/"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool ATL-POOL;
        }
    }
    address-assignment {
        pool ATL-POOL {
            family inet {
                network 192.168.200.0/24;
                range ATL-dyn-ip-range {
                    low 192.168.200.20;
                    high 192.168.200.50;
                }
                xauth-attributes {
                    primary-dns 8.8.8.8/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile ATL-dyn-vpn;
        }
    }
}
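Two things a reader comparing this against a working dynamic VPN will notice: the posted config has no `security dynamic-vpn` stanza (the piece that ties the access profile, the IPsec VPN and the permitted users together for the Pulse client), and the untrust-to-trust policy permits clear traffic rather than terminating the tunnel. Whether either is what produces Error 1110 is not established in this thread. The set commands below are an added example of those two pieces built from the Junos dynamic VPN configuration structure; they are not the poster's config and nobody in the thread posted them. They reuse the posted names (ATL-dyn-vpn, gw-dyn-ATL, vpn-dyn-ATL, TEST) and assume 192.168.10.0/24 as the protected LAN, since the real one is redacted above. Separately, the IKE proposal above uses aggressive mode with a pre-shared key plus md5 and 3des; aggressive mode sends the PSK-derived hash in the clear, where it can be attacked offline, so it is worth tightening once the tunnel comes up.

```junos
## Added example, not the poster's config. 192.168.10.0/24 is an assumed
## placeholder for the redacted LAN behind ge-0/0/1.0.

## Dynamic VPN: which access profile authenticates clients, which IPsec VPN
## they land in, what is reachable through it, and which users may connect.
set security dynamic-vpn access-profile ATL-dyn-vpn
set security dynamic-vpn clients all ipsec-vpn vpn-dyn-ATL
set security dynamic-vpn clients all remote-protected-resources 192.168.10.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all user TEST

## All Pulse clients present the same IKE ID; XAuth tells them apart.
set security ike gateway gw-dyn-ATL dynamic ike-user-type shared-ike-id

## The untrust-to-trust policy must terminate the tunnel, not just permit.
set security policies from-zone untrust to-zone trust policy dyn-vpn-pol-ATL then permit tunnel ipsec-vpn vpn-dyn-ATL

## The client downloads its profile over HTTPS on the external interface,
## which the posted config already allows (web-management https on ge-0/0/0.0,
## host-inbound https on the untrust interface).
commit check
```

`remote-exceptions 0.0.0.0/0` gives a split tunnel: only the protected prefixes go through the SRX. Drop that line if all client traffic should be forced through the tunnel. The `permit` already on the policy stays; `permit tunnel ipsec-vpn` adds the tunnel binding under it.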
I will grab the cluster information when I go back to the site.
Thanks for confirming about link aggregation on the switch.
Does it happen only after cluster failover?
A. This is what I suspect. I physically turned off Node0 (primary) and node1 became active (at least that is what show cluster status said); then the host lost the connection but could still browse to the SRX WebUI. Restarted Node0 and, after a long wait, the host started working again.
What is the platform and Junos version?
A. 15.1 R5.5 D90.7
Can you post cluster and interfaces configuration?
A.
version 15.1X49-D90.7;
groups {
    node0 {
        system {
            host-name MTMFW01;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.0.10/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name MTMFW02;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.10.0.9/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
********************************
chassis {
    cluster {
        reth-count 8;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            preempt;
        }
    }
}
**************
interfaces {
    xe-0/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    xe-0/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-0/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    xe-0/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    xe-0/0/4 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    xe-0/0/5 {
        gigether-options {
            redundant-parent reth5;
        }
    }
    xe-0/0/6 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    xe-0/0/7 {
        gigether-options {
            redundant-parent reth7;
        }
    }
    xe-7/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    xe-7/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-7/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    xe-7/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    xe-7/0/4 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    xe-7/0/5 {
        gigether-options {
            redundant-parent reth5;
        }
    }
    xe-7/0/6 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    xe-7/0/7 {
        gigether-options {
            redundant-parent reth7;
        }
    }
    reth0 {
        description ADMIN-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.10.0.1/24;
            }
        }
    }
    reth1 {
        description WLAN-ZONE;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            vlan-id 20;
            family inet {
                address 10.20.0.1/24;
            }
        }
        unit 1 {
            vlan-id 21;
            family inet {
                address 10.21.0.1/24;
            }
        }
        unit 2 {
            vlan-id 22;
            family inet {
                address 10.22.0.1/24;
            }
        }
        unit 3 {
            vlan-id 23;
            family inet {
                address 10.23.0.1/24;
            }
        }
    }
    reth2 {
        description LEARNING-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.30.0.1/24;
            }
        }
    }
    reth3 {
        description CCTV-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.40.0.1/24;
            }
        }
    }
    reth4 {
        description TELEPHONE-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.50.0.1/24;
            }
        }
    }
    reth7 {
        description UNTRUST-ZONE;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.36.245/24;
            }
        }
    }
}
Can you check arp table on the host and compare SRX mac address during/after problem is resolved?
A. I will get this when I go back to the site. I had a look at the host ARP cache when I was troubleshooting it and the MAC address was the same.
What really drives me nuts is that if I change the IP address the host starts working again; could this be related to the firewall blocking the IP address for some reason?
Thanks Wojtek for taking the time to help me.
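The checks Wojtek asked for have an SRX-side counterpart that is worth capturing in the same minute as the host's ARP table, because the symptoms (connectivity returns when the host changes IP, MAC unchanged) point at state tied to the old address rather than at the cluster itself. The following operational commands are an added example, not something posted in the thread; they are run on whichever node is primary after the failover. 10.20.0.50 is an assumed placeholder for the affected WLAN host on reth1 unit 0, and reth1 is used because that is where the VLAN-tagged units live in the posted config.

```junos
## Added example of post-failover checks; not from the original post.
## 10.20.0.50 is an assumed placeholder for the affected host.

## Which node holds RG0 and RG1 now, are the reth members up on it,
## and how many failovers have actually happened?
show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics

## The reth virtual MAC is the same on both nodes; compare "Current address"
## with the entry the host shows for 10.20.0.1 in its own ARP table.
show interfaces reth1 | match "Current address"

## What the SRX itself has learned for the host, and what sessions it holds.
## A stale session for the old IP is one reason a new IP "just works".
show arp no-resolve | match 10.20.0.50
show security flow session source-prefix 10.20.0.50/32
show security flow session destination-prefix 10.20.0.50/32

## Cluster daemon events around the time node0 was powered off.
show log messages | match jsrpd
show log jsrpd | last 50
```

On the host, `arp -a` (Windows) or `ip neigh` (Linux) gives the entry to compare against the reth "Current address". If the SRX-side session for the host is still present but stops passing traffic, `clear security flow session source-prefix 10.20.0.50/32` is the reversible next step before changing the host's IP.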
Dears,
I need to create mulitple subinterface on the aggregate interface with vlan tagging on srx series 1440 which will connected to cisco switch, what has to be done but from srx i dont know, can anybody share with me a step by step document to create a sub interfaces on the aggregate interface.
set chassis aggregated-devices ethernet device-count 5   < number of ae interfaces you want to create between the SRX and the Cisco switch >
set interfaces ae0 aggregated-ether-options lacp active   < LACP actively monitors the LAG >
set interfaces ge-1/0/0 gigether-options 802.3ad ae0   < binding the physical interface into the ae >
set interfaces ae0 vlan-tagging   < enable VLAN tagging on the aggregate; this is a separate statement from the unit >
set interfaces ae0 unit 100 vlan-id 100 family inet address 10.0.0.1/30   < sub-interface with its VLAN ID and IP address >
set interfaces ae0 unit 200 vlan-id 200 family inet address 20.0.0.1/30
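The steps above are the minimum for the interface to come up. What they leave out, and what a practitioner gets bitten by, is that on an SRX a unit that belongs to no security zone passes no traffic at all, and that the Cisco side must be an LACP trunk carrying the same VLANs. The following is a complete added example, not the poster's or the answerer's config; interface names, VLAN IDs, addresses and zone names are placeholders chosen to match the thread.

```junos
## Added example; interface names, VLANs, addresses and zone names are placeholders.
set chassis aggregated-devices ethernet device-count 1

## Two member links. Members must be the same speed and carry no unit/family
## config of their own; everything lives on ae0.
set interfaces ge-1/0/0 gigether-options 802.3ad ae0
set interfaces ge-1/0/1 gigether-options 802.3ad ae0

## LACP active on both ends. Fast periodic sends LACPDUs every second, so a
## member whose link stays up but stops forwarding is pulled from the bundle
## in about three seconds instead of ninety.
set interfaces ae0 description "LAG to Cisco Po1"
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 aggregated-ether-options minimum-links 1

## 802.1Q sub-interfaces: one unit per VLAN, unit number kept equal to the VLAN ID.
set interfaces ae0 vlan-tagging
set interfaces ae0 unit 100 vlan-id 100 family inet address 10.0.0.1/30
set interfaces ae0 unit 200 vlan-id 200 family inet address 20.0.0.1/30

## Each unit goes into its own zone. Only the host-inbound services listed
## here can reach the SRX itself from that VLAN; nothing else is implied.
set security zones security-zone servers interfaces ae0.100 host-inbound-traffic system-services ping
set security zones security-zone users interfaces ae0.200 host-inbound-traffic system-services ping
set security zones security-zone users interfaces ae0.200 host-inbound-traffic system-services dhcp

commit check

## Cisco IOS side, for reference (not Junos):
##   interface Port-channel1
##    switchport trunk encapsulation dot1q
##    switchport mode trunk
##    switchport trunk allowed vlan 100,200
##   interface range GigabitEthernet1/0/1 - 2
##    channel-group 1 mode active
```

After commit, `show lacp interfaces ae0` should show both members in Collecting/Distributing state and `show interfaces ae0.100 terse` should be up; if a member is Detached, check that the switch port is in `mode active` (LACP) rather than `mode on` (static).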
The advantage that SSL VPN has is that many public network locations and some USA wireless carriers block IPSEC on their networks. Thus you cannot connect to IPSEC VPN while there.
These wireless carriers then turn around and sell a "business" plan for an additional fee per month that allows such connections on the network.
SSL has to be allowed by the nature of the internet so it will never be blocked.
The SRX is not a forward or reverse proxy server.
For some of the screen functions it can behave like a proxy by responding to the initial SYN to prevent SYN flood attacks, verifying that the end host does intend to complete the handshake. But if the host responds, the SRX closes the connection and then allows the full connection through to the end server.
The SRX can cache DNS responses and act as a DNS proxy for future requests of the same name.
And the SRX will proxy ARP for addresses that use NAT within interface subnets.
Hi,
I was going over your config, having failed miserably in trying to achieve a similar setup, but I don't see how the access profile is assigned to the user using dynamic-vpn.
Your config says:
6) dynamic-vpn { access-profile ADMIN;
Am I overlooking where this access profile is defined?
All I succeed in doing is either having authentication issues or assigning users to the dynamic-vpn access-profile set in the above config snippet's location.
My other rulesets don't do anything.
I must be missing something, and I'm hoping this is no longer impossible ( https://forums.juniper.net/t5/SRX-Services-Gateway/Dynamic-VPN-with-Multiple-Xauth-Profile-is-supported/m-p/103818#M12944 ).
Any advice would be welcome.
I am using an SRX300 in a small, but very mixed environment.
The SRX connects to the Internet using PPPoE, via a European/UK spec Vigor 130 (completely different firmware from US router/modem) in Bridge mode. When I carefully configure MSS/MTUs on workstation, switch, SRX and modem so that they all are optimised to pass the largest possible packets within the Baby Jumbo frame specification, web browsing proceeds with a noticeable "snap", compared to unoptimised (this is harder than it needs to be as definitions are not consistent between manufacturers or even between product lines from the same manufacturer).
My "fibre" connection is of the FTTC variety. The cabinet in question has recently been upgraded (Huawei boards) so that it can handle 9018/9022 byte (Jumbo) packets. Is there any way I can make use of this, short of waiting for a true fibre upgrade, which BT is dithering about installing?
The smaller packet size makes certain kinds of streaming unwatchable on all but the most capable workstations and laptops.
Hi All,
Referring to https://kb.juniper.net/InfoCenter/index?page=content&id=KB30461, it said "2017-06-22: Added that no need to reboot after 15.1X49-D70." but even though I'm using D80 it still needs a reboot. Hopefully someone from Juniper can make this correction.
[edit]
root@SRX320# run show version
Hostname: SRX320
Model: srx320-poe
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]
Thanks
Hi all,
Just to update that when I test using an actual SRX220H there is no issue with the active/active cluster setup. So it's confirmed: Firefly does not support an active/active cluster setup.
Thanks
kronicklez wrote:
[edit]
root@SRX320# run show version
Hostname: SRX320
Model: srx320-poe
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]
It appears you have a SRX320.
The article states -
Note: As of 15.1X49-D70, for the SRX1500 series, SRX4100, SRX4200, devices and vSRX, you do not need to reboot the device when you are switching modes between flow mode and packet mode. For SRX300 you do need to reboot.
Although they look to be very similar, is it possible that the Mini-PIMs need to be rebooted?
Incidentally, as I have an issue that is currently being investigated, I have upgraded the SRX300 to D100. It feels more solid, and J-Web is much improved.
Hi All,
I am planning to upgrade an SRX110HE and an SRX210H remotely in our enterprise. It will be an upgrade of JUNOS from 12.1X44-D20.3 to 12.1X46-D65 on Branch SRXs. Need help with the queries below:
I am worried because it will be nearly impossible to go to the datacenter if things go wrong.
Thank You.
Hi
Last time I tested on vSRX with Junos 15.1X49-D70.3, it was working.
Hi PK,
Maybe because you are using vSRX, but I tested using Firefly Perimeter (old vSRX).
Thanks