Channel: All SRX Services Gateway posts

IPSec VPN will not establish. Error in KMD log


Hello,

Has anyone seen this error before? This is from the KMD.log file.

[Sep 24 02:21:04]KMD_INTERNAL_ERROR: kmd_read_securitycfg: dax_get_object_by_path() returned FALSE, secop: 0x0.
[Sep 24 02:45:10]KMD_INTERNAL_ERROR: kmd_read_securitycfg: dax_get_object_by_path() returned FALSE, secop: 0x0.
[Sep 24 06:06:02]KMD_INTERNAL_ERROR: kmd_read_securitycfg: dax_get_object_by_path() returned FALSE, secop: 0x0.
[Sep 24 09:39:21]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Sep 24 10:37:37]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received

I have an SRX300 and an older Cisco router between which I had configured an IPSec tunnel. My tunnel dropped and I started checking all my configurations (IKE and IPSec) on both devices to see what could be wrong. The configurations have not changed and the tunnel was up before. Are there any debugs that could be run to see the phase 1 negotiations? I can attach configurations if needed.

Thanks
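
An added example, not from the original post or any reply in the thread: the IKE traceoptions and show commands that expose the phase 1 exchange on the SRX side. The trace file name ike-debug and the peer address 203.0.113.1 are placeholders; the KMD_INTERNAL_ERROR lines above are not diagnosed here, the trace is what shows whether the peer answers and which proposal or authentication step fails.

```junos
## Added example (not from the thread): phase 1 debugging on an SRX.
## "ike-debug" and peer 203.0.113.1 are placeholders.

## 1. State before tracing: is there a phase 1 SA at all, and in what state?
show security ike security-associations
show security ipsec security-associations

## 2. Enable IKE tracing. Keep the file small and rotated; "flag all"
##    is verbose but shows proposals, IDs and the authentication step.
configure
set security ike traceoptions file ike-debug
set security ike traceoptions file size 1m
set security ike traceoptions file files 3
set security ike traceoptions flag all
commit and-quit

## 3. Force a fresh negotiation and read the trace for the peer.
clear security ike security-associations
show log ike-debug | match "203.0.113.1|proposal|NO_PROPOSAL|AUTH|INVALID|Phase"

## 4. Remove the trace when finished; it costs RE CPU and flash space.
configure
delete security ike traceoptions
commit and-quit
```

If the trace shows the SRX sending but never receiving, the problem is reachability or UDP 500/4500 filtering on the path, not the proposals; if the peer answers with a notify such as NO_PROPOSAL_CHOSEN, compare the DH group, encryption, hash and lifetime on both sides before touching anything else.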

Re: Cannot upgrade firmware on srx1500 due to not enough space?


Hi Lyndon,

May I know the reason I need to create the new directory? Have you faced a similar issue on an SRX1500 previously?

Thanks, and I appreciate anyone's feedback.

Re: Entire FPC restart on both node on SRX5800 for second time in this month?


Hi all,

Can anyone share info on this internal PR, PR 1236354?

Thanks

Log rules between 2 zones


Hi,

I have multiple zones on my SRX5400 and I want to log accepted and rejected packets.

security-zone ZONE1 {
    interfaces {
        reth0.4 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }
}
security-zone ZONE2 {
    interfaces {
        reth0.5 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }
}
from-zone ZONE2 to-zone ZONE1 {
    policy PermitAll {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

from-zone ZONE1 to-zone ZONE2 {
    policy PermitAll {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
show configuration system syslog
user * {
    any emergency;
}
file messages {
    any notice;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}

In my lab, I accept everything. In the future, there will be some deny rules.

I want to log them. For example, I want: From @IP To @IP REJECT, matched rule T1 ...

I did some research on the internet and juniper.net, but found nothing for my case.

Do you have a solution for me?

Documentation?

Thank you for your time

Re: Log rules between 2 zones


Hi,

Please add "then log session-init".

Please make sure you configure security log mode stream.

Thanks

Re: SRX210 behind ISP Modem


I know how to set up interface-based NAT and considered that. I'll try it and post.

Before I do, I want to ensure I capture what you are looking for. This is what I have been using for the traceoptions; is that what you wanted?

set security flow traceoptions file TRACE_FLOW
set security flow traceoptions file size 1m
set security flow traceoptions file files 3
set security flow traceoptions file world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter FLTR_SOURCE source-prefix 10.20.15.130/32
set security flow traceoptions packet-filter FLTR_SOURCE destination-prefix 75.75.75.75/32

10.20.15.130 is a desktop on the home-lan and 75.... is the ISP primary DNS. When I was troubleshooting before, I did see that the packet was accepted and properly natted. If this is what you're looking for, I can do this with 1 ping while it is working and 1 ping when it times out and again using the interface nat. Is that sufficient?

Re: Firefly Perimeter packet transient latency


Did you ever find a solution to this problem? I am experiencing exactly the same thing. I know it's a pretty outdated post, but any information would be helpful.

This is not only affecting traffic that is routed through the vSRX, but also pings to the vSRX itself.


Re: Log rules between 2 zones


Hi, thank you.

I think security log mode stream is my problem. I don't know how to configure it.

Thank you
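
An added example, not part of the thread: the stream-mode logging and per-policy logging that the reply above describes, written out for the ZONE1/ZONE2 policies in the original post. The collector 192.0.2.10, the source address 192.0.2.1, the stream name SIEM and the RejectTelnet and DenyAll policy names are placeholders. On the SRX5000 series, session logs are generated on the SPUs and streamed straight to an external collector; they do not appear in /var/log/messages, which is why the syslog configuration in the post shows nothing.

```junos
## Added example (not from the thread): policy logging on an SRX5400.
## 192.0.2.10 (collector), 192.0.2.1 (source) and SIEM are placeholders.

## Data-plane logs go from the SPUs to the collector; source-address
## is mandatory in stream mode.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream SIEM format sd-syslog
set security log stream SIEM severity info
set security log stream SIEM category all
set security log stream SIEM host 192.0.2.10
set security log stream SIEM host port 514

## A policy logs only if told to. session-init emits RT_FLOW_SESSION_CREATE
## (or RT_FLOW_SESSION_DENY for deny/reject); session-close adds
## RT_FLOW_SESSION_CLOSE with byte and packet counts.
set security policies from-zone ZONE1 to-zone ZONE2 policy PermitAll then permit
set security policies from-zone ZONE1 to-zone ZONE2 policy PermitAll then log session-init
set security policies from-zone ZONE1 to-zone ZONE2 policy PermitAll then log session-close

## A future reject rule. "reject" answers with TCP RST / ICMP unreachable,
## "deny" drops silently; both log as RT_FLOW_SESSION_DENY. Policies are
## evaluated top-down, so it must sit above PermitAll.
set security policies from-zone ZONE1 to-zone ZONE2 policy RejectTelnet match source-address any
set security policies from-zone ZONE1 to-zone ZONE2 policy RejectTelnet match destination-address any
set security policies from-zone ZONE1 to-zone ZONE2 policy RejectTelnet match application junos-telnet
set security policies from-zone ZONE1 to-zone ZONE2 policy RejectTelnet then reject
set security policies from-zone ZONE1 to-zone ZONE2 policy RejectTelnet then log session-init
set security policies from-zone ZONE1 to-zone ZONE2 policy RejectTelnet then count
insert security policies from-zone ZONE1 to-zone ZONE2 policy RejectTelnet before policy PermitAll

## The implicit default deny never logs. To see traffic that matches no
## rule, end the zone pair with an explicit logged deny.
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyAll match source-address any
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyAll match destination-address any
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyAll match application any
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyAll then deny
set security policies from-zone ZONE1 to-zone ZONE2 policy DenyAll then log session-init

## Verify order and that rules are being hit.
show security policies from-zone ZONE1 to-zone ZONE2 detail
show security policies hit-count
```

Repeat the policy part for the ZONE2 to ZONE1 direction. The sd-syslog fields (source-address, destination-address, policy-name, reason) are what give you the "From @IP To @IP REJECT, rule T1" line asked for in the question, once the collector parses them.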

SRX 1500 LACP issues connecting to EX4200 and Extreme X460-G1


Hi All

I have a weird problem when using LACP from a pair of Juniper SRX 1500s connecting to a pair of Juniper EX4200s and Extreme Networks Summit X460-G1 stacks.

The problem is that when I have both connections from the SRXs' node0 Reth1 connected to Extreme Stack 1, web sites that are hosted from Windows machines on the 4200 VC have speed issues and random drops of data, which causes the site to display an error message. If I remove one of the connections, basically turning it back into a single-connection RETH interface, everything seems to work perfectly fine.

I installed a pair of SRX 1500s in a chassis cluster a couple of months ago to replace an SRX240 cluster. At the time I had the wrong XFPs in the EX4200 Virtual Chassis, so I could not connect from the 1500s to the EX4200 at 10GB and had to leave these on 1GB links running LACP. I have 2 Extreme Networks stacks with 3 switches in each stack, 2 X460s and 1 X440 per stack. The X460s have a 10GB module in the back, which I have connected to the 1500s, and then set up LACP on both the firewalls and the switches. When I first installed the new firewalls I connected node0 to one Extreme stack and node1 to the second stack; when I did this we had the problem I described above, so at the time I just dropped the extra connection from the firewalls. Last night I went into our data centre and replaced the XFPs in the Virtual Chassis, connected the VC to the SRX cluster with redundant links from the SRXs to the VC and configured LACP. I also reconnected the redundant links from the SRXs to the Extreme stacks.

I had several users working from home to test the web sites and they all complained of speed issues and getting errors on the web sites. As it was getting very late I removed the redundant links for both the EX VC and the Extreme stacks, so basically each firewall is back down to a single connection from the firewall to the switches.

SRX config

Reth1 - connects to Extreme stacks

Reth1 interfaces xe-0/0/16 (connects to stack1 port 1:30), xe-0/0/17 (connects to stack1 port 2:30), xe-7/0/16 (connects to stack2 port 1:30) and xe-7/0/17 (connects to stack2 port 2:30).

Reth1 redundant-ether-options lacp passive
Reth1 redundant-ether-options lacp periodic slow

Reth0 - connects to Juniper EX4200 VC

Reth1 interfaces xe-0/0/18, xe-0/0/19, xe-7/0/18 and xe-7/0/19.

Reth0 redundant-ether-options lacp passive
Reth0 redundant-ether-options lacp periodic slow

EX4200: AE2 connects to node0 interfaces xe-0/0/18 and xe-0/0/19, and AE3 connects to node1 interfaces xe-7/0/18 and xe-7/0/19

xe-0/1/0 ether-options 802.3ad ae2
xe-1/1/0 ether-options 802.3ad ae2

xe-0/1/1 ether-options 802.3ad ae3
xe-1/1/1 ether-options 802.3ad ae3

ae2 aggregated-ether-options lacp active
ae2 aggregated-ether-options lacp periodic slow

ae3 aggregated-ether-options lacp active
ae3 aggregated-ether-options lacp periodic slow

Extreme X460 sharing, Stack 1 connects to Node 0

enable sharing 1:30 grouping 1:30,2:30
configure sharing 1:30 lacp

Extreme X460 sharing, Stack 2 connects to Node 0

enable sharing 1:30 grouping 1:30,2:30
configure sharing 1:30 lacp

As you can see, on the Extreme stacks I don't have the LACP mode configured or the timeout configured. Could this be the issue?

When I check the timeout values for Extreme LACP and Juniper LACP, Extreme has either a 3 second timeout or a 90 second timeout and Juniper has either a 1 second timeout or a 30 second timeout.

On the Juniper SRXs I have 15.1X49-D75.5 installed. On the Extreme stacks I am running 16.1.3.6.

I think the problems are all caused by LACP between the SRXs and the Extreme stacks, so if anyone has any suggestions or has configured SRX to Extreme Networks before, any help would be gratefully received.

I can create a diagram if that would help

Richard

Re: Cannot upgrade firmware on srx1500 due to not enough space?


Hi

I had a very similar issue on my 1500 cluster when I was trying to update it a couple of months ago, and if I remember correctly it was down to something like having the USB ports disabled under system. I will try and dig out the original configuration I had added to the cluster and then see what changes I have made since for the system section in the config file.

Richard

Re: Cannot upgrade firmware on srx1500 due to not enough space?


Sorry, just looking back at the change log, the problem was on an SRX345 cluster running 15.1X49-D50.3 and I was trying to upgrade to 15.1X49-D75.5. Having "set usb storage disable" was causing the problem.

The error I was getting was

"newfs: /dev/da0s1a: could not find special device"
"ERROR: Could not format alternate root"

Sorry, no help, but maybe check to see if something like USB storage has been disabled.

Richard

Re: srx chasis cluster redundancy groups


Not an expert on Juniper, but having all interfaces in one redundancy group has always caused me problems. Even if you want an Active/Passive setup, the RGs are controlled by the node priority: just set the node you want as active to a higher priority than the passive node and all the interfaces should stay on the active node.

What you have to think about is, if one link goes down, do you want all your interfaces to move over to the passive node? If you do, then go with 1 RG; if you don't, then put the interfaces into different RGs.

Re: Active/Active chassis cluster


Pre-sales kind of expression :)

I'd really appreciate it if you could describe to me a real-world use case of asymmetric routing based on an active-passive design (by means of SRX).

An Active-Active scenario will be helpful if we have a geographically stretched cluster of 2 SRX devices (this is a supported configuration, I think; at least I read something like that a year ago) or, in the most common situation, where we have more than one ISP and a dynamic routing protocol between the ISPs and the SRX HA cluster.

For example:

DC1 | ISP1 - SRX1.Cluster1 | --- long distance DF or Layer 2 link b/n datacenters --- | SRX2.Cluster1 - ISP2 | DC2

In this example, can I have active dynamic routing with both ISPs to advertise to them my APP-SRV IP sitting behind the SRX?

Or another one:

Same DC and same rack - 2x SRX in an HA cluster setup + 2 ISPs. Where should I terminate the links from ISP1 and ISP2 to avoid a device single point of failure? ISP1 on node0 and ISP2 on node1? What happens with my dynamic routing then (as node1 will not terminate any traffic)? Adding a minimum of 2 (EX?) switches in VC/VCF/whatever stacking and terminating the Internet links there is too costly a solution.

Re: SRX210 behind ISP Modem


All righty then. Changed the NAT to interface and it's been working without a hitch for hours - just finished cutting the grass and it's still working.

Anyway, so I guess I need to decide whether to leave it like that and move on, or try to learn why it didn't work with source NAT using the same IP range as the exit interface and the ISP modem (172.20.15.x)? Suggestions? Thoughts?



Problem to connect SRX to Cisco router


Hello all,

I am trying to connect a Juniper SRX to a Cisco 1841. The first is connected with a VLAN interface:

reth0 {
        description "Link to Cisco 1841";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 81 {
            vlan-id 81;
            family inet {
                address 192.168.81.254/24;
            }
        }
    }

and a second:

interface FastEthernet0/1/0
 switchport access vlan 81
 no ip address

interface Vlan81
 ip address 192.168.81.1 255.255.255.0

At this moment I am not able to ping the interface in either direction, but I did a "show arp" on both devices:

3c:8a:b0:2a:32:b0 30.17.0.2       30.17.0.2                 fab0.0              permanent
50:c5:8d:33:f6:30 30.18.0.1       30.18.0.1                 fab1.0              permanent
3c:8a:b0:2a:32:47 130.16.0.1      130.16.0.1                fxp1.0              none
00:17:95:dc:49:48 192.168.6.1     192.168.6.1               fxp0.0              none
00:0a:b8:51:b9:c1 192.168.6.10    192.168.6.10              fxp0.0              none
a4:93:4c:ee:5f:a6 192.168.111.1   192.168.111.1             reth1.0             none

Cisco:

Internet  192.168.81.1            -   0018.7345.de88  ARPA   Vlan81
Internet  192.168.81.254          0   0010.dbff.1000  ARPA   Vlan81

and I don't understand why I see the entries on the Cisco equipment while it's empty on the Juniper equipment.

And I suppose this is why the two devices don't communicate.

I am putting the whole configuration here for you to see:


version 12.1X47-D35.2;
groups {
    node0 {
        system {
            host-name EROS;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.6.30/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name HADES;
        }
        interfaces {
            fxp0 {
                unit 0 {                
                    family inet {
                        address 192.168.6.31/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    domain-name xxxx.corp;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
    }
    name-server {
        192.168.100.4;
    }
    login {
        user xxxx {
            uid 2000;
            class super-user;
            authentication {            
                encrypted-password "xxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            rate-limit 2;
        }
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;              
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 192.168.111.1 prefer;
    }
}
chassis {
    cluster {
        reth-count 2;                   
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            interface-monitor {
                fe-0/0/1 weight 255;
                fe-1/0/1 weight 255;
                fe-0/0/2 weight 255;
                fe-1/0/2 weight 255;
            }
        }
    }
}
interfaces {
    fe-0/0/1 {
        description "Link to Cisco 1841 Fe0/1/0";
        fastether-options {
            redundant-parent reth0;
        }
    }                                   
    fe-0/0/2 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fe-1/0/1 {
        description "Link to Cisco 1841 Fe0/1/1";
        fastether-options {
            redundant-parent reth0;
        }
    }
    fe-1/0/2 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                fe-0/0/0;
            }
        }
    }                                   
    fab1 {
        fabric-options {
            member-interfaces {
                fe-1/0/0;
            }
        }
    }
    reth0 {
        description "Link to Cisco 1841";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 81 {
            vlan-id 81;
            family inet {
                address 192.168.81.254/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;         
        }
        unit 0 {
            family inet {
                address 192.168.111.30/24;
            }
        }
    }
}
protocols {
    stp;
}
security {
    zones {
        security-zone Trusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.81;
            }
        }                               
        security-zone Untrusted {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                reth1.0;
            }
        }
        security-zone MGMT;
    }
}
routing-instances {
    RI-VR-LAN {
        instance-type virtual-router;
        interface reth0.81;
        routing-options {
            static {
                route 192.168.100.0/24 next-hop 192.168.81.1;
            }
        }
    }                                   
}

Thank you for your help...

Re: SRX210 behind ISP Modem


What version of Junos are you using?

You may find this command helpful when troubleshooting arp issues:

show system statistics arp

Regards, Wojtek

Re: Cannot upgrade firmware on srx1500 due to not enough space?


It will allow the system to use a different folder for temporarily extracting the installation file. You can see that you have over 14 GB and 13 GB of free disk space. You can try it. But this is critical, so I suggest you open a ticket with Juniper ASAP to figure out what is happening. Maybe they need to change the size of specific directories.

Re: Problem to connect SRX to Cisco router


Your problem is a mismatch regarding vlan-tagging on the Cisco and the SRX.

The SRX is sending packets with VLAN tag 81, but the Cisco router has been configured as an access port in VLAN 81, meaning it sends out packets without any VLAN tag. This makes the SRX ignore the packets, as there is no matching interface for traffic without VLAN tags.

Two solutions:

1. Remove vlan-tagging on reth0 and vlan-id 81 on 'unit 81' on your SRX, making the link send packets without any VLAN id.

2. Change the port on the Cisco router to 'trunk' ('switchport mode trunk' and 'switchport trunk encapsulation dot1q' - the last one depending on IOS version), allowing VLAN-tagged packets to be sent out of this interface.
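
An added example, not from the thread: solution 1 from the reply above applied to the configuration the original poster pasted. Junos only allows unit 0 on an interface without vlan-tagging, so the logical unit is renumbered as well, and every reference to reth0.81 (the Trusted zone and the RI-VR-LAN routing instance) must be repointed in the same commit or the commit fails. The addresses are the poster's own; nothing else is assumed.

```junos
## Added example (not from the thread): make reth0 untagged so it matches
## the Cisco access port in VLAN 81. All names/addresses are from the post.
configure
delete interfaces reth0 vlan-tagging
delete interfaces reth0 unit 81
set interfaces reth0 unit 0 family inet address 192.168.81.254/24

## Repoint zone and routing-instance references from reth0.81 to reth0.0.
delete security zones security-zone Trusted interfaces reth0.81
set security zones security-zone Trusted interfaces reth0.0
delete routing-instances RI-VR-LAN interface reth0.81
set routing-instances RI-VR-LAN interface reth0.0

commit check
commit and-quit

## Verify: link up, ARP learned for the Cisco, and reachability tested
## from inside the routing instance that owns the interface.
show interfaces reth0 terse
show arp interface reth0.0
ping 192.168.81.1 routing-instance RI-VR-LAN count 3
```

If you prefer solution 2 and trunk the Cisco port instead, keep the SRX as it is but make sure VLAN 81 is not the trunk's native VLAN: frames in the native VLAN leave the trunk untagged and the SRX is back to the same mismatch.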

 
