
Re: SRX240H Power Loss: Cannot Login


Hello:

 

Thanks for the information.

 

I did get in via console.  The system didn't have a root password anymore, so it just dropped me straight in.

 

When I tried to regenerate the keys, the /etc/ssh directory was missing (which is actually hidden behind a couple of symlinks and is like /var/db/ssh or something similar).  Anyway, once I regenerated these, ssh works.

 

The problem is now that I cannot set any user passwords, either through JWeb or the CLI.  Both methods give me a success AND a successful commit, but when I log out, and then log back in, the root password is just blank.  It's even allowing root login from the GUI with no password.  Not good.

 

Any idea how I can force it to set passwords or what the fix might be?

 

Note that the whole config is there, policies are working, the users are listed, and even if I pull them up in CLI Point and Click, they show an encrypted password.  It just doesn't seem the logins are working.  Perhaps a service is down that I don't know about?


Thanks,

Don


Re: SRX240H Power Loss: Cannot Login


Hello:

 

Also, as a note, I tried this.

 

root@fwwa> restart firewall-authentication-service
warning: firewall-authentication-service subsystem not running - not needed by configuration.

root@fwwa> restart general-authentication-service
warning: general-authentication-service subsystem not running - not needed by configuration.

Re: SRX240H Power Loss: Cannot Login


Looks like the power outage corrupted the db. I would recommend you try another reboot or do a Junos re-install and then reboot. You can try installing same Junos version or do an upgrade.

Re: ipv6 vlan interface


I don't think that limitation is there on 12.1X releases. PFB.

 

Output from the 10.2 release; inet6 is not available for VLAN:

 


root@Router-4> show version
Hostname: Router-4
Model: srx650
JUNOS Software Release [10.2R3.10]

root@Router-4> configure
Entering configuration mode

[edit]
root@Router-4# set interfaces vlan unit 10 family ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> inet                 IPv4 parameters
> mpls                 MPLS protocol parameters
> tcc                  Translational cross-connect parameters
> vpls                 Virtual private LAN service parameters
[edit]
root@Router-4#     

 

 

Output from 12.1X46 shows inet6:

 

root@Router-4> show version
Hostname: Router-4
Model: srx210he
JUNOS Software Release [12.1X46-D35.1]

root@Router-4> configure
Entering configuration mode

[edit]
root@Router-4# set interfaces vlan unit 10 family ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> bridge               Layer-2 bridging parameters
> inet                 IPv4 parameters
> inet6                IPv6 protocol parameters
> mlfr-end-to-end      Multilink Frame Relay end-to-end protocol parameters
> mlfr-uni-nni         Multilink Frame Relay UNI NNI protocol parameters
> mlppp                Multilink PPP protocol parameters
> mpls                 MPLS protocol parameters
[edit]
root@Router-4#

Re: SRX tunnel to Cisco ASR configured for EZVPN?


EZVPN is the VPN client? If that's true, you cannot have a VPN with SRX.

CF ACT LED SRX650


Hello Community,

I recently purchased two external compact flash memory cards for an SRX650 chassis cluster.

Using a CF to USB converter cable, I successfully managed to take a snapshot from the internal CF to USB (in this case the USB device was the compact flash memory cards purchased).

Once done, I inserted the CF cards in the CF slot at the back of the SRX650s.

My confusion, however, is that the CF ACT LED at the back does not light when I insert the compact flash card.

From Junos documentation, I expected the following behaviour for the LED:


The CF ACT LED has the following indicator colors:
  • Red and steadily on indicates that a CompactFlash is inserted and functioning normally.
  • Red and blinking indicates that the CompactFlash is being accessed.
  • Off indicates no CompactFlash is inserted.

But the CF ACT LED remains off in my case even when the CompactFlash is inserted.


Also, from the documentation for configuring an external CompactFlash card for the SRX650, the below is mentioned:

By default, only the internal CF is enabled and an option to take a snapshot of the configuration from the internal CF to the external CF is not supported. This can be done only by using a USB storage device.

So does the CF ACT LED in my case remain off because the external CF is disabled by default, or am I missing something?

Kindly help me understand (Junos version is 12.3X48-D30.7, chassis is SRX650)

Leo

Re: ipv6 vlan interface

Yes, I know... but when I configured IPv6 on the VLAN interface I got a rejected route.
That's why I asked :)

Enabling TPM blocks any Junos upgrade on SRX


Enabling TPM makes any Junos upgrade on SRX impossible. If you enable TPM / MEK, the box needs to be rebuilt from scratch using local console access. There is no other way to disable TPM or do an upgrade.

 

It seems that if you enable TPM on an SRX (http://www.jnpr.net/documentation/en_US/junos/topics/concept/trusted-port-module-security-understanding.html) it makes an upgrade impossible. If you try to install D110 on the box it will give you a validation error. To clear the TPM you need to clear it in uboot and rebuild the box from scratch, and clearing it in uboot is possible only from the local console, so no remote upgrade is possible.

 

To sum it up:

  • There is no other method to install/upgrade Junos on an SRX with TPM/MEK enabled than to clear the TPM/MEK before the install/upgrade.
  • There is no other method to clear the TPM than to use LOCAL console access (need to access uboot).
  • After clearing the TPM using uboot, the box requires a full (manual) reinstall/rebuild.

 

I am having a JTAC case and trying to find a solution, but the situation is outrageous...

 

Regards,

Pawel Mazurkiewicz


Downloadable access-list via radius


Hi All

 

I'm new to this forum and in general to Juniper SRX.

I'm struggling to find any documentation that can show me if the SRX340 supports downloadable access-lists per user VPN via RADIUS entries, and if so, how.

Or if not, is there a platform that does support it?

 

/Arne

STATIC DESTINATION NAT Question


 

Hi everyone.

 

I have some questions about STATIC NAT.

 

On Cisco Platform:

 SERVER--10.10.10.1------10.10.10.10  -F1-(INSIDE)--R1-F2-(OUTSIDE)-----INTERNET

 

R1 is configured with STATIC NAT to translate destination IP 199.199.199.10 to 10.10.10.10 for all packets received on OUTSIDE interface f2.

As a byproduct of using this command, all packets sourced from 10.10.10.10 and destined to the Internet will have their SRC IP replaced by 199.199.199.10, i.e. we do not need to create STATIC SOURCE NAT. This also allows SERVER to be the initiator as well.

 

Now we take this scenario and apply on SRX:

 

Server 10.10.10.10--10.10.10.1--ZONE A-F1--SRX--F2 -ZONE B

 

Assume all traffic is allowed from Zone B to Zone A and vice versa

 

SRX is configured to perform Static destination NAT where all traffic received from ZONE B and destined to 199.199.199.10 will have the destination IP natted to 10.10.10.10.

 

Questions:

1) Do we need to configure SOURCE NAT for return traffic? I believe we do not, but I just want to confirm. 

2) This Static NAT (destination) creates a static entry in the NAT table; does it also mean Server 10.10.10.10 can also initiate traffic to the Internet, i.e. Server is the initiator, i.e. for such traffic the SRC IP will be natted to 199.199.199.10? The key word is "Initiator".

 

Am I correct, or have I missed something?

 

 

Thanks


Re: STATIC DESTINATION NAT Question


 

Questions:

1) Do we need to configure SOURCE NAT for return traffic? I believe we do not, but I just want to confirm.

 

No.

2) This Static NAT (destination) creates a static entry in the NAT table; does it also mean Server 10.10.10.10 can also initiate traffic to the Internet, i.e. Server is the initiator, i.e. for such traffic the SRC IP will be natted to 199.199.199.10? The key word is "Initiator".

 Yes.

Am I correct, or have I missed something?

 You are correct, you have not missed anything. To confirm, here are some links for you:

https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-security-static-understanding.html

https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-security-static-rule-understanding.html

 

For additional extensive information:

https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-security-rule-set-and-rule-understanding.html
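A Junos static NAT configuration for the scenario discussed in this thread, added here as an example and not taken from either post. It assumes the zones are named zoneA (server side) and zoneB (Internet side), that ge-0/0/2.0 is the zoneB interface, and that the permitting security policies from the question are already in place; the rule-set and rule names are likewise assumed.

```junos
security {
    nat {
        /* Static NAT is bidirectional: packets from zoneB to 199.199.199.10 have
           their destination rewritten to 10.10.10.10, and sessions the server
           initiates get 10.10.10.10 rewritten to 199.199.199.10 as source by
           the same rule. No separate source NAT rule is needed. */
        static {
            rule-set zoneB-static {
                from zone zoneB;
                rule server-199-10 {
                    match {
                        destination-address 199.199.199.10/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.10.10.10/32;
                            }
                        }
                    }
                }
            }
        }
        /* 199.199.199.10 is not an address configured on the SRX itself, so the
           zoneB interface (assumed ge-0/0/2.0) must answer ARP for it, otherwise
           the upstream router never forwards the packets to the SRX. */
        proxy-arp {
            interface ge-0/0/2.0 {
                address {
                    199.199.199.10/32;
                }
            }
        }
    }
}
```

After committing, `show security nat static rule all` reports the rule's translation hit counters in both directions, and `show security flow session` shows the inbound and server-initiated sessions with the translated addresses.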

 

Error when commit static nat two public ip into one private IP?


Hi all,

 

How can I translate the ScreenOS config below into SRX? It gets an error when I do commit.

 

On netscreen

 

set interface "ethernet1/1:1" mip 71.10.11.30 host 192.168.10.1 netmask 255.255.255.255 vr "trust-vr"   ---> https, tcp_400
set interface "ethernet1/1:1" mip 71.10.11.31 host 192.168.10.1 netmask 255.255.255.255 vr "trust-vr"  ----> http, tcp_200

 

SRX

 

[edit security nat static]
test@srx# commit
error: static nat rule STATIC-PUB-36 prefix overlaps with static nat rule STATIC-PUB-13 prefix
error: configuration check-out failed

 

Thanks and appreciate any feedback

 

Re: Enabling TPM blocks any Junos upgrade on SRX


Hello,

The link You supplied gives a 404 error.

The working link is https://www.juniper.net/documentation/en_US/junos/topics/concept/trusted-platform-module-security-understanding.html

And what JUNOS version are You upgrading from?

If You enable TPM on JUNOS version older than D110, and then try to upgrade to D110, Your JUNOS regular installation will fail as described at the above link:

Note: If the installed software version is older than Junos OS Release 15.1X49-D110 
and the master encryption password is enabled, then installation of Junos OS
Release 15.1X49-D110 will fail. You must backup the configuration, certificates,
key-pairs, and other secrets and use the TFTP/USB installation procedure.

 

HTH

Thx
Alex

 

Re: Enabling TPM blocks any Junos upgrade on SRX


Hi Alex,

 

D110 is the newest one, so basically any version anyone might want to upgrade is affected. In my case it's D90/D100.

 

If You enable TPM on JUNOS version older than D110, and then try to upgrade to D110, Your JUNOS regular installation will fail

 

Yes - and to upgrade you need to access the box locally using a console (!)  and clear TPM. Then you need to reinstall Junos from USB/TFTP. After that you need to rebuild the box from scratch using backed up config, secrets etc. 

 

We have quite a lot of SRX devices with TPM / master passwords set and they are in remote locations (VPN spokes). It makes the requirement of local access very difficult, as we will need to send a technician to every one of them. Not to mention that the simple task of upgrading Junos now will require a lot of work (full box rebuild). Probably it would have been easier to RMA them than to do that. ;)

 

Before D110 was released there was no information that enabling TPM might cause that kind of restrictions/problems.

 

Regards,

Pawel Mazurkiewicz

 

 

Re: Juniper SRX 3600 how to define GRE and PPTP applications


 

root> show configuration groups junos-defaults applications

Re: STATIC DESTINATION NAT Question


Appreciated Lyndidon,

 

Have a nice weekend!!

Re: SRX210 behind ISP Modem

I have found that a simple ping will kill an srx. You must have a solid setup for pings. Have you tried static arp???

Split assigned /29 Subnet into two /30


I have a SRX that I am running in packet mode and am attempting some test configurations on it while I await my IP assignment from ARIN. The assigned subnet I have been given at the moment is a /29 - supposed to be a /27, but there was an error in the order so I am waiting for it to be corrected. 

 

That being said, for testing I am trying to split my assigned /29 into two /30's to split across two interfaces, basically putting the SRX between the provider and my NAT router which is another device. My subnet is not routed to me over a PTP, rather the subnet assigned is directly connected and the first useable address is the provider gateway. 

 

Let's assume I was assigned 10.0.0.176/29.

I have split it into 10.0.0.176/30 and 10.0.0.180/30 

 

ge-0/0/1 {
    description Provider_PTP;
    unit 0 {
        family inet {
            address 10.0.0.178/30;
        }
    }
}
ge-0/0/2 {
    description LAN_PTP;
    unit 0 {
        family inet {
            address 10.0.0.181/30;
        }
    }
}

routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.0.0.177;
            resolve;
        }
    }
}

 

I am able to ping the direct interfaces back and forth, but I have no outward reachability from the router which is assigned the 10.0.0.182 address to the internet. 

 

The provider gateway is of course configured as 10.0.0.176/29; however, as long as the addresses in there are reachable over the link it is on, it should get through the SRX to the 0/0/2 interface, should it not?

 

 

Re: Split assigned /29 Subnet into two /30


10.0.0.182's default gateway in this context must be in the same subnet, so in this case 10.0.0.181. 10.0.0.177 is two hops away and is not directly reachable.

Re: SRX210 behind ISP Modem

If you publish the MAC and IP it will be STATIC. Proxy ARP is like what I said, PROXY.... I do not mean to use these instead of proxy ARP, but rather WITH. Another thing: that modem really should be getting an Internet address. 172.x.x.x is internal. Pinging with the SRX can break connections. It will not MAKE it work. It needs to already be working properly so you can ping. You may be dropping the connection by using ping, because you have an improper setup. My first thought is that your 172.x.x.x number is wrong.