
Re: Split assigned /29 Subnet into two /30


Hey there,

Thanks for the reply. I understand there is a bit of an issue in that regard, so I was trying to work around it. Normally I am routed a subnet as opposed to being directly connected, but this ISP is a bit... different with their policies.

Regardless, proxy ARP would have solved the problem, but it is in packet mode and proxy-arp is a NAT feature. However, I did find that I could allow unrestricted proxy-arp on the interface in question, and that allowed the model to work.

Like I said, this is only temporary and I am just playing with this link until I get my subnet, but I wanted to be able to pass some traffic into a lab environment from outside over this connection.

Cheers.


Re: SRX210 behind ISP Modem


I understand that publishing will make it static. But the idea is that there are a number of IPs in the 10.20.15 range (namely 129-191) that will need to be NAT'd. I don't want to publish them all, especially when they aren't all on or set up all the time. So I'm guessing that you are suggesting that I publish some other IP rather than the entire network.

Re: the modem comment; did you look at the network diagram I attached? The 172... is the inside interface of the modem. The outside is getting a public address from the ISP. Sorry for the confusion.

While I don't disagree with you on the ping, I can assure you that I was able to duplicate the problem and the fix. From this desktop (1.20.15.130), I would lose connection to the internet. My default gateway is the SRX ge-0/0/1.0 (10.20.15.254) and my default DNS is a VM running in my network (10.20.15.172). The DNS has a forwarder to the ISP's DNS address, which is how I resolve outside addresses. The SRX has a default route of 0.0.0.0/0 to a next-hop of 172.20.15.1, which is the inside address of the modem. When I lose connection on the .130 machine, simply pinging the 172.20.15.1 address restores the internet connection; usually the first ping or two will time out. While the connection was NOT working, verifying NAT and routing using traceoptions looked exactly as it does when the connection IS working, which is why I started thinking ARP. Monitoring the ge-0/0/0.0 interface traffic would show constant ARP requests for 172.20.15.130 but no responses. If you have something else I could look at to troubleshoot, I'd appreciate it. But for now, I've just changed it to interface NAT, which seems to have fixed it.

Re: SRX210 behind ISP Modem


Though this is a side topic, is it the GUI that crashed or the SRX that simply core dumped and stopped processing packets? You may be experiencing a bug from that old, completely unsupported version. We are now at version 15.X, and the GUI today is completely different in terms of features, reliability and support. It is the very first time I have heard of this. But can you tell us exactly the steps to reproduce it?

Re: SRX210 behind ISP Modem


I realize the GUI question was directed at the previous comment, but just to clarify, I am doing all of my configuration via an SSH/PuTTY session or the direct console and not via J-Web.

Also, I am running JUNOS 12.1X46-D67 built 2017-07-12 01:39:21 UTC, as that is the latest recommended from JTAC for the SRX210H.

Re: Subinterfaces vs VLAN interfaces


Hi,

Do I understand correctly that you want to know the difference between creating a VLAN interface and a subinterface without a VLAN?

Re: SRX tunnel to Cisco ASR configured for EZVPN?


Is EZVPN just a wizard that sets up the Cisco site-to-site configuration?

If so, then all you need is to note the phase 1 and phase 2 parameters chosen by the wizard and match these when you create the VPN on the SRX.

Re: SRX210 behind ISP Modem

Ok, of course we must give short explanations, so vagueness is a given. Hope I helped at least a little, to jar thinking. An address of 1.x.x.x is rather a small scalar address, and the fact that you had problems is a sign of either incompleteness (short on config work) or an outright hardware failure. I see that NAT would correct it and now see why you think of proxy. In my VLAN for ARP I did not include its own address. I now think of NDP. It has noticeable failure in comparison.

proxy-ndp {
    interface vlan.0 {
        address {
            2601:204:ce00:5550::1/128 to 2601:204:ce00:5550:ffff:ffff:ffff:ffff;
            2001:558:5516:37::1/128 to 2001:558:5516:37:ffff:ffff:ffff:ffff;
            fe80::1/128 to fe80::ffff:ffff:ffff:ffff;
        }
    }
    interface sp-0/0/0.0 {
        address {
            2601:ffff:7016:9685::1/128 to 2601:ffff:7016:9685:ffff:ffff:ffff:ffff;
            2001:ffff:7016:9685::1/128 to 2001:ffff:7016:9685:ffff:ffff:ffff:ffff;
            fe80::ffff:7016:9685:2279/128 to fe80::ffff:ffff:ffff:ffff;
        }
    }
}

Ranges are important here.

Re: ipv6 vlan interface


Is the VLAN interface admin up, link down?

Routes for VLAN interfaces will show reject when the status is up/down, and VLAN interfaces will be link down unless one of the physical interfaces assigned to the VLAN group is link up.


Re: SRX210 behind ISP Modem

Please share your results if you use this.

Re: SRX210 behind ISP Modem

The internal ping dropped the internet connection and froze the web interface. It killed the SRX; it needed a reboot.

Re: SRX210 behind ISP Modem

At times it killed the whole deal; at times you could still configure. Probably better luck with console methods.

Re: Downloadable access-list via radius


No, the SRX access lists for remote access VPN are only by configuration on the SRX, not dynamic from another source.

If you are looking to set up role-based access lists for SSL VPN, the Pulse Secure Connect Secure product has a lot of flexibility.

https://www.pulsesecure.net/connect-secure/overview/

But even here they use group membership or other attributes to map users to access role profiles that are configured on the SSL VPN server, rather than getting an ACL directly from the RADIUS server.

Re: SRX210 behind ISP Modem


Yeah, strange. Get the latest version on a USB stick, back up your config and install from the USB so it properly formats the drive and creates the dual root partition. It would be surprising to see that happening now. That is absolutely a major bug which I would imagine has been fixed by now. Management and the GUI are processed in the CP, in separate memory space, so it should never affect PFE functions. Additionally, screens should also take care of pings. Thanks for the info.

Re: Error when commit static nat two public ip into one private IP?

Re: SRX210 behind ISP Modem

I have an srx240b2. I have no H units.

Re: SRX address book: Global address book and Zone address book


When you define an address under the zone it can only be seen and utilized by rules in that zone.

 

When the address is defined as global it can be seen and used by all zones.
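As an added example of the two forms, not from the thread itself, here is the same network defined once in a zone-level address book and once in the global address book; the zone names, policy names and address-set names are assumptions, and 10.1.69.0/24 is the LAB_WORK network from the interface configuration posted later in this thread:

```junos
# Added example, not from the original thread. Zone, policy and set names
# are assumed; 10.1.69.0/24 is the LAB_WORK network from the posted config.

# Form 1: zone-level address book. "lab-hosts" exists only inside the "lab"
# zone, so a policy may use it as source-address only when from-zone is lab
# (and as destination-address only when to-zone is lab).
set security zones security-zone lab address-book address lab-work-net 10.1.69.0/24
set security zones security-zone lab address-book address-set lab-hosts address lab-work-net
set security policies from-zone lab to-zone untrust policy lab-web match source-address lab-hosts
set security policies from-zone lab to-zone untrust policy lab-web match destination-address any
set security policies from-zone lab to-zone untrust policy lab-web match application junos-https
set security policies from-zone lab to-zone untrust policy lab-web then permit
# This would fail at commit: "lab-hosts" is unknown in the home zone's book.
# set security policies from-zone home to-zone untrust policy x match source-address lab-hosts

# Form 2: global address book. One definition, usable in every zone pair.
set security address-book global address lab-work-net 10.1.69.0/24
set security address-book global address-set lab-hosts address lab-work-net
set security policies from-zone home to-zone lab policy to-lab match source-address any
set security policies from-zone home to-zone lab policy to-lab match destination-address lab-hosts
set security policies from-zone home to-zone lab policy to-lab match application junos-ssh
set security policies from-zone home to-zone lab policy to-lab then permit
```

The two forms are alternatives, not a combination: Junos does not let you keep zone-level address books and a global address book on the same device, so a box migrating to the global form has to move every zone entry across in the same commit. The zone-level form is the stricter of the two, since a typo in a policy can only reference objects from the zone it already names.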

Re: Subinterfaces vs VLAN interfaces


Not sure of the question, so this may be the wrong answer.

Generally, if you have only one connection to the SRX for the VLAN, then simply putting the address on the subinterface is best.

But if you have multiple interfaces on the SRX that need to participate in the VLAN, creating the VLAN interface and group is best.

Re: Subinterfaces vs VLAN interfaces


Sorry for the confusion adwivedl. What I'm finding in my research is that you can either configure it as:

Specify a new VLAN, which will be used for switching, in this case VLAN 100:
user@host# set vlans vlan-100 vlan-id 100

Assign this VLAN interface as your Layer 3 interface on this VLAN:
user@host# set vlans vlan-100 l3-interface vlan.100

Configure a VLAN interface with an IP for this VLAN. (It must be on a different L3 subnet than the other VLANs.)
user@host# set interfaces vlan unit 100 family inet address 192.168.10.1/24

When you do that, I'm finding (if I read right) that you configure the physical interface:

set interfaces ge-0/0/0 unit 0 description ge-0/0/1
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk/access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-name [names]
set interfaces ge-0/0/0 unit 0 family ethernet-switching native-vlan-id 3

The other example I've found is to just configure sub-interfaces on the physical interface:

set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 100
set interfaces ge-0/0/0 unit 100 vlan-id 100
set interfaces ge-0/0/0 unit 100 family inet address 192.168.1.1/24

set interfaces ge-0/0/0 unit 200 vlan-id 200
set interfaces ge-0/0/0 unit 200 family inet address 192.168.2.1/24

set interfaces ge-0/0/0 unit 300 vlan-id 300
set interfaces ge-0/0/0 unit 300 family inet address 192.168.3.1/24
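To show the two approaches side by side as complete, committable configuration, here is an added example that is not from the thread; the port numbers, zone names and policy name are assumptions, and the addresses reuse the ones in the post above. The point it adds is the zone assignment, which is where the two designs differ for a firewall:

```junos
# Added example, not from the original thread. Port numbers, zone names and
# the policy name are assumed; the addresses reuse those from the post.

# Option A: the SRX does the switching. Several physical ports are members
# of the VLAN and one routed VLAN interface (vlan.100) carries the subnet.
set vlans vlan-100 vlan-id 100
set vlans vlan-100 l3-interface vlan.100
set interfaces vlan unit 100 family inet address 192.168.10.1/24
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-100
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-100
# Only the routed interface belongs to a zone; the switched ports do not,
# so hosts on fe-0/0/2 and fe-0/0/3 talk to each other without any policy.
set security zones security-zone lan interfaces vlan.100 host-inbound-traffic system-services ping

# Option B: one 802.1Q trunk, a logical unit per VLAN, no switching on the
# SRX. The address sits on the tagged unit, never on the bare physical port.
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 100 vlan-id 100
set interfaces ge-0/0/0 unit 100 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 200 vlan-id 200
set interfaces ge-0/0/0 unit 200 family inet address 192.168.2.1/24
set interfaces ge-0/0/0 unit 300 vlan-id 300
set interfaces ge-0/0/0 unit 300 family inet address 192.168.3.1/24
# Each unit is zoned on its own, so VLAN-to-VLAN traffic crosses the
# firewall and is subject to policy.
set security zones security-zone lab-work interfaces ge-0/0/0.100
set security zones security-zone lab-vuln interfaces ge-0/0/0.200
set security zones security-zone home interfaces ge-0/0/0.300
# What that buys you: nothing from the vulnerable lab can reach the home LAN.
set security policies from-zone lab-vuln to-zone home policy block-vuln match source-address any
set security policies from-zone lab-vuln to-zone home policy block-vuln match destination-address any
set security policies from-zone lab-vuln to-zone home policy block-vuln match application any
set security policies from-zone lab-vuln to-zone home policy block-vuln then deny
```

On the 12.1X46 release mentioned in this thread the routed VLAN interface is named vlan.N; later branch SRX releases that use the Enhanced Layer 2 Software model call it irb.N instead, with the rest of the design unchanged. Option A is the right fit when several SRX ports must share one broadcast domain; Option B keeps every VLAN in its own zone behind the same trunk, which is the safer layout when one of those VLANs is a deliberately vulnerable lab.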

Re: Subinterfaces vs VLAN interfaces


I've tried to put together a quick image of what I'm trying to connect. Hope it makes sense.

 

So SRX config would be something like:

   set interfaces ge-0/0/0 description "Trunk to Internet: SRX-210 (ge-0/0/0) to MOTOROLA SBG6580"
   set interfaces ge-0/0/0 gigether-options auto-negotiation
   set interfaces ge-0/0/0 unit 0 family inet address 172.20.15.254/24

   set interfaces ge-0/0/1 description "SRX-210 (ge-0/0/1) to TP-LINK port 1 : Gateway for HOME_LAN"
   set interfaces ge-0/0/1 gigether-options auto-negotiation
   set interfaces ge-0/0/1 unit 0 family inet address 10.20.15.254/24
   set interfaces ge-0/0/1 unit 0 family inet sampling input
   set interfaces ge-0/0/1 unit 0 family inet sampling output

   set interfaces fe-0/0/6 description "SRX-210 (fe-0/0/6) to ESXi eth2: Gateway for LAB_WORK"
   set interfaces fe-0/0/6 unit 0 family inet address 10.1.69.254/24

   set interfaces fe-0/0/7 description "SRX-210 (fe-0/0/7) to ESXi eth3: Gateway for LAB_VULN"
   set interfaces fe-0/0/7 unit 0 family inet address 10.16.36.254/24

SYSLOG and Control plane on SRX 650


Hi everyone.

I have some questions about the SRX 650 after reading the Day One book on SRX (great book, by the way!).

More specifically, the following excerpt from the book:

"Logging behaves differently in the branch SRX platform and the high-end data center SRX devices due to their hardware architecture. Although both device platforms have data and control planes, the high-end security devices make this division in hardware: given the limited resources in the control plane and the high number of entries that these devices can potentially generate, it's an important consideration when configuring security logging in the high-end platforms. The high-end SRXs are capable of so much logging that they can quickly overwhelm the routing engine if security logging is attempted via the control plane (out the fxp0 interface). To overcome this important aspect of logging security events, an administrator can dedicate a revenue port for logging tasks. Doing so will cause logging for security events to be sent out the SRX from the data plane, rather than the control plane, resembling the behavior of the branch SRX devices that don't have a dedicated hardware control plane."

Case 1:

The SRX 650 is not configured to send syslog to a syslog server; rather, all logs are stored locally on the hard drive.

In the above case, does generating a huge volume of syslog impact the control plane? If yes, what part of the control plane is impacted, the Routing Engine?

Case 2:

The SRX 650 is configured to send syslog to syslog server 1.1.1.1 out of fxp0.

How does this impact the control plane versus using a data port (a port used by transit traffic) to source the syslog?

Thanks and have a nice weekend!!
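As an added example, not from the thread or the Day One book, here is how the two paths in the question map onto Junos configuration: the control-plane path (event mode, logs handled by the Routing Engine and either written locally or forwarded out fxp0) and the data-plane path (stream mode, logs emitted by the forwarding plane from a revenue-port address). The policy and zone names, the stream name and the 192.0.2.10 source address are assumptions; 1.1.1.1 is the collector from the question:

```junos
# Added example, not from the original thread. Policy, zone and stream names
# and the 192.0.2.10 source address are assumed; 1.1.1.1 is the collector
# named in the question.

# Security logs are produced per policy, so first make a policy log at all.
set security policies from-zone trust to-zone untrust policy allow-out then log session-init
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

# --- Case 1 and the fxp0 half of case 2: control-plane path ("event" mode) --
# Flow logs are handed to the Routing Engine's syslog process, which writes
# them to local files and/or forwards them from fxp0. The RE does the work.
set security log mode event
set security log event-rate 300
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW
set system syslog file traffic-log archive size 1m files 10
# Forwarding the same messages from the RE to 1.1.1.1 (out fxp0):
set system syslog host 1.1.1.1 any any
set system syslog host 1.1.1.1 match RT_FLOW

# --- Data-port half of case 2: data-plane path ("stream" mode) --------------
# The forwarding plane sends syslog directly, sourced from a revenue-port
# address (192.0.2.10 is assumed to sit on a transit interface), so the
# per-session messages never touch the Routing Engine. "mode" is a single
# leaf, so this replaces the event-mode line above rather than adding to it.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.10
set security log stream to-collector host 1.1.1.1
set security log stream to-collector severity info
set security log stream to-collector category all
```

The event-rate line is the knob that answers case 1 directly: in event mode every RT_FLOW message is a Routing Engine syslog write, so capping the rate (and the local file size) is what keeps a burst of sessions from starving the RE, at the price of dropped log lines. In stream mode nothing is written to the local disk, so the collector at 1.1.1.1 becomes the only record; after the commit, `show log traffic-log` shows the event-mode file, and an empty file after switching to stream mode is the expected sign that the data plane, not the RE, is now carrying the logs.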

 

 

 

 
