Channel: All SRX Services Gateway posts

Re: From ScreenOS to JunOS


The default VR for ScreenOS is trust.  If this is how you would like to configure your SRX, then you would use inet.0.  I don't have any configuration examples, but there are some really good resources in the technical docs.  If you have a specific question, please ask.


Re: Nat'ing to public IP space before entering a route-based VPN


Kind of defeats the purpose. But it sounds like a candidate for Group VPN, which uses public IP address space. Can they send you an example of how this is done with any other vendor, so that we can see what the equivalent configuration on the Juniper side would be? I am thinking double NAT with a routing instance, but I will see what the experts on it recommend.

Re: tcpdump on SRX


For transit traffic, try this, using basic-datapath debug:

#set security flow traceoptions file trace-debug-basic-dp

#set security flow traceoptions flag basic-datapath

#set security flow traceoptions packet-filter pckt-in source-prefix <prefix/length>

#set security flow traceoptions packet-filter pckt-out destination-prefix <prefix/length>

Re: Config Dynamic DNS on SRX300


I had tried this, but it only has dyndns by default. How can I add no-ip to it?

Re: Mystery problems with passive FTP and SRX240


I've found it correlates with another log in syslog (severity info): "source NAT allocation failure", which was a culprit. The FTP ALG was unable to obtain a socket for mapping the "data" connection negotiated in the "command" channel on port 21.
It is somewhat tricky because "source NAT allocation failure" messages are logged with severity info (!which is IMHO a real source of a problem - nobody checks it - it's too big!) and "FTP ALG data session NAT failed" messages are logged with severity error. Both are usually in separate files - firewall logs are too big to keep them together.

The src NAT pool used for this outgoing traffic needs to be broadened...

Re: SRX5800 -->minor alarm Mixed Master and Backup RE types?


Hey guys.

 

I'm having the same issue, exactly the same as the thread poster.

Do we have a workaround to at least ignore the alarm? Something so that we ignore the Fxp0 Host down issue?

Re: ipv6 vlan interface


Can you share your config with us and also the status of the interface?

Re: SYSLOG and Control plane on SRX 650


On the High End SRX the routing engine and fxp port are physically separate units.  The forwarding plane and switch control boards where packets are processed live on cards in the main chassis.  So to get the log data from the forwarding plane out the fxp port they have to physically transit the chassis to the RE card.

 

With the branch series the separation of control and forwarding plane is by virtualization on the same hardware.


XE- 10G Interface no Power


Hello,

We are installing a new SRX5600 and we are seeing that some 10G interfaces are not working. [All SFPs are Juniper]

Looking at the output power, there is nothing:

 

show interfaces diagnostics optics xe-3/0/1
Physical interface: xe-3/0/1
Laser bias current : 0.000 mA
Laser output power : 0.0000 mW / - Inf dBm
Module temperature : 18 degrees C / 65 degrees F
Module voltage : 3.3390 V
Receiver signal average optical power : 0.0000 mW / - Inf dBm
Laser bias current high alarm : Off
Laser bias current low alarm : On
Laser bias current high warning : Off
Laser bias current low warning : On
Laser output power high alarm : Off
Laser output power low alarm : On
Laser output power high warning : Off
Laser output power low warning : On
Module temperature high alarm : Off
Module temperature low alarm : Off
Module temperature high warning : Off
Module temperature low warning : Off
Module voltage high alarm : Off
Module voltage low alarm : Off
Module voltage high warning : Off
Module voltage low warning : Off
Laser rx power high alarm : Off
Laser rx power low alarm : On
Laser rx power high warning : Off
Laser rx power low warning : On
Laser bias current high alarm threshold : 95.000 mA
Laser bias current low alarm threshold : 3.000 mA
Laser bias current high warning threshold : 90.000 mA

 

------------------------------------------------------------------------------------------

This is the hardware installed:

 

show chassis hardware

 

FPC 3 REV 09 750-061262 CAHZ1366 SRX5k IOC II
CPU REV 03 711-061263 CAJA9651 SRX5k MPC PMB
MIC 0 REV 11 750-049488 CAJA0871 10x 10GE SFP+
PIC 0 BUILTIN BUILTIN 10x 10GE SFP+
Xcvr 1 REV 01 740-021309 H3P2004895 SFP+-10G-LR
Xcvr 2 REV 01 740-021309 H3P2004630 SFP+-10G-LR
MIC 1 REV 07 750-055732 CAHX9529 20x 1GE(LAN) SFP
PIC 2 BUILTIN BUILTIN 10x 1GE(LAN) SFP
Xcvr 0 REV 02 740-011613 AM16382KQAM SFP-SX
Xcvr 1 REV 02 740-011613 AM16382KQA9 SFP-SX
PIC 3 BUILTIN BUILTIN 10x 1GE(LAN) SFP
Xcvr 0 REV 02 740-013111 H114328 SFP-T
Xcvr 1 REV 02 740-011613 AM16382KPGU SFP-SX
Xcvr 2 REV 02 740-011613 AM16382KQBB SFP-SX
Xcvr 6 REV 02 740-013111 H124469 SFP-T
Xcvr 7 REV 02 740-013111 H111051 SFP-T
Xcvr 8 REV 02 740-013111 H110681 SFP-T
Xcvr 9 REV 02 740-013111 H113404 SFP-T

 

-----------------------------------------------------------------------

The status of the port:

 

root@ROFW02> show interfaces xe-3/0/2 brief
Physical interface: xe-3/0/2, Enabled, Physical link is Down
Link-level type: Ethernet, MTU: 1500, LAN-PHY mode, Speed: 10Gbps,
Loopback: None, Source filtering: Disabled, Flow control: Enabled
Device flags : Present Running Down
Interface flags: Hardware-Down SNMP-Traps Internal: 0x4000

 

Any idea of what could be wrong?

 

Thanks

Re: arpintrq drops and CPU Threshold Exceeded


Hi all,

 

 

First of all, sorry to bring up the old thread.

May I know whether we can do some script (raise a trap) that can notify which interface the broadcast storm is coming in on before it makes the RE break the PFE? So, in other words, we can identify which interface causes the FPC reboot.

 

Thanks and appreciate any feedback

 

 

Does latest junos D110 on SRX can assign fxp0 into VR?

Re: SRX340 SSD installation

Juniper support has been unable to assist, so I'm sharing my findings with the community. Hope this helps others avoid the troubles I've encountered...
 
HOW TO boot SRX340 with SSD installed:
From factory backup image on internal, snapshot to USB media w/partitioning.
Reboot from USB.
Install software upgrade w/ reboot.
Set Rescue.
(test snapshot to USB- failure to snapshot to boot device confirms we are running off USB )
Snapshot to _internal_ w/partitioning.
Reboot from _internal_
Set AutoRecovery
Power down.
remove USB device.
external: copy USB device image to SSD. (BSD image options: keep structure, no expand, change disk signature on target SSD)
install SSD in SRX device.
Power up SRX.
Device is running and responsive in less than 5 minutes.
 
Uncertain how it shook out, if the SSD is being labelled "internal" or what...
 But at least it's able to boot up with SSD installed.
Ta-Da.
 
Now need to verify we can log to SSD, etc.  Not quite out of the woods, but can at least see the clearing.
-clm

Re: Config Dynamic DNS on SRX300

Re: Nat'ing to public IP space before entering a route-based VPN


The NAT rules are a zone-to-zone configuration.  For this setup I have configured the tunnel interface as a separate zone and then created the NAT rule from the internal zone to this tunnel zone for the translation.

 

Since the other side is an ASA you will also need to configure proxy-id with this address and the remote side address for the Cisco to setup the tunnel.
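
The setup described in this reply, written out as Junos set commands. This is an added example, not part of the original post: the zone, pool, rule and VPN names, the interfaces and all addresses (documentation ranges) are assumptions, and the IKE gateway and IPsec policy for the VPN are assumed to be configured already.

```junos
# Assumed addressing (constructed for this example):
#   internal LAN            10.1.1.0/24   (zone "trust", ge-0/0/1.0)
#   public NAT address      203.0.113.10  (what the ASA side will see)
#   remote protected subnet 198.51.100.0/24

# Put the tunnel interface in its own zone so a zone-to-zone NAT rule can match it
set interfaces st0 unit 0 family inet
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone vpn interfaces st0.0

# Route the remote subnet into the tunnel (route-based VPN)
set routing-options static route 198.51.100.0/24 next-hop st0.0

# Source NAT from the internal zone to the tunnel zone
set security nat source pool vpn-public address 203.0.113.10/32
set security nat source rule-set trust-to-vpn from zone trust
set security nat source rule-set trust-to-vpn to zone vpn
set security nat source rule-set trust-to-vpn rule nat-lan match source-address 10.1.1.0/24
set security nat source rule-set trust-to-vpn rule nat-lan match destination-address 198.51.100.0/24
set security nat source rule-set trust-to-vpn rule nat-lan then source-nat pool vpn-public

# Security policy is evaluated before source NAT, so it matches the original addresses
set security policies from-zone trust to-zone vpn policy lan-to-remote match source-address any destination-address any application any
set security policies from-zone trust to-zone vpn policy lan-to-remote then permit

# Bind the VPN to st0.0 and set the proxy-id to the translated address,
# because the ASA negotiates the tunnel on specific local/remote networks
set security ipsec vpn to-asa bind-interface st0.0
set security ipsec vpn to-asa ike proxy-identity local 203.0.113.10/32
set security ipsec vpn to-asa ike proxy-identity remote 198.51.100.0/24
set security ipsec vpn to-asa ike proxy-identity service any
```

The proxy-identity values have to mirror the crypto ACL on the ASA side, with local and remote swapped there; `show security nat source rule all` shows translation hits once traffic flows.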

Re: SRX5800 -->minor alarm Mixed Master and Backup RE types?

Hey guys.
I'm having the same issue, exactly the same as the thread poster.
Do we have a workaround to at least ignore the alarm? Something so that we ignore the Fxp0 Host down issue?

Don't know about the log message, but if you are not connecting anything to the fxp physical interface then just disable it in the configuration and the alarm will go away.

 

set interfaces fxp0 disable

 


Re: XE- 10G Interface no Power

Laser bias current : 0.000 mA
Laser output power : 0.0000 mW / - Inf dBm

If the optic is inserted and compatible, this reading generally means the optic itself is bad.  There is no output laser at all here.  But it is also possible the card or sfp+ slot is bad but this is less common.

 

 

Re: Does latest junos D110 on SRX can assign fxp0 into VR?


Hi kronicklez,

 

Unfortunately not - D110 still doesn't let you add fxp0 to a routing-instance.

 

This feature was added to mainline Junos in 17.1R1, so you'd need to upgrade your SRX to 17.1.

 

set system management-instance

Will place fxp0 into a dedicated routing-instance called mgmt_junos (you can't create a custom instance):

 

root@lab-srx1500> show route

inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.4.1/32     *[Local/0] 00:45:14
                      Reject
192.168.5.1/32     *[Local/0] 00:45:14
                      Reject

mgmt_junos.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.9.0/24        *[Direct/0] 00:17:20
                    > via fxp0.0
10.0.9.248/32      *[Local/0] 00:17:20
                      Local via fxp0.0

17.1 on the SRX (1500 at least) is still a bit fresh for deployment - while I was labbing this up, I got kicked to the db> prompt, so I wouldn't rush out to upgrade your production system just yet ;)

 

Hope this helps

Re: Does latest junos D110 on SRX can assign fxp0 into VR?


Hi Dfex,

 

Thanks for your feedback. May I know whether you have already detected any difference between ver 15.x D110 and 17.x? My SRX5800 will come at the end of this month. If ver 17 is stable and all features are supported as per ver 15.x, please let me know.

 

 

Thanks

Re: Does latest junos D110 on SRX can assign fxp0 into VR?


Hi Kronicklez,

 

17.3R1 was released for SRX-series late August and covers all features available in 15.1X49-D80. My impression is that this version is quite stable (at least I haven't heard about any).

 

So if you don't have any very special configuration I would go with 17.3R1  - and this will give you the management routing-instance you are looking for :-)

Potential slow peers Minor alarm


Hello, 

 

I've recently configured an SRX cluster. However, for one of the nodes I get the following alarm:

 

node1:
--------------------------------------------------------------------------
1 alarms currently active
Alarm time Class Description
2017-09-22 18:04:55 CEST Minor Potential slow peers are: FWDD0 FWDD1

 

Has anyone seen this before or know what this could be? The firewalls are running JUNOS Software Release [17.3R1.10]

 

Any help would be greatly appreciated. Thanks in advance. 
