Channel: All SRX Services Gateway posts
Viewing all 17645 articles

Re: SRX100H2 Factory Reset Help Required


yes.

Performed NAND format and reinstall, zeroize, and reconfigure via CLI. When I reboot, the old config comes back. Cannot access JWEB or enable it no matter what I try. Can only access management via the console port, so all of the old config is somehow being saved or reloaded. Notice in my screencap above the section about reinstalling, rebooting and loading config:

 

I think it's doing it here:

Mounted junos package on /dev/md1...
D
automatic reboot in progress...
** /dev/da0s1a (NO WRITE)
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
161 files, 75850 used, 236336 free (56 frags, 29535 blocks, 0.0% fragmentation)
mount reload of '/' failed: Operation not supported

-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
-a: not found
Checking integrity of BSD labels:
  s1: Passed
  s2: Passed
  s3: Passed
  s4: Passed
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 23569 free (25 frags, 2943 blocks, 0.1% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 313159 free (87 frags, 39134 blocks, 0.0% fragmentation)
Checking integrity of licenses:
Checking integrity of configuration:
  rescue.conf.gz: No recovery data
Loading configuration ...
mgd: commit complete
Setting initial options: .
Starting optional daemons:  usbd.
Doing initial network setup:.
Initial interface configuration:

 

Is the above snip a normal factory default boot process?? 

 


SRX real lab with ability to ping from win10 machine


Hey,

 

I was looking to set up a real lab with routers and switches where I could ping from a Windows 10 machine and also use Wireshark for learning purposes. I was thinking about buying a 4-port PCIe card for my Windows desktop and connecting them for 4 different networks on Juniper SRXs. My question is: is that possible, and will it work for what I need? Also, is there a cheaper option that will work through VM Workstation? I have googled and seen learning videos of switches connected to other switches with workstations on a VM. Basically, how would I connect a VM that I can ping from to a vSRX? Overall, I would like to save money by not having to buy laptops just to ping networks / policies.

 

 

Thank you, and suggestions are much welcomed. Also, the 4-port PCIe Ethernet port link below is what I was thinking about too as an option.

 

http://www.dell.com/en-us/work/shop/accessories/apd/a8755068?cid=302824&st=&gclid=CjwKCAiAjanRBRByEiwAKGyjZacOlrMyh-hvCIAWRQxIDYyEIc7t40P7qoz1lZ4o1Anmp7-m4b0GkhoCmqYQAvD_BwE&lid=5758064&VEN1=skGBkzprR,112781467989,901q5c14135,c,,A8755068&VEN2=,&dgc=st&dgseg=so&acd=12309152537501410&VEN3=502203864378610526

Re: What the main reason when have "error bad UDP checksum" ?


That's one possible reason. Can you try making the MTU the same on MX and SRX?

Re: GRE over Policy-Based IPsec Problem


GRE over IPSec is explained on https://kb.juniper.net/KB19372

 

GRE over IPsec has a few limitations in Junos (flow mode):

  • The IPsec tunnel needs to be route based.

  • The GRE endpoint and the IPsec endpoint cannot be the same, to make sure that GRE packets go over the IPsec tunnel.

You can address these issues in the following ways:

  • Use a numbered interface in st0 and the st0 IP address as the GRE endpoint.

  • Use a loopback interface as the GRE endpoint and route this IP address to st0.
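
The loopback variant of the workaround above, written out as Junos set commands. This is an added example, not taken from the KB article or from the original reply; all addresses, the zone name VPN and the names VPN-PEER, GW-PEER and IPSEC-POL are assumptions, and the IKE gateway, IPsec policy and security policies are assumed to be configured already.

```junos
# Route-based VPN: the IPsec VPN is bound to a tunnel interface (st0.0)
# instead of being referenced from a security policy.
# GW-PEER and IPSEC-POL are assumed to exist already.
set interfaces st0 unit 0 family inet
set security ipsec vpn VPN-PEER bind-interface st0.0
set security ipsec vpn VPN-PEER ike gateway GW-PEER
set security ipsec vpn VPN-PEER ike ipsec-policy IPSEC-POL

# GRE endpoint on a loopback address (192.0.2.1, constructed),
# which is different from the address the IKE gateway uses as the
# IPsec endpoint (the external interface).
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.1
set interfaces gr-0/0/0 unit 0 tunnel destination 192.0.2.2
set interfaces gr-0/0/0 unit 0 family inet address 10.255.0.1/30

# Route the remote GRE endpoint (the peer's loopback) into st0.0, so
# the GRE packets themselves are carried inside the IPsec tunnel.
set routing-options static route 192.0.2.2/32 next-hop st0.0

# Every logical interface must belong to a security zone.
set security zones security-zone VPN interfaces st0.0
set security zones security-zone VPN interfaces gr-0/0/0.0
set security zones security-zone VPN interfaces lo0.0
```

The peer needs the mirror-image configuration, with its own loopback as tunnel source and 192.0.2.1 routed to its st0 interface.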

 

Re: I have a problem with ip-monitoring and rpm in fail-over route default

Event option and change of config


Hi everyone,

 

I want SRX 100  to do this:

If RPM for 10.10.10.1 fails, install static route 8.8.8.8/32 next hop 10.10.10.2 using EVENT-OPTION

 

SET UP:

 

SRX 10.10.10.6----SW-----10.10.10.1F1 R1

                                    ------10.10.10.2 F1 R2

 

 

 

 

 

Below is my config :

 

set services rpm probe A test PING-A-1 probe-type icmp-ping
set services rpm probe A test PING-A-1 target address 10.10.10.1
set services rpm probe A test PING-A-1 test-interval 3
set services rpm probe A test PING-A-1 thresholds successive-loss 3

 

set event-options policy A events ping_test_failed
set event-options policy A within 100 trigger on
set event-options policy A within 100 trigger 1
set event-options policy A attributes-match ping_test_failed.test-owner matches A
set event-options policy A attributes-match ping_test_failed.test-name matches PING-A-1
set event-options policy A then execute-commands commands "set routing-option static route 8.8.8.8/32 next-hop 10.10.10.2"

 

 

Below I have shut down the interface on R1 f0/0 10.10.10.1; as expected, SRX shows PROBE fails:

root> show services rpm probe-results
Owner: A, Test: PING-A-1
Target address: 10.10.10.1, Probe type: icmp-ping, Test size: 1 probes
Probe results:
No route to target, Sat Dec 9 21:33:00 2017
Results over current test:
Probes sent: 1, Probes received: 0, Loss percentage: 100
Results over last test:
Probes sent: 1, Probes received: 0, Loss percentage: 100
Results over all tests:
Probes sent: 1015, Probes received: 905, Loss percentage: 10
Measurement: Round trip time
Samples: 905, Minimum: 3988 usec, Maximum: 31554 usec,
Average: 10959 usec, Peak to peak: 27566 usec, Stddev: 3859 usec,
Sum: 9917737 usec

 

 

But I do not see the command " set routing-option static route 8.8.8.8/32 next-hop 10.10.10.2" executed.

 

root> show route protocol static

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)

inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

root>

 

1) What am I missing?

2) What is 100 below, is it in seconds?

set event-options policy A within 100 

 

Thanks and have a nice weekend!!

Show chassis routing-engine command


Hi everyone

 

When we use the show command below, we see "USER". What does USER mean below?

user@host> show chassis routing-engine

Routing Engine status:
    Temperature                 38 degrees C / 100 degrees F
    CPU temperature             36 degrees C / 96 degrees F
    Total memory               512 MB Max   435 MB used ( 85 percent)
      Control plane memory     344 MB Max   296 MB used ( 86 percent)
      Data plane memory        168 MB Max   138 MB used ( 82 percent)
    CPU utilization: User                       8 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  0 percent
      Idle                      88 percent

 

Thanks and have a nice weekend

Re: Show chassis routing-engine command


SRX Per-unit-scheduling


I am having a bit of trouble replicating some original Cisco QoS configuration. I am in routed mode on the SRX.

 

In summary, I have a physical wan interface with multiple dot1q sub-interfaces which are on different units.

 

I want the QoS scheduling to apply to all of them as a whole. I also want the shaper to apply on the physical interface and not to individual units.

 

Is there any way to achieve this? I am a bit new to Juniper, but I have noticed that this is possible on EX switches.

 

Many thanks

Re: SRX Per-unit-scheduling


I just noticed this:

 

root@SRX-300-TESTING# set class-of-service interfaces ge-0/0/5 unit ?
Possible completions:
<interface_unit_number> Logical unit number (0..1073741823)
* Wild card, all logical units for this interface
1 Logical unit number
[edit]
root@SRX-300-TESTING# ...terfaces ge-0/0/5 unit * shaping-rate 978m

 

 

So that answers my question!

Re: Event option and change of config

Possible to prioritise BGP keepalive messages ?


By default, SRX sends as best-effort. Is it possible to set the priority to Network control? I have a QoS policy on the outbound; I assume keepalive messages will be subject to this?

 

 

Thanks

Re: Possible to prioritise BGP keepalive messages ?

Multiple site to site vpns


Hi All,

 

Please forgive my newbness. I will most likely be outsourcing this unless I can get on some training, but I'm after some confirmation.

 

I need to link 5 facilities together. I was initially thinking MPLS or Ethernet Services from our ISP (not ruled out yet). Another suggestion has been IPsec VPNs.

 

Most sites are using Juniper SRX (220 and 320), although one is on a Palo Alto and another is on Smoothwall, so will change them if needed, but...

Each site has between 900 and 1800 users (about 200-600 active concurrently). The sites will house half a dozen servers which will regularly replicate to a DC. Facilities currently have a 300mbps internet connection (looking to upgrade in the future), but I'm wondering if SRXs are sufficient for this use and will they support this type of VPN topology?

 

sitetositetopology.PNG

Re: Show chassis routing-engine command


Hi,

 

CPU utilization

Information about the Routing Engine's CPU utilization:

  • User—Percentage of CPU time being used by user processes.
  • Background—Percentage of CPU time being used by background processes.
  • Kernel—Percentage of CPU time being used by kernel processes.
  • Interrupt—Percentage of CPU time being used by interrupts.
  • Idle—Percentage of CPU time that is idle.

Does entire session will re-establish back if we change MTU on physical interface?


Hi all,

 

I have a question, and it contradicts what JTAC said to me. Below is the log that appears when I commit the change. During the commit, all the sessions that were logged in (application) were kicked out and needed to log in again. JTAC said that when we change the MTU, "MTU size change WOULD NOT affect the current sessions and only new sessions. The only change that would affect current sessions would be MSS value which is a per policy/flow session."

 

But

 

{primary:node1}
test@srx2> show log messages | last 300 | no-more
Dec 6 20:00:30.000 2017  srx2 : %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: iff_handle_ifa_delete: deletion of address on  IFL reth8 has resulted in the removal of primary source address
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 last message repeated 15 times
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.32767 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.700 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.711 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.722 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.721 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.720 not found!
Dec 6 20:00:30.000 20177  srx2 : %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 last message repeated 15 times
Dec 6 20:00:30.000 2017 srx2: %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: lage_iffconfig: reth8.32767 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: lage_iffconfig: reth8.700 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: lage_iffconfig: reth8.711 not found!

 

Thanks and appreciate some feedback

Re: Does entire session will re-establish back if we change MTU on physical interface?


What commands were used to change the MTU?

 

This suggests the family inet address was deleted on the interface which would likely affect sessions.

 

deletion of address on  IFL reth8 has resulted in the removal of primary source address

 

Re: Multiple site to site vpns


The SRX can handle this as either IPSEC or carrier ethernet. The use of IPSEC does limit the bandwidth capacity of the platform to cover the encryption overhead. So the SRX320 would be fine for the carrier ethernet with headroom to grow to 500 meg; it would not really handle a full 300 Meg IMIX with IPSEC.

 

Here's the per platform spec sheet comparison chart.

 

https://www.juniper.net/us/en/local/pdf/datasheets/1000265-en.pdf

 

You should be able to find similar specs for other platforms too.

 

Re: Does entire session will re-establish back if we change MTU on physical interface?


Hi spuluka,

 

 

I'm using the command "set interface reth8 mtu 9192"

 

Thanks

Is there any hidden command that can verify both cluster synchronize the the config?


Hi all,

 

Let's say I previously set up the chassis cluster, but due to a certain issue Node1 needed to be powered off for almost 3 weeks, so all the updated config is on Node0. When I join Node1 back to the cluster, is there some hidden command that can verify that Node1 has the same updated config as Node0? I understand that when Node1 joins the cluster all the latest config will sync to Node1, but just as a precaution I want to make sure both nodes are the same.

 

Thanks and appreciate any feedback
