Channel: All SRX Services Gateway posts


Re: Manual failovers too LONG on SRX550 with bdf or lacp


Hi Folks,

Just my 2 cents on this..

 

Manual failover by CLI is not the right way to simulate the issue. Please:

 

  • Give a break from transmission
  • Do laser off

Re: Show chassis routing-engine command


Hi Folks,

Just my 2 cents on this..

 

[M/MX/T-series] Troubleshooting Checklist - Routing Engine High CPU is a good one…

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26261

 

To do some analysis, capture the data equivalent to “show system process extensive” from router shell and analyze the behavior…

 

5 Days with snapshot for every 5 seconds

top -s 5 -d 86400 -n 100 >> /var/tmp/top.txt &

 

2 Days with snapshot for every 5 seconds

top -s 5 -d 34560 -n 100 >> /var/tmp/top.txt &

 

24 HOURS with snapshot for every second

top -s 1 -d 86400 -n 100 >> /var/tmp/top.txt &

 

24 HOURS with snapshot for every 5 seconds

top -s 5 -d 17280 -n 100 >> /var/tmp/top.txt &

 

1 HOUR with snapshot for every second

top -s 1 -d 3600 -n 100 >> /var/tmp/top.txt &

 

1 HOUR with snapshot for every 5 seconds

top -s 5 -d 720 -n 100 >> /var/tmp/top.txt &
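As an added illustration (not part of the post above), a small Python script that post-processes the /var/tmp/top.txt capture: it splits the file into snapshots and reports, per process, the average CPU and how many snapshots were at or above a threshold, which separates a sustained hog from a one-off spike. The FreeBSD-style column layout and the sample snapshots are constructed assumptions, not real device output.

```python
import re
from collections import defaultdict

# Constructed sample of three "top" snapshots in the FreeBSD column layout the
# Junos routing engine produces (layout is an assumption, not captured output).
SAMPLE_TOP = """\
last pid: 4711;  load averages:  1.90,  1.40,  1.10  up 12+03:00:00  10:00:00
62 processes:  2 running, 60 sleeping
  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1470 root        1  76    0   110M    42M RUN    0  12:34 85.01% rpd
 1502 root        1  20    0    80M    20M select 1   3:21  4.50% mgd
 1377 root        1  20    0    30M    10M select 0   0:40  0.98% chassisd
last pid: 4712;  load averages:  1.95,  1.45,  1.12  up 12+03:00:05  10:00:05
62 processes:  1 running, 61 sleeping
  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1470 root        1  76    0   110M    42M RUN    0  12:38 91.20% rpd
 1502 root        1  20    0    80M    20M select 1   3:21  3.10% mgd
 1377 root        1  20    0    30M    10M select 0   0:40  1.02% chassisd
last pid: 4713;  load averages:  1.50,  1.40,  1.12  up 12+03:00:10  10:00:10
61 processes:  1 running, 60 sleeping
  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1470 root        1  76    0   110M    42M select 0  12:40 12.00% rpd
 1502 root        1  20    0    80M    20M select 1   3:22  4.00% mgd
"""

# each snapshot starts with top's "last pid:" header line
RE_SNAPSHOT = re.compile(r"^last pid:", re.M)
# PID USER THR PRI NICE SIZE RES STATE C TIME WCPU% COMMAND
RE_PROC = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+\d+\s+-?\d+\s+-?\d+\s+\S+\s+\S+\s+\S+\s+\d+\s+\S+"
    r"\s+([\d.]+)%\s+(\S+)\s*$"
)


def summarize_top(text, hot_pct=50.0):
    """Per-command CPU summary across all snapshots in a top.txt capture.

    Returns [(command, avg_pct, snapshots_at_or_above_hot_pct, snapshots_seen)]
    sorted by average CPU, so a sustained hog ranks above a one-off spike.
    """
    cpu = defaultdict(list)
    for snap in RE_SNAPSHOT.split(text):
        for line in snap.splitlines():
            m = RE_PROC.match(line)
            if m:
                cpu[m.group(4)].append(float(m.group(3)))
    rows = []
    for cmd, samples in cpu.items():
        avg = round(sum(samples) / len(samples), 2)
        hot = sum(1 for s in samples if s >= hot_pct)
        rows.append((cmd, avg, hot, len(samples)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows
```

Run it against the real capture with `summarize_top(open("/var/tmp/top.txt").read())`; a process that is hot in most snapshots is the one to take to JTAC.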

 

 

Re: What are mean Invalidated sessions?


Hi,

 

I've read the KB you gave. But the command show security flow session session-identifier is used when you already know the session ID of the invalid session. In my case the problem is that there are too many sessions. Even when I use the command "show security flow session | match invalid", no output appears. So is there any command that can be used to identify which session IDs are invalid sessions?

 

Thanks

Re: Jflow COnfiguration on SRX1400


Hi Python,

Thanks for your answer. I already used the configuration of that knowledge base article but it doesn't work... Do you know if I can "route" netflow traffic on my fxp0.0 interface?

Regards,

Luis


Re: I am not able to access my protected resources via Dyn VPN from public remote site.


For testing, can you try moving dynamic VPN policy to the top?

 

edit security policies from-zone untrust to-zone trust
insert policy DYN_VPN before policy FNGR-PRNT
commit

Re: What are mean Invalidated sessions?

show security flow session extensive | match "Session ID|Current timeout|Fin state: 2"

 

See if there are any with a timeout greater than 2s. That would indicate a software bug.

 

Regards, Wojtek

Re: Jflow COnfiguration on SRX1400


Just for the record now that I've created a new interface on the SRX1400 I can send Jflow traffic with the configuration that Python sent me to check. It seems netflow is not "routable" through fxp0.0 interface so I changed it to another interface and it works. The problem now is that I'm receiving the following error in nfsen:

 

Dec 20 17:15:25 localhost sfcapd[1853]: SFLOW: unexpected datagram version number#012 (source IP = X.X.X.X) 00-09-00-03-<*>-5A-8D-80-1F-5A-3A-8B-49-00-00-00-07-01#01200-00-00-00-01-00-18-01-00-00-04-00-08-00-01-00#01200-00-23-00-01-00-22-00-04-00-00-01-00-00-0C-02#01200-00-00-64-00-00-00-00-00-00-5C-01-04-00-15-00#01208-00-04-00-0C-00-04-00-05-00-01-00-04-00-01-00#01207-00-02-00-0B-00-02-00-20-00-02-00-0A-00-04-00#01209-00-01-00-0D-00-01-00-10-00-04-00-11-00-04-00#01212-00-04-00-06-00-01-00-0E-00-04-00-0F-00-04-00#01201-00-04-00-02-00-04-00-16-00-04-00-15-00-04-00
Dec 20 17:15:25 localhost sfcapd[1853]: SFLOW: caught exception: 2

Does anyone know why?

I've configured nfsend like this:

%sources = (
    'JuniperSRX'        => { 'port' => '9996', 'IP' => 'X.X.X.X', 'type' => 'sflow', 'col' => '#0000ff' },
    'XR1'               => { 'port' => '9997', 'IP' => 'X.X.X.X', 'type' => 'netflow', 'col' => '#ff0000' },
);

Is it sflow or netflow for Juniper? Does anyone know? Do I have to export it as version 9 or IPFIX?

Thanks in advance guys...

 

Routing-Instance and ISIS Routing


Hi all,

 

SRX1500

 

I have created two new VRs and also, thanks to Kingsman, enabled ISIS on these VRs with the following command:

 

set routing-instance Customer-VR protocols isis interface ae2.0

set interface ae2 unit 0 family iso

set interface lo0 unit 0 family iso address 49.0001.xxxx.xxxx.xxxx.00

set protocols isis level 1 authentication-type md5

set protocols isis level 2 authentication-type md5

set protocols isis level 1 authentication-key xxxxxxxx

set protocols isis level 2 authentication-key xxxxxxxx

 

I have also placed ae2 into the routing-instance

 

But yet, I cannot get any ISIS routes to show in the routing tables....

 

I have configured ISIS on the second SRX that has no new defined routing-instance and it works fine.... with dual-stack

Any help would be greatly appreciated.

Thanks

 

Re: Routing-Instance and ISIS Routing


Hi,

 

Can you paste your full configuration?

 

Did you create a physical loop to create the VR and run ISIS between the VRs?

 

 

Re: Routing-Instance and ISIS Routing


No Physical loop

 

Just placed the interfaces into the VRs.

Here is the full config..

 

Clive@THW-SRX-01# run show configuration | display set
set version 15.1X49-D110.4
set system host-name THW-SRX-01
set system root-authentication encrypted-password "$5$z0x/bUE1$7a0.XL.aD8Tj4HrTCLYWvinpjKFmI79nFjbCJF8HXj4"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system login user Clive uid 2000
set system login user Clive class super-user
set system login user Clive authentication encrypted-password "$5$Qx1BnOI.$haJ9bhIUBcROyvUpibcE4UkYuYSuB8qTIMufMaaA7q9"
set system login user Jim uid 2003
set system login user Jim class super-user
set system login user Jim authentication encrypted-password "$5$2jd10ZcZ$WH.lj5bRlh7P4qV3tEDJnM2hwkAiT3OAADRi3j5Wqb8"
set system login user Lee uid 2002
set system login user Lee class super-user
set system login user Lee authentication encrypted-password "$5$EGzUTmfP$9ySV5xu4jyoPAno2qfRCjjDsAg1r9hreOFSu7luLXE/"
set system login user Oliver uid 2004
set system login user Oliver class super-user
set system login user Oliver authentication encrypted-password "$5$nHRTwAfF$O.7LJxttsI8Rgb8Qd/n0oEszEKk4CsE3GyLpyVcl5y/"
set system login user Stephen uid 2001
set system login user Stephen class super-user
set system login user Stephen authentication encrypted-password "$5$okr6bMjJ$bRThHm0wAqEB6T.QmSlbv.VRx31GvaNPhlC4K.0tHmD"
set system services ssh
set system services xnm-clear-text
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-complaint
set chassis aggregated-devices ethernet device-count 2
set security log mode stream
set security log report
set security forwarding-options family inet6 mode flow-based
set security forwarding-options family iso mode packet-based
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match source-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match destination-address any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest match application any
set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy CliveTest then permit
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match source-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match destination-address any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 match application any
set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy CliveTest1 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone NineGroup-DMZ
set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network host-inbound-traffic protocols all
set security zones security-zone Customer-Network interfaces ae2.0
set interfaces ge-0/0/0 unit 0 family inet dhcp-client update-server
set interfaces ge-0/0/1 unit 0 family inet
set interfaces ge-0/0/2 unit 0 family inet address 195.80.0.37/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family inet6 address 2a05:d840:0030:ffff:ffff:ffff:0000:0001/127
set interfaces ge-0/0/3 unit 0 family inet
set interfaces ge-0/0/4 unit 0 family inet address 192.168.1.2/24
set interfaces ge-0/0/4 unit 0 family iso
set interfaces xe-0/0/16 description Group-ae2
set interfaces xe-0/0/16 gigether-options 802.3ad ae2
set interfaces xe-0/0/17 unit 0 family inet
set interfaces xe-0/0/18 description Group-ae2
set interfaces xe-0/0/18 gigether-options 802.3ad ae2
set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
set interfaces ae2 unit 0 family inet address 195.80.0.18/30
set interfaces ae2 unit 0 family iso
set interfaces ae2 unit 0 family inet6 address 2a05:d840:002b:ffff:ffff:ffff:0000:0002/127
set interfaces fxp0 unit 0 family inet address 185.89.120.8/24
set interfaces lo0 unit 0 family inet address 195.80.0.3/32
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0004.00
set interfaces lo0 unit 0 family inet6 address 2a05:d840:000e:ffff:ffff:ffff:0000:0001/128
set routing-options static route 172.16.16.0/24 next-hop 172.16.16.39
set protocols isis export export_statics
set protocols isis level 1 authentication-key "$9$zyOuFCuREyKWxSrxdwgUDP5QF9AuO1hyl"
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-key "$9$Xqsxb2ZGi.fzjHz6CuEhvWLxVw24aUik"
set protocols isis level 2 authentication-type md5
set protocols isis interface lo0.0
set policy-options policy-statement export_statics term 1 from protocol static
set policy-options policy-statement export_statics term 1 then accept
set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR protocols isis level 1 authentication-key "$9$29gGiPfz6CuQFu1EyW8VwYgZUik.5z3"
set routing-instances Customer-VR protocols isis level 1 authentication-type md5
set routing-instances Customer-VR protocols isis level 2 authentication-key "$9$lOzeLNsYoGjq4aqfQnpuhSre8XNdb2oJ"
set routing-instances Customer-VR protocols isis level 2 authentication-type md5
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0

 

Thank you

Re: Routing-Instance and ISIS Routing

Hi,

Do you see the ISIS adjacency up in the VR? I don't see any ISO address configured in the VR.

Create one loopback unit, assign an ISO address to it and add it to Customer-VR:

set interfaces lo0 unit 10 family iso address 49.xxxx.xxxx.xxxx.xxxx.00

set routing-instances Customer-VR interface lo0.10


Let us know if it still doesn’t work.

Re: Routing-Instance and ISIS Routing


Hi,

 

You can also configure the ISO address in ae2 interface at both end. Below is the sample config:

 

set routing-instances VR2 instance-type virtual-router
set routing-instances VR2 interface ge-0/0/0.0
set routing-instances VR2 protocols isis interface ge-0/0/0.0

set interfaces ge-0/0/0 unit 0 family iso address 49.0001.1950.0080.0004.00

 

set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface ge-0/0/0.0
set routing-instances VR1 protocols isis interface ge-0/0/0.0

set interfaces ge-0/0/0 unit 0 family iso address 49.0001.1950.0080.0005.00

 

show isis adjacency instance VR2
Interface System L State Hold (secs) SNPA
ge-0/0/0.0 R1_re0-VR1 1 Up 8 56:68:a3:17:57:32
ge-0/0/0.0 R1_re0-VR1 2 Up 7 56:68:a3:17:57:32

 


 

 

Re: Routing-Instance and ISIS Routing

Yeah,

Well we can assign it to any interface but loopback is the best practice.
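An added Python check (not from the thread) that lints a "show configuration | display set" dump for the mistake diagnosed above: a routing-instance running ISIS whose own interfaces carry no ISO NET address, so only the global lo0.0 has one. The sample config is a constructed cut-down of the one posted, with the loopback fix applied to Customer-VR only.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form, cut down from the config posted in
# this thread: Customer-VR has the loopback fix applied, NineGroup-VR has not.
SAMPLE_CONFIG = """
set interfaces ge-0/0/2 unit 0 family inet address 195.80.0.37/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ae2 unit 0 family inet address 195.80.0.18/30
set interfaces ae2 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0004.00
set interfaces lo0 unit 10 family iso address 49.0001.1950.0080.0010.00
set protocols isis interface lo0.0
set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface ae2.0
set routing-instances Customer-VR interface lo0.10
set routing-instances Customer-VR protocols isis interface ae2.0
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0
"""

RE_ISO = re.compile(r"^set interfaces (\S+) unit (\d+) family iso(?: address (\S+))?$")
RE_RI_IF = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
RE_RI_ISIS = re.compile(r"^set routing-instances (\S+) protocols isis interface (\S+)$")


def check_isis_vrs(config_text):
    """Return {vr: [finding, ...]} for every routing-instance that runs ISIS."""
    iso_ifls = {}               # ifl -> NET address, or None for bare "family iso"
    ri_ifls = defaultdict(set)  # VR -> interfaces placed in that VR
    ri_isis = defaultdict(set)  # VR -> interfaces under its protocols isis
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := RE_ISO.match(line):
            ifl = f"{m.group(1)}.{m.group(2)}"
            iso_ifls[ifl] = m.group(3) or iso_ifls.get(ifl)
        elif m := RE_RI_IF.match(line):
            ri_ifls[m.group(1)].add(m.group(2))
        elif m := RE_RI_ISIS.match(line):
            ri_isis[m.group(1)].add(m.group(2))
    findings = {}
    for vr, isis_ifls in ri_isis.items():
        problems = []
        for ifl in sorted(isis_ifls):
            if ifl not in ri_ifls[vr]:
                problems.append(f"{ifl} is under protocols isis but not placed in {vr}")
            if ifl not in iso_ifls:
                problems.append(f"{ifl} lacks 'family iso'")
        # the thread's root cause: the NET on global lo0.0 does not serve a VR
        if not any(iso_ifls.get(ifl) for ifl in ri_ifls[vr]):
            problems.append(f"no interface in {vr} carries a family iso address (NET)")
        findings[vr] = problems
    return findings
```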

Re: What are mean Invalidated sessions?


Hello

The invalidated sessions can be seen by logging into the SPU during some special cases. Any reason why this is a concern?
 

> In environments where there is a lot of short lived sessions invalidated sessions is also normal.

> As long as the count of invalidated sessions does not keep increasing it is not a concern

> You can also consider some other options but would be better to check with JTAC before applying any of these:

    set security flow tcp-session
       fin-invalidate-session Immediately end session on receipt of fin (FIN) segment
       rst-invalidate-session Immediately end session on receipt of reset (RST) segment
       time-wait-state Session timeout value in time-wait state, default 150 seconds


Regards,


Vikas

Re: Routing-Instance and ISIS Routing


Hi,

 

Thank you guys for the responses.... awesome..... I have not yet had a chance to configure this, but will be completing it this morning. Another quick question regarding this configuration.....

 

If I create a new loopback sub-interface, i.e. lo0.10, would I also assign the IPv4 and IPv6 addresses to this loopback sub-interface rather than to the main lo0?

So I should end up with

 

set interfaces lo0 unit 10 family inet address 192.168.1.10/32

set interfaces lo0 unit 10 family inet6 address 4a06:334a:0049:ffff:ffff:ffff:0000:0001/128

set interfaces lo0 unit 10 family iso address 49.0001.xxxx.xxxx.xxxx.00

 

and then assign that subint to the VR with:

 

set routing-instance Customer-VR interface lo0.10

 

Thanks in advance
