Channel: All SRX Services Gateway posts

Two Residential circuits SRX failover solution? Possible?


I currently have 2 different ISPs' residential circuits and one SRX 240, which I use when I work from home.

My goal is to utilize the 2 different carrier circuits for continuous connectivity and/or separate traffic, if possible.

Since they are residential circuits, the SRX receives a DHCP address, which it can hold forever as long as the device is on, which it is (with a UPS).

 

1. Can I have a failover solution for two ISPs on the same SRX device? (Let's say ISP A on ge0/0 and ISP B on ge0/1.)

 

2. Furthermore, can I route heavy traffic like streaming, music, games, etc. through one circuit and light traffic like VoIP, email and web through the other? (Let's say zones: Phone, Web, DMZ, LAN, Email.)

 

Any suggestions are greatly appreciated.

Thanks.

 



Re: Two Residential circuits SRX failover solution? Possible?


Hi Clubber, 

 

It is possible to have two ISPs terminating on two individual interfaces on the SRX by configuring filter-based forwarding (FBF) and have them route different types of traffic. They can also act as primary and backup ISPs, hence providing redundancy.

 

Please refer to this KB article, which explains this with an example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

 

Let me know if you have any queries.

Re: SRX210H CPU exceedes, limitation of PPPoE tunnel bandwith


Hi serdar, 

 

The messages you see are related to the data-plane CPU utilization. This is always related to the traffic pattern hitting the device at that point. It could be that the rate of traffic hitting the SRX is reaching the device's limit in terms of packets per second (pps) and bytes per second (bps).

 

Do you know what the pps and bps values of the traffic hitting the SRX are when you begin the speed test?

 

When you run the speed test, capture the data below at least 3-5 times from the CLI of the SRX and attach the outputs here:

 

set cli timestamp
show security monitoring performance spu
show security monitoring performance session
show interfaces extensive | no-more

 

In real time you can run the command "monitor interface traffic" to see the pps / bps hitting each interface.

 

Re: Fail-over to an alternate router


Hi badgerdata,

 

I understand your current setup and requirement is:

default route to the internet is via ge-0/0/0, part of the Internet security zone

LAN-facing interface is ge-0/0/1, part of the Internal security zone

 

During failure of the primary route, the default route points to 192.18.0.2, which is reachable via ge-0/0/1.

 

In that case you would need a security policy from-zone Internal to-zone Internal that allows the corresponding subnets and applications to pass through, as traffic from the LAN ingresses the SRX on ge-0/0/1, does a route lookup, and needs to egress again via ge-0/0/1.

 

Try adding a security policy as mentioned above to see if it works fine.
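The intra-zone policy described in the reply above, written out as an added example (it is not part of the reply). The zone names, interfaces and the 192.18.0.2 backup router are the ones stated in the thread; the LAN subnet 192.168.1.0/24, the primary gateway 203.0.113.1 and the address-book/policy names are assumptions for illustration.

```junos
## Added example, not from the thread. Assumed: LAN 192.168.1.0/24 behind ge-0/0/1 (zone Internal),
## primary gateway 203.0.113.1 via ge-0/0/0 (zone Internet), backup router 192.18.0.2 on the LAN side.

## Address-book objects in the Internal zone
set security zones security-zone Internal address-book address LAN-NET 192.168.1.0/24
set security zones security-zone Internal address-book address BACKUP-ROUTER 192.18.0.2/32

## Primary default route (static preference 5); the qualified next-hop is only used
## once the primary next-hop becomes unreachable, i.e. when ge-0/0/0 goes down
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.18.0.2 preference 10

## Hairpin policy: traffic enters on ge-0/0/1 and, after the route lookup, leaves on ge-0/0/1 again,
## so both the from-zone and the to-zone are Internal
set security policies from-zone Internal to-zone Internal policy LAN-VIA-BACKUP match source-address LAN-NET
set security policies from-zone Internal to-zone Internal policy LAN-VIA-BACKUP match destination-address any
set security policies from-zone Internal to-zone Internal policy LAN-VIA-BACKUP match application any
set security policies from-zone Internal to-zone Internal policy LAN-VIA-BACKUP then permit
set security policies from-zone Internal to-zone Internal policy LAN-VIA-BACKUP then log session-init

## Checks after pulling ge-0/0/0: the active route must show 192.18.0.2 and new sessions
## must list ge-0/0/1.0 as both the In and the Out interface
## show route 0.0.0.0/0
## show security flow session source-prefix 192.168.1.0/24
## show security policies hit-count from-zone Internal to-zone Internal
```

Two caveats worth knowing before relying on this: the SRX applies no source NAT to the hairpinned sessions unless a from-zone Internal to-zone Internal NAT rule exists, so the backup router has to NAT the LAN addresses itself; and a qualified next-hop only takes over when ge-0/0/0 itself goes down, not when the link stays up but the upstream is dead (that case needs RPM with IP monitoring).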

Re: Using vlan interface for source nat?


I could only get it to source NAT when using family inet / a physical interface in my nat1 zone instead of l3-interface / vlan. When I tried putting it together like the above, I couldn't get it to work, but I will reload the config and see if vlan.30 is up/up. Thank you!


Re: SRX210H CPU exceedes, limitation of PPPoE tunnel bandwith


Hi Folks,

 

My 2 cents on this…

 

We need to identify the top talkers and suggest that the customer put in a firewall filter to discard this traffic, to see if that helps to improve CPU/PPS.
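An added illustration of the filter suggested above; it is not from the post. It counts and discards one top-talker source on the PPPoE interface and keeps a counter, so the discarded volume can be compared with the CPU figures from the monitoring commands earlier in the thread. The interface name pp0.0 and the source address 198.51.100.7 are assumptions.

```junos
## Added example, not from the thread. Assumed: the ISP PPPoE session is pp0.0 and
## 198.51.100.7 was identified as the top talker from the session table.

## Step 1: find the top talker. The session table shows per-session packet/byte counts;
## sort the heaviest sources by eye or with "| match" for candidate addresses.
## show security flow session
## show security flow session summary

## Step 2: drop that source before it reaches flow processing, but count it
set firewall family inet filter TOP-TALKER-DROP term drop-top-talker from source-address 198.51.100.7/32
set firewall family inet filter TOP-TALKER-DROP term drop-top-talker then count top-talker-pkts
set firewall family inet filter TOP-TALKER-DROP term drop-top-talker then discard

## A stateless filter ends with an implicit discard, so the catch-all accept term is mandatory
set firewall family inet filter TOP-TALKER-DROP term allow-rest then count other-pkts
set firewall family inet filter TOP-TALKER-DROP term allow-rest then accept

## Apply it inbound on the PPPoE interface
set interfaces pp0 unit 0 family inet filter input TOP-TALKER-DROP

## Step 3: compare the two counters with the SPU utilisation while the speed test runs
## show firewall filter TOP-TALKER-DROP
## show security monitoring performance spu
```

Without the `allow-rest` term every other packet on pp0.0 would be silently discarded, so verify the counters immediately after the commit. Discarding in the filter is cheaper than session setup, but the packets still have to be received and classified, so a very high inbound pps can keep the data-plane CPU busy even with the filter in place.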

 



Re: Two Residential circuits SRX failover solution? Possible?


It would be nice to have a physical diagram attached to the article KB17223 so one can see how things are connected.

In addition, one must remember that these are DHCP interfaces. If one interface fails, in order to reset the connection one must break the lease with the ISP.

 

Does the solution require the use of another device like a switch? What's happening here:

fe-0/0/2 {
    unit 0 {
        description ISP1;
        family inet {
            address 10.1.1.1/24;
        }
    }
}
fe-0/0/3 {
    unit 0 {
        description ISP2;
        family inet {
            address 10.2.2.1/24;
        }
    }
}

 

I am not sure I understand the redundancy aspect in this article, since some traffic is routed on one ISP and the rest on the other. If one ISP goes down, what happens to its traffic?

 

 

Re: Two Residential circuits SRX failover solution? Possible?


With regards to 'In addition, one must remember that these are DHCP interfaces. If one interface fails, in order to reset the connection one must break the lease with the ISP.', this can be accomplished using RPM and FBF as in KB22052.

 

https://kb.juniper.net/KB22052 - [SRX] IP monitoring with FBF (filter-based forwarding in a dual ISP scenario)
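The RPM plus IP-monitoring mechanism the reply points to, as an added worked example (this is not the KB's own listing). It assumes ISP1 on ge-0/0/0 with gateway 10.1.1.2 and local address 10.1.1.1, ISP2 on ge-0/0/1 with gateway 10.2.2.2, and 8.8.8.8 as the probe target; the probe and policy names are made up. The point it shows that static routing alone does not: an upstream outage with the link still up is detected by the probe, and a better default route is installed automatically, so no lease needs to be broken.

```junos
## Added example, not from the KB. Assumed: ISP1 = ge-0/0/0 (10.1.1.1, gw 10.1.1.2),
## ISP2 = ge-0/0/1 (gw 10.2.2.2), probe target 8.8.8.8.

## Normal default route via ISP1 (static, preference 5)
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.2

## RPM probe: ICMP ping to the target, 3 probes every 2 s, a new test every 5 s,
## probe declared failed after 3 consecutive losses
set services rpm probe ISP1-PROBE test ISP1-TEST probe-type icmp-ping
set services rpm probe ISP1-PROBE test ISP1-TEST target address 8.8.8.8
set services rpm probe ISP1-PROBE test ISP1-TEST probe-count 3
set services rpm probe ISP1-PROBE test ISP1-TEST probe-interval 2
set services rpm probe ISP1-PROBE test ISP1-TEST test-interval 5
set services rpm probe ISP1-PROBE test ISP1-TEST thresholds successive-loss 3

## Pin the probe to ISP1: fixed next-hop and source address, so that after failover the probe
## does not itself follow the new default route via ISP2 and report ISP1 as healthy again
set services rpm probe ISP1-PROBE test ISP1-TEST next-hop 10.1.1.2
set services rpm probe ISP1-PROBE test ISP1-TEST source-address 10.1.1.1

## IP monitoring: while the probe is failed, install 0/0 via ISP2 with a better preference
## than the static route; it is withdrawn again when the probe recovers
set services ip-monitoring policy ISP1-FAILOVER match rpm-probe ISP1-PROBE
set services ip-monitoring policy ISP1-FAILOVER then preferred-route route 0.0.0.0/0 next-hop 10.2.2.2

## Checks: probe state, monitoring state and which next-hop the active default route uses
## show services rpm probe-results
## show services ip-monitoring status
## show route 0.0.0.0/0
```

With FBF in place the preferred route can be installed into a specific forwarding instance instead of inet.0 (`then preferred-route routing-instances <name> route 0.0.0.0/0 next-hop ...`), one policy per ISP, which is the shape KB22052 describes. Pick a probe target that is only ever reachable through ISP1 in normal operation, otherwise a reachable target via ISP2 will mask an ISP1 outage.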

Re: I am not able to access my protected resources via Dyn VPN from public remote site.


Proxy ARP is required only when your remote protected resources and the address assignment pool are on the same subnet. As per the initial configuration you shared, the protected resources and the pool given below are in different subnets. In this scenario we don't need proxy ARP.

 

remote-protected-resources 10.2.72.0/28;

 address-pool 10.10.10.0/24;

 

One of your latest updates shows the remote protected resources as '10.0.0.0/8'. Did you make this change as part of troubleshooting, or is this the correct value?

If so, can you share the address pool corresponding to this?

If that is also in the 10/8 subnet, we need proxy ARP, and we can do proxy ARP for the whole subnet (pool) or use a different subnet for address assignment.
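The proxy-ARP case described above, as an added example that is not part of the reply. It keeps the 10.2.72.0/28 protected resource from the thread and assumes the LAN interface is ge-0/0/1.0 with address 10.2.72.1/24, with the Dynamic VPN pool carved out of that same /24 (10.2.72.200 to 10.2.72.250); pool, profile and DNS addresses are assumptions.

```junos
## Added example, not from the thread. Assumed: LAN ge-0/0/1.0 = 10.2.72.1/24,
## pool 10.2.72.200-10.2.72.250 inside that LAN subnet, protected resource 10.2.72.0/28.

## Address pool handed to Dynamic VPN clients; it overlaps the LAN subnet on purpose here
set access address-assignment pool DYNVPN-POOL family inet network 10.2.72.0/24
set access address-assignment pool DYNVPN-POOL family inet range DYNVPN-RANGE low 10.2.72.200
set access address-assignment pool DYNVPN-POOL family inet range DYNVPN-RANGE high 10.2.72.250
set access address-assignment pool DYNVPN-POOL family inet xauth-attributes primary-dns 10.2.72.5/32
set access profile DYNVPN-PROFILE address-assignment pool DYNVPN-POOL

## Resources pushed to the client as routes through the tunnel
set security dynamic-vpn clients all remote-protected-resources 10.2.72.0/28

## Because the pool shares the LAN subnet, LAN hosts ARP for the client addresses directly.
## Proxy ARP makes the SRX answer for exactly the pool range on the LAN interface, so the
## return traffic reaches the SRX and is sent back through the tunnel.
set security nat proxy-arp interface ge-0/0/1.0 address 10.2.72.200/32 to 10.2.72.250/32

## Checks: the client must get a pool address, and a LAN host's ARP table must show the
## SRX's LAN MAC for that address
## show security dynamic-vpn users
## show security ike security-associations
```

The alternative the reply mentions is cheaper operationally: put the pool in a subnet that is not used on the LAN (for example a dedicated /24 that the LAN hosts reach through the SRX as their gateway). Then the SRX routes the return traffic normally, no proxy-ARP entry has to be kept in step with the pool range, and nothing on the LAN can collide with a VPN client address.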

Re: Two Residential circuits SRX failover solution? Possible?


Hi Clubber, 

 

Thanks for your reply. We will integrate a diagram into the KB article to make things clear. I have attached a representational image here.

 

"Does the solution requires the use of another device like switch? What's happening here: "

 

fe-0/0/2 is connected to ISP1's router, an L3 device, and fe-0/0/3 is connected to ISP2's router, which is another physical device. There is no switch required in the upstream direction unless the SRX is an HA cluster.

 

"I am not sure I understand the redundancy aspect in this article since some traffic is routed on one ISP and the rest on the other. If one ISP goes doesn what happens to its traffic?"

 

The redundancy aspect is also covered in this configuration by the rib groups. Rib groups help to share routes between the routing instances.

 

In this example, in the routing instance routing-table-ISP1, the default route points to next-hop 10.1.1.2 (ISP1's gateway IP), which is the most preferred route, and the next preferred route is via 10.2.2.2 (ISP2's gateway IP). So when the interface fe-0/0/2 goes down, the default route will point to 10.2.2.2. Similarly, in routing-table-ISP2 the routing preference is configured for the ISP1 route to take over when fe-0/0/3 goes down.
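The scheme explained above (two forwarding instances, rib groups, and a primary plus backup default route in each), written out as an added worked example; it follows the structure of KB17223 but is not the KB's listing. The ISP interfaces and gateways are those quoted earlier in the thread (fe-0/0/2 10.1.1.1/24 to gateway 10.1.1.2, fe-0/0/3 10.2.2.1/24 to gateway 10.2.2.2); the LAN interface fe-0/0/1 with 192.168.1.0/24, the zone names trust/untrust, the filter and instance names, and the choice of TCP port 8080 as "heavy" traffic are assumptions. It also makes the rib-group purpose concrete: a forwarding instance starts with an empty table, so without the imported interface routes the next-hop 10.1.1.2 could never be resolved and the default route would stay hidden.

```junos
## Added example, not the KB listing. Assumed: LAN fe-0/0/1.0 = 192.168.1.1/24 (zone trust),
## ISP1 fe-0/0/2.0 = 10.1.1.1/24 (gw 10.1.1.2), ISP2 fe-0/0/3.0 = 10.2.2.1/24 (gw 10.2.2.2), both untrust.

set interfaces fe-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces fe-0/0/2 unit 0 description ISP1
set interfaces fe-0/0/2 unit 0 family inet address 10.1.1.1/24
set interfaces fe-0/0/3 unit 0 description ISP2
set interfaces fe-0/0/3 unit 0 family inet address 10.2.2.1/24
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone untrust interfaces fe-0/0/2.0
set security zones security-zone untrust interfaces fe-0/0/3.0

## 1. Rib group: copy the direct and local routes of all interfaces from inet.0 into both
##    FBF instances, so each instance can resolve the ISP gateways and reach the LAN
set routing-options rib-groups IMPORT-PHY import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ]
set routing-options interface-routes rib-group inet IMPORT-PHY

## 2. One forwarding instance per ISP. Each carries its own gateway as the preferred
##    next-hop and the other ISP's gateway as a less preferred (preference 10) fallback,
##    which becomes active when the primary interface goes down.
set routing-instances routing-table-ISP1 instance-type forwarding
set routing-instances routing-table-ISP1 routing-options static route 0.0.0.0/0 next-hop 10.1.1.2
set routing-instances routing-table-ISP1 routing-options static route 0.0.0.0/0 qualified-next-hop 10.2.2.2 preference 10
set routing-instances routing-table-ISP2 instance-type forwarding
set routing-instances routing-table-ISP2 routing-options static route 0.0.0.0/0 next-hop 10.2.2.2
set routing-instances routing-table-ISP2 routing-options static route 0.0.0.0/0 qualified-next-hop 10.1.1.2 preference 10

## 3. Classify LAN traffic: port 8080 (the "heavy" class in this example) via ISP2, the rest via ISP1.
##    Local traffic to the LAN itself is matched first so it is never forced into an ISP table.
set firewall family inet filter FBF-SPLIT term local from destination-address 192.168.1.0/24
set firewall family inet filter FBF-SPLIT term local then accept
set firewall family inet filter FBF-SPLIT term heavy from protocol tcp
set firewall family inet filter FBF-SPLIT term heavy from destination-port 8080
set firewall family inet filter FBF-SPLIT term heavy then routing-instance routing-table-ISP2
set firewall family inet filter FBF-SPLIT term light then routing-instance routing-table-ISP1
set interfaces fe-0/0/1 unit 0 family inet filter input FBF-SPLIT

## 4. Interface source NAT, or replies from the Internet never find their way back
set security nat source rule-set LAN-OUT from zone trust
set security nat source rule-set LAN-OUT to zone untrust
set security nat source rule-set LAN-OUT rule NAT-ALL match source-address 192.168.1.0/24
set security nat source rule-set LAN-OUT rule NAT-ALL then source-nat interface

## Checks: each instance must list 0.0.0.0/0 with its own gateway active and the other as backup
## show route table routing-table-ISP1.inet.0
## show route table routing-table-ISP2.inet.0
## show security flow session destination-port 8080
```

This answers the "what happens to the 8080 traffic if its circuit goes down" question directly: the qualified next-hop in routing-table-ISP2 sends it to 10.1.1.2 as soon as fe-0/0/3 loses link, and interface NAT rewrites it to ISP1's address. Note the limitation, which KB22052 addresses: an ISP that is dead but whose access device keeps the link up does not trigger this; that needs RPM with IP monitoring installing the preferred route into the instance.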

 

 

Re: Active sessions timeout @ 14,400 seconds (4 hours)


What are the Phase 1 and Phase 2 lifetimes configured?

Re: Two Residential circuits SRX failover solution? Possible?


Thank you. The diagram helps a lot.

Just to clarify, how does failover work if one circuit goes down, since that same circuit only handles part of the traffic, i.e. 8080 etc.?

 

Please explain Rib groups and their purpose.


Need help understanding setup of EWF on SRX


Hello,

 

I am new here and new to the sophisticated router, our SRX320.

This may not be the correct forum to ask this, but I have limited knowledge of installing and configuring the UTM package that I purchased. Also, it was brought to my attention that the support is only break and fix, therefore Juniper does not help with setting up the device. I was told that Dell would assist you through the setup process, but I was told that Juniper was a better product and had better support.

Any help would be greatly appreciated,

Thank You

CharlieC

Re: Need help understanding setup of EWF on SRX


Welcome to the SRX with UTM features. Sorry you seem to be getting the runaround from your vendor and support. I have moved this to the correct forum category.

 

This general overview may help with understanding all the features in your license for UTM.

 

https://www.juniper.net/assets/uk/en/local/pdf/books/day-one-poster-utm.pdf

 

For the enhanced web filtering, these would be the basic setup instructions.

 

https://www.juniper.net/documentation/en_US/junos/topics/example/security-utm-enhanced-web-filtering-configuring.html

 

But you also need to be aware that many websites these days use SSL instead of plain HTTP. This means the URL is encrypted and cannot be read without decryption. So you will likely also want to set up an SSL forward proxy on the SRX in order to control access to SSL sites.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB31122

 

As you are new to the SRX you may want to sign up for the free version of Junos Genius and check the tutorials available here.

 

https://cloud.contentraven.com/junosgenius/login
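The two pieces the reply above describes, Enhanced Web Filtering and an SSL forward proxy in front of it, as an added example that is not from the reply or the linked documents. It assumes zones trust/untrust, an installed EWF licence, that `ssl-proxy-ca` is a self-signed CA certificate generated on the SRX (the `request` commands are shown in comments), and the profile and policy names given; the two category names are the standard Enhanced_ category labels, but check the exact spelling on your release with `show security utm web-filtering category`.

```junos
## Added example, not from the post. Assumed: zones trust/untrust, EWF licence present,
## self-signed CA "ssl-proxy-ca" already generated with:
##   request security pki generate-key-pair certificate-id ssl-proxy-ca size 2048 type rsa
##   request security pki local-certificate generate-self-signed certificate-id ssl-proxy-ca subject "CN=SRX SSL Proxy CA" domain-name srx.example add-ca-constraint
## and its certificate imported into the clients' trusted root store.

## Enhanced Web Filtering profile: block two categories, allow everything else,
## and block (rather than permit) when the cloud categorisation service is unreachable
set security utm feature-profile web-filtering juniper-enhanced profile EWF-BLOCK category Enhanced_Adult_Content action block
set security utm feature-profile web-filtering juniper-enhanced profile EWF-BLOCK category Enhanced_Malicious_Web_Sites action block
set security utm feature-profile web-filtering juniper-enhanced profile EWF-BLOCK default permit
set security utm feature-profile web-filtering juniper-enhanced profile EWF-BLOCK fallback-settings default block
set security utm utm-policy UTM-WEB web-filtering http-profile EWF-BLOCK

## SSL forward proxy profile signed by the SRX's own CA
set services ssl proxy profile SSL-FP root-ca ssl-proxy-ca

## One outbound web policy with both services: the proxy decrypts, then EWF sees the full URL
set security policies from-zone trust to-zone untrust policy WEB-OUT match source-address any
set security policies from-zone trust to-zone untrust policy WEB-OUT match destination-address any
set security policies from-zone trust to-zone untrust policy WEB-OUT match application [ junos-http junos-https ]
set security policies from-zone trust to-zone untrust policy WEB-OUT then permit application-services ssl-proxy profile-name SSL-FP
set security policies from-zone trust to-zone untrust policy WEB-OUT then permit application-services utm-policy UTM-WEB

## Checks
## show security utm web-filtering statistics
## show services ssl proxy statistics
```

Two practical points: until the SRX CA certificate is trusted by every client, browsers will show certificate errors on every HTTPS site, so distribute that certificate before enabling the policy; and `fallback-settings default block` is the fail-closed choice, which is what you want for a filtering control but will cut web access if the SRX loses its path to the categorisation service.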

 

Server Radius and Srx1400 problem with Pass-Through Authentication


Hi all, I am going mad: I cannot authenticate a user on the RADIUS server with pass-through authentication on my SRX1400 cluster.

Below are the configuration and some outputs.

 

Thanks in advance... if someone can help me!

 

me@JUNRM01> show configuration access  
profile PROFILO-RADIUS {
    authentication-order radius;
    radius-server {
        192.168.16.108 {
            secret "xxxxxxxxxxxxxx"; ## SECRET-DATA
            source-address 192.168.2.112;
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile PROFILO-RADIUS;
        http {
            banner {
                login "PREGO INSERIRE CREDENZIALI DI ACCESSO";
                success "LOGIN ESEGUITA";
                fail "NOME UTENTE O PASSWORD ERRATI";
-------------------------------------------------------------------

POLICY to be matched

match {
    source-address PC_MAT_MMARASSI_10.198.1.20;
    destination-address any;
    application [ junos-http junos-http-ext junos-https ];
    source-identity any;
}
then {
    permit {
        firewall-authentication {
            pass-through {
                access-profile PROFILO-RADIUS;
            }
        }
    }
    count;
}

sh log radius

Dec 29 14:43:39.914243 ###################################################################
Dec 29 14:43:39.914279 ########################### AUTH REQ RCVD #########################
Dec 29 14:43:39.914314 ###################################################################
Dec 29 14:43:39.914392 Auth-FSM: Process Auth-Request for session-id:9261371437884501280
Dec 29 14:43:39.914446 Framework: Starting authentication
Dec 29 14:43:39.914489 authd_advance_module_for_aaa_request_msg: result:0
Dec 29 14:43:39.914544 Authd module start
Dec 29 14:43:39.914582 authd_radius_start_auth: Starting RADIUS authentication
Dec 29 14:43:39.914696 authd_radius_build_basic_auth_request: got params  profile=PROFILO-RADIUS, username=mberardi
Dec 29 14:43:39.914743 radius-access-request: User-Name added: mberardi
Dec 29 14:43:39.914780 radius-access-request: User-Password added: ""
Dec 29 14:43:39.914852 Verify source address c0a80270 (192.168.2.112) in routing instance index=0
Dec 29 14:43:39.915223 REQUEST: AUTHEN - module_index 0 module(radius) return: ASYNC
Dec 29 14:43:39.915293 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
Dec 29 14:43:39.915346 UserAccess:mberardi session-id:9261371437884501280 state:start
Dec 29 14:43:39.992978 Radius result is CLIENT_REQ_STATUS_SUCCESS
Dec 29 14:43:39.993089 Framework - module(radius) return: FAILURE
Dec 29 14:43:39.993128 authd_advance_module_for_aaa_response_msg: result:3
Dec 29 14:43:39.993174  authd_auth_update_local_server_address :Searching access profile PROFILO-RADIUS for local DNS Server
Dec 29 14:43:39.993236 Auth-FSM: reinterpretFsmEvent 4 to 5
Dec 29 14:43:39.993284 AuthFsm::current state=AuthStart(1) event=5 astEntry=0x208806c aaa msg=0x1f1106c
Dec 29 14:43:39.993324 Auth-FSM: Post the Auth-Response and clean up. session-id:9261371437884501280
Dec 29 14:43:39.993372 UserAccess:mberardi session-id:9261371437884501280 access-denied
Dec 29 14:43:39.993429 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
Dec 29 14:43:39.993479 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 60
Dec 29 14:43:39.993574 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 62
Dec 29 14:43:39.993623 Framework: auth result is 2. Performing post-auth operations
Dec 29 14:43:39.993661 Framework: result is 2.
Dec 29 14:43:39.993703 authd_auth_send_answer: conn=2d3e000, reply-code=2 (FAIL), result-subopcode=2 (SESSION_ACTIVATE), sub-id=9261371437884501280, cookie=44, rply_len=3972, num_tlv_blocks=0
Dec 29 14:43:39.993790 Delete session:9261371437884501280
Dec 29 14:43:39.993842 Subscriber session-id:9261371437884501280 not found
Dec 29 14:43:39.993886 ../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:2480 Could not find the requested authd attribute 10124
Dec 29 14:43:39.993934 UserAccess:mberardi session-id:9261371437884501280 state:log-out
Dec 29 14:43:39.994029 Removing client snapshot
Dec 29 14:43:39.994197 authd_auth_aaa_msg_destroy
Dec 29 14:43:39.994253 authd_auth_aaa_msg_destructauth_aaa_msg: 0x1f1106c
Dec 29 14:43:39.994294 authd_write_conn: response is 0x2d3e05c, total len is 3972 and sent is 0
Dec 29 14:43:39.994370 authd_write_conn: response is 0x2d3e05c, wrote 3972 bytes
Dec 29 14:43:40.098675 serviceRadiusRequestQueues Serviced 1 RADIUS requests
Dec 29 14:43:40.098792 serviceRadiusRequestQueues Queue PROFILO-RADIUS has 0 requests, peak is 0

 

 show network-access aaa radius-servers

 

Profile: PROFILO-RADIUS
    Server address: 192.168.16.108
      Authentication port: 1812
      Accounting port: 1813
      Status: UP


 

How to limit download and upload speeds on Juniper SRX100


Hello everyone,

 

How can I limit the download and upload speed on a Juniper SRX100? I am trying to limit the download speed for all connected devices to about 20-25 Mbps and the upload speed to about 3-4 Mbps. I read that some people do it with firewall filters and whatnot, but I am not sure how I can do it myself. Please help, thank you!
