Channel: All SRX Services Gateway posts

Re: NAT on multiple network interfaces on server removes internet!


"But policy uses address objects so you will need to create address objects for each ip address.  You can then use these directly in your policy or put them into an address set and create one policy with that address set instead.

 

  destination-address 10.5.1.7/32;

https://www.juniper.net/documentation/en_US/junos/topics/example/zone-address-book-configuring-cli.h...

 "

Yes, the interface ge-0/0/0 is /27 so it includes the IPs for the proxy ARPs (by the way, I have ge-0/0/0 and not ge-0/0/0.0; is that OK, or do I need the 0.0 instead of just 0 at the end?)

 

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 145.10.5.100/27;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }

Yes. From the above, I do not see how to set destination-address for my current configuration.

Do you mind providing an example from the code I posted that shows how and where the destination-address part should look? I use the CLI editor, so that way I can just edit and make changes for all the static NATs I have using the example template you provide.

I just want to map the addresses and open all ports; I will use a firewall on the OS to block ports.

 

Thanks a lot.

Will really appreciate it


Re: DHCP option 121. how to specify /16 mask?


Hi,

I know this thread is half a year old, but as no answer was written I'll post it for future reference and for all those who come here from the Internet.

So, quickly said:

  • we use HEX format for addresses and subnet masks
  • Order is subnet mask - address - next hop
  • If you want to send several routes, use array

Examples:

Send route 10.12.0.0/16 through 10.125.125.1

  • subnet mask 16 - 0x10
  • address 10.12.0.0  - 0x0A0C (consider only most significant bits)
  • next hop 10.125.125.1 - 0x0A7D7D01

When put together we get 100A0C0A7D7D01 (remember about order, mask-address-next hop).

For Juniper config we should write

set access address-assignment pool TEST family inet dhcp-attributes option 121 hex-string 100A0C0A7D7D01

 

Something more complicated

send route 100.200.150.0/26 through 10.125.125.1

  • subnet mask 26 - 0x1A
  • address 100.200.150.0 - 0x64C89600
  • next hop - 0x0A7D7D01

When put together we get 1A64C896000A7D7D01

 

If you want to send several routes, use an array of hexes instead of hex-string, as in the example below where I put together the two routes above:

set access address-assignment pool TEST family inet dhcp-attributes option 121 array hex-string [ 100A0C0A7D7D01 1A64C896000A7D7D01 ]

 

I've tested it on SRX 320 with Junos 15.1X49-D50.3 and Windows 7 and it works without problems.
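The encoding described in the post above, as an added Python example that is not part of the original post: it builds the mask-address-next hop hex strings, renders the `set` line in the form the post uses, and decodes a configured value back into routes so you can audit what a pool pushes to clients. The function names are illustrative, and the decoder also accepts several descriptors concatenated in one string (an assumption beyond the post, which uses one hex string per route).

```python
import ipaddress

def encode_route(destination, next_hop):
    """One descriptor: prefix length, significant address octets, next hop."""
    net = ipaddress.IPv4Network(destination, strict=True)  # rejects host bits
    significant = (net.prefixlen + 7) // 8  # /16 -> 2 octets, /26 -> 4 octets
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(next_hop).packed)

def encode_option_121(routes):
    """Return one upper-case hex string per (destination, next_hop) pair."""
    return [encode_route(dst, gw).hex().upper() for dst, gw in routes]

def junos_set_command(pool, routes):
    """Render the set command in the form shown in the post."""
    items = encode_option_121(routes)
    base = (f"set access address-assignment pool {pool} "
            "family inet dhcp-attributes option 121 ")
    if len(items) == 1:
        return base + "hex-string " + items[0]
    return base + "array hex-string [ " + " ".join(items) + " ]"

def decode_option_121(hex_string):
    """Decode a hex string back into (destination, next_hop) pairs."""
    data = bytes.fromhex(hex_string)
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        significant = (prefixlen + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError("truncated route descriptor")
        dest = data[i + 1:i + 1 + significant].ljust(4, b"\x00")
        net = ipaddress.IPv4Network((dest, prefixlen), strict=True)
        gw = ipaddress.IPv4Address(data[i + 1 + significant:end])
        routes.append((str(net), str(gw)))
        i = end
    return routes

if __name__ == "__main__":
    # The two routes from the post.
    sample = [("10.12.0.0/16", "10.125.125.1"),
              ("100.200.150.0/26", "10.125.125.1")]
    print(junos_set_command("TEST", sample))
    print(decode_option_121("100A0C0A7D7D01"))
```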

Re: NAT on multiple network interfaces on server removes internet!


I work via the cli with set commands and don't easily have a way to accurately reproduce that format.

 

Re: SRX320 VDSL/ADSL Module Configuration


I apologize. My config sample was from an SRX220 using this mini PIM

https://www.juniper.net/us/en/local/pdf/datasheets/1000311-en.pdf

 

After looking more closely the DSL process and card are different on the SRX300 series using this card.

https://www.juniper.net/documentation/en_US/release-independent/junos/topics/concept/mpim-vdsl2-srx300-series-srx550-m-overview.html

 

And I see in the documentation that at interfaces are no longer supported.  

 

Looking again at your ScreenOS working example this is PAP with PPOA or PPOE.  For the SRX300 these are on the same page here.

 

PPPOA example

https://www.juniper.net/documentation/en_US/junos/topics/example/adsl-pim-security-interface-configuring.html#jd0e170

 

PPPOE example

https://www.juniper.net/documentation/en_US/junos/topics/example/adsl-pim-security-interface-configuring.html#jd0e1251

 

 

OS upgrade on low memory SRX


Hi,

 

Pune srx.JPG

JUNOS Software Release [12.1X44-D35.5]

 

Can I go for the latest Junos OS upgrade on this device? Is there any impact?

 

Thank you...

 

Re: OS upgrade on low memory SRX

Re: SRX3600 Major alarm


Thank You Karand for your response. The issue was hardware related and was resolved by replacing the fan tray of the device.


Filter-Based Forwarding on the Source Address and Per-Packet Load Balancing


Dear ALL,

I would like to know whether Filter-Based Forwarding on the Source Address and Per-Packet Load Balancing can run on the same SRX 340?

I have 2 WAN links and 3 local networks. I would like to use filter-based forwarding on the source address to forward one network to ISP1 permanently, and the other networks must use per-packet load balancing.

So can I run these two methods on the same SRX 340? Is there any disadvantage? How can I configure it?

 

Which SRX to replace SSG5?


I work for a small ISP. We have a customer that hosts their web and database infrastructure with us, we also operate their firewall. Currently they use a Juniper SSG5. They are in need of more site to site VPNs and have asked us for recommendations for a new firewall. I am not familiar with the SRX product line and have to say it is a bit daunting. Looking at the specs the SRX100 looks adequate for this application. Is this correct or do I need to look at a different box?

TIA

Re: SRX 100/650 Non-Standard behavior for PIM SPARSE MODE


Thanks for your response

 

for me it seems that the srx does not consider NAT in the PIM part

the source is (30.30.30.30,2351.1.1) the register stop is for (10.10.10.10,253.1.1.1), therefore the continuous sending of register messages

 

Sorry capture is showing REGISTER STOP tunneled message  but inside that message we see REGISTER STOP for ( 100.100.100.100, 235.1.1.1)

 

 

 

 

same problem with the SPT from RPT to source where the join is for the 10.x SA, whereas the SRX considers the source to be 30.x

 

We see PIM Join ( 100.100.100.100, 235.1.1.1) from  as shown below .

 

root>  monitor traffic interface vlan.301 no-timestamp no-resolve matching pim detail

 

In IP (tos 0xc0, ttl   1, id 144, offset 0, flags [none], proto: PIM (103), length: 54) 10.10.10.30 > 224.0.0.13: PIMv2, length 34

        Join / Prune, cksum 0x0c15 (correct), upstream-neighbor: 10.10.10.1

          1 group(s), holdtime: 3m30s

            group #1: 235.1.1.1, joined sources: 1, pruned sources: 0

              joined source #1: 100.100.100.100(S)

Re: Which SRX to replace SSG5?

Re: SRX - Juniper still joking ?


Yes, I can not express my frustration with SRX, which can not do basic stuff. For example, we have an SRX 650 which shows very non-standard behavior; for details, see the post: (Note I used an SRX 100, which showed the same behavior we observed on the SRX 650)

I can not understand how it could even pass Quality check. I am recommending my company to replace SRX from our network.

 

https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-100-650-Non-Standard-behavior-for-PIM-SPARSE-MODE/m-p/317895#M48390

 

 

 

Re: Filter-Based Forwarding on the Source Address and Per-Packet Load Balancing


Re: Filter-Based Forwarding on the Source Address and Per-Packet Load Balancing


I have one more question. If I want to give one network guaranteed bandwidth (10 M) and high priority for internet access, and the other networks can share the remaining bandwidth in this scenario, how can I configure it? Should I use policers? Should I use a multifield classifier?

 

Dual Control link SRX5800 not working


Hello,

I have a question with respect to the dual control link. I have an SRX with two REs installed.

Below is my configuration:

 

 show configuration chassis cluster
control-link-recovery;
control-ports {
    fpc 0 port 0;
    fpc 12 port 0;
    fpc 0 port 1;
    fpc 12 port 1;

(I know that it's not recommended to use just a single SPC :) anyway, it must be in that configuration)

show chassis cluster control-plane statistics
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 2064
        Heartbeat packets received: 2059
        Heartbeat packet errors: 0
    Control link 1:
        Heartbeat packets sent: 2064
        Heartbeat packets received: 0
        Heartbeat packet errors: 0

 

As you can see, the second link is not receiving heartbeats. The cluster information looks as follows:

    Control-link Failure Information:
        Link Status: Up
        Dual Control Link Status: Activated

 

How can I troubleshoot it? Is it possible that I missed something in the configuration? As far as I know there is no more config required. I would like to check what could be the cause. Worth noting that the devices are directly connected via fiber.

 

Thanks

Re: Dual Control link SRX5800 not working

Can you share this output from both nodes.

show chassis cluster control-plane statistics

Re: Dual Control link SRX5800 not working


sure, here you are :

 

node 0 :

 

show chassis cluster control-plane statistics
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 3448
        Heartbeat packets received: 3443
        Heartbeat packet errors: 0
    Control link 1:
        Heartbeat packets sent: 3448
        Heartbeat packets received: 0
        Heartbeat packet errors: 0

node 1 :

 

show chassis cluster control-plane statistics
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 7789
        Heartbeat packets received: 7594
        Heartbeat packet errors: 0
    Control link 1:
        Heartbeat packets sent: 7789
        Heartbeat packets received: 0
        Heartbeat packet errors: 0
