Channel: All SRX Services Gateway posts

Re: Dual Control link SRX5800 not working


Hi Kzet,

What is the version of Junos running on the RE1 (secondary RE)? You have to explicitly console onto the RE1 to view the version.

You could check KB30371, which mentions that certain versions of RE need to be upgraded to the non-affected versions in order to bring up the secondary control link.

The affected versions are:

  • 12.1X47-D10 through 12.1X47-D30
  • 12.1X48-D10 through 12.1X48-D25
  • 15.1X49-D10 through 15.1X49-D30

I would also recommend that you check / swap the SFPs and fibre to rule out any HW issues.


Re: Dual Control link SRX5800 not working


I read a similar article, therefore I've upgraded both RE1 recently:

RE0 : Model: srx5800
Junos: 15.1X49-D110.4
JUNOS Software Release [15.1X49-D110.4]

RE1:

root> show version
Model: olive
JUNOS Software Release [12.3X48-D60.2]

If I understood it correctly, this version is free of the error. I will check the cables again (which are completely new), but I do not have any more ideas for now :)

P.S. Can the version of Junos on RE1 be different compared to RE0? As far as I know yes, but maybe I did not read something.

Proxy-Arp vs interface address


Can anyone explain to me the difference between proxy-arp and an address assigned to an interface?

I have an SRX 300 connected to a /28 subnet.

I want to 1:1 NAT some addresses to the inside.

The GE-0/0/0.0 interface has an address of 1.1.1.1/28

The GE-0/0/5.0 interface has an address of 192.168.1.2/24

For example, I 1:1 NAT the following 2 addresses: 1.1.1.2 <-> 192.168.1.2

Now I have 2 options.

1) Proxy-Arp 1.1.1.2 on interface GE-0/0/0.0

2) Add address 1.1.1.2 on interface GE-0/0/0.0

Both options work, but what is technically the difference between those 2?

Regards,

Robbert


Re: Proxy-Arp vs interface address


And the interface address add would be more of a static approach.


Re: SRX320 VDSL/ADSL Module Configuration


Hey Steve. Thank you for getting back to me on this. I have been trawling the Juniper KB and have already tried everything I could find, including the PPPoA example link you posted, but still no joy. I also found and tried this article https://kb.juniper.net/InfoCenter/index?page=content&id=KB25400, and the set of customised commands I ended up with are as follows:


set interfaces at-1/0/0 description ADSL
set interfaces at-1/0/0 unit 0 description PPPoA
set interfaces at-1/0/0 dsl-options operating-mode auto
set interfaces at-1/0/0 encapsulation atm-pvc atm-options vpi 0
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-vc-mux vci 0.38
set interfaces at-1/0/0 unit 0 ppp-options chap access-profile ADSL client zen@zen
set access profile ADSL client zen@zen chap-secret 1234567
set interfaces at-1/0/0 unit 0 ppp-options chap passive
set interfaces at-1/0/0 unit 0 ppp-options pap default-password 1234567
set interfaces at-1/0/0 unit 0 ppp-options pap local-name zen@zen
set interfaces at-1/0/0 unit 0 ppp-options pap local-password 1234567
set interfaces at-1/0/0 unit 0 ppp-options pap passive
set interfaces at-1/0/0 unit 0 family inet address 8x.7x.x9.x1/32
set routing-options static route 0.0.0.0/0 next-hop at-1/0/0.0
set security zones security-zone Internet interfaces at-1/0/0.0 host-inbound-traffic system-services all
set security zones security-zone Internet interfaces at-1/0/0.0 host-inbound-traffic protocols all

 

This is a known good working connection i.e. as soon as I take the modem cable and plug it into an SSG5 it works. I have triple checked my username and password for typos and checked the exact detailed ISP requirements. I note on the SSG5 the Authentication type is set to Auto; in the above config. there's reference to both PAP and CHAP. The ISP says it doesn't matter which is used, but if one needs to be specified then I was instructed to use CHAP.

Re: Dual Control link SRX5800 not working


I changed cables from control link 0, which was working fine, to control link 1, and the opposite way from 1 to 0, and the situation is the same:


    Control link 0:
        Heartbeat packets sent: 25605
        Heartbeat packets received: 24465
        Heartbeat packet errors: 0
    Control link 1:
        Heartbeat packets sent: 25605
        Heartbeat packets received: 0
        Heartbeat packet errors: 0

 

On both nodes. So I think that I can exclude a cable issue. I will power off the cluster and replug RE1 on both nodes, then check the system version etc. again and reconnect the cables. If that does not help, I am afraid that only JTAC can help.

What do you think?


Re: SRX320 VDSL/ADSL Module Configuration


P.S. It's worth mentioning that on the MPIM there is a solid green SYNC LED and intermittent activity on the Rx/Tx LED.


Re: Dual Control link SRX5800 not working

You need to reboot the secondary RE after unplugging the cables. If I remember correctly, the secondary control link is not hot swappable.

Problem with VOIP phone and MGCP.


Hi all,

 

We've been having issues getting a VOIP phone to work through our SRX340.

 

The phone is a Panasonic KX-NT551. It connects to the network ok and we are able to make a single phone call which works fine. After that any subsequent phone calls don't have any audio in either direction.

 

The phone uses MGCP ALG rather than SIP ALG. Under the MGCP monitoring we can see packets being dropped and flagged under transaction errors and the 300-999 category.

 

The only error we can find in the flow logs is this one.

 

Jan 25 17:10:22 17:10:22.246987:CID-0:RT:<188.65.102.86/1->213.106.91.222/1;1,0x0> :

Jan 25 17:10:22 17:10:22.246987:CID-0:RT:packet [56] ipid = 48751, @0x43e67f1c

Jan 25 17:10:22 17:10:22.246987:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x43e67d00, rtbl_idx = 0

Jan 25 17:10:22 17:10:22.246987:CID-0:RT: flow process pak fast ifl 103 in_ifp ge-0/0/0.0

Jan 25 17:10:22 17:10:22.246987:CID-0:RT:  ge-0/0/0.0:188.65.102.86->213.106.91.222, icmp, (3/3)

Jan 25 17:10:22 17:10:22.246987:CID-0:RT: find flow: table 0x5323f850, hash 42940(0xffff), sa 192.168.4.251, da 213.106.91.222, sp 21006, dp 16708, proto 17, tok 6, conn-tag 0x00000000

Jan 25 17:10:22 17:10:22.246987:CID-0:RT:  packet dropped, no session found for embedded icmp pak

Jan 25 17:10:22 17:10:22.246987:CID-0:RT:  flow find session returns error.

Jan 25 17:10:22 17:10:22.246987:CID-0:RT:flow_proc_rc: -1.

Jan 25 17:10:22 17:10:22.246987:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

 

The source address 192.168.4.251 is a complete unknown to us. I can only imagine it's something encapsulated in the packet from the remote endpoint that MGCP is supposed to know about and deal with.

 

The config is long but will post if required.

 

Been pulling my hair out with this so any help or suggestions would be appreciated.

 

Rich.
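
An added example (not part of the original post, and not Juniper tooling): a small Python parser for flow-trace output like the above that pairs each "no session found for embedded icmp pak" drop with the outer ICMP header and the 5-tuple the flow lookup used. It assumes the bracketed pair on the packet line is ICMP type/code; the function and field names are hypothetical.

```python
import ipaddress
import re

# Three lines copied from the flow trace in the post above (one packet).
TRACE = """\
Jan 25 17:10:22 17:10:22.246987:CID-0:RT:  ge-0/0/0.0:188.65.102.86->213.106.91.222, icmp, (3/3)
Jan 25 17:10:22 17:10:22.246987:CID-0:RT: find flow: table 0x5323f850, hash 42940(0xffff), sa 192.168.4.251, da 213.106.91.222, sp 21006, dp 16708, proto 17, tok 6, conn-tag 0x00000000
Jan 25 17:10:22 17:10:22.246987:CID-0:RT:  packet dropped, no session found for embedded icmp pak
"""

# Outer packet line: "<ifl>:<src>-><dst>, icmp, (<type>/<code>)".
# Reading the bracketed pair as ICMP type/code is an assumption of this example.
OUTER = re.compile(r"RT:\s+(\S+?):([\d.]+)->([\d.]+), icmp, \((\d+)/(\d+)\)")
# Session lookup line: the 5-tuple the firewall searched its flow table for.
LOOKUP = re.compile(r"find flow:.*?\bsa ([\d.]+), da ([\d.]+), sp (\d+), dp (\d+), proto (\d+)")
DROP = "no session found for embedded icmp pak"


def embedded_icmp_drops(trace):
    """Pair each 'embedded icmp' drop with its outer header and lookup tuple."""
    drops, outer, lookup = [], None, None
    for line in trace.splitlines():
        if m := OUTER.search(line):
            outer, lookup = m.groups(), None      # a new ICMP packet begins
        elif (m := LOOKUP.search(line)) and outer:
            lookup = m.groups()
        elif DROP in line and outer and lookup:
            ifl, src, dst, itype, icode = outer
            sa, da, sp, dp, proto = lookup
            drops.append({
                "in_ifl": ifl,
                "icmp_from": src,
                "icmp_to": dst,
                "icmp": (int(itype), int(icode)),
                "lookup": (sa, int(sp), da, int(dp), int(proto)),
                # True when the looked-up source address is in private address space.
                "lookup_src_private": ipaddress.ip_address(sa).is_private,
            })
            outer = lookup = None
    return drops


if __name__ == "__main__":
    for d in embedded_icmp_drops(TRACE):
        print(d)
```

Run over a longer trace file, the same function lists every dropped ICMP error together with the session tuple that was missing, which can then be compared against the session table.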

 

 

need help on configuring AWS direct on SRX4100


This is my first AWS direct connection to SRX4100. We have configured a pair of SRX4100 in our data center, and I'm trying to bring in an AWS direct connect. The AWS direct connection is terminated on a switch as L2 and that switch is connected to the SRX4100. The config I got from AWS is for one single FW. I have a redundant pair. I don't understand which interface I have to put this config under. The physical interfaces are xe-0/0/2 and xe-7/0/2. The redundant interface is reth2. The following is the actual suggested config from AWS. I can't set some of these under the reth2 interface, only the IP address. I'd appreciate any help. Thanks.


edit interfaces ge-0/0/1
set description "Direct Connect to your Amazon VPC or AWS Cloud"
set flexible-vlan-tagging
set mtu 1522
edit unit 100
set vlan-id 100
set family inet mtu 1500
set family inet address 169.X.X.X/30

Re: SRX - Juniper still joking ?


You're going to recommend your company go through an entire firewall migration because your EOL hardware running 7-year old code has a multicast bug? Come on man...

added interface in zone not working in vpn


Hi,

I have created a VPN connection with an internal zone on each side containing one interface, and that works fine.

I added another interface to the zone but that interface doesn't work.

All policies, inbound services etc. are set to allow, from and to.

working interface = ge-0/0/1

not working interface = ge-0/0/2

Please see config files.

What may be the cause?

Regards

Re: need help on configuring AWS direct on SRX4100


Hi,

Remove flexible-vlan-tagging and and vlan-tagging under reth2 interface

edit interfaces reth2
set description "Direct Connect to your Amazon VPC or AWS Cloud"
set vlan-tagging
set mtu 1522
edit unit 100
set vlan-id 100
set family inet mtu 1500
set family inet address 169.X.X.X/30

 

Re: Dual Control link SRX5800 not working


I am afraid that I did everything and unfortunately it is still not working. I will open a JTAC case.

What I did:

Upgrade of RE0 to newest version: 15.1X49-D120.3

Upgrade of RE01 to: 12.3X48-D60

changed cable

changed sfp

reboot re1

power off - replug re01 - power on

Still the same behaviour: heartbeats are being sent but not received on both sides.

Re: SRX320 VDSL/ADSL Module Configuration


Are you assigned a static ip address on this service?  I had been assuming it was dhcp but noticed this in your SSG config

 

set interface adsl1/0 ip 8x.7x.5x.8x/32
set interface adsl1/0 route

You may need to set the family inet on the interface directly

Route/nat mode does not apply to the SRX

 

I also notice this is a /32 so I'm not sure how your outbound static default route will work in this setup.  I've not seen that before.

 

These we converted to host inbound services.
set interface adsl1/0 ip manageable
set interface adsl1/0 manage ping

 

Re: SRX320 VDSL/ADSL Module Configuration


When I try to ping an external IP address from the console I receive the following error message: "no route to host". Does this help get me closer to a resolution?
