Channel: All SRX Services Gateway posts

Policer is not working on SRX series devices.


Hello,

I am running 12.3X48-D51 code on an SRX240 and having an issue: the policer is not working correctly.

Please see the attached graph, this circuit is configured for 29 M but the graph is showing it is not limiting the traffic to 29 MB.

Does anyone have any idea or suggestion to correct this issue?

 

set firewall family inet filter 29M-POLICER term police then accept
set firewall family inet filter 10M-POLICER term police then policer POLICE-10MB
set firewall family inet filter 10M-POLICER term police then accept
set firewall policer POLICE-29MB if-exceeding bandwidth-limit 29m
set firewall policer POLICE-29MB if-exceeding burst-size-limit 300k
set firewall policer POLICE-29MB then discard
set firewall policer POLICE-10MB if-exceeding bandwidth-limit 10m
set firewall policer POLICE-10MB if-exceeding burst-size-limit 100k
set firewall policer POLICE-10MB then discard


GRE tunnel is switching over via SRX series devices.


We have an issue: our customer is making their GRE tunnels using an SRX port, but when we do the failover test the customer's tunnels are not failing over.

Our SRXs are configured in a cluster. Let me explain my topology:

We have two sites, and both sites have dual CPEs in a cluster. Basically we have our VPN tunnels between SRX to SRX3600 at both sites, and they go via the MPLS cloud to reach the destination. The client is building GRE tunnels between the two sites by connecting to SRX ports.

When we switch over the traffic from the primary node to the backup, our tunnels switch over fine but the client's tunnel doesn't switch over.

Also, can we do some kind of capture to find the root cause? GRE is going via our VPN tunnels and I think we can't capture tunnel traffic.

Any suggestions?

Can anyone please provide me a good link on how to create trace options in SRX?

Re: Cannot identify Log message RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive


What if the traffic is valid and it is causing issues? In my case this is DNS replies from the internet.

SRX 1400 ISSU upgrade Error


For the SRX1400 ISSU cluster upgrade I am getting the below error:

Any suggestion to resolve the issue?

 

root@SDBRONRS04W> ...unos-srx1k3k-12.3X48-D50.6-domestic.tgz
Checking compatibility with configuration
Initializing...
cp: /etc/iri_ipsec_key.db: No such file or directory
Using /var/tmp/junos-srx1k3k-12.3X48-D50.6-domestic.tgz
chroot: /bin/sh: No such file or directory
ERROR: validate-config: junos/+REQUIRE fails
WARNING: Current configuration not compatible with /var/tmp/junos-srx1k3k-12.3X48-D50.6-domestic.tgz

 

I am upgrading the code from 12.1X46-D40.2 to 12.3X48.

Re: MACsec silently fails on SRX300 -- security hole?


Supposedly on D100 it's supported on the 2 SFP uplinks. Haven't tried it myself, but setting up a lab soon to give it a go.

 

Release notes from D100

Re: Policer is not working on SRX series devices.


wrote:

In the part of the config you posted, the policer is not assigned to anything.

Posting the entire config would help.

You can also read this:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28161


set interfaces reth8 unit 0 family inet policer input POLICE-29MB
set interfaces reth9 unit 0 family inet policer input POLICE-29MB
set interfaces reth10 unit 0 family inet policer input POLICE-29MB
set interfaces reth11 unit 0 family inet policer input POLICE-29MB
set interfaces reth12 unit 0 family inet policer input POLICE-29MB
set firewall family inet filter 29M-POLICER term police then policer POLICE-29MB
set firewall family inet filter 29M-POLICER term police then accept
set firewall family inet filter 10M-POLICER term police then policer POLICE-10MB
set firewall family inet filter 10M-POLICER term police then accept
set firewall policer POLICE-29MB if-exceeding bandwidth-limit 29m
set firewall policer POLICE-29MB if-exceeding burst-size-limit 300k
set firewall policer POLICE-29MB then discard
set firewall policer POLICE-10MB if-exceeding bandwidth-limit 10m
set firewall policer POLICE-10MB if-exceeding burst-size-limit 100k
set firewall policer POLICE-10MB then discard

Re: Policer is not working on SRX series devices.


I am used to applying policers the way described in the KB article.

So
- Apply firewall filter to an interface
- Then in the firewall filter based on terms send the traffic to the actual policers


Re: need help on configuring AWS direct on SRX4100


Thanks for your reply. I'm still trying to bring up this connection on the SRX. At the moment, I'm not able to ping the AWS side that I'm supposed to be peering with for BGP. I'm trying to work with AWS to find out what else needs to be done here.

Re: SRX300 DHCP wrong address when moving clients between vlans


Hi Dominic,

Good to hear that you found a solution.

Re: How to turn off "The SRX no longer provides hosting of the Pulse Client for direct download."


Can I have dynamic VPN and HTTP access at the same time?

Re: Policer is not working on SRX series devices.


Hi Ehsan,

 

Input statistics will be calculated before applying the input filter. 

 

Regards,

Rahul

Re: GRE tunnel is switching over via SRX series devices.


Can you paste your config?

I have tested the setup with an SRX cluster on one end and a Linux router on the other end and made it work.

When you are switching traffic from primary to secondary, do your GRE destinations remain reachable to the SRX?

Or were those prefixes available in the routing table of the SRX initiating the GRE tunnels?

Hope you have used two separate IP ranges for the GRE interfaces to build redundant tunnels.

Re: How to turn off "The SRX no longer provides hosting of the Pulse Client for direct download."


I think you can do it this way.

As per my understanding, you cannot access J-Web (the config portal) on the outside interface if you have enabled a remote access VPN.

Hence, to achieve dynamic VPN + SRX web access for config, you can specifically create a client with the SRX trust IP only in dynamic VPN.

You may use the same client to access the SRX via J-Web after connecting the dynamic VPN.

You will not be able to access the J-Web config portal directly if you have configured dynamic VPNs.

 

 

Re: Unable to get SNMP working remotely


Assuming the SRX is in flow mode, you also need to make sure the interface that your SNMP poller hits for the requests is in a zone that allows SNMP in the zone settings:

 

security zones security-zone ZONENAME host-inbound-traffic system-services snmp

 

On the routing side, make sure the return routes to the snmp pollers are going out the SRX in the desired direction. 

And you might need to explicitly set the source interface for the traffic if it is not working to make sure it is using the desired one.

 

snmp interface

snmp trap-options source-address

 


Re: SRX 1400 ISSU upgrade Error

Hi,

Please use no-validate at the end of the command.

Thanks

Re: Potential slow peers Minor alarm


Hello,

 

Did you get a response to your question? I have the same alarm:

Potential slow peers are: FWDD0 FWDD1 

Re: SRX300 series VLAN interface


Hello everyone, I'm new here and I'm having a similar issue with an SRX320. This is my first time configuring a Juniper router and I have installed the latest software on the Juniper router. I'm having a hard time getting an IRB interface into a security zone. Now I have already set my IRB interfaces to VLANs. I'm just not sure how to get the IRBs into security zones.

I also apologize if this is not how you reply to a thread.

 

Thank you

Re: Unable to get SNMP working remotely


The below was my issue!

 

security zones security-zone ZONENAME host-inbound-traffic system-services snmp
