Channel: All SRX Services Gateway posts

Re: SRX110H2-VA VDSL PIC Firmware


The jfirmware link you have below is for the bootloader, which is part of the main chassis firmware, not a card.

 

I suspect based on the kb that the firmware is rolled into the main Junos upgrade and applies during upgrade if the card is both compatible and present.

 

You will need to open a support case to confirm if the additional download is needed and where to get it.  I don't see it on the public site.

 


Re: Dynamic VPN landing page on public IP.


Sorry for the confusion.  What I meant was if you can create a dns entry for the srx.  You can then submit a request for a certificate from a legitimate authority instead of using the self signed one.

 

I am assuming that the self signed certificate is why it is failing and if it had a legitimate authority certificate it would pass.

 

Re: IKEv2 Traffic Selector in 17.X


Typically in Junos once a feature is introduced it is in all the subsequent releases too unless it gets deprecated and replaced with a new feature.  Feature explorer then lists the version where the feature was added by platform.  This shows that vSRX should be good from version 15.1x49 and up.

https://apps.juniper.net/feature-explorer/search.html#q=selector

 


help with transparent mode


Trying to set an SRX300 into global-mode transparent bridge. I am following the article https://kb.juniper.net/KB31147 and the unit will not go into the required mode. How is this done?

I am typing

set protocols l2-learning global-mode transparent-bridge

It says syntax error.

Re: SRX320 VPN authentication with Yubikey?


No suggestions at all?  What about for a different hardware token?

Re: help with transparent mode

Mobile Signal Level into Cacti


Hi,

Is there any way to graph the mobile signal level into Cacti from an LTE Mini PIM card? Can you please advise the MIB/OID used for this purpose or any other workaround?

 

Thanks,

Re: help with transparent mode


Mac aging interval . 0

Mac learning .enable

Mac statistics . Disabled

Mac limit count.  0

Mac limit hit.  Disabled

Mac packet action drop . Disabled

Le aging time .1200

Le vlan aging time.  1200

Global mode . Not set

I'm trying to accomplish that setup in the weblink that I listed in the previous post that I made to start the thread


Re: help with transparent mode


In this article https://www.juniper.net/documentation/en_US/junos/topics/concept/security-layer2-bridging-transparent-mode-overview.html this is exactly what I'm trying to accomplish: switching mode with full security features. I don't need the routing function; I have a separate layer3 device to go between the different subnets I have in my network. All I need is to secure the subnets for the secured networks from the unsecured networks, but I want the edgerouter to handle the DHCP request, so I would need to specify devices and protocols to allow into the secured subnets. I don't care if I have to do that for each eth port; I just need it to pass packets in and out but have the security in place to keep outside subnets from accessing the secured subnets sections.

I am very new to the Juniper product line so I'm trying to find instructions on how to accomplish this task.

Re: SRX320 VPN authentication with Yubikey?


Hello,

AFAIK, only Yubikey+Yubiradius can be made to work with SRX (or any other Juniper router/switch/firewall).

JUNOS supports only RADIUS and TACACS for authentication and does not support Yubico OTP Validation Server or Yubico U2F Validation Server.

HTH

Thx

Alex

 

Re: failover or bgp vpn between SRX (Site A) to SRX & SSG5 (at same site with same Internal but different ISP )


We have a site-to-site VPN between Site A & Site B (Site A SRX 210, Site B SSG5). Till now everything is perfect, but now we added a new SRX210 at Site B with another ISP. So now the SRX210 at Site A should communicate with another SRX 210 at Site B. I want to use either the SSG5 or the SRX based on ISP availability; since the Site B intranet is the same, I am unable to configure / bring up one more VPN with the SRX.

Site A > SRX 210 -------ISP---------- ISP--------Site B < SSG 5

Present scenario

Site A > SRX 210 -------ISP---------- ISP--------Site B < SSG 5 (ISP A ) or SRX210 (ISP B)

(Only 1 ISP will work, but Site A should welcome / connect the Site B network with active / passive ISP. Both SSG5 and SRX210 are not interconnected; both are individually connected to different ISPs.)

(Site A n/w 192.168.1.0/24 --------Site B n/w 192.168.5.0 )

My questions are:

1) Can I bring up a site-to-site VPN with BGP? (So that I can bypass the same network; but policy or route based VPN needs target subnets in zones, and this n/w is already established with the SSG5.)

2) Can I configure the Site A network with dual g/w settings, with the same configuration on both SSG5 / SRX at Site B, so that only 1 ISP (SSG5) will be active all the time, and if ISP 1 goes down then I will bring up the ISP2 (SRX) connection?

3) Site A should discover Site B's active IP and it should allow the same intranet network on Site B.

Re: failover or bgp vpn between SRX (Site A) to SRX & SSG5 (at same site with same Internal but different ISP )


Hello,

There is not enough information in Your OP to offer You a solution. The following points need to be clarified:

1/ do You expect Site A SRX210 to connect to Site B SRX 210 _ONLY_ when Site B SSG is down, or

2/ should Site A SRX 210 have 2 established IPSec tunnels to both Site B SRX 210 and Site B SSG at all times, and let the OSPF|BGP running inside IPSec tunnels figure out what is the best route from Site A to Your Site B intranet?

3/ if yes to 1 above, do You expect the Site A SRX210 to fail back to Site B SSG when Site B SSG is back up after outage? or

4/ are You happy with manual failback?

My personal preference would be [2], and I did such designs for 100+ sites with BGP across the tunnels, works fine for 3+ years.

HTH

Thx
Alex 

 

Re: failover or bgp vpn between SRX (Site A) to SRX & SSG5 (at same site with same Internal but different ISP )


Hi aarseniev ,

 

       ""    2/ should Site A SRX 210 have 2 established IPSec tunnels to both Site B SRX 210 and Site B SSG at all times, and let the OSPF|BGP running inside IPSec tunnels figure out what is the best route from Site A to Your Site B intranet? "" this is fine for me

 

But since the intranet is the same I don't want to use both at the same time; I will disconnect the srx210 when the ssg5 is up. When the ssg5 is down I manually attach the srx210 to the intranet switch so that intranet traffic will go through the srx; whenever the ssg5 ISP comes back again I connect the intranet switch to the ssg5.

 

 

It would be happy for me if Site A can establish 2 site-to-site VPNs (already the ssg5 VPN is up, need to bring up one more to the Site B srx).

1) Since the Site A srx 210 VPN is already established with the Site B ssg5, can I bring up one more site-to-site VPN with the Site B srx with the same intranet?

 

Site A  :  SRX 210

ge-0/0/0 3.30.02 ( Untrust eg )

ge 0/0/1 192.168.50.0/24 (trust )

st0.1 10.11.11.11/24

 

Site B: SSG5

untrust : 23..5.4.7

trust :  192.168.2.0/24

tunnel 1 : 10.11.11.12/24

Now I want to bring up a site-to-site VPN with the srx with the same intranet (Site A srx configuration same).

I am getting routing issues because the Site B intranet is the same with both the ssg5 and srx210 device.

 

 

Site B : SRX 210

trust 192.168.2.0/24

untrust : 26.7.2.1

st0.1

Re: failover or bgp vpn between SRX (Site A) to SRX & SSG5 (at same site with same Internal but different ISP )


Hello,


 wrote:

Hi aarseniev ,

 

       ""    2/ should Site A SRX 210 have 2 established IPSec tunnels to both Site B SRX 210 and Site B SSG at all times, and let the OSPF|BGP running inside IPSec tunnels figure out what is the best route from Site A to Your Site B intranet? "" this is fine for me

 

But  since intranet is same i don't want  use both at a same time , i will disconnect srx210 when ssg5 is up . 

 

 

 


Then it is not option 2 as I described above, since once You disconnect the Site B SRX 210, the Site A SRX210 - Site B SRX210 tunnel will go down.

And how do You plan to bring Site B SRX 210 back up? Manually? And what happens if Site A SSG is down at that time? Do You have OOB access, like via a dial-up/GSM modems plugged into both SSG and SRX serial ports?

 


 wrote:

Hi aarseniev ,

 

      

         I am getting routing issues because Site B intranet is same  with both ssg5 and srx210 device .

 

 

 


This would not be a problem if You make the intranet subnet's BGP advert from Site B SSG through the tunnel more preferred than the same advert from Site B SRX210 through another tunnel.

You can do it on Site A SRX210 easily with BGP import policy.

HTH

Thx

Alex
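
Added example, not part of the reply above and not taken from any Juniper document: one way the Site A SRX210 could express that preference in Junos set-command form, so the SSG5 path wins while its tunnel is up and the SRX210 path takes over when it is not. The subnet 192.168.2.0/24 and the peer 10.11.11.12 come from the thread; the second tunnel unit st0.2, its 10.11.12.0/24 addressing, the AS numbers, the zone name `vpn` and all policy and group names are assumptions.

```junos
# Second tunnel interface towards the Site B SRX210 (assumed unit and addressing)
set interfaces st0 unit 2 family inet address 10.11.12.11/24

# Allow BGP to reach the Site A SRX over both tunnels (zone name "vpn" is assumed)
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces st0.2
set security zones security-zone vpn host-inbound-traffic protocols bgp

# The shared Site B intranet prefix, as given in the thread
set policy-options prefix-list SITE-B-LAN 192.168.2.0/24

# Routes learned from the SSG5 get the higher local preference (preferred path)
set policy-options policy-statement FROM-SSG term lan from prefix-list SITE-B-LAN
set policy-options policy-statement FROM-SSG term lan then local-preference 200
set policy-options policy-statement FROM-SSG term lan then accept
set policy-options policy-statement FROM-SSG term other then reject

# The same prefix learned from the Site B SRX210 is kept as the backup path
set policy-options policy-statement FROM-SRX term lan from prefix-list SITE-B-LAN
set policy-options policy-statement FROM-SRX term lan then local-preference 100
set policy-options policy-statement FROM-SRX term lan then accept
set policy-options policy-statement FROM-SRX term other then reject

# One eBGP session per tunnel, each with its own import policy (AS numbers assumed)
set routing-options autonomous-system 65001
set protocols bgp group SITE-B-SSG type external
set protocols bgp group SITE-B-SSG peer-as 65002
set protocols bgp group SITE-B-SSG neighbor 10.11.11.12 import FROM-SSG
set protocols bgp group SITE-B-SRX type external
set protocols bgp group SITE-B-SRX peer-as 65002
set protocols bgp group SITE-B-SRX neighbor 10.11.12.12 import FROM-SRX
```

The final `reject` term in each policy means nothing other than the agreed intranet prefix is accepted from either Site B peer.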

SSH Issue on SRX1500


Hi all,

 

I still have an issue on one SRX that simply will not accept SSH connectivity. It is configured exactly the same as the other SRX that does allow SSH connectivity. As this equipment is going into the Data Centres next week it is critical that I get this working before then or we will only have console access, which is not part of the remit as it will be a single point of failure.....

 

MX240s - SSH perfectly

SRX1500 01 - SSH perfectly

SRX1500 02 - SSH not working

 

I have configured the following:

 

set system services ssh root-login deny
set system services ssh connection-limit 3

 

The VR that the connection comes in on is an "any any any permit" policy as per below:

set security policies from-zone Customer-Network to-zone Customer-Network policy customer match source-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy customer match destination-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy customer match application any
set security policies from-zone Customer-Network to-zone Customer-Network policy customer then permit

 

Does anyone have any help they could offer please?


Re: SSH Issue on SRX1500


I am assuming you're running a cluster and you are configuring out-of-band management (fxp0)?

 

If so, there are number of reasons this will happen, for example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17161&actp=METADATA

 

If you search and browse the Juniper articles you will probably find your problem, but a simple workaround will be to log in to either node from the other:

 

{primary:node0}

lab@host> request routing-engine login node 1

Re: SSH Issue on SRX1500


Hi Dawid,

 

Thank you for the response.

 

No, we are not utilising a cluster for a specific reason that I cannot give. But that reason overrides the need for a cluster. FXP0 not being utilised.

 

The direction of the SSH connectivity request is as follows:

 

Laptop --> SRX01 --> core01 --> Core02 --> SRX02 (customer VR)

 

As mentioned, if I could SSH to any of the other devices I would know the answer, but I can SSH to everything except SRX02.

 

As an add on, here is the configuration for the security zone:

set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network host-inbound-traffic protocols all
set security zones security-zone Customer-Network interfaces ae2.0


Even from the CLI of the other devices I get the "ssh_exchange_identification: Connection closed by remote host" error....

 

If this is a certificate issue, I don't know where to find the certificate file to delete and renew.

Re: failover or bgp vpn between SRX (Site A) to SRX & SSG5 (at same site with same Internal but different ISP )


Hi aarseniev,

 

            This is my plan :

 

Site A srx210 site-site vpn with SSG5 is up and working now !  (ISP 1)

Site A srx210 site-site vpn with SRX210 should work now with same intranet n/w ( already i brought this up with ISP2 ) , but at Site B  there is no communication between srx and ssg5 (both are parallel ) .

 

If ISP1 goes down the SSG5 won't communicate with Site A, so I manually connect the intranet switch to the SRX210 (Internet will work), but there is an issue with the site-to-site VPN (I have to establish a site-to-site VPN from the Site A srx to the Site B srx).

1) What is the best way to configure the Site A to Site B VPN? Case A) SSG5 goes down, it should work with the SRX. The SSG is my primary.

2) Or can I use the srx210 with dual ISP at Site B and establish a VPN with Site A? Means Site A single GW, Site B dual GW with the same intranet. Can I do this?

Re: SSH Issue on SRX1500


I think I have found a way around this, or at least to test, but when I log in to the shell as root and try and make a directory under /etc I get the following error:

 

mkdir: test1: Read-only file system

 

Why, if I am logged into the shell as root, is it read only?

Re: SSH Issue on SRX1500


It looks like you do not have a certificate.

To generate:

 

> start shell user root
% ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

 

Regards

Leon Smirnov

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
