Re: failover or bgp vpn between SRX (Site A) to SRX & SSG5 (at same site with same Internal but different ISP )
Hello there,
wrote: Hi
where do you want me to give this DPD configuration ?
1) is it in the established tunnel b/w srx & ssg5 ??
Yes.
wrote:
If it is possible, can you send me a config file with the below details (BGP routing from Site A along with DPD, giving the Site B established VPN details; need to configure the SRX with the same intranet and bring up a policy-based or route-based VPN)? To test, I will bring down 1 ISP.
I can give You additional config to apply to Site-A SRX210. Obviously You already have a working Site-A SRX-Site-B SSG, so this additional config would be:
## Site-A SRX additional config:
set security ike gateway <Whatever is the name> address <whatever is the Site-B SSG IP>   ## existing line
set security ike gateway <Whatever is the name> address <whatever is the Site-B SRX IP>   ## NEW line
set security ike gateway <Whatever is the name> dead-peer-detection always-send           ## NEW line
set security ike gateway <Whatever is the name> dead-peer-detection threshold 3           ## NEW line
On the Site-B SRX, You need to enable DPD with the same lines (obviously, use a different name and different IP) towards Site-A SRX.
Finally, on the Site-B SSG side You'd need to enable DPD as well:
set ike gateway <whatever the name for Site-B SRX> address <whatever is the Site-A SRX IP>   ## existing line
set ike gateway <whatever the name for Site-B SRX> dpd-liveness interval 10                 ## NEW line
set ike gateway <whatever the name for Site-B SRX> dpd-liveness always-send                 ## NEW line
As for BGP & the rest, I suggest You hire someone to do it for You.
HTH
Thx
Alex
Re: SRX110 VDSL Configuration pp0.0 down inet
Hi,
Many Thanks for your response.
There's not a lot of activity when I run this command:
hostname@srx# ...erface pt-1/0/0 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on pt-1/0/0, capture size 96 bytes
19:06:42.619406 Out PPPoE PADI [Host-Uniq UTF8] [Service-Name]
19:06:45.654042 Out PPPoE PADI [Host-Uniq UTF8] [Service-Name]
19:06:50.711805 Out PPPoE PADI [Host-Uniq UTF8] [Service-Name]
Shall I run with the detail or extensive outputs?
I did find VDSL configs on various Juniper documents with an Access profile. Would this be required?
Many Thanks,
Tom
Re: SRX110 VDSL Configuration pp0.0 down inet
Hi,
Looking into this further I think it's because I'm not tagging the vlan on the interface.
When I configure my cisco device I have to specify the vlan tagging, 101 in my case.
When I try and set this on the srx pt-1/0/0 interface it's saying I can't configure it. It complains about vlan tagging only being able to configure tagging on an ethernet interface:
[edit interfaces pt-1/0/0]
user@SRX110H-VA-House# set vlan-tagging
[edit interfaces pt-1/0/0]
user@SRX110H-VA-House# commit
[edit interfaces]
'pt-1/0/0'
INTERFACES_TYPE_VLAN_TAGGING: vlan tagging can only be specified on ethernet interfaces
error: configuration check-out failed
Any ideas how I configure vlan tagging on a VDSL interface?
Thanks,
Tom
Proxy ARP doesn't work
Hi.
Perhaps someone was faced with a similar problem. I'm trying to set up destination NAT with proxy ARP but it doesn't work. Some parts of the config:
#reth1.0:
family inet {
    address a.b.c.66/28;
}
#show security nat destination
pool dst-server-1 {
    address 10.115.9.2/32 port 443;
}
rule-set rs1 {
    from interface reth1.0;
    rule r1 {
        match {
            destination-address a.b.c.76/32;
            destination-port {
                443;
            }
        }
        then {
            destination-nat {
                pool {
                    dst-server-1;
                }
            }
        }
    }
}
#show security nat proxy-arp
interface reth1.0 {
    address {
        a.b.c.76/32;
    }
}
#From untrust to internal zone
policy server-access {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
>show route
a.b.c.64/28 *[Direct/0] 8w0d 04:44:30
> via reth1.0
a.b.c.66/32 *[Local/0] 8w0d 04:44:31
Local via reth1.0
a.b.c.76/32 *[Static/1] 01:33:03
Receive
When I try to connect to a.b.c.76:443 nothing happens. I can't find anything in the security flow sessions or in the trace.
node0:
--------------------------------------------------------------------------
Total destination-nat rules: 1
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
node1:
--------------------------------------------------------------------------
Total destination-nat rules: 1
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
SRX100 and Unifi AP - 2 subnets on 1 interface required
Hello everybody
I have following setup
modem --> SRX100 --> Netgear GS716Tv3 switch --> (rest of the network including Hyper-V infrastructure, DC/DHCP, and Unifi WAP)
On SRX100 I have the following interfaces that are all part of vlan1 configured with an IP address of 192.168.1.254/24, and Windows Server (DC) is the DHCP server for this subnet:
fe-0/0/1 - fe-0/0/6
Interface fe-0/0/7 is currently configured with IP address 10.0.20.1/24 and SRX100 is the DHCP server for this subnet (the Unifi Access Point is plugged in to it and it works fine).
Here is what I need to do:
interfaces fe-0/0/1 - fe-0/0/6 are ok -no changes needed
I want to have 2 subnets on interface fe-0/0/7 - one of these subnets (10.0.20.1/24) will be used for home Wi-Fi and the second must be the same as the existing subnet on interfaces fe-0/0/1 - fe-0/0/6 (192.168.1.254/24).
I tried to change interface fe-0/0/7 to vlan-tagging and created two vlans on this interface but once I added 192.168.1.254/24 site lost access to the Internet.
My question is: How do I create 2 subinterfaces (or VLANs) on the fe-0/0/7 interface so that the Unifi AP that is connected to this interface has two Wi-Fi networks on two different subnets (one of them able to communicate with the office Hyper-V infrastructure on the 192.168.1.0/24 subnet)?
I'm new to Juniper cli so please support your suggestions with commands to run if possible.
Any help would be much appreciated. Thank you.
SRX Cluster - IP Monitoring doesn't work
Hello all,
I have problems implementing IP monitoring on my Juniper chassis cluster.
At first, I'll explain my environment and my configurations (see picture below).
The link from node 0 will be connected soon. At the moment, the traffic is redirected over node 1 and this connection works.
The switch and the router don't belong to me and I can't configure them. But the connection over the switches to the router is working.
My configurations are:
chassis {
    cluster {
        control-link-recovery;
        reth-count 2;
        redundancy-group 1 {
            node 0 priority 254;
            node 1 priority 1;
            gratuitous-arp-count 4;
            interface-monitor {
                xe-7/0/7 weight 128;
                xe-0/0/7 weight 128;
                xe-0/0/6 weight 128;
                xe-7/0/6 weight 128;
            }
            ip-monitoring {
                global-weight 255;
                global-threshold 255;
                retry-interval 3;
                retry-count 5;
                family {
                    inet {
                        10.0.0.1 {
                            weight 255;
                            interface reth0.0 secondary-ip-address 10.0.0.4;
                        }
                    }
                }
            }
        }
        redundancy-group 0 {
            node 0 priority 254;
            node 1 priority 1;
        }
    }
}
interfaces {
    reth0 {
        traceoptions {
            flag all;
        }
        redundant-ether-options {
            redundancy-group 1;
            flow-control;
            minimum-links 1;
        }
        unit 0 {
            family inet {
                rpf-check fail-filter rpf-filter;
                address 10.0.0.5/29;
            }
        }
    }
}
firewall {
    filter rpf-filter {
        term default {
            then {
                count rpf-failed-count;
                reject;
            }
        }
    }
}
=========================================================================
But my IP-Monitoring status is failed:
root@lzg1srx4100-ha> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  254      primary        no      no       None
node1  1        secondary      no      no       None

Redundancy group: 1 , Failover count: 2
node0  0        secondary      no      no       IF IP
node1  0        primary        no      no       IP
===========================================================================================
root@lzg1srx4100-ha> show chassis cluster information
node0:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: primary, Weight: 255

        Time            From           To             Reason
        Nov 20 20:11:22 hold           secondary      Hold timer expired
        Nov 20 20:11:38 secondary      primary        Only node present

    Redundancy Group 1 , Current State: secondary, Weight: -256

        Time            From           To             Reason
        Nov 20 20:11:23 hold           secondary      Hold timer expired
        Nov 20 20:11:38 secondary      primary        Only node present
        Apr 18 07:12:38 primary        secondary-hold Monitor failed: IF
        Apr 18 07:12:39 secondary-hold secondary      Ready to become secondary

Chassis cluster LED information:
    Current LED color: Amber
    Last LED change reason: Monitored objects are down

Failure Information:

    IP Monitoring Failure Information:
        Redundancy Group 1, Monitoring Status: Failed
        IP Address       Status      Reason
        10.0.0.1         Unreachable no route to host

    Interface Monitoring Failure Information:
        Redundancy Group 1, Monitoring status: Failed
        Interface        Status
        xe-0/0/6         Down
        xe-0/0/7         Down

node1:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: secondary, Weight: 255

        Time            From           To             Reason
        Nov 20 21:00:23 hold           secondary      Hold timer expired

    Redundancy Group 1 , Current State: primary, Weight: 0

        Time            From           To             Reason
        Nov 20 21:00:24 hold           secondary      Hold timer expired
        Apr 18 07:12:37 secondary      primary        Remote yield (1/0)

Chassis cluster LED information:
    Current LED color: Amber
    Last LED change reason: Monitored objects are down

Failure Information:

    IP Monitoring Failure Information:
        Redundancy Group 1, Monitoring Status: Failed
        IP Address       Status      Reason
        10.0.0.1         Unreachable unknown          //This connection should be reachable!
I'm a little confused, because I get an ICMP response when I ping the router gateway:
root@lzg1srx4100-ha> ping 10.0.0.1 source 10.0.0.5
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=255 time=0.513 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.612 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.791 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=0.906 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=0.566 ms
^C
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.513/11.478/54.791/21.657 ms
What's the problem here? Any ideas?
Many Thanks in advance!
Re: SRX Cluster - IP Monitoring doesn't work
It looks like you do not have routing configured
IP Monitoring Failure Information:
Redundancy Group 1, Monitoring Status: Failed
IP Address Status Reason
10.0.0.1 Unreachable no route to host
To be sure run following command :
root@lzg1srx4100-ha>show route 10.0.0.1
You need to set at least default route :
Example:
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
Why it is reachable with ping - because you are pinging on the local segment (L2) so you do not need routing.
But for IP monitoring to work you need routing to be configured.
Regards
Leon Smirnov
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
SRX Static NAT not working
Hi,
Following static NAT is not working, any suggestions?
root@213-ROUTER> show configuration | display set | match S1
set security nat static rule-set S1 from interface ge-0/0/5.0
set security nat static rule-set S1 rule r1 match destination-address 10.213.21.177/32
set security nat static rule-set S1 rule r1 then static-nat prefix 40.1.1.11/32
set security nat static rule-set S1 rule r1 then static-nat prefix routing-instance JCShubspoke
10.213.21.177 is the IP Address configured on interface ge-0/0/5 in routing-instance JCShubspoke.
40.1.1.11 is the IP Address of the internal server, connected via interface ge-0/0/6 in routing-instance JCShubspoke.
The IP Address of ge-0/0/6 is 40.1.1.254.
My SRX is in packet mode , so no zones required.
root@213-ROUTER> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: r1 Rule-set: S1
Rule-Id : 1
Rule position : 1
From interface : ge-0/0/5.0
Destination addresses : 10.213.21.177
Host addresses : 40.1.1.11
Netmask : 32
Host routing-instance : JCShubspoke
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0
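Both the proxy-ARP post above and this static-NAT post end with the same symptom: "Translation hits : 0" on every node. That counter separates "traffic never reached the NAT rule" (look upstream: route, zone, policy, proxy-ARP, packet vs flow mode) from "the rule matched but the session was then refused" (Failed sessions > 0). The script below is an added example, not Juniper code and not from either poster; it parses the counter layout of `show security nat static|destination rule all` as quoted in these posts (the `Destination NAT rule: ... Rule-set: ...` header line and the indentation are assumptions about the full output, and the sample text is constructed) and flags rules in either state, which is handy when auditing many SRX devices at once.

```python
"""Audit Junos NAT rule counters from 'show security nat <static|destination> rule all'.

A rule whose 'Translation hits' stays at 0 was never matched, so the fault is
upstream of NAT (routing, zone/policy, proxy-ARP, flow vs packet mode); a rule
with hits but 'Failed sessions' > 0 matched, but the session was then refused.
"""
import re
from dataclasses import dataclass, field

# Hypothetical helper, not Juniper code; the patterns are modelled on the
# counter layout quoted in the forum posts, not on a Junos schema.
RULE_HEADER = re.compile(
    r"^(?P<kind>Static|Destination|Source) NAT rule:\s*(?P<name>\S+)\s+Rule-set:\s*(?P<ruleset>\S+)"
)
NODE_HEADER = re.compile(r"^(?P<node>node\d+):\s*$")
FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(?P<value>.*)$")


@dataclass
class NatRule:
    node: str      # "node0"/"node1" in a chassis cluster, "standalone" otherwise
    kind: str      # Static / Destination / Source
    name: str
    ruleset: str
    fields: dict = field(default_factory=dict)

    def counter(self, key: str) -> int:
        """Return a numeric counter field, treating a missing field as 0."""
        return int(self.fields.get(key, "0"))


def parse_nat_rules(text: str) -> list:
    """Split the CLI text into one NatRule per 'NAT rule:' header, per cluster node."""
    rules, node, current = [], "standalone", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if m := NODE_HEADER.match(line):
            node, current = m.group("node"), None        # new cluster node section
            continue
        if m := RULE_HEADER.match(line):
            current = NatRule(node, m.group("kind"), m.group("name"), m.group("ruleset"))
            rules.append(current)
            continue
        if current is not None and (m := FIELD.match(line)):
            current.fields[m.group("key").strip()] = m.group("value").strip()
    return rules


def flag_rules(rules) -> list:
    """Return one finding per rule that is either never matched or losing sessions."""
    findings = []
    for r in rules:
        hits, failed = r.counter("Translation hits"), r.counter("Failed sessions")
        if hits == 0:
            findings.append({"node": r.node, "rule": r.name, "reason": "never-matched",
                             "detail": "0 translation hits: traffic is not reaching this rule; "
                                       "check route, zone/policy, proxy-ARP and flow mode first"})
        elif failed > 0:
            findings.append({"node": r.node, "rule": r.name, "reason": "failed-sessions",
                             "detail": f"{failed} of {hits} translations failed to set up a session; "
                                       "check the security policy for the translated address"})
    return findings


# Constructed sample output, modelled on the counters quoted in the two posts.
_DST_BLOCK = """\
Total destination-nat rules: 1
Destination NAT rule: r1                 Rule-set: rs1
  Rule-Id                    : 1
  From interface             : reth1.0
  Destination addresses      : a.b.c.76
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0
"""
SAMPLE_CLUSTER = "".join(f"node{n}:\n{'-' * 74}\n{_DST_BLOCK}" for n in (0, 1))

SAMPLE_STATIC = """\
Total static-nat rules: 2
Static NAT rule: r1                      Rule-set: S1
  Rule-Id                    : 1
  From interface             : ge-0/0/5.0
  Destination addresses      : 10.213.21.177
  Host addresses             : 40.1.1.11
  Netmask                    : 32
  Host routing-instance      : JCShubspoke
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0
Static NAT rule: r2                      Rule-set: S1
  Rule-Id                    : 2
  Translation hits           : 20
    Successful sessions      : 17
    Failed sessions          : 3
  Number of sessions         : 17
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CLUSTER, SAMPLE_STATIC):
        for f in flag_rules(parse_nat_rules(sample)):
            print(f"{f['node']}/{f['rule']}: {f['reason']} - {f['detail']}")
```

Feed it the saved output of the show command (one file per device); a rule reported as never-matched on every node, as in both posts, means the NAT rule itself is not where to keep looking.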
IPv6 static route not working
My org has an SRX1400 running 12.1x48-D30. My ISP has started offering IPv6 and has given us a static address for the gateway, a subnet for our internal devices, and the other info needed to connect.
I can give our WAN and LAN interfaces the proper IPv6 address. However I cannot get a static IPv6 route set up.
I can give the gateway the correct command, # set routing-options rib inet6.0 static route ::/0 next-hop 2610:20:900c:4003::4, and commit it no problem. The configuration, # show routing-options, shows the new info. But the route never shows up when I run show route.
I can ping the next hop from both the gateway and my servers. I cannot ping any IPv6 destination, such as ipv6.google.com, from the gateway or my servers, though the IP address does resolve. So why doesn't the route show up?
At this time the only things I haven't done are reboot the gateway, which technically shouldn't be necessary, or upgrade it to 12.3, needs to be done but also shouldn't be necessary.
Any ideas?
Re: SRX Static NAT not working
NAT only works in FLOW mode not in PACKET mode
regards
alexander
Re: AutoDiscovery VPN SRX (ADVPN IPsec )
link? which one?
Re: AutoDiscovery VPN SRX (ADVPN IPsec )
the book is USELESS
Re: ADVPN basic configuration
a ok thank you such a great community!!! thanks for the help
Re: SRX110 VDSL Configuration pp0.0 down inet
Hi,
I've figured this one out I needed to add vlan tagging onto the vdsl interface. I ran into issues with this in my last post, and this was because I was running JunOS 11.x and vlan tagging is not supported until release 12.1.
As soon as I upgraded the software bingo! so now I have a fully working firewall terminating my vdsl broadband.
I wanted to post the solution in case anyone else bumps into this issue too.
Regards,
Tom
Re: IPv6 static route not working
Confirm that IPv6 flow mode is enabled on the device:
show security flow status
The routes will be in the inet6 table. Do you see them if you specify this?
show route table inet6.0
For transit traffic you will need security policies in place. You can verify sessions using show security flow
Re: Proxy ARP doesnt work
Since you get nothing in the session table or trace log that indicates the security policy is not being hit as expected.
Verify the zone name for the interface that 10.115.9.2 is associated with and confirm that reth1.0 is assigned to the untrust zone.
Verify the policy order for everything in the untrust to internal section.
If there are no obvious errors there, set up the trace options for flow outlined at the beginning of this KB with the dual filters for both directions of traffic. This should show the flow processing and why the session is denied.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110
Re: SRX Static NAT not working
Thanks Alex for confirming.
Re: SRX Cluster - IP Monitoring doesn't work
Hello Brandmajor,
thanks for your reply.
At first, I thought it was a routing problem too.
But the customer traffic is already routed. This works on node 1.
On node 0, the link isn't established, because we have to order two new ports on the switch. So the concerned links/ports are down. On this node, I get the Interface Monitoring error and the IP Monitoring error (no route to host), and these errors are okay.
The problem is on node 1. There, the IP Monitoring gives me an error with an unknown reason:
Failure Information:
    IP Monitoring Failure Information:
        Redundancy Group 1, Monitoring Status: Failed
        IP Address       Status      Reason
        10.0.0.1         Unreachable unknown
Again, the routing over node 1 is working; only the IP Monitoring on this node gives me the above error.
I 'll post the
root@lzg1srx4100-ha>show route 10.0.0.1
reply next week, because I'm not at work until wednesday.