Any firewall filters?
Re: unable to ssh from outside
Re: unable to ssh from outside
SSH is working with the intranet IP, but the issue is with the public IP.
Re: unable to ssh from outside
I posted the security zones here.
Re: SSH to FXP0
I already enabled on group node. Must I enable at global configuration again?
Re: unable to ssh from outside
root@> show interfaces ge-0/0/0 brief
Physical interface: ge-0/0/0, Enabled, Physical link is Up
Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled,
Auto-negotiation: Enabled, Remote fault: Online
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x0
Link flags : None
Logical interface ge-0/0/0.0
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Security: Zone: Internet
Allowed host-inbound traffic : ping ssh ike
inet 2.2.2.3/19
Re: SRX Cluster - IP Monitoring doesn't work
Good morning,
here is the output of the show route command:
root@lzg1srx4100-ha> show route
inet.0: 656 destinations, 656 routes (656 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 6d 11:45:58
> to 10.0.0.1 via reth0.0
10.0.0.0/29 *[Direct/0] 6d 11:45:58
> via reth0.0
10.0.0.5/32 *[Local/0] 6d 11:45:58
Local via reth0.0
The route should be okay, shouldn't it?
Re: BFD issues
BFD is only running on the interfaces connected between the primary connections between each router. We have had some issues with the microwave link dropping in QAM rates, which was causing the odd flap. These odd flaps caused us great issues due to the change-over OSPF holdover timers. BFD is set to 2 seconds, which might be a little too aggressive. I mentioned this in the design meeting. The issue is that if the equipment we are running sees more than a 4 second flap, it implements its own failover processes.
Re: SSH to FXP0
I missed that before. Can you verify that the ssh applies:
show configuration system services | display inheritance
And check the routing as noted by Suraj. If you enter the fxp port but the return route is out another port, the ssh will fail.
Re: Dynamic VPN with NCP remote client
Hello,
Thanks for your reply. I found the error: The gateway setting on the SRX i.e. ike-user-type "group-ike-ide" does not work with NCP Client, unlike with the Juniper Pulse Secure Client, "shared-ike-id" works instead, and the IKE-ID should be user-at-hostname and not hostname.
fxp0 and reth in the same subnet
Hello,
I have a SRX3400 cluster with fxp0 in 172.16.0.0/16 for OOB management.
The firewall has 3 zones, public reth0, DC reth1 and Corporate reth2.
I want to create a 4th zone for the OOB management network itself, in such way some devices from Corporate zone can access devices in OOB network under some policies.
I have created the zone Mgmt and assigned interface reth3 with an IP address in the same subnet as fxp0. The result is that I have two interfaces, fxp0 and reth3, in the same subnet with different IP addresses.
I can't ping the reth3 interface from the OOB network. What could be the cause?
Is this the right approach to achieve initial objective or what would be the right one?
Thanks in advance,
Miguel
Re: SRX100 as PPTP-client
I am also interested to know the way. Please help us with configuration
SRX220h2 error log message
Hi
Model: srx220h2
JUNOS Software Release [12.1X44-D30.4]
We got these kinds of error messages.
Can anybody let me know what's wrong and how I can stop it?
Apr 24 09:35:30 MRAC-RTR-FIG PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=85
Apr 24 09:38:57 MRAC-RTR-FIG PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=100
Apr 24 10:35:20 MRAC-RTR-FIG PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=97
Apr 24 11:34:11 MRAC-RTR-FIG PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=96
Apr 24 11:41:11 MRAC-RTR-FIG PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=100
Re: SRX100 as PPTP-client
The SRX cannot be a PPTP client.
Re: SRX220h2 error log message
The last time I saw this message, on one of my SRX220s, it was the result of trying to push more IPsec traffic through an SRX than it could handle (which was substantially less than the optimistic published IPsec numbers on the "spec sheet")
Re: SRX220h2 error log message
A dataplane CPU usually goes high with high traffic. Please monitor the current CPU using "show security monitoring performance spu".
Use "show security monitoring performance session" to check the session rate.
Use the "monitor interface traffic" command to see if any interfaces receive bursty traffic, which can contribute to this problem.
Re: fxp0 and reth in the same subnet
You cannot keep fxp0 and reth in the same subnet. You can put all reth interfaces in a routing instance and keep fxp0 alone in the default routing instance to achieve this.
KB30863 may give some details on why the configuration you are trying is not working.
nameserver configuration with Routing-Instance.
I have a question. I have a plan to connect the SRX to a DNS server on the Internet. Let's just say that the DNS is 8.8.8.8. The SRX that I have configured already has an RI that provides the Internet connection. Then I read this article:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB15656&actp=METADATA
It is written
NOTE: Name resolution will not work for SRX if the DNS server is only reachable via a VR (Virtual Router). The SRX cannot source the DNS queries from a VR type routing instance.
Then it might not be possible to create a new route table on the master (inet.0) because it is already assigned to the RI (which has the 0.0.0.0/0 route). Several questions came up along the way...
- What is the egress interface to the nameserver based on the configuration? I am guessing fxp0, am I correct?
- Can I make the route for fxp0 using a stateless firewall? Since I have experience creating FBF (or PBR perhaps), I was able to manipulate which route table is used. Is it possible to assign it as an output filter on the fxp0 interface?
Or any idea would be appreciated. I need to configure the DNS for auto-update on my IDP signature.
Re: HOW IS ASYMMETRIC ROUTING reflected in log session-end message
If, with asymmetric traffic, the SYN is seen but the SYN-ACK is not because of a direct path, two things will happen:
A) The session is created with an initial time-out of 20 sec.
B) When the SYN-ACK is not seen within this timeframe, the session is closed with reason age-out.
So when you see sessions in your log with close reason age-out and a duration between 19 and 21 seconds (the 20 is not always exact), you can safely assume you have asymmetric routing somewhere. Think second router on the same subnet, think load balancer doing "half-nat".
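One way to turn this heuristic into a log check, as an added example that is not part of the original thread: the script below scans SRX RT_FLOW_SESSION_CLOSE lines (constructed samples; the field layout, two packet counters followed by the elapsed seconds, is an assumption about the structured syslog format) and flags sessions that aged out within a second of the 20 s initial timeout with no packets seen from the server side, then counts them per destination.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of SRX RT_FLOW_SESSION_CLOSE syslog messages
# (assumed layout: "... pkts(bytes) pkts(bytes) elapsed-seconds ...").
SAMPLE_LOG = """\
Apr 24 10:00:01 fw RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed aged out: 10.1.1.10/51000->203.0.113.5/443 junos-https 10.1.1.10/51000->203.0.113.5/443 None None 6 allow-out trust untrust 1001 1(60) 0(0) 20 UNKNOWN UNKNOWN N/A(N/A) reth0.0
Apr 24 10:00:05 fw RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.11/51001->203.0.113.6/443 junos-https 10.1.1.11/51001->203.0.113.6/443 None None 6 allow-out trust untrust 1002 40(5000) 38(90000) 20 UNKNOWN UNKNOWN N/A(N/A) reth0.0
Apr 24 10:00:09 fw RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed aged out: 10.1.1.12/51002->203.0.113.7/22 junos-ssh 10.1.1.12/51002->203.0.113.7/22 None None 6 allow-out trust untrust 1003 1(60) 0(0) 19 UNKNOWN UNKNOWN N/A(N/A) reth0.0
Apr 24 10:00:30 fw RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed aged out: 10.1.1.13/51003->203.0.113.8/80 junos-http 10.1.1.13/51003->203.0.113.8/80 None None 6 allow-out trust untrust 1004 300(20000) 280(500000) 1800 UNKNOWN UNKNOWN N/A(N/A) reth0.0
"""

CLOSE_RE = re.compile(
    r"session closed (?P<reason>[^:]+): "
    r"(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+ .*? "
    r"(?P<c_pkts>\d+)\(\d+\) (?P<s_pkts>\d+)\(\d+\) (?P<elapsed>\d+) "
)

def suspected_asymmetric(lines, timeout=20, slack=1):
    """Return (src, dst) pairs whose session aged out around the initial SYN
    timeout with packets seen from the client only, i.e. no SYN-ACK came back."""
    hits = []
    for line in lines:
        m = CLOSE_RE.search(line)
        if not m:
            continue
        elapsed = int(m["elapsed"])
        if (m["reason"] == "aged out"
                and abs(elapsed - timeout) <= slack
                and int(m["s_pkts"]) == 0):
            hits.append((m["src"], m["dst"]))
    return hits

def summarize(lines):
    """Count suspected flows per destination, to spot the host or subnet
    behind the second router or half-NAT load balancer the answer mentions."""
    return Counter(dst for _, dst in suspected_asymmetric(lines))

if __name__ == "__main__":
    for dst, n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{dst}: {n} suspected asymmetric session(s)")
```

A long-lived aged-out session with traffic in both directions (the last sample line) is ordinary idle expiry and is deliberately not flagged.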
Re: SRX100 and Unifi AP - 2 subnets on 1 interface required
Thanks for your reply.
It is vlan1 and "Office" that need to be on the same subnet. Home needs to be separated from the rest of the network. I wasn't sure if I could have the fe-0/0/7 interface added to the same zone and vlan as the other interfaces and then have another "subinterface" on fe-0/0/7 in another zone/subnet. I thought that the only way to achieve what I needed was by having 2 vlans on the fe-0/0/7 interface, but now I know I was wrong.
Thanks for dhcp/nat commands; I'll try them next week once I'm in the Office.
Migrating SRX100H2 to SRX300
I have a really old SRX100H2 firewall. I would like to migrate to SRX300.
Is the migration as easy as exporting and importing the config?
Some migration tips would help greatly.
Thank you very much.