
Re: Migrating SRX100H2 to SRX300


Unfortunately you cannot copy the configuration; there are a number of differences.

 

1 - The SRX100 has fe interfaces and the SRX300 series has ge interfaces.

2 - There is a major change in how layer 2 configurations work. Junos has merged the MX version of layer 2 into the SRX chain. The new system is called ELS (enhanced layer 2 services). Here is the documentation on getting started with the changes.

 

https://www.juniper.net/documentation/en_US/junos12.3/information-products/topic-collections/ex9200/software-all/getting-started-els.pdf

 


Re: Migrating SRX100H2 to SRX300


Thanks for the guide. To simplify it further, do I use the ELS translator tool to translate my old configuration, and from there manually check whether the translated configuration is correct?

Re: MSS, GRE, and SRX300 in packet mode


Not sure if this helps but my common black magic options are:

 

set system internet-options gre-path-mtu-discovery

set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation

set security flow force-ip-reassembly

 

At least on an SRX300 with 15.1X49-D130.6 it's fine then:

 

# run ping 100.64.255.1 source 100.64.255.2 size 7000 do-not-fragment
PING 100.64.255.1 (100.64.255.1): 7000 data bytes
7008 bytes from 100.64.255.1: icmp_seq=0 ttl=64 time=25.415 ms
7008 bytes from 100.64.255.1: icmp_seq=1 ttl=64 time=23.142 ms
7008 bytes from 100.64.255.1: icmp_seq=2 ttl=64 time=23.199 ms
7008 bytes from 100.64.255.1: icmp_seq=3 ttl=64 time=23.296 ms

Adding a separate VPN device through SRX


HI Everyone, 

 

I'm relatively new to Junos but have had plenty of experience with ScreenOS. However I'm trying to solve a problem and I'm not sure if it's even possible in the current state or if I need changes prior to implementation.

We have a client we want to set up a site-to-site VPN with. However, they are providing the device they would like to use to create the VPN with (Check Point L-61i).

I originally requested an internal LAN IP (172.31.0.#) on the WAN side of the device which I was going to static NAT to with an external IP. However they set up the WAN with the external IP I was going to NAT with and used the gateway of the SRX.

Problem one.

Our current setup has our ISP bringing in 2 feeds (fiber and microwave) which connect to a gateway that manages the failover of service in the event we lose either of the connections. That gateway is .177 and I threw a switch in front in order to connect multiple external connections to test internet connectivity. However I feel that because it's using the gateway of the SRX (.181) traffic is getting stuck at the interface level. I've been able to get outbound with this configuration using static route rules but traffic inbound is not proceeding to the Check Point device.

Would this setup work? Or would I just bypass the SRX and put the Check Point on the outside and get them to modify the gateway from .181 to .177?

Next, on the LAN side, I would like to route traffic from our internal 172.31.x.x to 172.25.21.x (which is the LAN of the Check Point).

I first configured a free interface as 172.25.21.2 with the appropriate zone (created an open policy between our local LAN and the new zone for testing purposes) and from within the SRX I am able to ping the device locally; however I'm not able to get to the Check Point device from my 172.31. network.

I hope this makes sense. The gist of it is I have an SRX, which I would like to add a Check Point VPN into the mix, and then route traffic from my internal network through the Check Point tunnel to our client's network. (Maybe I should have started with this...)

thank you, 

Franco

Re: Migrating SRX100H2 to SRX300


Yes that would work.  I didn't mention the ELS translator because I was not able to reach it and wasn't sure if that was just a permission change or if the tool was no longer public.

 

Also note the interface name changes across all services in the configuration as well.
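An added worked example for the two points raised in this thread (the fe-to-ge interface rename and the ELS layer-2 changes); this is not from the thread and not a Juniper tool. It rewrites every fe-0/0/N reference in a set-style SRX100 configuration to ge-0/0/N and collects the lines that still use pre-ELS layer-2 syntax for manual (or ELS-translator) rework. The one-to-one port mapping and the sample configuration are assumptions made for illustration.

```python
"""
Added example (not a Juniper tool): a first pass at carrying an SRX100
set-style configuration over to an SRX300. It renames every fe-0/0/N
reference to ge-0/0/N and collects the lines that use pre-ELS layer-2
syntax, which the ELS translator or a human must rework. The sample
configuration at the bottom is constructed for illustration.
"""
import re
from typing import List, Tuple

# SRX100 exposes fe-0/0/0..fe-0/0/7, the SRX300 exposes ge-0/0/0..ge-0/0/7.
# Assumption: a one-to-one port mapping is wanted; edit PORT_MAP otherwise.
PORT_MAP = {f"fe-0/0/{n}": f"ge-0/0/{n}" for n in range(8)}
IFACE_RE = re.compile(r"\bfe-0/0/\d+\b")

# Statements whose syntax changed with ELS: 'port-mode' became
# 'interface-mode', the 'vlan' IFD and 'vlan.N' IFLs became 'irb'/'irb.N',
# and the 'ethernet-switching-options' hierarchy was reorganised.
LEGACY_L2_PATTERNS = [
    re.compile(r"\bport-mode\b"),
    re.compile(r"\binterfaces vlan\b"),
    re.compile(r"\bvlan\.\d+\b"),
    re.compile(r"\bethernet-switching-options\b"),
]


def rename_interfaces(line: str) -> str:
    """Replace every fe-0/0/N token on the line with its ge-0/0/N counterpart."""
    return IFACE_RE.sub(lambda m: PORT_MAP.get(m.group(0), m.group(0)), line)


def migrate(config_text: str) -> Tuple[List[str], List[str]]:
    """
    Return (migrated, review). Every non-empty line is renamed; lines that
    still carry legacy layer-2 syntax after renaming are also listed in
    'review' so nobody commits them unchanged on the new box.
    """
    migrated, review = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        new = rename_interfaces(line)
        migrated.append(new)
        if any(p.search(new) for p in LEGACY_L2_PATTERNS):
            review.append(new)
    return migrated, review


# Constructed SRX100-style snippet: one routed WAN port, one switched LAN
# port in VLAN 'trust' with a legacy vlan.10 RVI, and the zone bindings.
SAMPLE_CONFIG = """
set interfaces fe-0/0/0 unit 0 family inet address 203.0.113.2/30
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members trust
set interfaces vlan unit 10 family inet address 192.0.2.1/24
set vlans trust vlan-id 10
set vlans trust l3-interface vlan.10
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone trust interfaces vlan.10
"""

if __name__ == "__main__":
    done, todo = migrate(SAMPLE_CONFIG)
    print("# renamed configuration")
    print("\n".join(done))
    print("\n# lines needing manual ELS conversion")
    print("\n".join(todo))
```

The rename is safe to apply blindly because an fe-0/0/N token means the same physical port wherever it appears (interfaces, zones, NAT rule-sets, security policies); the layer-2 lines are only flagged, not rewritten, because the ELS hierarchy is different enough that a regex substitution would produce a configuration that commits but does not switch.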

 

Re: nameserver configuration with Routing-Instance.



Please specify the routing instance under DNS config.

 

root@jsrx# show system name-server
10.215.194.50 routing-instance TEST;

 

Re: Details on the policies hit-count counter?


Hello,

Is there a way to clear a single policy hit count?

The only CLI command I found allows clearing the hit count of all the policies within a given zone-to-zone context.

Thank you for your help.

 

Need assitance with mPIM upgrade for VDSL2 vectoring.


Good evening everyone. 

 

A number of months back, I purchased a second-hand SRX210 with a VDSL2-A mPIM. Now NBN Co. (Australian National Broadband Network) are due to roll out in the next 6-12 months and they provide vectoring with the VDSL2, and I'd like to be as ready as possible before my ADSL2+ connection disappears and we move over to VDSL2.

I have been trying to locate the correct file(s) to enable me to upgrade the VDSL2-A mPIM's firmware from 2.10 to 2.16, which is what I am led to believe is required for vectoring on VDSL2.

 

I have included some system details below.


Now, I have searched high and low to try and locate the correct file but I come up empty-handed. Some posts suggest that the firmware updates should be included with the SRX210's software update file, but I'm not finding that to be true. I also keep finding differences in the naming of the files, with some being 'jfirmware-srxsme.....' and the other 'junos-srxsme....'

I suspect that I NEED the 'jfirmware' files but, for the life of me, I cannot locate them on the Juniper website with the correct or same revision number that I require. The only files I seem to be able to locate and download are the junos-srxsme... files. Am I missing something??

 

Any help in locating the file(s) required to allow me to upgrade the firmware of the VDSL2-A mPIM would be very much appreciated.

 

Thank you in advance.

 

Cheers, Colin.

 

root@XXXXXXXX> show version
Hostname: XXXXXXXX
Model: srx210he2
JUNOS Software Release [12.3X48-D50.6]

root@XXXXXXXX> show system firmware
Part             Type           Tag Current   Available Status
                                    version   version
FPC 1
  PIC 0          VDSLBCM        10  2.10.0              OK
Routing Engine 0 RE BIOS        0   2.8       2.8       OK
Routing Engine 0 RE BIOS Backup 1   2.8       2.8       OK

root@XXXXXXXX> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                XXXXXXXXXXXX      SRX210HE2
Routing Engine   REV 06   750-048672   ACLG3448          RE-SRX210HE2
FPC 0                                                    FPC
  PIC 0                                                  2x GE, 6x FE, 1x 3G
FPC 1            REV 19   750-025184   ACLN4438          FPC
  PIC 0                                                  1x VDSL2 Annex A
Power Supply 0

Problem Dynamic VPN. Correctly connected, Correctly policy and NAT but, NO able to reach private net.


Hi,

last week I configured one dynamic VPN profile for VPN client access.

It was working perfectly, but after one weekend of changes I came back to reconnect to the VPN from a remote location and found that VPN clients are no longer able to connect to internal resources.

In the specific:

1) Pulse is connected correctly

2) Connecting to internal resources is not working.

 

Extract of the configuration:

set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group user vpn123
set access profile remote_access_profile client test123 firewall-user password "$9$Lyoxdb4aUji.hSlvW8dV/9A0IcLX-w2aFnRSeWN-4oJGjq/9pOBE"
set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.0.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range d-range low 172.16.0.150
set access address-assignment pool dyn-vpn-address-pool family inet range d-range high 172.16.0.200
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 10.20.20.100/32
set access firewall-authentication pass-through default-profile remote_access_profile
set access firewall-authentication web-authentication default-profile remote_access_profile
set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 from zone CONTACT-INSIDE
set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 to zone INTERNET
set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 rule NO_NAT-VPN_Client match source-address-name vpn-clinet_net
set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 rule NO_NAT-VPN_Client match destination-address-name HQ_net
set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 rule NO_NAT-VPN_Client then source-nat off
set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin match source-address any
set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin match destination-address any
set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin match application any
set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin then permit tunnel ipsec-vpn wizard_dyn_vpn
set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin then log session-close
set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin then count

Maybe more relevant (but I didn't find anything specific) is the debug trace log:

Apr 27 11:48:52 11:48:52.496206:CID-0:RT:jsf sess close notify

Apr 27 11:48:52 11:48:52.496206:CID-0:RT:flow_ipv4_del_flow: sess 7775, in hash 32

Apr 27 11:48:52 11:48:52.496206:CID-0:RT:flow_ipv4_del_flow: sess 7775, in hash 32

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:<172.16.0.165/33539->10.10.10.254/1;1> matched filter filter1:

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:packet [60] ipid = 17960, @0x43e77e5a

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x43e77c00, rtbl_idx = 0

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow process pak, mbuf 0x43e77c00, ifl 0, ctxt_type 1 inq type 6

Apr 27 11:48:53 11:48:53.820725:CID-0:RT: in_ifp <junos-host:.local..0>

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x67099470

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:host inq check inq_type 0x6

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:tifp NULL

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:pkt out of tunnel.Proceed normally

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  pp0.0:172.16.0.165->10.10.10.254, icmp, (8/0)

Apr 27 11:48:53 11:48:53.820725:CID-0:RT: find flow: table 0x5db6db28, hash 39479(0xffff), sa 172.16.0.165, da 10.10.10.254, sp 33539, dp 1, proto 1, tok 16395

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  no session found, start first path. in_tunnel - 0x6027cdf8, from_cp_flag - 0

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_create_session

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:First path alloc and instl pending session, natp=0x600ae428, id=5614

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_in_dst_nat: in <pp0.0>, out <N/A> dst_adr 10.10.10.254, sp 33539, dp 1

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  chose interface pp0.0 as incoming nat if.

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.254(1)

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_routing: vr_id 4, call flow_route_lookup(): src_ip 172.16.0.165, x_dst_ip 10.10.10.254, in ifp pp0.0, out ifp N/A sp 33539, dp 1, ip_proto 1, tos 0

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Doing DESTINATION addr route-lookup

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_ipv4_rt_lkup success 10.10.10.254, iifl 0x55, oifl 0x46

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  routed (x_dst_ip 10.10.10.254) from INTERNET (pp0.0 in 0) to vlan.10, Next-hop: 10.10.10.254

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_policy_search: policy search from zone INTERNET-> zone CONTACT-INSIDE (0x0,0x83030001,0x1)

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Policy lkup: vsys 0 zone(11:INTERNET) -> zone(6:CONTACT-INSIDE) scope:0

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:             172.16.0.165/2048 -> 10.10.10.254/51799 proto 1

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  app 0, timeout 60s, curr ageout 60s

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  permitted by policy VPN_Admin(41)

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  packet passed, Permitted by policy.

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate:  incoming src port is : 33539.

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 4/0, pst_nat: False.

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  dip id = 0/0, 172.16.0.165/33539->172.16.0.165/33539 protocol 0

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  choose interface vlan.10(P2P) as outgoing phy if

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.10, addr: 10.10.10.254, rtt_idx:4

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:-jsf : Alloc sess plugin info for session 4294972910

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0

Apr 27 11:48:53 11:48:53.820725:CID-0:RT: Allocating plugin info block for plugin(6)

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF] set ext handle 0x562a62a0 for plugin 6 on session 4294972910

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]Plugins(0x40, count 1) enabled for session = 4294972910, impli mask(0x0), post_nat cnt 0 svc req(0x5)

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]c2s order list:

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:               6

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]s2c order list:

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:               6

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_service_lookup(): natp(0x600ae428): app_id, 0(0).

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  service lookup identified service 0.

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_final_check: in <pp0.0>, out <vlan.10>

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:In flow_first_complete_session

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_complete_session, pak_ptr: 0x5c4f9e40, nsp: 0x600ae428, in_tunnel: 0x6027cdf8

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:construct v4 vector for nsp2

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  existing vector list 0x8284-0x5611b168.

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  Session (id:5614) created for first pak 8284

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:first pak processing successful

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_install_session======> 0x600ae428

Apr 27 11:48:53 11:48:53.820725:CID-0:RT: nsp 0x600ae428, nsp2 0x600ae4b8

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  make_nsp_ready_no_resolve()

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  reverse route is optional

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Doing jsf sess create notify

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:-jsf create notify: plugin id  6. rc 3

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_do_jsf_notify_session_creation(): natp(0x600ae428): 0 SHORT_CIRCUITED: 0x00000000.

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:no need update ha

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Installing s2c NP session wing

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:first path session installation succeeded

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow got session.

Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow session id 5614

Apr 27 11:48:53 11:48:53.820725:CID-0:RT: vector bits 0x8284 vector 0x5611b168

Apr 27 11:48:53 11:48:53.820725:CID-0:RT: ****jsf svc chain: sess id 5614, dir 1, nat_done 0, pak pid 0, first pid 6

Apr 27 11:48:53 11:48:53.820725:CID-0:RT: plugin name junos-jdpi. action JSF_SESSION_ACTION_NONE, stbuf 0x0

Apr 27 11:48:53 11:48:53.820725:CID-0:RT: jsf sess id ignore. sess 5614, pid 6, dir 1, st_buf 0x0.

Apr 27 11:48:54 11:48:53.820725:CID-0:RT: jsf sess id ignore. sess 5614, pid 6, dir 2, st_buf 0x0.

Apr 27 11:48:54 11:48:53.820725:CID-0:RT:All plugins have ignored session :5614

Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  existing vector list 0x8204-0x5611b1c8.

Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  existing vector list 0x8204-0x5611b1c8.

Apr 27 11:48:54 11:48:53.820725:CID-0:RT:PKT-PROC for plugin junos-jdpi jbuf 0x608d6b50, sess jsf flags 0x0, rc 0

Apr 27 11:48:54 11:48:53.820725:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  encap vector

Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  no more encapping needed

Apr 27 11:48:54 11:48:53.820725:CID-0:RT:mbuf 0x43e77c00, exit nh 0x110010

Apr 27 11:48:54 11:48:53.820725:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x5c4f9e40 associated with mbuf 0x43e77c00

Apr 27 11:48:54 11:48:53.820725:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Apr 27 11:48:54 11:48:53.825226:CID-0:RT:<10.10.10.254/1->172.16.0.165/33539;1> matched filter filter2:

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:packet [60] ipid = 40725, @0x43e8a79a

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e8a580, rtbl_idx = 4

Apr 27 11:48:54 11:48:53.825226:CID-0:RT: flow process pak fast ifl 70 in_ifp vlan.10

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  vlan.10:10.10.10.254->172.16.0.165, icmp, (0/0)

Apr 27 11:48:54 11:48:53.825226:CID-0:RT: find flow: table 0x5db6db28, hash 11247(0xffff), sa 10.10.10.254, da 172.16.0.165, sp 1, dp 33539, proto 1, tok 16390

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:Found: session id 0x15ee. sess tok 16390

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow got session.

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow session id 5614

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:no fto but skip rerouting since route is optional

Apr 27 11:48:54 11:48:53.825226:CID-0:RT: vector bits 0x8204 vector 0x5611b1c8

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:ttl vector, out_tunnel = 0x6027cdf8

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:pre-frag not needed: ipsize: 60, mtu: 1422, nsp2->pmtu: 1422

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  encap vector

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  going into tunnel 67108881 (nsp_tunnel=0x6027cdf8).

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow_encrypt: tun 0x6027cdf8, type 1

Apr 27 11:48:54 11:48:53.825226:CID-0:RT:lpak_init: lpak 0x5c775d18, paksize 60, machdr 0x0, iphdr 0x43e8a79a

Apr 27 11:48:54 11:48:53.825226:CID-0:RT: ----- flow_process_pkt rc 0x11 (fp rc 0)

Any suggestion for solving this problem?

 

Many regards
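An added worked example for reading a flow trace like the one above; it is not from the thread and not a Juniper tool. It reduces a 'security flow' trace to one summary per packet so the questions that matter here (which zone pair and policy matched, whether source NAT was applied, whether the reply was handed back into the IPsec tunnel) can be answered without reading every line. The regexes target the line formats visible in the trace above; the wording of the deny line is an assumption, and the sample trace is a constructed excerpt of the lines the summariser keys on.

```python
"""
Added example (not part of the original post, not a Juniper tool): reduce
a 'security flow' trace to one summary per packet. The regexes follow the
line formats visible in the post above; the 'denied by policy' wording is
assumed. The sample trace is a constructed excerpt of those lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PKT_RE = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sp>\d+)->(?P<dst>[\d.]+)/(?P<dp>\d+);(?P<proto>\d+)>"
    r" matched filter (?P<filt>\w+)")
ROUTE_RE = re.compile(
    r"routed \(x_dst_ip [\d.]+\) from (?P<fz>\S+) \((?P<iif>\S+) in \d+\)"
    r" to (?P<oif>[\w./-]+), Next-hop: (?P<nh>[\d.]+)")
POLICY_RE = re.compile(r"(?P<verdict>permitted|denied) by policy (?P<pol>\S+?)\(\d+\)")
XLATE_RE = re.compile(r"nat_src_xlated: (?P<x>True|False)")
SNAT_RE = re.compile(r"src nat returns status: \d+, rule/pool id: (?P<rule>\d+)/(?P<pool>\d+)")
NEW_SESS_RE = re.compile(r"Session \(id:(?P<id>\d+)\) created")
OLD_SESS_RE = re.compile(r"Found: session id (?P<id>0x[0-9a-f]+)")
TUNNEL_RE = re.compile(r"going into tunnel (?P<tid>\d+)")


@dataclass
class PacketSummary:
    flow: str                 # src:sport->dst:dport/proto
    filter: str
    from_zone: str = ""
    in_if: str = ""
    out_if: str = ""
    next_hop: str = ""
    policy: str = ""
    verdict: str = "unknown"  # permit | deny | existing-session | unknown
    src_nat_rule: str = ""    # "rule/pool" exactly as the SRX prints it
    src_nat_applied: Optional[bool] = None
    session: int = 0          # decimal on first path, hex on fast path
    encrypted: bool = False   # reply handed to an IPsec tunnel


def summarize(trace: str) -> List[PacketSummary]:
    """One PacketSummary per 'matched filter' line, in trace order."""
    packets: List[PacketSummary] = []
    cur = None
    for line in trace.splitlines():
        body = line.split(":RT:", 1)[-1]
        if m := PKT_RE.search(body):
            cur = PacketSummary(
                flow=f"{m['src']}:{m['sp']}->{m['dst']}:{m['dp']}/{m['proto']}",
                filter=m["filt"])
            packets.append(cur)
            continue
        if cur is None:
            continue
        if m := ROUTE_RE.search(body):
            cur.from_zone, cur.in_if = m["fz"], m["iif"]
            cur.out_if, cur.next_hop = m["oif"], m["nh"]
        elif m := POLICY_RE.search(body):
            cur.policy = m["pol"]
            cur.verdict = "permit" if m["verdict"] == "permitted" else "deny"
        elif m := XLATE_RE.search(body):
            cur.src_nat_applied = m["x"] == "True"
        elif m := SNAT_RE.search(body):
            cur.src_nat_rule = f"{m['rule']}/{m['pool']}"
        elif m := NEW_SESS_RE.search(body):
            cur.session = int(m["id"])
        elif m := OLD_SESS_RE.search(body):
            cur.session = int(m["id"], 16)   # 0x15ee is session 5614
            cur.verdict = "existing-session"
        elif TUNNEL_RE.search(body):
            cur.encrypted = True
    return packets


# Constructed excerpt in the format of the trace above: the client's ICMP
# echo on the first path and the server's reply on the fast path.
SAMPLE_TRACE = """\
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:<172.16.0.165/33539->10.10.10.254/1;1> matched filter filter1:
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  no session found, start first path. in_tunnel - 0x6027cdf8, from_cp_flag - 0
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  routed (x_dst_ip 10.10.10.254) from INTERNET (pp0.0 in 0) to vlan.10, Next-hop: 10.10.10.254
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  permitted by policy VPN_Admin(41)
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 4/0, pst_nat: False.
Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  Session (id:5614) created for first pak 8284
Apr 27 11:48:54 11:48:53.825226:CID-0:RT:<10.10.10.254/1->172.16.0.165/33539;1> matched filter filter2:
Apr 27 11:48:54 11:48:53.825226:CID-0:RT:Found: session id 0x15ee. sess tok 16390
Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  going into tunnel 67108881 (nsp_tunnel=0x6027cdf8).
"""

if __name__ == "__main__":
    for p in summarize(SAMPLE_TRACE):
        print(p)
```

Run against the trace in the post, the summary shows the SRX doing everything it was asked to: the echo from pp0.0 is routed to vlan.10, permitted by VPN_Admin, not source-translated (rule 4 is the source-nat off rule, nat_src_xlated False), and the reply hits the same session and is encrypted back into the tunnel. When a trace reads like that, the fault is on the client side, which is what the follow-up below confirms.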

Re: Problem Dynamic VPN. Correctly connected, Correctly policy and NAT but, NO able to reach private net.


UPDATE:

Unbelievable, but something was wrong on my Windows machine or the Pulse Secure VPN client!

I used another PC with the same Pulse Secure version and it's working correctly!! (Obviously the same configuration on the SRX.)

I uninstalled and re-installed the software on my client and the VPN started working once again!!!

 

Then, in case it's happening to you too... troubleshoot the Pulse client first ;-)

 

Bye

srx 300 2 vlans from ISP


Hi,

 

I'm new to the Juniper world. I have an SRX300 that has to connect to my ISP. They give me 2 VLANs: one tagged VLAN (VLAN tag 555) for TV, which I have to bridge to some LAN port, and one untagged for internet. And I have to get an IP via DHCP. I don't know how to set up a DHCP client on the native VLAN. My SRX version is 15.1X49-D120.3.

Re: fxp0 and reth in the same subnet


Hi Suraj,

Thanks for your help. It makes perfect sense. I will try and revert.

 

Basically I have to move all the user-traffic interfaces into a new virtual-router instance and then also move all the routing-related config (in my case just the default route) into this new instance, right?

 

Kind regards,

 

Miguel

Re: srx 300 2 vlans from ISP


Off the top of my head, written in Notepad, not validated:

set vlans vlan555 description TV
set vlans vlan555 vlan-id 555
set vlans vlan111 description INTERNET
set vlans vlan111 vlan-id 111
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 native-vlan-id 111
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ vlan111 vlan555 ]
set vlans vlan111 l3-interface irb.111
set interfaces irb unit 111 family inet dhcp

Regards, Wojtek

Re: Console/vty login session inactivity timeout


Hi 

I have configured 10+ local users on my device as "super-user".

 

If I want to set the CLI idle timeout to 10 mins for all the users then I should create another user class called "super-class-local", define idle-timeout to 10, then set permissions to "all"...

 

If I do this then the "super-class-local" class will be equivalent to the "super-user" class??? The users' operation/function will not be affected, right?

SRX VPN tunnel go down and wont recover till I manual remove the secondary IP and commit


hi all,

I have an SRX240H2 cluster on one side with 2 DPD external IPs configured (the other side has 2x SRX220 in a regular configuration).

Hostname: SRX-RED
Model: srx240h2
JUNOS Software Release [12.1X44-D35.5]

 

 

admin@SRX240> show security monitoring fpc 0
node0:
--------------------------------------------------------------------------
FPC 0
PIC 0
CPU utilization : 41 %
Memory utilization : 66 %
Current flow session : 5038
Current flow session IPv4: 4294796042
Current flow session IPv6: 176292
Max flow session : 409600
Total Session Creation Per Second (for last 96 seconds on average): 1114
IPv4 Session Creation Per Second (for last 96 seconds on average): 1114
IPv6 Session Creation Per Second (for last 96 seconds on average): 0

node1:
--------------------------------------------------------------------------
FPC 0
PIC 0
CPU utilization : 0 %
Memory utilization : 65 %
Current flow session : 87
Current flow session IPv4: 87
Current flow session IPv6: 0
Max flow session : 409600
Total Session Creation Per Second (for last 96 seconds on average): 0
IPv4 Session Creation Per Second (for last 96 seconds on average): 0
IPv6 Session Creation Per Second (for last 96 seconds on average): 0

{primary:node0}
admin@SRX240>

 

Sometimes multiple VPNs go down at the same time; they stop using the primary IP (primary SRX) and try to use the second IP (secondary SRX). (The second SRX has 0.0.0.0/0 discard until it becomes the VRRP master, so it will never initiate a VPN with the SRX240 without being the master.)

With this being said, you now know why, when DPD tries to use the secondary SRX, it will never succeed.

My question is why this happens in the first place:

1. The first SRX is up and active, so why does the SRX240 try to jump to the second SRX?

2. Why doesn't DPD try the first SRX again after a couple of failed retries with the second SRX?

 

I'm unable to find good documentation for this; I will appreciate any help on this.

 

regards,

 

 

 

Re: SRX VPN tunnel go down and wont recover till I manual remove the secondary IP and commit


I'm confused by the description.  Are the SRX in an HA cluster?

If so why is vrrp configured between the two nodes of a cluster?

 

Or is the VRRP between something else?

 

Typically a cluster has its own failover mechanisms and would not be using vrrp between the nodes.

 

Management Access to SRX cluster flapping between primary and secondary


Hello Experts,

 

I have noticed that the management SSH access is flapping between the primary and secondary node every minute.

 

{primary:node0}
root@FW-01> Write failed: Broken pipe
[user@sys ~]$ ssh root@10.10.10.10.10
Password:
--- JUNOS 15.1X49-D60.7 built 2016-09-13 23:16:14 UTC
root@FW-01% cli
{secondary:node1}
root@FW-01> 

I am wondering why this is happening.

root@FW-01> show chassis cluster status 
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring              
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 2
node0  255      primary        no      yes      None           
node1  1        secondary      no      yes      None           

Redundancy group: 1 , Failover count: 1
node0  0        secondary      yes     no       IF             
node1  0        primary        yes     no       IF             

Redundancy group: 2 , Failover count: 0
node0  254      primary        yes     no       None           
node1  1        secondary      yes     no       None           

Redundancy group: 3 , Failover count: 0
node0  254      primary        yes     no       None           
node1  1        secondary      yes     no       None           

{secondary:node1}
root@FW-01> 

Is there any chance it's related to this error?

Apr 29 14:06:40  FW-01 /kernel: KERN_ARP_DUPLICATE_ADDR: duplicate IP address 10.10.10.10! sent from address: 44:f4:77:41:5d:1a (error count = 380)
Apr 29 14:29:10  FW-01 /kernel: KERN_ARP_DUPLICATE_ADDR: duplicate IP address 10.10.10.10! sent from address: 44:f4:77:41:5d:1a (error count = 381)
Apr 29 14:44:38  FW-01 /kernel: KERN_ARP_DUPLICATE_ADDR: duplicate IP address 10.10.10.10! sent from address: 44:f4:77:41:5d:1a (error count = 382)

How can I avoid both primary and secondary claiming this address?
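An added worked example for the outputs in this post; it is not from the thread and not a Juniper tool. It parses 'show chassis cluster status' and KERN_ARP_DUPLICATE_ADDR syslog lines and lists the conditions that would explain a management session bouncing between nodes: redundancy-group primaries split across the two nodes, monitor failures with the priority driven to 0, and an address claimed by more than one MAC. The sample texts are constructed copies of the outputs above, and the ARP-line regex assumes the format shown there.

```python
"""
Added example (not part of the original post, not a Juniper tool): parse
'show chassis cluster status' output and KERN_ARP_DUPLICATE_ADDR syslog
lines and list what stands out. Sample texts are constructed copies of
the outputs in the post above; the ARP-line regex assumes that format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

RG_RE = re.compile(r"Redundancy group: (\d+) , Failover count: (\d+)")
NODE_RE = re.compile(r"^(node\d)\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)")
DUP_RE = re.compile(
    r"KERN_ARP_DUPLICATE_ADDR: duplicate IP address ([\d.]+)! "
    r"sent from address: ([0-9a-f:]{17})")


def parse_cluster_status(text: str) -> Dict[int, dict]:
    """Map redundancy-group id -> {'failover_count', 'nodes': {node: fields}}."""
    groups: Dict[int, dict] = {}
    rg = None
    for line in text.splitlines():
        if m := RG_RE.search(line):
            rg = int(m.group(1))
            groups[rg] = {"failover_count": int(m.group(2)), "nodes": {}}
        elif (m := NODE_RE.match(line.strip())) and rg is not None:
            node, prio, status, preempt, manual, fails = m.groups()
            groups[rg]["nodes"][node] = {
                "priority": int(prio),
                "status": status,
                "preempt": preempt == "yes",
                "manual": manual == "yes",
                # 'None' means no monitor failure; otherwise codes such as IF
                "failures": [] if fails == "None" else fails.split(","),
            }
    return groups


def parse_duplicate_ip(text: str) -> Dict[str, Set[str]]:
    """Map each IP reported as duplicated -> set of MACs that claimed it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        if m := DUP_RE.search(line):
            seen[m.group(1)].add(m.group(2))
    return dict(seen)


def findings(status_text: str, syslog_text: str) -> List[str]:
    """Human-readable list of things worth fixing; empty if nothing stands out."""
    out: List[str] = []
    groups = parse_cluster_status(status_text)
    primaries = {
        rg: next((n for n, d in g["nodes"].items() if d["status"] == "primary"), None)
        for rg, g in groups.items()
    }
    if len(set(primaries.values())) > 1:
        out.append("primaries split across nodes: " +
                   ", ".join(f"RG{rg}={n}" for rg, n in sorted(primaries.items())))
    for rg, g in sorted(groups.items()):
        for node, d in g["nodes"].items():
            if d["failures"]:
                out.append(f"RG{rg} {node}: monitor failure {','.join(d['failures'])}"
                           f" (priority {d['priority']})")
        # a failed interface monitor drops that node's priority for the RG to 0;
        # both nodes at 0 means neither is clean to hold the group
        if g["nodes"] and all(d["priority"] == 0 for d in g["nodes"].values()):
            out.append(f"RG{rg}: every node at priority 0")
    for ip, macs in sorted(parse_duplicate_ip(syslog_text).items()):
        out.append(f"duplicate IP {ip} claimed by {', '.join(sorted(macs))}")
    return out


# Constructed copies of the outputs in the post (RG2/RG3 omitted, they are clean).
SAMPLE_STATUS = """\
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 2
node0  255      primary        no      yes      None
node1  1        secondary      no      yes      None

Redundancy group: 1 , Failover count: 1
node0  0        secondary      yes     no       IF
node1  0        primary        yes     no       IF
"""
SAMPLE_SYSLOG = """\
Apr 29 14:06:40  FW-01 /kernel: KERN_ARP_DUPLICATE_ADDR: duplicate IP address 10.10.10.10! sent from address: 44:f4:77:41:5d:1a (error count = 380)
Apr 29 14:29:10  FW-01 /kernel: KERN_ARP_DUPLICATE_ADDR: duplicate IP address 10.10.10.10! sent from address: 44:f4:77:41:5d:1a (error count = 381)
"""

if __name__ == "__main__":
    for f in findings(SAMPLE_STATUS, SAMPLE_SYSLOG):
        print(f)
```

On the outputs above this reports RG0 primary on node0 but RG1 primary on node1, both nodes of RG1 at priority 0 with an IF monitor failure, and 10.10.10.10 being claimed by a second MAC. Fix the interface monitor first; with RG1 clean and preempt enabled the data plane settles on one node, and the duplicate-address log then tells you whether the management address is still being answered from somewhere it should not be.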

Port Unreachable on the SRX chassis cluster


Hi all,

There is a warning from our SNMP monitoring tool. From its log:

The warning is Port Unreachable: SRX-Chassis-01 [ reth0.0 ] reth0.0 (X.Y.Z.W) ------> X.Y.Z.W is an IP address

 

{primary:node0}
SRX-Chassis-01> show interfaces terse | match reth0
ge-2/3/9.0              up    up   aenet    --> reth0.0
ge-5/3/9.0              up    up   aenet    --> reth0.0
reth0                   up    up
reth0.0                 up    up   inet     X.Y.Z.W/24

{primary:node0}
SRX-Chassis-01>

 

Does anyone have an idea why this warning is being generated repeatedly by the SNMP server while reth0.0 is up/up, and where to start troubleshooting?

Many Thanks

 
