Thanks for the update. Seems a strange physical problem, then; it would have been a long time before I guessed that.
You can specify a source address for the flow records to be sent from. That is step four in this outline.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16677
Thank you for your reply. Below are the commands with output you requested. I did notice that the sh route terse command didn't include any subnets for the tunnel I'm trying to build - it would be a 172.x.x.x subnet.
NS-ADMIN@NAWEPRLHVP00z# run show security ipsec next-hop-tunnels
node1:
--------------------------------------------------------------------------
Next-hop gateway interface IPSec VPN name Flag IKE-ID XAUTH username
172.31.128.11 st0.1 JAXS Static 138.162.72.44 Not-Available
NS-ADMIN@NAWEPRLHVP00z> show security ipsec statistics index 131090
node0:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
node1:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 6640736
Decrypted bytes: 3156848
Encrypted packets: 69171
Decrypted packets: 70273
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
show route terse | match st0
* ? 192.168.50.0/24 D 0 >st0.1
* ? 192.168.100.0/24 D 0 >st0.20
* ? 192.168.100.0/24 D 0 >st0.20
* ? 192.168.250.0/24 D 0 >st0.250
* ? 192.168.160.0/24 D 0 >st0.160
* ? 192.168.150.0/24 D 0 >st0.150
show security flow session destination-prefix 138.162.72.44
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Total sessions: 0
Flow Sessions on FPC0 PIC2:
Total sessions: 0
Flow Sessions on FPC0 PIC3:
Total sessions: 0
node1:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Total sessions: 0
Flow Sessions on FPC0 PIC2:
Total sessions: 0
Flow Sessions on FPC0 PIC3:
Total sessions: 0
{primary:node1}
NS-ADMIN@NAWEPRLHVP00z> show security flow session destination-prefix 172.31.128.11
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Total sessions: 0
Flow Sessions on FPC0 PIC2:
Total sessions: 0
Flow Sessions on FPC0 PIC3:
Total sessions: 0
node1:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Total sessions: 0
Flow Sessions on FPC0 PIC2:
Total sessions: 0
Flow Sessions on FPC0 PIC3:
Hey Team,
Topology:
Spoke A ------------ipsec tunnel-------------Hub-------------ipsec tunnel------------Spoke B
Scenario: Migration from SSG to SRX
When sending traffic from Spoke A to the Spoke B LAN side, there is packet loss between 10-20% over the VPN. No packet loss is observed when pinging the Hub side using the MPLS addresses on which the IPsec VPN runs. Route-based VPN.
All three devices are SRXes.
Spoke A:
PING 172.24.11.33 (172.24.11.33): 56 data bytes
64 bytes from 172.24.11.33: icmp_seq=2 ttl=252 time=69.842 ms
64 bytes from 172.24.11.33: icmp_seq=3 ttl=252 time=60.986 ms
64 bytes from 172.24.11.33: icmp_seq=6 ttl=252 time=59.521 ms << seq 4 and 5 never made it.
On Hub side:
I see three being processed in traces:
May 16 03:26:23 03:26:23.381298:CID-01:FPC-01:PIC-00:THREAD_ID-26:RT:<172.24.8.93/3->172.24.11.33/3712;1> matched filter pf1:
May 16 03:26:23 03:26:23.381341:CID-01:FPC-01:PIC-00:THREAD_ID-26:RT:packet [84] ipid = 35815, @0xf8cbc914
but then traces move to seq 6:
May 16 03:26:26 03:26:26.384147:CID-01:FPC-01:PIC-00:THREAD_ID-10:RT:<172.24.8.93/6->172.24.11.33/3712;1> matched filter pf1:
May 16 03:26:26 03:26:26.384182:CID-01:FPC-01:PIC-00:THREAD_ID-10:RT:packet [84] ipid = 35846, @0xfc31f114
===============
Also, policy denied counters were increasing consistently on the hub side when SRX devices were being used on the spoke side instead of the SSG from which we migrated during the window:
run show interfaces st0.28 statistics detail | match policy
Bytes permitted by policy : 152998034129
Bytes permitted by policy : 170287121600
Policy denied: 24433
run show interfaces st0.28 statistics detail | match policy
Bytes permitted by policy : 152998051349
Bytes permitted by policy : 170287132067
Policy denied: 24436
But nothing in the policies which would drop the traffic.
=======================================
Spoke B is communicating fine with other Spokes and no packet loss.
=======================================
When the change is rolled back on the Spoke A side, not to use SRX and go back to SSG, there is no more packet loss and those counters don't increase any more. To roll back: move the cables, disable/enable interfaces and update VPN monitoring on the hub; the rest of the configuration, including st0 interfaces, stays the same on the hub side.
Both Spoke A and Hub are running 12.3X48 D 50.6, which is standard across all the devices.
Any help would be really appreciated.
Hi, can somebody help me find out whether an SRX345 has the Remote Access VPN Service active? I can't see this license in the output of show system license.
Thanks
Thanks for posting your results. I just got a 320 POE running 15.1X49-D130.6 that is used as a branch office, and it's running a temp of 66.
If I close the cabinet *not rack mounted* the temp goes up to 70C. I have not seen any issues as of yet.
Another thing I noticed: my temperature-thresholds have different values.
show chassis environment
Class Item Status Measurement
Temp Routing Engine OK 45 degrees C / 113 degrees F
Routing Engine CPU OK 66 degrees C / 150 degrees F
Fans SRX320 Chassis fan 0 OK Spinning at normal speed
SRX320 Chassis fan 1 OK Spinning at normal speed
Power Power Supply 0 OK
show chassis temperature-thresholds
Fan speed Yellow alarm Red alarm Fire Shutdown
(degrees C) (degrees C) (degrees C) (degrees C)
Item Normal High Normal Bad fan Normal Bad fan Normal
Chassis default 45 55 60 50 70 60 90
Routing Engine 45 55 60 50 70 60 90
show chassis fan
Item Status RPM Measurement
SRX320 Chassis fan 0 OK 3720 Spinning at normal speed
SRX320 Chassis fan 1 OK 3720 Spinning at normal speed
I have a number of remote Juniper SRX sites that connect back to a data center. At the data center there are two Cisco routers. The SRX is configured with IPSec tunnels to both routers. OSPF is being used as the IGP. The goal is to have the remote SRX use the primary tunnel unless it is down, if it is it should use the secondary tunnel. What appears to be happening is that the SRX will just get stuck on one or the other. It will failover but if tunnel 1 comes back up, it won't switch back over to that tunnel, it will instead stay on number 2.
I figured that by using OSPF metrics I could direct which tunnel to use but that doesn't seem to work. What is the best method to achieve this? Should I use some kind of tracking mechanism (I'm thinking like Cisco IP SLA type of thing).
Yes, the branch SRX300 series comes with 2 user connect license for dynamic VPN.
https://www.juniper.net/assets/us/en/local/pdf/datasheets/1000550-en.pdf
Hi,
To send the traffic through the tunnel, you should have a route for the remote networks pointed towards the next-hop-tunnel IP. In the same way, the remote site should have a route pointed towards the tunnel for your local networks.
e.g:-
set routing-options static route 172.16.1.0/24 next-hop 172.31.128.11
Remote Network : 172.16.1.0/24
Remote st0 ip: 172.31.128.11
I have two SRX 550 in which the VRRP method of failover is configured. Our client is asking for failover testing to check the setup is working fine.
Can anybody help me with how to perform failover testing? Thanks in advance.
Primary FW Log:
Track route State Cost Interface Group Cfg Run VR State
0.0.0.0/0 up 75 ae0.201 0 200 200 master
Secondary FW Log:
Interface State Group VR state VR Mode Timer Type Address
ae0.201 up 0 backup Active D 3.055 lcl X.X.X.X
vip X.X.X.X
mas X.X.X.X
Hi,
As per the given output, tracking for 0.0.0.0/0 route is enabled for VRRP. Hope this default route is a static one. You can deactivate/remove the static route configuration (commit confirmed <desired time in minute>) and check vrrp master is switched to secondary FW.
Hello
I'm confused whether this is an SRX issue or a Microsoft issue.
We have three networks :
2xLAN: 172.19.224/226
SQL: 172.21.25.10
Between the first two LANs and the SQL are two SRX devices, configured with allow-any policies "temporary" just to debug the issue.
The thing is that RPC is not working fine and is sending an error message.
If I have the SQL server reside on the same LAN "172.19.x.x", it is working just fine.
RPC is not working between LAN "172.19.226.0/24" and SQL 172.21.25.10. But it is working fine from 172.19.224.0/24 to SQL 172.21.25.10.
I've also followed KB23730, but still, the problem exists.
I've captured the flow on PCs from both LANs and this is the only difference:
Not sure what IRemUnknown or IOXIDResolv is ....
Another thing I forgot to mention is that between the two LANs and the SQL server is a GRE tunnel.
admin@SRX550> show route 172.19.224.0
inet.0: 62 destinations, 67 routes (56 active, 0 holddown, 6 hidden)
+ = Active Route, - = Last Active, * = Both
172.19.224.0/24 *[BGP/170] 22:38:47, localpref 600
 AS path: 64513 I
 > to 172.21.255.2 via gr-0/0/0.0
Yep, I had the routes to the tunnel interface networks. Still not able to ping.
Hi Guys
I have one issue, an interesting one; please support.
I have one EX 9208 switch having 16 GB of memory, out of which only 1 GB is used, and the remaining 2 GB is showing in free memory and the remaining memory, around 12 GB, in inactive memory. The ideal process is that memory should stay in free memory, but in my case it is showing in inact memory. Can someone please help me out with it?
Hi!
We're getting occasional panics and are out of thoughts. It started suddenly and we opened an RMA and got a replacement 340. Let me shed some light - before, it was running half a year without a problem. None. It is weird that even the replacement hardware panics every hour. It doesn't matter if I rack it or run it on my desk. Finally it will panic. If more debugging is needed then we're happy to provide it.
Thanks in advance,
A.
JUNOS 15.1X49-D130.6 #0: 2018-03-04 17:25:09 UTC
builder@ralenth.juniper.net:/volume/build/junos/15.1/service/15.1X49-D130.6/obj/octeon/junos/bsd/kernels/JSRXNLE/kernel
real memory = 4294967296 (4194304K bytes)
avail memory = 2621882368 (2500MB)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
Security policy loaded: Junos MAC/veriexec (mac_veriexec)
Security policy loaded: JUNOS MAC/pcap (mac_pcap)
MAC/veriexec fingerprint module loaded: SHA1
MAC/veriexec fingerprint module loaded: SHA256
netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
cpu0 on motherboard
: CAVIUM's OCTEON 70XX/71XX CPU Rev. 0.2 with no FPU implemented
L1 Cache: I size 78kb(128 line), D size 32kb(128 line), thirty two way.
L2 Cache: Size 512kb, 4 way
obio0 on motherboard
uart0: <Octeon-16550 channel 0> on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
set clock 0x58
xhci0: <Cavium Octeon 7xxx xHCI Host Driver> on obio0
usb0: <USB bus for xHCI Controller> on xhci0
usb0: USB revision 3.0
uhub0: vendor 0x0000 XHCI root hub, class 9/0, rev 3.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
xhci1: <Cavium Octeon 7xxx xHCI Host Driver> on obio0
usb1: <USB bus for xHCI Controller> on xhci1
usb1: USB revision 3.0
uhub1: vendor 0x0000 XHCI root hub, class 9/0, rev 3.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
cpld0 on obio0
pcib0: <Cavium on-chip PCIe HOST bridge> on obio0
Disabling Octeon big bar support
pcib0: Initialized controller
pci0: <PCI bus> on pcib0
pci0: <network, ethernet> at device 0.0 (no driver attached)
pci0: <network, ethernet> at device 0.1 (no driver attached)
ahci0: <Cavium Octeon AHCI> on obio0
ahci0: AHCI v1.30 controller with 2 6Gbps ports, PM supported
ata0: <Cavium Octeon AHCI Channel> on ahci0
ata1: <Cavium Octeon AHCI Channel> on ahci0
gblmem0 on obio0
octpkt0: <Octeon RGMII> on obio0
cfi0: <Macronix MX25L64 - 8MB> on obio0
cfi1: <Macronix MX25L64 - 8MB> on obio0
octagl0: <Octeon AGL> on obio0
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
miibus0: <MII bus> on octagl0
brgphy0: <BCM54616S 10/100/1000baseTX PHY> on miibus0
brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
Timecounter "mips" frequency 1600000000 Hz quality 0
Registered AMT tunnel Encap with UDP Tunnel!
Loading Redundant LT driver
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
Kernel thread "wkupdaemon" (pid 53) exited prematurely.
Trying to mount root from ufs:/dev/da0s2a
MFSINIT: Initialising MFSROOT
Process-1 beginning MFSROOT initialization...
Creating MFSROOT...
/dev/md0: 20.0MB (40956 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 5.00MB, 320 blks, 640 inodes.
super-block backups (for fsck -b #) at:
32, 10272, 20512, 30752
Populating MFSROOT...
Creating symlinks...
Setting up mounts...
Continuing boot from MFSROOT...
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md1...
M
WARNING: R/W mount of /cf/var denied. Filesystem is not clean - run fsck
mount: /dev/bo0s3f : Operation not permitted
** /dev/bo0s3f
** Last Mounted on /cf/var
** Phase 1 - Check Blocks and Sizes
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Time and ticks drifted too much, resetting synchronization...
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
panic: Hardware watchdog timeout
cpuid = 0
KDB: stack backtrace:
SP 0: not in kernel
uart_sab82532_class+0x0 (0,0,0,0) ra 0 sz 0
pid 30, process: swi5: cambio
Uptime: 8m14s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
NMI Exception on core:0
Watchdog status, core 0: 0xfffecbffffb
FPA INT Summery: 0x2000000000000
Err EPC: 0x80a6d7dc
Trapframe Register Dump:
zero: 0000000000000000 at: fffffffffffffffe v0: 0000000050c808e5 v1: 0000000022bd85ae
a0: 00000000000186a0 a1: ffffffff80dc06b0 a2: 00000000ffff8010 a3: 0000000000000067
t0: 00000000508008a1 t1: 0000000000000000 t2: ffffffff80011800 t3: 0000000000000800
ta0: 0000000000000000 ta1: 0000000000000001 ta2: 0000000000000000 ta3: 0000000000000000
t8: 0000000023c34600 t9: 000000006f35bed1 s0: 000000000537dace s1: 0000000009896800
s2: 000000001d85aaec s3: ffffffffc6e3a14c s4: ffffffff80a90000 s5: 0000000000000100
s6: 0000000000000001 s7: ffffffffc6ee3000 k0: 00bb3f24808b1101 k1: 0034002000040028
gp: ffffffff80ca2a80 sp: ffffffffeafab5d8 s8: ffffffff80b423cc ra: ffffffff8079a9cc
sr: 0000000050c808e5 mullo: 000000000f023000 mulhi: 0000000019000000
pc: ffffffff8015f7bc cause: 0000000040008408 badvaddr: ffffffffc6efa0dc
ErrPC: 0000000000000840
Current ticks/softticks 492920/10854, curproc [30] swi5: cambio
Core0: CacheErr(I/D: current: 0x2000000000000000/0xffffffffffff0000)
PCPU dump:
cpuid = 0
curthread = 0xc6ee3000: pid 30 "swi5: cambio"
ipis = 0x0
cpuid = 1
curthread = 0xc6e61000: pid 20 "idle: cpu1"
ipis = 0x0
cpuid = 2
curthread = 0xc6e5dc60: pid 19 "idle: cpu2"
ipis = 0x0
cpuid = 3
curthread = 0xc6e5da50: pid 18 "idle: cpu3"
ipis = 0x0
cpuid = 4
curthread = none
ipis = 0x0
cpuid = 5
curthread = none
ipis = 0x0
cpuid = 6
curthread = none
ipis = 0x0
cpuid = 7
curthread = none
ipis = 0x0
cpuid = 8
curthread = none
ipis = 0x0
cpuid = 9
curthread = none
ipis = 0x0
cpuid = 10
curthread = none
ipis = 0x0
cpuid = 11
curthread = none
ipis = 0x0
Memory dump of 1024 words starting at 0x80000000
Stack trace:
R4K_GetCOUNT+0xc (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x8079a9cc sz 0
DELAY+0x54 (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x801dc318 sz 32
shutdown_panic+0x54 (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x801dd608 sz 32
boot+0x7a4 (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x801ddee4 sz 48
panic+0x580 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x807b43b4 sz 64
panic_on_watchdog_timeout+0x78 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x807da754 sz 32
re_srxsme_watchdog_intr+0x158 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x8078aaac sz 24
mips_handle_this_interrupt+0x8c (0x186a0,0x1,0x80010700,0x508008a1) ra 0x8078ab38 sz 40
mips_handle_interrupts+0x58 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x8078af5c sz 48
mips_interrupt+0x224 (0x186a0,0x1,0x80010700,0x508008a1) ra 0x80a6ed14 sz 32
MipsKernIntr+0x140 (0x1,0,0x80a8969c,0xd5) ra 0x80121e84 sz 368
dadone+0x1a8 (0x1,0,0x80a8969c,0xd5) ra 0 sz 776
pid 30, process: swi5: cambio
Resetting the system now...
cpu_reset: Stopping other CPUs
timeout stopping cpus
SPI stage 1 bootloader (Build time: Dec 9 2017 - 13:45:17)
U-Boot 2013.07-JNPR-3.5 (Build time: Dec 09 2017 - 13:45:17)
SRX_340 board revision major:1, minor:13, serial #: CY5016AF0253
OCTEON CN7130-AAP pass 1.2, Core clock: 1600 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10fc00000, size: 0x400000
DRAM: 4 GiB
Clearing DRAM...... done
Using default environment
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Found valid SPI bootloader at offset: 0x80000, size: 1377808 bytes
U-Boot 2013.07-JNPR-3.5 (Build time: Dec 09 2017 - 13:47:20)
Using DRAM size from environment: 4096 MBytes
SATA0: not available
SATA1: not available
SATA BIST STATUS = 0x0
SRX_340 board revision major:1, minor:13, serial #: CY5016AF0253
OCTEON CN7130-AAP pass 1.2, Core clock: 1600 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10f000000, size: 0x1000000
DRAM: 4 GiB
Clearing DRAM...... done
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
PCIe: Port 0 link active, 1 lanes, speed gen2
PCIe: Link timeout on port 1, probably the slot is empty
PCIe: Port 2 not in PCIe mode, skipping
Net: octrgmii0
octeon_fdt_broadcom_config: Unknown broadcom phy for octrgmii0
Interface 4 has 1 ports (AGL)
Type the command 'usb start' to scan for USB storage devices.
Boot Media: eUSB usb
Found TPM SLB9660 TT 1.2 by Infineon
TPM initialized
Hit any key to stop autoboot: 0
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 1048576 bytes @ 0x200000 Read: OK
## Starting application at 0x8f0000a0 ...
Consoles: U-Boot console
Found compatible API, ver. 3.5
USB1:
Starting the controller
USB XHCI 1.00
scanning bus 1 for devices... 2 USB Device(s) found
USB0:
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
scanning usb for storage devices... 1 Storage Device(s) found
FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.9
(builder@haku.juniper.net, Thu Nov 5 23:17:51 UTC 2015)
Memory: 4096MB
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
[8]Booting from eUSB slice 1
Loading /boot/defaults/loader.conf
/kernel data=0xba0974+0x152ba4 WARN halted endpoint, queueing URB anyway.
Unexpected XHCI event TRB, type: 33, expected: 32, skipping... (0f3a1430 00000001 13000000 01008400)
Error: Mismatch slot ID or index, 0 != 1, field: 0x0, index: 0xffffffff, expect 0x0
Warning: transfer comp code 0x0 != 0x1a (COMP_STOP)
BUG: failure at xhci-ring.c:589/abort_td()!
BUG!
With stock factory default configuration ....
root# usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
panic: Hardware watchdog timeout
cpuid = 0
KDB: stack backtrace:
SP 0: not in kernel
uart_sab82532_class+0x0 (0,0,0,0) ra 0 sz 0
pid 30, process: swi5: cambio
Uptime: 1h0m44s
Dumping 340 MB:usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
usbd_start_next: error=13
NMI Exception on core:0
Watchdog status, core 0: 0xfffecbffffb
FPA INT Summery: 0x2000000000000
Err EPC: 0x80121cf8
Trapframe Register Dump:
zero: 0000000000000000 at: fffffffffffffffe v0: 0000000050c808e4 v1: ffffffff80121cdc
a0: ffffffffc7085820 a1: ffffffffeafaa418 a2: 0000000000000005 a3: 00000000000000d5
t0: ffffffff80cc90f0 t1: ffffffff80dc06b0 t2: 00000000ffff8010 t3: 0000000000000800
ta0: 0000000000000000 ta1: 0000000000000001 ta2: 0000000000000000 ta3: 0000000000000000
t8: 0000000023c34600 t9: 0000000000000001 s0: ffffffffeafaa418 s1: ffffffffc709b200
s2: ffffffffc6f3d900 s3: ffffffffc6f03a00 s4: ffffffff80ca0000 s5: ffffffff80ca0000
s6: ffffffff80c5409c s7: ffffffff80ca36d0 k0: 00bb3f24808b1101 k1: 0034002000040028
gp: ffffffff80ca2a80 sp: ffffffffeafa9ff0 s8: ffffffffeafaa310 ra: ffffffff8011d144
sr: 0000000050c808e4 mullo: 0000000000000000 mulhi: 0000000000002a25
pc: ffffffff8073349c cause: 0000000040008408 badvaddr: ffffffffc000f084
ErrPC: 0000000000000840
Current ticks/softticks 3641751/3614216, curproc [30] swi5: cambio
Core0: CacheErr(I/D: current: 0x2000000000000000/0xffffffffffff0000)
PCPU dump:
cpuid = 0
curthread = 0xc6ee3000: pid 30 "swi5: cambio"
ipis = 0x0
cpuid = 1
curthread = 0xc6e61000: pid 20 "idle: cpu1"
ipis = 0x0
cpuid = 2
curthread = 0xc6e5dc60: pid 19 "idle: cpu2"
ipis = 0x0
cpuid = 3
curthread = 0xc6e5da50: pid 18 "idle: cpu3"
ipis = 0x0
cpuid = 4
curthread = none
ipis = 0x0
cpuid = 5
curthread = none
ipis = 0x0
cpuid = 6
curthread = none
ipis = 0x0
cpuid = 7
curthread = none
ipis = 0x0
cpuid = 8
curthread = none
ipis = 0x0
cpuid = 9
curthread = none
ipis = 0x0
cpuid = 10
curthread = none
ipis = 0x0
cpuid = 11
curthread = none
ipis = 0x0
Memory dump of 1024 words starting at 0x80000000
Stack trace:
dadone+0x1c (0xc7085820,0xeafaa418,0x5,0xd5) ra 0x8011d144 sz 776
camisr+0x3cc (0xc7085820,0xeafaa418,0x5,0xd5) ra 0x8011d274 sz 176
xpt_polled_action+0xf4 (0xc7085820,0xeafaa418,0x5,0xd5) ra 0x801219ec sz 48
dadump+0xf4 (0xc7085820,0xeafaa418,0x5,0xd5) ra 0x80798dd8 sz 288
minidumpsys+0x514 (0xc7085820,0xeafaa418,0x5,0xd5) ra 0x80797d90 sz 128
dumpsys+0x4c (0xc7085820,0xeafaa418,0x5,0xd5) ra 0x801dce2c sz 4208
0x801dcd48+0xe4 (0xc7085820,0xeafaa418,0x5,0xd5) ra 0 sz 0
pid 30, process: swi5: cambio
Resetting the system now...
cpu_reset: Stopping other CPUs
timeout stopping cpus
Hello,
Is it continuous panic or predictable frequency panic?
Since RMA did not resolve the issue, can you try to zeroize the device and see if it helps?
You can also try to upgrade it to latest release.
Regards,
Rushi
Hello,
ESP captures taken on both ends simultaneously can help when generating a specific size ping to ascertain if ISG is sending the ESP out as well as SRX is getting it and vice versa.
On ISG you can enable the 'debug flow basic' for ping traffic to see if the packet is pushed to the tunnel or not.
Same thing can be done on SRX (flow traceoptions).
Regards,
Rushi
uff... sometimes with security director is difficult :-|
Here my case.
I've updated the DMI schema from Junos Space 17.2 R1, in order to perfectly match my vSRX17.3R1.10.
The problem is that while I'm trying to configure SDSN 17.2R1 with Junos Security Director, it's missing some parameters that Junos requires but Security Director doesn't mention.
For example, see below. I tried to configure SDSN manually by CLI and it's working correctly!
After that I synchronized the policy with Security Director, updated the policy and tried to push it.
The problem specifically is that it's trying to remove the "match and permit" policy from the service advanced-threat-prevention, but as I said, it seems that it's required by the system!
Maybe Security Director is right and I should install an old DMI, because the "match and permit" statement was allowed in the 15.x version... but this is really strange, BTW.
Any update please?
##Security Policy Settings##
set security policies policy-rematch
##Security Firewall Policy : contact - Server##
delete security policies from-zone contact to-zone Server policy VPN-Client_to_Server then permit application-services
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match application junos-dns-udp
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match destination-address dc_host
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match destination-address synology_host
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : Server - contact##
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match application junos-dns-udp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match application server-internet_access
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match destination-address any
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match source-address server-net
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services idp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services utm-policy Advance_internet_antivirus
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match application Synology-Torrent
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match application synology_internet
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match destination-address any-ipv4
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match source-address synology_host
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services idp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application junos-icmp-ping
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application junos-snmp-agentx
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application snmp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match destination-address any-ipv4
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match source-address phpipam
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application junos-https
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application junos-ssh
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application snmp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match destination-address fw-edge-inside
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match destination-address EX-Core
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match source-address Junos-SPACE
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match source-address phpipam
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : contact - junos-host##
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-https
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ssh
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ping
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : Server - junos-host##
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-icmp-all
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ssh
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-snmp-agentx
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application snmp
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match source-address server-net
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : junos-host - contact##
delete security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match source-address Block_from_Reagion
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
delete security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match destination-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : junos-host - Server##
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match application any
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : contact - junos-host##
insert security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 before policy HQ_mgmt_FW
##Security Firewall Policy : contact - Server##
insert security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 before policy HQ_to_serverDNS
##Security Firewall Policy : Server - contact##
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 before policy DNS-DC_request
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 before policy server_internet_access
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 before policy synology_internet_access
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 before policy Observium_to_HQ
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 before policy Space-MGMT
##Security Firewall Policy : Server - junos-host##
insert security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 before policy SNMP-Monitoring
##Security Firewall Policy : junos-host - Server##
insert security policies from-zone junos-host to-zone Server policy vSRX-Server after policy PolicyEnforcer-Rule1-2
##Security Firewall Policy : global ##
set security policies global policy PolicyEnforcer-Rule1-2 match application any
set security policies global policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies global policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
##Advanced AntiMalware Policy Configurations##
delete services advanced-anti-malware policy SkyATP_DMZ match (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ then (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ inspection-profile
delete services advanced-anti-malware policy SkyATP_DMZ default-notification
delete services advanced-anti-malware policy SkyATP_DMZ whitelist-notification
delete services advanced-anti-malware policy SkyATP_DMZ blacklist-notification