Hi there,

Juniper Networks’ User Experience team is conducting user research on Sky Advanced Threat Prevention (SkyATP). To ensure that we build a simple, reliable, and efficient interface, we need your input. If you have experience with SkyATP,  please join our study.

Study Details:

• The usability study will last 1.5 hours, and we will use GoToMeeting to hold the study remotely
• It will take place at your convenience between May 23rd – June 11th
• You will receive a $100 Amazon gift card as a token of our appreciation for your participation (subject to your company’s gift policy)

To participate in the study, please select a convenient time!

Thanks,

Natasha

Natasha Shimuk

User Experience Researcher | Juniper Networks

Hi Jonas,

Juniper Networks’ User Experience team is conducting user research on Sky Advanced Threat Prevention (SkyATP). To ensure that we build a simple, reliable, and efficient interface, we need your input. If you have experience with SkyATP,  please join our study.

Study Details:

• The usability study will last 1.5 hours, and we will use GoToMeeting to hold the study remotely
• It will take place at your convenience between May 23rd – June 11th
• You will receive a $100 Amazon gift card as a token of our appreciation for your participation (subject to your company’s gift policy)

To participate in the study, please select a convenient time!

Thanks,

Natasha

Natasha Shimuk

User Experience Researcher | Juniper Networks

Hi there,

Juniper Networks’ User Experience team is conducting user research on Sky Advanced Threat Prevention (SkyATP). To ensure that we build a simple, reliable, and efficient interface, we need your input. If you have experience with SkyATP,  please join our study.

Study Details:

• The usability study will last 1.5 hours, and we will use GoToMeeting to hold the study remotely
• It will take place at your convenience between May 23rd – June 11th
• You will receive a $100 Amazon gift card as a token of our appreciation for your participation (subject to your company’s gift policy)

To participate in the study, please select a convenient time!

Thanks,

Natasha

Natasha Shimuk

User Experience Researcher | Juniper Networks

Hi all,

Can any one have any idea about why the following messages are occuring on the SRX chassis cluster and how to troubleshooting to understand about why they are generated?

ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312080 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089296 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089296
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28311824 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28311824
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312336 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312336
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312080 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089552 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089040 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089040
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82ebe80
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28311824 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28311824
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312336 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312336
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82ebe80
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089040
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089552 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82ebe80
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089296 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089296
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82eb000
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28311824
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312336 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312336
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82eb000
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089040
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089552 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82eb000
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: usp_ipc_client_recv: failed to read message from ipc pipe
ifinfo: ifext_uspipc_recv_client_mesg: Msg receive from pfe failed, client 0x82eb000
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089040 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089040
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089552 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552

Thanks,

Eriydix

Hi,

The log description is : The chassis process (chassisd) could not perform the indicated ioctl() operation on the indicated component (field-replaceable unit, or FRU).

You may see this message when booting or committing a config on srx550. This message is harmless in srx550. You can safely ignore it.

Hi,

Are you seeing this message in both nodes or only on specific node? Do you have any monitoring tool which polls SRX for statistics?

Also check the message intervals.

Hello,

Can you configure commands below & try diagnostics and enrolling process again?

set services ssl initiation profile aamw-ssl trusted-ca aamw-secintel-ca
set services ssl initiation profile aamw-ssl trusted-ca aamw-cloud-ca
set services ssl initiation profile aamw-ssl client-certificate aamw-srx-cert

set services advanced-anti-malware connection url <URL Based on your region>
set services advanced-anti-malware connection authentication tls-profile aamw-ssl

Moreover the SKYATP license which you showed, is it a Demo license or evaluation license?

Regards,

Rushi

Hello,

Can you tell me if the Sky ATP license is evaluation or a demo license?

What is the output of diagnostic commands that the originator of this thread posted?

Regards,

Rushi

Hi Nellikka

It is coming from the node0.... Is there any command to check whether or not the same messages are generated on the node1?

Thanks

Erdal

Hi,

you may use "show log messages | match <Pattern> " command on node1. By the way, how are you checking on node0?

is your node0 active/primary for all Redundancy Groups?

Hello,

You can use JUNIPER-NAT-MIB for the same.

http://www.oidview.com/mibs/2636/JUNIPER-NAT-MIB.html

Regards,

Rushi

Okay, but all I want to do is route all traffic from the /24 on ge0/0/1.7, which is VLAN 10.20.1.0 all to one public static IP of 1.2.3.5, so do I really need a pool at all?

By "route" I assume you mean source nat to the public address 1.2.3.5

Source nat uses either the address assigned to the egress interface OR a configured pool address.  So if your egress interface on the SRX for this traffic is 1.2.3.5 then you don't need a pool and use the interface term.

See the top of page 5 here

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

Page 6 shows source nat using pool.  The pool can be a single address as you want in your case.  And if the pool address is in the same subnet as the egress SRX interface you need to enable proxy arp on that interface as shown.

Hi

I am trying to configure a VPN from Azure to the SRX. I have an aggregated interface labelled as ae2 that is utilised as the gateway interface. This interface has 2 x IP addresses assigned to it.... the VPN interface address is advertised out via eBGP and can be ping'd from our offices. The other interface is not available as it is an internal network address. 

When I run the following command on the ae2 interface on the SRX, I see the azure IP attempting to build Phase 1, but I see no response back and also no ike security-association built:

run monitor traffic interface ae2 no-resolve size 1500 (matching "net <ipaddress>")

I have also configured a static route to the exit interface for the azure gateway address.

I am guessing, from my troubleshooting tests that it is using the other IP address for the return even though a static route is configured......

So, my question is : can a site-to-site VPN be configured on an aggregated interface?

It's not really urgent as I have cabled up a separate port for this if required.

Phase 1 and Phase 2 successful on separate interface.

IKE Security-Associations working.

All working fine.

Dear Members, 

We are experiencing a weird problem with our HA configurations. The nodes are just installed and configured with basic HA configuration. The problem is the node tranists to disabled state after missing hearbeats. The nodes are connected back to back and we have tried chaning SFP, Cables and even both nodes but the problem persists. Please note that a similar pair is working fine in another location with same software and hardware.

We did upgrade the software to the latest release as recommended by JTAC, but the issue is still same. The case is now pening with ATAC and all the related logs have been provided.

Please let me know if anyone of you have faced a similar situation and what can be the solution. For Juniper Employees, the case number is 

2018-0503-0166

Error

May 23 21:14:04 Successfully sent jnxJsChClusterIntfTrap trap with severity minor to inform that Control link - em0 state changed from UP to DOWN on cluster 1; reason: missed heartbeats
May 23 21:14:07 missed heartbeats on control link between 25 to 33

Configuration

## Last commit: 2018-05-24 03:33:16 PKT by tayyab
version 15.1X49-D130.6;
groups {
node0 {
system {
host-name LHR_SRX_CH_FWL01;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.12.41.227/23;
}
}
}
}
}
node1 {
system {
host-name LHR_SRX_CH_FWL02;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.12.41.228/23;
}
}
}
}
}
}
apply-groups "${node}";
system {
time-zone Asia/Karachi;
root-authentication {
encrypted-password "$5$Ne4994/h$78cjDSVswBRh1lmOSdYwUTny7P/kZDG80bZoKJKCkb5"; ## SECRET-DATA
}
login {
user tayyab {
uid 2000;
class super-user;
authentication {
encrypted-password "$5$/./JeNE3$VGQK0zZrlqibVO7puB.3TJ4u91G0j7d6a4LsQmtv.X4"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
netconf {
ssh;
}
web-management {
https {
system-generated-certificate;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
chassis {
cluster {
reth-count 2;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 50;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 50;
}
}
}
interfaces {
fxp0 {
unit 0 {
family inet;
}
}
}

 Thanks & Regards, 

Tayyab Bin Tariq

Hi,

I checked the log messages and those messages are only from the node0  -Primary.

And also node0 -Primary is active for all redundancy groups...

Any further idea?

Hi, we seem to hit the performance bottle neck of SRX-5400 cluster without explictly configuring express-path, the chassis has one 10x10GE IOC II and one SPC II card, the 3 SPU CPU on SPC card will shoot up to100% when roughly 4Gbps/2Mpps traffic is passing through this box, at that point we observed 20% packet drops and delays --- this is rediculously low throughput number considering that we spent 10s of thousand $ on this SRX-5400 cluster, IMHO, the official SRX-5400 spec data looked far more than enough for our use case, but we never expect that the throughput number is less than 1% of what is claimed, although we did not have fully populated SPC cards.

No screen, no ALG, just basic firewalling and NAT.

I did some research, seems that I have to configure "chassis fpc <> pic <> services-offload" to gain more throughput (I am not clear whether this shoud be configured on IOC or SPC or both card) out of the box, I am wondering do you guys always configure this express-path? what is the side effect of this feature? why it is not turned on by default -- why wouldn't anyone want more throughput anyways?

Hi all,

Can we establish multiple IKE using one gateway on SRX345? Below is my config. The peer unit is Strongswan. The issue is the user2 cannot establish. Even i disconnect user1 the user2 still cannot establish the IKE.

[edit security ike]
test# show
traceoptions {
    file ike-debug size 10m files 10;
    flag all;
    level 15;
}
proposal ike-proposal {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
}
policy ike-policy {
    mode aggressive;
    proposals ike-proposal;
    pre-shared-key ascii-text "$9$vA4WNdUDkq.foaz39C0OxN-V24aZU"; ## SECRET-DATA
}
gateway ike-gateway {
    ike-policy ike-policy;
    dynamic user-at-hostname "user1@test.com.us";
    dead-peer-detection optimized;
    external-interface ge-0/0/0.0;
    version v2-only;
}
gateway ike-gateway2 {
    ike-policy ike-policy;
    dynamic user-at-hostname "user2@test.com.us";
    dead-peer-detection optimized;
    external-interface ge-0/0/0.0;
    version v2-only;
}

[May 18 17:11:25]iked_pm_phase1_sa_cfg_lookup_by_addr: Address based phase 1 SA-CFG lookup failed for local:7.7.7.7, remote:42.153.23.34 IKEv2

[May 18 17:11:25]iked_pm_phase1_sa_cfg_lookup: IKEv2, initial negotiation case, skip ID lookup

[May 18 17:11:25]iked_pm_dynamic_gw_local_addr_based_lookup: called with local ip:7.7.7.7

[May 18 17:11:25]iked_pm_dynamic_gw_local_addr_based_lookup: IKEv2, doing local-address based gateway lookup

[May 18 17:11:25]iked_pm_dynamic_gw_local_addr_based_lookup: ktu local ip:7.7.7.7

[May 18 17:11:25]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway matching local addr ike-gateway for remote dynamic peer, sa_cfg[ipsec-vpn]

[May 18 17:11:25]iked_pm_phase1_sa_cfg_lookup: dynamic gateway match successfula_cfg:ipsec-vpn Gateway:ike-gateway

[May 18 17:11:25]ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID IDa(type = email (3), len = 22, value = user2@test.com.us) to IKEv1 ID

[May 18 17:11:25]ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID usr@fqdn(any:0,[0..21]=user2@test.com.us)

[May 18 17:11:25]iked_pm_id_validate called with id usr@fqdn(any:0,[0..21]=user2@test.com.us)

[May 18 17:11:25]iked_pm_id_validate id NOT matched.

Thanks and appreciate any feedback

Dear all,

   I have a new SRX1400 configuration, after i finish configuration i connect a Laptop interface to ge 0/0/0 , but i cannot reach ge 0/0/0 IP Address from my Laptop and also cannot reach my Laptop IP address from ge 0/0/0 , that is my configuration:

Laptop interface ip address: 192.168.3.1

admin@CIG-HQ# run show configuration
## Last commit: 2018-05-24 11:18:27 UTC by admin
version 12.3X48-D30.7;
system {
host-name CIG-HQ;
root-authentication {
encrypted-password "$1$7q9.bQor$DL82Udw7QTglbnw8QKaLE1"; ## SECRET-DATA
}
login {
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$zCoWnNIU$ybHRtNyEddKjVv2BPO3oW/"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
web-management {
http;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.3.3/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.33.3/24;
}
}
}
fxp0 {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
snmp {
community public {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.3.1;
}
}

[edit]
admin@CIG-HQ#

admin@CIG-HQ# run ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3): 56 data bytes
64 bytes from 192.168.3.3: icmp_seq=0 ttl=64 time=0.247 ms
64 bytes from 192.168.3.3: icmp_seq=1 ttl=64 time=0.159 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=64 time=0.167 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=64 time=0.174 ms
^C
--- 192.168.3.3 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.159/0.187/0.247/0.035 ms

[edit]
admin@CIG-HQ# run ping 192.168.3.1 source 192.168.3.3
PING 192.168.3.1 (192.168.3.1): 56 data bytes

as the SRX name says it is not a router it is a firewall, thus you need to

either put it to packet-mode, then it behaves like a router

or

you need to configure zones and host in bound services

regards

alexander

PS: Day One book about SRX up and running from juniper website can be a help