Channel: All SRX Services Gateway posts

Re: SRX1400 a new installation


Thanks for replying,

Okay, I removed the laptop and added an L3 Cisco switch; I am also unable to ping from switch interface 0/25 to the SRX ge-0/0/0 interface.

 

 

This is the switch interface configuration:

 

interface GigabitEthernet0/25
no switchport
ip address 192.168.3.1 255.255.255.0

 

 


Re: SRX1400 a new installation


Like Alexander mentioned, the SRX is a firewall by default and not a router.  The SRX interfaces will not process any traffic until they are assigned to security zones, the appropriate inbound traffic is permitted, and security policies are defined.  You will need to properly set up the 'security' portion of the config with all of those features before traffic will flow.  Or, you can set the device into packet mode and it will perform standard routing functions, but you lose all firewall functionality.

 

The SRX Day One book available at https://www.juniper.net/us/en/training/jnbooks/day-one/srx-up-running/index.page should walk you through everything you'll need to configure.

Define and separate traffic by Policy


Hi,

 

I will try to explain this as best as possible.

 

RADIUS --> SRX1(Radius-VR) --> SRX1(Customer-VR) --> CORE --> LNS --> LAC --> CPE

 

The RADIUS could also access the internet via the core and the upstream provider. 

 

So, the policies between the Customer-VR and the Radius-VR are working exactly as I want them to. This means PPP authentication requests from the LNS to the RADIUS.

However, I have just been asked if I can allow Internet access from the Radius for repo updates. This will be via a separate route if it's possible.

Is there a way, on the SRX, that I can tell UDP ports 1812, 1813 and 1814 to go to the LNS while allowing the repository traffic to go via the core and upstream providers? Or will I have to perform this action on the core itself?

 

Thanks

Re: Define and separate traffic by Policy


As a quick add-on question:

 

Why would the following command ever be required:

 

security policies default-policy permit-all

 

Surely this should be a "deny-all".

 

However, when I configure a deny-all, I can't even ping the device, even though I have ping allowed through the policies.
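An added configuration example (not from any post in this thread) showing a deny-all default with ping still permitted. Two separate mechanisms are involved: transit ping needs an explicit security policy, while ping addressed to the SRX's own interfaces is admitted by host-inbound-traffic and is never evaluated by security policies. Zone names, interface names and the source prefix are assumptions.

```junos
# Added example, not from the thread. Zone names trust/untrust, interface
# ge-0/0/1.0 and prefix 10.1.1.0/24 are assumptions.

# 1. Transit traffic: with deny-all as the default, ping across zones only
#    works if a policy above the default explicitly permits junos-ping.
set security policies default-policy deny-all
set security address-book global address lan-hosts 10.1.1.0/24
set security policies from-zone trust to-zone untrust policy allow-ping match source-address lan-hosts
set security policies from-zone trust to-zone untrust policy allow-ping match destination-address any
set security policies from-zone trust to-zone untrust policy allow-ping match application junos-ping
set security policies from-zone trust to-zone untrust policy allow-ping then permit
set security policies from-zone trust to-zone untrust policy allow-ping then log session-close

# 2. Traffic to the SRX itself (pinging or managing the box) is controlled
#    per zone or per interface by host-inbound-traffic, not by policies.
#    Keep this list minimal: only the services the zone really needs.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
commit

# Verification: policy order for the zone pair, and the zone's host-inbound list.
show security policies from-zone trust to-zone untrust
show security zones trust
```

If a zone-specific address book is already in use on the box, define lan-hosts in that book instead of the global one, since the two styles cannot be mixed.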

 

 

"Could not get stats from pfe" on the SRX Chassis Cluster


Hi all,

Does anyone have any idea why the following messages are occurring on the SRX chassis cluster, and how to troubleshoot to understand why they are generated?

 

ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312080 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089296 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089296
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089808 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089808
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28311824 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28311824
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312336 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312336
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312080 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312080
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 28312592 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 28312592
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32
ifinfo: ifext_uspipc_connect_and_send_to_pfe: send to pfe 45089552 failed
ifinfo: ifext_uspipc_get_flow_stats: Could not get stats from pfe 45089552
ifinfo: ipc_pipe_write:353 num_sent=-1 errno=32 Broken pipe
ifinfo: usp_ipc_client_send: failed to send message - type 1032, subtype 32


 

 

Thanks,

Eriydix

Re: Define and separate traffic by Policy


Hi Adgwytc,

 

So as per your last update, if you remove the default-policy then the traffic starts to drop, which means that there is a specific policy which is dropping it.

I would suggest you put a simple flow trace in place and see which policy is dropping the packet through the SRX.

It is quite possible that the policy which is denying the traffic is sitting above the policy which should allow the ping.

 

regards,

Guru Prasad
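An added example (not from any post in this thread) of the flow trace suggested above, scoped with a packet filter to a single ICMP flow so the log stays small and shows which policy the packet matched or was denied by. Source and destination prefixes are assumptions.

```junos
# Added example, not from the thread. 10.1.1.10 and 192.0.2.1 are assumed
# addresses for the host sending the ping and the ping target.
set security flow traceoptions file flow-trace size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter icmp-probe source-prefix 10.1.1.10/32
set security flow traceoptions packet-filter icmp-probe destination-prefix 192.0.2.1/32
set security flow traceoptions packet-filter icmp-probe protocol icmp
commit

# Send the ping, then read the trace and look at the policy lookup lines;
# a denied packet names the policy (or the default policy) that dropped it.
show log flow-trace | match "policy|deny|drop"

# Compare against the evaluation order of the zone pair: policies are
# matched top to bottom, so a broad deny above the ping permit wins.
show security policies from-zone trust to-zone untrust

# Remove the trace when finished; datapath tracing is costly on a busy box.
delete security flow traceoptions
commit
```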

 

Re: Define and separate traffic by Policy


Hi,

If I understand correctly, there is only one exit interface on the SRX to go to the Core and the internet.

And if the exit interface is connected to the core then unfortunately you will have to perform this on the core and not on the SRX.

However if there is a separate route or path available from the SRX itself then yes we can perform that on the SRX.

 

 

regards,

Guru Prasad

 

 

Re: Define and separate traffic by Policy


Hi G_prasad

 

Thank you. That is exactly where I expected I would have to perform this operation.

 

Is there documentation anywhere to describe the best way of completing this please?

 

Thanks


Re: can't load '/kernel' and can't load '/kernel.old


Please help; it can't load the kernel, and it seems the CF is corrupted.

I am a new beginner and don't know how to fix it.

 

Thanks,

Anson

SRX550 VPN to AWS using "unnumbered" feature


We are using an SRX550 for a VPN to AWS.  The AWS VPN generated config for the SRX template [JUNOS 9.3 or higher] assumes each tunnel has its own public IP, thus needing BGP for failover.  All of our single-leg IPsec VPNs use the unnumbered feature.  All outbound routes are static routes, while internally we use OSPF.  We used a "next-hop preference 10" for the second tunnel's static route syntax.  We did use VPN monitoring syntax [per AWS], but comparing the AWS template with the Juniper VPN Configurator, there were some differences.

So, does anyone have any experience or trade secrets with setting up AWS dual tunnels with unnumbered single public IP, without using BGP?  Just trying to ensure that we get some type of HA that functions.  Thanks for any ideas or help. 

Re: 1-to-1 NAT setup to untrust /24?


Yeah, I was wondering why I need a pool if all I really want to do is assign a 5-IP range to ge-0/0/0.1-5 and then route to them based on each VLAN. So do I need a pool at all, or can I just add each IP to ge-0/0/0.1 = 1.2.3.2, ge-0/0/0.2 = 1.2.3.3 and so on, and then route each VLAN's traffic to that respective IP?

Re: can't load '/kernel' and can't load '/kernel.old


tty: not found
Starting JUNOS installation:
    Source Package: disk0:/d.tgz
    Target Media  : internal
    Product       : srx220h
ERROR: Target media /dev/ad0 does not exist
Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 0 0 0 0 0 0 done

 

====================================

/dev/ad0 does not exist

Re: 1-to-1 NAT setup to untrust /24?


Scratched in Notepad, not verified, but should work:

 

[edit security nat]
set proxy-arp interface ge-0/0/0.0 address 1.2.3.4 to 1.2.3.6

[edit security nat source]
set pool src-nat-pool10 address 1.2.3.4/32
set pool src-nat-pool20 address 1.2.3.5/32
set pool src-nat-pool30 address 1.2.3.6/32

set rule-set rs10 from zone z10
set rule-set rs10 to zone untrust
set rule-set rs10 rule r10 match source-address 10.10.1/24
set rule-set rs10 rule r10 match destination-address 0.0.0.0/0
set rule-set rs10 rule r10 then source-nat pool src-nat-pool10

set rule-set rs20 from zone z20
set rule-set rs20 to zone untrust
set rule-set rs20 rule r20 match source-address 10.20.1/24
set rule-set rs20 rule r20 match destination-address 0.0.0.0/0
set rule-set rs20 rule r20 then source-nat pool src-nat-pool20

set rule-set rs30 from zone z30
set rule-set rs30 to zone untrust
set rule-set rs30 rule r30 match source-address 10.30.1/24
set rule-set rs30 rule r30 match destination-address 0.0.0.0/0
set rule-set rs30 rule r30 then source-nat pool src-nat-pool30

[edit]
set security address-book ab10 address a10 10.10.1/24
set security address-book ab10 attach zone z10
set security address-book ab20 address a20 10.20.1/24
set security address-book ab20 attach zone z20
set security address-book ab30 address a30 10.30.1/24
set security address-book ab30 attach zone z30

[edit security policies from-zone z10 to-zone untrust]
set policy p10 match source-address a10
set policy p10 match destination-address any
set policy p10 match application any
set policy p10 then permit

[edit security policies from-zone z20 to-zone untrust]
set policy p20 match source-address a20
set policy p20 match destination-address any
set policy p20 match application any
set policy p20 then permit

[edit security policies from-zone z30 to-zone untrust]
set policy p30 match source-address a30
set policy p30 match destination-address any
set policy p30 match application any
set policy p30 then permit

Regards, Wojtek

Re: 1-to-1 NAT setup to untrust /24?


If the IP address you are using for source NAT is NOT the primary IP address of the egress interface, then you do need a pool.

The pool can be a single IP address, and in your case it needs to be, because you will be using a different IP address in each rule for the associated subnets.

I know this is pedantic, but don't refer to this process as "routing". NAT does not "route" any traffic or have any interaction with the routing or forwarding systems. The traffic will follow the routes created and installed in the table. NAT is only changing the source address in this case, per your rule set.

 


mysterious global address-book


I don't see any global address book when I do:

[edit security]
root@r1# show address-book
r20 {
    address 20 10.20.1.0/24;
    attach {
        zone r20;
    }
}

But when I try to commit I get an error about there being a global address-book like:

[edit security zones security-zone r20]
'address-book'
    Zone specific address books are not allowed when there are global address books defined
error: configuration check-out failed: (statements constraint check failed)

Where else should I look to try to delete this mysterious global address book?

Re: 1-to-1 NAT setup to untrust /24?


Okay, I changed some of my rules, but already had ge-0/0/0 set up like:

 

[edit]
show interfaces ge-0/0/0
unit 0 {
    family inet {
        address 1.2.3.2/24;
    }
}

and proxy-arp

 

 

[edit security nat]
show proxy-arp
interface ge-0/0/0.0 {
    address {
        1.2.3.3/32;
        1.2.3.3/32;
        1.2.3.4/32;
        1.2.3.5/32;
    }
}

 

@wdudys, I keep getting an error when trying to attach a zone to an address book, saying that this is not allowed when a global address book is defined, but there is no global address book defined. I posted this to a separate thread: https://forums.juniper.net/t5/SRX-Services-Gateway/mysterious-global-address-book/td-p/327204

 

Is there some way to do it without an address book?

Re: mysterious global address-book


There are two ways you can define address books, but you can't use both at once:

set security zones security-zone a address-book address c <prefix>

set security address-book b address c <prefix>
set security address-book b attach zone a

It looks like you have a mix of both. You have to choose one way or the other. The second one is recommended.

 

Regards, Wojtek

Traffic stopped all of a sudden!


Today we encountered an interesting problem: the SRX3400 (Software Version: 12.1X46-D25.7) stopped all traffic going through all of its ports.

We could not understand why it happened; the symptoms were as below:

- We can ping the Juniper SRX from the internal network
- We cannot ping the Juniper SRX from the DMZ (which we should be able to)
- We cannot reach the Juniper using SSH or Web Management; only the console is working
- We cannot ping local devices from other local devices connected to different ports of the Juniper SRX
- When trying to connect by SSH, it does somehow accept the connection but hangs for a while and then the connection drops
- We can ping or reach any device connected to the Juniper from the Juniper SRX itself
- The uplink interface was UP; however, we cannot ping the peering IP
- When we look at the routing engine it shows 0.01 load with 50% memory usage and everything is OK
- There are no alarms in chassis
- There are no alarms in system
- There are no changes in config
- We restarted the machine and the problem is gone (!)
- The system was up for 750 days

I am suspecting a hardware failure, but I am not sure about it.

What do you think the problem is?

 

Additional info:

As I investigated, I found thousands of "SIP ALG decode packet error" messages coming from the same IP address. When I searched for it on Google, I found this KB: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1193679

 

I believe this caused a DoS.

Re: mysterious global address-book


Hi,

There are two different methods to create Address Book objects: per zone and globally. They can be created in three locations:
1. Address book within a zone
E.g.: set security zones security-zone DMZ address-book address Server 8.8.8.8/32

2. Address book at the global level
set security address-book DMZ address Server 8.8.8.8/32
set security address-book DMZ attach zone DMZ

3. Address book within the global address book
set security address-book global address Server 8.8.8.8/32

Historically, each zone had its own address book directly under the zone configuration. In Release 11.2, they moved from the zone level to the device global level. Within this global level, you can create an address book by name and attach it to a zone, so those objects are only available within the zone to which the address book is attached. Within the global level, there is also a global address book in which you can create objects that are available within every zone on the device. The caveat to this is that you either have to do everything zone based or global based. If you have zone-specific address books, you cannot use the global level configuration or you will get a commit failure.

 
