dear all,
i have srx1400 HA Chassis cluster.
i have problem with device backup. i try reboot the device backup (node1) and why the traffik is interupt 5 minute.
i see led interface device primary is going down and up again.
my question why interface interupt because i used HA Chassis cluster ? and why interface led device primary is going down if i reboot device backup?
any one have problem same with me? i attach configure HA.
Hi,
Rebooting backup node (here node1) should not affect traffic going through Primary (node0). It is an abnormal behavior.
Is it happening every time you reboot backup node?
What was the cluster status before and after reboot?
Do you have any logs before and after reboot?
is it possible to share below mentioned command output?
show route summary
show ospf interfce
show ospf neighbor extensive
show chassis cluster status
show chassis cluster interfaces
show chassis cluster information detail
hi.
are you reboot srx1400 device backup?
this information for you
Is it happening every time you reboot backup node?
- this is first time i reboot the backup device ( node1) bacause i do maintenance
What was the cluster status before and after reboot?
- the status is same no chang, because i reboot device backup ( node1)
is it possible to share below mentioned command output?
show route summary
- attach
show ospf interfce
- attach
show ospf neighbor extensive
- attach
show chassis cluster status
- attach
show chassis cluster interfaces
- attach
show chassis cluster information detail
- attach
Hi,
The Cluster is NOT in healthy state. There is a hardware failure in node0 and multiple monitoring failure.
You may use below mentioned commands to check hardware status:
show chassis alarms
show chassis fpc pic-status
Recommend to contact JTAC for support.
hi,
"There is a hardware failure in node0 and multiple monitoring failure"
there is log when the device long time not going up. now i see not alarm and status fpc is online.
show chassis alarms
node0:
—------------------------------------------------------------------------
No alarms currently active
node1:
—------------------------------------------------------------------------
No alarms currently active
show chassis alarms
node0:
—------------------------------------------------------------------------
No alarms currently active
node1:
—------------------------------------------------------------------------
No alarms currently active
Hi all,
Is there any one can help regarding test below. This url https://forums.juniper.net/t5/SRX-Services-Gateway/How-to-setup-multiple-IKE-gateways/td-p/45849 not refer using mode aggresive. Appreciate some advise how to achive that.
Thanks
Hi Hong Zeng,
May i know whether your case already get the solution?
Thanks
Hi,
up for this post. We have same exact problem, tried also to uprage at 18.1 version without resolution.
Any ideas or supports from Juniper?
Hi,
I have a scenario, in which I am connected to two different ISPs with different public IP. I am doing NATting of my Private IPs to Public IPs from two ISP. I want to route traffic to related ISP, if traffic is source natted to Public IP of that ISP.
I configured three separate routing-instance (1st Trust, 2nd ISP-1, and 3rd ISP-2). ISP-1/ISP-2 has default static route toward them and redistributing both routes each from ISP to Trust routing Instance.
I am facing issue that SRX select one default route which is e.g. ISP-1. If SRX is configured to NAT that traffic to ISP-1 Public IP, NATting and Routing going good. but if SRX is configured to NAT traffic to ISP-2 Public IP, traffic is routed to ISP-1 Next-Hop and skip NATting.
Kindly let me know, is it possible to do routing as per my scenario or not.
Regards,
Atif.
Hello,
in Juniper SRX, source NAT happens AFTER route lookup
You would need to change Your design to use interface-based source NAT so that xlation automatically picks the public src IP from the Your SRX' interface facing ISP-1/2/3 etc.
Alternate soution would be to use double-lookup with LT interface/cable loop so that another src IP lookup is executed before forwarding the xlated packet out.
HTH
Thx
Alex
Greetings,
Can you more elaborate this part Alternate soution would be to use double-lookup with LT interface/cable loop so that another src IP lookup is executed before forwarding the xlated packet out.
how to do it.
Hi All,
I'm currently trying to build a VPN between my SRX345 cluster and a 3rd party service (Azure)
It's transpired the 3rd party will only use a route based VPN and I had prepared for a policy based one.
At present my current setup has multiple policy based VPNs for other customers / services.
I've been told that the Juniper platform will not support simultanious policy and route based VPNs - I'm not sure that's true but don't fancy taking the chance...Can anyone confirm if that's the case or if there are any other obstacles?
I've applied plenty of policy based VPNs before but never a route based on.
Apprecaite any feedback
there is NO problem having policy-based and route-based VPNs on th same SRX
regards
alexander
Route based is fairly straightforward.
If you are using multiple instances it is important to remember the following (IPSec):
IKE Phase 1 will create the tunnel between the physical endpoints.
IPSec Phase 2 will set up the data channel using the tunnel.
The data tunnel at the SRX end, exits via the st0 interface. If you are utilising multiple VRs, it is important which VR you place the data end point (st0) interface. I have just configured the exact same thing, from Azure to an SRX1500 in a specified routing instance.
Create the static route to the Azure networks within the VR rather than globally.... as per what I did in our Customer-VR below:
set routing-instances Customer-VR routing-options static route (azure network addresses) next-hop st0
Then you need your address book entries and assign to an address set and apply to the policies between the routing-instances.
Worked for me for Azure to the RADIUS and LNS REST APIs via the Site-to-Site routed VPN.
Let me know if you want the actual config I used and I will put here (Minus our addressing of course 
hello,
We have the same problem here.
We have found a workaround not ideal but...
We call the ISP and we ask for the ip assign to the device. After, in the Internet interface, we configure a static ip and we activate the configuration. After, we remove the ip and change the configuration to DHCP and active the configuration.
After that, the internet work on the unit. The SRX seen to save the ip somehow.
@wdusys, I tried recommened setup like:
set security address-book b address c set security address-book b attach zone a
but when I try to create an address like:
[edit security]
set address-book something address 10.20.0.0/24
^
missing argument.
[edit security]
r1# set address-book something address 10.20.0.0/24 ?
Possible completions:
<ip-prefix> Numeric IPv4 or IPv6 address with prefix
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
description Text description of address> dns-name DNS address name> range-address Address range> wildcard-address Numeric IPv4 wildcard address with in the form of a.d.d.r/netmaskMeanwhile I deleted the address book I had, but it gives me an error that source address or address-group not found, presumably until I can get one created.
I'm running JunOS 15.1X49-D45
So I tried to create it like:
[edit security address-book] r1# set something address a1 10.20.0.0/24
which worked, but now I get a commit check error:
# commit check
[edit security zones security-zone something]
'address-book'
Zone specific address books are not allowed when there are global address books defined
error: configuration check-out failed: (statements constraint check failed)
Dear Community,
I would like to seek help on how to start migrating SRX100H2 to SRX320
Is there a rough guide, or even better, a step by step guide on how to migrate the configuration over?
Any advise is appreciated.
Thank you.
I am going to be testing this myself soon for another Site-to-Site that will have to use the same physical interface. I think I am going to have to use sub-interfaces but will let you know the results when I have configured and tested.
I'm not aware of a guide, but the main difference is the change in layer 2 configurations called ELS enhanced layer 2 services. The new configuration methods are listed here with a list of all the changes in behavior on the bottom of the article with links to the details of each.
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/getting-started-els.html
There was a conversion tool on the support site, but I can't find the link right now.
I have a new configuration for SRX1400 in Head Office and there is VPN connections with three Branches (A, B and C) witch have Cisco IP Teleohony
Head Office: Cucm 4.1
Branch A: CUCM 10
Branch B: Call Manager Express
Branch C: Call Manager Express
when i connected SRX1400, everything working fine, except Branch C, all IP Phones restarting randomly