Channel: All SRX Services Gateway posts

NCP Client - Phase 1 error


Hi,

 

While I am troubleshooting this error, I thought I would ask for help here too as someone may know the resolution:

 

I am configuring an SRX1500 and the NCP Client and am getting the following error on IKE Phase 1 initiation:

 

No Proposal Chosen: 14

 

I have configured st0.1 to share a physical interface gateway and have placed st0.1 into the Customer-VR and the Customer security zone, and configured it as follows:

 

set interfaces st0 unit 1 family inet

 

It shares the physical interface with a site-to-site VPN that works fine (Azure to Juniper).

 

I am not sure if anyone has seen this error on the NCP client before. There are too many options to put here, but here is the Phase 1 SRX configuration:

 

set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm sha1
set security ike proposal ike-prop1 encryption-algorithm aes-192-cbc
set security ike proposal ike-prop1 lifetime-seconds 28800

set security ike policy ike-pol2 mode aggressive
set security ike policy ike-pol2 proposals ike-prop1
set security ike policy ike-pol2 pre-shared-key ascii-text xxxxxxxxx

set security ike gateway remote-vpn1 ike-policy ike-pol2
set security ike gateway remote-vpn1 dynamic hostname "user@wherever.com"
set security ike gateway remote-vpn1 dynamic connections-limit 2
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 external-interface ge-0/0/1
set security ike gateway remote-vpn1 aaa access-profile vpn-users
set security ike gateway remote-vpn1 version v1-only
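The error in the post, "No Proposal Chosen" (IKEv1 notify type 14), is the responder's way of saying that none of the transforms the client offered matched any configured Phase 1 proposal attribute for attribute. The following is an added example, not code from the post, from NCP or from Juniper: it models that selection so the mismatching attribute can be seen instead of the single notify. The SRX side mirrors the ike-prop1 lines above; the client offers (group14, aes-256-cbc) are constructed for illustration and are an assumption, not captured NCP client output.

```python
# Added example (not from the post or the NCP/Juniper software): a small model
# of how an IKEv1 responder selects a Phase 1 proposal.  "No Proposal Chosen"
# (notify type 14) means none of the initiator's offered transforms matched
# any proposal configured on the gateway attribute for attribute.  The SRX
# side mirrors the ike-prop1 lines from the post; the client offers are
# constructed for illustration, not captured NCP client output.
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Phase1Proposal:
    authentication_method: str
    dh_group: str
    authentication_algorithm: str
    encryption_algorithm: str
    # lifetime-seconds is deliberately left out: IKEv1 negotiates it rather
    # than requiring an exact match, so it is not modelled here.


# Responder (SRX) proposals, as configured under ike-prop1 in the post.
SRX_PROPOSALS = [
    Phase1Proposal("pre-shared-keys", "group2", "sha1", "aes-192-cbc"),
]

# Constructed client offers: the first differs in DH group and cipher, the
# second only in DH group.
CLIENT_OFFERS = [
    Phase1Proposal("pre-shared-keys", "group14", "sha1", "aes-256-cbc"),
    Phase1Proposal("pre-shared-keys", "group14", "sha1", "aes-192-cbc"),
]


def find_mismatches(offered, configured):
    """Names of the attributes on which `offered` differs from `configured`."""
    o, c = asdict(offered), asdict(configured)
    return [k for k in o if o[k] != c[k]]


def choose_proposal(offers, configured):
    """Return (chosen, report).

    chosen is the first offered proposal identical to some configured
    proposal (IKEv1 requires every attribute to agree), or None.  report
    holds, for each offer/configured pair that failed, the attributes that
    differed - the detail a bare "No Proposal Chosen" does not give you.
    """
    report = []
    for offer in offers:
        for cfg in configured:
            diffs = find_mismatches(offer, cfg)
            if not diffs:
                return offer, report
            report.append((offer, cfg, diffs))
    return None, report


if __name__ == "__main__":
    chosen, report = choose_proposal(CLIENT_OFFERS, SRX_PROPOSALS)
    if chosen is None:
        print("No Proposal Chosen - attribute mismatches per offer:")
        for offer, cfg, diffs in report:
            print(f"  {offer.dh_group}/{offer.encryption_algorithm}: {diffs}")
    else:
        print("chosen:", chosen)
```

On a real SRX the same detail comes from `traceoptions` under `security ike`, but the model makes the rule explicit: every attribute of one offered transform has to equal every attribute of one configured proposal, so a client that only offers group14 can never negotiate against a proposal fixed to group2 no matter how the cipher is set.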


Route based VPNs have disappearing static routes when IKE/VPN activate


SRX 345 running JUNOS 15.1X49-D130.6

New system with two route-based VPNs configured. The static routes disappear when IKE / IPSec are active. When IKE / IPSec are deactivated the static routes disappear.

 

Here are the route statements:

set routing-options static route 0.0.0.0/0 next-hop 99.99.99.150
set routing-options static route 90.90.90.40/32 next-hop st0.5555

 

Show routes:

superit@my345srx> show route 90.90.90.40

inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 1w3d 20:35:39
> to 99.99.99.150 via ge-0/0/7.0 < - - - WRONG

superit@my345srx> edit
Entering configuration mode

[edit]
superit@my345srx# deactivate security ipsec vpn ipsec-vpn-system

[edit]
superit@my345srx# deactivate security ike gateway ike-gw-system

[edit]
superit@my345srx# commit
commit complete

[edit]
superit@my345srx# exit
Exiting configuration mode

superit@my345srx> show route 90.90.90.40

inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

90.90.90.40/32 *[Static/5] 00:02:15
> via st0.5555 < - - - CORRECT WHILE IKE AND IPSEC VPN DEACTIVATED.

superit@my345srx> edit
Entering configuration mode

[edit]
superit@my345srx# activate security ike gateway ike-gw-system

[edit]
superit@my345srx# activate security ipsec vpn ipsec-vpn-system

[edit]
superit@my345srx# commit
commit complete

[edit]
superit@my345srx# exit
Exiting configuration mode

superit@my345srx> show route 90.90.90.40 < - - - THIS COMMAND WAS RUN WITHIN A FEW SECONDS of EXITING CONFIG MODE.

inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

90.90.90.40/32 *[Static/5] 00:03:43
> via st0.5555 < - - - CORRECT

superit@my345srx>

superit@my345srx> show route 90.90.90.40 < - - - THIS COMMAND WAS RUN ABOUT 20 to 30 SECONDS AFTER LAST COMMAND. THE ROUTE CHANGED!

inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 1w3d 20:53:29
> to 99.99.99.150 via ge-0/0/7.0 < - - - WRONG

BGP send subnets from interfaces


Hi everyone, 

 

I'm trying to set up some BGP routes between my Ubiquiti EdgeLite and SRX210. I have the BGP connection established, but I don't see any routes being advertised from the SRX towards the EdgeLite. Any idea how to add the routes directly from the interface subnets?

 

I now have the following config:

bgp {
    advertise-peer-as;
    group EdgeLite {
        type internal;
        multihop {
            ttl 10;
        }
        advertise-peer-as;
        neighbor 172.16.5.251 {
            peer-as 65050;
            local-as 65050;
        }
    }
}

isis {
    interface ge-0/0/0.0;
}

 

Re: BGP send subnets from interfaces


Never mind... got it:

policy-statement SendDMZ {
    from interface fe-0/0/2.0;
    then accept;
}
policy-statement SendlocalAddresses {
    from interface ge-0/0/0.0;
    then accept;
}

group EdgeLite {
    type internal;
    multihop {
        ttl 10;
    }
    advertise-peer-as;
    export [ SendlocalAddresses SendDMZ ];

........

   

Sizing an SRX5800 (SPCs and IOCs)


Hello,

I believe that with the new, more powerful SPCs, which have 4 SPUs, we do not require separate NPCs, like we used to on the old SRXs?

Do we have a guiding procedure on how many SPCs to load on an SRX5800 to achieve a certain throughput or CPS? How do we determine the number of SPCs required?

Has Juniper published the throughput of a single SPC?

 

- Related: Any chance of a new MPC card capable of 100G on the SRX5800 that is not CFP? For the sole reason that CFPs are quite expensive. Yet I see newer SRX platforms are able to do 100G ports via QSFP28.

 

Regards

Re: mysterious global address-book


Run in config mode:

#show security zones | display set | match address-book

Replace set with delete and remove them.

Recreate them using global address books.

 

Regards, Wojtek

Re: ADVPN basic configuration


Thanks, but I am looking for a working example like other vendors publish. The link is only theory, nothing practical.

Re: Sizing an SRX5800 (SPCs and IOCs)


Hi,

 

Overall, most of these questions should be asked of your preferred Juniper partner, who can answer them - but I will give some general notes.

 

  • There are no NPCs on SRX5K - only SPCs and IOCs.
  • There are internal scaling numbers, but they really depend on your use case - if you don't need extra inspection there are also possibilities to offload sessions to the IOC, giving a huge performance gain... but again, contact your partner.
  • A new SPC will soon be released with much better performance numbers, so you should actively consider whether you need an SRX5K "right now".
  • Currently no official plans for an IOC with QSFP28 ports, due to reasons I cannot publish here... but I would expect a new MPC at a later stage.

I hope this gives you at least a bit of the needed information... but please reach out to your Juniper partner or Juniper SE/account manager, who should be able to help you.



Re: mysterious global address-book


Thanks @wdusys, that worked! I did:

delete security policies from-zone r20 to-zone untrust policy r20

then, per @nellikka's suggestion, created a global address and assigned a zone to it like:

set security address-book r20 address r2 range-address 10.20.0.1 to 10.20.0.254
set address-book r20 attach zone r20

And it passes traffic!

Re: 1-to-1 NAT setup to untrust /24?


Thanks to the folks on the separate thread I got it working by using:

set security address-book r20 address r2 range-address 10.20.0.1 to 10.20.0.254
set address-book r20 attach zone r20

And it passes traffic!

Re: SRX220, SRX-MP-1VDSL2-A and VDSL Vectoring


I am also looking for the firmware for the SRX110: 12.1X46-D65 or D75 or any other... Can someone share?

Re: Sizing an SRX5800 (SPCs and IOCs)


Thank you for the feedback.

Mostly, these parts of the world are not well covered by Juniper reps, therefore these forums are quite helpful.

Will try to reach out again and see if we get some audience.

UTM - Content Filter not working


Hello guys, I have this config below but it doesn't seem to work.

Anything I'm missing, or any ideas? Thank you for any help.

 

utm {
    feature-profile {
        web-filtering {
            type juniper-local;
            juniper-local {
                profile junos-wf-local-default {
                    default block;
                    fallback-settings {
                        default block;
                        server-connectivity block;
                        timeout block;
                        too-many-requests block;
                    }
                }
            }
            juniper-enhanced {
                profile junos-wf-enhanced-default {
                    site-reputation-action {
                        harmful block;
                    }
                }
            }
        }
    }
}


Re: BGP send subnets from interfaces


By default BGP only advertises BGP routes. From your description I assume you would want to send the static routes configured (like the default), your local interfaces (direct routes) and your ISIS routes, since this is configured. For this you create an export policy and then attach that to the peer group.

 

Policy creation (the name EdgeLiteExport can be any name you want, and the term numbers are also variables that can be words as well):

 

set policy-options policy-statement EdgeLiteExport term 1 from protocol static
set policy-options policy-statement EdgeLiteExport term 1 then accept
set policy-options policy-statement EdgeLiteExport term 2 from protocol direct
set policy-options policy-statement EdgeLiteExport term 2 then accept
set policy-options policy-statement EdgeLiteExport term 3 from protocol isis
set policy-options policy-statement EdgeLiteExport term 3 then accept

set protocols bgp group EdgeLite export EdgeLiteExport

 

 

General docs on policy:

https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/routing-applying-policies-to-bgp-routes.html
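The answer's key point is that an export policy is evaluated term by term and anything no term matches falls through to the protocol's default export policy, which for BGP accepts only BGP routes. The following is an added example, not code from the thread or from Junos, that models exactly that evaluation so the effect of adding EdgeLiteExport can be checked offline. The Route and Term classes and the sample routing table are constructed assumptions; the three terms are the ones from the answer.

```python
# Added example (not from the thread or from Junos): a small model of how a
# Junos export policy decides which routes a BGP group advertises.  It shows
# why nothing was advertised with no export policy (the default BGP export
# policy accepts only BGP routes) and what the three-term EdgeLiteExport
# policy from the answer changes.  The routes are constructed samples, not
# the poster's routing table.
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str  # "bgp", "static", "direct", "isis", ...


@dataclass(frozen=True)
class Term:
    name: str
    from_protocol: str  # matches routes learned by this protocol
    then: str           # "accept" or "reject"


def bgp_default_export(route):
    """Junos default export policy for BGP: advertise only BGP-learned routes."""
    return route.protocol == "bgp"


def export_allowed(route, policy):
    """Evaluate the policy terms in order; the first term whose match
    condition fits the route decides with its accept/reject action.  A route
    matched by no term falls through to the protocol's default policy."""
    for term in policy:
        if term.from_protocol == route.protocol:
            return term.then == "accept"
    return bgp_default_export(route)


def advertised(routes, policy=()):
    """Sorted prefixes the group would advertise under `policy`."""
    return sorted(r.prefix for r in routes if export_allowed(r, policy))


# The answer's policy, one Term per "term N from protocol ... then accept".
EDGELITE_EXPORT = [
    Term("1", "static", "accept"),
    Term("2", "direct", "accept"),
    Term("3", "isis", "accept"),
]

# Constructed sample routing table.
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", "static"),
    Route("172.16.5.0/24", "direct"),
    Route("10.10.0.0/16", "isis"),
    Route("192.0.2.0/24", "bgp"),
    Route("10.99.0.0/16", "ospf"),  # no term matches: default policy applies
]

if __name__ == "__main__":
    print("no export policy:", advertised(SAMPLE_ROUTES))
    print("with EdgeLiteExport:", advertised(SAMPLE_ROUTES, EDGELITE_EXPORT))
```

Note the OSPF route in the sample: it is still not advertised after the policy is attached, because no term names its protocol and the BGP default then rejects it. On the box, `show route advertising-protocol bgp 172.16.5.251` is the check that confirms what the peer is actually being sent.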

 

Re: Route based VPNs have disappearing static routes when IKE/VPN activate


The route will be active as long as the tunnel interface next hop is up. Typically this is all the time regardless of the VPN status. But this can be overridden with RPM test probes to down the st0 interface when the tunnel is down. I suspect that may be configured on your device.

 

Look for configuration under:

services > rpm

services > ip-monitoring
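Whatever brings st0.5555 down, the symptom in the original post is the same: the /32 leaves inet.0 and the query for 90.90.90.40 silently resolves to the default route out ge-0/0/7.0. The following is an added example, not code from the thread or from Juniper, that parses `show route <prefix>` output into a small table, resolves an address against it with longest-prefix matching, and reports when two snapshots resolve differently. The two snapshots are the poster's own output with the annotations removed; the script does not talk to the SRX, it only reads text saved from a session.

```python
# Added example (not from the thread or from Juniper): parse Junos
# "show route <prefix>" output into {prefix: (protocol, gateway, interface)},
# resolve an address with longest-prefix matching and diff two snapshots, so
# a route that comes and goes with the tunnel is reported together with the
# interface that took over.  Snapshots below are the post's output with the
# "< - - -" annotations removed; nothing here connects to a device.
import ipaddress
import re

ROUTE_RE = re.compile(r"^(\S+/\d+)\s+\*\[(\w+)/(\d+)\]")
NEXT_HOP_RE = re.compile(r"^\s*>\s*(?:to\s+(\S+)\s+)?via\s+(\S+)")

SNAP_VPN_UP = """inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1w3d 20:35:39
                    > to 99.99.99.150 via ge-0/0/7.0
"""

SNAP_VPN_DEACTIVATED = """inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

90.90.90.40/32     *[Static/5] 00:02:15
                    > via st0.5555
"""


def parse_show_route(text):
    """Return {prefix: (protocol, gateway_or_None, interface)} for each active
    route in the output.  A route line is followed by its next-hop line."""
    routes, current = {}, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = NEXT_HOP_RE.match(line)
        if m and current:
            prefix, proto = current
            routes[prefix] = (proto, m.group(1), m.group(2))
            current = None
    return routes


def resolve(routes, address):
    """Longest-prefix match: (prefix, entry) for the most specific route that
    contains `address`, or None when nothing covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, entry in routes.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else (str(best[0]), best[1])


def explain_change(before, after, address):
    """One-line description of how `address` resolves differently between
    two parsed snapshots, or None when nothing changed."""
    b, a = resolve(before, address), resolve(after, address)
    if b == a:
        return None

    def fmt(r):
        return "unreachable" if r is None else f"{r[0]} via {r[1][2]}"

    return f"{address}: {fmt(b)} -> {fmt(a)}"


if __name__ == "__main__":
    deactivated = parse_show_route(SNAP_VPN_DEACTIVATED)
    active = parse_show_route(SNAP_VPN_UP)
    print(explain_change(deactivated, active, "90.90.90.40"))
```

Run periodically against saved output (or a NETCONF reply rendered as text), the diff line is the thing to alert on: a host route to a tunnel that falls back to the default route is traffic leaving unencrypted via the ISP-facing interface, which is worth knowing about well before anyone notices the VPN is "down".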

 


Re: Sizing an SRX5800 (SPCs and IOCs)


Hi again,

 

Fair enough regarding coverage of Juniper reps... if you can try to explain which scenario you are trying to solve, I will do my best to point you in the right direction in regard to scaling and performance.

 

Information needed:

* Use-case for this potential deployment

* Needed throughput now and 2-3 years ahead

* Only stateful firewall, NAT and VPN, or also security services like UTM and Sky ATP?

* Interface requirements? (number of 10G, 40G and 100G interfaces)

* Cluster or standalone node?

 

Looking forward to an update from your side.
