Channel: All SRX Services Gateway posts

Re: Route based VPNs have disappearing static routes when IKE/VPN activate


I don't see anything configured.

superit@my345srx> show services rpm ?
Possible completions:
active-servers Show configured servers
history-results Show history results
probe-results Show probe results
twamp Show TWAMP information

superit@my345srx> show services rpm active-servers

superit@my345srx> show services rpm history-results

superit@my345srx> show services rpm probe-results

superit@my345srx> show services rpm twamp server

superit@my345srx> show services rpm twamp client

superit@my345srx> show service ip-monitoring status

superit@my345srx> show configuration | display set | match rpm

superit@my345srx> show configuration | display set | match ip-monitoring

superit@my345srx>


Issue with a DSL firmware on SRX branch device


Greetings,

I need the firmware for the DSL modem. I have access to the JunOS load, and it does not seem to include the updated firmware. For example:

VBCEFS03@VBCEFS03> show version
Hostname: VBCEFS03
Model: srx110h2-va
JUNOS Software Release [12.3X48-D50.6]

VBCEFS03@VBCEFS03> show system firmware
Part             Type           Tag Current   Available Status
                                    version   version
FPC 1
  PIC 0          VDSLBCM        10  2.10.0              OK
Routing Engine 0 RE BIOS        0   2.5       2.8       OK
Routing Engine 0 RE BIOS Backup 1   2.5       2.8       OK
Routing Engine 0 RE FPGA        14  1.0.0               OK

And here's an SRX320 with one modem on 2.10.0 and one on 2.16.0, but no available firmware updates either:

FTWOFS02@FTWOFS02-VancouverSportsClub> show system firmware
Part             Type           Tag Current   Available Status
                                    version   version
FPC 1
  PIC 0          VDSLBCM        10  2.16.0              OK
FPC 2
  PIC 0          VDSLBCM        10  2.10.0              OK
Routing Engine 0 RE BIOS        0   3.1       3.2       OK
Routing Engine 0 RE BIOS Backup 1   3.1       3.2       OK

According to various documents, the version needed for vectoring is 2.16.0. I'm still unclear on whether G.INP is supported at all, and if so, which firmware is necessary.

Thank you very much in advance

Mac client disconnects from dynamic vpn after a few minutes


I have an issue with macOS Sierra and High Sierra clients disconnecting from dynamic VPN connected to an SRX 220H2.

Everything seems fine until between five and ten minutes after connecting, when the connection fails with no error message. The only way to resume is to disconnect and reconnect. The SRX is two years old and the software version is 12.1x46.

I have tried two Pulse client versions, 8.1 and 8.3.

Has anyone else seen this behaviour?

Re: Route based VPNs have disappearing static routes when IKE/VPN activate


Have you maybe configured traffic selectors? If yes, then please delete the static route, as it is added automatically.

Can you share the VPN part of the config?

Regards, Wojtek

Re: Route based VPNs have disappearing static routes when IKE/VPN activate


Yes, I obfuscated some of the data. I included the only two VPNs I have set up.

Routes are using default route (which is incorrect):

superit@my345srx> show route 66.n.n.n

inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 1w6d 13:46:30
> to 45.z.z.z via ge-0/0/7.0

superit@my345srx> show route 10.y.y.y

inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 1w6d 13:47:06
> to 45.z.z.z via ge-0/0/7.0

## Interface assignments:
set interfaces ge-0/0/6 unit 0 family inet address 45.z.z.z-4/30
set interfaces ge-0/0/7 unit 0 family inet address 45.z.z.z-1/30
set interfaces st0 unit 1 family inet
set interfaces st0 unit 5555 family inet

## First VPN:

set security zones security-zone vpn-sec-zone interfaces st0.1

set routing-options static route 66.n.n.n/32 next-hop st0.1
set routing-options static route 66.n.n.n+1/32 next-hop st0.1

## Proposals
set security ike proposal ike-proposal-robot authentication-method pre-shared-keys
set security ike proposal ike-proposal-robot dh-group group2
set security ike proposal ike-proposal-robot authentication-algorithm sha1
set security ike proposal ike-proposal-robot encryption-algorithm 3des-cbc
set security ike proposal ike-proposal-robot lifetime-seconds 86400
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs protocol esp
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs authentication-algorithm hmac-sha1-96
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs encryption-algorithm 3des-cbc
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs lifetime-seconds 86400


## Phase I
set security ike policy ike-policy-robot mode main
set security ike policy ike-policy-robot proposals ike-proposal-robot
set security ike policy ike-policy-robot pre-shared-key ascii-text "password-removed"
set security ike gateway ike-gateway-robot ike-policy ike-policy-robot
set security ike gateway ike-gateway-robot address 66.n.c.c
set security ike gateway ike-gateway-robot external-interface ge-0/0/7
set security ike gateway ike-gateway-robot version v1-only

## Phase II
set security ipsec policy ipsec-policy-robot proposals 3des-cbc-hmac-sha1-96-nopfs
set security ipsec vpn ipsec-vpn-robot-cfg bind-interface st0.1
set security ipsec vpn ipsec-vpn-robot-cfg vpn-monitor optimized
set security ipsec vpn ipsec-vpn-robot-cfg ike gateway ike-gateway-robot
set security ipsec vpn ipsec-vpn-robot-cfg ike ipsec-policy ipsec-policy-robot
set security ipsec vpn ipsec-vpn-robot-cfg establish-tunnels immediately

# Address book entries

set security address-book global address xmen-lab 45.e.e.e/32
set security address-book global address robot-0 66.n.n.n/32
set security address-book global address robot-1 66.n.n.n+1/32

## Policy-Inbound
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match source-address xmen-lab
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match destination-address robot-0
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match destination-address robot-1
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match application any
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy then permit
## Policy-Outbound
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match source-address robot-0
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match source-address robot-1
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match destination-address xmen-lab
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match application any
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy then permit

## Second VPN

set security zones security-zone vpn-sec-zone interfaces st0.5555
set routing-options static route 10.y.y.y/32 next-hop st0.5555

## Proposals
set security ike proposal ike-pro-dhg5-sha256-aes256 authentication-method pre-shared-keys
set security ike proposal ike-pro-dhg5-sha256-aes256 dh-group group5
set security ike proposal ike-pro-dhg5-sha256-aes256 authentication-algorithm sha-256
set security ike proposal ike-pro-dhg5-sha256-aes256 encryption-algorithm aes-256-cbc
set security ike proposal ike-pro-dhg5-sha256-aes256 lifetime-seconds 86400

set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs protocol esp
set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs encryption-algorithm aes-256-cbc
set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs lifetime-seconds 86400


## Phase I
set security ike policy ike-pol-x-robot mode main
set security ike policy ike-pol-x-robot proposals ike-pro-dhg5-sha256-aes256
set security ike policy ike-pol-x-robot pre-shared-key ascii-text "password-removed"
set security ike gateway ike-gw-x-robot ike-policy ike-pol-x-robot
set security ike gateway ike-gw-x-robot address 208.a.a.a
set security ike gateway ike-gw-x-robot external-interface ge-0/0/7


## Phase II
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10
set security ipsec policy ipsec-policy-x-robot proposals ipsecpro-sha1-96-aes256-nopfs
set security ipsec vpn ipsec-vpn-x-robot bind-interface st0.5555
set security ipsec vpn ipsec-vpn-x-robot vpn-monitor optimized
set security ipsec vpn ipsec-vpn-x-robot ike gateway ike-gw-x-robot
set security ipsec vpn ipsec-vpn-x-robot ike ipsec-policy ipsec-policy-x-robot
set security ipsec vpn ipsec-vpn-x-robot establish-tunnels immediately

## Address book
set security address-book global address xmen-lab 45.e.e.e/32
set security address-book global address x-robot-system 10.y.y.y/32


## Policy
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match source-address xmen-lab
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match destination-address x-robot-system
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match application any
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy then permit

set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match source-address x-robot-system
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match destination-address xmen-lab
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match application any
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy then permit
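
An added example, not part of the original post and not a Juniper tool: a small Python checker that reads a `display set` export like the one above and cross-references each route-based VPN's bind-interface against zone membership, the static routes that use it as next-hop, and the vpn-monitor setting, then lists proposals that still use legacy algorithms. The sample configuration is a constructed, cut-down copy of the posted one (with the poster's obfuscation kept); the zone line for st0.5555 is deliberately left out so the zone check has something to report. The function names, the LEGACY_ALGOS set and the message texts are my own.

```python
from collections import defaultdict

# Constructed sample, cut down from the `display set` output in the post above.
# Addresses keep the poster's obfuscation. The zone line for st0.5555 is left
# out on purpose so the zone check has something to report.
SAMPLE_CONFIG = """\
set interfaces st0 unit 1 family inet
set interfaces st0 unit 5555 family inet
set security zones security-zone vpn-sec-zone interfaces st0.1
set routing-options static route 66.n.n.n/32 next-hop st0.1
set routing-options static route 66.n.n.n+1/32 next-hop st0.1
set routing-options static route 10.y.y.y/32 next-hop st0.5555
set security ike proposal ike-proposal-robot dh-group group2
set security ike proposal ike-proposal-robot authentication-algorithm sha1
set security ike proposal ike-proposal-robot encryption-algorithm 3des-cbc
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs protocol esp
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs authentication-algorithm hmac-sha1-96
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs encryption-algorithm 3des-cbc
set security ipsec vpn ipsec-vpn-robot-cfg bind-interface st0.1
set security ipsec vpn ipsec-vpn-robot-cfg vpn-monitor optimized
set security ike proposal ike-pro-dhg5-sha256-aes256 dh-group group5
set security ike proposal ike-pro-dhg5-sha256-aes256 authentication-algorithm sha-256
set security ike proposal ike-pro-dhg5-sha256-aes256 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs encryption-algorithm aes-256-cbc
set security ipsec vpn ipsec-vpn-x-robot bind-interface st0.5555
set security ipsec vpn ipsec-vpn-x-robot vpn-monitor optimized
"""

# Algorithm tokens that current guidance treats as legacy (my own selection).
LEGACY_ALGOS = {"des-cbc", "3des-cbc", "md5", "sha1",
                "hmac-md5-96", "hmac-sha1-96", "group1", "group2"}


def parse_set_lines(text):
    """Tokenise every `set ...` line; blank lines and '#' comments are skipped."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def audit_vpns(text):
    """Cross-reference st0 bindings, zones, static routes, monitoring and proposals.
    Returns a sorted list of human-readable findings (empty means nothing flagged)."""
    zone_of = {}                  # st0.N -> zone name
    routes = defaultdict(list)    # st0.N -> [prefix, ...] routed over it
    vpns = defaultdict(dict)      # vpn name -> {"bind": st0.N, "monitor": True}
    proposals = defaultdict(set)  # proposal name -> algorithm/value tokens
    for t in parse_set_lines(text):
        if t[:3] == ["security", "zones", "security-zone"] and len(t) >= 6 and t[4] == "interfaces":
            zone_of[t[5]] = t[3]
        elif t[:3] == ["routing-options", "static", "route"] and len(t) >= 6 and t[4] == "next-hop":
            routes[t[5]].append(t[3])
        elif t[:3] == ["security", "ipsec", "vpn"] and len(t) >= 5:
            if t[4] == "bind-interface" and len(t) >= 6:
                vpns[t[3]]["bind"] = t[5]
            elif t[4] == "vpn-monitor":
                vpns[t[3]]["monitor"] = True
        elif t[:2] in (["security", "ike"], ["security", "ipsec"]) and len(t) >= 6 and t[2] == "proposal":
            proposals[t[3]].add(t[5])

    findings = []
    for name, attrs in vpns.items():
        bind = attrs.get("bind")
        if bind is None:
            findings.append(f"{name}: no bind-interface, so this is not a route-based VPN")
            continue
        if bind not in zone_of:
            findings.append(f"{name}: {bind} is not assigned to any security zone")
        if not routes.get(bind):
            findings.append(f"{name}: no static route uses {bind} as next-hop")
        if not attrs.get("monitor"):
            findings.append(f"{name}: vpn-monitor not configured, tunnel liveness is not tracked")
    for name, algos in proposals.items():
        weak = sorted(algos & LEGACY_ALGOS)
        if weak:
            findings.append(f"proposal {name}: legacy algorithms {', '.join(weak)}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_vpns(SAMPLE_CONFIG):
        print(finding)
```

Run as a script it prints the findings; with the st0.5555 zone line restored, only the proposal findings remain. The zone and route checks are the two things a reviewer looks for first when a static route to st0.N is missing from the RIB, since the route can only install while that st0 interface is up and correctly placed; the legacy-algorithm list is a reminder that both posted proposals still rely on 3DES, SHA-1 or DH group 2.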

SRX - Want to configure L3 dot1q trunk port + access ports into trunked vlans.


My current setup has an SRX with a link into an aggregation switch via a single trunk port. I would like to configure and use the other interfaces on the SRX as layer2 access ports that can be in the same vlan(s) as the ones on the trunk.

jr1.iwc.ig24# show interfaces 
ge-0/0/0 {
    vlan-tagging;
    unit 42 {
        vlan-id 42;
        family inet {
            address 192.168.0.1/24;
        }
    }
    unit 191 {
        vlan-id 191;
        family inet {
            address x.y.z.33/28;
        }
    }
    unit 376 {
        encapsulation ppp-over-ether;
        vlan-id 376;
    }
    unit 2000 {
        vlan-id 2000;
        family inet;
    }
}

I've configured fe-0/0/6 as what I would think an access port on a specific vlan would look like:

fe-0/0/6 {
    description "WIFI WAN - VLAN191";
    unit 0 {
        family ethernet-switching {
            vlan {
                members dot191;
            }
        }
    }
}

VLANS:

jr1.iwc.ig24# show vlans
dot191 {
    vlan-id 191;
}
dot376 {
    description DSL_TESTING;
    vlan-id 376;
}
dot42 {
    vlan-id 42;
}

I've set what I think the correct zones should be:

jr1.iwc.ig24# show security zones 
security-zone LAN_TRUST {
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            http;
        }
    }
    interfaces {
        ge-0/0/0.42;
    }
}
security-zone WAN_UNTRUST {
    host-inbound-traffic {
        system-services {
            ping;
        }
    }
    interfaces {
        pp0.0;
    }                                   
}
security-zone WAN_DMZ {
    host-inbound-traffic {
        system-services {
            ping;
            traceroute;
        }
    }
    interfaces {
        ge-0/0/0.191;
        fe-0/0/6.0;
    }
}

Further troubleshooting:

When I configured l3-interface references from the vlans to the vlan.X interfaces, my DSL worked but vlan.42 & vlan.191 didn't come up.

interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 42 {
            vlan-id 42;
        }
        unit 191 {
            vlan-id 191;
        }
        unit 376 {
            encapsulation ppp-over-ether;
            vlan-id 376;
        }
    }
    vlan {
        unit 42 {
            family inet {
                address 192.168.42.33/27;
            }
        }
        unit 191 {
            family inet {
                address 209.112.191.33/28;
            }
        }
    }
}
vlans {
    dot191 {
        vlan-id 191;
        l3-interface vlan.191;
    }
    dot376 {
        description DSL_TESTING;
        vlan-id 376;
    }
    dot42 {
        vlan-id 42;
        l3-interface vlan.42;
    }
}

# show interface terse | match vlan
vlan.42                 up    down inet     192.168.0.1/24
vlan.191                up    down inet     x.y.z.33/28

Everything works well as long as it's plugged into an aggregation switch, but I would like to also utilize the ports on the SRX.
In short: "How can I get ge-0/0/0.191 & fe-0/0/6.0 into the same broadcast domain?"
Thanks.

-Sean

Re: Route based VPNs have disappearing static routes when IKE/VPN activate


What is the interface status of the tunnel st0.5555 when the route is withdrawn?

And the extensive output of that interface?

Typically I would expect the tunnel interface to be down for some reason for the route not to install. The key will be finding out why the interface goes down.

Look for log messages about the interface too.

Re: SRX - Want to configure L3 dot1q trunk port + access ports into trunked vlans.


Generally for vlan.x interfaces to come up a physical interface in the same vlan needs to be up as well.

In your config, assign the physical interfaces to the vlan, or use the member function on the sub-interface instead of manually assigning the vlan-id.

Re: SRX - Want to configure L3 dot1q trunk port + access ports into trunked vlans.


Thanks, that worked. I had to move my underlying PPPoE to an actual interface vs. a logical interface, but in the end it worked.

-Sean

Re: SRX 340 occasional panic


We've been running off a USB stick for a couple of days and discovered that umass0 (da0) will fail at a certain point and a panic is inevitable. We will open another RMA. Thank you to the guys who tried to help :)

A.

login: umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
umass0: at uhub0 port 1 (addr 2) disconnected
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
umass0: at uhub0 port 1 (addr 2) disconnected
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
umass0: at uhub0 port 1 (addr 2) disconnected
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
umass0: at uhub0 port 1 (addr 2) disconnected
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
umass0: at uhub0 port 1 (addr 2) disconnected
umass0: detached
umass0: ATP Electronics ATP CG eUSB, rev 2.00/11.00, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ATP ATP CG eUSB 1100> Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 7672MB (15712256 512 byte sectors: 255H 63S/T 978C)
umass0: at uhub0 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da0:umass-sim0:0:0:0): removing device entry
umass0: detached
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci0: ERROR! xHCI do command 11 failed.
xhci0: ERROR! Failed to set address for device, slot 1.
xhci_xdev_uninit+0x160 (0x5080ffa1,0x80a80000,0xffff8010,0x54) ra 0x8016e0f4 sz 80
usbd_remove_device+0x34 (0x5080ffa1,0x80a80000,0xffff8010,0x54) ra 0x8016f2c0 sz 32
usbd_new_device+0x2dc (0xc6e38540,0x80a80000,0xffff8010,0x54) ra 0x80167ae0 sz 1136
uhub_explore+0x2f8 (0xc6e38540,0x80a80000,0xffff8010,0x54) ra 0x8016c580 sz 64
usb_discover+0x44 (0xc6e38540,0x80a80000,0xffff8010,0x54) ra 0x8016cf9c sz 24
usb_event_thread+0x68 (0xc6e38540,0x80a80000,0xffff8010,0x54) ra 0x801baab8 sz 40
fork_exit+0x230 (0xc6e38540,0x80a80000,0xffff8010,0x54) ra 0x80a6f9a0 sz 40
MipsNMIException+0x34 (0xc6e38540,0x80a80000,0xffff8010,0x54) ra 0 sz 0
pid 32, process: usb0
cpu:0-Trap cause = 2 (TLB miss (load or instr. fetch) - kernel mode)
badvaddr = 0x4, pc = 0x80161540, ra = 0x80161510, sr = 0x5080ffa3
panic: trap
cpuid = 0
KDB: stack backtrace:
SP 0: not in kernel
uart_sab82532_class+0x0 (0,0,0,0) ra 0 sz 0
pid 32, process: usb0
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
Ignoring watchdog timeout during boot/reboot
panic: Hardware watchdog timeout
cpuid = 0
Uptime: 34m43s
Dumping 228 MB:Aborting dump due to I/O error.
status == 0xb, scsi status == 0x0

** Dump failed (rc = 5) **
(da1:umass-sim1:1:0:0): Synchronize cache failed, status == 0x34, scsi status == 0x0
Automatic reboot in 15 seconds - press a key on the console to abort


NMI Exception on core:0
Watchdog status, core 0: 0xfffecdffffb
FPA INT Summery: 0x2000000000000
Err EPC: 0x80a6d7dc
Trapframe Register Dump:
zero: 0000000000000000 at: fffffffffffffffe v0: 0000000050c808e5 v1: ffffffffce9f2059
a0: 00000000000186a0 a1: ffffffff80dc06b0 a2: 00000000ffff8010 a3: 0000000000000067
t0: 00000000508008a1 t1: 0000000000000000 t2: ffffffff80011800 t3: 0000000000000800
ta0: 0000000000000000 ta1: 0000000000000001 ta2: 0000000000000000 ta3: 0000000000000000
t8: 0000000023c34600 t9: 0000000000000001 s0: 0000000006419c56 s1: 0000000009896800
s2: ffffffffc85d840f s3: ffffffffc6e3a14c s4: ffffffff80a90000 s5: 0000000000000104
s6: 0000000000000000 s7: ffffffffc6ee3420 k0: 00bb3f24808b1101 k1: 0034002000040028
gp: ffffffff80ca2a80 sp: ffffffffeafb3148 s8: ffffffff80b423cc ra: ffffffff8079a9cc
sr: 0000000050c808e5 mullo: 000000000f023000 mulhi: 0000000019000000
pc: ffffffff801ff7fc cause: 0000000040008408 badvaddr: ffffffffc6e4d61c
ErrPC: 0000000000000840
Current ticks/softticks 1828450/1819714, curproc [32] usb0
Core0: CacheErr(I/D: current: 0x2000000000000000/0xffffffffffff0000)

PCPU dump:
cpuid = 0
curthread = 0xc6ee3420: pid 32 "usb0"
ipis = 0x0
cpuid = 1
curthread = 0xc6e61000: pid 20 "idle: cpu1"
ipis = 0x0
cpuid = 2
curthread = 0xc6e5dc60: pid 19 "idle: cpu2"
ipis = 0x0
cpuid = 3
curthread = 0xc6e5da50: pid 18 "idle: cpu3"
ipis = 0x0
cpuid = 4
curthread = none
ipis = 0x0
cpuid = 5
curthread = none
ipis = 0x0
cpuid = 6
curthread = none
ipis = 0x0
cpuid = 7
curthread = none
ipis = 0x0
cpuid = 8
curthread = none
ipis = 0x0
cpuid = 9
curthread = none
ipis = 0x0
cpuid = 10
curthread = none
ipis = 0x0
cpuid = 11
curthread = none
ipis = 0x0
Memory dump of 1024 words starting at 0x80000000
0x80000000: 0829b8e3 401a4000 00000000 00000000
0x80000010: 00100000 00000000 00000000 00000000
0x80000020: 00000000 00000000 00000000 00000000
0x80000030: 00000000 00000000 00000000 00000000
0x80000040: 00000000 00000000 00000000 00000000
0x80000050: 00000000 00000000 00000000 00000000
0x80000060: 00000000 00000000 00000000 00000000
0x80000070: 00000000 00000000 00000000 00000000
0x80000080: 0829b8e3 401a4000 00000000 00000000
0x80000090: 00000000 00000000 00000000 00000000
0x800000a0: 00000000 00000000 00000000 00000000
0x800000b0: 00000000 00000000 00000000 00000000
0x800000c0: 00000000 00000000 00000000 00000000
0x800000d0: 00000000 00000000 00000000 00000000
0x800000e0: 00000000 00000000 00000000 00000000
0x800000f0: 00000000 00000000 00000000 00000000
0x80000100: 3c1b80df 277b2910 7c1a003b 001ad0c0
0x80000110: 035bd821 403ad801 ff7a0000 401a6000
0x80000120: 335a0002 17400005 00000000 3c1a80a7
0x80000130: 275af740 03400008 00000000 3c1a807c
0x80000140: 275aa92c 03400008 00000000 1000ffff
0x80000150: 00000000 42000018 00000000 00000000
0x80000160: 00000000 00000000 00000000 00000000
0x80000170: 00000000 00000000 00000000 00000000
0x80000180: 401a6000 401b6800 335a0010 001ad0c0
0x80000190: 337b007c 037ad825 3c1a80c9 275ac180
0x800001a0: 035bd021 8f5a0000 00000000 03400008
0x800001b0: 00000000 00000000 00000000 00000000
0x800001c0: 00000000 00000000 00000000 00000000
0x800001d0: 00000000 00000000 00000000 00000000
0x800001e0: 00000000 00000000 00000000 00000000
0x800001f0: 00000000 00000000 00000000 00000000
0x80000200: 00000000 00000000 00000000 00000000
0x80000210: 00000000 00000000 00000000 00000000
0x80000220: 00000000 00000000 00000000 00000000
0x80000230: 00000000 00000000 00000000 00000000
0x80000240: 00000000 00000000 00000000 00000000
0x80000250: 00000000 00000000 00000000 00000000
0x80000260: 00000000 00000000 00000000 00000000
0x80000270: 00000000 00000000 00000000 00000000
0x80000280: 00000000 00000000 00000000 00000000
0x80000290: 00000000 00000000 00000000 00000000
0x800002a0: 00000000 00000000 00000000 00000000
0x800002b0: 00000000 00000000 00000000 00000000
0x800002c0: 00000000 00000000 00000000 00000000
0x800002d0: 00000000 00000000 00000000 00000000
0x800002e0: 00000000 00000000 00000000 00000000
0x800002f0: 00000000 00000000 00000000 00000000
0x80000300: 00000000 00000000 00000000 00000000
0x80000310: 00000000 00000000 00000000 00000000
0x80000320: 00000000 00000000 00000000 00000000
0x80000330: 00000000 00000000 00000000 00000000
0x80000340: 00000000 00000000 00000000 00000000
0x80000350: 00000000 00000000 00000000 00000000
0x80000360: 00000000 00000000 00000000 00000000
0x80000370: 00000000 00000000 00000000 00000000
0x80000380: 00000000 00000000 00000000 00000000
0x80000390: 00000000 00000000 00000000 00000000
0x800003a0: 00000000 00000000 00000000 00000000
0x800003b0: 00000000 00000000 00000000 00000000
0x800003c0: 00000000 00000000 00000000 00000000
0x800003d0: 00000000 00000000 00000000 00000000
0x800003e0: 00000000 00000000 00000000 00000000
0x800003f0: 00000000 00000000 00000000 00000000
Stack trace:
R4K_GetCOUNT+0xc (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x8079a9cc sz 0
DELAY+0x54 (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x801dc318 sz 32
shutdown_panic+0x54 (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x801dd608 sz 32
boot+0x7a4 (0x186a0,0x80dc06b0,0xffff8010,0x67) ra 0x801ddee4 sz 48
panic+0x580 (0x186a0,0,0x80b48118,0x11b) ra 0x807b43b4 sz 64
panic_on_watchdog_timeout+0x78 (0x186a0,0,0x80b48118,0x11b) ra 0x807da754 sz 32
re_srxsme_watchdog_intr+0x158 (0x186a0,0,0x80b48118,0x11b) ra 0x8078aaac sz 24
mips_handle_this_interrupt+0x8c (0x186a0,0,0x80b48118,0x11b) ra 0x8078ab38 sz 40
mips_handle_interrupts+0x58 (0x186a0,0,0x80b48118,0x11b) ra 0x8078af5c sz 48
mips_interrupt+0x224 (0x186a0,0,0x80b48118,0x11b) ra 0x80a6ed14 sz 32
MipsKernIntr+0x140 (0xffffffff,0,0x80011800,0x1000) ra 0x807d175c sz 368
octeon_twsi_write_byte+0x20 (0xffffffff,0,0x80011800,0x1000) ra 0x807d1ea4 sz 32
octeon_i2c_xfer_msg_raw+0x404 (0xffffffff,0,0x80011800,0x1000) ra 0x807d2334 sz 56
i2c_write_24lc256_raw+0x7c (0xffffffff,0,0x80011800,0x80d6e910) ra 0x808145fc sz 56
srxsme_dump_on_exception+0x2c8 (0xffffffff,0,0x80011800,0x80d6e910) ra 0x80814728 sz 64
srxsme_dump_on_panic+0x1c (0xffffffff,0,0x80011800,0x80d6e910) ra 0x801dd290 sz 24
boot+0x42c (0xffffffff,0,0x80011800,0x80d6e910) ra 0x801ddee4 sz 48
panic+0x580 (0xffffffff,0,0x80011800,0xf8) ra 0x80794e80 sz 64
trap+0x1250 (0xffffffff,0,0x80011800,0xf8) ra 0x80a6e5ac sz 144
0x80a6e414+0x198 (0xffffffff,0,0x80011800,0xf8) ra 0 sz 0
pid 32, process: usb0
Resetting the system now...
cpu_reset: Stopping other CPUs
timeout stopping cpus


SPI stage 1 bootloader (Build time: Dec 9 2017 - 13:45:17)


U-Boot 2013.07-JNPR-3.5 (Build time: Dec 09 2017 - 13:45:17)

SRX_340 board revision major:1, minor:13, serial #: CY5016AF0253
OCTEON CN7130-AAP pass 1.2, Core clock: 1600 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10fc00000, size: 0x400000
DRAM: 4 GiB
Clearing DRAM...... done
Using default environment

SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Found valid SPI bootloader at offset: 0x80000, size: 1377808 bytes


U-Boot 2013.07-JNPR-3.5 (Build time: Dec 09 2017 - 13:47:20)

Using DRAM size from environment: 4096 MBytes
SATA0: not available
SATA1: not available
SATA BIST STATUS = 0x0
SRX_340 board revision major:1, minor:13, serial #: CY5016AF0253
OCTEON CN7130-AAP pass 1.2, Core clock: 1600 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10f000000, size: 0x1000000
DRAM: 4 GiB
Clearing DRAM...... done
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
PCIe: Port 0 link active, 1 lanes, speed gen2
PCIe: Link timeout on port 1, probably the slot is empty
PCIe: Port 2 not in PCIe mode, skipping
Net: octrgmii0
octeon_fdt_broadcom_config: Unknown broadcom phy for octrgmii0
Interface 4 has 1 ports (AGL)
Type the command 'usb start' to scan for USB storage devices.

Boot Media: eUSB usb
Found TPM SLB9660 TT 1.2 by Infineon
TPM initialized
Hit any key to stop autoboot: 0
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 1048576 bytes @ 0x200000 Read: OK
## Starting application at 0x8f0000a0 ...
Consoles: U-Boot console
Found compatible API, ver. 3.5
USB1:
Starting the controller
USB XHCI 1.00
scanning bus 1 for devices... 2 USB Device(s) found
USB0:
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 2 USB Device(s) found
scanning usb for storage devices... 2 Storage Device(s) found

FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.9
(builder@haku.juniper.net, Thu Nov 5 23:17:51 UTC 2015)
Memory: 4096MB
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
[0]Booting from usb slice 1
Loading /boot/defaults/loader.conf
/kernel data=0xba0974+0x152ba4 syms=[0x4+0xa0810+0x4+0xf0441]

Re: NCP Client - Phase 1 error


Hi Spuluka,

I have assigned the st0.1 interface to the Customer-VR and also to the Customer-Network zone... I already made sure that was the case and had also read the document before posting here :)

set security zones security-zone Customer-Network interfaces st0.1

set routing-instances Customer-VR interface st0.1

I have completed traceoptions on IKE with the following error:

error_code: No proposal chosen

ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 92a2000)

and the NCP log shows the following error:

Ike: NOTIFY : ISP Data Network : RECEIVED : NO_PROPOSAL_CHOSEN : 14

Still not operational...

Thanks

Re: NCP Client - Phase 1 error


Let me put the whole traceoptions output for this Client:

[Jun 4 10:23:22]---------> Received from 166.166.166.166:10952 to 195.80.24.17:0, VR 13, length 568 on IF
[Jun 4 10:23:22]ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_v1_get_sa
[Jun 4 10:23:22]ikev2_packet_st_input_v1_get_sa: FSM_SET_NEXT:ikev2_packet_st_input_v1_create_sa
[Jun 4 10:23:22]ikev2_packet_st_input_v1_create_sa: [9215c00/0] No IKE SA for packet; requesting permission to create one.
[Jun 4 10:23:22]ikev2_packet_st_input_v1_create_sa: FSM_SET_NEXT:ikev2_packet_st_connect_decision
[Jun 4 10:23:22]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jun 4 10:23:22]ike_get_sa: Start, SA = { 8f0b4c3d 27a8a164 - 00000000 00000000 } / 00000000, remote = 166.166.166.166:10952
[Jun 4 10:23:22]ike_sa_allocate: Start, SA = { 8f0b4c3d 27a8a164 - 8cb7464f cf378454 }
[Jun 4 10:23:22]ike_init_isakmp_sa: Start, remote = 166.166.166.166:10952, initiator = 0
[Jun 4 10:23:22]ikev2_fb_p1_negotiation_allocate_sa: FSM_SET_NEXT:ikev2_fb_p1_negotiation_wait_sa_done
[Jun 4 10:23:22]ikev2_fb_st_new_p1_connection_start: FSM_SET_NEXT:ikev2_fb_st_new_p1_connection_local_addresses
[Jun 4 10:23:22]ikev2_fb_st_new_p1_connection_local_addresses: FSM_SET_NEXT:ikev2_fb_st_new_p1_connection_result
[Jun 4 10:23:22]IKEv1 packet R(<none>:500 <- 166.166.166.166:500): len= 568, mID=00000000, HDR, SA, KE, Nonce, ID, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
[Jun 4 10:23:22]ike_st_i_vid: VID[0..8] = da8e9378 80010000 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = eb4c1b78 8afd4a9c ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = cbe79444 a0870de4 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = c61baca1 f1a60cc1 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
[Jun 4 10:23:22]ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
[Jun 4 10:23:22]ike_st_i_id: Start
[Jun 4 10:23:22]ike_st_i_sa_proposal: Start
[Jun 4 10:23:22]ikev2_fb_st_select_ike_sa: FSM_SET_NEXT:ikev2_fb_st_select_ike_sa_finish
[Jun 4 10:23:22]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jun 4 10:23:22]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 92a2000)
[Jun 4 10:23:22]ike_isakmp_sa_reply: Start

Re: NCP Client - Phase 1 error


I see the error message for the kb was on the wrong side, the client not the SRX.

 

This one generally means either the proposals don't match or the gateway is not matching for an aggressive tunnel this will be the hostname declarations.  I don't see a local hostname declared in the configuration.

 

I also notice you don't have an ip address assigned to the tunnel interface, I have always had an address or configured it as unnumbered with another interface.  I think you need an ip here too but that would not affect phase 1.

 

Re: NCP Client - Phase 1 error


Hi Spuluka,

 

Thanks for the response......

 

I am using a Juniper configuration sent by NCP, but changing it slightly to fit our requirements......

We are using the SRX Gateway address from the Client itself, but the dynamic requirement is there because it is for remote anywhere usage and not a specific location......

 

I have the following configured on the client:

 

aggressive mode (IKEv1)

Pre-shared-key

DH2

IPSec Policy - Automatic (There is no other option)

PFS Group - DH2

 

Policy Editor:

IKE : Pre-shared-key : AES 192 Bit : SHA

IPSec: ESP : AES 128 Bit : SHA

 

Gateway Tunnel Endpoint is correct:

 

I'm in agreement with you with regards to the "unnumbered" but NCP are adamant that this is not required.....

Re: NCP Client - Phase 1 error


Hi Spuluka,

 

I changed the hostname to user-at-hostname and Phase 1 is working.... now we are getting the same on Phase 2 - No proposal chosen, but working through it :)

Re: NCP Client - Phase 1 error


Okay. It is all up and running.

 

So, the Phase 1 (IKE) issue was a simple change of "hostname" to "user-at-hostname"

 

Phase 2.... unbelievably, the XAUTH for the pool had no Secondary DNS configured but the NCP client had 8.8.4.4... I set this to 0.0.0.0 on the Client and it all worked.


Awesome
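An added Junos configuration example (not from this thread or from NCP's template) that puts the pieces discussed above together: an aggressive-mode IKEv1 gateway for a dynamic peer identified by user-at-hostname rather than hostname, proposals matching the client settings listed earlier (PSK, DH2, AES-192/SHA for IKE, ESP AES-128/SHA with PFS group2), and an XAUTH pool that also carries a secondary DNS so the attribute the client expects exists on the gateway side instead of being zeroed on the client. All object names, addresses, the external interface, the ike-user-type setting and the placeholder secrets are assumptions.

```junos
## Phase 1 proposal matching the client's IKE policy: PSK, AES-192, SHA, DH2
set security ike proposal NCP-IKE-PROP authentication-method pre-shared-keys
set security ike proposal NCP-IKE-PROP dh-group group2
set security ike proposal NCP-IKE-PROP authentication-algorithm sha1
set security ike proposal NCP-IKE-PROP encryption-algorithm aes-192-cbc
set security ike policy NCP-IKE-POL mode aggressive
set security ike policy NCP-IKE-POL proposals NCP-IKE-PROP
set security ike policy NCP-IKE-POL pre-shared-key ascii-text "<PSK-PLACEHOLDER>"
## Dynamic peer: the IKE identity type must match what the client sends.
## 'dynamic hostname' produced NO_PROPOSAL_CHOSEN in the thread; user-at-hostname worked.
set security ike gateway NCP-GW ike-policy NCP-IKE-POL
set security ike gateway NCP-GW dynamic user-at-hostname "ncp-user@example.com"
set security ike gateway NCP-GW dynamic ike-user-type shared-ike-id
set security ike gateway NCP-GW external-interface ge-0/0/0.0
set security ike gateway NCP-GW xauth access-profile NCP-XAUTH
## Phase 2 proposal matching the client: ESP, AES-128, SHA, PFS group2
set security ipsec proposal NCP-IPSEC-PROP protocol esp
set security ipsec proposal NCP-IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal NCP-IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec policy NCP-IPSEC-POL perfect-forward-secrecy keys group2
set security ipsec policy NCP-IPSEC-POL proposals NCP-IPSEC-PROP
set security ipsec vpn NCP-VPN bind-interface st0.1
set security ipsec vpn NCP-VPN ike gateway NCP-GW
set security ipsec vpn NCP-VPN ike ipsec-policy NCP-IPSEC-POL
## XAUTH profile and address pool: both DNS attributes populated so the
## client never receives an empty secondary-dns it was configured to expect
set access profile NCP-XAUTH authentication-order password
set access profile NCP-XAUTH client ncpuser firewall-user password "<PASSWORD-PLACEHOLDER>"
set access profile NCP-XAUTH address-assignment pool NCP-POOL
set access address-assignment pool NCP-POOL family inet network 10.200.0.0/24
set access address-assignment pool NCP-POOL family inet range R1 low 10.200.0.10
set access address-assignment pool NCP-POOL family inet range R1 high 10.200.0.100
set access address-assignment pool NCP-POOL family inet xauth-attributes primary-dns 10.200.0.1/32
set access address-assignment pool NCP-POOL family inet xauth-attributes secondary-dns 10.200.0.2/32
## Numbered tunnel interface, zone and routing instance as used in the thread
set interfaces st0 unit 1 family inet address 10.201.0.1/24
set security zones security-zone Customer-Network interfaces st0.1
set routing-instances Customer-VR interface st0.1
```

After committing, `show security ike security-associations` and `show security ipsec security-associations` confirm Phase 1 and Phase 2 respectively, and the IKE traceoptions file shown earlier should no longer report "No proposal chosen".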

Re: Route based VPNs have disappearing static routes when IKE/VPN activate


Do you see this happening even when you have traffic flowing via the VPN?

 

Anand

Re: Issue with a DSL firmware on SRX branch device

Re: UTM - Content Filter not working


As pointed earlier check if you have defined UTM under the security policy. If you have defined the same check if your traffic is hitting that policy.

 

Anand

Re: Migrating SRX100H2 to SRX300


Apart from the changes in L2 switching deployment the rest would pretty much be standard. But if you are unsure you can involve Juniper Professional Services.

 

Anand
