Re: SRX 1400 commit error

June 14, 2018, 12:06 pm

Hello, here are the results from the CLI commands

Version

node0:
--------------------------------------------------------------------------
Hostname: XXXXXXXX
Model: srx1400
JUNOS Software Release [12.1X47-D25.4]

node1:
--------------------------------------------------------------------------
Hostname: XXXXXXXX
Model: srx1400
JUNOS Software Release [12.1X47-D25.4]

uptime

node0:
--------------------------------------------------------------------------
Current time: 2018-06-14 13:55:26 COT
System booted: 2018-03-18 04:12:18 COT (12w4d 09:43 ago)
Protocols started: 2018-03-18 04:16:44 COT (12w4d 09:38 ago)
Last configured: 2018-06-13 15:49:02 COT (22:06:24 ago) by admin
1:55PM up 88 days, 9:43, 3 users, load averages: 0.10, 0.12, 0.12

node1:
--------------------------------------------------------------------------
Current time: 2018-06-14 13:55:26 COT
System booted: 2018-03-18 04:12:18 COT (12w4d 09:43 ago)
Last configured: 2018-06-13 15:49:01 COT (22:06:25 ago) by root
1:55PM up 88 days, 9:43, 0 users, load averages: 0.07, 0.10, 0.03

show security pki ca-certificate detail

node0:
--------------------------------------------------------------------------

Certificate identifier: CAs_Trust_4
Certificate version: 3
Serial number: 02ac5c266a0b409b8f0b79f2ae462577
Issuer:
Organization: DigiCert Inc, Organizational unit: www.digicert.com, Country: US, Common name: DigiCert High Assurance EV Root CA
Subject:
Organization: DigiCert Inc, Organizational unit: www.digicert.com, Country: US, Common name: DigiCert High Assurance EV Root CA
Subject string:
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Validity:
Not before: 11-10-2006 00:00 UTC
Not after: 11-10-2031 00:00 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:c6:cc:e5:73:e6:fb:d4:bb:e5:2d:2d
32:a6:df:e5:81:3f:c9:cd:25:49:b6:71:2a:c3:d5:94:34:67:a2:0a
1c:b0:5f:69:a6:40:b1:c4:b7:b2:8f:d0:98:a4:a9:41:59:3a:d3:dc
94:d6:3c:db:74:38:a4:4a:cc:4d:25:82:f7:4a:a5:53:12:38:ee:f3
49:6d:71:91:7e:63:b6:ab:a6:5f:c3:a4:84:f8:4f:62:51:be:f8:c5
ec:db:38:92:e3:06:e5:08:91:0c:c4:28:41:55:fb:cb:5a:89:15:7e
71:e8:35:bf:4d:72:09:3d:be:3a:38:50:5b:77:31:1b:8d:b3:c7:24
45:9a:a7:ac:6d:00:14:5a:04:b7:ba:13:eb:51:0a:98:41:41:22:4e
65:61:87:81:41:50:a6:79:5c:89:de:19:4a:57:d5:2e:e6:5d:1c:53
2c:7e:98:cd:1a:06:16:a4:68:73:d0:34:04:13:5c:a1:71:d3:5a:7c
55:db:5e:64:e1:37:87:30:56:04:e5:11:b4:29:80:12:f1:79:39:88
a2:02:11:7c:27:66:b7:88:b7:78:f2:ca:0a:a8:38:ab:0a:64:c2:bf
66:5d:95:84:c1:a1:25:1e:87:5d:1a:50:0b:20:12:cc:41:bb:6e:0b
51:38:b8:4b:cb:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Use for key: CRL signing, Certificate signing, Digital signature
Fingerprint:
5f:b7:ee:06:33:e2:59:db:ad:0c:4c:9a:e6:d3:8f:1a:61:c7:dc:25 (sha1)
d4:74:de:57:5c:39:b2:d3:9c:85:83:c5:c0:65:49:8a (md5)

Certificate identifier: CAs_Trust_8
Certificate version: 3
Serial number: 0a5f114d035b179117d2efd4038c3f3b
Issuer:
Organization: DigiCert Inc, Organizational unit: www.digicert.com, Country: US, Common name: DigiCert High Assurance EV Root CA
Subject:
Organization: DigiCert Inc, Organizational unit: www.digicert.com, Country: US, Common name: DigiCert High Assurance CA-3
Subject string:
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Validity:
Not before: 04- 2-2008 12:00 UTC
Not after: 04- 3-2022 00:00 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:bf:61:0a:29:10:1f:5e:fe:34:37:51
08:f8:1e:fb:22:ed:61:be:0b:0d:70:4c:50:63:26:75:15:b9:41:88
97:b6:f0:a0:15:bb:08:60:e0:42:e8:05:29:10:87:36:8a:28:65:a8
ef:31:07:74:6d:36:97:2f:28:46:66:04:c7:2a:79:26:7a:99:d5:8e
c3:6d:4f:a0:5e:ad:bc:3d:91:c2:59:7b:5e:36:6c:c0:53:cf:00:08
32:3e:10:64:58:10:13:69:c7:0c:ee:9c:42:51:00:f9:05:44:ee:24
ce:7a:1f:ed:8c:11:bd:12:a8:f3:15:f4:1c:7a:31:69:01:1b:a7:e6
5d:c0:9a:6c:7e:09:9e:e7:52:44:4a:10:3a:23:e4:9b:b6:03:af:a8
9c:b4:5b:9f:d4:4b:ad:92:8c:ce:b5:11:2a:aa:37:18:8d:b4:c2:b8
d8:5c:06:8c:f8:ff:23:bd:35:5e:d4:7c:3e:7e:83:0e:91:96:05:98
c3:b2:1f:e3:c8:65:eb:a9:7b:5d:a0:2c:cc:fc:3c:d9:6d:ed:cc:fa
4b:43:8c:c9:d4:b8:a5:61:1c:b2:40:b6:28:12:df:b9:f8:5f:fe:d3
b2:c9:ef:3d:b4:1e:4b:7c:1c:4c:99:36:9e:3d:eb:ec:a7:68:5e:1d
df:67:6e:5e:fb:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Authority Information Access OCSP:
http://ocsp.digicert.com
Use for key: CRL signing, Certificate signing, Digital signature
Fingerprint:
42:85:78:55:fb:0e:a4:3f:54:c9:91:1e:30:e7:79:1d:8c:e8:27:05 (sha1)
c6:8b:99:30:c8:57:8d:41:6f:8c:09:4e:6a:db:0c:90 (md5)

Certificate identifier: CAs_Trust_3
Certificate version: 3
Serial number: 08457721d8ac28f3
Issuer:
Organization: Google Inc, Country: US, Common name: Google Internet Authority G2
Subject:
Organization: Google Inc, Country: US, State: California, Locality: Mountain View, Common name: *.google.com
Subject string:
C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com
Alternate subject: email empty, youtubeeducation.com, ip empty
Validity:
Not before: 03-25-2015 15:50 UTC
Not after: 06-23-2015 00:00 UTC
Public key algorithm: ecdsaEncryption(256 bits)
04:0c:7a:9c:89:70:e6:64:31:ad:54:9a:26:c1:8c:f2:01:38:5b:1c
67:f2:50:ca:83:8f:02:35:4b:30:ef:3e:13:10:22:7f:be:2b:7c:82
59:8c:03:d2:c5:b0:41:19:00:92:b5:9e:48:f7:2a:12:ac:40:76:ec
93:2c:c5:cd:16
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://pki.google.com/GIAG2.crl
Authority Information Access OCSP:
http://clients1.google.com/ocsp
Use for key: Digital signature, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2
Fingerprint:
50:92:e7:91:16:53:cc:fc:f7:97:dc:e9:54:de:94:68:47:88:c0:fa (sha1)
31:a0:e4:6d:42:20:11:7a:6e:63:b5:d3:32:be:07:1e (md5)

Certificate identifier: CAs_Trust_6
Certificate version: 3
Serial number: 7ee14a6f6feff2d37f3fad654d3adab4
Issuer:
Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US,
Common name: VeriSign Class 3 Public Primary Certification Authority - G5
Subject:
Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 EV SSL CA - G3
Subject string:
C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 EV SSL CA - G3
Validity:
Not before: 10-31-2013 00:00 UTC
Not after: 10-30-2023 23:59 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:d8:a1:65:74:23:e8:2b:64:e2:32:d7
33:37:3d:8e:f5:34:16:48:dd:4f:7f:87:1c:f8:44:23:13:8e:fb:11
d8:44:5a:18:71:8e:60:16:26:92:9b:fd:17:0b:e1:71:70:42:fe:bf
fa:1c:c0:aa:a3:a7:b5:71:e8:ff:18:83:f6:df:10:0a:13:62:c8:3d
9c:a7:de:2e:3f:0c:d9:1d:e7:2e:fb:2a:ce:c8:9a:7f:87:bf:d8:4c
04:15:32:c9:d1:cc:95:71:a0:4e:28:4f:84:d9:35:fb:e3:86:6f:94
53:e6:72:8a:63:67:2e:be:69:f6:f7:6e:8e:9c:60:04:eb:29:fa:c4
47:42:d2:78:98:e3:ec:0b:a5:92:dc:b7:9a:bd:80:64:2b:38:7c:38
09:5b:66:f6:2d:95:7a:86:b2:34:2e:85:9e:90:0e:5f:b7:5d:a4:51
72:46:70:13:bf:67:f2:b6:a7:4d:14:1e:6c:b9:53:ee:23:1a:4e:8d
48:55:43:41:b1:89:75:6a:40:28:c5:7d:dd:d2:6e:d2:02:19:2f:7b
24:94:4b:eb:f1:1a:a9:9b:e3:23:9a:ea:fa:33:ab:0a:2c:b7:f4:60
08:dd:9f:1c:cd:dd:2d:01:66:80:af:b3:2f:29:1d:23:b8:8a:e1:a1
70:07:0c:34:0f:02:03:01:00:01
Signature algorithm: sha256WithRSAEncryption
Distribution CRL:
http://s1.symcb.com/pca3-g5.crl
Authority Information Access OCSP:
http://s2.symcb.com
Use for key: CRL signing, Certificate signing
Fingerprint:
e3:fc:0a:d8:4f:2f:5a:83:ed:6f:86:f5:67:f8:b1:4b:40:dc:bf:12 (sha1)
df:51:ce:65:bc:43:f9:1b:3e:1e:cf:48:ab:23:36:25 (md5)

Certificate identifier: CAs_Trust_7
Certificate version: 3
Serial number: 18dad19e267de8bb4a2158cdcc6b3b4a
Issuer:
Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US,
Common name: VeriSign Class 3 Public Primary Certification Authority - G5
Subject:
Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US,
Common name: VeriSign Class 3 Public Primary Certification Authority - G5
Subject string:
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
Validity:
Not before: 11- 8-2006 00:00 UTC
Not after: 07-16-2036 23:59 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:af:24:08:08:29:7a:35:9e:60:0c:aa
e7:4b:3b:4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:08:a3
64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:2a:aa:a6:42:b3:8f:f8
b9:55:b7:b1:b7:4b:b3:fe:8f:7e:07:57:ec:ef:43:db:66:62:15:61
cf:60:0d:a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:54:85
26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:d8:43:63:6a:52:4b:d2
8f:e8:70:51:4d:d1:89:69:7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b
56:d3:96:bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:f4:06
04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:ba:f4:3c:ee:e0:8b:eb
37:8b:ec:f4:d7:ac:f2:f6:f0:3d:af:dd:75:91:33:19:1d:1c:40:cb
74:24:19:21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:63:47
88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:ae:0e:9d:d4:d1:43:c0
67:73:e3:14:08:7e:e5:3f:9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a
ee:53:e8:25:15:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Use for key: CRL signing, Certificate signing
Fingerprint:
4e:b6:d5:78:49:9b:1c:cf:5f:58:1e:ad:56:be:3d:9b:67:44:a5:e5 (sha1)
cb:17:e4:31:67:3e:e2:09:fe:45:57:93:f3:0a:fa:1c (md5)

Certificate identifier: CAs_Trust_1
Certificate version: 3
Serial number: 017152bcc760edc615dd8e4f57c86c0f
Issuer:
Organization: DigiCert Inc, Organizational unit: www.digicert.com, Country: US, Common name: DigiCert High Assurance CA-3
Subject:
Organization: "Facebook, Country: US, State: CA, Locality: Menlo Park, Common name: *.facebook.com
Subject string:
C=US, ST=CA, L=Menlo Park, O="Facebook, Inc.", CN=*.facebook.com
Alternate subject: email empty, messenger.com, ip empty
Validity:
Not before: 08-28-2014 00:00 UTC
Not after: 10-28-2015 12:00 UTC
Public key algorithm: ecdsaEncryption(256 bits)
04:d8:d1:dd:35:bd:e2:59:b6:fb:9b:1f:54:15:8c:db:bf:4e:58:bd
47:be:b8:10:fc:22:e9:d2:9e:98:f8:49:2a:25:fb:94:46:e4:42:99
84:50:1c:5f:01:fd:14:25:31:5c:4e:d9:64:fd:c5:0c:b3:46:d2:a1
bc:70:b4:87:8e
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://crl3.digicert.com/ca3-g29.crl
http://crl4.digicert.com/ca3-g29.crl
Authority Information Access OCSP:
http://ocsp.digicert.com
Use for key: Key agreement, Digital signature, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2
Fingerprint:
1f:2c:54:32:74:9e:2b:72:44:69:50:dc:68:7e:b0:e4:d3:ea:de:7a (sha1)
01:3c:39:86:2a:a5:45:09:8d:97:a7:fb:ed:ef:99:70 (md5)

Certificate identifier: CAs_Trust_2
Certificate version: 3
Serial number: 4da05b6587650f75ad343ae8ce4265d5
Issuer:
Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: Terms of use at https:, Country: US,
Common name: VeriSign Class 3 Secure Server CA - G3
Subject:
Organization: Yahoo Inc., Country: US, State: California, Locality: Sunnyvale, Common name: ww1.yahoo.com
Subject string:
C=US, ST=California, L=Sunnyvale, O=Yahoo Inc., CN=ww1.yahoo.com
Alternate subject: email empty, ymail.com, ip empty
Validity:
Not before: 03-16-2015 00:00 UTC
Not after: 04-24-2015 23:59 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:bd:6b:1f:e1:47:2d:36:f3:5c:88:76
c8:5e:e9:24:c9:3b:02:fb:6c:17:31:20:c2:65:a0:e5:1f:d7:0b:9c
6a:91:7c:90:a0:19:c6:29:7c:74:c5:20:88:bf:17:68:a1:f8:c4:ad
4a:92:ab:52:a2:13:ed:81:5b:ce:06:e2:3f:a4:19:ab:e5:0c:ad:c9
fd:b1:6d:ea:52:42:ed:b4:99:ad:da:b9:3e:a7:21:4a:df:fb:f2:1c
84:b4:a1:b4:ba:15:88:10:08:c0:8e:af:e8:9e:70:53:4e:b3:85:5b
c1:6d:fb:a8:7f:78:ee:95:6e:58:a8:4a:a5:52:de:e7:a3:04:c6:c8
58:a6:9a:ce:8e:23:2e:86:63:a3:0f:ce:95:6d:2c:65:10:50:ee:b2
ce:ac:f5:ca:72:f4:5c:ee:87:25:7a:33:3c:be:b2:e5:17:32:31:dd
d2:92:7d:e2:24:6f:cd:50:ee:eb:d7:cc:64:67:5d:a4:b2:7b:d6:22
34:65:5b:4d:e1:d3:50:b1:28:62:39:60:42:ad:12:ba:9d:03:6a:ed
9b:5d:b7:92:a2:cb:e3:50:f9:78:20:a3:44:e2:e1:67:7d:ad:a9:13
a7:a6:a1:e1:4e:51:fa:1d:c6:06:55:25:95:b8:d8:25:e7:20:04:5a
93:3e:c8:89:43:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://sd.symcb.com/sd.crl
Authority Information Access OCSP:
http://sd.symcd.com
Use for key: Key encipherment, Digital signature, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2
Fingerprint:
ba:32:f6:ed:ec:4a:20:69:d7:fd:93:d6:f2:38:0c:a9:4e:38:ce:f5 (sha1)
cd:2e:b3:f6:be:7c:b0:62:35:cd:91:a8:51:41:7d:af (md5)

Certificate identifier: CAs_Trust_10
Certificate version: 3
Serial number: 00023456
Issuer:
Organization: GeoTrust Inc., Country: US, Common name: GeoTrust Global CA
Subject:
Organization: GeoTrust Inc., Country: US, Common name: GeoTrust Global CA
Subject string:
C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Validity:
Not before: 05-21-2002 04:00 UTC
Not after: 05-21-2022 04:00 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:da:cc:18:63:30:fd:f4:17:23:1a:56
7e:5b:df:3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8:43:b6
03:e9:4d:21:07:08:88:da:58:2f:66:39:29:bd:05:78:8b:9d:38:e8
05:b7:6a:7e:71:a4:e6:c4:60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6
ed:83:f3:ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92:2e:4f
ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d:80:7a:57:ad:f2:ee:5f
6b:d2:00:8d:b9:14:f8:14:15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9
55:2b:cd:d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6:d4:d5
7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5:5c:4f:8c:2d:fe:50:23
36:fc:66:e6:cb:8e:a4:39:19:00:b7:95:02:39:91:0b:0e:fe:38:2e
d1:1d:05:9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2:fa:36
53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32:eb:18:03:28:52:04:71
e5:ab:33:3d:e1:38:bb:07:36:84:62:9c:79:ea:16:30:f4:5f:c0:2b
e8:71:6b:e4:f9:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
de:28:f4:a4:ff:e5:b9:2f:a3:c5:03:d1:a3:49:a7:f9:96:2a:82:12 (sha1)
f7:75:ab:29:fb:51:4e:b7:77:5e:ff:05:3c:99:8e:f5 (md5)

Certificate identifier: CAs_Trust_9
Certificate version: 3
Serial number: 00023a76
Issuer:
Organization: GeoTrust Inc., Country: US, Common name: GeoTrust Global CA
Subject:
Organization: Google Inc, Country: US, Common name: Google Internet Authority G2
Subject string:
C=US, O=Google Inc, CN=Google Internet Authority G2
Validity:
Not before: 04- 5-2013 15:15 UTC
Not after: 12-31-2016 23:59 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:9c:2a:04:77:5c:d8:50:91:3a:06:a3
82:e0:d8:50:48:bc:89:3f:f1:19:70:1a:88:46:7e:e0:8f:c5:f1:89
ce:21:ee:5a:fe:61:0d:b7:32:44:89:a0:74:0b:53:4f:55:a4:ce:82
62:95:ee:eb:59:5f:c6:e1:05:80:12:c4:5e:94:3f:bc:5b:48:38:f4
53:f7:24:e6:fb:91:e9:15:c4:cf:f4:53:0d:f4:4a:fc:9f:54:de:7d
be:a0:6b:6f:87:c0:d0:50:1f:28:30:03:40:da:08:73:51:6c:7f:ff
3a:3c:a7:37:06:8e:bd:4b:11:04:eb:7d:24:de:e6:f9:fc:31:71:fb
94:d5:60:f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd:15:4b
8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84:35:69:65:84:c8:19:c5
46:22:f8:53:95:be:e3:80:4a:10:c6:2a:ec:ba:97:20:11:c7:39:99
10:04:a0:f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14:fc:ce
22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1:de:7b:af:45:33:cf:ba
3e:71:b7:de:f4:25:25:c2:0d:35:89:9d:9d:fb:0e:11:79:89:1e:37
c5:af:8e:72:69:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://g.symcb.com/crls/gtglobal.crl
Authority Information Access OCSP:
http://g.symcd.com
Use for key: CRL signing, Certificate signing
Fingerprint:
bb:dc:e1:3e:9d:53:7a:52:29:91:5c:b1:23:c7:aa:b0:a8:55:e7:98 (sha1)
46:f1:bf:2f:24:dd:3a:a9:cf:d7:60:a3:ba:de:5e:c7 (md5)

Certificate identifier: CAs_Trust_11
Certificate version: 3
Serial number: 6ecc7aa5a7032009b8cebcf4e952d491
Issuer:
Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US,
Common name: VeriSign Class 3 Public Primary Certification Authority - G5
Subject:
Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: Terms of use at https:, Country: US,
Common name: VeriSign Class 3 Secure Server CA - G3
Subject string:
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
Validity:
Not before: 02- 8-2010 00:00 UTC
Not after: 02- 7-2020 23:59 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:b1:87:84:1f:c2:0c:45:f5:bc:ab:25
97:a7:ad:a2:3e:9c:ba:f6:c1:39:b8:8b:ca:c2:ac:56:c6:e5:bb:65
8e:44:4f:4d:ce:6f:ed:09:4a:d4:af:4e:10:9c:68:8b:2e:95:7b:89
9b:13:ca:e2:34:34:c1:f3:5b:f3:49:7b:62:83:48:81:74:d1:88:78
6c:02:53:f9:bc:7f:43:26:57:58:33:83:3b:33:0a:17:b0:d0:4e:91
24:ad:86:7d:64:12:dc:74:4a:34:a1:1d:0a:ea:96:1d:0b:15:fc:a3
4b:3b:ce:63:88:d0:f8:2d:0c:94:86:10:ca:b6:9a:3d:ca:eb:37:9c
00:48:35:86:29:50:78:e8:45:63:cd:19:41:4f:f5:95:ec:7b:98:d4
c4:71:b3:50:be:28:b3:8f:a0:b9:53:9c:f5:ca:2c:23:a9:fd:14:06
e8:18:b4:9a:e8:3c:6e:81:fd:e4:cd:35:36:b3:51:d3:69:ec:12:ba
56:6e:6f:9b:57:c5:8b:14:e7:0e:c7:9c:ed:4a:54:6a:c9:4d:c5:bf
11:b1:ae:1c:67:81:cb:44:55:33:99:7f:24:9b:3f:53:45:7f:86:1a
f3:3c:fa:6d:7f:81:f5:b8:4a:d3:f5:85:37:1c:b5:a6:d0:09:e4:18
7b:38:4e:fa:0f:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://crl.verisign.com/pca3-g5.crl
Authority Information Access OCSP:
http://ocsp.verisign.com
Use for key: CRL signing, Certificate signing
Fingerprint:
5d:eb:8f:33:9e:26:4c:19:f6:68:6f:5f:8f:32:b5:4a:4c:46:b4:76 (sha1)
3c:48:42:0d:ff:58:1a:38:86:bc:fd:41:d4:8a:41:de (md5)

Certificate identifier: CAs_Trust_12
Certificate version: 3
Serial number: 2c48dd930df5598ef93c99547a60ed43
Issuer:
Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US,
Common name: VeriSign Class 3 Public Primary Certification Authority - G5
Subject:
Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: Terms of use at https:, Country: US,
Common name: VeriSign Class 3 Extended Validation SSL SGC CA
Subject string:
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL SGC CA
Validity:
Not before: 11- 8-2006 00:00 UTC
Not after: 11- 7-2016 23:59 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:bd:56:88:ba:88:34:64:64:cf:cd:ca
b0:ee:e7:19:73:c5:72:d9:bb:45:bc:b5:a8:ff:83:be:1c:03:db:ed
89:b7:2e:10:1a:25:bc:55:ca:41:a1:9f:0b:cf:19:5e:70:b9:5e:39
4b:9e:31:1c:5f:87:ae:2a:aa:a8:2b:a2:1b:3b:10:23:5f:13:b1:dd
08:8c:4e:14:da:83:81:e3:b5:8c:e3:68:ed:24:67:ce:56:b6:ac:9b
73:96:44:db:8a:8c:b3:d6:f0:71:93:8e:db:71:54:4a:eb:73:59:6a
8f:70:51:2c:03:9f:97:d1:cc:11:7a:bc:62:0d:95:2a:c9:1c:75:57
e9:f5:c7:ea:ba:84:35:cb:c7:85:5a:7e:e4:4d:e1:11:97:7d:0e:20
34:45:db:f1:a2:09:eb:eb:3d:9e:b8:96:43:5e:34:4b:08:25:1e:43
1a:a2:d9:b7:8a:01:34:3d:c3:f8:e5:af:4f:8c:ff:cd:65:f0:23:4e
c5:97:b3:5c:da:90:1c:82:85:0d:06:0d:c1:22:b6:7b:28:a4:03:c3
4c:53:d1:58:bc:72:bc:08:39:fc:a0:76:a8:a8:e9:4b:6e:88:3d:e3
b3:31:25:8c:73:29:48:0e:32:79:06:ed:3d:43:f4:f6:e4:e9:fc:7d
be:8e:08:d5:1f:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
http://EVSecure-crl.verisign.com/pca3-g5.crl
Authority Information Access OCSP:
http://EVSecure-ocsp.verisign.com
Use for key: CRL signing, Certificate signing, Netscape Server Gated Crypto, 2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1, 2.16.840.1.113733.1.8.1,
TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2
Fingerprint:
b1:80:39:89:98:31:f1:52:61:46:67:cf:23:ff:ce:a2:b0:e7:3d:ab (sha1)
ca:d5:a7:99:dd:90:93:60:b8:7c:31:9b:de:d5:f3:2f (md5)

security pki local-certificate detail

Certificate identifier: SELF-SIGNED
Certificate version: 3
Serial number: b77f2f6ffa71a11818c25fae7a354f15
Issuer:
Domain component: areandina, Domain component: local
Subject:
Domain component: areandina, Domain component: local
Subject string:
DC=areandina, DC=local
Alternate subject: "admin@fuaa.edu.co", fuaa.edu.co, 192.168.11.2
Validity:
Not before: 03-30-2015 00:49 UTC
Not after: 03-28-2020 00:49 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:cb:30:cd:68:ae:50:d9:8b:af:91:7a
1c:15:a9:f7:aa:80:7a:a0:71:50:59:44:2c:ab:c7:34:49:4f:91:0b
93:55:72:99:5b:d7:3a:12:da:91:a2:d2:29:d2:ab:d5:2b:b8:f7:bd
8c:ce:fa:eb:53:db:72:0b:ef:11:c3:24:48:a1:99:4f:79:75:fd:59
7c:b2:9e:d4:56:6f:f8:51:da:cd:19:a4:a1:a6:98:55:a4:7e:28:09
f0:4b:e8:7d:46:93:db:96:2f:76:ae:0b:17:bf:4a:53:08:b9:21:57
99:a6:86:ab:c9:93:ea:e0:bf:9a:dd:b2:e6:b8:45:98:b6:c2:7b:54
8d:1e:d0:92:21:ca:ff:bb:92:ab:87:f2:12:73:f6:48:aa:b1:e7:91
49:ef:18:18:78:53:35:52:6d:87:80:7e:fa:67:6f:06:25:6e:fd:04
db:da:16:9d:17:5f:63:c8:a5:cc:e3:08:20:72:f2:30:01:73:4a:4a
22:50:7c:df:79:61:30:a6:d0:2d:83:62:45:91:57:21:72:cd:68:53
ac:63:18:1c:02:3e:f7:45:54:1a:f4:6b:40:0c:89:6a:ef:84:80:7d
91:04:e3:bb:ef:ce:b3:b2:93:12:c5:fe:c7:4f:1c:73:4f:c0:00:22
2b:86:df:fc:cf:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Use for key: CRL signing, Certificate signing
Fingerprint:
77:43:25:2b:f2:bd:17:83:c7:7b:ac:09:cd:9c:4c:1d:58:3c:ef:6b (sha1)
4c:d3:77:12:3f:44:0d:d0:89:7a:36:ee:df:41:c8:02 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started

Certificate identifier: ssl-inspect-ca
Certificate version: 3
Serial number: ffb749fe9a450811
Issuer:
Organization: areandina, Organizational unit: security, Country: CO, State: BOG, Locality: BOG, Common name: areandina.edu.co
Subject:
Organization: areandina, Organizational unit: security, Country: CO, State: BOG, Locality: BOG, Common name: areandina.edu.co
Subject string:
C=CO, ST=BOG, L=BOG, O=areandina, OU=security, CN=areandina.edu.co, emailAddress=admin@areandina.edu.co
Validity:
Not before: 04- 6-2015 02:20 UTC
Not after: 04- 5-2018 02:20 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:ba:6e:15:6f:70:e2:38:eb:39:ea:9c
37:df:b8:8a:68:76:19:48:90:bb:f6:c3:1b:f5:f7:d9:af:1e:04:a1
ba:9a:f9:61:52:f9:fa:47:9f:4f:9e:ef:c2:d9:5c:02:de:b7:42:36
1a:99:b1:20:66:2e:e7:7f:5a:32:3b:ad:5e:26:0a:1a:09:53:36:ed
ca:92:2e:a5:85:47:ef:a6:a6:b8:f2:fa:f9:b1:74:e4:d8:0f:68:31
b1:68:a5:dc:2e:2f:00:d2:5f:34:ed:08:50:02:cc:d8:1f:c4:d9:e2
ff:65:83:27:ef:3a:1e:50:77:a0:cf:bf:08:cb:5a:f2:4e:25:92:c0
f6:ea:db:96:07:55:79:5b:11:42:eb:b6:c6:24:d2:43:0c:1b:15:48
5e:ae:7b:8b:f5:7f:87:37:11:a0:7a:71:5e:9b:16:7c:8b:66:51:81
94:6b:f8:dd:02:de:f1:2b:33:a7:ef:75:27:2c:bd:b7:3e:fd:a8:c1
33:c3:1b:a4:47:9b:d8:e2:5b:e7:96:b4:11:04:d2:e0:ab:95:db:f8
68:c4:6c:ae:e3:fa:cd:ac:7b:10:36:45:73:d4:3f:80:05:ea:34:66
56:04:9b:a1:3c:91:ad:d2:12:4c:6d:bc:00:32:98:4d:e3:9e:62:fb
80:3c:ca:4f:6b:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
ff:c1:e6:40:7f:cd:44:0c:e0:89:46:86:3a:b0:2c:dc:dc:52:79:39 (sha1)
ac:9b:0a:f9:d9:a2:44:72:47:ca:27:06:c5:16:00:d8 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started

show configuration security pki | display set

set security pki ca-profile CAs_Trust_1 ca-identity CAs_Trust_1
set security pki ca-profile CAs_Trust_2 ca-identity CAs_Trust_2
set security pki ca-profile CAs_Trust_3 ca-identity CAs_Trust_3
set security pki ca-profile CAs_Trust_4 ca-identity CAs_Trust_4
set security pki ca-profile CAs_Trust_5 ca-identity CAs_Trust_5
set security pki ca-profile CAs_Trust_6 ca-identity CAs_Trust_6
set security pki ca-profile CAs_Trust_7 ca-identity CAs_Trust_7
set security pki ca-profile CAs_Trust_8 ca-identity CAs_Trust_8
set security pki ca-profile CAs_Trust_9 ca-identity CAs_Trust_9
set security pki ca-profile CAs_Trust_10 ca-identity CAs_Trust_10
set security pki ca-profile CAs_Trust_11 ca-identity CAs_Trust_11
set security pki ca-profile CAs_Trust_12 ca-identity CAs_Trust_12
set security pki ca-profile-group CAs_Trust cert-base-count 12

Thanks

↧

Re: SRX 1400 commit error

June 14, 2018, 3:26 pm

≫ Next: Re: more specific monitoring via automation for high-end SRX(s)

≪ Previous: Re: SRX 1400 commit error

And this is where you have a problem (certificate expired):

Certificate identifier: ssl-inspect-ca
Certificate version: 3
Serial number: ffb749fe9a450811
Issuer:
Organization: areandina, Organizational unit: security, Country: CO, State: BOG, Locality: BOG, Common name: areandina.edu.co
Subject:
Organization: areandina, Organizational unit: security, Country: CO, State: BOG, Locality: BOG, Common name: areandina.edu.co
Subject string:
C=CO, ST=BOG, L=BOG, O=areandina, OU=security, CN=areandina.edu.co, emailAddress=admin@areandina.edu.co
Validity:
Not before: 04- 6-2015 02:20 UTC
Not after: 04- 5-2018 02:20 UTC
Public key algorithm: rsaEncryption(2048 bits)

Regards

Leon Smirnov

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

↧

Re: more specific monitoring via automation for high-end SRX(s)

June 14, 2018, 4:21 pm

≫ Next: Can I use advpn conbination with FBF ?

≪ Previous: Re: SRX 1400 commit error

I haven't seen any reply since I posted my topic (more specific monitoring via automation for high-end SRX(s)). I am not sure but can you please advise this topic should be here or in the Automation section? Thanks.

↧

Can I use advpn conbination with FBF ?

June 14, 2018, 7:59 pm

≫ Next: some erros on the SRX

≪ Previous: Re: more specific monitoring via automation for high-end SRX(s)

Hi expert
Can I use advpn conbination with FBF ?

↧

some erros on the SRX

June 14, 2018, 10:23 pm

≫ Next: Re: SRX 1400 commit error

≪ Previous: Can I use advpn conbination with FBF ?

Hi All,

Recently the following log messages have been taking place on the high end SRX in cluster environment. Is any one experiencing in these errors?

node0.fpc0.pic0 cpu_util_usp_ipc_cmd_handler: message is type 4
node0.fpc0.pic1 cpu_util_usp_ipc_cmd_handler: message is type 4
node0.fpc0.pic2 cpu_util_usp_ipc_cmd_handler: message is type 4
node0.fpc0.pic3 cpu_util_usp_ipc_cmd_handler: message is type 4
node0.fpc0.pic0 cpu_util_usp_ipc_cmd_handler: message is type 4
node0.fpc0.pic1 cpu_util_usp_ipc_cmd_handler: message is type 4
node0.fpc0.pic2 cpu_util_usp_ipc_cmd_handler: message is type 4
node0.fpc0.pic3 cpu_util_usp_ipc_cmd_handler: message is type 4
rpd[2740]: Decode ifd ge-5/3/9 index 172: ifdm_flags 0xc001
rpd[2740]: EVENT <UpDown> ge-5/3/9.0 index 101 <Broadcast Multicast> address #0 0.10.db.ff.b0.0
rpd[2740]: EVENT <UpDown> ge-5/3/9 index 172 <Broadcast Multicast> address #0 0.10.db.ff.b0.0
/kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
mib2d[2796]: SNMP_TRAP_LINK_DOWN: ifIndex 680, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-5/3/9
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
/kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
rpd[2740]: Decode ifd ge-5/3/9 index 172: ifdm_flags 0xc000
rpd[2740]: EVENT <UpDown> ge-5/3/9.0 index 101 <Up Broadcast Multicast> address #0 0.10.db.ff.b0.0
rpd[2740]: EVENT <UpDown> ge-5/3/9 index 172 <Up Broadcast Multicast> address #0 0.10.db.ff.b0.0
mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 680, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-5/3/9
mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 681, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-5/3/9.0
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
(FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ge-5/3/9: get tlv ppfeid 0
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
mustd: UI_DELTA_CONSTRAINT_CHECK_NOT_RUNNING: delta constraint check process can not run because persist groups is not configured
nsd[2784]: ipc_pipe_write:353 num_sent=-1 errno=35 Resource temporarily unavailable

Thanks

Erx

↧

Re: SRX 1400 commit error

June 15, 2018, 7:31 am

≫ Next: Re: SRX 1400 commit error

≪ Previous: some erros on the SRX

Thanks for your help, however I'm noy sure how to proceed after this, is there a way to bypass the issue ? what do I need to do?

wrote:
And this is where you have a problem (certificate expired):

Certificate identifier: ssl-inspect-ca
Certificate version: 3
Serial number: ffb749fe9a450811
Issuer:
Organization: areandina, Organizational unit: security, Country: CO, State: BOG, Locality: BOG, Common name: areandina.edu.co
Subject:
Organization: areandina, Organizational unit: security, Country: CO, State: BOG, Locality: BOG, Common name: areandina.edu.co
Subject string:
C=CO, ST=BOG, L=BOG, O=areandina, OU=security, CN=areandina.edu.co, emailAddress=admin@areandina.edu.co
Validity:
Not before: 04- 6-2015 02:20 UTC
Not after: 04- 5-2018 02:20 UTC
Public key algorithm: rsaEncryption(2048 bits)

Regards
Leon Smirnov
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

↧

Re: SRX 1400 commit error

June 15, 2018, 9:13 am

≫ Next: Re: SRX 1400 commit error

≪ Previous: Re: SRX 1400 commit error

Well, now that the problem is clear you can fix it.

To fix it you have two options:

1. remove the ssl_inspect_ca certificate currently loaded and replace it with a valid certificate.

CLI command examples:

> clear security pki ca-certificate ca-profile <profile-name>

follow the KB : https://kb.juniper.net/InfoCenter/index?page=content&id=KB31122

This should guide you on how to generate the key pair, certificate etc.

2. If you do not want to load the certificate for now and just get rd of the error. You can simply delete the certificate and its, relevant config.

CLI commands:

> clear security pki ca-certificate ca-profile <profile-name>

> configure

# delete services ssl proxy profile <profile-name>

# commit and-quit

Hope this helps!

Regards,

Kinshuk

↧

Re: SRX 1400 commit error

June 15, 2018, 10:14 am

≫ Next: Re: IP Phones Restarting with Juniper SRX1400

≪ Previous: Re: SRX 1400 commit error

Thanks a lot! I was able to remove the certificate and proxy and now I can make changes

↧

Re: IP Phones Restarting with Juniper SRX1400

June 15, 2018, 3:10 pm

≫ Next: Re: some erros on the SRX

≪ Previous: Re: SRX 1400 commit error

You can try running a consistant ping from branch C to the CUCM in HQ. If this helps, you have a tunnel timeout issue. Please post HQ and branch C config files for review

↧

Re: some erros on the SRX

June 15, 2018, 10:41 pm

≫ Next: Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

≪ Previous: Re: IP Phones Restarting with Juniper SRX1400

Hi Erx,

Interface ge-5/3/9, member of reth0 seems to go down in operating state.

Are you running LACP on reth0 ?

Cmds to check from Primary of SRX:

show chassis cluster status

show lacp interfaces

show lacp statistics interface reth0 (interface on which lacp is running)

Do you see any interface level alarms on ge-5/3/9 ?

Cmds to check: show interfaces extensive | match "L2 Channel"

Regards,

Rahul

↧

Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

June 16, 2018, 2:46 am

≫ Next: Re: IP Phones Restarting with Juniper SRX1400

≪ Previous: Re: some erros on the SRX

1. Interface is in security zone & hence the sessions is built in first place. So no doubt about zone/policies.

2. As per defination:

An interface’s primary address is used by default as the local address for broadcast and multicast packets sourced locally and sent out the interface.

An interface’s preferred address is the default local address used for packets sourced by the local router to destinations on the subnet.

3. You are trying to perform ping which is unicast & that too to a destination IP outside subnet.

4. We need to check routing to understand the behaviour.

5. Assist to grab output from the device : show route

6. Also One question to be answered: Are we only looking for self traffic generated by SRX towards internet or is this just for testing? As in, Is this question a minute question of a bigger question/problem that you are trying to fix/implement?

-Rahul

↧

Re: IP Phones Restarting with Juniper SRX1400

June 17, 2018, 11:20 pm

≫ Next: Re: Srx mikrotik ospf

≪ Previous: Re: Can Ping Internet from 1 of IPs on Interface, Can't Ping from the Other

SInce IP phones connect over the network for its availability.

The cause for restart is related session on the FW getting cleared.

One cause of the restart could be VPn tunnel flapping to the Branch C.

Do we se any tunnel flaps ??

↧

Re: Srx mikrotik ospf

June 18, 2018, 12:20 am

≫ Next: SSH Access via VPN Only

≪ Previous: Re: IP Phones Restarting with Juniper SRX1400

Change to p2p on both sides, on SRX

set protocols ospf area 1.1.1.1 interface gr-0/0/0.0 interface-type p2p

Change traceoptions to flag "all" run the test and search trace file for MTU. You should see the exact values used by SRX and Mikrotik. If there is a mismatch please correct accordingly

Regards, Wojtek

↧

SSH Access via VPN Only

June 18, 2018, 1:14 am

≫ Next: Re: more specific monitoring via automation for high-end SRX(s)

≪ Previous: Re: Srx mikrotik ospf

Is it possible to have two policies from the same zone to the same zone to only allow SSH access from the VPN range of address rather than from everywhere please?

I will try and explain the issue:

I have a "Customer-VR" which is connected to an aggregated interface "AE1". This in turn is connected to the internal network where the LNS resides and the Core.

I have a second VR, let's call it "ssh-vpn-VR". This has a physical interface of ge-0/0/8.

The ST interface, as the end point for data, is located within the "Customer-VR".

This all works perfectly at the moment but now I have the issue of allowing all traffic other than SSH through the Customer-VR but only SSH traffic from the VPN. So, can I craft two policies to complete this please?

↧

Re: more specific monitoring via automation for high-end SRX(s)

June 18, 2018, 1:00 am

≫ Next: Re: SSH Access via VPN Only

≪ Previous: SSH Access via VPN Only

Well, a nice thought.

In my view the best way to perform this would be a mix of python and shell scripts.

As with python you need to use pyez/netconf for all aspects.

Using shell scripts at a defined time script logs into the box execute, run command outputs and save to a .txt file.

Later retrieve the file and analyze offline, make a report.

↧

Re: SSH Access via VPN Only

June 18, 2018, 1:27 am

≫ Next: Re: SSH Access via VPN Only

≪ Previous: Re: more specific monitoring via automation for high-end SRX(s)

if SSH access is working as you expect with one policy "application any", you can configure more specific policy to restrict the access. Make sure you place the specific policy above the any any policy.

↧

Re: SSH Access via VPN Only

June 18, 2018, 2:38 am

≫ Next: Re: SSH Access via VPN Only

≪ Previous: Re: SSH Access via VPN Only

You actually need three policies:

1-allow ssh from the desired subnets to desired sources

2-deny ssh for any any

2-your current allow all policy

This will permit the desired ssh and deny all the other ssh before passing to your base policy.

↧

Re: SSH Access via VPN Only

June 18, 2018, 3:18 am

≫ Next: Re: WAN to pfSense throug Juniper SRX240H

≪ Previous: Re: SSH Access via VPN Only

Hi Spuluka,

So, I would need something like the following:

set security policies from-zone Customer-Network to-zone radius-server policy test match source-address <VPN Address Range>

set security policies from-zone Customer-Network to-zone radius-server policy test match destination-address <radius server>

set security policies from-zone Customer-Network to-zone radius-server policy test match application junos-ssh

set security policies from-zone Customer-Network to-zone radius-server policy tesy then permit

set security policies from-zone Customer-Network to-zone radius-server policy test1 match source-address any

set security policies from-zone Customer-Network to-zone radius-server policy test1 match destination-address <radius server>

set security policies from-zone Customer-Network to-zone radius-server policy test1 match application junos-ssh

set security policies from-zone Customer-Network to-zone radius-server policy test1 then deny

set security policies from-zone Customer-Network to-zone radius-server policy test2 match source-address any

set security policies from-zone Customer-Network to-zone radius-server policy test2 match destination-address <radius-server>

set security policies from-zoneCustomer-Network to-zone radius-server policy test2 match application <applications>

set security policies from-zone Customer-Network to-zone radius-server policy test2 then permit

Is this right?

↧

Re: WAN to pfSense throug Juniper SRX240H

June 18, 2018, 5:01 am

≫ Next: Re: SSH Access via VPN Only

≪ Previous: Re: SSH Access via VPN Only

Big thank You for reply and ssory for delay of my answer.

I try to add port 0/0/0.0 to VLAN, but i have an IP address, which was given to this logical port - at screen is 217.22.xxx.162/30.

If i remove it and change VLAN to 100(for example), internet access was broken for all office. And i can't bind port to VLAN without remove IPv4 settings:

In this time no port has a binding to a special VLAN, all ports work at 1 default VLAN.

I suppose, that my option is partially 3, because i don't have separation for VLAN's, but from ISP i have one ethernet cable in 0/0/0.0 port?

And in this time i don't have a vision, how i must set up VPLS instance - i'm trying some attemps with different configs, but this still not working.

P.S. Oh, maybe i must change port 0/0/0.0 to all VLAN's in trunk modes? I don't remember, but maybe i'm tried port mode is access...

With best regards

Yan

↧

Re: SSH Access via VPN Only

June 18, 2018, 6:01 am

≫ Next: Re: Can I use advpn conbination with FBF ?

≪ Previous: Re: WAN to pfSense throug Juniper SRX240H

Worked perfectly. Thank you Spuluka

↧