Channel: All SRX Services Gateway posts

srx 4100 and srx 4200 license


Can someone explain how this works for these boxes? I've been searching everywhere and cannot find this.

Is the base included?

What features does the Enhanced add?

Re: Issue trying to make some zones communicate with Internet


Hi Ztech,

 

Please share the following command:

 

> show route table PRA-MF.inet.0

 

Based on the traceoptions, the SRX is performing the route lookup in a custom routing-instance (assumed to be PRA-MF) and not finding a route to 8.8.8.8 (most likely the default route is missing). Running the above command will tell you whether the default route is showing up.

 

Oct 16 10:33:25 10:33:25.555360:CID-1:RT:flow_first_routing: vr_id 5, call flow_route_lookup(): src_ip 192.168.5.52, x_dst_ip 8.8.8.8, in ifp reth0.300, out ifp N/A sp 2525, dp 1, ip_proto 1, tos 0
...
Oct 16 10:33:25 10:33:25.555422:CID-1:RT:Route-lookup for 8.8.8.8 yielded reject NH

 

I believe that the PRA-MF routing-instance is not aware of the subnet connected to reth2.0 (untrust zone) and that the next-hop address that PRA-MF routing-instance is trying to resolve is on that subnet connected to reth2.0 interface. Please let us know if this is correct.

 

If the above statement is correct, we need to make sure PRA-MF routing-instance knows reth2.0's subnet. You could apply some RIB groups to accomplish this:

 

1. Create a rib-group to share routes from the inet.0 table (default routing-instance) into the PRA-MF.inet.0 table. A routing-policy (RETH2-SUBNET-ONLY) ensures that only reth2.0's subnet is shared between the two tables.

	set routing-options rib-groups EXAMPLE import-rib [ inet.0 PRA-MF.inet.0 ]
	set routing-options rib-groups EXAMPLE import-policy RETH2-SUBNET-ONLY

2. Create the routing-policy to match the subnet of reth2.0 only:

	set policy-options policy-statement RETH2-SUBNET-ONLY term RETH2 from route-filter [reth2_subnet] exact
	set policy-options policy-statement RETH2-SUBNET-ONLY term RETH2 then accept
	set policy-options policy-statement RETH2-SUBNET-ONLY term REJECT-REST then reject

3. Apply the rib-group under the default routing-instance, in the interface-routes hierarchy, so that the directly connected subnets are shared from inet.0 to PRA-MF.inet.0:

	set routing-options interface-routes rib-group inet EXAMPLE

Please let us know.

 

Re: (No) traffic through Dynamic VPN. Sometimes


elmiatero,

 

Can you disable the Windows Defender service and try again? I believe this has been confirmed to be a workaround (or an incompatibility between Pulse and this service).

 

 

Re: SRX345 VPN issues with Cisco SA520W


Hi epaniagua,

 

I have added the following config: 

set security ipsec vpn ike-vpn-BON vpn-monitor optimized
set security ipsec vpn ike-vpn-BON vpn-monitor source-interface irb.2
set security ipsec vpn ike-vpn-BON vpn-monitor destination-ip 192.168.7.254

 

But traffic is still not passing. Although after following the KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093&actp=METADATA, everything seems to check out, even flow sessions:

 

setarnoc@WEMA_DLI99046_Router> show security flow session source-prefix 192.168.1.0/24 destination-prefix 192.168.7.0/24
Session ID: 65074, Policy name: BON_VPN_OUT/15, Timeout: 22, Valid
In: 192.168.1.66/50398 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 486,
Out: 192.168.7.10/389 --> 192.168.1.66/50398;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 68168, Policy name: BON_VPN_OUT/15, Timeout: 38, Valid
In: 192.168.1.66/64423 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 400,
Out: 192.168.7.10/389 --> 192.168.1.66/64423;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 75386, Policy name: BON_VPN_OUT/15, Timeout: 22, Valid
In: 192.168.1.66/50397 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 400,
Out: 192.168.7.10/389 --> 192.168.1.66/50397;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 76158, Policy name: BON_VPN_OUT/15, Timeout: 2, Valid
In: 192.168.1.13/56520 --> 192.168.7.171/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.171/5060 --> 192.168.1.13/56520;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 76465, Policy name: BON_VPN_OUT/15, Timeout: 8, Valid
In: 192.168.1.13/56522 --> 192.168.7.172/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.172/5060 --> 192.168.1.13/56522;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 76676, Policy name: BON_VPN_OUT/15, Timeout: 14, Valid
In: 192.168.1.13/56525 --> 192.168.7.173/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.173/5060 --> 192.168.1.13/56525;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

 

One thing I noticed is that I don't see any Out Pkts/Bytes in the flow sessions. Normal?

 

Afterwards I tried using traffic-selectors, however it would not commit while VPN Monitoring is enabled, so I deleted monitoring and used traffic-selectors instead. I also removed the static route from the routing-options.

 

However I still get same results. I do see the route added to the routing-table:

setarnoc@WEMA_DLI99046_Router> show route 192.168.7.254

inet.0: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.7.0/24 *[Static/5] 00:01:30
> via st0.0

 

I'm beginning to think the issue might be with the ASA at the other end? 

Access to local dataplane logs in stream mode


I know that using stream mode means that dataplane (security) logs are sent to the syslog servers instead of being logged locally. However, I noticed a stream mode "cache" setting (security/log section) that seems to be associated with writing log entries to the "audit log buffer". I'm guessing this is just a memory buffer that is overwritten as needed, but I'm not sure. Additionally, I'm wondering if there is a way to view the contents of this buffer? Ultimately, I was looking for a way to look at the security (traffic) logs on the local firewall, even if it is only a few recent minutes' worth.

 

Thanks in advance!

 

From Tech Library:

Description

Cache security log events in the audit log buffer

Re: srx 4100 and srx 4200 license


All SRX models from SRX300 series to SRX4200 (excluding SRX550) can be purchased in two ways:

 

  • Separate HW + SW SKU. Example: SRX4100-AC + SRX4100-JSB
  • Bundle SKU which includes both HW+SW. Example: SRX4100-SYS-JB-AC

If you purchase the separate HW+SW you will need a support SKU for the software and a separate SKU for the HW.

If you buy the bundle SKU there is only one support SKU for SW+HW (depending on support level).

 

In general I would recommend just looking at the bundle SKUs.

 

JSE (Enhanced) adds support for firewalling based on App identification, e.g. block Facebook but allow YouTube.

You can also make routing and QoS decisions based on application identification.

If you intend to buy a subscription for IPS, UTM or similar, JSE functionality will be included in these... but only for as long as your subscription lasts.... so if these features are needed as well, just go for JSB.

 

I hope this clarifies.

Re: Need assistance with mPIM upgrade for VDSL2 vectoring.


Hi Colin

 

Did you ever get a jfirmware package for the SRX210 (12.1x46?)? I'm struggling myself to find this. There is another thread where Juniper have been responding to requests and uploading them temporarily to FTP shares, but I'm not sure it's still active. On a device that's already EOL, I'd be frustrated if I had to renew support, especially as it won't receive even software updates after 6 months or so from now.

 

Thanks


Re: srx 4100 and srx 4200 license


Do I need the Enhanced to do BGP, BFD, OSPF etc.?

Re: Access to local dataplane logs in stream mode


OK, I haven't found any more information on the cache setting, but it looks like the new "report" security/log configuration setting added in 15.x-d100 allows you to store all of the dataplane logs on the local box while in stream mode. It also allows you to create reports and graphs in J-Web using the data, or access the data right from the CLI using show security log report in-detail all and similar commands. There are a lot of options for parsing/displaying the information in the CLI. If you want to be able to view dataplane (security) logs on the firewall while running in stream mode, this may be just what you are looking for.

Re: srx 4100 and srx 4200 license


No, everything related to routing, BGP, MPLS, basic security policies, NAT and VPN is included in JSB.

Re: SRX345 VPN issues with Cisco SA520W


Hi,

 

It's good that we are seeing the sessions created; however, the SRX is reporting that no reply traffic is being received:

 

In: 192.168.1.13/56525 --> 192.168.7.173/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.173/5060 --> 192.168.1.13/56525;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

I will definitely check the ASA at this point.

 

Re: Need assistance with mPIM upgrade for VDSL2 vectoring.


Many thanks for the very prompt response, but I no longer have any SRX210s under active service contracts, so I cannot open a case with JTAC. This is the same problem many people are having with the cards used in these models. According to the release notes, the jfirmware for the MPIM is supposed to be included in the JUNOS update package, but it’s missing for some reason.

Re: Need assistance with mPIM upgrade for VDSL2 vectoring.


Hi jporter,

 

Can you share the release notes document where this is stated? I want to check if it is for specific versions only.

 


SRX 4100 with EX-SFP-1GE-T


Dear Juniper

SRX 4100 with GBIC EX-SFP-1FE-T: does it support devices that connect at 10Mbps and 100Mbps?

Re: Need assistance with mPIM upgrade for VDSL2 vectoring.


Hi

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB31818&actp=RSS

SUMMARY:

Starting with Junos 12.1X46-D55, firmware v2.16.0 is available for SRX-MP-1VDSL-A to support VDSL vectoring. Vectoring on VDSL reduces crosstalk and increases network bandwidth.

SYMPTOMS:

A new version of SRX was installed, but not seeing updated firmware version for VDSL card

 

and

 

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/12.1x46/topic-82924.html#jd0e59

 

Release 12.1X46-D55 Software Features

Interfaces

  • G.993.5 Vectoring support for VDSL modules on SRX Series devices: Starting with Junos OS Release 12.1X46-D55, firmware version v2.16.0 is available for SRX-MP-1VDSL-A to support VDSL vectoring. Vectoring on VDSL reduces crosstalk and increases network bandwidth.

    [For more information, see Upgrading the VDSL PIC Firmware in the Junos OS Release 15.1X49-D50 Feature Guide. ]

Also, there is another thread where Juniper have been uploading files on a request-by-request basis to the Juniper FTP download site; however, it's not really scalable since only one person seems to be responding there:

 

https://forums.juniper.net/t5/forums/v3_1/forumtopicpage/board-id/srx/thread-id/48612/page/2

 

Many thanks

Re: SRX 4100 with EX-SFP-1GE-T


Thanks for your reply.

Jonas Hauge Jensen

Re: Dynamic VPN secondary DNS issue


Hello epaniagua,

 

Thank you for your reply. SRX model is a 240H and current JunOS version is 12.1X46-D45.4. Recommended version is supposedly 12.1X46-D77. I'll check this out.

 

I've only tested this with Windows clients so far because we have no Linux or Mac machines to try out.
