Channel: All SRX Services Gateway posts

Re: Issue trying to make some zones communicate with Internet


Hello epaniagua,

 

Thank you for this answer. Here is the output of the command:

 

>show route table PRA-MF.inet.0

PRA-MF.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.5.0/24     *[Direct/0] 12w6d 16:20:10
                    > via reth0.300
192.168.5.254/32   *[Local/0] 12w6d 16:20:10
                      Local via reth0.300
192.168.6.0/24     *[Direct/0] 12w6d 16:20:10
                    > via reth0.301
192.168.6.254/32   *[Local/0] 12w6d 16:20:10
                      Local via reth0.301

 

Your solution seems to be correct, after adding the rib-groups I am now able to ping the internet. I've marked your post as the solution.


Thank you very much for your help, I thought I was going to go crazy at this rate.


[SRX320/210] JDHCPCD lease timeout issue with DHCPv6 Client PD w\ PPPoE on OPTION_IAPREFIX


 Hi, 

 

When connecting to my ISP I receive a /56 IPv6 prefix for PD. Updates for RAs are sent to two irbs. Each irb receives a /64 which hosts use for their purpose.

 

The issue is that the DHCPv6 client under pp0.0 family inet6 does not respect the client lease time and defaults it to 1 day.

My ISP sets the 2^32-1 value of 4,294,967,295 for both preferred and valid lifetime.

This value is set in accordance with RFC 3633 Section 10 by the DHCP server.

 preferred-lifetime: The recommended preferred lifetime for the IPv6
                     prefix in the option, expressed in units of
                     seconds.  A value of 0xFFFFFFFF represents
                     infinity.

   valid-lifetime:   The valid lifetime for the IPv6 prefix in the
                     option, expressed in units of seconds.  A value of
                     0xFFFFFFFF represents infinity.

This value is set by the Advertise message, Request message, Reply message.  (Attached JDHCPD debug file)

Essentially, the most important pieces of information from that file come after the Reply message, where the server acknowledges the duration. I see that the function

dhcpv6_client_process_ack_packet

sets leasetime=-1. This to me seems an undefined or unexpected value. Or an overflow?

It then proceeds to set a lease time of 43200. However, under show dhcpv6 client binding detail the lease shows as valid for twice this amount, 86400.

 

Oct 15 16:55:43.386561 [MSTR][DEBUG][default:default][N/A][INET6][pp0.0][SID=0] dhcpv6_client_process_ack_packet: IAPD Prefix is 2a02:2f0a:4503:9700:: with Prefix len 56 leasetime=-1
Oct 15 16:55:43.386629 [MSTR][DEBUG] jdhcpd_rc_lease_timer_start: starting lease timer for 43200 seconds

 

After 43200 seconds it will begin to issue Renews to the DHCP server. However, both the server and the client concluded that they use 4,294,967,295 seconds, so most likely by ISP policy renews are not allowed.

 

In any case this is pretty annoying. I know Juniper's DHCP implementation is flaky. Also my ONU handles it as expected setting the proper lease time. 

 

Each prefix has valid and preferred lifetimes whose durations are
specified in the IA_PD Prefix option for that prefix. The requesting
router uses Renew and Rebind messages to request the extension of the
lifetimes of a delegated prefix.

 

 

This is true as it sets the lease time to 86400 but if it kept the lease as the DHCPv6 server gave it then no renew would occur.

 

- Seen on SRX210he2 - JUNOS Software Release [12.3X48-D65.1]

- also on SRX320  15.1X49-D75/ 15.1X49-D130

 

 

I'm sure workarounds exist, but I'm looking to know if there are plans to fix this as it's a very inconvenient issue.
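As an added illustration of the lifetime handling discussed in this post (not Junos code and not the poster's), the following Python parses a constructed DHCPv6 IA_PD option carrying an IAPREFIX whose preferred and valid lifetimes are both 0xFFFFFFFF, shows what that value becomes once it is stored in a signed 32-bit integer (the leasetime=-1 in the debug output), and contrasts it with the RFC 3633 reading, where 0xFFFFFFFF means the prefix never expires. The default_t1 helper applies the RFC 3633 section 9 recommendation of T1 = 0.5 x the lifetime, which is the relation between the 86400 binding and the 43200 timer quoted above. The option layout follows RFC 3633 sections 9 and 10; the IAID, T1/T2 and prefix bytes are constructed sample values.

```python
"""DHCPv6 IA_PD / IAPREFIX lifetime parsing and the signed-int pitfall.
Added example; not Junos code."""
import ipaddress
import struct

OPTION_IA_PD = 25       # RFC 3633 section 9
OPTION_IAPREFIX = 26    # RFC 3633 section 10
INFINITY = 0xFFFFFFFF   # "A value of 0xFFFFFFFF represents infinity"


def iter_options(buf):
    """Yield (option-code, option-data) pairs from a DHCPv6 option list (RFC 3315 section 22.1)."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated DHCPv6 option")
        yield code, buf[off:off + length]
        off += length


def parse_iaprefix(data):
    """OPTION_IAPREFIX body: preferred(4) valid(4) prefix-length(1) prefix(16) [sub-options]."""
    if len(data) < 25:
        raise ValueError("IAPREFIX too short")
    preferred, valid, plen = struct.unpack_from("!IIB", data, 0)
    prefix = ipaddress.IPv6Address(data[9:25])
    return {"preferred": preferred, "valid": valid, "prefix": f"{prefix}/{plen}"}


def parse_ia_pd(data):
    """OPTION_IA_PD body: IAID(4) T1(4) T2(4) followed by IAPREFIX sub-options."""
    iaid, t1, t2 = struct.unpack_from("!III", data, 0)
    prefixes = [parse_iaprefix(body) for code, body in iter_options(data[12:])
                if code == OPTION_IAPREFIX]
    return {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": prefixes}


def as_signed32(value):
    """What the unsigned lifetime looks like once stored in a signed 32-bit int."""
    return struct.unpack("<i", struct.pack("<I", value))[0]


def lease_seconds(valid_lifetime):
    """RFC 3633 reading: 0xFFFFFFFF means the lease never expires (None); anything else is seconds."""
    return None if valid_lifetime == INFINITY else valid_lifetime


def default_t1(lifetime):
    """RFC 3633 section 9 recommends T1 = 0.5 x the shortest preferred lifetime when the server sends T1 = 0."""
    return lifetime // 2


def build_sample_reply_options(prefix="2a02:2f0a:4503:9700::", plen=56,
                               preferred=INFINITY, valid=INFINITY):
    """Construct the IA_PD option a server would place in a Reply (sample values: IAID 1, T1 = T2 = 0)."""
    iaprefix = struct.pack("!IIB", preferred, valid, plen) + ipaddress.IPv6Address(prefix).packed
    ia_pd_body = (struct.pack("!III", 1, 0, 0)
                  + struct.pack("!HH", OPTION_IAPREFIX, len(iaprefix)) + iaprefix)
    return struct.pack("!HH", OPTION_IA_PD, len(ia_pd_body)) + ia_pd_body


def lease_from_reply(options):
    """Return (prefix, lease) for the first delegated prefix, using the RFC interpretation."""
    for code, body in iter_options(options):
        if code == OPTION_IA_PD:
            ia = parse_ia_pd(body)
            if ia["prefixes"]:
                first = ia["prefixes"][0]
                return first["prefix"], lease_seconds(first["valid"])
    return None


if __name__ == "__main__":
    raw = build_sample_reply_options()
    prefix, lease = lease_from_reply(raw)
    print(prefix, "lease:", "infinite" if lease is None else lease)
    print("0xFFFFFFFF read as signed int32:", as_signed32(INFINITY))   # -1
    print("default T1 for an 86400 s lease:", default_t1(86400))      # 43200
```

Run stand-alone it prints the delegated /56 with an infinite lease, the -1 that a signed 32-bit store of 0xFFFFFFFF yields, and 43200 as the T1 half of an 86400 second lease.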

Re: [SRX320/210] JDHCPCD lease timeout issue with DHCPv6 Client PD w\ PPPoE on OPTION_IAPREFIX


Hello,

 

Best way forward would be to open a JTAC case. 

 

Regards,

 

Rushi

J-Web removes backslash character on source identity object when committing changes


We have an SRX 320 with the latest firmware version.

root@orn-gw-01> show version
Hostname: orn-gw-01
Model: srx320
Junos: 15.1X49-D150.2
JUNOS Software Release [15.1X49-D150.2] 

 

The SRX J-Web management interface removes backslashes when committing changes, if backslash is used in a source identity. The backslash character should be used when specifying domain groups or domain accounts. See "Configure Integrated User Firewall".

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-user-auth-configure-integrated-userfw.html

 

For example, line

source-identity "corp.example.com\domain users";

after committing becomes invalid:

source-identity "corp.example.comdomain users";

 

We found error report PR1304608. The report indicates that the problem was solved in firmware version 15.1X49-D120, but we get this error at the later versions 15.1X49-D140 and 15.1X49-D150. Unfortunately, we are not able to rollback to firmware version 15.1X49-D120, due to the fact that it has technical limitations on the number of security zones. Our configuration uses about 20 zones, while in firmware 15.1X49-D120 a maximum of 16 zones is allowed.

 

I would like to know if anyone else has got the same problem?

Re: Issue trying to make some zones communicate with Internet


Ztech,

 

You are very welcome, I am glad that it works now.

 

Re: J-Web removes backslash character on source identity object when committing changes


Hi Avanoc

 

If you were able to reproduce the issue then this is a regression in the newer versions. I would advise opening a case with JTAC. In the meantime I guess that you might need to commit those changes via the CLI.

 

SRX 240 Tunnel with MX 104 Unable to establish IPSEC


Good evening, 

 

I am trying to connect st0.1 on the SRX-240 with the MX-104. The SRX-240 currently has st0.0 in production connected to a Cisco router. We are replacing the Cisco router with the MX-104.

 

----SRX240--162.255.61.67--------137.52.79.2-MX104-----

 

SRX 240

 

set security ipsec vpn-monitor-options interval 30
set security ipsec vpn-monitor-options threshold 4
set security ipsec proposal ipsecproposal protocol esp
set security ipsec proposal ipsecproposal encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsecpolicy proposals ipsecproposal
set security ipsec policy vpn-policy1 perfect-forward-secrecy keys group2
set security ipsec policy vpn-policy1 proposals ipsec-phase2-proposal
set security ipsec vpn toDavie bind-interface st0.0
set security ipsec vpn toDavie vpn-monitor optimized
set security ipsec vpn toDavie vpn-monitor source-interface st0.0
set security ipsec vpn toDavie vpn-monitor destination-ip 10.208.208.1
set security ipsec vpn toDavie ike gateway Davie
set security ipsec vpn toDavie ike ipsec-policy ipsecpolicy
set security ipsec vpn ike-vpn bind-interface st0.1
set security ipsec vpn ike-vpn df-bit clear
set security ipsec vpn ike-vpn vpn-monitor
set security ipsec vpn ike-vpn ike gateway ike-gw
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn establish-tunnels immediately

 

 

set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from source-address 10.209.210.4/32
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from destination-address 10.209.133.2/32
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then remote-gateway 162.255.61.67
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ike-policy ike_policy_ms_0_2_0
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ipsec-policy ipsec_policy_ms_0_2_0
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then tunnel-mtu 1446
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then anti-replay-window-size 4096
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 match-direction input
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 protocol esp
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 proposals ipsec_proposal_ms_0_2_0
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 dh-group group2
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
set services ipsec-vpn ike policy ike_policy_ms_0_2_0 mode main
set services ipsec-vpn ike policy ike_policy_ms_0_2_0 proposals ike_proposal_ms_0_2_0
set services ipsec-vpn ike policy ike_policy_ms_0_2_0 pre-shared-key ascii-text "$9$XIm-w2aJDkmf8XaUiHPf5Tz6/tSyKXNbre"
set services ipsec-vpn traceoptions file ipseclog
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag ike

 

 

SRX 240 LOGS:

 

Oct 17 17:39:30  Oceanography-IPSEC-Bkup last message repeated 2 times
Oct 17 17:49:30  Oceanography-IPSEC-Bkup last message repeated 13 times
Oct 17 17:59:30  Oceanography-IPSEC-Bkup last message repeated 14 times
Oct 17 18:09:30  Oceanography-IPSEC-Bkup last message repeated 13 times
Oct 17 18:18:49  Oceanography-IPSEC-Bkup last message repeated 13 times
Oct 17 18:19:01  Oceanography-IPSEC-Bkup kmd[1435]: KMD_PM_SA_ESTABLISHED: Local gateway: 162.255.61.67, Remote gateway: 137.52.139.21, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0xd71d7243, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Oct 17 18:19:01  Oceanography-IPSEC-Bkup kmd[1435]: KMD_PM_SA_ESTABLISHED: Local gateway: 162.255.61.67, Remote gateway: 137.52.139.21, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x3e055dff, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Oct 17 18:19:30  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Oct 17 18:19:49  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, VR-ID: 0
Oct 17 18:20:19  Oceanography-IPSEC-Bkup last message repeated 2 times
Oct 17 18:22:19  Oceanography-IPSEC-Bkup last message repeated 6 times
Oct 17 18:29:19  Oceanography-IPSEC-Bkup last message repeated 21 times
Oct 17 18:29:49  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, VR-ID: 0
Oct 17 18:30:04  Oceanography-IPSEC-Bkup kmd[1435]: Config download: Processed 31 - 32 messages
Oct 17 18:30:04  Oceanography-IPSEC-Bkup kmd[1435]: Config download time: 0 seconds
Oct 17 18:30:04  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, VR-ID: 0
Oct 17 18:30:04  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, VR-ID: 0
Oct 17 18:30:19  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, VR-ID: 0
Oct 17 18:30:26  Oceanography-IPSEC-Bkup kmd[1435]: KMD_PM_SA_ESTABLISHED: Local gateway: 162.255.61.67, Remote gateway: 137.52.79.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x2a24498, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Oct 17 18:30:26  Oceanography-IPSEC-Bkup kmd[1435]: KMD_PM_SA_ESTABLISHED: Local gateway: 162.255.61.67, Remote gateway: 137.52.79.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x932d87d6, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Oct 17 18:30:26  Oceanography-IPSEC-Bkup kmd[1435]: KMD_VPN_UP_ALARM_USER: VPN ike-vpn from 137.52.79.2 is up. Local-ip: 162.255.61.67, gateway name: ike-gw, vpn name: ike-vpn, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: 10.209.210.4, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Oct 17 18:32:49  Oceanography-IPSEC-Bkup kmd[1435]: KMD_VPN_DOWN_ALARM_USER: VPN ike-vpn from 137.52.79.2 is down. Local-ip: 162.255.61.67, gateway name: ike-gw, vpn name: ike-vpn, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: 10.209.210.4, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Oct 17 18:34:00  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, VR-ID: 0
Oct 17 18:35:19  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, VR-ID: 0
Oct 17 18:36:49  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: 162.255.61.67, Remote IKE-ID: 137.52.79.2, VR-ID: 0
Oct 17 18:37:30  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Oct 17 18:38:19  Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Oct 17 18:40:19  Oceanography-IPSEC-Bkup last message repeated 3 times
Oct 17 18:50:19  Oceanography-IPSEC-Bkup last message repeated 14 times
Oct 17 19:00:19  Oceanography-IPSEC-Bkup last message repeated 14 times

 

MX 104 LOG

 

nils@nota-wangate01> show log kmd-logs 
Oct 17 17:27:00  nota-wangate01 kmd[82433]: KMD_PM_PHASE2_POLICY_LOOKUP_FAIL: Unable to retrieve policy for Phase 2 from responder (Phase 1 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67); Phase 2 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67))
Oct 17 17:27:19  nota-wangate01 kmd[82433]: KMD_PM_PHASE2_POLICY_LOOKUP_FAIL: Unable to retrieve policy for Phase 2 from responder (Phase 1 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67); Phase 2 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67))
Oct 17 17:28:48  nota-wangate01 last message repeated 4 times
Oct 17 17:29:49  nota-wangate01 last message repeated 3 times
Oct 17 18:19:49  nota-wangate01 kmd[82433]: KMD_PM_PHASE2_POLICY_LOOKUP_FAIL: Unable to retrieve policy for Phase 2 from responder (Phase 1 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67); Phase 2 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67))
Oct 17 18:20:00  nota-wangate01 kmd[82433]: KMD_PM_PHASE2_POLICY_LOOKUP_FAIL: Unable to retrieve policy for Phase 2 from responder (Phase 1 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67); Phase 2 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67))
Oct 17 18:22:00  nota-wangate01 last message repeated 6 times
Oct 17 18:29:49  nota-wangate01 last message repeated 23 times
Oct 17 18:30:00  nota-wangate01 kmd[82433]: KMD_PM_PHASE2_POLICY_LOOKUP_FAIL: Unable to retrieve policy for Phase 2 from responder (Phase 1 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67); Phase 2 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67))
Oct 17 18:30:04  nota-wangate01 kmd[82433]: KMD_PM_PHASE2_POLICY_LOOKUP_FAIL: Unable to retrieve policy for Phase 2 from responder (Phase 1 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67); Phase 2 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67))
Oct 17 18:30:19  nota-wangate01 kmd[82433]: KMD_PM_PHASE2_POLICY_LOOKUP_FAIL: Unable to retrieve policy for Phase 2 from responder (Phase 1 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67); Phase 2 local peer ipv4(any:0,[0..3]=137.52.79.2), remote peer ipv4(any:0,[0..3]=162.255.61.67))

Any suggestion? Thank you for the time 

 

Nils. 
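As an added example (not Junos code and not Nils's), the Python below parses the "set" commands quoted above from both sides, follows vpn -> ipsec-policy -> proposal on the SRX and rule term -> dynamic ipsec-policy -> proposal on the MX, and reports every Phase 2 field on which the two sides differ, which is the comparison the replies below ask for. On the lines in this post the protocol, authentication, encryption and PFS fields all match, so the only difference the script reports is the selector: the MX term carries a /32 source and destination while the SRX vpn has no traffic-selector, which the SRX log records as 0.0.0.0/0 proxy IDs. The SRX Phase 1 (IKE) settings are not in the post, so the script does not compare them.

```python
"""Compare Phase 2 (IPsec) parameters of an SRX route-based VPN with an MX
services ipsec-vpn rule, both given as `set` commands.  Added example, not
Junos code; the config lines below are the ones quoted in the post."""

SRX_CONFIG = """
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy vpn-policy1 perfect-forward-secrecy keys group2
set security ipsec policy vpn-policy1 proposals ipsec-phase2-proposal
set security ipsec vpn ike-vpn bind-interface st0.1
set security ipsec vpn ike-vpn ike gateway ike-gw
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
"""

MX_CONFIG = """
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from source-address 10.209.210.4/32
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from destination-address 10.209.133.2/32
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ike-policy ike_policy_ms_0_2_0
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ipsec-policy ipsec_policy_ms_0_2_0
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 protocol esp
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 proposals ipsec_proposal_ms_0_2_0
"""


def parse_set(text):
    """Build a nested dict from `set a b c` lines; a leaf value is a key holding an empty dict."""
    tree = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "set":
            continue
        node = tree
        for tok in toks[1:]:
            node = node.setdefault(tok, {})
    return tree


def leaf(node, *path):
    """Follow `path` and return the single value stored under it, or None if absent."""
    for key in path:
        node = node.get(key)
        if node is None:
            return None
    return next(iter(node), None) if node else None


PHASE2_FIELDS = ("protocol", "authentication-algorithm", "encryption-algorithm")


def phase2_of(proposal, policy):
    params = {field: leaf(proposal, field) for field in PHASE2_FIELDS}
    params["pfs-group"] = leaf(policy, "perfect-forward-secrecy", "keys")
    return params


def srx_phase2(tree, vpn_name):
    """Resolve security ipsec vpn -> ipsec-policy -> proposal on an SRX."""
    ipsec = tree["security"]["ipsec"]
    vpn = ipsec["vpn"][vpn_name]
    policy = ipsec["policy"][leaf(vpn, "ike", "ipsec-policy")]
    proposal = ipsec["proposal"][leaf(policy, "proposals")]
    params = phase2_of(proposal, policy)
    # A route-based VPN with no traffic-selector negotiates 0.0.0.0/0 proxy IDs,
    # which is what the KMD_PM_SA_ESTABLISHED lines in the post show.
    params["selector"] = leaf(vpn, "traffic-selector") or "0.0.0.0/0 <-> 0.0.0.0/0 (no traffic-selector)"
    return params


def mx_phase2(tree, rule_name, term_name):
    """Resolve services ipsec-vpn rule term -> dynamic ipsec-policy -> proposal on an MX."""
    sv = tree["services"]["ipsec-vpn"]
    term = sv["rule"][rule_name]["term"][term_name]
    policy = sv["ipsec"]["policy"][leaf(term, "then", "dynamic", "ipsec-policy")]
    proposal = sv["ipsec"]["proposal"][leaf(policy, "proposals")]
    params = phase2_of(proposal, policy)
    params["selector"] = "%s <-> %s" % (leaf(term, "from", "source-address"),
                                        leaf(term, "from", "destination-address"))
    return params


def mismatches(a, b):
    """Return {field: (a_value, b_value)} for every field on which the two sides differ."""
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    srx = srx_phase2(parse_set(SRX_CONFIG), "ike-vpn")
    mx = mx_phase2(parse_set(MX_CONFIG), "vpn_rule_ms_0_2_0_01", "term1")
    for field, (s, m) in sorted(mismatches(srx, mx).items()):
        print(f"{field}: SRX={s}  MX={m}")
```

The same parse_set/leaf pair works for any "show configuration | display set" output, so the two resolver functions can be pointed at a live pair of devices by pasting their set output into the two strings.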

SRX240 having high CPU utilization issue: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99


Hi, 

 

I am facing a high CPU utilization issue on an SRX240.

Log messages are:

Oct 18 11:14:55 SRX-CORP-WILL-A last message repeated 2 times
Oct 18 11:15:15 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=87
Oct 18 11:16:23 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:16:31 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:20:40 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=92
Oct 18 11:21:49 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:22:20 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:23:15 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:24:49 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:25:02 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=85
Oct 18 11:25:08 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:25:33 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=88
Oct 18 11:25:47 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:27:18 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=94
Oct 18 11:27:28 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:27:32 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:27:35 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=98
Oct 18 11:27:38 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=87
Oct 18 11:27:55 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=93
Oct 18 11:27:59 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:28:31 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:29:23 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=93
Oct 18 11:29:26 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:30:05 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:31:04 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=90
Oct 18 11:31:07 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=97
Oct 18 11:31:15 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=95
Oct 18 11:33:41 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=92
Oct 18 12:01:19 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=87
Oct 18 12:02:19 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=94
Oct 18 12:02:22 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 12:02:26 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=86
Oct 18 12:02:34 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=93
Oct 18 12:03:24 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=86
Oct 18 12:03:46 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=93
Oct 18 12:04:05 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 12:04:11 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=85
Oct 18 12:04:20 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=94
Oct 18 12:04:22 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=91
Oct 18 12:04:25 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=89
Oct 18 12:26:36 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 12:26:40 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=94
Oct 18 12:31:51 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=89
Oct 18 12:33:02 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=91
Oct 18 12:33:04 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 12:47:30 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 12:48:59 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99

 

Routing engine :

show chassis routing-engine
node1:
--------------------------------------------------------------------------
Routing Engine status:
Temperature 35 degrees C / 95 degrees F
CPU temperature 35 degrees C / 95 degrees F
Total memory 2048 MB Max 1126 MB used ( 55 percent)
Control plane memory 1088 MB Max 457 MB used ( 42 percent)
Data plane memory 960 MB Max 672 MB used ( 70 percent)
CPU utilization:
User 18 percent
Background 0 percent
Kernel 11 percent
Interrupt 0 percent
Idle 71 percent
Model RE-SRX240H2
Serial ID ACMT9642
Start time 2017-08-11 15:30:02 EST
Uptime 432 days, 20 hours, 20 minutes, 39 seconds
Last reboot reason Router rebooted after a normal shutdown.
Load averages: 1 minute 5 minute 15 minute
0.28 0.30 0.29

 

show system processes extensive:

node1:
--------------------------------------------------------------------------
last pid: 86460; load averages: 0.22, 0.29, 0.28 up 432+20:22:23 13:01:42
138 processes: 19 running, 107 sleeping, 1 zombie, 11 waiting

Mem: 208M Active, 109M Inact, 1024M Wired, 495M Cache, 112M Buf, 136M Free
Swap:


PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1430 root 7 76 0 997M 59188K RUN 0 ??? 7800.59% flowd_octeon_hm
40 root 1 -16 0 0K 16K psleep 0 12:15 2844.34% bufdaemon
22 root 1 171 52 0K 16K RUN 0 7090.5 68.41% idle: cpu0
1443 root 1 139 0 10068K 2884K select 0 0:01 1.46% sdxd
1083 root 1 76 0 12896K 4664K select 0 269.1H 0.00% eventd
23 root 1 -20 -139 0K 16K RUN 0 82.5H 0.00% swi7: clock
1489 root 1 76 0 28276K 12856K select 0 59.7H 0.00% mib2d

 

packet forwarding engine (data plane)

show security monitoring fpc 5
node1:
--------------------------------------------------------------------------
FPC 0
PIC 0
CPU utilization : 40 %
Memory utilization : 70 %
Current flow session : 2666
Current flow session IPv4: 2666
Current flow session IPv6: 0
Max flow session : 524288
Total Session Creation Per Second (for last 96 seconds on average): 219
IPv4 Session Creation Per Second (for last 96 seconds on average): 219
IPv6 Session Creation Per Second (for last 96 seconds on average): 0

 

show chassis forwarding
node1:
--------------------------------------------------------------------------
FWDD status:
State Online
Microkernel CPU utilization 15 percent
Real-time threads CPU utilization 16 percent
Heap utilization 70 percent
Buffer utilization 1 percent
Uptime: 432 days, 20 hours, 18 minutes, 55 seconds

 

show security flow statistics
node1:
--------------------------------------------------------------------------
Current sessions: 2139
Packets forwarded: 519251685982
Packets dropped: 1186868040
Fragment packets: 9990718

 

Any help would be highly appreciated.

 

Thank you
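A practitioner triaging this usually wants the event rate over time rather than the raw scroll of messages. As an added example (not Junos code and not the poster's), the Python below parses the RTPERF_CPU_THRESHOLD_EXCEEDED lines, expands "last message repeated N times" against the preceding event, buckets events into 10-minute windows and reports the peak value and the number of samples at 99 %. All sample lines except the 11:17:00 repeat line are copied from the post; that one line is constructed to exercise the repeat expansion, and the year is assumed because syslog omits it.

```python
"""Count and window RTPERF_CPU_THRESHOLD_EXCEEDED events from SRX syslog.
Added example; not Junos code."""
import re
from collections import Counter
from datetime import datetime

# Copied from the post, except the 11:17:00 "repeated" line, which is constructed.
SAMPLE_LOG = """\
Oct 18 11:14:55 SRX-CORP-WILL-A last message repeated 2 times
Oct 18 11:15:15 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=87
Oct 18 11:16:23 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:16:31 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 11:17:00 SRX-CORP-WILL-A last message repeated 2 times
Oct 18 11:20:40 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=92
Oct 18 11:21:49 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Oct 18 12:01:19 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=87
Oct 18 12:02:22 SRX-CORP-WILL-A PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
PERF_RE = re.compile(r"RTPERF_CPU_THRESHOLD_EXCEEDED: FPC (?P<fpc>\d+) PIC (?P<pic>\d+) .*current value=(?P<val>\d+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def parse_events(text, year=2018):
    """Return [(timestamp, fpc, pic, value)] for every threshold event.

    A 'last message repeated N times' line is expanded into N copies of the
    previous event at the repeat line's timestamp; a repeat line seen before
    any event (the first line of the post) cannot be attributed and is skipped.
    """
    events, last = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rep = REPEAT_RE.search(m["msg"])
        if rep:
            if last is not None:
                events.extend((ts,) + last[1:] for _ in range(int(rep["n"])))
            continue
        p = PERF_RE.search(m["msg"])
        if p:
            last = (ts, int(p["fpc"]), int(p["pic"]), int(p["val"]))
            events.append(last)
    return events


def summarize(events, window_minutes=10, pegged_at=99):
    """Bucket events into fixed windows and report peak, pegged count and the busiest window."""
    per_window = Counter()
    for ts, _fpc, _pic, _val in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        per_window[start] += 1
    busiest = max(per_window, key=per_window.get) if per_window else None
    return {
        "events": len(events),
        "peak": max((e[3] for e in events), default=0),
        "pegged": sum(1 for e in events if e[3] >= pegged_at),
        "busiest_window": busiest,
        "per_window": dict(per_window),
    }


def should_alert(summary, min_events_per_window=3):
    """True when any window holds at least min_events_per_window threshold events."""
    return any(n >= min_events_per_window for n in summary["per_window"].values())


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG))
    for start, n in sorted(s["per_window"].items()):
        print(start.strftime("%b %d %H:%M"), n)
    print("events:", s["events"], "peak:", s["peak"], "pegged:", s["pegged"], "alert:", should_alert(s))
```

Feeding the whole messages file through parse_events instead of the sample gives the per-window counts for the full day, which is the view to line up against the show pfe statistics traffic samples requested in the reply below.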


Re: SRX240 having high CPU utilization issue: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99


Hello,

 

When you see High PFE CPU, can you execute the command below 3 times?

 

show pfe statistics traffic

 

Regards,

 

Rushi

Re: SRX 240 Tunnel with MX 104 Unable to establish IPSEC


Hello,

 

Looks like a configuration mismatch issue.

Can you provide complete Phase 1 and Phase 2 output of the VPN from SRX and MX for the said tunnel?

 

Regards,

 

Rushi

Re: [SRX320/210] JDHCPCD lease timeout issue with DHCPv6 Client PD w\ PPPoE on OPTION_IAPREFIX

$
0
0

Looks like the client is hardcoded to reject infinity and use its own MAX. It is not strictly compliant it would appear.

 

Regards

Rahul

Re: SRX 240 Tunnel with MX 104 Unable to establish IPSEC


As rushi says above.....

 

The following in the logs:

 

No proposal chosen:

 

Is normally associated with a configuration mismatch.

 

Also, are you trying to configure a site-to-site VPN between the devices? (I would think so but wanted to confirm)... As the logs point to a "Dynamic" configuration....

 

"Oct 17 18:19:01 Oceanography-IPSEC-Bkup kmd[1435]: KMD_PM_SA_ESTABLISHED: Local gateway: 162.255.61.67, Remote gateway: 137.52.139.21, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x3e055dff, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:

Oct 17 18:19:30 Oceanography-IPSEC-Bkup kmd[1435]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ike-vpn Gateway: ike-gw, Local: 162.255.61.67/500, Remote: 137.52.79.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0"

DHCP not working [Juniper SRX300]


Hello,

 

Everything is OK but my DHCP is not working.

If I put fixed IPs on the machines they work normally; if I leave DHCP on, the computers get APIPA addresses.

I am not a Juniper expert, so if someone can help me, I will paste my CLI lines below.

Note that I am using an SRX300 and I already restarted the DHCP services.

 

## Last changed: 2018-10-18 14:59:54 GMT
version 15.1X49-D70.3;
system {
    host-name rotem_brazil_altino_cptm;
    time-zone GMT;
    root-authentication {
        encrypted-password "$5$.bjNp99b$HxfDwZzNmQTSri2ZFfhU62lkzgnC4A/bWdiQmRdctZ8";
    }
    name-server {
        200.225.197.34;
        200.225.197.37;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        dhcp-local-server {
            pool-match-order {
                external-authority;
                ip-address-first;
                option-82;
            }
            group rotem_pool {
                interface ge-0/0/1.0;
            }
        }
        web-management {
            http;
            https {
                system-generated-certificate;
            }
            session {
                idle-timeout 60;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    ike {
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy Rotem {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "$9$AYJPuIc-dsoZjKMYoaJkq/CtuRSevL";
        }
        gateway Rotem {
            ike-policy Rotem;
            address 58.87.57.67;
            local-identity hostname rotem_brazil_altino_cptm;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy Rotem {
            proposals esp-3des-sha;
        }
        vpn Rotem {
            bind-interface st0.0;
            ike {
                gateway Rotem;
                no-anti-replay;
                ipsec-policy Rotem;
            }
            establish-tunnels immediately;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone Internal {
            policy All_Internet_Internal {
                description altino;
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                    ping;
                    dhcp;
                }
            }
            interfaces {
                ge-0/0/5.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            snmp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            host-inbound-traffic {
                system-services {
                    ping;
                    http;
                    https;
                    ssh;
                    telnet;
                }
            }
            interfaces {
                st0.0;
                ge-0/0/0.0;
            }
        }
        security-zone internal;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 187.32.128.193/27;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.196.136.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
}
routing-options {
    static {
        route 10.0.0.0/8 next-hop st0.0;
        route 0.0.0.0/0 next-hop 187.32.128.222;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
}
access {
    address-assignment {
        pool rotem_pool {
            family inet {
                network 10.196.136.0/24;
                range rotem_pool {
                    low 10.196.136.50;
                    high 10.196.136.220;
                }
                dhcp-attributes {
                    name-server {
                        10.196.24.31;
                    }
                    router {
                        10.196.136.1;
                    }
                }
            }
        }
    }
}

 

Re: DHCP not working [Juniper SRX300]

You're missing the dhcp and bootp (not sure which one of the two) in the [security zones security-zone Internal interface ge-0/0/1.0 host-inbound-traffic system-services]

Re: DHCP not working [Juniper SRX300]


And how can I fix it?

As I told you, I am not a Juniper expert; if possible, give me the commands.

Kind regards.


Re: DHCP not working [Juniper SRX300]


set security zones security-zone Internal interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
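The point behind that command is that an interface-level host-inbound-traffic stanza replaces the zone-level one rather than merging with it, which is why zone-level dhcp on Internal did not help. The following is an added example, not code from the thread: it parses a constructed set-style excerpt modelled on the poster's config and reports the effective system-services for every interface bound to a dhcp-local-server group, before and after the fix.

```python
"""Added example (not from the thread): audit which DHCP server interfaces
actually accept DHCP. Junos applies an interface-level host-inbound-traffic
stanza *instead of* the zone-level one, so zone-level 'dhcp' alone is not enough."""

# Constructed set-style excerpt modelled on the poster's config.
SAMPLE = """\
set system services dhcp-local-server group rotem_pool interface ge-0/0/1.0
set security zones security-zone Internal host-inbound-traffic system-services dhcp
set security zones security-zone Internal interfaces ge-0/0/2.0
set security zones security-zone Internal interfaces ge-0/0/5.0 host-inbound-traffic system-services dhcp
set security zones security-zone Internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone Internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
"""
# The fix given in the thread, re-run through the audit below.
FIX = "set security zones security-zone Internal interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp"

def parse_set(text):
    """Nested dict from 'set ...' lines: one dict level per whitespace token."""
    root = {}
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] != ["set"]:
            continue
        node = root
        for tok in toks[1:]:
            node = node.setdefault(tok, {})
    return root

def effective_services(cfg, zone, ifname):
    """Interface-level list replaces the zone-level list entirely (no merge)."""
    z = cfg["security"]["zones"]["security-zone"][zone]
    ifc = z.get("interfaces", {}).get(ifname, {})
    scope = ifc if "host-inbound-traffic" in ifc else z
    return set(scope.get("host-inbound-traffic", {}).get("system-services", {}))

def audit_dhcp_server(cfg):
    """{interface: (zone, effective services, dhcp_ok)} per dhcp-local-server interface."""
    report, zones = {}, cfg["security"]["zones"]["security-zone"]
    groups = cfg["system"]["services"]["dhcp-local-server"].get("group", {})
    for body in groups.values():
        for ifname in body.get("interface", {}):
            zone = next((n for n, z in zones.items() if ifname in z.get("interfaces", {})), None)
            svcs = effective_services(cfg, zone, ifname) if zone else set()
            report[ifname] = (zone, svcs, bool(svcs & {"dhcp", "bootp", "all"}))
    return report

if __name__ == "__main__":
    for label, text in (("before", SAMPLE), ("after fix", SAMPLE + FIX)):
        for ifname, (zone, svcs, ok) in audit_dhcp_server(parse_set(text)).items():
            print(f"{label}: {ifname} zone={zone} services={sorted(svcs)} dhcp_ok={ok}")
```

ge-0/0/2.0 in the sample has no interface-level stanza, so it inherits the zone-level list; ge-0/0/1.0 has one and therefore gets only what that list names.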

Which model and license should I select for SRX firewall?


Hi,

I'm confused about SRX licensing. I would need a firewall for branches in the first year without any subscription, and next year we have a plan to move all email service to Office365 and deploy

I'm interested in the SRX300.

Can I purchase SRX300-SYS-JB with SRX300-IPS-1? But I need the Application Security feature. Is it included in these licenses?

 

Clear pim join and effects on Transit multicast stream


Please consider the following example:

Listener-------f1 SRX---f2---------------Rest of Multicast Network--SRC 1.1.1.1

235.1.1.1

DENSE MODE CASE:

Suppose SRC is generating a packet every 2 msec for group 235.1.1.1.

If we issue "clear pim join" on the SRX to flush the multicast cache (which can be seen with show multicast route), will it cause the SRX to drop (1.1.1.1, 235.1.1.1) packets?

Will the same be true for SPARSE MODE as well?

Thanks and have a nice weekend!!

 

Re: Which model and license should I select for SRX firewall?


If you need application security, there are two ways:

SRX300-SYS-JE, which includes perpetual licensing for the application security functionality (AppFW, AppQoS, etc.).

BUT: if you intend to purchase the IPS subscription, application security is included in this subscription. In this scenario I would buy SRX300-SYS-JB and then add the IPS subscription.

It all depends on whether you intend to keep subscriptions active on the gateway; if so, always go for JSB/SYS-JB. If there are no intentions for subscriptions, or only subscriptions for 1 year, then go for JSE/SYS-JB.
