juniper vSRX (SSL-VPN) configuration works??
Internet failover with dual-ISP configuration and routing-instances by using IP monitoring
We have an SRX320 with two ISPs connected to the ge-0/0/0 and ge-0/0/2 interfaces and trusted subnets connected to the ge-0/0/5 interface.
We use both ISPs for destination NATs to forward ports from the Internet to the trusted subnets. To solve the problem with asymmetric NAT, we use a separate routing-instance for each ISP interface.
root@orn-gw-01> show configuration interfaces ge-0/0/0
description "ISP1";
unit 0 {
    family inet {
        address 95.78.251.27/24;
    }
}

root@orn-gw-01> show configuration interfaces ge-0/0/2
description "ISP2";
unit 0 {
    family inet {
        address 79.140.22.231/24;
    }
}

root@orn-gw-01> show configuration routing-instances
isp-1 {
    instance-type virtual-router;
    interface ge-0/0/0.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 95.78.251.254;
        }
    }
}
isp-2 {
    instance-type virtual-router;
    interface ge-0/0/2.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 79.140.22.1;
        }
    }
}
Routes from the default routing table are copied into ISP routing-instances using rib-groups.
root@orn-gw-01> show configuration routing-options
interface-routes {
    rib-group inet isp;
}
static {
    route 0.0.0.0/0 next-table isp-1.inet.0;
}
rib-groups {
    isp {
        import-rib [ inet.0 isp-1.inet.0 isp-2.inet.0 ];
    }
}
Also, we use both ISPs for source NATs. We have configured a simple filter for that.
root@orn-gw-01> show configuration firewall filter output-isp
term to-isp-2 {
    from {
        source-address {
            10.110.12.0/24;
        }
    }
    then {
        routing-instance isp-2;
    }
}
term default-isp {
    from {
        source-address {
            0.0.0.0/0;
        }
    }
    then {
        routing-instance isp-1;
    }
}
term default-allow {
    then accept;
}

root@orn-gw-01> show configuration interfaces ge-0/0/5.10
vlan-id 10;
family inet {
    filter {
        input output-isp;
    }
    address 10.110.10.1/24;
}
Everything works fine, but there is no basic failover for Internet access. We would like the routes to switch to the ISP2 provider interface if there is no Internet access over the ISP1 provider.
To do this, we configured probes in the real-time performance monitoring service.
root@orn-gw-01> show configuration services rpm
probe isp-1 {
    test google {
        probe-type icmp-ping;
        target address 8.8.8.8;
        probe-count 3;
        probe-interval 5;
        test-interval 10;
        thresholds {
            successive-loss 3;
            total-loss 3;
        }
        destination-interface ge-0/0/0.0;
        next-hop 95.78.251.254;
    }
}
probe isp-2 {
    test google {
        probe-type icmp-ping;
        target address 8.8.8.8;
        probe-count 3;
        probe-interval 5;
        test-interval 10;
        thresholds {
            successive-loss 3;
            total-loss 3;
        }
        destination-interface ge-0/0/2.0;
        next-hop 79.140.22.1;
    }
}
Then we added actions in the IP monitoring service that change the preferred routes of the routing-instances.
root@orn-gw-01> show configuration services ip-monitoring
policy isp-1 {
    match {
        rpm-probe isp-1;
    }
    then {
        preferred-route {
            routing-instances isp-1 {
                route 0.0.0.0/0 {
                    next-hop 79.140.22.1;
                }
            }
        }
    }
}
policy isp-2 {
    match {
        rpm-probe isp-2;
    }
    then {
        preferred-route {
            routing-instances isp-2 {
                route 0.0.0.0/0 {
                    next-hop 95.78.251.254;
                }
            }
        }
    }
}
But it does not work. If a probe fails, the configured action is applied:
root@orn-gw-01> show services ip-monitoring status

Policy - isp-1 (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    isp-1                  google          8.8.8.8          PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    isp-1             0.0.0.0/0         79.140.22.1      NOT-APPLIED

Policy - isp-2 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    isp-2                  google          8.8.8.8          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    isp-2             0.0.0.0/0         95.78.251.254    APPLIED
But the specified route is not present in the routing-instance:
root@orn-gw-01> show route table isp-2.inet.0 exact 0.0.0.0/0

isp-2.inet.0: 30 destinations, 32 routes (30 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:17:19
                    > to 79.140.22.1 via ge-0/0/2.0
We suppose that our mistake is that IP monitoring is trying to install a route towards an interface that does not belong to that routing-instance. It would probably be right to use next-table into the other routing-instance as the action, but IP monitoring can only do next-hop.
How else can we solve this problem?
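A consistency check for the mismatch described in this post, added here as an example and not part of the original post: it parses the `show services ip-monitoring status` and `show route` outputs quoted above (reproduced inline as sample input, plus one constructed dump showing how the table would look once a preferred route is really installed) and reports every route-action that IP monitoring marks APPLIED whose next-hop is not the active next-hop for that prefix in `<instance>.inet.0`. The table naming and the column layout of the outputs are assumptions taken from the post.

```python
import re

# Sample input: the 'show services ip-monitoring status' output quoted in the post.
IP_MON_STATUS = """\
Policy - isp-1 (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    isp-1                  google          8.8.8.8          PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    isp-1             0.0.0.0/0         79.140.22.1      NOT-APPLIED
Policy - isp-2 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    isp-2                  google          8.8.8.8          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    isp-2             0.0.0.0/0         95.78.251.254    APPLIED
"""

# Sample input: 'show route table isp-2.inet.0 exact 0.0.0.0/0' from the post, keyed by table.
ROUTE_TABLES = {"isp-2.inet.0": """\
isp-2.inet.0: 30 destinations, 32 routes (30 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:17:19
                    > to 79.140.22.1 via ge-0/0/2.0
"""}

# Constructed (not from the post): the same table once the preferred route is
# really installed and active; the route preference shown is illustrative.
ROUTE_TABLE_AFTER_FAILOVER = """\
isp-2.inet.0: 30 destinations, 33 routes (30 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/1] 00:00:05
                    > to 95.78.251.254 via ge-0/0/0.0
                    [Static/5] 01:17:19
                    > to 79.140.22.1 via ge-0/0/2.0
"""

POLICY_RE = re.compile(r"^Policy - (\S+) \(Status: (\w+)\)")
ACTION_RE = re.compile(r"^\s*(\S+)\s+(\S+/\d+)\s+(\S+)\s+(APPLIED|NOT-APPLIED)\s*$")
ENTRY_RE = re.compile(r"^(?P<prefix>\S+/\d+)?\s*(?P<active>\*)?\[(?P<proto>\w+)/(?P<pref>\d+)\]")
NEXTHOP_RE = re.compile(r"\bto (\S+) via (\S+)")


def parse_route_actions(status_text):
    """One dict per Route-Action row, tagged with the policy it belongs to."""
    actions, policy, status = [], None, None
    for line in status_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy, status = m.group(1), m.group(2)
            continue
        m = ACTION_RE.match(line)
        if m and policy is not None:
            actions.append({"policy": policy, "policy_status": status,
                            "instance": m.group(1), "route": m.group(2),
                            "next_hop": m.group(3), "state": m.group(4)})
    return actions


def active_next_hops(route_text, prefix):
    """Next-hop addresses of the active ('*') entry for prefix in a 'show route' dump."""
    hops, current, active = [], None, False
    for line in route_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            if m.group("prefix"):
                current = m.group("prefix")
            active = m.group("active") is not None
            continue
        m = NEXTHOP_RE.search(line)
        if m and current == prefix and active:
            hops.append(m.group(1))
    return hops


def find_unapplied_routes(status_text, tables):
    """Route-actions reported APPLIED whose next-hop is not the active one in <instance>.inet.0."""
    findings = []
    for action in parse_route_actions(status_text):
        if action["state"] != "APPLIED":
            continue
        table = tables.get(action["instance"] + ".inet.0", "")
        actual = active_next_hops(table, action["route"])
        if action["next_hop"] not in actual:
            findings.append({**action, "actual_next_hops": actual})
    return findings


if __name__ == "__main__":
    for f in find_unapplied_routes(IP_MON_STATUS, ROUTE_TABLES):
        print(f"policy {f['policy']}: {f['route']} via {f['next_hop']} marked APPLIED in "
              f"{f['instance']} but active next-hops are {f['actual_next_hops']}")
```

On the post's outputs it reports exactly one finding, the isp-2 action: APPLIED with next-hop 95.78.251.254 while the only active next-hop for 0.0.0.0/0 in isp-2.inet.0 is 79.140.22.1. The APPLIED flag in the status output only says the action was attempted; whether the failover path is in use has to be confirmed in the routing table.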
Re: (No) traffic through Dynamic VPN. Sometimes
Re: Clear pim join and effects on Transit multicast stream
When there are no active group members, the system sends a prune message upstream to its neighbor. Clearing those joins ideally shouldn't affect anything. The command is not only "clear pim join"; it is as follows:
> clear pim join ?
Possible completions:
<group> IP address and optional prefix length of group
all Clear all PIM join/prune states
bidirectional Clear only bidirectional PIM entries
dense Clear only PIM dense-mode entries
exact Clear only group that matches exactly
inet Clear IPv4 join/prune state
inet6 Clear IPv6 join/prune state
instance Name of instance
logical-system Name of logical system, or 'all'
rp IP address and optional prefix length of rendezvous point
sg Clear only S,G entries
source IP address and optional prefix length of source
sparse Clear only PIM sparse-mode entries (including SSM)
star-g Clear only *,G entries
So, to be safe, clear only the group that is inactive, not all.
It can be used for sparse mode as well, followed by the group address.
how to give mobilephone access to ipcamera from untrus to trust network
At this moment the access is set to any address, but I want to give access to a limited number of external IP addresses.
This will work for static IP addresses, but mobile phone users have changing IP addresses. Does anybody have a clue how to solve this?
My Juniper is an SRX210.
Re: [SRX320/210] JDHCPCD lease timeout issue with DHCPv6 Client PD w\ PPPoE on OPTION_IAPREFIX
This is an eBay gray-market SRX, so JTAC will not help here.
I'll figure something out though.
Thanks
Re: juniper vSRX (SSL-VPN) configuration works??
Looks like it is supported in vSRX with 15.1X49-D80
Re: SRX240 having high CPU utilization issue: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 5 PIC 0 CPU utilization exceeds threshold, current value=99
Hi anwarabbas,
Can you share:
- show chassis cluster status
- show version
Even though the logs are showing high CPU on dataplane, this is not seen in the outputs you provided:
show security monitoring fpc 5
node1:
--------------------------------------------------------------------------
FPC 0 PIC 0
CPU utilization : 40 %

show chassis forwarding
node1:
--------------------------------------------------------------------------
FWDD status:
  State                               Online
  Microkernel CPU utilization         15 percent
  Real-time threads CPU utilization   16 percent
- Were the commands taken during the time of the high CPU utilization?
- Are the logs showing always or just between 11pm-12am?
During the time of the problem can you confirm how much traffic (bps) is the SRX receiving. See the following post:
https://forums.juniper.net/t5/SRX-Services-Gateway/SRX1500-Capactiy/m-p/338608#M50534
BFD flow session doubt
Hi, I am having a hard time understanding how BFD works on the SRX-5400. I have a BGP session with peer 169.254.254.1, and the zone security policy allows host-inbound protocols bgp and bfd.
SRX-5400> show bgp summary | match 169.254.254.1
169.254.254.1    9059    37084    38202    0    1    1w5d 7:41:27    1/1/1/0    0/0/0/0
SRX-5400> show bfd session | match 169.254.254.1
169.254.254.1    Up    reth0.103    1.500    0.500    3
All is well; however, "show security flow session source" confuses me:
SRX-5400> show security flow session source-prefix 169.254.254.1
Session ID: 30000034, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
In: 169.254.254.1/49152 --> 169.254.254.2/3784;udp, Conn Tag: 0x0, If: reth0.103, Pkts: 25066025, Bytes: 1303433300, CP Session ID: 30000128
Out: 169.254.254.2/3784 --> 169.254.254.1/49152;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0, CP Session ID: 30000128
The outbound leg counters always show 0, why is that? the actual BFD hello packets went out otherwise BFD session wouldn't be in UP state.
Re: SRX 240 Tunnel with MX 104 Unable to establish IPSEC
Hello,
You have several errors in your configuration:
1/ on the SRX, "ipsecproposal" does not have an authentication algorithm defined, but MD5 is configured on the MX side;
2/ the SRX does not have a proxy-id defined that matches the MX104 <== this is important, since the MX derives the proxy-id from the IPsec VPN rules.
Please find below the working configuration I tested in my lab:
MX
set services service-set tst1 ipsec-vpn-options local-gateway 162.255.61.67
set services service-set tst1 ipsec-vpn-rules vpn_rule_ms_0_2_0_01
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from source-address 10.209.210.4/32
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from destination-address 10.209.133.2/32
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from ipsec-inside-interface ms-0/2/0.1
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then remote-gateway 137.52.139.21
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ike-policy ike_policy_ms_0_2_0
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ipsec-policy ipsec_policy_ms_0_2_0
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then tunnel-mtu 1446
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then anti-replay-window-size 4096
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 match-direction input
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 protocol esp
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 proposals ipsec_proposal_ms_0_2_0
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 dh-group group2
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-algorithm md5
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
set services ipsec-vpn ike policy ike_policy_ms_0_2_0 mode main
set services ipsec-vpn ike policy ike_policy_ms_0_2_0 proposals ike_proposal_ms_0_2_0
set services ipsec-vpn ike policy ike_policy_ms_0_2_0 pre-shared-key ascii-text "$9$XIm-w2aJDkmf8XaUiHPf5Tz6/tSyKXNbre"
SRX
set security ike proposal ikeprop authentication-method pre-shared-keys
set security ike proposal ikeprop dh-group group2
set security ike proposal ikeprop authentication-algorithm md5
set security ike proposal ikeprop encryption-algorithm aes-128-cbc
set security ike policy ikepol proposals ikeprop
set security ike policy ikepol pre-shared-key ascii-text "$9$XIm-w2aJDkmf8XaUiHPf5Tz6/tSyKXNbre"
set security ike gateway Davie ike-policy ikepol
set security ike gateway Davie address 162.255.61.67
set security ike gateway Davie external-interface ge-0/0/0.0
set security ipsec proposal ipsecproposal protocol esp
set security ipsec proposal ipsecproposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsecproposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsecpolicy perfect-forward-secrecy keys group2
set security ipsec policy ipsecpolicy proposals ipsecproposal
set security ipsec vpn toDavie bind-interface st0.0
set security ipsec vpn toDavie ike gateway Davie
set security ipsec vpn toDavie ike proxy-identity local 10.209.133.2/32
set security ipsec vpn toDavie ike proxy-identity remote 10.209.210.4/32
set security ipsec vpn toDavie ike ipsec-policy ipsecpolicy
set security ipsec vpn toDavie establish-tunnels immediately
HTH
Thx
Alex
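A peer-settings check for the two errors Alex lists, added here as an example and not part of the reply or of either device's configuration: it normalises the relevant `set` lines of both working configurations above into one comparable dict per side and reports every IKE/IPsec proposal attribute, PFS group or proxy-ID pair on which the peers disagree (for the MX the proxy-ID is taken from the rule term's source/destination addresses, as the reply says). `SRX_BROKEN` is constructed by dropping the IPsec authentication-algorithm and proxy-identity lines from the working SRX config, to reproduce the state the reply describes.

```python
# Relevant lines of the working MX configuration from the reply.
MX_CONFIG = """\
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from source-address 10.209.210.4/32
set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from destination-address 10.209.133.2/32
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 protocol esp
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 authentication-algorithm hmac-md5-96
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 perfect-forward-secrecy keys group2
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 dh-group group2
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-algorithm md5
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
"""

# Relevant lines of the working SRX configuration from the reply.
SRX_CONFIG = """\
set security ike proposal ikeprop authentication-method pre-shared-keys
set security ike proposal ikeprop dh-group group2
set security ike proposal ikeprop authentication-algorithm md5
set security ike proposal ikeprop encryption-algorithm aes-128-cbc
set security ipsec proposal ipsecproposal protocol esp
set security ipsec proposal ipsecproposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsecproposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsecpolicy perfect-forward-secrecy keys group2
set security ipsec vpn toDavie ike proxy-identity local 10.209.133.2/32
set security ipsec vpn toDavie ike proxy-identity remote 10.209.210.4/32
"""

# Constructed: the SRX side with the two omissions the reply describes.
SRX_BROKEN = "\n".join(
    line for line in SRX_CONFIG.splitlines()
    if "hmac-md5-96" not in line and "proxy-identity" not in line
)

IKE_ATTRS = ("authentication-method", "dh-group", "authentication-algorithm", "encryption-algorithm")
IPSEC_ATTRS = ("protocol", "authentication-algorithm", "encryption-algorithm")


def parse_set_config(text):
    """Normalise 'set' lines from either platform into one comparable dict."""
    cfg = {"ike": {}, "ipsec": {}, "pfs": None, "local_id": None, "remote_id": None}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "set":
            continue
        if "proposal" in t:
            i = t.index("proposal")
            if t[i - 1] in ("ike", "ipsec"):            # '... ike|ipsec proposal NAME ATTR VALUE'
                cfg[t[i - 1]][t[i + 2]] = " ".join(t[i + 3:])
        elif "perfect-forward-secrecy" in t:
            cfg["pfs"] = t[t.index("perfect-forward-secrecy") + 2]   # skip the 'keys' keyword
        elif "proxy-identity" in t:                      # SRX: proxy-identity local|remote PREFIX
            i = t.index("proxy-identity")
            cfg[t[i + 1] + "_id"] = t[i + 2]
        elif "source-address" in t:                      # MX derives its proxy-ID from the rule term
            cfg["local_id"] = t[t.index("source-address") + 1]
        elif "destination-address" in t:
            cfg["remote_id"] = t[t.index("destination-address") + 1]
    return cfg


def compare_peers(a, b):
    """(field, a_value, b_value) for every setting on which the two peers disagree."""
    mismatches = []
    for phase, attrs in (("ike", IKE_ATTRS), ("ipsec", IPSEC_ATTRS)):
        for attr in attrs:
            if a[phase].get(attr) != b[phase].get(attr):
                mismatches.append((f"{phase} {attr}", a[phase].get(attr), b[phase].get(attr)))
    if a["pfs"] != b["pfs"]:
        mismatches.append(("pfs", a["pfs"], b["pfs"]))
    # Proxy-IDs must mirror each other: my local selector is the peer's remote one.
    if (a["local_id"], a["remote_id"]) != (b["remote_id"], b["local_id"]):
        mismatches.append(("proxy-id", (a["local_id"], a["remote_id"]),
                           (b["remote_id"], b["local_id"])))
    return mismatches


if __name__ == "__main__":
    for label, srx in (("working SRX", SRX_CONFIG), ("broken SRX", SRX_BROKEN)):
        print(label, compare_peers(parse_set_config(srx), parse_set_config(MX_CONFIG)))
```

The check establishes only that both sides agree, not that the settings are strong: MD5 for IKE authentication, HMAC-MD5-96 for ESP and DH group 2 match each other here but sit below current recommendations, so a hardened pair would move both sides together to SHA-2 and a larger DH group, which the same comparison would then confirm.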
Re: BFD flow session doubt
Hello,
AFAIK, what you are seeing is expected with distributed BFD.
"Distributed" means BFD packet generation/consumption happens on the linecard CPU and not on the Routing Engine.
One can verify it with the following Junos CLI command:
show ppm transmissions protocol bfd detail
You should see "Distributed: TRUE" for distributed BFD.
With d.BFD, one of the linecard CPUs is selected as the "BFD anchor" for a bunch of sessions, meaning it handles BFD packet processing for several sessions even if the incoming interface is hosted on other linecards.
So the inbound d.BFD session wing is passed through the SPU on its way to the BFD anchor, but the other wing is not, meaning the generated outgoing d.BFD packets are put directly on the wire.
Hope this makes sense.
HTH
Thx
Alex
how to use GUI to limit outside public ip to access firewall web management?
hi All,
I would like to know whether there is any way to use the GUI to whitelist the IPs allowed to access the Juniper SRX web management, instead of using the console?
SRX340 Base Model, which JunOS version?
The SRX340 base model closest to an SRX240B or B2 has a minimum version of Junos. What is this version? I know the model numbers might not resemble the B or B2 designation, but I'm sure someone can make the distinction. What is the base Junos version of the SRX340? I want to make sure the DHCPv6 client is installed. I think ver 12.xxx is what I need. Need sessions. Is this the correct answer? I have no sessions showing, but my flow is proper. See my post....
https://forums.juniper.net/t5/SRX-Services-Gateway/No-IPV6-flow-sessions/m-p/376674#M51198
Certain users can't be logged out manually/kicked
Hello!
Device: SRX4200
Version: 15.1X49-D110.4
I've been trying to do some JunOS security hardening and I'm stumbling upon a weird phenomenon (at least to me it is) with the logged in users.
So I know you can logout users and it's been successful to a certain degree. This is the current situation:
"Request system logout terminal p1" doesn't do anything, CLI doesn't return any message. Making it more specific doesn't work either, "request system logout terminal p1 user chxxx". I know that the root users are more finnicky to kick, but I have actually been able to do that on my QFXs and even on the SRX:
(Been able to kick root (d0) from both nodes)
Now I did find this post:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB9341&cat=JUNOS&actp=LIST
And I tried this too; I checked the system processes both trying to match out the terminal values and by just looking through with my own eyes. The users that don't have a "WHAT" value don't seem to have a process linked to them. It's almost like they exist in the void? The chxxx user that exists on both nodes is probably from when I logged in between node1 and back to node0, but as said, I can't even kick these!
Before you point me towards an idle-timeout config, I do have that, but I need to fix the login class and make new local ones because it's not sticking to the standard super-user classes so currently it doesn't really work, and frankly I want to figure this out! I suppose the answer lies in what type of terminal the user is? I have been able to kick "p" TTYs from my QFXs, although they did have a "WHAT" value...
Any KB or PR articles, or response would be appreciated!
Re: how to use GUI to limit outside public ip to access firewall web management?
Hi,
You can change the configuration depending on your firewall filter.
For example: Configure > Security > Firewall Filters > IPv4 > select the firewall filter you want to edit.
If you have a pre-configured loopback filter, you can do it there.
Re: SRX and link aggregation
Hi All
I eventually got to the bottom of this, in case anybody is curious. Put simply, the problem was with the ESXi host, not the SRX.
I proved this by running packet captures on the host which showed the packets arriving on the hosts physical interfaces but not being passed up the stack to the vmkernel adapter. After speaking with a VMWare expert, I was advised to delete and recreate the VMK interface. After doing so, it worked fine.
It seems that the initial management adapter that ESXi creates takes the MAC address of the physical host's NIC0. This then creates issues when you try to create a LAG.
Paul
Re: SRX340 Base Model, which JunOS version?
The SRX340 runs a minimum release of Junos 15.1X49-D30, which has DHCPv6 support. It can also run 18.1/18.2/18.3, but I would recommend just taking the latest JTAC recommended release: 15.1X49-D150.
ISSUES with SRX Virtual Router with BGP in selective packet mode
Hi Community,
I need to deploy an SRX as a CPE with 2 virtual routers, one for Internet access with NAT and the other VR with BGP peering. I tried to deploy the BGP VR in packet mode with a selective filter, but it doesn't work: all BGP keepalives are discarded.
Is it possible to do this implementation? The documentation says: "Make sure to configure host-bound TCP traffic to use flow-based forwarding—exclude this traffic when specifying match conditions for the firewall filter term containing the packet-mode action modifier. Any host-bound TCP traffic configured to bypass flow is dropped. Asynchronous flow-mode processing is not supported with selective stateless packet-based services"
Please let me know your comments and experience.
Thanks in advance
BR
Martin
Re: source nat pool and proxy-arp not working
I'm not sure if I can set up a static route on the modem that points back in, but I'll check. I'm actually replacing the modem as it's probably over 5 years old - which isn't old but ... - and it's been displaying other weird behavior that indicates a hardware type of issue, so for > $200 I can get a new one, get a good 5-7 years out of it and be good.
I also did some more reading and found this:
Restricted Proxy ARP
Restricted proxy ARP enables the router or switch to respond to the ARP requests in which the physical networks of the source and target are not the same and the router or switch has an active route to the target address in the ARP request. The router does not reply if the target address is on the same subnet and the same interface as the ARP requestor.
Unrestricted Proxy ARP
Unrestricted proxy ARP enables the router or switch to respond to any ARP request, on condition that the router has an active route to the destination address of the ARP request. The route is not limited to the incoming interface of the request, nor is it required to be a direct route.
If you configure unrestricted proxy ARP, the proxy router replies to ARP requests for the target IP address on the same interface as the incoming ARP request. This behavior is appropriate for cable modem termination system (CMTS) environments, but might cause Layer 2 reachability problems if you enable unrestricted proxy ARP in other environments.
When an IP client broadcasts the ARP request across the Ethernet wire, the end node with the correct IP address responds to the ARP request and provides the correct MAC address. If the unrestricted proxy ARP feature is enabled, the router response is redundant and might fool the IP client into determining that the destination MAC address within its own subnet is the same as the address of the router.
While the destination address can be remote, the source address of the ARP request must be on the same subnet as the interface upon which the ARP request is received. For security reasons, this rule applies to both unrestricted and restricted proxy ARP.
From what I read, the Restricted is what I need to setup but the explanation for Unrestricted clearly states that it is appropriate for cable modem termination system. The SRX will never have an active route to anything on the 172.20.15.0/24 except for itself and the cable modem as there is no other physical or virtual device with that IP. It is strictly a natted address for outbound traffic.
Maybe I'm over complicating things for no really good reason?
Re: ISSUES with SRX Virtual Router with BGP in selective packet mode
You should be able to get the BGP peering to work in a separate VR in flow mode, along with filter-based forwarding for the selective forwarding needs.