
Re: Recovery issue, help using u-boot


Hi all,

As I had the same issue as the original poster, I wanted to post my solution for future readers' needs:

1. Format a flash drive using the FAT filesystem
2. Download the JUNOS OS Image and obtain the boot loader files via the procedure listed at https://kb.juniper.net/InfoCenter/index?page=content&id=KB30427
3. Copy the JUNOS image (.tgz file), the uboot, and loader_crc on to the flash drive
4. Insert the flash drive into the USB slot 0 on the SRX and boot up the device
5. When presented with the following U-Boot message press the space bar to enter the U-Boot loader
Press SPACE to abort autoboot in 1 seconds
6. Verify that the files can be seen on the flash drive
=> fatls usb 1:1
.spotlight-v100/
.fseventsd/
297184 loader_crc
4096 ._loader_crc
639364 uboot
4096 ._uboot

4 file(s), 2 dir(s)


7. Copy the uboot and loader_crc files to the SRX using the below sequence of commands (output below)

fatload usb 1:1 0x100000 uboot
bootloader upgrade u-boot active 0x100000
reset
fatload usb 1:1 0x100000 loader_crc
bootloader upgrade loader 0x100000
reset

8. Output of operation below

=> fatload usb 1:1 0x100000 uboot
reading uboot

639364 bytes read
=> bootloader upgrade u-boot active 0x100000
Checking sanity of backup u-boot...OK
Un-Protected 10 sectors

.......... done
Erased 10 sectors
writing to flash...
Verifying the new u-boot... OK
=> reset


U-Boot 1.1.6-JNPR-2.8 (Build time: Feb 10 2015 - 01:03:41)

Initializing memory this may take some time...
Measured DDR clock 333.28 MHz
SRX_240H2 board revision major:2, minor:11, serial #: ACLT4470
OCTEON CN5230R-SCP pass 2.0, Core clock: 600 MHz, DDR clock: 333 MHz (666 Mhz data rate)
DRAM: 2048 MB
Starting Memory POST...
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash: 4 MB
USB: scanning bus for devices...
Root Hub 0: 4 USB Device(s) found
Root Hub 1: 1 USB Device(s) found
scanning bus for storage devices... 2 Storage Device(s) found
Clearing DRAM........ done
BIST check passed.
PCIe: Initializing port 0
PCIe: Initializing port 1
Boot Media: nand-flash usb
Net: octeth0
Switch driver image not programmed properly in bootflash
Expected 0x3c1c0000, actual 0xaaaaaaaa
POST Passed
Press SPACE to abort autoboot in 1 seconds
## No elf image at address 0x00100000
=> fatload usb 1:1 0x100000 loader_crc
reading loader_crc

297184 bytes read
=> bootloader upgrade loader 0x100000
Un-Protected 16 sectors

................ done
Erased 16 sectors
writing to flash...
Verifying new loader image...OK
=> reset


how to get blocked traffic information from LAN Traffic.


Hello,

I am using an SRX 340 in production and have limited traffic open for internal users, like POP, SMTP, 80 and 443.

Now there is an app called AnyDesk for remote support. This application is not working. I already opened ports 80 and 443 as suggested by the AnyDesk support team. If I create a policy with any/any source and destination it starts to work, but it is not possible to open all ports for internal traffic.

Now I want to trace what traffic hitting the SRX from local traffic is not permitted and is blocked by the firewall.

Thanks

RPM for reachability to 3rd party devices


 

Hi,

 

I am new to Junos RPM having primarily worked with Cisco IP SLA features...

I have a site with Junos SRXs which has connectivity to other sites with SRXs... RPM works great, though I believe that you have to have a responder configured, i.e. RPM is Junos proprietary... Hence does that mean that I can't test ICMP pings out to other vendor devices? If so, is there another probe I can configure for this? Just need RTT, jitter and pkt loss...

 

Thanks in advance!

Re: RPM for reachability to 3rd party devices

You don't need to consider anything on the responder.

You can configure any kind of probe supported by RPM on Junos, just make sure the responder understands the probe.
For example, for an ICMP probe, no config is required on the responder.

Re: SRX340 Base Model, which JunOS version?

Thanks for the post. Kudos!!!! Incidentally I'm trying to get more memory. IPv6 is scarce on my 240.

Re: RPM for reachability to 3rd party devices


So currently I can ping from my SRX to the external device, though the icmp-ping probe doesn't work... Below is my config... Can I change it so the responder replies as if it was a normal ping??? Guess I need to try removing the time-stamps?

 

set services rpm probe n4-mgmt-vpn test icmp-ping probe-type icmp-ping-timestamp
set services rpm probe n4-mgmt-vpn test icmp-ping target address [xx].[xx].10.18
set services rpm probe n4-mgmt-vpn test icmp-ping probe-count 1
set services rpm probe n4-mgmt-vpn test icmp-ping probe-interval 30
set services rpm probe n4-mgmt-vpn test icmp-ping test-interval 10
set services rpm probe n4-mgmt-vpn test icmp-ping thresholds
set services rpm probe n4-mgmt-vpn test icmp-ping destination-interface reth0.8
set services rpm probe n4-mgmt-vpn test icmp-ping hardware-timestamp

Do I have an MTU-VPN-OSPF ticking time bomb?


To start with, here is my point of reference:

 

http://networkingbodges.blogspot.com/2015/07/ospf-stuck-in-exchange-exstart.html - in particular the second paragraph under sub-heading 'Papering Over the Cracks'

 

I have recently (over the last 6 months) replaced our estate of Netscreen and SSG devices with SRXs. Most employ a VPN back to the 'hub'. The aforementioned devices only supported VPN tunnels with a maximum MTU of 1500. When the SRXs went in, a third party Juniper consultant advised that this limitation no longer applied, i.e. we could use the default MTU for the tunnels  - the maximum for a jumbo frame of 9192. Sure enough all of our new tunnels have been happily functioning with this value. However, 2 of said connections have recently become stuck in the Exchange state. JTAC got involved, and for whatever reason OSPF will now only function if the tunnel carries an MTU of 1388 (over a VDSL link). JTAC could offer no explanation as to why this is now the case.

 

The article above may or may not be relevant in this instance, but if it is, I fear each site will be lost one by one. However, I do not want to needlessly and significantly lower the MTU value of all tunnels. The 1388 value above was merely arrived at by trial and error.

 

Can anyone help me avoid a bit of a disaster?

Re: RPM for reachability to 3rd party devices


Hi

3rd party device may not filter timestamp request. Can you please try to test with below config?

 

set services rpm probe n4-mgmt-vpn test icmp-ping probe-type icmp-ping
set services rpm probe n4-mgmt-vpn test icmp-ping target address [xx].[xx].10.18
set services rpm probe n4-mgmt-vpn test icmp-ping probe-count 1
set services rpm probe n4-mgmt-vpn test icmp-ping probe-interval 30
set services rpm probe n4-mgmt-vpn test icmp-ping test-interval 10
set services rpm probe n4-mgmt-vpn test icmp-ping destination-interface reth0.8


Re: how to get blocked traffic information from LAN Traffic.

Uncommitted after firmware update


Came across an issue when I was trying to run a configlet against an SRX router from Junos Space. Discovered that after the last firmware update I had an uncommitted configuration because the firmware version didn't save to the configuration. Is there something I missed doing the firmware update? Junos Space doesn't like to run configlets against routers with uncommitted changes, so I probably have a hundred routers with this issue.

Re: Uncommitted after firmware update


Have you tried to do "rollback 0" before you run a configlet?

Strange error on commit


When committing configuration changes I see strange errors (although the commit ends with "commit complete"). What does this error mean:

node0:
configuration check succeeds
ssamlib error. Error code SSAMLIB_ASYNC_ERROR
ssamlib: ERROR ssam_add error code 0x2, type 0x8000002f
ssamlib error. Error code SSAMLIB_ASYNC_ERROR
ssamlib: ERROR ssam_add error code 0x2, type 0x80000028
ssamlib error. Error code SSAMLIB_ASYNC_ERROR
ssamlib: ERROR ssam_add error code 0x2, type 0x80000007

 

P.S.

 

Model: srx5600
Junos: 18.1R2.5

Re: Strange error on commit


Hi,

You are not using the recommended Junos software. It might be a better solution to get help from JTAC.

Re: Uncommitted after firmware update


No, but can this be scripted? I really don't want to have to do that every time after a firmware update.

Loopbacks, the more the better???

I have a loopback only in lo0.0. I want loopbacks on the interfaces but my ge-0/0/x.0 interfaces are configured on L3. That is, I can't enable loopback at the ge-0/0/x level. How can I get a loopback at the unit 0 level? Are there alternatives to that as well? Heeeelp!!!!

My loopbacks are as follows...

lo0.0 with inet address 127.0.0.2
lo0.0 with inet6 addressing....

I want loopbacks at the ge-0/0/1.0 through ge-0/0/15.0 level .

Re: source nat pool and proxy-arp not working

172 is likely old school in terms of design. When I think of 172 I remember my old HUB. They often had coaxial ports. I forget the name of the ports offhand. Coax is analog. Pass through is what I keep thinking. Good for an intranet. Windows Enterprise intranet at best(scarcely). Good for RPC. Good for the routing and remote modules. For that it should be all digital or better(I.C.). Take a mac with many letters. Not good. Mac with numbers is better. Find that same modem with a Mac that starts with numbers and only has two to three letters in it. Avoid C-E . Since it is I.C. most likely, you'll want to find that special Mac. Remember with analog in mind the trick back then was to jump gaps. Good luck. Windows will still do it. Others may not. Try using Windows server DHCP and the full routing and remote access on a network with 172 . You'll get the hint.

https://en.m.wikipedia.org/wiki/10BASE2

Re: Loopbacks, the more the better???


I don't follow the question. 

 

Loopbacks are a virtual interface inside the SRX.

ge-0/0/x are the physical interfaces on the SRX

 

There is no such thing as a loopback at the physical interface level.

 

Are you trying to have ip addresses on a trunk port maybe with multiple vlans then each with a gateway ip address on sub interfaces of the same physical port?

 

Re: Strange error on commit


ssam appears to be the process that handles the configuration changes.  And these errors don't seem to be caught with a helpful message.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24598

 

You can check the main log file right after they occur to see if something more helpful is present in the area around where this occurs.

show log messages

 

Since the commit does complete, whatever the error is, it is not fatal. I suspect something in the configuration is off. And the surrounding log messages may point to where to look if you are not up for the full JTAC ticket process.

 

Re: how to get blocked traffic information from LAN Traffic.


You have two options:

 

- Create a final deny policy for your test workstation address and add log on session initiation to the policy. This will then log all the denied traffic from that workstation for your review.

 

- Create an allow-all policy for your test workstation and put this at the bottom of your policy list and enable log on session close for this policy. It will then log all the requests from the workstation normally and you can see what it needs while verifying the service does work.

 

Once you know the ports and addresses called you can create the narrow policy needed for the application.
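
A configuration sketch of the first option in the reply above, as an added example that is not part of the original post. The zone names `trust` and `untrust`, the address 192.0.2.50, the entry name `test-ws`, the policy name `test-ws-deny-log` and the log file name `traffic-deny` are all assumptions to adapt, and it assumes the device uses the global address book.

```junos
# Added example, not from the original post. Zone names, the workstation
# address, the policy name and the log file name are assumptions.

# Address-book entry for the single test workstation
set security address-book global address test-ws 192.0.2.50/32

# Final deny policy for that workstation. A new policy is appended after
# the existing ones for this zone pair, so the permit rules for POP, SMTP,
# 80 and 443 are still evaluated first.
set security policies from-zone trust to-zone untrust policy test-ws-deny-log match source-address test-ws
set security policies from-zone trust to-zone untrust policy test-ws-deny-log match destination-address any
set security policies from-zone trust to-zone untrust policy test-ws-deny-log match application any
set security policies from-zone trust to-zone untrust policy test-ws-deny-log then deny

# Denied sessions never close, so they are logged at session initiation
set security policies from-zone trust to-zone untrust policy test-ws-deny-log then log session-init

# Event mode hands security logs to the local syslog process
set security log mode event

# Keep only the deny events in a dedicated local file
set system syslog file traffic-deny any any
set system syslog file traffic-deny match RT_FLOW_SESSION_DENY

# Second option from the reply: use "then permit" with
# "then log session-close" in the policy above, and match
# RT_FLOW_SESSION_CLOSE in the syslog file instead.
```

After the commit, reproduce the failing connection from the test workstation and read the entries with `show log traffic-deny`; each one carries the destination address, port and protocol needed for the narrow policy.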

 

Re: Loopbacks, the more the better???


I cannot use this functionality. But I want to do this at a different level.

 

interfaces -> ge-0/0/x -> gigether-options -> loopback

 

Simply adding an address somewhere is possible. I cannot. At the interface level.

Should i filter a netmask, what?
