Channel: All SRX Services Gateway posts

Creating new vlan, link down

I have created vlan 2. I added the following.

1. Interface unit 2, with address (no unit 1) (only has unit 0)
2. Vlans l3 interface vlan id 2
3. Added to vlan trust.
4. Added interface ge-0/0/10 to vlan2
5. Added vlan2 to system services DHCP with pool and router clauses, with propagate.

I can't figure out why the link status is down in jweb "monitor -> interfaces". Can't ping.

Admin status is "up".

What did I forget?

I have a flexible-vlan-tagging clause on interface ge-0/0/10. It has unit 1 and unit 2 allocated. Unit 1 tags vlan-id 1 to a proposed wireless AP. Unit 2 tags vlan-id 2 to that same proposed AP, and unit 0 does the same, = vlan-id 0. This communicates fine on other interfaces with those APs.

Conflict at ge-0/0/10.2 ????

Help....

The goal is to get vlan2 working on the APs.

SRX110 VDSL PIC


Hi, I have an SRX110h2-va running 12.3x48-D75; however, the firmware for the VDSL PIC is older than I would expect of this version and won't support G.993.5 vectoring. Where can I obtain the correct firmware?

Many Thanks.

root> show system firmware
Part             Type           Tag Current   Available Status
                                    version   version
FPC 1
  PIC 0          VDSLBCM        10  2.10.0              OK
Routing Engine 0 RE BIOS        0   2.5       2.8       OK
Routing Engine 0 RE BIOS Backup 1   2.5       2.8       OK
Routing Engine 0 RE FPGA        14  1.0.0               OK

root> show version
Model: srx110h2-va
JUNOS Software Release [12.3X48-D75.4]

Re: SRX110 VDSL PIC


Hi,

You will need to log a Case/Ticket with JTAC in order to get the firmware for your desired JUNOS version/release. In case you do not hold any Support Contract with Juniper for your Juniper product, you can still reach out to the Juniper Customer Care Support Team and request a one-time courtesy support case to download SRX Firmware.

Split brain happen on SRX1500 due to Fabric monitor down?


Hi all,

This is the third time I'm facing a split brain issue on an SRX1500 cluster due to Fabric monitoring being down. In the previous case JTAC said we hit a PR, but now it has happened again. The fabric and control links are connected directly, without going through any interconnect device. I'm really disappointed because this is already the third time it has happened, even though the previous case was already escalated to Engineering level. But it still happened last night. So my question is: what are the possibilities that can make "Fabric Monitoring" go down, as in the output below:

test@srx1500-node0> show chassis cluster interfaces
Control link status: Up

Control interfaces:
Index Interface Monitored-Status Internal-SA Security
0 em0 Up Disabled Disabled

Fabric link status: Down

Fabric interfaces:
Name Child-interface Status Security
(Physical/Monitored)
fab0 ge-0/0/15 Up / Down Disabled
fab0
fab1 ge-7/0/15 Up / Up Disabled
fab1

Re: SRX110 VDSL PIC


Thanks for your help, how can I contact the Customer Care Support Team?

Re: SRX110 VDSL PIC


From the support portal, choose the service request dashboard and new service request.

https://my.juniper.net/#dashboard/servicerequests

Select the admin service request option.

Then open the ticket with the download request along with all your platform information, serial numbers and purchase dates.

Re: SRX110 VDSL PIC

+1-888-314-5822 - U.S Domestic Toll Free
+1-408-745-9500 - Domestic & International

Re: Client Certificate Dynamic VPN with Pulse Secure Client and SRX320 15.1.X49-D150?


To my knowledge you will not get client certificate authentication working with dynamic vpn. You will need the remote access VPN + NCP client to get a supported solution.

Regarding dynamic vpn and Pulse... the only supported client version is Pulse Secure Client 5.1.5, which is close to legacy - only customers who have purchased Pulse Secure otherwise have access to an updated client.


Re: SRX320 filter base forwarding with Nat on routing instance issue


Hi,

Your configuration looks good and the static nat should work. Are you sure that the traffic is hitting srx?

Please enable flow traceoption and initiate traffic to see where the packet is getting dropped

1. Enable flow trace:

set security flow traceoptions file FLOW.log size 10m

set security flow traceoptions flag packet-drops

set security flow traceoptions flag basic-datapath

set security flow traceoptions packet-filter p1 source-prefix <ip address of the outside PC from where traffic is initiated>

set security flow traceoptions packet-filter p2 destination-prefix <ip address of the outside PC from where traffic is initiated>

commit

2. Initiate traffic from outside (ISP2)

3. Remove flow trace options

delete security flow traceoptions

4. Analyze the FLOW.log or share with us

show log FLOW.log | match "p[12]|permit|drop|policy"

 

Re: SRX320 filter base forwarding with Nat on routing instance issue


Hi,

It works after adding the routing instance to the static nat and also adding the routing instance to the interface connected to ISP2.

set security flow route-change-timeout


Can someone explain exactly what the command "set security flow route-change-timeout" does, and when it is used?


We have an issue that I believe this command may help us fix, but I'm not 100% sure.

During a routing failover of BGP with our ISP, traffic will fail over to a secondary interface.

When the primary interface BGP neighbor comes back over, routing on both our side and the ISP's side will shift back over to the primary circuit.

The problem is a bunch of destination-prefix flows of applications that use UDP stay "stuck" on the secondary circuit. How long do they stay stuck? Pretty much forever until we manually do "clear security flow session destination-prefix" on them.

This, unfortunately, causes an outage with those UDP applications.

What should we do? Will the "set security flow route-change-timeout" help us out? Or should we just put a 5 minute timeout on security flow sessions in general? Is there any way to specify the general timeout to UDP flows only?

Thanks!

Re: set security flow route-change-timeout


I think you need:

set applications application udpApp1 source-port ftp inactivity-timeout 60

HTH.

Re: Split brain happen on SRX1500 due to Fabric monitor down?


Have you tried adding another fabric interface?
Have you tried moving to another port interface?

Public IP mapping on SRX300


Hi,

I am migrating from SSG5 (ScreenOS) to SRX300 (JUNOS). On the SSG5 box, I have multiple (~20) public IPs mapped to the outside interface. These IPs are mapped to internal IPs (servers) within our LAN i.e. these servers are identifying themselves on the internet using those public IPs. All other PCs/devices on the LAN are using a single public IP assigned as a main one to the outside interface.

Can somebody please guide me how to achieve that on the SRX300? I have searched here and found some recommendations to use Source/Destination/Static NAT but I don't know which one of them would suit best for my scenario and/or if these can be combined together.

I have no previous experience with JUNOS (but I can understand individual CLI commands) so I would prefer J-Web guidance, if possible.

Thanks a million.

Miro

Simple pppoe + vlan setup issue


Hi,

I'm trying to set up a simple pppoe + vlan install and it's not working. The pppoe appears to go up/down and it's not getting any IP.... I have searched the forum and pretty much tried all proposed solutions but it's not working. I'm guessing at this point it's something very obvious and I'm not seeing it.

Any help appreciated.

Thanks

root@srx210> show pppoe interfaces
pp0.0 Index 71
State: Session up, Session ID: 5661,
Service name: None,
Session AC name: STESPQ3502W, Configured AC name: None,
Remote MAC address: <removed from posting> ,
Session uptime: 00:00:20 ago,
Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
Underlying interface: ge-0/0/0.0 Index 70
Ignore End-of-List tag: Disable

 

Then a minute later:

root@srx210> show pppoe interfaces
pp0.0 Index 71
State: Down, Session ID: None,
Service name: None,
Session AC name: None, Configured AC name: None,
Remote MAC address: 00:00:00:00:00:00,
Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
Underlying interface: ge-0/0/0.0 Index 70
Ignore End-of-List tag: Disable

 

 

Snippet of config (see attached for the full one):

interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 35;
        }
    }
    pp0 {
        unit 0 {
            apply-macro pppoe;
            ppp-options {
                pap {
                    local-name <hidden>;
                    local-password "password"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                auto-reconnect 10;
                client;
                idle-timeout 0;
            }
            family inet {
                negotiate-address;
            }
        }
    }
}

 


Re: Simple pppoe + vlan setup issue


Hi,

Configuration looks good. May I know the server? We may need to capture the packet to understand the reason.

interfaces {
    ge-0/0/9 {
        vlan-tagging;
        unit 100 {
            encapsulation ppp-over-ether;
            vlan-id 100;
        }
    }
    pp0 {
        unit 100 {
            ppp-options {
                pap {
                    local-name "test@test.com";
                    local-password "X";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/9.100;
                auto-reconnect 10;
                client;
            }
            family inet {
                primary;
                negotiate-address;
            }
        }
    }
}

 

Regards,

Rahul

Re: Simple pppoe + vlan setup issue


Kindly do the monitor traffic on the server-facing interface and share the same.

Need to understand if it's an LCP phase failure or NCP phase failure or Keepalive Failure or Client Initiated Termination Request or Server Initiated Termination Request.

Regards,
Rahul

Re: Public IP mapping on SRX300

Re: Simple pppoe + vlan setup issue


Hi Mayar,

Thanks for the fast response! I don't have access to the other end, it's the ISP. Anything else that can be done to troubleshoot this?

Thanks
