Hello Nellikka
The network for the DMZ is on a public class (134.59.x.222/27).
For now I do not use NAT because all networks are public.
Hi Nik_MH
See article: https://kb.juniper.net/InfoCenter/index?page=content&id=KB26775
I believe the issue is you have two interfaces in the same routing instance but in different security zones.
From your config:
1. you create reth0.100 and reth0.105 which are by default in the 'global' routing instance;
- both interfaces in the same routing instance: OK
2. next you place both reth0.100 and reth0.105 into the 'Untrust' security zone;
- both interfaces in the same security zone: OK
3. you then move reth0.100 to the 'Untrust' routing instance (which you obviously created);
- both interfaces in different routing instances but same security zone: NOT OK
JUNOS does not allow an interface to be in more than one security zone, and it does not allow one security zone to be associated (by its member interfaces) with more than one routing instance.
I believe this is your problem.
You must follow the one-to-many rule of association between interfaces, zones and v-routers:
> 1-to-Many: one routing instance to one or more security zones (1:*)
> 1-to-Many: one security zone to one or more [sub-]interfaces (1:*)
By derivation, we then have:
> 1-to-Many: one routing instance to one or more [sub-]interfaces (1:*)
Another way of stating it is:
- an interface may be a member of one and only one security zone, and a security zone may be a member of one and only one routing instance, therefore an interface may be a member of one and only one routing instance.
Please let us know if that solves your problem
As a side note, I would recommend having a naming convention that differentiates between routing instances and security zones, which will help reduce confusion when viewing the config.
Hope that helps.
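A small lint script for the rule described above, added here as an example (not from the thread or from Juniper): fed with set-style statements (the form `show configuration | display set` prints), it flags an interface placed in two zones and a zone whose members end up in different routing instances. The sample statements are constructed to reproduce the reth0.100 / reth0.105 case; the default instance is called 'global' as in the answer.

```python
"""Lint Junos set statements for the interface / zone / routing-instance rule.

Constraints checked (from the answer above):
  * an interface may be a member of one and only one security zone;
  * all member interfaces of a zone must sit in the same routing instance
    (an interface not placed in any instance belongs to the default one).
"""
import re
from collections import defaultdict

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
DEFAULT_RI = "global"  # name used for the default routing instance


def lint(config_lines):
    """Return a list of violations (empty list means the config is consistent)."""
    zone_of = defaultdict(set)   # interface -> zones it was placed in
    ri_of = {}                   # interface -> explicitly configured routing instance
    members = defaultdict(list)  # zone -> member interfaces

    for raw in config_lines:
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            zone, ifl = m.groups()
            zone_of[ifl].add(zone)
            members[zone].append(ifl)
            continue
        m = RI_RE.match(line)
        if m:
            ri, ifl = m.groups()
            ri_of[ifl] = ri

    problems = []
    for ifl, zones in sorted(zone_of.items()):
        if len(zones) > 1:
            problems.append(f"interface {ifl} is in more than one zone: {', '.join(sorted(zones))}")
    for zone, ifls in sorted(members.items()):
        by_ri = defaultdict(list)  # routing instance -> members of this zone in it
        for ifl in ifls:
            by_ri[ri_of.get(ifl, DEFAULT_RI)].append(ifl)
        if len(by_ri) > 1:
            detail = "; ".join(f"{ri}: {', '.join(sorted(v))}" for ri, v in sorted(by_ri.items()))
            problems.append(f"zone {zone} spans routing instances ({detail})")
    return problems


# Constructed sample: both sub-interfaces in zone Untrust, but only reth0.100
# moved into routing instance Untrust, exactly the NOT OK case from the answer.
SAMPLE = """
set security zones security-zone Untrust interfaces reth0.100
set security zones security-zone Untrust interfaces reth0.105
set routing-instances Untrust instance-type virtual-router
set routing-instances Untrust interface reth0.100
""".strip().splitlines()

if __name__ == "__main__":
    for p in lint(SAMPLE):
        print("NOT OK:", p)
```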
Try to ping the vSRX gateway IP using the trust interface IP and then the DMZ interface IP as source. If you are able to ping using the trust interface IP but not the DMZ IP, the gateway may not have a reverse route for the DMZ network (134.59.x.222/27).
Are you able to ping DMZ interface ip from DMZ PC and vice versa?
If possible, please share configuration
Hi,
I hope you are not using any custom VR etc and vSwitch etc connectivity is fine.
When you put ge-0/0/2 in the trust zone, do you use the same IP from 134.59.x.222/27 or one from the ge-0/0/1 subnet? If you use the IP from the 134.59.x.222/27 subnet and it works, then please check your security policy from DMZ to untrust.
If you use an IP from the ge-0/0/1 subnet and it works, then please check the security policy and NAT from DMZ to untrust. Even though it's a public IP, you can try using source NAT (for test only) to ensure it's not an issue with the return route on the upstream device.
> show security nat source rule all
> show security policies from-zone DNZ to-zone untrust
Thanks,
Vikas
Is it possible to upgrade BIOS in SRX300, I tried to execute:
root@rudn> request system firmware upgrade re bios
^
syntax error, expecting <command>.
root@rudn> request system firmware upgrade ?
Possible completions:
fpc Upgrade FPC ROM monitor
pic Upgrade PIC firmware
vcpu Upgrade VCPU ROM monitor
As for SRX550 i see:
junoadmin@srx550> request system firmware upgrade ?
Possible completions:
fpc Upgrade FPC ROM monitor
pic Upgrade PIC firmware
re Upgrade baseboard BIOS/FPGA
vcpu Upgrade VCPU ROM monitor
Also I suppose that there is no Backup BIOS in SRX300:
show system firmware compatibility
Part Type Tag Current version Available version Status
Routing Engine 0 RE BIOS 0 3.1 2.9 OK
Routing Engine 0 RE BIOS Backup 1 0.0 2.9 OK
May be the reason is that Current BIOS 3.1 > Available BIOS 2.9
I didn't upgrade anything in srx300, the device was unpacked some days ago.
The configuration (below) is very simple, I don't use any NAT
> show security policies from-zone DMZ1 to-zone untrust
From zone: DMZ1, To zone: untrust
Policy: DMZ1-to-untrust, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Dynamic Applications: any
Action: permit
I have a PC (134.59.21.221) directly connected to the ge-0/0/2 interface.
With the ge-0/0/2 interface in the DMZ1 zone:
Ping from PC (134.59.21.222) to ge-0/0/2.0 (134.59.21.222) is successful
tracert command from PC to 8.8.8.8 fails (never reaches the first hop)
With the ge-0/0/2 interface in the trust zone, without changing anything else:
Ping from PC (134.59.21.222) to ge-0/0/2.0 (134.59.21.222) is successful
tracert command from PC to 8.8.8.8 is successful and the first hop is 134.59.21.222
That's why I think there is no route problem and it's a zone problem
Thanks
## Last changed: 2019-02-07 09:04:43 CET
version 18.4R1.8;
system {
services {
ssh;
web-management {
http {
interface [ ge-0/0/0.0 fxp0.0 ge-0/0/1.0 ];
}
https {
system-generated-certificate;
interface [ ge-0/0/0.0 fxp0.0 ge-0/0/1.0 ];
}
}
}
}
security {
alg {
dns disable;
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000;
timeout 20;
}
land;
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone DMZ1 to-zone untrust {
policy DMZ1-to-untrust {
match {
source-address any;
destination-address any;
application any;
dynamic-application any;
}
then {
permit;
}
}
}
from-zone trust to-zone DMZ1 {
policy trust_to_DMZ1 {
match {
source-address any;
destination-address any;
application any;
dynamic-application any;
}
then {
permit;
}
}
}
from-zone DMZ1 to-zone trust {
policy DMZ1_to_trust {
match {
source-address any;
destination-address any;
application any;
dynamic-application any;
}
then {
permit;
}
}
}
from-zone DMZ1 to-zone DMZ1 {
policy default-permit_61 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0;
}
}
security-zone untrust {
inactive: screen untrust-screen;
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone DMZ1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/2.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 172.16.21.1/30;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 172.16.21.6/30;
}
}
}
ge-0/0/2 {
description DMZ1;
unit 0 {
description DMZ1;
family inet {
address 134.59.21.222/27;
}
}
}
fxp0 {
unit 0 {
family inet {
address 192.168.*.*/22;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 {
next-hop 172.16.21.2;
active;
}
route 134.59.x.x/32 {
next-hop 192.168.23.254;
active;
}
route 134.59.21.128/28 {
next-hop 172.16.21.5;
active;
}
route 134.59.21.144/28 {
next-hop 172.16.21.5;
active;
}
route 134.59.21.160/28 {
next-hop 172.16.21.5;
active;
}
}
}
You need to upgrade your Junos to a later version where a newer firmware for the bios is available.
Example from a SRX300 where I upgraded the bios from 3.3 to 3.6:
--- JUNOS 18.4R1.8 built 2018-12-17 03:29:17 UTC
user@fw> show system firmware compatibility
Part Type Tag Current version Available version Status
Routing Engine 0 RE BIOS 0 3.3 3.6 OK
Routing Engine 0 RE BIOS Backup 1 3.1 3.6 OK
user@fw> request system firmware upgrade re bios
Part Type Tag Current version Available version Status
Routing Engine 0 RE BIOS 0 3.3 3.6 OK
Routing Engine 0 RE BIOS Backup 1 3.1 3.6 OK
Perform indicated firmware upgrade ? [yes,no] (no) yes
On successful completion of the upgrade, the new bios will take effect after the box is rebooted.
user@fw> show system firmware compatibility
Part Type Tag Current version Available version Status
Routing Engine 0 RE BIOS 0 3.3 3.6 UPGRADED SUCCESSFULLY
Routing Engine 0 RE BIOS Backup 1 3.1 3.6 OK
user@fw>
I've just upgraded to 15.1X49-D150.2 and BIOS became upgradable as well as Backup BIOS appeared. So it was a software issue.
--- JUNOS 15.1X49-D150.2 built 2018-09-19 17:44:55 UTC
root@rudn% cli
root@rudn> show system firmware
Part Type Tag Current version Available version Status
Routing Engine 0 RE BIOS 0 3.1 3.6 OK
Routing Engine 0 RE BIOS Backup 1 3.1 3.6 OK
root@rudn> request system firmware upgrade ?
Possible completions:
fpc Upgrade FPC ROM monitor
pic Upgrade PIC firmware
re Upgrade baseboard BIOS/FPGA
vcpu Upgrade VCPU ROM monitor
Config looks fine. Can you check the flow traceoptions:
#set security flow traceoptions file flow-trace
# set security flow traceoptions flag basic-datapath
# set security flow traceoptions packet-filter f0 source-prefix <134.59.21.221> destination-prefix <8.8.8.8>
# set security flow traceoptions packet-filter f1 source-prefix <8.8.8.8> destination-prefix <134.59.21.221> <-- filter for the return traffic, IPs will interchange.
# commit
initiate the ping test to 8.8.8.8 and let it fail and
#run show log flow-trace
#deactivate security flow traceoptions
#commit
Thanks,
Vikas
First of all I would like to say that I've just upgraded SRX300 to 15.1X49D150 and everything is fine with J-Web.
And everything was fine with J-Web in initial JunOS 15.1X49D45/SRX-300 unpacked from the box.
After login page I see webpage and menus, but everything is broken.
As for JunOS 15.1X49D150 in SRX550HM, I opened the HTTPD log and saw:
httpd: 2: Error: "Not Found", code 404 for URI "/extjs/resources/ext-theme-classic/ext-theme-classic-all.css", file "/html/extjs/resources/ext-theme-classic/ext-theme-classic-all.css": Can't open document: /html/extjs/resources/ext-theme-classic/ext-theme-classic-all.css.
Browser debugger said that no ext-theme-classic-all.css loaded.
I opened J-Web for SRX300 with JunOS 15.1X49D45 2016 as well as upgraded JunOS 15.1X49D45/SRX-300, there are no errors with CSS, by the way there are two CSS: for classic theme and for j-web theme. SRX300 is the NG SRX and J-web theme is loaded, as well as classic is available for browser too.
Then I found that the PHP scripts (index.php and login.php in the root) contain the /html/extjs/resources/ext-theme-classic/ path to load ext-theme-classic-all.css, but there is no CSS there; both CSS files (for classic and for j-web) are located in the /jail/html/extjs/resources/ext-theme-jweb folder!
here is an index.php:
........
if(check_model('MODEL_NGSRX')) {
print <<<EOF
<script type="text/javascript" src="/javascript/ext-jnpr-slipstream.js?$urlArgs"></script>
<link rel="stylesheet" type="text/css" href="/extjs/resources/ext-theme-jweb/ext-theme-jweb-all.css"/>
<link rel="stylesheet" type="text/css" href="/extjs/resources/css/ext-all.css"/>
<link rel="stylesheet" type="text/css" href="/stylesheet/ext-jnpr-slipstream.css"/>
EOF;
} else {
print <<<EOF
<link rel="stylesheet" type="text/css" href="/extjs/resources/ext-theme-classic/ext-theme-classic-all.css"/>
EOF;
......
550 is not NG SRX, so the browser was redirected to load extjs/resources/ext-theme-classic/ext-theme-classic-all.css,
but there is no ext-theme-classic-all.css in extjs/resources/ext-theme-classic/. ext-theme-classic-all.css is located in /jail/html/extjs/resources/ext-theme-jweb folder!
I tried to put this CSS into the extjs/resources/ext-theme-classic folder, but I got this message:
--- JUNOS 15.1X49-D150.2 built 2018-09-19 17:44:55 UTC
$ su root
Password:
root@juno% cp /jail/html/extjs/resources/ext-theme-jweb/ext-theme-classic-all.css /jail/html/extjs/resources/ext-theme-classic/
cp: /jail/html/extjs/resources/ext-theme-classic/ext-theme-classic-all.css: Read-only file system
As for 15.1X49D45 in SRX300, both CSS are in /jail/html/extjs/resources/ext-theme-jweb/ as well as in D150, but there is no redirect to classic css:
if(check_model('MODEL_NGSRX')) {
print <<<EOF
<link rel="stylesheet" type="text/css" href="/extjs/resources/css/ext-all.css"/>
EOF;
}
print <<<EOF
<link rel="stylesheet" type="text/css" href="/stylesheet/ext-jnpr.css"/>
There are some screens attached.
Dear Jonas, thank you very much! Could you give me advice on the problem in the topic?
Before JunOS 15.1X49D150 I tested JunOS 18.1R1.9 on this device and had another problem with J-Web.
18.1 is not recommended by JTAC for SRX; I mentioned this just for information.
I see that the current JunOS wasn't tested well on old devices. I hope that this bug will be fixed in the next release; I've sent this info to support@juniper.com, but no feedback yet.
So I shall try previous versions, for example D110 is the minimal version with the necessary features (Enhanced traffic log reporting in J-Web).
Another way is:
1. Make a snapshot of D150 to USB,
2. USB: Copy the classic theme CSS to the classic theme folder
3. Recover from the modified USB partition
How do I setup the Network Policy Server in Windows Server 2016 in order to added as my RADIUS server in the juniper devices?
Feb 7 16:33:26 vSRX-SG-01 clear-log[11503]: logfile cleared
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:<134.59.21.221/1003->8.8.8.8/1;1,0x0> matched filter pf1:
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:Packet [60] ipid = 7193, @0x2da22048e
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:---- flow_process_pkt: (thd 4): flow_ctxt type 15, common flag 0x0, mbuf 0x401a9a00, rtbl_idx = 0
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: flow process pak fast ifl 75 in_ifp ge-0/0/2.0
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: ge-0/0/2.0:134.59.21.221->8.8.8.8, icmp, (8/0)
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: find flow: table 0x7a139940, hash 386984(0xfffff), sa 134.59.21.221, da 8.8.8.8, sp 1003, dp 1, proto 1, tok 10, conn-tag 0x00000000
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: flow_first_create_session
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:Save init hash spu id 0 to nsp and nsp2!
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:First path alloc and instl pending session, natp=0x93031700, id=524850
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/2.0>, out <N/A> dst_adr 8.8.8.8, sp 1003, dp 1
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: chose interface ge-0/0/2.0 as incoming nat if.
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 8.8.8.8(1)
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(1)
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 524850 implicit mask(0x0), service request(0x0)
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:-jsf : no plugin ingress interested for session 524850
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 134.59.21.221, x_dst_ip 8.8.8.8, in ifp ge-0/0/2.0, out ifp N/A sp 1003, dp 1, ip_proto 1, tos 0
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:Doing DESTINATION addr route-lookup
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:flow_ipv4_rt_lkup success 8.8.8.8, iifl 0x4b, oifl 0x46
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: routed (x_dst_ip 8.8.8.8) from DMZ1 (ge-0/0/2.0 in 0) to ge-0/0/0.0, Next-hop: 172.16.21.2
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:flow_first_policy_search: policy search from zone DMZ1-> zone untrust (0x0,0x3eb0001,0x1)
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:Policy lkup: vsys 0 zone(10:DMZ1) -> zone(8:untrust) scope:0
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: 134.59.21.221/2048 -> 8.8.8.8/18800 proto 1
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:flow_first_policy_search: dynapp_none_policy: TRUE, is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: packet dropped, denied by policy
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: packet dropped, policy deny.
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:flow_initiate_first_path: first pak no session
Feb 7 16:55:41 16:55:41.032708:CID-0:RT: flow find session returns error.
Feb 7 16:55:41 16:55:41.032708:CID-0:RT:flow_proc_rc: -1.
Interesting but I don't understand "denied by policy default-policy-logical-system-00(2), dropping pkt"
Thanks for your help
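A short summariser for a basic-datapath flow trace like the one above, added here as an example (not from the thread or from Juniper). It pulls the route decision and the policy verdict out of the trace lines; `default-policy-logical-system-00` is the built-in default policy Junos falls through to when no configured policy between the two zones matched the packet, which is what the reply further down addresses by removing the dynamic-application match. The regexes follow the line formats visible in the trace; the `permitted by policy` form is an assumption for the allow case, and the sample lines are copied from the trace above.

```python
"""Summarise an SRX 'security flow traceoptions' basic-datapath trace."""
import re

PATTERNS = {
    "packet": re.compile(r"<(\S+?)/\d+->(\S+?)/\d+;\d+,0x[0-9a-f]+> matched filter (\S+):"),
    "in_if": re.compile(r"flow process pak fast ifl \d+ in_ifp (\S+)"),
    "route": re.compile(r"routed \(x_dst_ip \S+\) from (\S+) \((\S+) in \d+\) to (\S+), Next-hop: (\S+)"),
    "zones": re.compile(r"policy search from zone (\S+)-> zone (\S+)"),
    "deny": re.compile(r"denied by policy (\S+)\(\d+\), dropping pkt"),
    "permit": re.compile(r"permitted by policy (\S+)\(\d+\)"),  # assumed allow-case format
}


def summarise(lines):
    """Return a dict with addresses, interfaces, zones and the policy verdict."""
    s = {"verdict": "unknown", "policy": None, "implicit_default": False}
    for line in lines:
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "packet":
                s["src"], s["dst"], s["filter"] = m.groups()
            elif key == "in_if":
                s["in_if"] = m.group(1)
            elif key == "route":
                s["from_zone"], _, s["out_if"], s["next_hop"] = m.groups()
            elif key == "zones":
                s["from_zone"], s["to_zone"] = m.groups()
            else:  # deny or permit
                s["verdict"], s["policy"] = key, m.group(1)
                # Junos reaches this built-in policy only when no configured
                # policy between from-zone and to-zone matched the packet.
                s["implicit_default"] = s["policy"].startswith("default-policy-logical-system")
    return s


def explain(s):
    """One-line reading of a summary, suitable for a ticket note."""
    if s["verdict"] == "deny" and s["implicit_default"]:
        return (f"{s['src']} -> {s['dst']} from zone {s['from_zone']} to zone {s['to_zone']}: "
                "implicit default deny, no configured policy between these zones matched")
    return f"{s.get('src')} -> {s.get('dst')}: {s['verdict']} by policy {s['policy']}"


# Sample lines copied from the trace in this thread (constructed subset).
SAMPLE = [
    "Feb 7 16:55:41 16:55:41.032708:CID-0:RT:<134.59.21.221/1003->8.8.8.8/1;1,0x0> matched filter pf1:",
    "Feb 7 16:55:41 16:55:41.032708:CID-0:RT: flow process pak fast ifl 75 in_ifp ge-0/0/2.0",
    "Feb 7 16:55:41 16:55:41.032708:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0",
    "Feb 7 16:55:41 16:55:41.032708:CID-0:RT: routed (x_dst_ip 8.8.8.8) from DMZ1 (ge-0/0/2.0 in 0) to ge-0/0/0.0, Next-hop: 172.16.21.2",
    "Feb 7 16:55:41 16:55:41.032708:CID-0:RT:flow_first_policy_search: policy search from zone DMZ1-> zone untrust (0x0,0x3eb0001,0x1)",
    "Feb 7 16:55:41 16:55:41.032708:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt",
]

if __name__ == "__main__":
    print(explain(summarise(SAMPLE)))
```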
Hi,
The average traffic ingressing the SRX is around 260Mbps, so I don't think we are pushing too much traffic. However I suspect bursts of traffic, because the CPU goes high just for 1 or 2 seconds:
Average Thread(2) Utilization: 68%
Last 60 seconds: 0: 68 1: 71 2: 75 3: 61 4: 76 5: 69 6: 84 7: 87 8: 79 9: 78 10: 76 11: 68 12: 62 13: 57 14: 58 15: 66 16: 67 17: 68 18: 66 19: 69 20: 74 21: 66 22: 53 23: 52 24: 66 25: 69 26: 62 27: 66 28: 64 29: 66 30: 65 31: 62 32: 57 33: 47 34: 78 35: 71 36: 76 37: 75 38: 75 39: 71 40: 74 41: 69 42: 64 43: 68 44: 73 45: 66 46: 73 47: 64 48: 68 49: 67 50: 76 51: 73 52: 66 53: 70 54: 71 55: 63 56: 72 57: 69 58: 68 59: 59
Average Thread(3) Utilization: 68%
Last 60 seconds: 0: 69 1: 72 2: 75 3: 61 4: 76 5: 69 6: 85 7: 87 8: 79 9: 78 10: 76 11: 68 12: 62 13: 57 14: 58 15: 67 16: 67 17: 68 18: 66 19: 69 20: 74 21: 65 22: 53 23: 53 24: 66 25: 70 26: 62 27: 67 28: 63 29: 66 30: 65 31: 63 32: 57 33: 47 34: 78 35: 71 36: 76 37: 75 38: 75 39: 71 40: 74 41: 69 42: 64 43: 68 44: 73 45: 66 46: 73 47: 64 48: 68 49: 67 50: 76 51: 73 52: 66 53: 69 54: 71 55: 63 56: 72 57: 69 58: 68 59: 59
I don't see any memory problems and no processes are showing high, however I can see that User and Kernel are high:
show chassis routing-engine
Routing Engine status:
Temperature 49 degrees C / 120 degrees F
CPU temperature 47 degrees C / 116 degrees F
Total memory 2048 MB Max 1065 MB used ( 52 percent)
Control plane memory 976 MB Max 517 MB used ( 53 percent)
Data plane memory 1072 MB Max 557 MB used ( 52 percent)
CPU utilization:
User 21 percent
Background 0 percent
Kernel 43 percent
Interrupt 0 percent
Idle 36 percent
Model RE-SRX240H2
Serial ID ACAL8054
Start time 2019-02-05 20:59:39 MSK
Uptime 1 day, 15 hours, 18 minutes, 39 seconds
Last reboot reason Router rebooted after a normal shutdown.
Load averages: 1 minute 5 minute 15 minute
0.80 1.01 0.93
Please gather the output of the following commands from the shell:
> start shell (entering shell mode)
% ps
% top -H
Also please share the following commands:
> request pfe execute command "show fwdd statistics notification" target fwdd
> request pfe execute command "show threads" target fwdd
> request pfe execute command "show pfe statistics notification" target fwdd
> request pfe execute command "show fwdd statistics result" target fwdd
Can you confirm whether the high CPU is seen during non-production hours? This could help us understand if the issue is related to specific traffic:
show log messages | match RTPERF_CPU_THRESHOLD_EXCEEDED
Was the SRX recently rebooted for testing purposes?
Determining what's causing the high CPU will require a deeper inspection of the SRX. Can you share an RSI and the /var/log/ directory of the SRX?
request support information | save /var/tmp/[Document_Name].txt
Another option for getting the request support information is to set the terminal application, like putty/secure CRT, to log the session to a file and run:
request support information | no-more
file archive compress source /var/log/* destination /var/tmp/[File_Name]
To ensure the files directory was properly archived, check the file size using the command:
file list /var/tmp/[File_Name] detail
Remove "dynamic-application any" from the DMZ to untrust policy:
delete security policies from-zone DMZ1 to-zone untrust policy DMZ1-to-untrust match dynamic-application any
Hi Pablo -
Thanks for posting in our community! I'm going to move this over to the SRX Services Gateway Discussion Forum for better visibility.
Hope this helps!
- Jeremiah, J-Net Community Manager
Hello,
I wanted to set the timeout of ssh to 4 hours.
When I type the command:
set applications application junos-ssh inactivity-timeout 14400
I get the following message:
error: cannot use reserved identifier: junos-ssh
Software version is: Junos: 18.4R1.8
How can I set the timeout that high?
Thank you for your help
Create a custom application and use that application in your policy:
set applications application my-ssh protocol tcp destination-port 22 inactivity-timeout 14400
set security policies from-zone A to-zone B policy Allow-SSH match application my-ssh