Channel: All SRX Services Gateway posts

Re: SRX IPSec VPN dual ISP including a default route for inet.0


Hi test20001,

 

Looks like instance-import works:

set policy-options policy-statement from_VR_to_inet term term1 from instance VR
set policy-options policy-statement from_VR_to_inet term term1 then accept
set routing-options instance-import from_VR_to_inet

 

Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB16453

 

Hope this helps.

 

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

 


Re: SRX IPSec VPN dual ISP including a default route for inet.0


I prefer to use the logical tunnel pair of interfaces in this scenario. It creates a virtual interface pair where one side is in your inet.0 routing instance and the other in your ISP routing instance.

 

You can then assign these to the desired zones and make a BGP peer across this virtual internal link.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21260

 

Re: SRX210 getting DHCP from ISP Virgin Media Hub 3.0 but NO Internet


Since you get the default route, I assume you are also getting the DHCP IP address on the reth interface too. That seems to validate the basic connection.

 

How are you physically connecting the cluster to the modem?

 

And what exactly do you mean by "LACP on the SRX cluster"?

Note that reth interfaces are redundant Ethernet and NOT an aggregated Ethernet bundle. These are an active/passive Ethernet pair and not an LACP AE configuration.

 

Restrict access with junos-host zone


I am trying to restrict management access with the junos-host zone but it doesn't appear to be working. All traffic still seems to be allowed, even though I have tied it down to one IP and only SSH. Any help appreciated; config below:

 

vsrx> show configuration security zones security-zone mgmt | display set
set security zones security-zone mgmt address-book address mgt-server 192.168.10.133/32
set security zones security-zone mgmt address-book address-set manager-ip address mgt-server
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt host-inbound-traffic protocols all
set security zones security-zone mgmt interfaces lo0.0

 

vsrx> show configuration security policies | display set
set security policies from-zone mgmt to-zone junos-host policy management-access match source-address manager-ip
set security policies from-zone mgmt to-zone junos-host policy management-access match destination-address any
set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-ssh
set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-http
set security policies from-zone mgmt to-zone junos-host policy management-access then permit
set security policies from-zone mgmt to-zone junos-host policy denyall match source-address any
set security policies from-zone mgmt to-zone junos-host policy denyall match destination-address any
set security policies from-zone mgmt to-zone junos-host policy denyall match application any
set security policies from-zone mgmt to-zone junos-host policy denyall then deny

 

There are no other security policies on the device other than the ones above (so it's not hitting another policy). When I SSH from another IP in the 192.168.10.x range, it is permitted.

 

Thanks

Re: Restrict access with junos-host zone

Remove lo0.0 interface from mgmt zone.

Re: Restrict access with junos-host zone

Is incoming traffic interface also part of mgmt zone? Or different zone? I hope you are trying to access lo0 ip from your pc.

Re: SRX IPSec VPN dual ISP including a default route for inet.0


Thanks guys, these seem like two good options. I will give them a go and let you know how I get on.


Re: Restrict access with junos-host zone


Incoming traffic is coming in via fxp0 so it's not part of a zone as such.

Re: Restrict access with junos-host zone

You have to use option 1 mentioned in the above KB to restrict the access, since the traffic is coming in via the fxp0 interface. junos-host is used when you want to restrict the traffic coming in or going out via revenue interfaces which are part of a security zone. fxp0 is the out-of-band management interface and it is not a part of any security zone.

Re: Restrict access with junos-host zone

Thanks, that is how I set it up before, but the problem is that firewall filters are not stateful, so you can't ping (monitor) the firewall after applying the firewall filter (return pings are dropped). I tried to also allow ICMP in a separate filter and apply it outbound, but it didn't seem to work. This is why I started looking into doing it a different way (a firewall policy, which is stateful).

Any idea how to get around that?

Re: SRX210 getting DHCP from ISP Virgin Media Hub 3.0 but NO Internet


Thanks for your reply Steve.

 

The cluster of SRX210s is connected to a TP-LINK switch, reth0 to one LACP group and reth1 forming a second LACP group on that switch. That TP-LINK switch has several VLANs, one of them 100, which is the external Virgin Media one. On reth0 the LACP group is tagged with that VLAN 100 and it is the native VLAN.

 

The VM Hub 3 is connected to that same switch on a single port, configured as follows:

  • VLAN 100 is native
  • VLAN 100 tagged on traffic coming to the switch, therefore is the reth0 interface
  • VLAN 100 is untagged (or its tag stripped) on traffic going out of the switch towards the Hub 3.0

This same setup method of VLAN tagging and untagging was working fine with a single unit. I'd bet this is the VM Hub 3 disliking a Juniper device behind it. Although, as I mentioned before, I think I received a [default] route when I had a single unit. It's very frustrating to see everything fine in PCAPs and even so not being able to ping the Internet.

 

Thanks,

 

Alberto.

 

Re: Restrict access with junos-host zone


You are right. Firewall filters are stateless. But it will work as expected if you configure it properly. Please try the config below and let me know:

set firewall filter lo-filter term 10 from source-address 192.168.10.133/32
set firewall filter lo-filter term 10 from port ssh
set firewall filter lo-filter term 10 from port http
set firewall filter lo-filter term 10 from port https
set firewall filter lo-filter term 20 from source-address 192.168.10.133/32
set firewall filter lo-filter term 20 from protocol icmp
set firewall filter lo-filter term 20 then accept

 

Try to ping from the 192.168.10.133 IP after applying the filter in the inbound direction.

 

Re: Restrict access with junos-host zone


Forgot to mention. Apply the filter to the lo0 interface in the inbound direction:

set interfaces lo0 unit 0 family inet filter input lo-filter

Re: Restrict access with junos-host zone


Thanks, that's almost exactly how I had it but it doesn't work like that. I have just tried your exact config and it doesn't work either. You can SSH etc. but can't ping; I think it's dropping the response ICMP packet.

 

Thanks


Re: Restrict access with junos-host zone


Interesting! Please modify the existing filter to add count and log options for ICMP, and share the output of the commands mentioned below:

 

set firewall filter lo-filter term 20 then count ALLOW_ICMP
set firewall filter lo-filter term 20 then log
set firewall filter lo-filter term 30 from protocol icmp
set firewall filter lo-filter term 30 then discard
set firewall filter lo-filter term 30 then count DENY_ICMP
set firewall filter lo-filter term 30 then log

 

show system statistics icmp
show firewall
show firewall log
show interface filters | no-more
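As an added illustration of the stateless lo0 filter discussed in the posts above (the term 10/20 filter, its `input` application on lo0, and the count/log terms just suggested), here is a small first-match evaluator written for this thread; it is not Junos code and not from any poster. It parses the `set firewall filter` lines, replays constructed packets through the terms in configuration order, applies the Junos rules that a term without a `then` action accepts and that a packet matching no term hits the implicit discard, and increments the named counters so you can see which term a test packet would hit before committing the filter on a live box. It models only `source-address`, `port` (matching either source or destination port), `protocol`, `accept`/`discard`/`reject`, `count` and `log`; the sample packets and the 192.168.10.50 "other host" address are constructed for the example.

```python
"""Toy first-match evaluator for a Junos-style stateless firewall filter (constructed example)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Service names used by the thread's filter, mapped to port numbers.
PORTS = {"ssh": 22, "http": 80, "https": 443}

# The filter from the thread (terms 10 and 20) plus the count/log additions and term 30.
CONFIG = """
set firewall filter lo-filter term 10 from source-address 192.168.10.133/32
set firewall filter lo-filter term 10 from port ssh
set firewall filter lo-filter term 10 from port http
set firewall filter lo-filter term 10 from port https
set firewall filter lo-filter term 20 from source-address 192.168.10.133/32
set firewall filter lo-filter term 20 from protocol icmp
set firewall filter lo-filter term 20 then accept
set firewall filter lo-filter term 20 then count ALLOW_ICMP
set firewall filter lo-filter term 20 then log
set firewall filter lo-filter term 30 from protocol icmp
set firewall filter lo-filter term 30 then discard
set firewall filter lo-filter term 30 then count DENY_ICMP
set firewall filter lo-filter term 30 then log
set interfaces lo0 unit 0 family inet filter input lo-filter
""".strip().splitlines()


@dataclass
class Term:
    name: str
    src: list = field(default_factory=list)      # 'from source-address' prefixes
    ports: set = field(default_factory=set)      # 'from port': matches source OR destination port
    protocols: set = field(default_factory=set)  # 'from protocol'
    action: str = "accept"                       # a term with no 'then' action accepts by default
    counters: list = field(default_factory=list)
    log: bool = False


SET_RE = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (.+)$")


def parse_filter(lines, filter_name):
    """Build the terms of one filter from 'set' lines, keeping configuration order."""
    terms = {}
    for line in lines:
        m = SET_RE.match(line.strip())
        if not m or m.group(1) != filter_name:
            continue
        term = terms.setdefault(m.group(2), Term(m.group(2)))
        clause, words = m.group(3), m.group(4).split()
        if clause == "from":
            key, val = words[0], words[1]
            if key == "source-address":
                term.src.append(ip_network(val))
            elif key == "port":
                term.ports.add(PORTS[val] if val in PORTS else int(val))
            elif key == "protocol":
                term.protocols.add(val)
        else:  # 'then' clause
            if words[0] in ("accept", "discard", "reject"):
                term.action = words[0]
            elif words[0] == "count":
                term.counters.append(words[1])
            elif words[0] == "log":
                term.log = True
    return list(terms.values())


def evaluate(terms, pkt, counters=None):
    """Return (action, term name) for the first matching term; no match hits the implicit discard."""
    for term in terms:
        if term.src and not any(ip_address(pkt["src"]) in net for net in term.src):
            continue
        if term.ports and not ({pkt.get("sport"), pkt.get("dport")} & term.ports):
            continue
        if term.protocols and pkt["proto"] not in term.protocols:
            continue
        if counters is not None:
            for name in term.counters:
                counters[name] = counters.get(name, 0) + 1
        return term.action, term.name
    return "discard", "implicit-discard"


# Constructed packets arriving inbound on lo0: the permitted manager and another LAN host.
PACKETS = {
    "ssh_from_manager":  {"src": "192.168.10.133", "proto": "tcp", "sport": 51000, "dport": 22},
    "ssh_from_other":    {"src": "192.168.10.50",  "proto": "tcp", "sport": 51001, "dport": 22},
    "ping_from_manager": {"src": "192.168.10.133", "proto": "icmp"},
    "ping_from_other":   {"src": "192.168.10.50",  "proto": "icmp"},
}


def run_checks():
    """Replay every constructed packet and return the verdicts plus the counter values."""
    counters = {}
    terms = parse_filter(CONFIG, "lo-filter")
    verdicts = {name: evaluate(terms, pkt, counters) for name, pkt in PACKETS.items()}
    return verdicts, counters


if __name__ == "__main__":
    verdicts, counters = run_checks()
    for name, (action, term) in verdicts.items():
        print(f"{name:18} -> {action:8} (term {term})")
    print("counters:", counters)
```

Running it shows SSH and ping from 192.168.10.133 landing on terms 10 and 20, SSH from any other host falling through every term to the implicit discard, and ICMP from any other host being counted under DENY_ICMP by term 30, which is exactly what the `show firewall` counters on the box should confirm. Keep in mind that this only models what an `input` filter on lo0 sees, namely packets addressed to the SRX itself; a stateless filter has no session table, so any return traffic you need has to be matched by its own explicit term.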

 

SRX cluster routing engine has GR Error gres-not-ready


Hi all,

 

I have a cluster problem, and no clue about it.

After some years of running I had to stop one firewall node (SRX550); this was node1. After the reboot its interfaces were down (both in fpc0 and in fpc3), so I took it offline until the HW could be replaced.

Later I tried to start the fw node without any cable and the interfaces started normally, so I tried to put it back into the cluster.

When it started it immediately became the active node on RG0 but the reth interfaces remained in down status (with all the ge interfaces up), so I turned it off again. No preemption is configured, so the interfaces remained active in the other node, node1.

After that I discovered that node1 RG0 shows an error (GR); probably this is the reason why node0 took mastership when I plugged it back in.

Now node0 is turned off, I have this GR (GRES monitoring) error and the firewall is working.

I would like to take node0 back in charge, but first I want to clear this GR error.

When I check show chassis cluster information detail I can see gres-not-ready...

 

{primary:node1}
user@firewall-node1> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 0
node0  0        lost           n/a     n/a      n/a
node1  255      primary        no      yes      GR

Redundancy group: 1 , Failover count: 0
node0  0        lost           n/a     n/a      n/a
node1  0        primary        no      no       CS

{primary:node1}
user@firewall-node1> show chassis cluster information detail
node1:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active
Cluster configuration:
    Heartbeat interval: 1000 ms
    Heartbeat threshold: 3
    Control link recovery: Disabled
    Fabric link down timeout: 66 sec
Node health information:
    Local node health: Not healthy
    Remote node health: Healthy

Redundancy group: 0, Threshold: 255, Monitoring failures: gres-not-ready

 

Please help me with clearing this GR error.

 

Thanks,

Balázs

Re: VSRX Dynamic VPN - IKE Proposal Selection Errors


No.

user@hostname is not a U-FQDN.

admin@router is not admin@router.company.com.

And besides that, with 2 tunnels to the same address, a "no proposal chosen" often comes from different authentication identities.

 

regards

 

alexander

Re: SRX VLAN Logical Interfaces


 

I did reboot and the interfaces are still down.

 

Interface  Admin  Link  Proto  Local           Remote
irb        up     up
irb.9      up     down  inet   10.207.10.3/23
irb.10     up     down  inet   10.207.8.3/24
irb.13     up     down  inet   10.207.50.3/23
irb.14     up     down  inet   10.207.48.3/23
irb.20     up     down  inet   10.207.22.3/24
irb.21     up     down  inet   10.207.24.3/21

I am using JUNOS 15.1X49-D35.
