Channel: All SRX Services Gateway posts

Re: SRX 550 - NAT

Yasmin!! Thanks to your suggestion I was able to see the error:

Mar 28 21:32:03 21:32:03.122183:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Mar 28 21:32:03 21:32:03.122183:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed
Mar 28 21:32:03 21:32:03.122183:CID-0:RT: packet dropped, VPN firstpath permit check failed.

After doing some research, the VPN seemed to be the culprit. Once I deleted the dynamic VPN, the inbound traffic started working.

I think I have to do a route based VPN instead but that will be tomorrow's hurdle.


Regarding your other question about the static route, I thought I needed it. I have removed it.

Thank you so much for your advice!
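
A small parser for this flow trace format, added here as an example and not part of the original post or of Junos: it isolates the "packet dropped" lines and their reason so the culprit (here the VPN firstpath check) can be counted rather than read line by line. The sample lines are constructed from the ones quoted above, and the field layout `<date> <timestamp>:CID-<n>:RT:<message>` is assumed from them.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample modelled on the flow trace lines quoted in the post above.
SAMPLE_TRACE = """\
Mar 28 21:32:03 21:32:03.122183:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Mar 28 21:32:03 21:32:03.122183:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed
Mar 28 21:32:03 21:32:03.122183:CID-0:RT: packet dropped, VPN firstpath permit check failed.
"""

# Assumed layout: <date> <usec timestamp>:CID-<n>:RT:<message>
TRACE_RE = re.compile(
    r"^(?P<date>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<usec>\d\d:\d\d:\d\d\.\d+):CID-(?P<cid>\d+):RT:\s*(?P<msg>.*)$"
)
# The drop reason follows "packet dropped," and may end with a full stop.
DROP_RE = re.compile(r"packet dropped,\s*(?P<reason>.+?)\.?$")

def parse_trace_line(line: str) -> Optional[dict]:
    """Split one flow trace line into its fields, or None if it does not match."""
    m = TRACE_RE.match(line.rstrip())
    return m.groupdict() if m else None

def find_drops(text: str) -> list[dict]:
    """Return one record per 'packet dropped' line, with the drop reason isolated."""
    drops = []
    for line in text.splitlines():
        rec = parse_trace_line(line)
        if rec is None:
            continue
        d = DROP_RE.search(rec["msg"])
        if d:
            drops.append({"time": rec["usec"], "cid": rec["cid"], "reason": d.group("reason")})
    return drops

def drop_summary(text: str) -> dict[str, int]:
    """Count drops per reason; the top entry is where to look first."""
    return dict(Counter(d["reason"] for d in find_drops(text)))
```

Feed it the output of `show log <flow-trace-file>` to see which drop reason dominates before touching policy or VPN configuration.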


SRX enrol with JATP problem

Hi,
I think this is the first post on this forum about an SRX enrolled with JATP.

I followed the documentation here: https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/concept/jatp-srx-integration-getting-started.html

The op script seems to work perfectly; in fact, in the SRX settings on JATP I see my SRX enabled, but NOT online.

And here is the problem.

Checking "show services advanced-threat-detection- status" shows "disconnect due HTTP error".

Too generic a message, and I don't find solutions anywhere.

Here is the extract of the op script:

root@vSRX-HQ> op url "https://10.20.20.166:443/cyadmin/cgi-bin/srx_enrollment?operation=enroll&api_key=d315e3ceea71sssssccbc28a9aa&config=.slax"
Platform is supported by JATP: VSRX.
[WARNING] More than 1 license found with name: Sky ATP. Invalid licenses might cause enrolling/disenrolling failure. Please remove invalid licenses.
Enrolling with Sky ATP license serial number: 91730sss217.
Version JUNOS Software Release [15.1X49-D140.3] is valid for bootstrapping.
Going to enroll single device for VSRX: 2514Csss7C@91730D0ss17 with hostname vSRX-HQ.
Clear CA profile aamw-ca...
Clear CA profile aamw-cloud-ca...
Clear CA profile aamw-secintel-ca...
Start downloading Application Signature DB update...
Configure CA...
Request aamw-secintel-ca CA...
Load aamw-secintel-ca CA...
Retrieve CA profile aamw-ca...
CA certificate ready: aamw-ca...
CA certificate ready: aamw-secintel-ca...
Clear local certificate aamw-srx-cert with CA server...
Clear key pair: aamw-srx-cert...
Generate key pair: aamw-srx-cert...
Enroll local certificate aamw-srx-cert with CA server #1...
Configure advanced-anti-malware services...
Configuration added successfully for advanced-anti-malware services.
Checking configuration on SRX...
SSL profile:                          [OK]
SecIntel CA:                          [OK]
Client cert found:                    [OK]
SSL profile action:                   [OK]
URL for advanced-anti-malware:        [OK]
Profile for advanced-anti-malware:    [OK]
URL for security-intelligence:        [OK]
Profile for security-intelligence:    [OK]
All SRX configurations are correct for enrollment.
Communicate with JATP server...
SRX status changed to Registered successfully...
Checking Application Signature DB download status...
Wait for Application Signature DB signature download status #1...
Start installing Application Signature DB update...
Wait for Application Signature DB signature install status #1...
Wait for Application Signature DB signature install status #2...
Wait for Application Signature DB signature install status #3...
Wait for Application Signature DB signature install status #4...
Wait for Application Signature DB signature install status #5...
Wait for aamw connection status #1...
Wait for aamw connection status #2...
Wait for aamw connection status #3...
Wait for aamw connection status #4...
Wait for aamw connection status #5...
Enroll SRX is finished. However aamw connection status is incorrect: Disconnected because of HTTP error (expecting 'Connected'). 
Please check your network connection and other configuration. Running diagnostics process is recommended.
Please run diagnostic process with the following cli command:
request services advanced-anti-malware diagnostics 10.20.20.166/ detail pre-detection
[WARNING] Failed to update Application Identification Signature package.
This package is necessary for latest Sky ATP features. Please update it manually.
For more information, please see: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/services-application-package-manually-updating.html

Interesting here is the last thing about "expecting connected" on the HTTP error.

If I start the test diagnostic:

root@vSRX-HQ> request services advanced-anti-malware diagnostics jatpdfdfdfb.italy.local detail pre-detection
    [INFO]    Try to get IP address for hostname jatpdfdfdfb.italy.local
DNS check                                            : [OK]
    [INFO]    Try to test SKYATP server connectivity
    [INFO]    Successfully connected to jatpdfdfdfb.italy.local443
    [INFO]    Successfully connected to ca.junipersecurity.net:8080
    [INFO]    Successfully connected to va.junipersecurity.net:80
SKYATP reachability check                            : [OK]
    [INFO]    Time difference between SKYATP server and this device: 19 second(s)
Time check                                           : [OK]
    [INFO]    Configuration checking passed: PKI
    [INFO]    Configuration checking passed: SSL
    [INFO]    Configuration checking passed: AAMW Connection
    [INFO]    Configuration checking passed: SecIntel URL
    [INFO]    Configuration checking passed: SecIntel Authentication
Configuration activation check                       : [OK]
    [INFO]    Try ICMP service in SKYATP
SKYATP ICMP service check                            : [OK]
    [INFO]    To-SKYATP connection is using ge-0/0/2.0, according to route
Interface configuration check                        : [OK]
Outgoing interface MTU is default value
    [INFO]    Check IP MTU with length 1472
IP Path MTU is 1472
    [INFO]    VSRX detected. Checking system licenses
VSRX License check                                   : [OK]

Everything seems correct!

But from show services advanced-anti-malware status:

root@vSRX-HQ> show services advanced-anti-malware status
Server connection status:
  Server hostname: 10.20.20.166
  Server port: 443
    Control Plane:
      Connection time: 2019-03-29 10:52:39 CET
      Connection status: Requesting client certificate
    Service Plane:
      fpc0
        Connection active number: 0
        Connection retry statistics: 0

root@vSRX-HQ> show services advanced-anti-malware status
Server connection status:
  Server hostname: 10.20.20.166
  Server port: 443
    Control Plane:
      Connection time: 2019-03-29 10:52:40 CET
      Connection status: Disconnected because of HTTP error
    Service Plane:
      fpc0
        Connection active number: 0
        Connection retry statistics: 0

NOPE.

From the JATP enrol page:

(screenshot: Screenshot_20190329_105617.png)

Any suggestion?

Many regards

High CPU utilization due to "ifmon" process in chassis cluster?

Hi All,

Can someone explain to me exactly what the function of this "ifmon" process is? Is there any impact if I kill this process? Can someone guide me on how to kill this process? Appreciate some feedback.

{primary:node0}
user@srx> show chassis routing-engine node 1
node1:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                 Master
    Election priority             Master (default)
    Temperature                   30 degrees C / 86 degrees F
    CPU temperature               27 degrees C / 80 degrees F
    DRAM                          3313 MB (16384 MB installed)
    Memory utilization            16 percent
    5 sec CPU utilization:
      User                        73 percent
      Background                   0 percent
      Kernel                      27 percent
      Interrupt                    0 percent
      Idle                         0 percent
    Model                         RE-S-1800x4
    Serial ID                     9013115900
    Start time                    2018-08-03 02:24:46 MYT
    Uptime                        238 days, 15 hours, 30 minutes, 49 seconds
    Last reboot reason            Router rebooted after a normal shutdown.
    Load averages:                1 minute   5 minute  15 minute
                                      1.05       1.05       1.00

{primary:node0}
user@srx> show system processes extensive node 1
node1:
--------------------------------------------------------------------------
last pid: 20797;  load averages: 1.11, 1.07, 1.01  up 238+15:30:26  17:54:42
194 processes: 4 running, 173 sleeping, 1 zombie, 16 waiting

Mem: 329M Active, 93M Inact, 145M Wired, 1374M Cache, 69M Buf, 1296M Free
Swap: 3313M Total, 3313M Free

  PID USERNAME   THR PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
72921 SUPERADMIN   1 122    0  6644K  2756K RUN    696.8H  93.26% ifmon
73421 root         1   8    0 62392K 28172K nanslp  33.2H   3.66% chassisd
   20 root         1 -68 -187     0K    12K WAIT    55.4H   0.05% irq11: em0 em1 em2*

Re: High CPU utilization due to "ifmon" process in chassis cluster?

Hi,

ifmon is a process which runs when you issue the CLI command "monitor interface <interface name>".

Example:

In the first terminal window:

> monitor interface ge-0/0/0

In the second terminal window, from the shell:

% ps ax | grep ifmon
22888  0  S+  0:00.00 grep ifmon
22886  1  S+  0:00.01 /usr/sbin/ifmon ge-0/0/0 <<<

In order to kill this process, you might try:

request system process terminate 72921

Regards,

Roman


SRX110 - Compact Flash - Config-File

Hi guys,

Just a quick one / please send confirmation:

For SRX110 boxes, the config for the box is only stored on the CF card.

So if you remove the CF card, the box will not boot up -> correct?

BR, Christoph.

Re: SRX110 - Compact Flash - Config-File

Yes, that is correct. It does not have any HD.

Re: SRX110 - Compact Flash - Config-File

Great!

Thanks for the fast reply.

BR, Christoph

Re: IP Sec site-to-site VPN Poor performance

Hi,

I used the command you gave. Here is the analysis.

From India, traffic is leaving from the Singapore side, and there it is having 25% loss; also, when it enters the USA there is 10% loss. So in total there is 35% loss in the end-to-end connection.

What to do now? Shall I report it to the ISP?

Thanks!

Regards,

Sagar Bairagi


error when I create zone in vlan.

Hello,

We need to create a zone in vSRX, but we get an error when executing this action.


{primary:node0}[edit security zones]
root@fw-mci-cl-01-vSRX-Node0# set security-zone SL-COSTUMER interfaces reth2 host-inbound-traffic system-services all

root@fw-mci-cl-01-vSRX-Node0# commit
[edit security zones security-zone SL-COSTUMER]
'interfaces reth2.0'
Interface reth2.0 must be configured under interfaces
error: configuration check-out failed

{primary:node0}[edit]
root@fw-mci-cl-01-vSRX-Node0#

The interface config:

description CLIENTES;
vlan-tagging;
mtu 9000;
redundant-ether-options {
    redundancy-group 1;
}
unit 3281 {
    description Previ_Poc_APP;
    vlan-id 3281;
    family inet {
        address 10.187.171.1/24;
        address 10.208.133.129/26;
    }
}
unit 3320 {
    description Previ_Poc_BD;
    vlan-id 3320;
    family inet {
        address 10.208.145.1/24;
    }
}


Re: error when I create zone in vlan.

The reth2 interface is configured with units 3281 and 3320. It does not have a unit 0 logical interface. Remove the reth2.0 interface from the zone config and add the configured unit numbers, like reth2.3281, reth2.3320, etc.


Re: error when I create zone in vlan.

Hello Raul,

When you do not explicitly mention the interface unit under a security zone, it defaults to unit 0.

In your case you used:

set security-zone SL-COSTUMER interfaces reth2 host-inbound-traffic system-services all

This would end up with reth2.0 under the SL-COSTUMER zone. But your interface does NOT define this unit. Hence the error.

I would suggest you use the following (adjust the zones as per your need):

set security-zone SL-COSTUMER interfaces reth2.3281 host-inbound-traffic system-services all

set security-zone SL-COSTUMER interfaces reth2.3320 host-inbound-traffic system-services all

Thanks!
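
The implicit-unit-0 rule explained in the two replies above can be checked before a commit. This is an added example, not Junos or Juniper code: it collects the units defined under `interfaces` from a curly-brace config and flags zone interface references that resolve to a unit that does not exist, reproducing the check the commit failed on. The sample config and set statements are constructed from this thread, and the full `set security zones ...` form is assumed (the original was typed from the `[edit security zones]` hierarchy).

```python
import re

# Constructed sample modelled on the post above: reth2 has units 3281 and
# 3320 but no unit 0, exactly the situation that produced the commit error.
SAMPLE_INTERFACES = """\
interfaces {
    reth2 {
        unit 3281 {
            vlan-id 3281;
            family inet {
                address 10.187.171.1/24;
            }
        }
        unit 3320 {
            vlan-id 3320;
        }
    }
}
"""
# Constructed zone statements in full 'set' form (the post typed them from
# the [edit security zones] hierarchy, so 'security zones' was implicit).
SAMPLE_ZONE_SETS = """\
set security zones security-zone SL-COSTUMER interfaces reth2 host-inbound-traffic system-services all
set security zones security-zone SL-COSTUMER interfaces reth2.3281 host-inbound-traffic system-services all
"""
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")

def configured_units(config: str) -> set[str]:
    """Collect 'ifname.unit' for every unit block under the interfaces hierarchy."""
    stack, units = [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
            # at a unit block the stack is ['interfaces', 'reth2', 'unit 3281']
            if stack[-1].startswith("unit ") and len(stack) >= 3 and stack[-3] == "interfaces":
                units.add(f"{stack[-2]}.{stack[-1].split()[1]}")
    return units

def check_zone_interfaces(zone_sets: str, interfaces_config: str) -> list[str]:
    """Return commit-style errors for zone interfaces with no matching unit."""
    units, errors = configured_units(interfaces_config), []
    for m in filter(None, map(ZONE_RE.match, zone_sets.splitlines())):
        zone, ifl = m.group(1), m.group(2)
        if "." not in ifl:      # a bare IFD name in a zone means unit 0 (reth2 -> reth2.0)
            ifl += ".0"
        if ifl not in units:
            errors.append(f"[edit security zones security-zone {zone}] Interface {ifl} must be configured under interfaces")
    return errors
```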

Re: High CPU utilization due to "ifmon" process in chassis cluster?

Hello there,

In addition to the suggestion above, you may also like to run the command "show system users" and log out the users who are not actively working on the device.

Also look for any script which might have been running interface monitor in the background.

Thanks,

Re: SRX enrol with JATP problem

Hi,

This issue is generally seen when there is some kind of validation failure.

Please check the licenses on the vSRX. Sometimes the presence of more than one license for JATP, or the presence of an expired license, may lead to it too.

Besides, what is the version of your vSRX and JATP?

Thanks!

Re: IP Sec site-to-site VPN Poor performance

Hello Sagar,

If there is a 35% drop by the ISP on plain-text traffic, there is nothing you can do on the SRX to fix it.

I believe you should reach out to your ISP with this evidence, asking them NOT to throttle your traffic. I am sure they would be putting some kind of traffic shapers in place to drop your traffic bursts.

Thanks!

Site to site VPN with self signed certificate

Hi all,

I have 2 x 4100 SRX. I want to create a site-to-site VPN between them using a self-signed certificate. Can anyone help?

Thanks

Web interface error

Hi all,

I'm using a loopback address to manage my SRX 345. It is fine for SSH, but when I navigate to the device in a web browser it redirects me to /servererror.php?code=401

Anyone know why this happens?

Thanks

Re: Web interface error

Hello there,

Error 401 stands for an unauthorized connection.

I would suggest you make sure that both the loopback and the ingress physical interface are configured under:

root# show system services
web-management {
    http {
        interface [ lo0.0 ge-0/0/0.0 ];  <<<<<<< ge-0/0/0 being the ingress interface.
    }
}

Thanks!

In a multicast network, can the SRX be LHR/FHR or RP/FHR at the same time?

Hi Team,

I'm looking to see if there is a way we can make the SRX act as RP/FHR at the same time, or LHR/FHR.

I know the SRX can only have one role; however, I have a customer that only has 2 SRXs, and we are looking for a way to accomplish the sparse scenario explained in https://kb.juniper.net/InfoCenter/index?page=content&id=KB21591&actp=METADATA

So we configured the SRX to act as RP/FHR, but it didn't work. Making it RP/LHR also didn't work.

Please advise!

Thanks in advance!

Re: Dynamic Traffic Shaping

Yeah, I obviously didn't think through how a 20Mb shaper on ge-0/0/1 would work; that's exactly what I need, thanks.
