Channel: All SRX Services Gateway posts

Re: SRX 300 - VLANS on "untrust" zone and NAT


Are you able to upgrade the srx300 to confirm it is a software bug?



Re: SRX enrol with JATP problem


Hi, problem solved.

With a freshly installed JATP, it usually needs to wait some hours in order to give JATP the possibility to download the images and software for the SRX connection.

On top of that, if it's still not working, I did:

1) disenroll from JATP the SRX

2) reload SRX

3) enroll SRX once again

4) reload the JATP

5) wait until the next day

....

then I found JATP and SRX connected!!! 


Hope this helps someone else.

Regards

Re: Logging DHCP bindings


I think this is it, in 19.1R1:


Monitoring DHCP session logs (SRX Series)—Starting in Junos OS Release 19.1R1, you can monitor the Dynamic Host Configuration Protocol (DHCP) session events. Using the session logs generated by the jdhcp process, you can observe the session (subscribe) creation, session deletion, and renew events details. You can configure the DHCP session logs by using the log session and log session dhcpv6 options at the [edit system processes dhcp-service] hierarchy level for IPv4 and IPv6 addresses, respectively. You can use the session logs for monitoring and troubleshooting purposes.


https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/19.1/jd0e14979.html#jd0e15092

Cannot upgrade JunOS


Hi!


When I'm trying to upgrade JunOS on an SRX300 from 15.1X49-D120.3 to 15.1X49-D170.4, I receive strange errors:

> request system software add /var/tmp/junos-srxsme-15.1X49-D170.4-domestic.tgz no-copy unlink
NOTICE: Validating configuration against junos-srxsme-15.1X49-D170.4-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da1s2a)...
/dev/da1s2a: 596.2MB (1220920 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 149.05MB, 9539 blks, 19200 inodes.
super-block backups (for fsck -b #) at:
32, 305280, 610528, 915776
Checking compatibility with configuration
Initializing...
Using junos-15.1X49-D170.4-domestic from /altroot/cf/packages/install-tmp/junos-15.1X49-D170.4-domestic
Copying package ...
mkdir: /cf/var/validate/c/tmp: No such file or directory
mount_nullfs: /cf/var/validate/c/tmp: No such file or directory
cd: can't cd to /cf/var/validate/c/tmp/junos
/usr/libexec/ui/validate-config: cannot create /cf/var/validate/c/tmp/junos/+INSTALL.x: No such file or directory
chroot: /bin/sh: No such file or directory
ERROR: validate-config: /cf/var/validate/c/tmp/junos/+INSTALL fails
ERROR: Configuration validation failed with /altroot/cf/packages/install-tmp/junos-15.1X49-D170.4-domestic


I tried to upgrade to several other versions, but received the same error.


It doesn't look like a problem with free space:

> show system storage
node0:
--------------------------------------------------------------------------
Filesystem Size Used Avail Capacity Mounted on
/dev/da1s1a 579M 251M 282M 47% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/md0 20M 11M 6.7M 63% /junos
/cf/packages 579M 251M 282M 47% /junos/cf/packages
devfs 1.0K 1.0K 0B 100% /junos/cf/dev
/dev/md1 807M 807M 0B 100% /junos
/cf 20M 11M 6.7M 63% /junos/cf
devfs 1.0K 1.0K 0B 100% /junos/dev/
/cf/packages 579M 251M 282M 47% /junos/cf/packages1
procfs 4.0K 4.0K 0B 100% /proc
/dev/bo0s3e 185M 806K 170M 0% /config
/dev/bo0s3f 4.9G 1.5G 3.0G 33% /cf/var
/dev/md2 672M 44M 574M 7% /mfs
/cf/var/jail 4.9G 1.5G 3.0G 33% /jail/var
/cf/var/jails/rest-api 4.9G 1.5G 3.0G 33% /web-api/var
/cf/var/log 4.9G 1.5G 3.0G 33% /jail/var/log
devfs 1.0K 1.0K 0B 100% /jail/dev
/dev/md3 1.8M 4.0K 1.7M 0% /jail/mfs
devfs 1.0K 1.0K 0B 100% /cf/var/validate/c/cf/dev
procfs 4.0K 4.0K 0B 100% /cf/var/validate/c/proc


Any advice?

Re: Cannot upgrade JunOS


The error is pretty clear:


NOTICE: Validating configuration against junos-srxsme-15.1X49-D170.4-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Checking compatibility with configuration
ERROR: Configuration validation failed with /altroot/cf/packages/install-tmp/junos-15.1X49-D170.4-domestic


Config validation is rarely helpful and I don't know what wouldn't be compatible between two minor updates. I would update with the no-validate option:


request system software add /var/tmp/junos-srxsme-15.1X49-D170.4-domestic.tgz no-copy no-validate unlink

Re: State Invalid on user-authentication with Active Directory


Hello


Yes, the AD is always connected.

No, the issue happens with random users.

Regards,


Rr.

Re: Cannot upgrade JunOS


Hi RuslanP,


Is your box booted from the backup partition when you are trying the upgrade?

You can confirm with this command:

show system storage partitions | match "Currently booted"

It is expected that the validation option fails if you are booting from the backup partition.

The validation option should work properly if your box is booted from the primary partition.

Hope this helps.

Tim.

SSL Forward Proxy Certificate


Hi


I need to inspect HTTPS traffic over SKYATP, so I configured a forward proxy and attached it to the security policy.

I loaded a certificate signed by a public CA onto the SRX and used it in the forward proxy, but when clients tried to browse HTTPS they got a certificate error.

My questions:

- Do I have to load the signed SRX certificate into the clients' browsers, as it's already signed by a public CA which is already in the browsers' CA list?

- When generating the certificate request on the SRX, is it required to fill in correct values for the subject, domain, IP...?

"as the firewall is not joined to a domain and doesn't have a public IP"

- Is there a way to test if the imported SRX certificate is valid "from the SRX itself" and communicates with the CA properly?


Re: Question about Address prefix vs. range-address in Security Policies


 wrote:

Hope there is no typo in the address book IP address. Please use the below-mentioned command in both cases and check the status:

show security match-policies from-zone trust to-zone trust source-ip a.b.c.d destination-ip e.f.g.h source-port 1025 destination-port 1025 protocol icmp


Thanks for your reply. If I have a typo, wouldn't JunOS notice and issue an error? I used the webUI for these changes, so I hope they're fine syntax-wise. Anyway, I changed my config as follows:

  1. Changed destination to subnet - OK!
  2. Changed source to subnet - Error.

Here's the error output:

Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
Sequence number: 2

The problem is I can't find this Default-Policy when I issue show security policies.

When everything was working after changing step 1, here's the output:

Policy: Intra-trust-allow, action-type: permit, State: enabled, Index: 12
0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: trust
  Source addresses:
    Management-subnet(Trusted-Addresses): x.y.z.1 ~ x.y.z.254
  Destination addresses:
    any-ipv4(Trusted-Addresses): 0.0.0.0/0
    any-ipv6(Trusted-Addresses): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Source identities:
    any
  Per policy TCP Options: SYN check: No, SEQ check: No

Re: Question about Address prefix vs. range-address in Security Policies


 wrote:

Hello,

The SRX, by default in flow mode, blocks intra-zone traffic as well. So indeed you need a trust-to-trust policy if the traffic is traversing from x.y.z.0/24 to x.y.z.0/24 or a.b.c.0/24, as they are both bound to the trust zone.

Can you also try configuring it the following way:

set security zones security-zone trust address-book address A-prefix-subnet x.y.z.0/24
set security zones security-zone trust address-book address B-prefix-subnet a.b.c.0/24


set security policies from-zone trust to-zone trust policy Intra-trust-allow match source-address A-prefix-subnet
set security policies from-zone trust to-zone trust policy Intra-trust-allow match destination-address B-prefix-subnet
set security policies from-zone trust to-zone trust policy Intra-trust-allow match application any
set security policies from-zone trust to-zone trust policy Intra-trust-allow then permit


Thanks for your reply. I tried it but because I'm using global address book entries, I can't enter any addresses in my zones.

Re: Question about Address prefix vs. range-address in Security Policies


 wrote:

Hello,


Indeed, it sounds strange. Assuming no typo in the /24 subnet definition, I would try the following:

> Remove the /24 entry

> commit the config

> Add the /24 address book entry

> Add the /24 address-book entry to the policy while removing the range entry

> commit full (note that dynamic routing and VPNs may encounter a blip with this)

> Can you check if the policy detail shows the correct subnet?


root@srx> show security policies from-zone trust to-zone trust detail
Policy: Subnet1-to-Subnet2, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: trust
Source addresses:
Subnet1(global): 192.168.10.0/24
Destination addresses:
Subnet2(global): 192.168.20.0/24
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No 


> Which platform is this? We can check if the policy is programmed properly in the PFE if the above steps don't help.

I hope this helps.


Regards,


Vikas


Interesting!

I replaced the entry in my reply to Nellikka, and here's the detail:

root@srx240poe> show security policies from-zone trust to-zone trust detail
Policy: Intra-trust-allow, action-type: permit, State: enabled, Index: 12, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: trust
  Source addresses:
    Management-subnet(Trusted-Addresses): x.y.z.0/0.0.0.24
  Destination addresses:
    any-ipv4(Trusted-Addresses): 0.0.0.0/0
    any-ipv6(Trusted-Addresses): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Source identities:
    any
  Per policy TCP Options: SYN check: No, SEQ check: No

The problem was that I was using CIDR and not reading the description in the CLI or the webUI's drop-down "IP Address/Netmask"!

Duh.

Replacing x.y.z.0/24 with x.y.z.0/255.255.255.0 fixed it!

EDIT: You guys are real sharp. I think the reason why you asked whether there was a typo is that the CLI config doesn't use CIDR; the entries are defined as

            address Management-subnet {
                wildcard-address x.y.z.0/255.255.255.0;
            }

Thank you everyone.
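
The mix-up resolved above, reproduced and avoided in an added Go example (not from the thread or from Juniper): the mask-field behaviour that turns "/24" into 0.0.0.24 is an assumption modelled on BSD inet_aton's single-number form, not a statement about Junos internals, and Normalize shows how to accept both CIDR and dotted input while always committing the dotted-mask form.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Entry is an address-book entry in the dotted-mask form the thread ended up
// with ("x.y.z.0/255.255.255.0"); PrefixLen is -1 for a non-contiguous mask.
type Entry struct {
	Address, Mask string
	PrefixLen     int
}

// MaskFieldAsDotted reads the text after "/" the way a field documented as
// "IP Address/Netmask" would: a dotted quad is taken literally, and a bare
// integer is treated as a 32-bit value and rendered dotted. This assumed
// behaviour (what BSD inet_aton does with a single number) reproduces the
// "x.y.z.0/0.0.0.24" the poster saw; the thread shows no Junos internals.
func MaskFieldAsDotted(field string) (string, bool) {
	if n, err := strconv.ParseUint(field, 10, 32); err == nil {
		return net.IPv4(byte(n>>24), byte(n>>16), byte(n>>8), byte(n)).String(), true
	}
	if ip := net.ParseIP(field); ip != nil && ip.To4() != nil {
		return ip.To4().String(), true
	}
	return "", false
}

// Normalize accepts "a.b.c.d/N" (CIDR) or "a.b.c.d/m.m.m.m" and always returns
// the dotted-mask form, so that a /24 can never be stored as 0.0.0.24.
func Normalize(s string) (Entry, error) {
	addr, field, ok := strings.Cut(s, "/")
	ip := net.ParseIP(addr)
	if !ok || ip == nil || ip.To4() == nil {
		return Entry{}, fmt.Errorf("%q: expected IPv4 address/mask", s)
	}
	var mask net.IPMask
	if n, err := strconv.Atoi(field); err == nil { // CIDR prefix length
		if n < 0 || n > 32 {
			return Entry{}, fmt.Errorf("%q: prefix length out of range", s)
		}
		mask = net.CIDRMask(n, 32)
	} else if m := net.ParseIP(field); m != nil && m.To4() != nil { // dotted mask
		mask = net.IPMask(m.To4())
	} else {
		return Entry{}, fmt.Errorf("%q: mask is neither a prefix length nor dotted", s)
	}
	ones, bits := mask.Size() // (0, 0) when the mask is non-contiguous (wildcard)
	if bits == 0 {
		ones = -1
	}
	return Entry{ip.To4().String(), net.IP(mask).String(), ones}, nil
}

func main() {
	got, _ := MaskFieldAsDotted("24")
	fmt.Println("\"/24\" read as a netmask field:", got) // 0.0.0.24, as in the thread
	e, err := Normalize("192.168.10.0/24")
	fmt.Println(e, err) // {192.168.10.0 255.255.255.0 24} <nil>
}
```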

Re: SSL Forward Proxy Certificate


Hi,


What's the error shown on the clients' side?

Can you share the SSL profile configuration?

Can you provide the output of the following commands in order to confirm that the trust chain is complete:

show security pki local-certificate detail certificate-id <certificate-id-name>
request security pki local-certificate verify certificate-id <certificate-id-name>
show security pki ca-certificate detail <ca-profile ca-profile-name>


Re: SSL Forward Proxy Certificate


Hi


Attached are the SSL configuration and the error shown on the client side ("I can't share the certificate outputs").

Could you please answer my questions raised in the previous update?

Thanks

Re: Cannot upgrade JunOS


Hi Tim,


No, I booted from the active partitions:

> show system storage partitions | match "Currently booted"
Currently booted from: active (da1s1a)
Currently booted from: active (da0s1a)

Re: Cannot upgrade JunOS


Thanks a lot, it looks like no-validate helped.

I know this option, but I thought that the problem was some missing files...


Re: SSL Forward Proxy Certificate


Hi,


The error you are receiving is because the SRX was not able to authenticate the Facebook server, and because of this it sends a dummy cert to the PC in order to inform it about this error. See the "Server Authentication" section:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ssl-proxy.html


When the SRX contacts Facebook and the server provides its local cert, the SRX will try to authenticate it with the CA certs stated under:


set services ssl proxy profile ssl-inspect-profile trusted-ca [Trusted_CA-Certs]


I just connected to Facebook and received the cert attached in file "Facebook cert". We can see that this cert was issued/signed by "Digicert SHA2 High Assurance Server CA", which is an intermediate CA. In the attached file "Facebook cert-3" we can see that "Digicert" signed/issued that intermediate CA cert, hence "Digicert" is the root CA. We need to make sure that both the intermediate CA cert and the root CA cert are loaded in the SRX if we want it to trust the local cert provided by Facebook.

I believe you need to change the value "sky-atp-ca" to "all" so that the SRX will check all installed CA certs when authenticating Facebook or any other external website. Note that "all" option means that the SRX will check all installed CA certs when authenticating an external cert. Juniper packages come with pre-installed CA certs that can be loaded with the following command:


request security pki ca-certificate ca-profile-group load ca-group-name ca-default filename default


Check "Trusted CA List" section in the following doc:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ssl-proxy.html


Try installing the Trusted CA list provided by Juniper and using option "all" under [edit services ssl proxy profile ssl-inspect-profile trusted-ca]. If the issue persists after that, then we will confirm if the SRX does have the Root CA cert (Digicert) and the Intermediate CA cert (Digicert SHA2 High Assurance Server CA) installed correctly.
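
To show the chain requirement spelled out above (server cert signed by an intermediate, intermediate signed by a root, and both CAs needed on the proxy), here is an added Go example that is not from the thread or from Juniper. It builds a throwaway root CA, intermediate CA and server certificate (hypothetical names, host www.example.invalid) and runs Go's standard chain verification against a trusted list with and without the intermediate, which is the condition the SRX trusted-ca list has to satisfy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI (root CA -> intermediate CA -> server
// certificate), playing the role of Digicert -> "Digicert SHA2 High Assurance
// Server CA" -> the Facebook server certificate discussed in the thread.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// mustSign issues tmpl under parent, signed with the parent's key (demo: panics on error).
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// BuildChain generates throwaway P-256 keys and hypothetical certificates.
func BuildChain() *Chain {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	intKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := tmpl(1, "Example Root CA", true)
	root := mustSign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := mustSign(tmpl(2, "Example Intermediate CA", true), root, &intKey.PublicKey, rootKey)
	leafTmpl := tmpl(3, "www.example.invalid", false)
	leafTmpl.DNSNames, leafTmpl.KeyUsage = []string{"www.example.invalid"}, x509.KeyUsageDigitalSignature
	leaf := mustSign(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return &Chain{root, inter, leaf}
}

// VerifyServer mirrors the proxy's server-authentication step: the server
// certificate must chain to a CA in the trusted list through the intermediates
// available. A nil result means the chain is complete.
func VerifyServer(leaf *x509.Certificate, trusted, intermediates []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.invalid", Roots: roots, Intermediates: inters})
	return err
}
```

With only the root trusted and no intermediate available, VerifyServer returns an unknown-authority error; with the intermediate loaded as well, it returns nil.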


Re: SRX Session Analyzer based on Perl


Can you please also send me your session analyzer tool.


Thank you very much!

gcmeads@yahoo.com

High CPU, not traceable


Hello, I have an SRX 4100 with high CPU "spikes".

While troubleshooting, I realised that mib2d & snmp take a lot of utilization, and research showed me that our Check_MK plugin does snmpwalks and that may cause our high CPU, so I temporarily deactivated our Check_MK plugin and monitored it manually with snmpgets, and the CPU spikes were instantly lower. But there are still spikes above 90 percent.

Running the following commands:

show chassis routing-engine

node0:
--------------------------------------------------------------------------
Routing Engine status:
    Temperature                 27 degrees C / 80 degrees F
    CPU temperature             27 degrees C / 80 degrees F
    Total memory              1954 MB Max   645 MB used ( 33 percent)
    Memory utilization          27 percent
    5 sec CPU utilization:
      User                      24 percent
      Background                 9 percent
      Kernel                    56 percent
      Interrupt                 11 percent
      Idle                       0 percent
    1 min CPU utilization:
      User                       4 percent
      Background                14 percent
      Kernel                    17 percent
      Interrupt                  7 percent
      Idle                      59 percent
    5 min CPU utilization:
      User                       3 percent
      Background                14 percent
      Kernel                    14 percent
      Interrupt                  6 percent
      Idle                      63 percent
    15 min CPU utilization:
      User                       2 percent
      Background                13 percent
      Kernel                    13 percent
      Interrupt                  6 percent
      Idle                      66 percent
    Model                          SRX Routing Engine
    Serial ID                      BUILTIN
    Start time                     2019-01-10 08:42:04 CET
    Uptime                         74 days, 22 hours, 57 minutes, 58 seconds
    Last reboot reason             0x8:power-button hard power off 
    Load averages:                 1 minute   5 minute  15 minute
                                       1.11       0.83       0.73

show system processes extensive

last pid: 25114;  load averages:  0.80,  0.65,  0.59  up 82+23:06:30    08:47:53
172 processes: 3 running, 149 sleeping, 20 waiting

Mem: 437M Active, 96M Inact, 66M Wired, 724M Cache, 69M Buf, 579M Free
Swap: 615M Total, 615M Free


  PID USERNAME         THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
   10 root               1 171   52     0K    12K RUN    1268.2 50.00% idle: cpu0
 1952 root               1 139   15 11652K  6908K RUN     85.6H  5.96% sampled
   24 root               1 -68 -187     0K    12K WAIT    86.3H  3.96% irq11: uhci0 em3++*
    4 root               1  -8    0     0K    12K -       44.6H  3.47% g_down
   11 root               1 -40 -159     0K    12K WAIT    38.6H  0.49% swi2: netisr 0
   27 root               1 -16    0     0K    12K -       21.7H  0.49% em0 taskq
 1948 root               1  76    0 33016K 21372K select  90.9H  0.00% mib2d
 1995 root               1  76    0 23240K 18492K select  24.6H  0.00% snmpd
 1581 root               1  76    0  5464K  2384K select  16.9H  0.00% sysctlrelayd
 2074 root               1  76    0     0K    12K select 793:07  0.00% peerproxy02a00001
   14 root               1 -20 -139     0K    12K WAIT   638:05  0.00% swi7: +
   45 root               1 171   52     0K    12K pgzero 513:29  0.00% pagezero
 1956 root               1  76    0 11520K  8840K select 400:24  0.00% ppmd
 2603 root               1  76    0     0K    12K select 301:59  0.00% peerproxy1000a081
   15 root               1 -16    0     0K    12K -      229:15  0.00% yarrow
 1962 root               1   4    0 41096K 11752K kqread 179:47  0.00% l2cpd
 1585 root               1  76    0  9608K  4900K select 178:11  0.00% license-check
 1578 root               1  76    0  9568K  4808K select 174:36  0.00% rtlogd
   12 root               1 -20 -139     0K    12K WAIT   165:31  0.00% swi7: clock sio
 2602 root               1  76    0     0K    12K select 159:47  0.00% peerproxy1000a082
 1982 root               7  76    0 20784K  5584K select 115:13  0.00% aamwd
 1994 root               1  76    0 47356K 18908K select  88:44  0.00% pfed
 2540 root               1  76    0 40316K 14984K select  87:15  0.00% chassisd
    3 root               1  -8    0     0K    12K -       84:27  0.00% g_up
 2160 root               1  76    0 25480K 14012K select  64:14  0.00% nsd
 1570 root               1  76    0  5264K  2832K select  52:10  0.00% pmond
   32 root               1 -16    0     0K    92K -       50:00  0.00% vtblk1 taskq
   51 root               1  76    0     0K    12K sleep   39:12  0.00% netdaemon
 1564 root               1  76    0 12376K  7628K select  38:35  0.00% jsrpd
 1951 root               1  76    0 22988K  8900K select  32:32  0.00% l2ald
 1950 root               1   4    0 90840K 34172K kqread  30:35  0.00% rpd
 1953 root               1  76    0 10836K  5564K select  29:59  0.00% rmopd
 1967 root               1  76    0 17392K  5384K select  25:42  0.00% bdbrepd
 1955 root               1  76    0 10836K  4240K select  19:34  0.00% fud
 1562 root               1  76    0 12828K  4520K select  19:06  0.00% shm-rtsdbd
   28 root               1 -16    0     0K    12K -       15:53  0.00% em1 taskq

Can someone help me with the troubleshooting?

Thanks in advance

Re: High CPU, not traceable


sampled seems to take CPU now.

Restart it and confirm the state:

restart sampling immediately
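
To make the reading of the `show system processes extensive` table above repeatable, here is an added Go example (not from the thread or from Juniper) that parses a few rows constructed from the thread's output, drops the idle threads and ranks the rest by WCPU; this per-process view is what a monitoring job can alert on instead of the Routing Engine average.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Proc is one row of "show system processes extensive" (FreeBSD top layout).
type Proc struct {
	PID     int
	Command string
	WCPU    float64
}

// ParseProcesses picks PID, WCPU and COMMAND out of the table, skipping the
// header and summary lines and the per-core "idle: cpuN" threads.
func ParseProcesses(out string) []Proc {
	var procs []Proc
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 11 {
			continue
		}
		pid, err1 := strconv.Atoi(f[0])
		wcpu, err2 := strconv.ParseFloat(strings.TrimSuffix(f[9], "%"), 64)
		if err1 != nil || err2 != nil {
			continue // header line: "PID" and "WCPU" are not numbers
		}
		cmd := strings.Join(f[10:], " ") // COMMAND may contain spaces
		if strings.HasPrefix(cmd, "idle:") {
			continue
		}
		procs = append(procs, Proc{pid, cmd, wcpu})
	}
	sort.SliceStable(procs, func(i, j int) bool { return procs[i].WCPU > procs[j].WCPU })
	return procs
}

// TopConsumers returns the non-idle processes at or above minWCPU, busiest first.
func TopConsumers(out string, minWCPU float64) []Proc {
	var hot []Proc
	for _, p := range ParseProcesses(out) {
		if p.WCPU >= minWCPU {
			hot = append(hot, p)
		}
	}
	return hot
}

// sample is constructed from rows quoted in the thread (columns unchanged).
const sample = `  PID USERNAME         THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
   10 root               1 171   52     0K    12K RUN    1268.2 50.00% idle: cpu0
 1952 root               1 139   15 11652K  6908K RUN     85.6H  5.96% sampled
   24 root               1 -68 -187     0K    12K WAIT    86.3H  3.96% irq11: uhci0 em3++*
    4 root               1  -8    0     0K    12K -       44.6H  3.47% g_down
 1948 root               1  76    0 33016K 21372K select  90.9H  0.00% mib2d
`

func main() {
	for _, p := range TopConsumers(sample, 1.0) {
		fmt.Printf("%5d %6.2f%% %s\n", p.PID, p.WCPU, p.Command) // sampled, irq11..., g_down
	}
}
```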


SRX 340 - How to manage out-of-band fxp0 in a route-based, active/passive VPN-Cluster with static Routes


Hello everybody,


Specification:

Platform: SRX340

Firmware: JUNOS Software Release [15.1X49-D160.2]

route-based VPN

Clustered Active/Passive

Out-of-Band Management Interface (fxp0)


At the moment I have a problem with the management concept on my SRX340 VPN cluster.

Let's say I want NTP, SNMP, Syslog and TACACS+ all over the out-of-band management interface (fxp0). Besides the configuration of all this, there is a point when I must send the traffic to my destination. At this moment I must define a route to my target host/subnet.

Because I want the secondary to be reachable too, I also configure something like this for all the named services (NTP, SNMP, Syslog, TACACS+):

set groups node0 system ntp source-address 10.10.10.194 (Source Address = Management-IP Device 1 )

set groups node1 system ntp source-address 10.10.10.195 (Source Address = Management-IP Device 2 )

set groups node0 system backup-router 10.10.10.1

set groups node1 system backup-router 10.10.10.1

set groups node0 system backup-router destination 10.10.100.0/24 (NTP Subnet)

set groups node1 system backup-router destination 10.10.100.0/24 (NTP Subnet)

(The secondary doesn't use the routing table, only the backup-router route.)

Now I also want to configure my route-based tunnels, so there are more routes in the routing table and backup-router.

Here comes the risk that one of my management subnets conflicts with a remote subnet.

So how do I separate the routing tables? The best way would be a virtual routing instance, as far as I know.

The only problem is that I read that you can't put the management in its own VR (with the firmware I use) without problems (e.g. with DHCP).

In the end, I want to separate trust+st0 in a VR, management in a VR, and maybe a VR for untrust, if this makes sense.

Sadly I don't know which impact this has on the VPN tunnels in the future.

Does someone have experience with these problems?

Is there a good solution to separate the VRs, so that management and trust+st0 routes don't interfere?

Best Regards

Muyo

