Re: Aggregated interface using OSPF issue
Hi,
In the secondary state the switch won't process control traffic and OSPF will stay down.
You need to make the state active or move the 2nd interface to the same active switch.
Regards,
Rahul
Re: Aggregated interface using OSPF issue
You can't have a single ae interface connect to two different switches unless they are configured with multi-chassis LAG. If you post a topology and configurations people will be better able to help.
Re: Aggregated interface using OSPF issue
It peers to the second switch just fine, but when I shut this interface down (on the 2nd switch), switch 1 just sits in init state on OSPF.
I was thinking that MC-LAG would then automatically form an adjacency with the first switch as the second one fails.
They’re all talking on a /29 address space
.1 juniper SRX
.2 active gateway for both switches
.3 switch 2
.4 switch 1
Thanks
RT_ALG_WRN_CFG_NEED
Hi All
I have recently had the following non-stop warning log on an SRX320 (15.1X49-D50.3). When looking at the Juniper System Log Explorer, it says that this is not an error. If it is not an error, why does Junos need a configuration? Or how do I fix this warning log? Any ideas or techniques for responding to the log?
May 13 10:58:52 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/49488 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:58:55 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/49568 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:58:56 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/61580 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:58:56 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.22/51051 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:00 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/62001 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:10 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/63129 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:31 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/50345 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:34 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/64807 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:37 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/64970 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:40 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/50527 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:41 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.129/52665 which need extra policy config with UUID:12345778-1234-abcd-ef00-0123456789ab or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:41 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.129/52669 which need extra policy config with UUID:12345778-1234-abcd-ef00-0123456789ab or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:53 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.83.232/62423 which need extra policy config with UUID:12345778-1234-abcd-ef00-0123456789ab or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 11:00:05 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/50527 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 11:00:06 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.83.234/60448 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 11:00:08 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/50842 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
Thanks,
Arix
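The warning names the one piece of information you need to act on it: the DCE/RPC interface UUID the client asked for, which no current policy permits. The script below is an added example, not part of the thread, that parses lines of this shape, groups them by UUID and client, and drafts custom MS-RPC application definitions for them. The sample lines are constructed to match the excerpt above, the application name prefix is arbitrary, and the exact `set applications application ... uuid` syntax is an assumption to be checked against the Junos release in use.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the syslog excerpt above (not the
# poster's full log); the third line is unrelated noise the parser must ignore.
SAMPLE_LOG = """\
May 13 10:58:52 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.31/49488 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:58:56 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.53.80.22/51051 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
May 13 10:59:00 kz8204fw101 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50000
May 13 10:59:00 kz8204fw101 junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.232.3.22/62001 which need extra policy config with UUID:f309ad18-d86a-11d0-a075-00c04fb68820 or 'junos-ms-rpc-any' to let it pass-through on ASL session
"""

LINE_RE = re.compile(
    r"RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)"
    r".*?UUID:(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)


def parse_alg_warnings(text):
    """One (source_ip, source_port, uuid) tuple per RT_ALG_WRN_CFG_NEED line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits.append((m.group("src"), int(m.group("sport")), m.group("uuid").lower()))
    return hits


def summarize(hits):
    """Map each UUID to the sorted list of client IPs the ALG saw requesting it."""
    by_uuid = defaultdict(set)
    for src, _sport, uuid in hits:
        by_uuid[uuid].add(src)
    return {uuid: sorted(srcs) for uuid, srcs in by_uuid.items()}


def render_set_commands(summary, app_prefix="msrpc-uuid"):
    """Draft one custom MS-RPC application per UUID.

    The application name and the exact set syntax are assumptions: verify them
    against the [edit applications application <name>] hierarchy of your release.
    """
    cmds = []
    for uuid in sorted(summary):
        name = f"{app_prefix}-{uuid[:8]}"
        cmds.append(f"set applications application {name} application-protocol ms-rpc")
        cmds.append(f"set applications application {name} uuid {uuid}")
    return cmds


if __name__ == "__main__":
    summary = summarize(parse_alg_warnings(SAMPLE_LOG))
    for uuid, srcs in summary.items():
        print(f"{uuid}: {len(srcs)} client(s): {', '.join(srcs)}")
    print("\n".join(render_set_commands(summary)))
```

The drafted applications still have to be referenced from the policy that is supposed to allow this traffic; whether to do that, or to use the broad `junos-ms-rpc-any` the log itself mentions, is a policy decision. The log is the ALG telling you which DCE/RPC interface is being requested without a matching permit, so the per-UUID list is the narrower option.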
Re: RT_ALG_WRN_CFG_NEED
Try to read this topic
Re: Aggregated interface using OSPF issue
Configuring the MC-LAG peers as active-active and status-control as active/standby needs to be done.
Also make sure that the interfaces under ospf are not configured as interface-type p2p.
Re: Aggregated interface using OSPF issue
Hi
Just trying to understand the requirement here. I am not sure LAG and OSPF are required together here.
1. If you have L2 LAG connectivity, why do you need OSPF to both switch members? The firewall would route traffic to the ae and the switch can route to the LAG. Redundancy is taken care of by the LAG.
2. I believe what you are looking for is an ether-switching interface with irb interface on the SRX. This way it would not be a LAG. It will peer to the two switches independently and route based on OSPF learning/configuration
3. Configuration steps for the above will be:
> You would need to enable family ether-switching on the interface
> associate the interface with a VLAN, access or trunk
> configure the L3 on the IRB associated with the VLAN
> configure the ospf as p2mp
I hope this helps. Regards,
Vikas
Get a configuration file from an external storage
Hi all
Currently, I am working with Packer and VMware Workstation Pro on a Linux machine. I have made a Packer script to auto-generate a vSRX VMX file from an OVA file. The Packer script works properly but I am booting the comments from the script. The idea is to pull the configuration file from external storage (laptop) into a new virtual machine. I want to be able to change the configuration file without changing the Packer script. To do that, I added a CD-ROM in VMware with a specific path to load the configuration, using this guide (https://www.juniper.net/documentation/en_US/vsrx/topics/task/configuration/security-vsrx-vmware-bootstrap-config.html), but I can't find the new file system (show system storage) in vSRX 17.3.
I would like to know how:
- to connect the virtual CD-ROM to the vSRX,
- to apply the configuration, and
- to debug.
Thanks in advance.
Looking forward to reading your suggestions.
Re: Get a configuration file from an external storage
I do not think you can mount a CD-ROM, but try with a USB drive.
Re: Get a configuration file from an external storage
Hi,
The CD-ROM used in the document refers to the initial configuration, which is loaded while the vSRX VM boots.
If you see the login prompt, the config should already be updated on the vSRX VM.
The CD-ROM then needs to be removed too, so that changes to the configuration made from the CLI/NETCONF after boot stay.
Otherwise the vSRX would boot with the initial config every time it boots up.
If you need to make changes to the initial config, that has to be done before creating the ISO image with the juniper.conf file.
Regards,
Rahul
Re: Get a configuration file from an external storage
Hi
I'm testing getting the initial configuration from the CD-ROM, and following the description in the link from the OP, I simply don't see any effect.
No change in configuration and no entries in the logs.
@rahuverma have you tested this? Should I expect entries in the logs about success or failure?
/morten
New ISP wants to use a WAN connection
We are moving to a temporary site, and our rental agent has provided us with a specific ISP to use. We are using extensive Amazon based VPN tunnels via site SRX-300s. In my experience, most ISPs will handshake off the static IP address via a router or modem. The ISP at our temporary site insists that they hand off either to a router of our choosing (and therefore maintenance) or that we connect to our Juniper directly.
Given that the turn around time on their tickets is 24 hours, I would rather not have to rely on them to configure a network to allow a specific MAC address on it, should my SRX-300 need to be replaced.
Apparently the ISP install is in about 38 hours, so can anybody point me to an article to set up this kind of VPN service?
Re: Get a configuration file from an external storage
Hi Morten,
Yes this is a tested process and should work.
Regarding no change in config: can you confirm that, when you select the ISO from the datastore, you check the box next to the file which shows "Connected"?
Secondly, regarding success/fail: since the config is added during boot, if the config is not supported you will get the errors on the console itself.
Regards,
Rahul
Re: New ISP wants to use a WAN connection
Hi Bantaro,
As per my understanding, your ISP is fine with giving the IP to be used on the Juniper box.
Your SRX300 can keep the public IP on its untrust side, and your private and DMZ sides can remain connected on other interfaces.
So the SRX has a static IP and AWS would have a dynamic IP; this qualifies for an aggressive-mode VPN.
Reference: https://kb.juniper.net/KB28077
Regards,
Rahul
Using an SRX as an NTP server
Is it possible to use a loopback interface on an SRX to provide NTP services? I want to do this to make a single NTP server address in one data centre available to all servers that can get to it. This will be used in addition to other NTP servers that are available.
With an SRX configured to get time updates from another server, and with 'host-inbound-traffic system-services ntp' set on the relevant zone for the interface where the requests come in, it is clearly possible to use an SRX as an NTP server.
When I configure an NTP client to use an IP address configured on lo0.0, the firewall does not even seem to respond. That is even with 'host-inbound-traffic system-services ntp' set on a zone containing the loopback interface lo0.0. I've been right through all the filters that are configured on this firewall, and none of them would apply to NTP, including the discard terms in place.
The logs are showing that all the NTP requests are being allowed inbound to the firewall's lo0.0 address, but they all time out.
Any help gratefully received, even if it's a simple 'no, that's not possible'.
Thanks
SRX Syslogging to TCP
Is there a way to send syslogs over TCP instead of UDP?
I have the following configured but it's not working:
show configuration system syslog
archive size 100k files 3;
user * {
    any emergency;
}
host 1.1.1.1 {
    port 514;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}
show configuration security log
utc-timestamp;
mode stream;
format sd-syslog;
report;
source-address 4.4.4.4;
transport {
    protocol tcp;
}
stream External {
    category all;
    host {
        1.1.1.1;
        port 514;
    }
}
The syslog setup is all fine and working nicely on TCP as it currently handles other devices sending syslog over TCP to it.
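The configuration above chooses `format sd-syslog` and `transport protocol tcp` for the security log stream, so what arrives at the collector is RFC 5424 text with structured-data elements, carried over a TCP session that may use either octet-count or newline framing. The receiver below is an added example, not something from the thread, for the check a practitioner wants at this point: listen on a spare TCP port, print whether the SRX opens a connection at all, and decode the structured data of whatever it sends. The sample message is constructed (field names mimic Junos RT_FLOW messages, values are made up); the port 5514 and the bind address are assumptions.

```python
import re
import socketserver

# Constructed sample message in sd-syslog (RFC 5424) shape; it is not a real
# capture from the poster's SRX, only the framing and field layout matter here.
SAMPLE_MSG = (
    b'<14>1 2019-05-13T10:58:52.000Z kz8204fw101 RT_FLOW - RT_FLOW_SESSION_DENY '
    b'[junos@2636.1.1.1.2.129 source-address="10.232.3.31" source-port="49488" '
    b'destination-address="10.53.80.5" destination-port="135" protocol-id="6" '
    b'policy-name="default-deny"] session denied'
)

HEADER_RE = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?:\s+[^\s=]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<k>[^\s=]+)="(?P<v>(?:[^"\\]|\\.)*)"')


def split_frames(buf):
    """Cut complete messages out of a TCP byte stream.

    Handles RFC 6587 octet counting ("NNN <pri>...") and newline framing and
    returns (messages, leftover) so a partially received frame waits for more data.
    """
    msgs = []
    while buf:
        m = re.match(rb"(\d+) ", buf)
        if m:
            n, start = int(m.group(1)), m.end()
            if len(buf) - start < n:
                break
            msgs.append(buf[start:start + n])
            buf = buf[start + n:]
            continue
        nl = buf.find(b"\n")
        if nl < 0:
            break
        msgs.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return msgs, buf


def parse_rfc5424(msg):
    """Split PRI into facility/severity, read the header fields, decode every
    structured-data element into a nested dict and keep the free-text MSG."""
    text = msg.decode("utf-8", "replace")
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"not RFC 5424: {text[:40]!r}")
    pri = int(m.group(1))
    rec = {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(2),
           "host": m.group(3), "app": m.group(4), "procid": m.group(5),
           "msgid": m.group(6), "sd": {}}
    rest = text[m.end():]
    if rest.startswith("-"):          # NILVALUE: no structured data
        rec["msg"] = rest[1:].lstrip()
        return rec
    pos = 0
    while pos < len(rest) and rest[pos] == "[":
        sm = SD_ELEMENT_RE.match(rest, pos)
        if not sm:
            break
        rec["sd"][sm.group("id")] = {p.group("k"): p.group("v")
                                     for p in SD_PARAM_RE.finditer(sm.group("params"))}
        pos = sm.end()
    rec["msg"] = rest[pos:].lstrip()
    return rec


class SyslogHandler(socketserver.StreamRequestHandler):
    def handle(self):
        print("TCP connection from", self.client_address)  # proves the SRX dialled out at all
        buf = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            buf += chunk
            msgs, buf = split_frames(buf)
            for raw in msgs:
                try:
                    rec = parse_rfc5424(raw)
                except ValueError as exc:
                    print("unparsed:", exc)
                    continue
                print(rec["host"], rec["msgid"], rec["sd"])


def serve(bind="0.0.0.0", port=5514):
    """Assumed unprivileged port; point a test stream at it before touching 514."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((bind, port), SyslogHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

If no connection line ever prints, the problem is upstream of the collector (routing from the configured source-address, a policy or host-outbound issue, or the stream never starting), not the collector's TCP support; if connections arrive but every message is reported as unparsed, the format on the wire is not the one expected and the raw bytes are worth looking at.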
Re: Using an SRX as an NTP server
I have this working on an SRX300 without any issues, so it should be possible. Could you provide configuration snippets etc. for further analysis?
Output:
user@fw> show configuration system ntp
server X.X.X.X;
server Y.Y.Y.Y;

user@fw> show configuration security zones security-zone trust
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    ge-0/0/1.0;
}

user@fw> show configuration interfaces ge-0/0/1.0
family inet {
    address 10.1.95.1/24;
}

user@fw> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+ground.corbina.net 89.109.251.24    2 -  156 1024  377   89.243  -26.386   6.468
*time1.google.com   .GOOG.           1 - 1002 1024  377   22.236    1.868   0.253
From an internal switch on 10.1.95.0/24:
user@sw> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.95.1        216.239.35.0     2 -  611 1024  377    2.795   -5.618   2.879
{master:0}
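The working configuration above and the failing one in the question differ only in which address the client is pointed at, so the useful test is a single NTP request aimed at that address with a short timeout, independent of the client's ntpd and its polling interval. The probe below is an added example, not code from the thread: it builds an NTPv4 client packet, decodes the reply, distinguishes a silent timeout from a kiss-o'-death refusal, and computes the offset and round-trip delay that `show ntp associations` reports. Timestamps, the placeholder target address 10.1.95.1 and the reply used in the self-check are constructed.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)


def build_request(now=None):
    """48-byte NTPv4 client packet: LI=0, VN=4, mode=3, transmit timestamp = now."""
    if now is None:
        now = time.time()
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * (1 << 32))
    pkt = bytearray(48)
    pkt[0] = 0x23                       # 0b00_100_011: leap 0, version 4, mode 3 (client)
    struct.pack_into("!II", pkt, 40, secs, frac)
    return bytes(pkt)


def _to_unix(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def parse_response(pkt):
    """Decode the header and the originate/receive/transmit timestamps of a reply."""
    if len(pkt) < 48:
        raise ValueError(f"short NTP packet ({len(pkt)} bytes)")
    li_vn_mode, stratum, poll, precision = struct.unpack_from("!BBbb", pkt, 0)
    ref_id = pkt[12:16]
    orig_s, orig_f, recv_s, recv_f, xmit_s, xmit_f = struct.unpack_from("!IIIIII", pkt, 24)
    return {
        "leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        # stratum 0 (kiss-o'-death) and 1 carry an ASCII code (e.g. RATE, GOOG);
        # higher strata carry the upstream server's IPv4 address
        "ref_id": ref_id.decode("ascii", "replace") if stratum < 2
                  else ".".join(str(b) for b in ref_id),
        "originate": _to_unix(orig_s, orig_f),
        "receive": _to_unix(recv_s, recv_f),
        "transmit": _to_unix(xmit_s, xmit_f),
    }


def offset_delay(t1, t2, t3, t4):
    """Clock offset and round-trip delay from the four timestamps (RFC 5905 section 8)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def probe(server, port=123, timeout=2.0):
    """Send one request; None means no reply inside the timeout (the symptom in the
    question), otherwise the server's stratum, reference id, offset and delay."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, port))
        try:
            data, _peer = s.recvfrom(512)
        except socket.timeout:
            return None
        t4 = time.time()
    r = parse_response(data)
    if r["mode"] != 4:
        raise ValueError(f"unexpected mode {r['mode']} in reply")
    if r["stratum"] == 0:
        raise ValueError(f"kiss-o'-death from server: {r['ref_id']}")
    off, delay = offset_delay(t1, r["receive"], r["transmit"], t4)
    return {"stratum": r["stratum"], "ref_id": r["ref_id"], "offset": off, "delay": delay}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.1.95.1"   # placeholder address
    print(probe(target) or f"no reply from {target} within timeout")
```

Run it once against the interface address that works and once against the lo0.0 address: a reply from one and a timeout from the other, with the firewall logs showing the packet accepted, narrows the question to what the box does after the host-inbound check rather than to filters or policy.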
Order - Removing SRX Route Based VPN Config
Hello all,
I've done a bit of research and I see conflicting answers and solutions to this activity, so I figured to ask again.
I'm looking for the correct order when removing a full-blown SRX VPN config. Some solutions advise removing the config starting from Phase 1/2, then routes, zones, and then interfaces. Other solutions recommend the opposite: remove the bindings, interfaces, zones, routes and then the Phase 1/2 configs.
Does anyone have the correct order that won't cause issues on commit check?
My full config is sectioned and consists of:
Tunnel Interfaces (st0) Unit Inet Config
IKE & IPSEC Proposals/Policies/Gateways
Security Zones Defined
Routing Instances (VRF) - Static Routes
Thanks!
J
Re: Order - Removing SRX Route Based VPN Config
Hello J,
This can be thought of in terms of dependencies of one configuration part on another. In Junos, you will not be able to remove a section that is referred to in other parts of the configuration.
Let's take a look at the sections in your configuration and try to identify the reference points:-
1. Tunnel Interfaces (st0) Unit Inet Config
=> It does NOT refer to any other section. Therefore, deleting other sections has NO impact on this section. But it may be referred to in "security ipsec vpn", routing-options and security zones.
2. a ) IKE (Proposals/Policies/Gateways )
=> IKE refers to the external-interface name in the gateway. Other than that, the gateway refers to the IKE policy and the IKE policy refers to the IKE proposals.
b ) IPSEC (Proposals/Policies/VPN)
=> The IPsec VPN hierarchy refers to the st0 interface and the IKE gateway. The policy/proposal hierarchies have the same references as IKE.
3. Security Zones Defined
=> Security zones are generally referred to in security policies and NAT rules.
4. Routing Instances (VRF) - Static Routes
=> Routing instances and their static routes refer to interfaces (like st0.0) or next-hops. But they are not referred to in any other configuration parts. Therefore deleting them should be one of the easiest things, but note that it will change the routing table on the device.
Based on the above understanding, I would consider the following : -
- Delete IKE/IPsec as they are NOT referred to anywhere else. If you are deleting one stanza at a time and committing, start in the following order:
- Delete IPSEC VPN first.
- Delete IKE gateway second.
- You can delete rest of the IKE/IPSEC at your will as without the VPN/Gateway combination, the VPN is already down.
- Delete routing instances/static routes (referencing the st0 interface).
- Delete the security zone along with any policies and NAT rules referring to this security zone.
- Delete the st0 interface. (Assuming all the VPNs referring to this one are deleted.)
Hopefully I have not missed any section which you wanted to delete.
Thanks!
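The reply above is a dependency argument: a stanza can go only after everything that refers to it has gone. That is a topological sort of the "refers to" graph, and writing it down as code makes the ordering mechanical and catches the case the reply warns about, a kept stanza (a shared zone, the external interface) still pointing at something on the delete list. The script below is an added example, not from the thread; the stanza names (vpn-siteA, gw-siteA, vrf-siteA and so on) and the exact edges are hypothetical and mirror the references the reply lists.

```python
from collections import defaultdict

# Hypothetical VPN being torn down. Each key "refers to" the stanzas in its
# list, following the dependency walk in the reply above. Items in KEEP are
# shared with other VPNs and must survive.
REFERS_TO = {
    "security ipsec vpn vpn-siteA": [
        "interfaces st0 unit 0",
        "security ike gateway gw-siteA",
        "security ipsec policy ipsec-pol-siteA",
    ],
    "security ike gateway gw-siteA": [
        "security ike policy ike-pol-siteA",
        "interfaces ge-0/0/0 unit 0",            # external-interface, kept
    ],
    "security ike policy ike-pol-siteA": ["security ike proposal ike-prop-siteA"],
    "security ipsec policy ipsec-pol-siteA": ["security ipsec proposal ipsec-prop-siteA"],
    "routing-instances vrf-siteA": ["interfaces st0 unit 0"],
    "security zones security-zone vpn-siteA": ["interfaces st0 unit 0"],
    "security policies from-zone trust to-zone vpn-siteA": [
        "security zones security-zone vpn-siteA",
        "security zones security-zone trust",     # kept
    ],
    "security nat source rule-set trust-to-vpn-siteA": [
        "security zones security-zone vpn-siteA",
        "security zones security-zone trust",
    ],
    "interfaces st0 unit 0": [],
    "security ike proposal ike-prop-siteA": [],
    "security ipsec proposal ipsec-prop-siteA": [],
    "interfaces ge-0/0/0 unit 0": [],
    "security zones security-zone trust": [],
}

KEEP = {"interfaces ge-0/0/0 unit 0", "security zones security-zone trust"}


def deletion_order(refers_to, keep):
    """Order stanzas so every referrer is deleted before the stanza it refers to.

    Raises ValueError if a kept stanza refers to something being deleted (that
    commit would fail whatever the order) or if the references form a cycle.
    """
    deleting = {n for n in refers_to if n not in keep}
    for n in keep:
        for dep in refers_to.get(n, []):
            if dep in deleting:
                raise ValueError(f"{n!r} is kept but refers to {dep!r}")
    # Kahn's algorithm: in-degree = number of referrers still to be deleted
    referrers = defaultdict(int)
    for n in deleting:
        for dep in refers_to.get(n, []):
            if dep in deleting:
                referrers[dep] += 1
    ready = sorted(n for n in deleting if referrers[n] == 0)   # sorted for a stable result
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for dep in refers_to.get(n, []):
            if dep in deleting:
                referrers[dep] -= 1
                if referrers[dep] == 0:
                    ready.append(dep)
                    ready.sort()
    if len(order) != len(deleting):
        raise ValueError("reference cycle: these stanzas must go in one commit")
    return order


def delete_commands(order):
    """One 'delete' per stanza, in an order that survives a commit after each step."""
    return [f"delete {path}" for path in order]


if __name__ == "__main__":
    print("\n".join(delete_commands(deletion_order(REFERS_TO, KEEP))))
```

The step-by-step order only matters if you commit between deletes; commit check validates the resulting configuration as a whole, so all of the `delete` statements applied in a single candidate configuration commit cleanly regardless of order, as long as nothing kept still refers to a deleted stanza, which is exactly what the validation in `deletion_order` checks.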