Channel: All SRX Services Gateway posts

Re: SRX Syslogging to TCP


Hi,

Since this is processed by the PFE we have limited visibility into the traffic sent, although there are a few commands you can run to check the rtlog status.

Since this is TCP I would start by looking at the sockets (netstat -an) on the server to see if there are any open / half-open connections from the firewall's source IP. Any intermediary devices will also help validate that the firewall is indeed sending the stream.

Regards,

Vikas


Re: SRX Syslogging to TCP


Hi All

I got the problem resolved and it's sending security logs over TCP very nicely.

The issue was that the device did not have NTP configured and was 40 minutes ahead, so the logging system was not sure what to do and dropped the connection.

As soon as NTP was set up the logs started to come through properly.

Thanks for your help on this
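The failure mode in the post above, as an added example (not code from the thread and not Juniper's): a collector that parses the timestamp of each Junos structured-data syslog record (RFC 5424) and flags a sender whose clock is far off, instead of silently tearing down the TCP session. The hostname `SRX`, the `MAX_SKEW` tolerance and the sample records are constructed for illustration.

```python
"""Clock-skew check for Junos structured-data syslog (RFC 5424) over TCP.

Added example for this thread, not Juniper code. A collector that parses
each record's timestamp can flag a sender that is 40 minutes ahead (the
missing-NTP case above) instead of silently dropping the TCP session.
The hostname 'SRX', MAX_SKEW and the sample lines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)

MAX_SKEW = timedelta(minutes=5)   # assumed collector tolerance


def parse_line(line):
    """Return the header fields of one RFC 5424 line; ValueError if malformed."""
    m = _HDR.match(line)
    if not m:
        raise ValueError("not an RFC 5424 record")
    rec = m.groupdict()
    # Junos writes e.g. 2019-05-18T11:01:19.123Z; fromisoformat wants +00:00
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def classify(line, now):
    """Return (verdict, skew_seconds): verdict is 'ok', 'skewed' or 'malformed'."""
    try:
        rec = parse_line(line)
    except ValueError:
        return "malformed", 0
    skew = rec["ts"] - now
    return ("skewed" if abs(skew) > MAX_SKEW else "ok"), int(skew.total_seconds())


def audit(lines, now):
    """Tally verdicts for a batch; a real collector would keep this per TCP session."""
    counts = {"ok": 0, "skewed": 0, "malformed": 0}
    for line in lines:
        verdict, _ = classify(line, now)
        counts[verdict] += 1
    return counts


# Constructed sample: one record stamped ~40 min ahead of the collector,
# one in sync, one line of garbage.
SAMPLE = [
    '<14>1 2019-05-18T11:01:19.123Z SRX RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="10.1.1.5" destination-address="10.1.2.7" '
    'protocol-id="6"] session created',
    '<14>1 2019-05-18T10:21:35.000Z SRX RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN"] session closed',
    'not a syslog line at all',
]
COLLECTOR_NOW = datetime(2019, 5, 18, 10, 21, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line, COLLECTOR_NOW))
    print(audit(SAMPLE, COLLECTOR_NOW))
```

Whatever the collector does with a skewed record (accept it with a warning, re-stamp it with arrival time, or reject it), the decision should be logged per sender; a receiver that just closes the socket, as in the post, leaves the firewall side showing nothing useful.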

Re: NTP Polling Frequency


Yes this is an old post but I'm still struggling with finding a solution. Any suggestions? And yes, I realize the SRX-210 is end of life but hey, if it ain't broke... And it's just running my home network.

Thanks!

Re: SRX210HE2 + VDSL PIM... Amazon Prime+NowTv not working.


To cut a long story short, I've configured the MSS to be 1300 - and this has made things work.

To my mind, MSS should be MTU-40 (20+20) = 1452 - which is what it was set at.

What I've *not* done is any testing to see if a larger value will work - when I do, I will update this page.

(But VDSL2 MTU should be 1514 if I've read Juniper's own docs correctly - so in theory MSS should be 1464??)

(The old ISP-supplied router had the MTU at 1492.... what a lot of confusion.)

Re: SRX chass cluster and E4300 and cisco switches integration (Etherchannel)


I am considering running NIC teaming on the NAS, but I am concerned about this: can I use the same IP address with two NICs?

Or do I not need to run EtherChannel on the E4300 for the NAS?

> Is your reth0 interface tagged with any vlan-id?

=> The reth0 interface is not tagged with any vlan-id.

I configured the SRX as below. But I cannot ping from the NAS to the server or from the server to the NAS even though I created an any-to-any access rule. So I thought my design is wrong.

 

set interfaces xe-0/0/16 gigether-options redundant-parent reth1
set interfaces xe-0/0/17 gigether-options redundant-parent reth1
set interfaces xe-0/0/18 gigether-options redundant-parent reth0
set interfaces xe-7/0/16 gigether-options redundant-parent reth1
set interfaces xe-7/0/17 gigether-options redundant-parent reth1
set interfaces xe-7/0/18 gigether-options redundant-parent reth0
set interfaces fab0 fabric-options member-interfaces ge-0/0/11
set interfaces fab1 fabric-options member-interfaces ge-7/0/11
set interfaces fxp0 unit 0 family inet
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
set interfaces reth1 unit 0 family inet address 10.1.1.2.1/24
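Before chasing switch-side trunking, it is worth running the posted set-commands through a quick consistency check. The script below is an added example (not Juniper's and not from the thread): it reads set-style lines and flags a reth whose member links sit on a single FPC, a reth without a redundancy-group, `lacp passive` (the switch end must then be active), an address that is not a valid IPv4 prefix, and L3 units whose subnets overlap. `CONFIG` is the configuration from the post, kept verbatim, so the checker has something real to find.

```python
"""Sanity-check a Junos chassis-cluster 'set' config for reth mistakes.

Added example for this thread, not a Juniper tool. It reads set-style
lines and flags: a reth whose members sit on a single FPC (so no
node-level redundancy), a reth with no redundancy-group, 'lacp passive'
(the switch end must then be active), an address that is not a valid
IPv4 prefix, and L3 units whose subnets overlap. CONFIG is the posted
configuration, kept verbatim so the checker has something to find.
"""
import ipaddress
import re
from collections import defaultdict

CONFIG = """
set interfaces xe-0/0/16 gigether-options redundant-parent reth1
set interfaces xe-0/0/17 gigether-options redundant-parent reth1
set interfaces xe-0/0/18 gigether-options redundant-parent reth0
set interfaces xe-7/0/16 gigether-options redundant-parent reth1
set interfaces xe-7/0/17 gigether-options redundant-parent reth1
set interfaces xe-7/0/18 gigether-options redundant-parent reth0
set interfaces fab0 fabric-options member-interfaces ge-0/0/11
set interfaces fab1 fabric-options member-interfaces ge-7/0/11
set interfaces fxp0 unit 0 family inet
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.1.1.1/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
set interfaces reth1 unit 0 family inet address 10.1.1.2.1/24
"""

_MEMBER = re.compile(r"^set interfaces (\S+) gigether-options redundant-parent (reth\d+)$")
_GROUP = re.compile(r"^set interfaces (reth\d+) redundant-ether-options redundancy-group \d+$")
_PASSIVE = re.compile(r"^set interfaces (reth\d+) redundant-ether-options lacp passive$")
_ADDR = re.compile(r"^set interfaces (reth\d+) unit (\d+) family inet address (\S+)$")


def fpc_of(ifname):
    """'xe-7/0/16' -> 7; in a cluster the FPC slot tells you which node it is."""
    return int(ifname.split("-", 1)[1].split("/")[0])


def lint(config):
    """Return a list of findings (strings); empty means nothing caught."""
    members = defaultdict(set)    # reth -> FPC slots of its member links
    grouped, passive = set(), set()
    nets = {}                     # "rethN.U" -> IPv4Interface
    findings = []
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = _MEMBER.match(line)
        if m:
            members[m.group(2)].add(fpc_of(m.group(1)))
            continue
        m = _GROUP.match(line)
        if m:
            grouped.add(m.group(1))
            continue
        m = _PASSIVE.match(line)
        if m:
            passive.add(m.group(1))
            continue
        m = _ADDR.match(line)
        if m:
            unit = f"{m.group(1)}.{m.group(2)}"
            try:
                nets[unit] = ipaddress.IPv4Interface(m.group(3))
            except ValueError:          # AddressValueError is a ValueError
                findings.append(f"{unit}: invalid address {m.group(3)!r}")
    for reth, fpcs in sorted(members.items()):
        if len(fpcs) < 2:
            findings.append(f"{reth}: members only on FPC {sorted(fpcs)}, no node redundancy")
        if reth not in grouped:
            findings.append(f"{reth}: no redundancy-group, will not fail over")
        if reth in passive:
            findings.append(f"{reth}: lacp passive, the switch side must be lacp active")
    units = sorted(nets)
    for i, a in enumerate(units):
        for b in units[i + 1:]:
            if nets[a].network.overlaps(nets[b].network):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
```

On the posted lines it reports the malformed reth1 address and the passive LACP setting. If that address were, hypothetically, 10.1.1.2/24, the checker would instead report that reth0.0 and reth1.0 share 10.1.1.0/24, which is a different reason pings between the two zones would fail.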

 

Re: SRX chass cluster and E4300 and cisco switches integration (Etherchannel)

Are you able to ping server and NAS from SRX?

Jweb Incorrect user/password after Junos upgrade on SRX


I have recently upgraded the Junos on my SRX to JUNOS 12.1X46-D86 built 2019-04-04 and ever since I have not been able to log back into J-Web. I can get to the login page, but when I try the credentials I use to log in to SSH it keeps telling me incorrect username and password. I have tried factory resetting the device, as well as zeroizing the system, with no luck. I am afraid I will have to uninstall J-Web and reinstall it; the problem with that is I am not able to find the J-Web software for an SRX due to the EOL. Any help on this would be greatly appreciated.

Re: SRX chass cluster and E4300 and cisco switches integration (Etherchannel)

I cannot ping now and still troubleshooting.
Another problem is I cannot use jweb from management fxp.

Re: SRX chass cluster and E4300 and cisco switches integration (Etherchannel)

Is it possible to share the full SRX config?

Re: Jweb Incorrect user/password after Junos upgrade on SRX

Are you able to login via ssh using same credentials?

Re: slow response of APP


1. Not all branches are experiencing the same issue, only a few.

2. Branches use a URL for the APP which is resolved by DNS.

3. The APP is on a server (at the DataCentre) which is behind a NATted IP as per the scenario below:

Branch side SRX320-------------------------> DataCentre side SRX1500

Branch side VPN  local ip 10.3.xx.xx  remote ip 192.168.xx.xx

Destination NAT used on DC side SRX1500

10.3.xx.xx --------->192.168.xx.xx -------NAT to pool  10.40.xx.xx-

 

Re: Jweb Incorrect user/password after Junos upgrade on SRX


Hello CCollins,

 

As per my knowledge, SRX never had a separate jweb package.

It should already be included in the JunOS.

 

I am assuming that you are able to ssh into the device. 

 

Please check the interfaces configuration under "system services web-management http/https" .

 

It will be helpful if you can share the relevant section of the configuration.

 

Thanks!

 

 

Re: VPN to 2 Branches with same IP net

Was this ever resolved as I have the same issue.

Re: SRX chass cluster and E4300 and cisco switches integration (Etherchannel)


Dear All,

Please see the attachment below. I am using fiber links to connect the switches and the firewall.

I tried my best. I got the error below.

When I assign access mode on the Cisco switch, my server can reach the firewall, but if I change both Ten 1/1/1 and 1/1/2 to trunk ports, the server cannot reach the firewall.

  • So let me know, do I need to change reth0 to trunk also?

The NAS Junos switches cannot reach the firewall. When I check the EtherChannel, it is OK.

But I cannot reach the firewall's reth1 from the NAS switch.

  • So do I need to assign trunk on ae0 and ae1?

Do I need to trunk reth1?

Now I assign IP addresses to both reth1 and reth0.

Let me know, even though I didn't use EtherChannel (I removed two cables), should it be OK?

 

 

Re: SRX chass cluster and E4300 and cisco switches integration (Etherchannel)


1. There is no need to configure a trunk between the SRX and the Cisco switch since you have only one VLAN.

2. Allow the NAS VLAN on the ae0 and ae1 interfaces of the EX switch. There is no need to configure a trunk between the SRX and the EX switch since you have only one VLAN.

set interfaces ae0 unit 0 family ethernet-switching vlan members NAS
set interfaces ae1 unit 0 family ethernet-switching vlan members NAS

 

3. reth0 is part of trust security zone and reth1 is part of NAS-NET security zone. There is no security policy configured trust to NAS-NET to allow the traffic from Server to NAS. Configure policy:

 

set policies from-zone trust to-zone NAS-NET policy default-permit match source-address any
set policies from-zone trust to-zone NAS-NET policy default-permit match destination-address any
set policies from-zone trust to-zone NAS-NET policy default-permit match application any
set policies from-zone trust to-zone NAS-NET policy default-permit then permit


Re: Jweb Incorrect user/password after Junos upgrade on SRX


Hi,

 

I see the same issue on an SRX running 12.1X46-D86. After upgrade, J-Web login fails, while SSH works fine. J-Web shows the following message: "Invalid username or password specified", both for root as well as non-root user login attempts.

May 18 10:21:19  SRX checklogin[1806]: warning: can't get client address: Bad file descriptor
May 18 10:21:19  SRX checklogin[1806]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username root)
May 18 10:21:35  SRX checklogin[1810]: warning: can't get client address: Bad file descriptor
May 18 10:21:35  SRX checklogin[1810]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username pradeep)
May 18 10:22:08  SRX sshd[1813]: unlink(): failed to delete .perm file: No such file or directory
May 18 10:22:08  SRX sshd[1811]: Accepted keyboard-interactive/pam for pradeep  from 10.10.10.1 port 54074 ssh2
May 18 10:22:11  SRX mgd[1816]: UI_AUTH_EVENT: Authenticated user 'pradeep' at permission level 'j-operator'

Seems to be an issue with this particular Junos version. Will update this thread later if there is any fix.
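The log excerpt above is exactly the pattern worth detecting automatically: the same user fails at J-Web (`WEB_AUTH_FAIL`) and then authenticates fine over SSH/CLI (`sshd Accepted`, `UI_AUTH_EVENT`) moments later, which says the credentials are good and the web authentication path is what is broken; a user with only web failures is a different story and may be credential guessing. The script below is an added example (not Juniper code and not from the thread) that makes that distinction over the posted lines plus three constructed `admin` failures. BSD-style Junos syslog omits the year, so one is assumed.

```python
"""Correlate J-Web login failures with CLI/SSH successes per user.

Added example for this thread, not Juniper code. It parses classic
Junos syslog lines like the ones quoted above, pairs each WEB_AUTH_FAIL
with a UI_AUTH_EVENT or sshd 'Accepted' for the same user within WINDOW,
and separates 'credentials work elsewhere, so the web auth path is
broken' from 'web failures only, treat as possible guessing'. The year
is assumed (the format omits it); the 'admin' lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2019
WINDOW = timedelta(minutes=2)

_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
_WEB_FAIL = re.compile(
    _TS + r" +\S+ checklogin\[\d+\]: WEB_AUTH_FAIL: .*\(username (?P<user>[^)]+)\)")
_CLI_OK = re.compile(
    _TS + r" +\S+ mgd\[\d+\]: UI_AUTH_EVENT: Authenticated user '(?P<user>[^']+)'")
_SSH_OK = re.compile(
    _TS + r" +\S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) +from (?P<ip>\S+)")


def _when(stamp):
    """BSD syslog timestamps carry no year, so YEAR is assumed."""
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def correlate(lines):
    """Map each user with web failures to (verdict, number_of_web_failures)."""
    fails, oks = defaultdict(list), defaultdict(list)
    for line in lines:
        m = _WEB_FAIL.search(line)
        if m:
            fails[m.group("user")].append(_when(m.group("ts")))
            continue
        for pat in (_CLI_OK, _SSH_OK):
            m = pat.search(line)
            if m:
                oks[m.group("user")].append(_when(m.group("ts")))
                break
    verdicts = {}
    for user, when_failed in fails.items():
        # a success by the same user shortly AFTER a web failure proves the creds
        paired = any(
            timedelta(0) <= ok - failed <= WINDOW
            for failed in when_failed
            for ok in oks.get(user, [])
        )
        verdict = "creds-valid-elsewhere" if paired else "web-failures-only"
        verdicts[user] = (verdict, len(when_failed))
    return verdicts


# First six lines are the ones quoted in the post; the 'admin' lines are constructed.
SAMPLE = [
    "May 18 10:21:19  SRX checklogin[1806]: warning: can't get client address: Bad file descriptor",
    "May 18 10:21:19  SRX checklogin[1806]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username root)",
    "May 18 10:21:35  SRX checklogin[1810]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username pradeep)",
    "May 18 10:22:08  SRX sshd[1813]: unlink(): failed to delete .perm file: No such file or directory",
    "May 18 10:22:08  SRX sshd[1811]: Accepted keyboard-interactive/pam for pradeep  from 10.10.10.1 port 54074 ssh2",
    "May 18 10:22:11  SRX mgd[1816]: UI_AUTH_EVENT: Authenticated user 'pradeep' at permission level 'j-operator'",
    "May 18 10:30:01  SRX checklogin[1900]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username admin)",
    "May 18 10:30:04  SRX checklogin[1901]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username admin)",
    "May 18 10:30:07  SRX checklogin[1902]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username admin)",
]

if __name__ == "__main__":
    for user, result in sorted(correlate(SAMPLE).items()):
        print(user, result)
```

The `warning: can't get client address` line is why the web failures carry no source IP; the SSH success line does, so when the verdict is `web-failures-only` the SSH log is still the place to look for where the attempts are coming from.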

 

 

Re: SRX chass cluster and E4300 and cisco switches integration (Etherchannel)


Hi,

Thanks. I already added rules for that traffic, but my NAS cannot reach the FW's reth1.

So I thought something in my config is wrong.

Even when I plug my laptop into the EX switch and ping the FW, my laptop cannot reach the firewall. I already added host-inbound-traffic in the firewall.

 

SRX100 virtual instances routing to "wan"


Hello,

I've set up 3 virtual instances on an SRX running OSPF between them and it works fine. I have 1 instance with a physical interface which connects to another router for WAN access (fe-0/0/0 has an IP from the 192.168.0.0/24 subnet).

I can ping 8.8.8.8 from routing-inst1 which has the interface on it.

I've then added a static route 0.0.0.0/0 next hop 192.168.0.1 and propagated it to OSPF.

I can ping the OSPF links between routers but I cannot ping 8.8.8.8 from routing-inst2 or 3.

I'm using the SRX in packet forwarding mode.

So what I'm trying to achieve is that I can ping the WAN from any routing instance. There must be something I'm missing.

Below is my config:

interfaces {
    fe-0/0/0 {
        unit 0 {
            description p2p-to-upstream;
            family inet {
                address 192.168.0.100/24;
            }
        }
    }
    lt-0/0/0 {
        unit 0 {
            description "p2p-route-inst2-lt-0/0/0.1";
            encapsulation ethernet;
            peer-unit 1;
            family inet {
                address 10.10.10.1/30;
            }
        }
        unit 1 {
            description "p2p-route-inst1-lt-0/0/0.0";
            encapsulation ethernet;
            peer-unit 0;
            family inet {
                address 10.10.10.2/30;
            }
        }
        unit 2 {
            description "p2p-route-inst3-lt-0/0/0.3";
            encapsulation ethernet;
            peer-unit 3;
            family inet {
                address 10.10.10.5/30;
            }
        }
        unit 3 {
            description "p2p-route-inst2-lt-0/0/0.2";
            encapsulation ethernet;
            peer-unit 2;
            family inet {
                address 10.10.10.6/30;
            }
        }
        unit 4 {
            description "p2p-route-inst1-lt-0/0/0.5";
            encapsulation ethernet;
            peer-unit 5;
            family inet {
                address 10.10.10.9/30;
            }
        }
        unit 5 {
            description "p2p-route-inst3-lt-0/0/0.4";
            encapsulation ethernet;
            peer-unit 4;
            family inet {
                address 10.10.10.10/30;
            }
        }
    }
    lo0 {
        unit 1 {
            family inet {
                address 172.16.1.1/32;
            }
        }
        unit 2 {
            family inet {
                address 172.16.2.2/32;
            }
        }
        unit 3 {
            family inet {
                address 172.16.3.3/32;
            }
        }
    }
}
policy-options {
    prefix-list mgmt-prefix {
        192.168.0.0/24;
    }
    policy-statement export-routes {
        term export_dir_loc_con {
            from protocol [ direct local static ];
            then accept;
        }
    }
}
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}
firewall {
    family inet {
        filter mgmt {
            term ssh {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    source-prefix-list {
                        mgmt-prefix except;
                    }
                    protocol [ tcp udp ];
                    destination-port ssh;
                }
                then {
                    discard;
                }
            }
            term other {
                then accept;
            }
        }
    }
}
routing-instances {
    route-inst1 {
        description route-instance-1;
        instance-type virtual-router;
        interface fe-0/0/0.0;
        interface lt-0/0/0.0;
        interface lt-0/0/0.5;
        interface lo0.1;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.0.1;
            }
        }
        protocols {
            ospf {
                export export-routes;
                area 0.0.0.0 {
                    interface lt-0/0/0.0;
                    interface lt-0/0/0.5;
                }
            }
        }
    }
    route-inst2 {
        description route-instance-2;
        instance-type virtual-router;
        interface lt-0/0/0.1;
        interface lt-0/0/0.2;
        interface lo0.2;
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface lt-0/0/0.1;
                    interface lt-0/0/0.2;
                }
            }
        }
    }
    route-inst3 {
        description route-instance-3;
        instance-type virtual-router;
        interface lt-0/0/0.3;
        interface lt-0/0/0.4;
        interface lo0.3;
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface lt-0/0/0.3;
                    interface lt-0/0/0.4;
                }
            }
        }
    }
}

 

Re: SRX100 virtual instances routing to "wan"

When you ping from routing instances 2 and 3, the source address of the ping packets will be the IP address of the lt interfaces, which is in the 10.10.10.0 network. Your upstream will not have a route for the 10 network and NAT will not be performed by the upstream device. You may have to check the upstream device for route and NAT configuration for the 10 networks. Or change the SRX to flow mode and configure interface NAT on routing instance 1 for the 10 networks if you don't have control of the upstream device.

Re: SRX100 virtual instances routing to "wan"


Hello,

 

This makes sense. Could you please, if possible, provide me with an example of how I would configure NAT translation between zones?
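The reasoning in the reply two posts up, worked through as an added example (not Junos and not code from the thread): a toy longest-prefix-match walk over routing tables reconstructed from the posted config. The connected and OSPF-learned routes, the upstream router's table and the `internet` node are assumptions; `nat=True` models interface-based source NAT in `route-inst1` to fe-0/0/0's address, which the SRX only does in flow mode. The echo request from `route-inst2` reaches 8.8.8.8 either way; it is the reply, addressed to 10.10.10.2, that the upstream cannot route back.

```python
"""Why pings from route-inst2/3 reach 8.8.8.8 but never get a reply, and
what source NAT in route-inst1 changes.

Added example, not code from the thread and not Junos. It is a toy
longest-prefix-match walk over routing tables reconstructed from the
posted config (connected and OSPF-learned routes are assumed, as is the
upstream router's table). 'nat=True' models interface source NAT in
route-inst1 to fe-0/0/0's address, which the SRX only does in flow mode.
"""
from ipaddress import ip_address, ip_network

NAT_INSTANCE = "route-inst1"
NAT_IP = "192.168.0.100"        # fe-0/0/0.0 address from the posted config
MAX_HOPS = 12

# Each table: (prefix, next hop); a next hop is another table or "local".
TABLES = {
    "route-inst1": [
        ("192.168.0.100/32", "local"),
        ("10.10.10.0/30", "route-inst2"),     # connected, lt-0/0/0.0 <-> .1
        ("10.10.10.8/30", "route-inst3"),     # connected, lt-0/0/0.5 <-> .4
        ("172.16.2.2/32", "route-inst2"),     # OSPF
        ("172.16.3.3/32", "route-inst3"),     # OSPF
        ("192.168.0.0/24", "upstream"),       # connected on fe-0/0/0.0
        ("0.0.0.0/0", "upstream"),            # static, exported into OSPF
    ],
    "route-inst2": [
        ("10.10.10.2/32", "local"),
        ("172.16.2.2/32", "local"),
        ("10.10.10.4/30", "route-inst3"),
        ("0.0.0.0/0", "route-inst1"),         # OSPF-learned default
    ],
    "route-inst3": [
        ("10.10.10.6/32", "local"),
        ("172.16.3.3/32", "local"),
        ("0.0.0.0/0", "route-inst1"),
    ],
    "upstream": [                             # assumed: knows only its own LAN
        ("192.168.0.0/24", "route-inst1"),
        ("0.0.0.0/0", "internet"),
    ],
    "internet": [                             # assumed: anything else bounces back
        ("8.8.8.8/32", "local"),
        ("0.0.0.0/0", "upstream"),
    ],
}


def lpm(table, dst):
    """Longest-prefix match; None when nothing covers dst."""
    addr, best = ip_address(dst), None
    for prefix, nh in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def walk(start, dst, untranslate=None):
    """Follow next hops from `start`; untranslate=(nat_ip, real_ip) reverses NAT
    when the packet re-enters NAT_INSTANCE. Returns (hops, final destination)."""
    hops, node = [start], start
    for _ in range(MAX_HOPS):
        if untranslate and node == NAT_INSTANCE and dst == untranslate[0]:
            dst = untranslate[1]
        nh = lpm(TABLES[node], dst)
        if nh is None:
            hops.append("no-route")
            return hops, dst
        hops.append(nh)
        if nh == "local":
            return hops, dst
        node = nh
    hops.append("ttl-expired")
    return hops, dst


def round_trip(src_instance, src, dst, nat):
    """Send an echo request and its reply; report both paths and delivery."""
    req, _ = walk(src_instance, dst)
    translated = (nat and NAT_INSTANCE in req
                  and req[req.index(NAT_INSTANCE) + 1] == "upstream")
    reply_dst = NAT_IP if translated else src
    rep, final = walk("internet", reply_dst, (NAT_IP, src) if translated else None)
    return {"request": req, "reply": rep,
            "delivered": rep[-1] == "local" and final == src}


if __name__ == "__main__":
    for nat in (False, True):
        print("nat =", nat, round_trip("route-inst2", "10.10.10.2", "8.8.8.8", nat))
```

Without NAT the reply for 10.10.10.2 ping-pongs between the upstream and its provider until its TTL expires; with NAT it comes back to 192.168.0.100, is untranslated in route-inst1 and is delivered over the lt link. On the SRX itself that means switching to flow mode, putting the lt units into security zones with a policy between them, and a source NAT rule-set in route-inst1 that matches 10.10.10.0/24 and uses interface-based translation on fe-0/0/0, as the reply above suggests.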
