Channel: All SRX Services Gateway posts

Re: Account Works in SSH but not HTTP after Firmware Upgrade


Thanks all, and sorry for the slow reply - didn't realize that J-Net didn't automatically subscribe you to threads you initiate.


lpaniagua - I've set my logging per your suggestion and found no other relevant messages than those that Pradeep posted earlier:

May 21 06:44:25  SRX100JS checklogin[3446]: warning: can't get client address: Bad file descriptor
May 21 06:44:25  SRX100JS checklogin[3446]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username juniper)

 

I would love to open a JTAC case, but don't believe that I can since the SRX100 is EOL.  Additionally, because of that fact, will future SRX firmware updates even support the SRX100?

 

I will be back onsite with this device Thursday and will be able to test downgrading the firmware then.  Do we know if this issue was present on version 12.1X46-D82?  We skipped a few versions, so cannot confirm.
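Added example, not part of the original post and not Juniper code: a small triage script that separates J-Web WEB_AUTH_FAIL events preceded by the checklogin "can't get client address" warning from failures that have no such warning. Treating that pairing as a marker of the post-upgrade symptom is an assumption drawn only from the two log lines quoted above; the third sample line is constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the post, plus one made-up
# failure (pid 3502) with no preceding warning, for contrast.
SAMPLE_LOG = """\
May 21 06:44:25  SRX100JS checklogin[3446]: warning: can't get client address: Bad file descriptor
May 21 06:44:25  SRX100JS checklogin[3446]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username juniper)
May 21 07:02:11  SRX100JS checklogin[3502]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username admin)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"checklogin\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
WARN = "can't get client address"
FAIL_RE = re.compile(r"^WEB_AUTH_FAIL: .*\(username (?P<user>[^)]+)\)")


def triage_web_auth_failures(log_text):
    """Split J-Web auth failures by whether the same checklogin process
    (same host and pid) logged the client-address warning first."""
    warned = set()                      # (host, pid) pairs that logged the warning
    result = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # not a checklogin line
        key = (m["host"], m["pid"])
        if WARN in m["msg"]:
            warned.add(key)
            continue
        fail = FAIL_RE.match(m["msg"])
        if fail:
            # Assumption: warning + failure from one pid = the symptom in the post
            bucket = "with_warning" if key in warned else "plain_failure"
            result[bucket].append((m["ts"], m["host"], fail["user"]))
    return dict(result)


if __name__ == "__main__":
    for bucket, events in triage_web_auth_failures(SAMPLE_LOG).items():
        for ts, host, user in events:
            print(f"{bucket:14} {ts} {host} user={user}")
```

Failures in the plain_failure bucket are the ones worth reviewing as ordinary bad-credential attempts against the web interface.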


Re: Zone_Communication


Hi Shaan,

 

"""from 192.168.1.254 it should reach 192.168.4.254 as 192.168.2.2 and when 192.168.4.254 tries to reach 192.168.2.2 it should then NAT to 192.168.1.254 """


I understand you want source NAT when initiating the traffic from 192.168.1.254 so that it reaches 192.168.4.254, AND destination NAT when 192.168.4.254 tries to reach 192.168.2.2.


If you apply MIP on eth0/5 of ConnectorSSG then source NAT will not trigger correctly. Try applying the appropriate MIP on UntrustSSG (Eth0/0).


1: set interface "ethernet0/0" mip 192.168.2.2 host 192.168.1.254 netmask 255.255.255.255

2: Call MIP in appropriate security policy.

 

Thanks,

Vikas

 

 

Cannot wipe SRX240


Hey J-Net Community,

 

Having a problem when trying to completely wipe the config. I have held the reset button for 15 seconds and longer and have rebooted the device and cannot get the SRX240 to completely wipe. I am still locked out by the password. Any suggestions? 

Re: Cannot wipe SRX240


Else, 

 

If you still wish to go the reset path, the check to see if the reset is successful is the Status LED. Is the Status LED amber in your case?

 

Quote from Juniper Documentation:-

"Pressing and holding the RESET CONFIG button for 15 seconds or more—until the Status LED is solid amber "

 

Regards,

Rahul

Re: Cannot wipe SRX240


loader> boot -s
can't load '/kernel'
can't load '/kernel.old'
no bootable kernel

 

This is the output I am getting. 

Re: Cannot wipe SRX240


@rahulverma, I did this. The LED turns amber and then transitions back to green. I am still required to put in the password, which I do not know.


 wrote:

Else, 

 

If you still wish to go the reset path, the check to see if the reset is successful is the Status LED. Is the Status LED amber in your case?

 

Quote from Juniper Documentation:-

"Pressing and holding the RESET CONFIG button for 15 seconds or more—until the Status LED is solid amber "

 

Regards,

Rahul


 

MTU filter revisited...

I have implemented an MTU filter at value 1522, as such:

firewall {
    filter 1522mtu {
        term 1 {
            from {
                packet-length 1522-1522;
            }
            then {
                count 1522mtu_DROP;
                discard;
            }
        }
        term 2 {
            then accept;
        }
    }
}

My questions are these...

1. Will adding a third term help me in terms of round trip improvement? I want to make the filter more redundant but I realize that adding another term will divide the filter even more, into three parts.

The reason I want to do this is because of anomalous behavior at value 1522.

2. I have set a range in my code block, but if I set a single value will that change behavior closer to the needed behavior?

How do you boot from usb from => mode?


It appears the JUNOS image is missing. I have downloaded another JUNOS image from a healthy SRX240. However, I cannot figure out how to boot from USB and save the new JUNOS image from the mode I am in "=>"

 

Thank you for your help,

 

Re: How do you boot from usb from => mode?


You are in the U-Boot prompt. I think you pressed the SPACE key during autoboot and hence you are in that prompt. Reboot the device, boot into the loader prompt and then try to recover from USB:

Reboot the device.
The following message appears:

Loading /boot/defaults/loader.conf

After this message appears, you see the following prompt:

Hit [Enter] to boot immediately, or space bar for command prompt.

Press the space bar to access the loader prompt (loader>).
The loader> prompt appears. Enter:

loader> install file:///<image-path-on-usb>

An example of a command is as follows:

loader> install file:///junos-srxsme-10.0R2-domestic.tgz
 

Reference:
https://www.juniper.net/documentation/en_US/junos12.1x44/topics/task/installation/security-junos-os-boot-loader-usb-storage-device-srx-series-device-installing.html
https://www.juniper.net/documentation/en_US/junos/topics/task/installation/security-junos-os-tftp-srx-series-device-installing.html

 

Re: How do you boot from usb from => mode?


Hi, Matt

 

I am assuming you already tried the "reset" or "boot" commands and you reached the same prompt; if not, please try them.

If the SRX is getting stuck in U-Boot (not even reaching the Loader) you could try the steps mentioned in the following KB in order to upgrade/reinstall the Loader, and maybe after that you could try to recover the device with a USB drive from the Loader:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB14175

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30427&cat=SRX_110&actp=LIST

 

A different person tried this already and it worked:

 

https://forums.juniper.net/t5/SRX-Services-Gateway/Recovery-issue-help-using-u-boot/td-p/217897

 

Also you can try, from u-boot, to boot from the secondary partition of your SRX:

 

https://thorsten-on-tech.blog/2013/11/13/recover-juniper-srx-from-failed-boot/

 

I've also seen the "setenv bootloader usb1:0" command in a couple of forums, however I'm not sure about how to use it, maybe you can research more about it; it seems to work with a USB stick:

 

https://www.reddit.com/r/Juniper/comments/9cutat/ex3400_stuck_in_uboot_loader/

https://forums.juniper.net/t5/Junos/Juniper-EX3400-stuck-in-boot-loop-after-upgrade/td-p/307064

https://lists.gt.net/nsp/juniper/66012

 

Also, you could try creating a snapshot from a working SRX onto a USB drive, inserting it in the faulty SRX and having it boot from this USB:

 

https://www.juniper.net/documentation/en_US/junos/topics/example/security-boot-device-srx-series-device-configuring.html#jd0e168

 

I hope the above info helps you, please let us know.

 

 

 

 

Re: Account Works in SSH but not HTTP after Firmware Upgrade

Hi, this is confirmed to be an issue with Software; for now there are no workarounds other than a Software fix. I just checked by downgrading to 12.1X46-D82 and can confirm that we do not have this issue (not able to log in to J-web) in D82. With 12.1X46-D82, J-web works.

Re: Jweb Incorrect user/password after Junos upgrade on SRX


This is confirmed to be an issue with Software; for now there are no workarounds other than a Software fix.

In the previous version (12.1X46-D82), we do not have this issue and could log in to J-web.

Re: Zone_Communication


Can you share the configuration on your SSG?

 

What happens if you try to ping between the real IP addresses: 192.168.4.254 and 192.168.1.254? Does it work (assuming you have the routes configured as well)? I'm just trying to isolate any other issues in between.

 

I can see that you have IP address 192.168.2.1 configured on the SSG's eth0/3 interface. Unless you are using it for a different purpose, it is not necessary for these communications. Can you delete it?

 

 


Re: Account Works in SSH but not HTTP after Firmware Upgrade


pcamis,

 

You are right, that Junos version is EoL and the SRX model as well, so I don't expect Engineering to work on this, or at least we could not demand it. As confirmed, you can move to the previous version where the problem is not showing.

 

Regarding the syslog file commands I shared previously, it wasn't for logging purposes. I saw one case (in a high-end SRX) where they were facing the same problem and the workaround was to upgrade to the faulty version again, then configure the messages log file in the way I specified and commit the configuration. After this they were able to access via J-Web. I know it doesn't make sense but that's what a bug is all about. Maybe you can try your luck with these steps.

 

I hope this gets resolved.

 

Re: MTU filter revisited...


Hi Eugene,

 

I'm not sure I understand what you mean with "Will adding a third term help me in terms of round trip improvement?", can you elaborate further?

 

I don't think there is a way to know how much time it takes for a filter to process a packet but I can tell it is very very fast, to the point that I don't think you will notice the difference. I could think of a test like this:

 

PC_A------------SRX----------PC_B

 

You can try 10000 pings from PC_A to PC_B and check the statistics:

 

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=71ms TTL=55
Reply from 8.8.8.8: bytes=32 time=67ms TTL=55
Reply from 8.8.8.8: bytes=32 time=67ms TTL=55
Reply from 8.8.8.8: bytes=32 time=61ms TTL=55

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 61ms, Maximum = 71ms, Average = 66ms

Then you can apply the filter, try the test again and check the statistics. You can also add more terms and test if you see a considerable difference in the times.

 

Regarding the fact that you used a range on the matching criteria, I don't think it will make any difference if you use a single value, but if that's an option, I will go with the fixed value instead of the range.

 

I hope I was able to help you a bit.

 

 

srx4600 cluster connected direct to mx10003 pair


Hi experts,

The customer wants to connect their new srx4600 cluster directly to a pair of mx10003 (not via a switch layer).

The only working solution I can see is to create a bridge domain + VRRP on both mx10003, and thus get the switch function as needed.

Is there another way to solve it?

 

Thanks Niklas

Re: Account Works in SSH but not HTTP after Firmware Upgrade


Had the same issue after upgrading to junos-srxsme-12.1X46-D86-domestic.tgz on a SRX210BE. Downgraded to junos-srxsme-12.1X46-D82-domestic.tgz problem fixed. I can now access the web interface.
