Channel: All SRX Services Gateway posts

Re: Can SRX series work with Shrew Soft VPN client?


Hi Spuluka,

Should I change the timings on both sides??? I mean on the SRX and in the VPN client...

I have tested this with many timings but the client is disconnected in all of cases.

Thanks.

David.


Re: srx4600 cluster connected direct to mx10003 pair


Hello Niklas,

An SRX4600 cluster is generally deployed to leverage the redundancy feature. The failovers on SRXs use GARPs to force the switching infrastructure to forward traffic to the new primary interfaces. Therefore, you would need the MX interfaces to act as a bridge.

I don't think you would need VRRP on the interfaces facing the SRX, as we only want a common L2 infrastructure.

I can think of 2 possible solutions:

1. When the MXs provide the L2 infrastructure.

E.g. assuming reth0 is a northbound interface on the SRX consisting of ge-0/0/0 from both nodes:

Node-0 (ge-0/0/0) ----- (ge-0/0/0) MX-1
Node-1 (ge-0/0/0) ----- (ge-0/0/0) MX-2
MX-1 (ge-0/0/1) ----- (ge-0/0/1) MX-2   <<<<<<<<<< This will act as a bridge port between the two MXs, extending the L2 domain.

In this case, ge-0/0/0 and ge-0/0/1 will be part of a single bridge domain. You may add an L3 interface to this bridge, which can act as a gateway for the SRX cluster.

2. This is a complex approach and may need careful design of the routing protocols. It uses routing protocols over 2 interfaces to do the failover, and all interfaces used are L3. This requires you to spend more IP addresses.

E.g. assuming reth0 on the SRX consists of ge-0/0/0 from Node-0 and reth1 on the SRX consists of ge-0/0/0 from Node-1. Note that both interfaces reth0 and reth1 are in the same direction (northbound).

Node-0 (ge-0/0/0) ----- (ge-0/0/0) MX-1
Node-1 (ge-0/0/0) ----- (ge-0/0/0) MX-2

Now you can establish IBGP/OSPF over the two interfaces reth0 and reth1, making one of them the preferred route.

Note that reth0 and reth1 would be placed in different RGs, where Node-0 is primary for reth0's RG and Node-1 is primary for reth1's RG.

You may like to put both reths in the same zone to avoid any drops due to an asymmetric return path.

You can extend the same logic to the rest of the interfaces.

I hope this helps!

Thanks!
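Option 1 from the reply above, written out as Junos set commands. This is an added example, not the poster's configuration and not a Juniper reference design. Assumed values: VLAN 100, subnet 10.0.0.0/24, MX-1 holding the gateway IRB at 10.0.0.1, reth0 on the SRX at 10.0.0.10, and node-1's member of reth0 shown as ge-7/0/0 (a placeholder; the renumbered node-1 port name depends on the chassis, check it with "show interfaces terse"). MX-2 mirrors MX-1's interface and bridge-domain statements without the IRB, so there is a single gateway; adding a second IRB with VRRP on MX-2 would be a separate design decision.

```junos
## ---- MX-1: bridge SRX node-0's port and the inter-MX link into one L2 domain ----
## Membership in the bridge domain is by VLAN tag; no VLAN is carried toward the SRX itself.
set interfaces ge-0/0/0 description "to SRX node-0 ge-0/0/0 (reth0 member)"
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 100
set interfaces ge-0/0/1 description "inter-MX bridge link to MX-2 ge-0/0/1"
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 100
set bridge-domains SRX-NORTH domain-type bridge
set bridge-domains SRX-NORTH vlan-id 100
## L3 gateway for the cluster lives on the bridge domain (assumed address)
set bridge-domains SRX-NORTH routing-interface irb.100
set interfaces irb unit 100 family inet address 10.0.0.1/24

## ---- MX-2: same ge-0/0/0 / ge-0/0/1 / bridge-domain statements as MX-1, minus irb.100 ----

## ---- SRX4600 cluster: reth0 spans ge-0/0/0 (node 0) and ge-7/0/0 (node 1, placeholder name) ----
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
## Interface monitoring is what turns a lost link toward an MX into the RG1 failover
## (and therefore the GARPs the reply describes); weight 255 fails over on a single link loss.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/0 weight 255
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-7/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.0.0.10/24
set security zones security-zone untrust interfaces reth0.0
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
```

After a failover, "show chassis cluster status" on the SRX and "show bridge mac-table" on the MXs should show reth0's MAC relearned behind the port facing the new primary node; if the MAC stays on the old port, the inter-MX trunk or the bridge-domain membership is the first thing to check.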

 

 

Re: IKEv2 traffic selector support


I understand that IKEv2 with traffic selectors is now possible, but I can't make it work. Please see the output from my FW. You can see that after I add the traffic-selector it tells me that I am missing statements that are clearly in the config. Have you encountered this? My box is an SRX4100 with 15.1X49-D150.2.

 

xxxxxxx# show | compare
[edit security ipsec]
    xxxxxxx { ... }
+   vpn xxxxxxxPH2_VPN {
+       bind-interface st0.xxxxxxx;
+       ike {
+           gateway xxxxxxx-PH1_Gateway;
+           ipsec-policy xxxxxxx-PH2_Policy;
+       }
+   }
+   vpn xxxxxxx-PH2-VPN {
+       traffic-selector xxxxxxx-Proxy1 {
+           local-ip xxxxxxx/32;
+           remote-ip xxxxxxxxxxxxxxxxxxxxx/32;
+       }
+       ## Warning: missing mandatory statement(s): 'manual' or 'ike'
+   }

xxxxxxx# commit check
[edit security ipsec vpn xxxxxxx-PH2-VPN]
  'traffic-selector'
    Bind-interface must be configured under [edit security ipsec vpn] hierarchy
[edit security ipsec]
  'vpn xxxxxxx-PH2-VPN'
    Missing mandatory statement: 'manual' or 'ike'
error: configuration check-out failed: (missing mandatory statements)

{primary:node0}[edit]
xxxxxxx#

Re: IKEv2 traffic selector support

There is a typo in the vpn name. Change PH2-VPN to PH2_VPN.

Re: IKEv2 traffic selector support


Hi Victor,

It seems you have made a typo.

The traffic selector is to be configured under the vpn name "xxxxxxxPH2_VPN",

but by mistake you have written the vpn name as "xxxxxxx-PH2-VPN".

You added "-" in place of "_", which led Junos to configure the traffic selector under a new VPN.

Delete the vpn statement xxxxxxx-PH2-VPN and configure the traffic selector under xxxxxxxPH2_VPN, which contains the ike config.

Regards,

Rahul
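The corrected hierarchy the two replies describe, as an added example (not the poster's config). The names keep the thread's xxxxxxx placeholders; the st0 unit number and the two /32 prefixes are placeholders chosen here. The point is that both errors in the commit check came from the same cause: a second vpn object was created by the mistyped name, and that object had neither bind-interface nor ike, so the traffic-selector had nothing to attach to.

```junos
## Remove the accidental second vpn object created by the "-" / "_" mix-up
delete security ipsec vpn xxxxxxx-PH2-VPN

## Attach the traffic selector to the vpn that already carries bind-interface and ike
set security ipsec vpn xxxxxxxPH2_VPN traffic-selector xxxxxxx-Proxy1 local-ip 192.0.2.10/32
set security ipsec vpn xxxxxxxPH2_VPN traffic-selector xxxxxxx-Proxy1 remote-ip 198.51.100.20/32

## Resulting stanza as "show security ipsec vpn xxxxxxxPH2_VPN" would display it
## (st0.1 and the prefixes are placeholders):
## vpn xxxxxxxPH2_VPN {
##     bind-interface st0.1;
##     ike {
##         gateway xxxxxxx-PH1_Gateway;
##         ipsec-policy xxxxxxx-PH2_Policy;
##     }
##     traffic-selector xxxxxxx-Proxy1 {
##         local-ip 192.0.2.10/32;
##         remote-ip 198.51.100.20/32;
##     }
## }
```

"commit check" should now pass without the "missing mandatory statement" and "Bind-interface must be configured" messages; if the tunnel still does not come up, "show security ipsec security-associations" lists one SA per traffic selector, which is a quick way to confirm the selector is actually negotiated.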

Automated configuration backup - SRX345

I would like to automate the backup of the active configuration file for an SRX345 so that it is sent to a remote FTP server. This should be done every 6 months (i.e. every 1st of June and every 1st of December) and be repeatable every year.
Manually getting the backup (i.e. by doing a commit) isn't desirable.
Any suggestions please? Thank you.

Re: Automated configuration backup - SRX345

Thanks for your reply. However, transfer-on-commit isn't what I'm looking for. Could event-options help in this case? If yes, can you provide me with a sample configuration?

The internet loopback 127.0.0.0

I have read that this address is the internet loopback which exists on all internet appliances, I assume. Anyway, is it necessary to set this on the lo0 of the SRX?

Does anyone do this?

Seems as though it already handled this.

Any comments are welcome.

I'm not referring to 127.0.0.1

Re: Automated configuration backup - SRX345


Instead of transfer-on-commit there is transfer-interval, but the maximum interval is every 48 hours, so it is not 100% what you are looking for. Would a backup every second day, and then a cleanup job deleting files older than X days on the archival server, be a feasible solution?

Re: Automated configuration backup - SRX345

I would consider that option. Can you provide me a sample configuration please?

Re: The internet loopback 127.0.0.0


Eugene,

You don't need to configure that address on Junos devices. 127.0.0.0 is just a network address; actually, within that network we could find addresses like 127.0.0.1, which is configured on the SRX by default:

root@a13-17> show interfaces terse lo0
Interface               Admin Link Proto    Local                 Remote
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet

Find more info here: https://www.howtogeek.com/149227/whats-the-difference-between-127.0.0.0-and-127.0.0.1/

In short, you don't need to configure 127.0.0.0 to enable any functionalities on the SRX.

 

Re: Automated configuration backup - SRX345


Something like this. There can be several archive-sites defined if needed:

 

user@fw# show system archival
configuration {
    transfer-interval 2880;
    archive-sites {
        "ftp://user:pass@192.168.1.10:";
        "scp://user:pass@192.168.1.11:/some/folder/";
    }
}

Re: Weekly Schedule configuration backup(auto)

Does the 604800 correspond to 420 days??

Re: How do you boot from usb from => mode?


I am getting this error: "## No elf image at address 0x00100000"

I am currently in the => mode. I have access to the following commands:


askenv - get environment variables from stdin
autoscr - run script from memory
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootloader - upgrade u-boot
bootloader - upgrade loader
bootloader - upgrade ushell
bootloader - check u-boot
bootloader - check loader
bootm - boot application image from memory
bootoct - Boot from an Octeon Executive ELF image in memory
bootoctelf - Boot a generic ELF image in memory. NOTE: This command does not support
simple executive applications, use bootoct for those.
bootoctlinux - Boot from a linux ELF image in memory
bootp - boot image via network using BootP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
cpld - peek/poke CPLD
crc32 - checksum calculation
dhcp - invoke DHCP client to obtain IP/boot params
dumpoct - dump octeon regs
dumpstats - dump cavium stats
echo - echo args to console
eeprom - EEPROM sub-system
erase - erase FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
flinfo - print FLASH memory information
go - start application at address 'addr'
gpio - read/write on gpio pins
help - print online help
i2c - read/write on i2c bus
id_eeprom - peek/poke EEPROM
ide - IDE sub-system
iminfo - print header information for application image
imls - list all images found in flash
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
ls609x_read_reg - Read 88E6097 register
md - memory display
mdkinit - start MDK
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
pci - list and access PCI Configuration Space
pciemd - pcie memory display
pciemw - pcie memory write
pciereset - do PCIE reset
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
read64 - read 64 bit word from 64 bit address
read64b - read 8 bit word from 64 bit address
read64l - read 32 bit word from 64 bit address
read_cmp - read and compare memory to val
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sleep - delay execution for some time
smi - peek/poke SMI devices
tftpboot- boot image via network using TFTP protocol
usb - USB sub-system
usbboot - boot from USB device
version - print monitor version
watchdog <start | stop | show | pat>
write64 - write 64 bit word to 64 bit address
write64b - write 8 bit word to 64 bit address
write64l - write 32 bit word to 64 bit address

Re: How do you boot from usb from => mode?


Matt,

 

Please reinstall/upgrade the loader and uboot as shown in the first two links from my previous comment and let us know.

 

Re: Automated configuration backup - SRX345


Hi dimkatsar,

You could use the following event-options script:

  • Generate an event every week
set event-options generate-event config-archival-event time-interval [SECONDS]

  • Create an event-policy for the above event to upload /config/juniper.conf.gz to FTP
set event-options policy config-archive-policy events config-archival-event
set event-options policy config-archive-policy then upload filename /config/juniper.conf.gz destination myftp

  • Specify the FTP/SCP server where you want to copy the file.
set event-options destinations myftp archive-sites "ftp://USER@SERVER_ADDRESS/config" password PASSWORD

It was shared in the following post for a weekly configuration backup:

https://forums.juniper.net/t5/SRX-Services-Gateway/Weekly-Schedule-configuration-backup-auto/m-p/316188#M47905

Because the time-interval value has to be specified in seconds, they used 604800 seconds, which is equivalent to 7 days. I know you are looking for this to happen every 6 months; however, the maximum value you can configure is 2,592,000 seconds, which is 30 days:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/time-interval-edit-event-options.html

This way, if you have to try a workaround on the server side, at least you will only have 6 configuration files.

I hope this helps.
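The two mechanisms discussed in this thread (system archival with transfer-interval, and the event-options generate-event / upload policy) side by side, as an added example that is not any poster's configuration. Assumed values: archive host 192.0.2.50, account "backup", target directory /srx345/ and the literal "CHANGE-ME" password are all placeholders. Both blocks use the limits stated in the thread: transfer-interval is in minutes with a 2880 (48 h) maximum, time-interval is in seconds with a 2,592,000 (30 day) maximum, so neither can express "every 6 months" on the box itself and retention has to be handled on the server. The example uses the separate password keyword rather than embedding user:pass in the URL, and SCP rather than FTP, so the credential is not sent in cleartext and is stored in the configuration in Junos' obfuscated $9$ form.

```junos
## A) system archival: the device pushes its own configuration every 48 hours (the maximum).
##    transfer-on-commit would push on every commit instead; the two are alternatives.
set system archival configuration transfer-interval 2880
set system archival configuration archive-sites "scp://backup@192.0.2.50/srx345" password "CHANGE-ME"

## B) event-options: a timer event every 30 days (the maximum for time-interval) triggers an
##    upload of the last committed configuration file to a named destination.
set event-options generate-event config-archival-event time-interval 2592000
set event-options policy config-archive-policy events config-archival-event
set event-options policy config-archive-policy then upload filename /config/juniper.conf.gz destination srx-backup
set event-options destinations srx-backup archive-sites "scp://backup@192.0.2.50/srx345" password "CHANGE-ME"

## Operational checks after commit:
##   show configuration system archival      -> confirms interval and site, password shown as $9$...
##   show configuration event-options        -> confirms the event, policy and destination are linked
##   show log messages | match "archival|upload"   -> transfer results as they happen
```

Two practical notes: the SCP account on 192.0.2.50 should be a dedicated, write-only-to-its-directory user, since the pushed file contains the full configuration including hashed secrets; and the server-side cleanup job mentioned earlier in the thread is what actually implements the "twice a year" retention, by keeping the files dated closest to 1 June and 1 December and deleting the rest.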

 
