Yes, both the time values and all the crypto settings have to match on both the SRX and the client.
Hi all,
There is a high number of security policies on the SRX device. I would like to ask whether it is possible to locate a security policy at a position in the security policy list during the creation of the policy, not after creation. If so, can you provide an example in CLI set commands?
Thx.
arx
Hello,
Not sure if I completely understood the question. Are you looking to insert the security policy at a particular location before the commit?
By default the new security policy is at the end of the list. You can use the insert statement to move the security policy to the desired location.
> insert security policies from-zone trust to-zone untrust policy trust-to-untrust-new after policy trust-to-untrust
> insert security policies from-zone trust to-zone untrust policy trust-to-untrust-new before policy trust-to-untrust
I hope this answers your question. Regards,
Vikas
dimkatsar,
I'm glad we were able to help. If you consider any of the comments a valid solution, please mark it as such so that future users can see it right from the beginning.
Arix,
There is no way of inserting a policy at a specific position during its creation; it will have to be done after it is created, with the use of the "insert" command:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB10120
If you have several policies the following command is very useful to avoid overlapping policies:
I hope it helps you.
Thanks Nelumbo and lpaniagua for reply.
So we cannot get two birds with only one stone at the same time...!
Create the security policy first, which lands at the end of the list, then use the "insert" command to relocate the policy. Is my understanding correct?
If this is correct, Juniper should add more functionality to the "insert" command, like creating L2 VLANs.
Thx,
Arx.
Create the security policy first, which lands at the end of the list, then use the "insert" command to relocate the policy. Is my understanding correct?
Yes, you are absolutely correct.
The insert command is not restricted to security policies; other functionality, such as routing policy-options, also has the insert feature. Again, what you can do with the various variables depends on the feature and hierarchy.
Arix,
Yes, your understanding is correct. I've never thought about it, but you have a good point.
In case you are looking to see all the policy names in a quick way, you could try "show security policies | match policy":
root@SRX100H2# show security policies | match policy
policy A-2-B {
policy B-2-A {
policy A-2-C {
policy C-2-A {
This way you can have a good idea of after/before what policy to insert your newly created policy. I hope this helps.
If you consider this to be a valid answer to your question please mark this comment as Solution.
Hello,
we have a SRX3400 cluster configured with "set system archival configuration transfer-on-commit". Now I realized that the secondary node was not able to transfer its config file to the configured host for some time.
We now have a lot of config files in /var/transfer/config/ which could not be transferred. If I repair the configuration, all these file would be transferred, which is not necessary. So I would like to delete a big part of all those files.
I am now wondering how this archival job is working and if it is safe to delete files manually from that directory. I haven't found information on this. I currently can think of two possibilities:
1. The archival job checks from time to time if there are files in that directory. If yes, they are transferred in an order from oldest to newest. Once a file is transferred, the job deletes the file. I think, in this case it would be safe to delete the files manually from the directory.
2. Upon commit a new config file is created for transfer and a list is updated with the new file name. The archival job parses this list and transfers the listed files. Once the file is transferred, its name is removed from the list and the file is removed as well.
If I delete files manually, I would not update this list. Maybe it makes a difference, if I delete those files from shell (rm -f /var/transfer/config/$filename_pattern) or from CLI (file delete /var/transfer/config/$filename_pattern)?
Does someone have a hint on this?
Thanks in advance,
Hermod
Hi Hermod,
I'm not sure how the exact process works, but I confirmed with JTAC that you can manually delete those files without problems. You can use either the shell command or the Junos command that you mentioned.
I hope this information helps you. Please mark my comments as Solution if it applies.
The process is as you describe in option 1. The list of files is taken from the actual directory listing and transferred in order of age, oldest first. So removing files that are there has no adverse effect.
Hello, I thank you both for your answers! Helped me a lot to have this clarified.
Hi guys,
New to this forum, so forgive me if I placed in wrong topic my issue.
The issue: I have an OpenVPN server behind an SRX with static NAT. Everything works OK after the OpenVPN client successfully connects to the OpenVPN server, but after a while (randomly 1~5 h), without any reason, the connection goes down.
Checked the openvpn server config and everything looks ok.
The topology:
I have an OpenVPN server behind my SRX 550 which is NATed (statically).
A route-based policy with load balancing for my reth interfaces (not applied to the OpenVPN interface).
I have configured my SRX to static NAT the OpenVPN server to one public IP from our /28 block of IPs (reth2.150) and added proxy-arp for ISP requests, since this IP is not the public interface of my SRX.
Reth2.150 is my ISP's leased line interface. /28 block of ips.
Reth2.110 is my DMZ Wan gw for my OpenVpn internal ip.
Openvpn ip 10.0.110.11
Debug: After a tcpdump on both sides (client and server) and on the SRX, I noticed the below when the OpenVPN connection went down (same time on client/server):
May 27 17:55:14 17:55:14.397463:CID-1:RT:<10.0.110.11/1201->x.x.x.x/1194;17> matched filter PF2:
May 27 17:55:14 17:55:14.397463:CID-1:RT:packet [112] ipid = 20559, @0x41d314ac
May 27 17:55:14 17:55:14.397463:CID-1:RT:---- flow_process_pkt: (thd 5): flow_ctxt type 15, common flag 0x0, mbuf 0x41d31280, rtbl_idx = 20
May 27 17:55:14 17:55:14.397463:CID-1:RT: flow process pak fast ifl 98 in_ifp reth2.110
May 27 17:55:14 17:55:14.397463:CID-1:RT: find flow: table 0x528ce8a8, hash 10400(0xffff), sa 10.0.110.11, da x.x.x.x, sp 1201, dp 1194, proto 17, tok 45
May 27 17:55:14 17:55:14.397463:CID-1:RT: flow got session.
May 27 17:55:14 17:55:14.397463:CID-1:RT: flow fast tcp/udp session id 215478
May 27 17:55:14 17:55:14.397463:CID-1:RT:flow_ipv4_rt_lkup success x.x.x.x, iifl 0x0, oifl 0x10a
May 27 17:55:14 17:55:14.397463:CID-1:RT: handle reroute for tunnel 0
May 27 17:55:14 17:55:14.397576:CID-1:RT:new output if pp0.3
May 27 17:55:14 17:55:14.397576:CID-1:RT:flow_ipv4_rt_lkup_reroute: session 0xf6000349b6 c2s if reth2.150 -> pp0.3
May 27 17:55:14 17:55:14.397576:CID-1:RT: refreshing session
May 27 17:55:14 17:55:14.397576:CID-1:RT: vector bits 0x1020 vector 0x4b466ab8
May 27 17:55:14 17:55:14.397576:CID-1:RT: vsd 1 is active
May 27 17:55:14 17:55:14.397576:CID-1:RT:mbuf 0x41d31280, exit nh 0xe20010
May 27 17:55:14 17:55:14.397576:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
As you can see, it changes the outbound interface. (reth2.150 is the correct incoming interface where OpenVPN accepts requests and should send replies back, whereas pp0.3 is an active PPPoE interface that serves for load balancing and is a member of the rib-group in routing-options for PBR.)
**The same happened with another OpenVPN client, where the SRX rerouted traffic out of pp0.4 (also a member of the load-balance rib-group).
I will post the configs so you can tell me if I am missing something.
Interface DMZ-WAN (OpenVPN server IP)
show interfaces reth2.110
description DMZ-ZONE;
vlan-id 110;
family inet {
    address 10.0.110.1/24;
}
Interface for my Internet (one of them / leased line)
# show interfaces reth2.150
description "*** FIBER FOR EMPL ***";
vlan-id 150;
family inet {
    address x.x.x.x/28 {
        primary;
    }
    address x.x.x.y/28;
}
Static NAT for the OpenVPN server
show security nat static
from zone ISP_ALL_EMPL;
rule Openvpn-fiber {
    match {
        destination-address x.x.x.x/32;
    }
    then {
        static-nat {
            prefix {
                10.0.110.11/32;
            }
        }
    }
}
Proxy ARP for this IP, for ARP requests from my ISP
show security nat proxy-arp
interface reth2.150 {
    address {
        x.x.x.x/32;
        y.y.y.y/32;
    }
}
show security policies from-zone ISP_ALL_EMPL to-zone DMZ
policy VPN {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
I am not posting my routing-options config, as I think the SRX doesn't need to check it since we have static NAT.
Please, I need your help to fix this issue! I cannot find anything wrong.
If you need more config files, please let me know.
Thank you in advance
Dimi,
CCNA-CCNP-JNCIA-MCSA
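An added check, not part of the thread, that scans an SRX flow trace in the format quoted above and reports sessions whose egress interface was changed by a reroute lookup; the trace lines below are constructed to mirror the post's output, with illustrative session ids.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the SRX flow trace in the post
# (not the original output; timestamps and session ids are illustrative).
SAMPLE_TRACE = """\
May 27 17:55:14 17:55:14.397463:CID-1:RT:<10.0.110.11/1201->x.x.x.x/1194;17> matched filter PF2:
May 27 17:55:14 17:55:14.397463:CID-1:RT: flow process pak fast ifl 98 in_ifp reth2.110
May 27 17:55:14 17:55:14.397463:CID-1:RT: flow fast tcp/udp session id 215478
May 27 17:55:14 17:55:14.397576:CID-1:RT:flow_ipv4_rt_lkup_reroute: session 0xf6000349b6 c2s if reth2.150 -> pp0.3
May 27 17:55:14 17:55:14.397576:CID-1:RT: refreshing session
May 27 17:56:02 17:56:02.100000:CID-1:RT:<10.0.110.11/1202->x.x.x.x/1194;17> matched filter PF2:
May 27 17:56:02 17:56:02.100000:CID-1:RT: flow process pak fast ifl 98 in_ifp reth2.110
May 27 17:56:02 17:56:02.100000:CID-1:RT: flow fast tcp/udp session id 215500
May 27 17:56:02 17:56:02.100100:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
"""

# One packet record starts with the "<src->dst;proto> matched filter" line.
FLOW_RE = re.compile(r"<(?P<src>[^>]+)->(?P<dst>[^;]+);(?P<proto>\d+)> matched filter")
INIF_RE = re.compile(r"in_ifp (?P<inif>\S+)")
SESSION_RE = re.compile(r"session id (?P<sid>\d+)")
# The reroute line names the direction and the old -> new output interface.
REROUTE_RE = re.compile(
    r"rt_lkup_reroute: session \S+ (?P<dir>c2s|s2c) if (?P<old>\S+) -> (?P<new>\S+)")


def find_reroutes(trace: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per flow whose output interface changed mid-session."""
    events: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for line in trace.splitlines():
        m = FLOW_RE.search(line)
        if m:  # new packet record: reset per-flow context
            current = {"flow": f"{m['src']}->{m['dst']}/{m['proto']}",
                       "in_if": None, "session": None}
            continue
        if current is None:
            continue
        if (m := INIF_RE.search(line)):
            current["in_if"] = m["inif"]
        elif (m := SESSION_RE.search(line)):
            current["session"] = m["sid"]
        elif (m := REROUTE_RE.search(line)) and m["old"] != m["new"]:
            events.append({**current, "direction": m["dir"],
                           "old_if": m["old"], "new_if": m["new"]})
    return events


if __name__ == "__main__":
    for ev in find_reroutes(SAMPLE_TRACE):
        print(f"session {ev['session']} {ev['flow']} in {ev['in_if']}: "
              f"{ev['direction']} egress {ev['old_if']} -> {ev['new_if']}")
```

Only the first flow in the sample is flagged; the second record has no reroute line and stays silent.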
Hi Dimi,
The flow trace shows the traffic flow "10.0.110.11/1201->x.x.x.x/1194;17" entering on "reth2.110" and leaving on "pp0.3".
Please check the output of "show route x.x.x.x detail" during the working and non-working states to confirm whether the route changes and, if so, why.
The SRX is not dropping the packet but re-routing it through the pp0.3 interface. If you believe this should not happen, then please check the route table during the non-working state to find out the reason for the change in interface.
Thanks,
Kinshuk
Hi there, by mistake I bought 20 remote-access VPN licenses. I understand that they work only with the NCP client; I really need 20 dynamic VPN licenses for Pulse Secure access. Is there any way to solve this problem?
Attached is the output of show system license:
juniper@Jardines_Tropicales_PC_SRX300> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0            2           0    permanent
  remote-access-ipsec-vpn-client        0           20           0    permanent
Licenses installed:
License identifier: XXXXXX
License version: 4
Valid for device: XXXXXX
Customer ID: TIGO BUSINESS COSTA RICA
Features:
remote-access-ipsec-vpn-client-10 - remote-access-ipsec-vpn-client 10 users
permanent
License identifier: XXXXX
License version: 4
Valid for device: XXXXXX
Customer ID: TIGO BUSINESS COSTA RICA
Features:
remote-access-ipsec-vpn-client-10 - remote-access-ipsec-vpn-client 10 users
permanent
thanks
Hi Kinshuk,
Thanks for your reply.
It is wrong to reroute it, because the session was established on the reth2.150 interface. So when the reply of the session goes out the pp0.3 interface, the client sees another public IP with another session ID which is unknown to it, and the packet is correctly ignored.
The output right now (while it works) is below:
show route x.x.x.x detail
inet.0: 144 destinations, 150 routes (143 active, 0 holddown, 1 hidden)
x.x.x.x/32 (1 entry, 1 announced)
        *Static Preference: 1
                Next hop type: Receive
                Address: 0x12d4510
                Next-hop reference count: 13
                State: <Active Int ProxyArp>
                Age: 5w4d 9:28:32
                Validation State: unverified
                Task: RPD Unix Domain Server./var/run/rpd_serv.local
                Announcement bits (2): 0-KRT 2-Resolve tree 1
                AS path: I
Below are all the other routing instances that I have configured, but in many of them this route isn't configured as a next hop. I don't understand why it shows me the /28 block in these instances.
routing-smtng.inet.0: 102 destinations, 107 routes (101 active, 0 holddown, 1 hidden)
x.x.x.x/28 (2 entries, 1 announced)
        *Direct Preference: 0
                Next hop type: Interface
                Address: 0x1514010
                Next-hop reference count: 16
                Next hop: via reth2.150, selected
                State: <Secondary Active Int>
                Age: 12w4d 9:03:52
                Validation State: unverified
                Task: IF
                Announcement bits (1): 1-KRT
                AS path: I
                Primary Routing Table inet.0
         Direct Preference: 0
                Next hop type: Interface
                Address: 0x1514600
                Next-hop reference count: 15
                Next hop: via reth2.150, selected
                State: <Secondary Int>
                Inactive reason: No difference
                Age: 12w4d 9:03:52
                Validation State: unverified
                Task: IF
                AS path: I
                Primary Routing Table inet.0
routing-table-all-empl.inet.0: 129 destinations, 134 routes (128 active, 0 holddown, 1 hidden)
x.x.x.x/28 (2 entries, 1 announced)
        *Direct Preference: 0
                Next hop type: Interface
                Address: 0x1514010
                Next-hop reference count: 16
                Next hop: via reth2.150, selected
                State: <Secondary Active Int>
                Age: 12w4d 9:03:52
                Validation State: unverified
                Task: IF
                Announcement bits (1): 1-KRT
                AS path: I
                Primary Routing Table inet.0
         Direct Preference: 0
                Next hop type: Interface
                Address: 0x1514600
                Next-hop reference count: 15
                Next hop: via reth2.150, selected
                State: <Secondary Int>
                Inactive reason: No difference
                Age: 12w4d 9:03:52
                Validation State: unverified
                Task: IF
                AS path: I
                Primary Routing Table inet.0
routing-table-email.inet.0: 102 destinations, 107 routes (101 active, 0 holddown, 1 hidden)
x.x.x.x/28 (2 entries, 1 announced)
        *Direct Preference: 0
                Next hop type: Interface
                Address: 0x1514010
                Next-hop reference count: 16
                Next hop: via reth2.150, selected
                State: <Secondary Active Int>
                Age: 12w4d 9:03:52
                Validation State: unverified
                Task: IF
                Announcement bits (1): 1-KRT
                AS path: I
                Primary Routing Table inet.0
         Direct Preference: 0
                Next hop type: Interface
                Address: 0x1514600
                Next-hop reference count: 15
                Next hop: via reth2.150, selected
                State: <Secondary Int>
                Inactive reason: No difference
                Age: 12w4d 9:03:52
                Validation State: unverified
                Task: IF
                AS path: I
                Primary Routing Table inet.0