Re: VPN issue Licenses bought

Hi,

There is no technical way of converting remote access licenses to dynamic VPN licenses.

You can try to get your reseller and Juniper to credit the remote access licenses and then buy the correct ones. If a credit is not approved, then you are forced to buy the dynamic VPN licenses.


Re: VPN issue Licenses bought

Yes.

Re: Is it safe to manually delete files from /var/transfer/config on an SRX3400?

You are very welcome Hermod, I'm glad we were able to help you.

Re: OpenVPN issue with rerouting interfaces

Hi Dimig,

I am not sure about the topology at this point. Could you please provide a rough topology diagram and the SRX config?

The following config looks confusing / incorrect:

from zone ISP_ALL_EMPL;
rule Openvpn-fiber match { destination-address x.x.x.x/32; } then { static-nat { prefix { 10.0.110.11/32; } } }

Taking the flow trace into consideration, "10.0.110.11/1201->x.x.x.x/1194" would mean that the OpenVPN server is sending a packet with its private IP as source and its own public (NAT'd) IP as destination. This looks wrong!
The destination IP should have been the IP address of the OpenVPN client.

Thanks,

Kinshuk

Any reason why the traffic is destined to the OpenVPN server's own IP address?


Re: OpenVPN issue with rerouting interfaces

Dimi,

I believe we are confused because in the flow traces the x.x.x.x address was representing the public address of the OpenVPN client (remote user):

May 27 17:55:14 17:55:14.397463:CID-1:RT:<10.0.110.11/1201->x.x.x.x/1194;17> matched filter PF2:

However, in your static NAT configuration it represents the public IP address linked to the proxy-arp configuration, am I right? In summary, you used the x.x.x.x address to represent two different public addresses, and this is the root of the confusion.

show security nat proxy-arp
interface reth2.150 {
    address {x.x.x.x/32;

I understand that the topology (when the traffic works) is like this:

OpenVPN_Server------------(reth2.110)-SRX-(reth2.150)-------------INTERNET------------OpenVPN_Client

Please confirm under which routing-instance(s) the reth2.110, reth2.150 and pp0.3 interfaces are configured.

You also mentioned you have PBR configured, so I assume you have a filter applied as input on interface reth2.110; please confirm if this is true and, if possible, share the configuration of the filter.

Please share the output of "show route [remote_user_address] detail".


Re: OpenVPN issue with rerouting interfaces

Please also filter your flow trace log file in order to confirm whether the following message is reported: re-route-failed

> show log [file_name] | match "re-route failed"

And please share the output of "show version" and "show chassis hardware". I would like to run the following command, but I first need to see the previously requested outputs: show usp flow counters all.


Re: Automated configuration backup - SRX345

Hi,

Can you share the configuration you used? Also, please confirm if you are seeing any error messages related to the file transfer in the messages log file (if it's configured):

> show log messages

You could also configure a new log file that will save any logs matching the word "transfer":

# set system syslog file [new_file_name] any any
# set system syslog file [new_file_name] match transfer
# commit

****try the test****

> show log [new_file_name]

Please try to manually copy the configuration file to your FTP server:

root@host> file copy /config/juniper.conf ftp://user@hostname/juniper.conf
Password for user@hostname: ******
Receiving ftp: //user@hostname/juniper.conf (2198 bytes): 100%
2198 bytes transferred in 0.0 seconds (2.69 MBps)

Reference: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/file-copy.html
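The syslog filter suggested in the reply above, put together with a complete archival stanza that pushes the configuration on every commit, as an added example that is not from any poster on this thread. The backup host 192.0.2.10, the user "backup", the path and the password are placeholders. The host is given as an IP address so the SRX needs no name-server for it, and scp is used instead of ftp so that neither the credential nor the configuration crosses the network in clear text. Lines starting with ## are commentary, not CLI.

```junos
## 1) Dedicated log file that catches only transfer-related messages, so a
##    failed push is not buried in "show log messages".
set system syslog file config-transfer any any
set system syslog file config-transfer match transfer

## 2) Push the committed configuration to the backup host on every commit.
##    Placeholders: 192.0.2.10, user "backup", path /srx-backups, password.
##    Junos stores the password obscured ($9$...) once committed.
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://backup@192.0.2.10/srx-backups" password "change-me"
commit and-quit

## 3) After the next commit: the staged copy and the transfer log.
file list /var/transfer/config
show log config-transfer
```

If the SRX has never spoken to 192.0.2.10 over SSH, run one manual `file copy` to the same scp URL first and accept the host key, otherwise the unattended transfer has no trusted key to check against. The archive-sites URL must be an ftp://, pasvftp://, scp:// or http(s):// target; check the archival documentation for your release before pointing it at a TFTP-only server.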

 

Re: OpenVPN issue with rerouting interfaces

Hi guys,

Yes, you are right, and I am sorry for the confusion.

I represented 2 different addresses with the same letter.

So,

Topology is, as correctly mentioned:

May 27 17:55:14 17:55:14.397463:CID-1:RT:<10.0.110.11/1201->1.1.1.1/1194;17> matched filter PF2:

show security nat static
from zone ISP_ALL_EMPL; rule Openvpn-fiber match { destination-address 2.2.2.198/32; } then { static-nat { prefix { 10.0.110.11/32; } } }

show security nat proxy-arp
interface reth2.150 {
    address {     2.2.2.198/32;     other_public_ip_of_the_same_block_for_other_service/32;

As for the PBR, this interface is not configured with the filter anymore. I deleted it before the issue, and the issue persists.

 show interfaces reth2.110
description DMZ-ZONE;
vlan-id 110;
family inet {
    address 10.0.110.1/24;
}

The filter that WAS applied is:

# show firewall filter redirect-traffic-fiber
term default-table {
    from {
        destination-address {
            10.0.0.0/8;
            192.168.0.0/16;
            172.16.0.0/22;
        }
    }
    then accept;
}
term to-fiber{
    then {
        routing-instance routing-table-fiber;
    }
}

And the instance is:

# show routing-instances routing-table-fiber
instance-type forwarding;
routing-options {
    static {
        route 0.0.0.0/0 next-hop 2.2.2.193/32;--->the gw of my ISP from the /28 block
    }
}

So now, for the question concerning which routing-instance(s) reth2.110, reth2.150 and pp0.3 are under, we have:

reth2.110 is a DMZ int and is not applied in any routing-instance because it is not a provider's interface

reth2.150 is applied with my ISP's gw 2.2.2.193

pp0.3 is also applied

# show routing-instances
routing-smtng-inf {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.4;
        }
    }
}
routing-table-Dept1-to-Internet {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.193;---->my ISP gw
        }
    }
}
routing-table-Dpt2-to-Specific public_srv {
    instance-type forwarding;
    routing-options {
        static {
            route a.a.a.a/32 next-hop pp0.3;
        }
    }
}
routing-table-all-empl {
    instance-type forwarding;
    routing-options {
        static {
            route ...... /32 next-hop pp0.3;
            route ......./32 next-hop pp0.3;
            route 0.0.0.0/0 next-hop [ pp0.1 reth2.2222 pp0.3 pp0.5 2.2.2.193 ];
            route ....../32 next-hop pp0.1;
            route ...../32 next-hop pp0.1;
            route ...../32 next-hop pp0.3;
            route 192.168.0.0/16 next-hop 10.0.111.254;----->DMZ-lan for internal openvpn communication (2nd interface)
        }
    }
}
routing-table-email {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.2;
        }
    }
}
routing-table-fiber{
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.193;
        }
    }
}
routing-table-guests {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.0;
        }
    }
}
routing-table-serv-vpns {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop b.b.b.b/32;
        }
    }
}
routing-table-servers-fiber {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop [ b.b.b.b 2.2.2.193 ];
        }
    }
}

Right now traceoptions are configured to rewrite until the maximum size is reached, so up to now I don't have any disconnections. I will post as soon as I notice any disconnection.

Version: Model: srx550
JUNOS Software Release [12.3X48-D55.4] clustered


Re: OpenVPN issue with rerouting interfaces

Also the show route detail:

show route 1.1.1.1 detail

inet.0: 144 destinations, 150 routes (143 active, 0 holddown, 1 hidden)
0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 262142
                Address: 0x150e4d8
                Next-hop reference count: 3
                Next hop: a.a.a.a via reth2.2222
                Session Id: 0x4d
                Next hop: via pp0.0
                Session Id: 0x0
                Next hop: via pp0.1
                Session Id: 0x0
                Next hop: via pp0.2, selected
                Session Id: 0x0
                Next hop: via pp0.4
                Session Id: 0x0
                Next hop: via pp0.3
                Session Id: 0x0
                Next hop: b.b.b.b via reth2.2211
                Session Id: 0x79
                Next hop: via pp0.5
                Session Id: 0x0
                Next hop: 2.2.2.193 via reth2.150
                Session Id: 0x7f
                State: <Active Int Ext>
                Age: 76w6d 15:55:06
                Validation State: unverified
                Task: RT
                Announcement bits (2): 0-KRT 2-Resolve tree 1
                AS path: I

routing-smthng-.inet.0: 102 destinations, 107 routes (101 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 609
                Address: 0x151594c
                Next-hop reference count: 5
                Next hop: via pp0.4, selected
                Session Id: 0x0
                State: <Active Int Ext>
                Age: 14:05:19
                Validation State: unverified
                Task: RT
                Announcement bits (1): 1-KRT
                AS path: I

routing-table-all-empl.inet.0: 129 destinations, 134 routes (128 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 262144
                Address: 0x1654718
                Next-hop reference count: 2
                Next hop: b.b.b.b via reth2.2211
                Session Id: 0x4d
                Next hop: via pp0.1
                Session Id: 0x0
                Next hop: via pp0.3, selected
                Session Id: 0x0
                Next hop: via pp0.5
                Session Id: 0x0
                Next hop: 2.2.2.193 via reth2.150
                Session Id: 0x7f
                State: <Active Int Ext>
                Age: 76w6d 15:55:05
                Validation State: unverified
                Task: RT
                Announcement bits (1): 1-KRT
                AS path: I

routing-table-email.inet.0: 102 destinations, 107 routes (101 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 2188
                Address: 0x1515bf8
                Next-hop reference count: 10
                Next hop: via pp0.2, selected
                Session Id: 0x0
                State: <Active Int Ext>
                Age: 9w5d 22:43:47
                Validation State: unverified
                Task: RT
                Announcement bits (1): 1-KRT
                AS path: I

routing-table-servers-fiber.inet.0: 102 destinations, 107 routes (101 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 262143
                Address: 0x157c010
                Next-hop reference count: 2
                Next hop: b.b.b.b via reth2.2211, selected
                Session Id: 0x4d
                Next hop: 2.2.2.193 via reth2.150
                Session Id: 0x7f
                State: <Active Int Ext>
                Age: 32w6d 1:56:58
                Validation State: unverified
                Task: RT
                Announcement bits (1): 1-KRT
                AS path: I

routing-table-serv-vpns.inet.0: 102 destinations, 107 routes (101 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 1971
                Address: 0x1515310
                Next-hop reference count: 9
                Next hop: a.a.a.a via reth2.2222, selected
                Session Id: 0x4d
                State: <Active Int Ext>
                Age: 32w6d 1:56:58
                Validation State: unverified
                Task: RT
                Announcement bits (1): 1-KRT
                AS path: I

routing-table-guests.inet.0: 102 destinations, 107 routes (101 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 958
                Address: 0x1515ea4
                Next-hop reference count: 5
                Next hop: via pp0.0, selected
                Session Id: 0x0
                State: <Active Int Ext>
                Age: 3w4d 3:58:35
                Validation State: unverified
                Task: RT
                Announcement bits (1): 1-KRT
                AS path: I

routing-table-Dpt1-to-Internet.inet.0: 102 destinations, 107 routes (101 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 2132
                Address: 0x1514944
                Next-hop reference count: 15
                Next hop: 2.2.2.193 via reth2.150, selected
                Session Id: 0x7f
                State: <Active Int Ext>
                Age: 12w4d 23:46:10
                Validation State: unverified
                Task: RT
                Announcement bits (1): 1-KRT
                AS path: I

routing-table-fiber.inet.0: 102 destinations, 107 routes (101 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 2132
                Address: 0x1515e58
                Next-hop reference count: 3
                Next hop: 2.2.2.193 via reth2.150, selected
                Session Id: 0x7f
                State: <Active Int Ext>
                Age: 1w5d 19:26:41
                Validation State: unverified
                Task: RT
                Announcement bits (1): 1-KRT
                AS path: I

Re: Zone_Communication

If you generate traffic from 192.168.4.254 to 192.168.1.254,

then on the SSG confirm the session with NAT is created:

get session src-ip 192.168.4.254 dst-ip 192.168.1.254

If the session exists with the correct NAT, confirm the session on the SRX is seen with the further NAT change there:

show security flow session source-prefix 192.168.2.2 destination-prefix 192.168.4.254

If this also exists then the NAT portion is working on both sides and the issue may be routing.

If one of these sessions is not created:

The issue will be either a missing policy to permit the traffic or an incorrect NAT rule on that device.


Default interface to start Skyatp session from

Hello,

I have a problem regarding connecting to the Sky ATP cloud.

The problem is I can only ping the internet from a specific interface.

If I don't specify the source interface I can't ping or do a DNS lookup.

Is there a way to force the connection to go out from the untrust interface?

Re: Automated configuration backup - SRX345

I will try this test and I will let you know about the result. For your info, whenever I do a commit I can see all files saved to /var/transfer/config but not saved to the root folder of my TFTP server.
When I manually copy a file using the "file copy" command, an error message occurs saying that the hostname cannot be resolved.
Can the destination URL be assigned the IP address of the TFTP server, or is only a hostname acceptable? In case of hostname only, do I have to enable DNS lookup?
Please advise.

Re: Automated configuration backup - SRX345

Yes, you can use the IP address instead of the hostname. Also, if you decide to use the hostname you need to configure a DNS server on the SRX so the firewall can resolve hostnames to IPs.
Example:
# set system name-server 8.8.8.8

Re: OpenVPN issue with rerouting interfaces

Dimi,

Based on the configuration, reth2.110 and reth2.150 are not configured under any custom routing-instances, so they will be configured by default under the Master/Default routing-instance (inet.0).

If a packet destined to 1.1.1.1 comes in to reth2.110, the inet.0 routing-table will be checked, and based on the provided information the route from inet.0 is the following:

show route 1.1.1.1 detail

inet.0: 144 destinations, 150 routes (143 active, 0 holddown, 1 hidden)
0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 262142
                Address: 0x150e4d8
                Next-hop reference count: 3
                Next hop: a.a.a.a via reth2.2222
                Session Id: 0x4d
                Next hop: via pp0.0
                Session Id: 0x0
                Next hop: via pp0.1
                Session Id: 0x0
                Next hop: via pp0.2, selected
                Session Id: 0x0
                Next hop: via pp0.4
                Session Id: 0x0
                Next hop: via pp0.3
                Session Id: 0x0
                Next hop: b.b.b.b via reth2.2211
                Session Id: 0x79
                Next hop: via pp0.5
                Session Id: 0x0
                Next hop: 2.2.2.193 via reth2.150
                Session Id: 0x7f
                State: <Active Int Ext>
                Age: 76w6d 15:55:06
                Validation State: unverified
                Task: RT
                Announcement bits (2): 0-KRT 2-Resolve tree 1
                AS path: I

I can see different next-hops showing up and I would like to confirm if this is expected. Can you share the configuration of that default route under [edit routing-options static]?

When we configure multiple next-hops for a route, without specifying any preference/prioritization between them, they will all have the same chances to be elected as the next-hop for that route. Actually, Junos does the next-hop selection randomly, so at any given time reth2.150 can be the next-hop and all of a sudden we could see the pp0.4 interface showing as the next-hop, because it is equally preferable to reth2.150. I believe this is the root cause of your issue.

I could think of three possible scenarios here:

1. You have an incorrect configuration and you only need reth2.150 as the next-hop for your default route.

2. You might want to use the "qualified next-hop" feature in order to have multiple next-hops, different than reth2.150, but have them as backup in case reth2.150 fails:

     https://www.juniper.net/documentation/en_US/junos/topics/concept/routing-protocol-static-security-route-preference-and-qualified-next-hop-understanding.html

3. You are trying to configure load-balancing among all those next-hops. In that case you will need to load balance per flow (even though the command says per-packet, it works per flow):

     https://www.juniper.net/documentation/en_US/junos/topics/topic-map/ecmp-flow-based.html

I hope this helps
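The second scenario from the reply above (one preferred exit, the others as backups), written out as an added Junos configuration example that is not from any poster on this thread. It reuses the next-hop names posted later in the thread and assumes that 2.2.2.193 on reth2.150, the gateway of the block that contains the static-NAT address 2.2.2.198, is the exit that must carry the OpenVPN server's traffic; the preference value 10 is an arbitrary choice, anything higher than the static default of 5 turns a next-hop into a backup. Only inet.0 is touched, because per the reply reth2.110 sits in the default instance. Lines starting with ## are commentary, not CLI.

```junos
## As posted: nine equal-cost next-hops, and "load-balance per-packet" is
## exported to the forwarding table, so every new flow from 10.0.110.11 is
## hashed onto any one of the nine exits, including ISPs whose address block
## does not contain 2.2.2.198.
# show routing-options static route 0.0.0.0/0
next-hop [ pp0.2 pp0.3 pp0.1 pp0.0 reth2.2222 pp0.4 reth2.2211 pp0.5 2.2.2.193 ];

## Qualified-next-hop version: 2.2.2.193 keeps the static default preference
## (5) and is the only active next-hop while it is usable; the other exits are
## installed at preference 10 and are only promoted if the preferred one is
## withdrawn.
delete routing-options static route 0.0.0.0/0
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.193
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.2 preference 10
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.3 preference 10
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.1 preference 10
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.0 preference 10
set routing-options static route 0.0.0.0/0 qualified-next-hop reth2.2222 preference 10
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.4 preference 10
set routing-options static route 0.0.0.0/0 qualified-next-hop reth2.2211 preference 10
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.5 preference 10
commit and-quit

## Checks: the active default should now show a single selected next-hop via
## reth2.150, and a session toward the OpenVPN client's port should egress there.
show route 0.0.0.0/0 exact detail
show security flow session source-prefix 10.0.110.11 destination-port 1194
```

Two caveats a practitioner would want with this. First, the eight backups all sit at preference 10, so if 2.2.2.193 is withdrawn they become an ECMP group among themselves again; give each a distinct preference if a strict failover order matters. Second, a static route with an IP next-hop is only withdrawn when that next-hop becomes unresolvable or its interface goes down, not when the ISP fails further upstream; detecting that needs RPM probes with ip-monitoring, which is outside what this thread covers.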


Re: Brand new SRX300 high CPU usage

Hello all,

I am facing the same issue about high CPU utilization on a Juniper SRX340. Below is some output from my SRX.

seyma@SRX340> show version 
Hostname: SRX340
Model: srx340
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]
seyma@SRX340> show chassis routing-engine                      
Routing Engine status:
    Temperature                 39 degrees C / 102 degrees F
    CPU temperature             60 degrees C / 140 degrees F
    Total memory              4096 MB Max  1106 MB used ( 27 percent)
      Control plane memory    2624 MB Max   682 MB used ( 26 percent)
      Data plane memory       1472 MB Max   412 MB used ( 28 percent)
    5 sec CPU utilization:
      User                     100 percent
      Background                 0 percent
      Kernel                     0 percent
      Interrupt                  0 percent
      Idle                       0 percent
    Model                          RE-SRX340
    Serial ID                      CY3318AF0723
    Start time                     2019-05-18 14:24:09 HKT
    Uptime                         10 days, 22 hours, 6 minutes, 40 seconds
    Last reboot reason             0x1:power cycle/failure
    Load averages:                 1 minute   5 minute  15 minute
                                       0.99       1.00       1.00
seyma@SRX340> show system processes extensive 
last pid: 24051;  load averages:  0.99,  0.98,  0.99  up 10+22:11:07    12:25:01
149 processes: 19 running, 118 sleeping, 12 waiting

Mem: 289M Active, 169M Inact, 1579M Wired, 416M Cache, 112M Buf, 1525M Free
Swap:

  PID USERNAME     THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1829 root           6  76    0  1554M   471M RUN    0 857.9H 369.87% flowd_octeon_hm
   21 root           1 171   52     0K    16K RUN    0 177.8H  0.00% idle: cpu0
 1859 root           7  76    0 34520K  9288K select 0 151:29  0.00% aamwd
   23 root           1 -20 -139     0K    16K RUN    0 127:39  0.00% swi7: clock
 1818 root           1  76    0 39308K 14692K select 0  52:38  0.00% l2ald
 1820 root           1  76    0 60500K 22896K select 0  47:32  0.00% pfed
   25 root           1 -20 -139     0K    16K WAIT   0  43:01  0.00% swi7: +
 1889 root           1  76    0     0K    16K select 0  40:44  0.00% peerproxy00000001
   22 root           1 -40 -159     0K    16K WAIT   0  33:29  0.00% swi2: netisr 0
 1868 root           1  76    0 19004K  7876K select 0  29:06  0.00% license-check
 1821 root           1  76    0 21060K  9216K select 0  25:42  0.00% rmopd
    5 root           1 -16    0     0K    16K rtfifo 0  16:39  0.00% rtfifo_kern_recv
 1479 root           1  76    0 18260K  6572K select 0  16:03  0.00% eventd
 1817 root           1   4    0 91876K 57380K kqread 0  10:50  0.00% rpd
   18 root           1 171   52     0K    16K RUN    3   9:46  0.00% idle: cpu3
   19 root           1 171   52     0K    16K RUN    2   9:43  0.00% idle: cpu2
 1847 root           1  76    0 19792K  4604K select 0   8:39  0.00% shm-rtsdbd
 1824 root           1  76    0 22336K 10612K select 0   7:17  0.00% ppmd
 1858 root           7   8    0 97412K  6748K nanslp 0   5:41  0.00% ipfd

Based on the above output, we could not find any process eating much CPU except "flowd_octeon_hm". Transit traffic is not interrupted, but exception traffic is. This causes slowness when accessing the device via SSH, and our monitoring system is not able to capture the traffic.

Kindly advise on the next action I should do/check in order to resolve the issue.


Re: Default interface to start Skyatp session from

Hi amrmhishjuniper,

When connecting to the Internet the SRX will by default use the IP address of the interface facing the Internet (usually the interface in the untrust zone). Which interface is the address being used now linked to? Can you share a "> show route 8.8.8.8" to better understand your implementation?

The following document explains more about the source address to be used for outbound traffic generated by the SRX:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/default-address-selection-edit-system.html

And in the following discussion it was suggested to specify a source-address for the packets sent to the DNS server:

https://forums.juniper.net/t5/Routing/DNS-Request-Source-Address/td-p/316655


Re: Default interface to start Skyatp session from

Hey,

The output from:

admin@node0> show route 8.8.8.8

inet.0: 204 destinations, 205 routes (204 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 09:23:10
> to X:X:X:X via reth0.1000
[Static/5] 09:23:09
> to X:X:X:X via reth0.1000

I did change the public IP addresses to X:X:X:X for security reasons.

I can ping the internet using the interface reth0.1000, but if I use ping alone I still can't do it.

I did read your response, but for some reason the ping is going out from a different interface.


Re: OpenVPN issue with rerouting interfaces

Hi,

Thanks for your detailed answer.

The purpose of those multiple routes is load-balancing for 0.0.0.0/0.

# show routing-options
interface-routes {
    rib-group inet fbf-group-ISP-traffic;
}
static {
    route b.b.b.b/32 next-hop pp0.1;
    route 0.0.0.0/0 next-hop [ pp0.2 pp0.3 pp0.1 pp0.0 reth2.2222 pp0.4 reth2.2211 pp0.5 2.2.2.193 ];
    route f.f.f.f/24 next-hop pp0.3;
    route a.a.a.a next-hop pp0.3;
    route z.z.z.z/32 next-hop reth2.2222;
    route v.v.v.v/32 next-hop pp0.3;
    route y.y.y.y/24 next-hop 2.2.2.193;
    route ...../ next-hop .....
    /* other routes have been omitted */
}
rib-groups {
    fbf-group-ISP-traffic {
        import-rib [ routing-table-email.inet.0 routing-smtng.inet.0 routing-table-guests.inet.0 routing-table-all-empl.inet.0 routing-table-servers-fiber.inet.0 routing-table-Dpt1-to-Internet.inet.0 routing-table-fiber.inet.0 ......inet.0 ...... ];
    }
}
forwarding-table {
    export load_balance;
}

So the correct scenario is the 3rd. But I have already configured it like that.

policy-statement load_balance {
    then {
        load-balance per-packet;
    }
}

This is what you propose, right?

Thank you so much

Re: OpenVPN issue with rerouting interfaces

If I create a firewall filter that uses only the 2.2.2.193 IP as next-hop and add it as input on reth2.110, will that save the situation?
