Hello,
Here is the working SRX config for 3CX VoIP server behind SRX
https://www.itadvantage.be/blog/3cx-behind-juniper-srx
HTH
Thx
Alex
It is running 12.3X48-D80.4
Thanks I'll have a look at it
Hi Viz,
"junos-alg: RT_ALG_ERR_NAT: SIP ALG NAT failed" means SIP ALG hit NAT allocation failure. When NAT translation context runs out of usage, it could result in NAT failure and hence this error log could be seen.
Was an upgrade on this SRX done recently? If so, from which Junos version was it upgraded to D80?
Thanks,
Harri Srinivasan
Hi Mahmoud,
This KB describes how to configure site-to-site VPNs between SRX and Cisco ASA in different scenarios: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28861&actp=METADATA
If this solves your problem, please mark this post as "Accepted Solution."
Regards,
HS
Does that mean because the 12.3 release train is older that there won't be any security updates to the core components like openSSH?
In addition to the KB article, review this thread too for reference with respect to the NAT device: https://forums.juniper.net/t5/SRX-Services-Gateway/Vpn-created-behind-NAT-device/m-p/290866#M40688
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!
Regards,
HS
It was running D40.5 before I upgraded. It's a unit I only use for testing purposes, so I can pretty much test anything as it's not in a critical position.
Hello Cevangelu,
Would you be able to attach the configuration and IKE/IPSEC traceoptions? This looks to be an interesting scenario which needs more deep-dive investigation.
Interesting, good to know that it resolved the issue.
Hi Viz,
Thanks for your response. If it's not too much trouble, could you downgrade this SRX to D40 (or even to D60) and check if you see the same issues again?
If this issue is not seen on D40 or D60 versions after downgrade, then I would recommend opening a JTAC case to track/investigate this issue further.
Regards,
HS
I wasn't running this config before the upgrade. In the meantime I tried isolating the issue and it seems like it might be related to the firewall/filters as after disabling them altogether the issue did not come back. I will recreate the rules and try to find out exactly when the issue occurs.
Thanks for your help
You're welcome and glad to hear that Viz.
If the issue reoccurs/persists, please downgrade to D40/D60 and test it again. Also open a JTAC case if needed for further investigation.
Please mark my solution accepted if it helped, kudos are appreciated too!!!
Regards,
HS
Could you confirm that this phase 2 lifetime is correct per the ASA configuration? My recollection is that the default on the ASA is 3600.
ipsec proposal HQ-VPN lifetime-seconds 28800
Since there is NAT involved make sure NAT-T is enabled on the Cisco side.
Since phase 1 is not coming up we need to see the logs for this.
show log kmd-logs
Post the ike log message you get for the failed phase 1.
Typical problems are:
Mismatch on preshared key
Mismatch on the ike policy specifics
local id on SRX does not match remote id on cisco
remote id on SRX does not match local id on cisco
Hi Guys,
We are having a problem when we are saving/committing after we add a security policy on our SRX340; it takes ages, especially in J-Web. Actually, we've already configured 231 security policies and, on top of that, 200+ address books. Committing configs other than security policies is fine. Is there a way to make the commit faster when we add a security policy? Thanks
You can try it from the CLI; that should be much faster compared to J-Web.
In the CLI, if you still see the slow commit, you can run the command commit | display detail to see the whole commit process and find out where (like which daemons) it takes longer to commit.
display detail—(Optional) Monitors the commit process.
Hi,
12.3 code is still not end of engineering support. Support for the same will end next year.
https://support.juniper.net/support/eol/software/junos/
While the focus in the 12.3 code would be more on the bug fixes related to JUNOS, I doubt if the SSH version would change. But I cannot confirm the same. If you have access to a Juniper Partner / Accounts team, they can get this information for you.
I hope this answers your question.
Regards,
Vikas
Hi,
CLI is fine, no problem with it. My colleagues are not familiar with command lines in Junos. Hoping there's still a way using J-Web.
Hi,
I had missed a firewall filter so it was blocking the traffic.
Are there any easy ways of seeing this since the tracelog didn't really show that?