Channel: All SRX Services Gateway posts

Is JunOS affected by "SACK Panic: Linux and FreeBSD Kernels Vulnerable to Remote Denial of Service Vulnerabilities (CVE-2019-11477, CVE-2019-5599)"?


Re: RADIUS authentication on SRX1500

Re: SRX340 - Prioritize VPN traffic

Hi

Re: Is JunOS affected by "SACK Panic: Linux and FreeBSD Kernels Vulnerable to Remote Denial of Service Vulnerabilities (CVE-2019-11477, CVE-2019-5599)"?


Pretty sure Juniper has written their own network stack. To confirm, your best bet is to make an inquiry to the Juniper SIRT team via your sales engineer. The public postings from them only come out when they release patches themselves for the various CVEs.

Re: Site-to-Site VPN with one site behind NAT device


Hi

The lifetime and NAT-T are already enabled and matched, as this is not a new VPN setup: the VPN was working over the same connection using another vendor's device.

Since the SRX is behind a NAT device and the NAT device has the VPN public IP address, I used the "Local Identity" command in the IKE settings to reference the public IP address.

But here, do I have to configure a "Remote Identity" on the Cisco side, or change any other settings?

I am not sure, as the same setup works when we connect the old device back in place of the SRX...

Re: Is JunOS affected by "SACK Panic: Linux and FreeBSD Kernels Vulnerable to Remote Denial of Service Vulnerabilities (CVE-2019-11477, CVE-2019-5599)"?


Thanks for the advice!

I've sent the request to our Juniper support engineer.

Re: Site-to-Site VPN with one site behind NAT device


Hello mahmoud,

Because the device is behind NAT, you will need NAT-T enabled on both devices and local-identity configured on your SRX; I can see you have both. I believe that by default the ASA should be using the following IKE-IDs:

 

local-identity: ASA's public IP

remote-identity: NAT device's public IP

 
The above will match the SRX configuration we have in place as of now (note it has to match in the reverse order).

Regarding the proxy-IDs, I can see you have configured:

set security ipsec vpn HQ-VPN ike proxy-identity local x.x.x.x
set security ipsec vpn HQ-VPN ike proxy-identity remote y.y.y.y

This is not needed (and I believe is not doing anything), as the SRX will populate the proxy-ID values from the matching criteria of the security policies:
 
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match source-address x.x.x.x
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match destination-address y.y.y.y
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match application any
set security policies from-zone trust to-zone untrust policy Branch-To-HQ then permit tunnel ipsec-vpn HQ-VPN

set security policies from-zone untrust to-zone trust policy HQ-To-Branch match source-address y.y.y.y
set security policies from-zone untrust to-zone trust policy HQ-To-Branch match destination-address x.x.x.x
set security policies from-zone untrust to-zone trust policy HQ-To-Branch match application any
set security policies from-zone untrust to-zone trust policy HQ-To-Branch then permit tunnel ipsec-vpn HQ-VPN
 
So you can delete the proxy-IDs statements.
 
If phase 1 is not coming up, we have either a reachability issue or a negotiation problem. Let's find out:

1. Try the following commands to confirm whether we have IKE sessions and whether we see phase 1 temporarily up:

      > show security flow sessions protocol udp destination-port 500
      > show security flow sessions protocol udp destination-port 4500
      > show security ike security-associations

2. If we see sessions and packets being sent/received, let's gather IKE traces to investigate further:
 
     # set security ike traceoptions file IKE_TRACE
     # set security ike traceoptions flag all
     # commit
     # run request security ike debug-enable local [External_SRX_IP] remote [ASA_Public_IP] level 15
     # run show security ike debug-status
     # run clear log IKE_TRACE
     # run show log IKE_TRACE
    
Please upload the IKE_TRACE file output so we can check for any errors and help you.
 
Please mark my answer as the solution if it applies.
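As an added illustration of the identity settings discussed in the reply above (a constructed example, not configuration from this thread or from Juniper): the SRX sits behind a NAT device, so it announces the NAT device's public address as its local identity and expects the ASA's public address as the remote identity; the peer must be configured with the same pair in reverse. The gateway name HQ-GW, the IKE policy IKE-POL, the interface ge-0/0/0 and the uppercase IP placeholders are assumptions; lines starting with # are explanatory comments and are not part of the configuration.

```junos
# Constructed example: IKE gateway on an SRX whose WAN interface holds a private address behind a NAT device.
# Replace NAT_DEVICE_PUBLIC_IP, ASA_PUBLIC_IP and ge-0/0/0 with the real values; IKE-POL is assumed to exist.
set security ike gateway HQ-GW ike-policy IKE-POL
set security ike gateway HQ-GW address ASA_PUBLIC_IP
set security ike gateway HQ-GW external-interface ge-0/0/0
# The local ID must be the address the ASA sees on the wire, i.e. the NAT device's public IP,
# not the private address configured on ge-0/0/0.
set security ike gateway HQ-GW local-identity inet NAT_DEVICE_PUBLIC_IP
# The remote ID is what the ASA presents as its own identity (its public IP by default).
set security ike gateway HQ-GW remote-identity inet ASA_PUBLIC_IP
# NAT-T is enabled by default on the SRX; keepalives (seconds) hold the UDP/4500 NAT binding open while the tunnel is idle.
set security ike gateway HQ-GW nat-keepalive 10
```

After committing, `show security ike security-associations` should list the gateway address with phase 1 in the UP state; if it stays DOWN, the IKE trace procedure listed in the reply above is the next step, since an identity mismatch shows up there as a failed ID payload check rather than as a missing session.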
 
 

Re: SSL Libraries out of Date SRX240H2


Yeah, I don't have access. As stated above, I purchased my SRX240H2 brand new from a reseller on Amazon, but I don't have a support/maintenance agreement and tried contacting someone previously.

Seems odd that a security company would ignore security upgrades for core components. I will definitely take that into consideration when purchasing a replacement once this machine is EOL.


Re: SRX340 - Prioritize VPN traffic


Hey Alex,

 

I understand that people on the LAN side of the HQ office are running an app that connects to a cloud server (iLand). The communication between HQ's SRX and the cloud server is via a VPN:

LAN--------HQ---------Internet-----------Cloud_server

Something I need to understand is what you mean when you say "I do not need to do CoS inside VPN tunnel". So what you want to do is to give 20% of the physical link to VPN packets? Meaning that VPN traffic will have 20% of the resources of the external interface of the SRX and the other 80% will be for non-VPN traffic. I am assuming that the only traffic flowing over this VPN is related to this app.

 

In that case we will need to do the classification based on already encrypted packets destined to iLand public IP.

 

Re: takes long time to commit when adding security policies

Re: srx-240h2 HA cluster maxproc limit by uid 0


It persists in even the much later versions >=D

 

@1234567> show version
node0:
--------------------------------------------------------------------------
Hostname: 1234567
Model: srx240h2
JUNOS Software Release [12.3X48-D75.4]

node1:
--------------------------------------------------------------------------
Hostname: 7654321
Model: srx240h2
JUNOS Software Release [12.3X48-D75.4]

{primary:node0}
@1234567> show log messages | last 10
Jun 19 16:23:42 1234567 /kernel: maxproc limit exceeded by uid 65534, please see tuning(7) and login.conf(5).
Jun 19 16:23:42 1234567 /kernel: Process with Most Children- 0:swapper - Children - 64
Jun 19 16:23:42 1234567 /kernel: maxproc limit exceeded by uid 65534, please see tuning(7) and login.conf(5).
Jun 19 16:23:43 1234567 httpd[94378]: httpd error: : httpd: Error: start: can't fork a new process to run /html/index.php, errno 35
Jun 19 16:24:05 1234567 inetd[1601]: accept (for ssh): Software caused connection abort
Jun 19 16:24:30 1234567 /kernel: nearing maxproc limit by uid 0, please see tuning(7) and login.conf(5).
Jun 19 16:24:30 1234567 /kernel: Process with Most Children- 0:swapper - Children - 64
Jun 19 16:24:36 1234567 /kernel: nearing maxproc limit by uid 0, please see tuning(7) and login.conf(5).
Jun 19 16:24:36 1234567 /kernel: Process with Most Children- 0:swapper - Children - 64

{primary:node0}
@1234567> show system processes extensive | match swapper
0 root 1 -8 0 0K 0K WAIT 0 0:00 0.00% swapper
0 root 1 -8 0 0K 0K WAIT 0 0:00 0.00% swapper

Re: SRX340 - Prioritize VPN traffic


If we look at the picture in the following post, we can see that we could place traffic in a specific forwarding-class by matching it on the egress interface with a Multifield Classifier (a firewall filter applied on the egress interface):

https://forums.juniper.net/t5/SRX-Services-Gateway/QoS-Default-Behavior/td-p/288002

If only the cloud app traffic is flowing over this VPN to iLand, you could match the already encrypted traffic on the egress interface with the following criteria:

If traffic matches: Public Address of the SRX + Public address of iLand + protocol ESP -> then Forwarding-class: Assured-Forwarding

You can keep the Schedulers and Scheduler-Maps that you have in place. I would modify the CLOUD scheduler and configure it with Strict-High instead of High.

As for the DATA Scheduler, I am not sure if you should use the "exact" option instead of "remainder". With "exact" you could guarantee that traffic other than VPN traffic won't use resources allocated to VPN traffic.

 

Maybe you can give it a try and let us know the results.
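The multifield classifier and scheduler changes described in the reply above, written out as a constructed example (not configuration from this thread, from Alex's router, or from Juniper). The filter name VPN-EGRESS-CLASSIFY, the term names, the placeholders SRX_PUBLIC_IP and ILAND_PUBLIC_IP, the 20% transmit rate and the egress interface ge-0/0/3 are assumptions; the scheduler names CLOUD and DATA and the scheduler map ILAND-MAP are the ones named in the thread. Lines starting with # are explanatory comments and are not part of the configuration.

```junos
# Constructed example: classify already-encrypted VPN packets on the egress interface.
# Only ESP from the SRX's public address to iLand's public address lands in assured-forwarding;
# everything else is explicitly placed in best-effort and accepted (a filter ends in an implicit discard).
set firewall family inet filter VPN-EGRESS-CLASSIFY term ESP-TO-ILAND from source-address SRX_PUBLIC_IP/32
set firewall family inet filter VPN-EGRESS-CLASSIFY term ESP-TO-ILAND from destination-address ILAND_PUBLIC_IP/32
set firewall family inet filter VPN-EGRESS-CLASSIFY term ESP-TO-ILAND from protocol esp
set firewall family inet filter VPN-EGRESS-CLASSIFY term ESP-TO-ILAND then forwarding-class assured-forwarding
set firewall family inet filter VPN-EGRESS-CLASSIFY term ESP-TO-ILAND then accept
set firewall family inet filter VPN-EGRESS-CLASSIFY term EVERYTHING-ELSE then forwarding-class best-effort
set firewall family inet filter VPN-EGRESS-CLASSIFY term EVERYTHING-ELSE then accept
# Applied as an output filter on the external (egress) interface, so it sees the post-encryption ESP packets.
set interfaces ge-0/0/3 unit 0 family inet filter output VPN-EGRESS-CLASSIFY
# Schedulers: the VPN queue is served strict-high; DATA takes whatever is left.
# Swap "remainder" for "percent 80 exact" to stop DATA from borrowing the VPN queue's share.
set class-of-service schedulers CLOUD transmit-rate percent 20
set class-of-service schedulers CLOUD priority strict-high
set class-of-service schedulers DATA transmit-rate remainder
set class-of-service scheduler-maps ILAND-MAP forwarding-class assured-forwarding scheduler CLOUD
set class-of-service scheduler-maps ILAND-MAP forwarding-class best-effort scheduler DATA
set class-of-service interfaces ge-0/0/3 scheduler-map ILAND-MAP
```

Two caveats worth checking before relying on this. First, a strict-high queue is served ahead of every other queue regardless of its transmit-rate, so the 20% figure is a guarantee for the VPN queue, not a cap on it; if the cloud app could saturate the uplink, add rate-limit to the CLOUD transmit-rate or police that term in the filter. Second, verify with `show interfaces queue ge-0/0/3` that packets are actually incrementing in the assured-forwarding queue after the commit: a filter that classifies on the wrong interface or the wrong direction commits cleanly and simply leaves everything in best-effort.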

 

 

Re: SRX340 - Prioritize VPN traffic


It will also be very important to make sure that only VPN traffic to iLand is being placed in the Assured-Forwarding class. Check all of the SRX's interfaces for classifiers that would place non-VPN traffic in this class.

 

user@host> show class-of-service interface xe-4/0/0
Physical interface: xe-4/0/0, Index: 153
    Maximum usable queues: 8, Queues in use: 4
      Shaping rate: 5000000000 bps
      Scheduler map: <default>, Index: 2
      Congestion-notification: Disabled
      Logical interface: xe-4/0/0.0, Index: 77
        Object                  Name                   Type                    Index
        Classifier              ipprec-compatibility   ip                         13

The default ipprec-compatibility classifier won't place any traffic in Assured-Forwarding, which is good for our scenario:

 

https://www.juniper.net/documentation/en_US/junos/topics/reference/general/default-ip-prec-compatibility-table-cos-config-guide.html

 

Re: RADIUS authentication on SRX1500


Dazzler, it is advisable that you mark one of the comments as an Accepted Solution so future users will see the solution right from the beginning of this thread.

 

Re: takes long time to commit when adding security policies


Re: srx-240h2 HA cluster maxproc limit by uid 0


Hi Purplezorz,

 

By default, on the SRX240H2 maximum processes is set to 276.

 

jtac-SRX240H2% sysctl -a | grep kern.max
kern.maxvnodes: 64996
kern.maxproc: 276 <<<<
kern.maxfiles: 2500
kern.maxfilesperproc: 2500
kern.maxprocperuid: 248
kern.maxdsiz: 671088640
kern.maxusers: 16

 

So when this is exceeded, you start to see the error messages in the logs indicating the process that is probably causing it.

In this case, it seems to be the swapper process, based on the log messages seen. Ways to resolve this would probably be either gracefully restarting the SRXs one at a time or killing this process, which should restart automatically.

Either way, if these SRXs are in production, please plan to do so in a MW to avoid any downtime.

 

If the issue persists, then please open a JTAC case for further investigation.

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

 

Regards,

HS

Re: Site-to-Site VPN with one site behind NAT device


When you configure local and remote identity on the SRX, the partner device must have the matching configuration in place for the policies to fully match and phase one to come up.

 

Re: takes long time to commit when adding security policies


Hi,

 

The problem occurs only when committing/saving after adding a security policy; other config changes, like adding security zones/interfaces, commit fine. There is no problem navigating J-Web either.

Re: SRX340 - Prioritize VPN traffic


Hi mrojas,

 

Thanks a lot for your replies. Yes, your understanding of network layout and situation is correct.

 

I have made changes as you suggested:

 

1) Removed filter from ingress interface
2) Modified it to Match Cloud Destination IP, protocol ESP, interface reth0 -> assured-forwarding; All else to Best-Effort
3) Applied this filter to egress interface reth0.0
4) Changed ILAND Classifier to strict-high

 

For the DATA scheduler I am using remainder, so if there is no traffic to ILAND, it will use the full bandwidth. I have tested "exact 80%" before, and it only affected upload. So, if somebody uses YouTube or any other heavy download apps, it will not help. Maybe I will need to use policing to limit inbound traffic as well?!

 

Also, I can see in a printscreen you have provided you specify a maximum bandwidth with shaping-rate. Not sure if I need to do this as well to be able to use % instead of exact speed limits.

 

Here is my external interface "show class-of-service interface ge-0/0/3":

 

> show class-of-service interface ge-0/0/3
Physical interface: ge-0/0/3, Index: 137
Maximum usable queues: 8, Queues in use: 4
Scheduler map: ILAND-MAP, Index: 12119
Congestion-notification: Disabled

Logical interface: ge-0/0/3.0, Index: 81
    Object                  Name                   Type                    Index
    Classifier              ipprec-compatibility   ip                         13

 

I have also attached latest CoS config from the router.

 

I am going to test it and let you know.

 

Thanks,
Alex

Re: SRX340 - Prioritize VPN traffic


UPD: As I am monitoring now, none of the traffic goes to assured-forwarding; all goes to best-effort + network-control. When the filter was applied to the internal interface, it did send traffic to assured-forwarding.
