SRX-3400 configuration synchronization from slave to master

Hi,


I have SRX-3400 in cluster mode.

I'm planning to upgrade it.

I will separate the units, and upgrade the slave unit.

switch the traffic from master to slave, wait a few days and if all is well I will upgrade the master unit.

during these few days there will be configuration changes at the slave unit.

once the master unit will be upgraded, how do I sync the configuration from the slave unit to the master ?


Thanks


Eyal


Re: SRX-3400 configuration synchronization from slave to master

Hi Eyal, 

Once you upgrade the master unit and, post upgrade, it joins the cluster, it will automatically sync the updated configuration from the slave unit, provided you follow the upgrade procedure correctly. This is the default behaviour in a chassis cluster.

If by any chance config sync does not happen, then once you add the master device to the cluster, at that time the slave device will still be the primary; just issue any dummy config change from the slave unit (like an interface description change) and commit from the slave unit, and it will resync the configuration.

 

Re: SRX340 - Prioritize VPN traffic

Alex,

 

The output of "show class-of-service interface xe-4/0/0" I shared in my previous post was to show the default classifier attached to the interface, please disregard any other information on that output.

 

I understand that you applied the suggested configuration and that you don't see traffic under Assured-Forwarding, but I would like to confirm if you have noticed any performance improvement on your tests.

 

Also it will be good to confirm that the traffic is matching the filter. Maybe you can add an extra action of "count" to that filter to confirm if the traffic is matching the correct term. You just need to add the following line to the term matching the VPN traffic:

 

# set firewall family inet filter [name] term [name] then count COUNTER

 

Then try the test and check if the counter increases. The output will be similar to this one:

 

user@host> show firewall counter COUNTER
Filter: [name]
Counters:
Name                                                Bytes              Packets
COUNTER                                            0                    0

 

 

 
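The check suggested above (add a "count" action, run the test, see whether the counter moves) can be scripted. The block below is an added example, not part of the original post: it parses two samples of "show firewall counter" output in the format shown above and reports how far the named counter advanced. The two sample outputs are constructed for the example.

```python
import re

# Constructed samples in the format of "show firewall counter COUNTER filter NAME"
# output: a sample before the test and one after it.
BEFORE = """\
Filter: CLASSIFY-ILAND
Counters:
Name                 Bytes            Packets
COUNTER              0                0
"""
AFTER = """\
Filter: CLASSIFY-ILAND
Counters:
Name                 Bytes            Packets
COUNTER              98193            1587
"""

# One counter row: name, byte count, packet count.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_counters(text):
    """Return {counter_name: (bytes, packets)} from one 'show firewall counter' output."""
    counters = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Name"):          # column header precedes the rows
            in_table = True
            continue
        m = ROW_RE.match(line) if in_table else None
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters

def counter_delta(before, after, name):
    """(bytes, packets) the named counter advanced between two samples; None if absent."""
    b, a = parse_counters(before).get(name), parse_counters(after).get(name)
    if b is None or a is None:
        return None
    return (a[0] - b[0], a[1] - b[1])

def term_is_matching(before, after, name):
    """True when the packet count moved, i.e. the term actually saw traffic."""
    d = counter_delta(before, after, name)
    return d is not None and d[1] > 0
```

A zero delta, as in the first output posted later in this thread, means the term is not matching the traffic you think it is, and the filter's match conditions need another look.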

Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway

Thanks for your input @spuluka.  I wasn't aware of Shrew Soft.

 

With lots of help from Juniper's JTAC team we managed to configure NCP client and make it talk VPN to SRX300.


Here's an excerpt of the SRX config with generic values specifically for the NCP client-Gateway VPN communication

ALL THE CREDIT FOR WRITING THE EXCERPT BELOW GOES TO THE JTAC TEAM and not me.


set security ike proposal NCP-PROP authentication-method pre-shared-keys
set security ike proposal NCP-PROP dh-group group5
set security ike proposal NCP-PROP authentication-algorithm sha1
set security ike proposal NCP-PROP encryption-algorithm aes-128-cbc
set security ike proposal NCP-PROP lifetime-seconds 86400


set security ike policy NCP-POL mode aggressive
set security ike policy NCP-POL proposals NCP-PROP
set security ike policy NCP-POL pre-shared-key ascii-text juniper123


set security ike gateway NCP-GW ike-policy NCP-POL
set security ike gateway NCP-GW dynamic user-at-hostname "user@juniper.net"
set security ike gateway NCP-GW dynamic connections-limit 2
set security ike gateway NCP-GW dynamic ike-user-type shared-ike-id
set security ike gateway NCP-GW external-interface ge-0/0/0.0
set security ike gateway NCP-GW aaa access-profile ncp-vpn-profile
set security ike gateway NCP-GW version v1-only


set security ipsec proposal NCP_IPSEC_PRO protocol esp
set security ipsec proposal NCP_IPSEC_PRO authentication-algorithm hmac-sha1-96
set security ipsec proposal NCP_IPSEC_PRO encryption-algorithm aes-128-cbc
set security ipsec proposal NCP_IPSEC_PRO lifetime-seconds 28800


set security ipsec policy NCP_IPSEC_POL proposals NCP_IPSEC_PRO
set security ipsec policy NCP_IPSEC_POL perfect-forward-secrecy keys group5

set security ipsec vpn NCP-IPSEC bind-interface st0.0
set security ipsec vpn NCP-IPSEC ike gateway NCP-GW
set security ipsec vpn NCP-IPSEC ike ipsec-policy NCP_IPSEC_POL
set security ipsec vpn NCP-IPSEC traffic-selector TS1 local-ip 0.0.0.0/0
set security ipsec vpn NCP-IPSEC traffic-selector TS1 remote-ip 0.0.0.0/0


set security zones security-zone trust interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces st0.0 host-inbound-traffic protocols all
set interfaces st0 unit 0 family inet


set access profile ncp-vpn-profile authentication-order password
set access profile ncp-vpn-profile client test firewall-user password test123
set access profile ncp-vpn-profile address-assignment pool NCP-pool


set access address-assignment pool NCP-pool family inet network 10.1.1.0/24
set access address-assignment pool NCP-pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access firewall-authentication web-authentication default-profile ncp-vpn-profile


Also, do not forget to check the security policies, and confirm whether you need a policy from the tunnel zone to internal resources. Ensure that traffic has started by checking that the encrypted packet count is increasing, executing


# run show security ipsec sa

in order to get the TUNNEL_ID and then run


# run show security ipsec statistics index TUNNEL_ID

to confirm the encrypted packet traffic is increasing.


It is our experience that the NCP VPN client is VERY robust and connects really fast.


Lastly, if your Juniper Gateways are SRX300s please make sure you buy the Exclusive Entry client for Windows from https://www.ncp-e.com/en/exclusive-remote-access-solution/vpn-client/#c12977


I hope this helps someone else in a similar technical deadlock.


Please feel free to close this thread.


Thanks

Stavros

 
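As an added example (not from the post or from JTAC), the block below parses "set security ike/ipsec ..." lines like the excerpt above into per-object settings and flags the values a reviewer would want to revisit before the config goes into production: small DH groups, SHA-1/MD5 integrity, aggressive mode and IKEv1-only gateways. The sample input is a constructed subset of the excerpt; the thresholds are this example's own choice.

```python
import re

# Constructed sample: a subset of the "set" excerpt posted above (generic values only).
SAMPLE_CONFIG = """
set security ike proposal NCP-PROP authentication-method pre-shared-keys
set security ike proposal NCP-PROP dh-group group5
set security ike proposal NCP-PROP authentication-algorithm sha1
set security ike policy NCP-POL mode aggressive
set security ike gateway NCP-GW version v1-only
set security ipsec proposal NCP_IPSEC_PRO authentication-algorithm hmac-sha1-96
set security ipsec policy NCP_IPSEC_POL perfect-forward-secrecy keys group5
"""
# Review thresholds chosen for this example; adjust to your own policy.
WEAK_DH = {"group1", "group2", "group5"}              # MODP groups below 2048 bits
WEAK_HASH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
SET_RE = re.compile(
    r"^set security (ike|ipsec) (proposal|policy|gateway) (\S+) (\S+)(?: (.+))?$")

def parse_set_lines(text):
    """Group 'set security <ike|ipsec> <kind> NAME knob [value]' lines by object."""
    objs = {}
    for raw in text.splitlines():
        m = SET_RE.match(raw.strip())
        if m:
            fam, kind, name, knob, val = m.groups()
            objs.setdefault((f"{fam} {kind}", name), {})[knob] = (val or "").strip()
    return objs

def audit(text):
    """Return (object, knob, value) triples for settings that deserve review."""
    findings = []
    for (section, name), knobs in parse_set_lines(text).items():
        obj = f"{section} {name}"
        if knobs.get("dh-group") in WEAK_DH:
            findings.append((obj, "dh-group", knobs["dh-group"]))
        if knobs.get("authentication-algorithm") in WEAK_HASH:
            findings.append((obj, "authentication-algorithm", knobs["authentication-algorithm"]))
        pfs = knobs.get("perfect-forward-secrecy", "").split()   # value is "keys groupN"
        if pfs and pfs[-1] in WEAK_DH:
            findings.append((obj, "perfect-forward-secrecy", pfs[-1]))
        # Aggressive mode with a pre-shared key exposes a PSK-derived hash to offline guessing.
        if knobs.get("mode") == "aggressive":
            findings.append((obj, "mode", "aggressive"))
        if knobs.get("version") == "v1-only":        # IKEv1 is the legacy protocol
            findings.append((obj, "version", "v1-only"))
    return findings

if __name__ == "__main__":
    for obj, knob, val in audit(SAMPLE_CONFIG):
        print(f"{obj}: {knob} {val}")
```

Whether any finding is acceptable depends on what the NCP client can negotiate; the point is to make each weaker choice a deliberate one.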

Re: SSL Libraries out of Date SRX240H2

Re: SRX340 - Prioritize VPN traffic

Hi mrojas,

 

Please see output below. 


> show firewall counter COUNTER filter CLASSIFY-ILAND

Filter: CLASSIFY-ILAND
Counters:
Name                                                Bytes              Packets
COUNTER                                                 0                    0

 

Additionally, if I go to the web interface -> Monitor -> Interfaces -> select external interface -> CoS tab, I can see all packets are in the best-effort queue, some in NC. No packets in AF.

And overall, there is no performance improvement in my tests.

 

Now, I reapplied the filter (without the ESP protocol and interface option) back to the internal interface and am checking the counter:

> show firewall counter COUNTER filter CLASSIFY-ILAND

Filter: CLASSIFY-ILAND
Counters:
Name                                                Bytes              Packets
COUNTER                                             98193                 1587

 

If I go to Web Monitoring -> External int -> CoS tab:

Best-effort - lots of packets

Assured-forwarding - some packets here

Network-control - some packets here

 

please see an image attached.

 

So, this filtering seems to work. But it is still difficult to measure if that has any effect.

 

The main difficulty for me now is how can I test it and make sure prioritization is working, as I do not have access to DB app.

I run speedtest, and ping two destinations -> 8.8.8.8 and Cloud IP. Both ping results show high latency when I run the test. But this, I believe, is not a clear test. The only real test I can think of will be to run some network traffic "killer" util and test DB when there is a constant high network utilization.

 

1) With my results now - seeing AF traffic on the egress interface, is it safe to say that traffic prioritization actually works?

2) Any ideas on how to best test it?

 

Thanks,

Alex


Re: Does JunOS affected by "SACK Panic: Linux and FreeBSD Kernels Vulnerable to Remote Denial of Service Vulnerabilities (CVE-2019-11477, CVE-2019-5599)"?

Hello,

 

Have you received an answer from JTAC?

Re: Does JunOS affected by "SACK Panic: Linux and FreeBSD Kernels Vulnerable to Remote Denial of Service Vulnerabilities (CVE-2019-11477, CVE-2019-5599)"?

Hi,

 

Juniper is still investigating these vulnerabilities and hasn't released a public answer as of now.

 

Re: SRX340 - Prioritize VPN traffic

UPD: I think I made a silly mistake - in my filter I had the Cloud external IP, instead of the internal one. Added the 10.x.x.x/24 destination network to my filter and can definitely say that now all VPN traffic goes to the AF class. Measured this by copying large files over VPN and checking CoS transmit packet statistics for the different classifiers. If I run speedtest - this goes to best-effort.

 

Client is going to test it over the next week and I will let you know how it goes.

Re: VPN Issue: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch

Hello,

 

You are using IKEv2 only, as per tech docs this is not supported with VPN monitoring

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-vpns-for-ikev2.html

 

IKEv2 does not support the following features:

  • Policy-based VPN.

  • Dialup tunnels.

  • VPN monitoring.

  • Multiple child SAs for the same traffic selectors for each QoS value.

  • IP Payload Compression Protocol (IPComp).

That's the reason; you need to remove vpn-monitoring or change to IKEv1 (if possible).

 

 

Thanks

Mahesh

Re: takes long time to commit when adding security policies

Hi there,

 

Could you perhaps monitor/collect the output of 'show chassis routing-engine' and 'show system processes extensive' iteratively while you do the policy test via Jweb?

 

Also, what Junos code are you at?

 

Cheers

Pooja


Re: SRX300 No bootable media found. Entering loader prompt.

Are you able to do a snapshot to USB on a working SRX300 and do a full boot on the corrupted device, not to the boot loader but all the way to the Junos load?

 

Then do a snapshot again from the USB junos to the internal media.

 

Re: Site-to-Site VPN with one site behind NAT device

Aggressive mode is only necessary when one side has a dynamic IP address. If the NAT is from a static address down to the internal one, aggressive mode is not necessary, only the engagement of NAT-T.

 

Re: Why traffic is very slow over ipsec
