
Re: Site-to-Site VPN with one site behind NAT device


Hello,

Apologies. Yes, main mode would also work. Here is a config from the lab that is validated to be working fine.


Setup: SRX1 (1.1.1.1) ---- SRX2 --- (2.2.2.2) SRX3 (NAT) --- SRX4 (with priv IP)


SRX4 config - policy based (in your case the SRX):
===================================================

set security ike policy SRX1Ike mode main
set security ike policy SRX1Ike proposal-set compatible
set security ike policy SRX1Ike pre-shared-key ascii-text "pre-shared-key"
set security ike gateway SRX1_gateway ike-policy SRX1Ike
set security ike gateway SRX1_gateway address 1.1.1.1
set security ike gateway SRX1_gateway local-identity inet 2.2.2.2
set security ike gateway SRX1_gateway external-interface ge-0/0/0.0
set security ipsec policy SRX1Ipsec proposal-set compatible
set security ipsec vpn SRX1_vpn ike gateway SRX1_gateway
set security ipsec vpn SRX1_vpn ike proxy-identity local 192.168.10.0/24
set security ipsec vpn SRX1_vpn ike proxy-identity remote 192.168.20.0/24
set security ipsec vpn SRX1_vpn ike ipsec-policy SRX1Ipsec
set security ipsec vpn SRX1_vpn establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy permit-trust-to-untrust match source-address 192.168.10.0/24
set security policies from-zone trust to-zone untrust policy permit-trust-to-untrust match destination-address 192.168.20.0/24
set security policies from-zone trust to-zone untrust policy permit-trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy permit-trust-to-untrust then permit tunnel ipsec-vpn SRX1_vpn


SRX1 config - route based (in your case the ASA):
====================================================

set security ike policy SRX4Ike mode main
set security ike policy SRX4Ike proposal-set compatible
set security ike policy SRX4Ike pre-shared-key ascii-text "pre-shared-key"
set security ike gateway SRX4_gateway ike-policy SRX4Ike
set security ike gateway SRX4_gateway address 2.2.2.2
set security ike gateway SRX4_gateway external-interface lo0.27

set security ipsec policy SRX4Ipsec proposal-set compatible
set security ipsec vpn SRX4_vpn bind-interface st0.103
set security ipsec vpn SRX4_vpn ike gateway SRX4_gateway
set security ipsec vpn SRX4_vpn ike ipsec-policy SRX4Ipsec
set security ipsec vpn SRX4_vpn establish-tunnels immediately

set security zones security-zone SRX4_Internet screen standard-screens
set security zones security-zone SRX4_Internet host-inbound-traffic system-services ping
set security zones security-zone SRX4_Internet host-inbound-traffic system-services traceroute
set security zones security-zone SRX4_Internet host-inbound-traffic system-services ike
set security zones security-zone SRX4_Internet interfaces reth0.0
set security zones security-zone SRX4_Internet interfaces lo0.27 host-inbound-traffic system-services ping
set security zones security-zone SRX4_Internet interfaces lo0.27 host-inbound-traffic system-services traceroute
set security zones security-zone SRX4_Internet interfaces lo0.27 host-inbound-traffic system-services ike
set security zones security-zone SRX4_vpn interfaces st0.103

set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match source-address any
set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match destination-address any
set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match application junos-ike
set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match application junos-ike-nat
set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match application esp
set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all then permit

 

I hope this helps. Regards,

Vikas

CFTS-Security
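The two snippets above configure each side by hand, and the NAT detail that makes them work is easy to miss: SRX4 sits behind SRX3, so it announces "local-identity inet 2.2.2.2" (the NAT device's public address) to match the "address 2.2.2.2" that SRX1 is configured with; without it, SRX4 would identify itself with its private interface address. The Python script below is an added example for this thread, not Juniper's code: it parses both "set security ike" snippets from the post and checks that the two peers mirror each other (peer address versus announced identity and source address, IKE mode, proposal set, pre-shared key). The addresses passed in come from the post's Setup line; 10.0.0.4, standing in for SRX4's private interface address, is a constructed value.

```python
"""Cross-check two Junos 'set'-style IKE snippets for a site-to-site peer pair.

Added example for this thread (not Juniper's code). The config text is the
SRX4/SRX1 IKE configuration from the post above; the addresses given to
describe_side() come from its 'Setup' line, except 10.0.0.4, a constructed
stand-in for SRX4's private interface address behind the NAT device.
"""
import re

SRX4_CFG = """
set security ike policy SRX1Ike mode main
set security ike policy SRX1Ike proposal-set compatible
set security ike policy SRX1Ike pre-shared-key ascii-text "pre-shared-key"
set security ike gateway SRX1_gateway ike-policy SRX1Ike
set security ike gateway SRX1_gateway address 1.1.1.1
set security ike gateway SRX1_gateway local-identity inet 2.2.2.2
set security ike gateway SRX1_gateway external-interface ge-0/0/0.0
"""

SRX1_CFG = """
set security ike policy SRX4Ike mode main
set security ike policy SRX4Ike proposal-set compatible
set security ike policy SRX4Ike pre-shared-key ascii-text "pre-shared-key"
set security ike gateway SRX4_gateway ike-policy SRX4Ike
set security ike gateway SRX4_gateway address 2.2.2.2
set security ike gateway SRX4_gateway external-interface lo0.27
"""


def collect(text, kind):
    """Group 'set security <kind> <name> <key> [value]' lines by object name."""
    pat = re.compile(rf"^set security {kind} (\S+) (\S+)(?: (.*))?$", re.M)
    objs = {}
    for name, key, val in pat.findall(text):
        objs.setdefault(name, {})[key] = val
    return objs


def describe_side(text, interface_ip, public_ip):
    """Summarise what this side presents to its peer.

    interface_ip: address on the IKE external-interface (Junos' default IKE ID).
    public_ip:    source address the peer actually sees (after NAT, if any).
    """
    gateways = collect(text, "ike gateway")
    policies = collect(text, "ike policy")
    name, gw = next(iter(gateways.items()))
    pol = policies[gw["ike-policy"]]
    ident = gw.get("local-identity", "")
    # A device behind NAT must override the default identity with
    # 'local-identity inet <public address>' or the peer sees a private IP.
    identity = ident.split()[1] if ident.startswith("inet ") else interface_ip
    return {"gateway": name, "peer": gw["address"], "source": public_ip,
            "identity": identity, "mode": pol.get("mode"),
            "proposal-set": pol.get("proposal-set"), "psk": pol.get("pre-shared-key")}


def check_pair(a, b):
    """Return a list of mismatches; an empty list means the sides mirror each other."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        if peer["peer"] != me["source"]:
            findings.append(f"{peer['gateway']}: configured address {peer['peer']} "
                            f"but packets from {me['gateway']} arrive from {me['source']}")
        if peer["peer"] != me["identity"]:
            findings.append(f"{peer['gateway']}: configured address {peer['peer']} "
                            f"but {me['gateway']} identifies itself as {me['identity']}")
    for field in ("mode", "proposal-set", "psk"):
        if a[field] != b[field]:
            findings.append(f"{field} differs: {a[field]!r} vs {b[field]!r}")
    return findings


def lab_pair():
    """The working lab pair from the post: SRX4 behind NAT, SRX1 directly reachable."""
    srx4 = describe_side(SRX4_CFG, interface_ip="10.0.0.4", public_ip="2.2.2.2")
    srx1 = describe_side(SRX1_CFG, interface_ip="1.1.1.1", public_ip="1.1.1.1")
    return check_pair(srx4, srx1)


def lab_pair_without_local_identity():
    """Same pair, but SRX4 omits local-identity: its IKE ID falls back to the private IP."""
    stripped = "\n".join(line for line in SRX4_CFG.splitlines()
                         if "local-identity" not in line)
    srx4 = describe_side(stripped, interface_ip="10.0.0.4", public_ip="2.2.2.2")
    srx1 = describe_side(SRX1_CFG, interface_ip="1.1.1.1", public_ip="1.1.1.1")
    return check_pair(srx4, srx1)


if __name__ == "__main__":
    print("lab pair:", lab_pair() or "OK")
    for finding in lab_pair_without_local_identity():
        print("without local-identity:", finding)
```

The second helper shows the failure mode the thread is about: with the local-identity line removed, the only finding is that SRX4_gateway expects 2.2.2.2 while the NATed SRX identifies itself as 10.0.0.4. The script only compares Phase 1 settings; the proxy-identity lines on the policy-based side are left to the IKE debug on the box.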


Re: Is JunOS affected by "SACK Panic: Linux and FreeBSD Kernels Vulnerable to Remote Denial of Service Vulnerabilities (CVE-2019-11477, CVE-2019-5599)"?


Hi,

Unluckily we haven't got any meaningful reply yet; they only registered our request.

SRX - Azure Express route


Hello all,

I would like to create an Azure ExpressRoute configuration on my on-premises SRX300 series chassis cluster. Is there anyone out there who can share an example config from scratch? (Public peering, private peering, MS peering)

 

Thank you very much in advance.

 

Izac

Re: Site-to-Site VPN with one site behind NAT device


Hi,

Attached is the trace file for the VPN (KMD).

 

Can the SRX4200 configure RPM based on jitter and latency to select a WAN link?


Hi Juniper,

Can I configure RPM based on jitter and latency to select a WAN link that meets the criteria?

Re: Can the SRX4200 configure RPM based on jitter and latency to select a WAN link?

Re: Site-to-Site VPN with one site behind NAT device


Hi Mahmoud,

No attachments are actually seen on your post here, unfortunately; can you check?

 

Cheers

Pooja

Re: SRX - Azure Express route


Izac,

I don't have a sample configuration to share, but this knowledge base article on Microsoft's website covers the essential Juniper snippets on Junos.

Although the device in the example is a Juniper MX router, the same sample applies to the SRX.

Refer to https://docs.microsoft.com/en-us/azure/expressroute/expressroute-config-samples-routing

Let me know if you're stuck on something specific.

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!


Re: SRX300 No bootable media found. Entering loader prompt.


Hi Billy,

 

Can you confirm if you were able to install the OS on this eventually?

 

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX - Azure Express route


Hi JPSEC,

 

Just wondering if that link helped and if you have any further questions on here?

 

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Is JunOS affected by "SACK Panic: Linux and FreeBSD Kernels Vulnerable to Remote Denial of Service Vulnerabilities (CVE-2019-11477, CVE-2019-5599)"?

Flow Session Lookup Fails for return traffic when sourced from the SRX


Having some issues with an SRX dropping the return traffic because it thinks it is a new flow that doesn't belong to any existing session, and says "packet dropped, first pak not syn".

The security flow trace appears to have matching flow data, but the return traffic gets dropped.

The SRX is trying to connect to a remote secondary identity management server across an IPsec tunnel that is terminated on the SRX itself. This connection to the identity management server is sourced from a revenue port. This same issue occurs with an SRX trying to download threat intel feeds from a Policy Enforcer server across the same IPsec tunnel. Any traffic sourced from inside the firewall on the same subnet works; it is only traffic sourced from the SRX itself.

I have included the output of the security flow trace debug basic-datapath as an attachment.

 

 

Return dropped


Jun 25 13:57:43 13:57:43.722769:CID-0:RT:  ge-0/0/2.0:10.254.255.130/9443->10.254.254.254/59093, tcp, flag 12 syn ack
Jun 25 13:57:43 13:57:43.722834:CID-0:RT: find flow: table 0x4ec03d8, hash 5292(0xffff), sa 10.254.255.130, da 10.254.254.254, sp 9443, dp 59093, proto 6, tok 7, conn-tag 0x00000000
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:  packet dropped, first pak not syn
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:flow_initiate_first_path: first pak no session

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Hi,

Could you please share the SRX configuration that you have in place currently?

 

Regards,

HS

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Hi,

ge-0/0/2.0:10.254.255.130/9443->10.254.254.254/59093, tcp, flag 12 syn ack

What does your flow trace configuration look like?

If you have packet filters enabled in both directions (request and response), that should cover both the SYN and the SYN-ACKs.

Is there a NAT in the traffic context?

 

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


There is asymmetric routing in your network. Outgoing traffic from the SRX is going via the st0.2 tunnel interface (ge-0/0/3 exit interface), but the return traffic is not coming back via the tunnel.
Return traffic is received on another interface, ge-0/0/2.0. That is why the SRX is dropping the packets. Please check your routing. Return traffic should come via the tunnel interface.

routed (x_dst_ip 10.254.255.130) from junos-host (.local..0 in 0) to st0.2, Next-hop: 10.254.255.130
going into tunnel 67108908 (nsp_tunnel=0x851eb98)
ge-0/0/2.0:10.254.255.130/9443->10.254.254.254/60169, tcp, flag 10

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Pooja,

Enabling no-syn-check seems like a bad idea for a production firewall, since that disables it globally. However, I thought about using a firewall filter to match the specific flow of traffic and then put that traffic in packet mode. However, I wasn't sure which interface to apply it to.

 

 

 

trace config currently inactive:

 

safesys@Alpharetta-SRX340-01> show configuration security flow traceoptions 
##
## inactive: security flow traceoptions
##
file secFlowDebug size 20m files 5;
flag basic-datapath;
packet-filter filter2 {
    source-prefix 66.194.109.124/32;
    destination-prefix 172.127.49.85/32;
}
packet-filter filter1 {
    source-prefix 172.127.49.85/32;
    destination-prefix 66.194.109.124/32;
}

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


I'll see if I can sanitize it and exclude any unnecessary bits. It is quite long.

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Nellikka,

That was my initial thought as well, and I thought it was odd. That interface is the interface it was sourced on... 10.254.254.254 is configured on ge-0/0/2.0. Is it possible the logs are showing the return on the st0.2 interface that is bound to ge-0/0/3.0, and then it should be routed to the 10.254.254.254 ge-0/0/2.0 interface?

And to reiterate, this is only happening when the SRX is the source address. I can do a secflow trace for working traffic to compare. It wouldn't be sourced from the SRX and would be processed on a different zone-to-zone rule instead of junos-host.

 

 

 

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Pooja,

 

Here is the matching syn for the flow you referenced:

 

Jun 25 13:57:43 13:57:43.687824:CID-0:RT:  .local..0:10.254.254.254/59093->10.254.255.130/9443, tcp, flag 2 syn
ge-0/0/2.0:10.254.255.130/9443->10.254.254.254/59093, tcp, flag 12 syn ack
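The asymmetric-routing diagnosis earlier in this thread, and the SYN / SYN-ACK pair quoted just above, both rest on comparing two trace lines: the SYN from junos-host is routed out via st0.2, while the SYN-ACK is logged on ge-0/0/2.0 and then hits "first pak not syn". The Python script below is an added example for this thread, not Juniper tooling; it automates that comparison over a basic-datapath flow trace, pairing each SYN with its SYN-ACK by 5-tuple, taking the egress interface from the "routed ... to <ifl>" line that follows the SYN, and flagging any flow whose return interface differs from that egress interface. The first flow in SAMPLE_TRACE is rebuilt from the lines quoted in this thread (the "routed" and "going into tunnel" lines were quoted without timestamps, so those timestamps are constructed); the second flow, from 192.168.1.10, is entirely constructed as a healthy comparison. Whether such a mismatch for traffic sourced from the SRX itself is a real routing problem or an artefact of how the trace names the source interface is exactly what the posts above are still working through, so treat a finding as a pointer to check the routing table, not as a verdict.

```python
"""Spot asymmetric return paths in an SRX 'flow trace' (basic-datapath) log.

Added example for this thread, not Juniper tooling. For every TCP SYN it
records the ingress interface and the egress interface from the following
'routed ... to <ifl>' line, then checks that the matching SYN-ACK arrives on
that same egress interface and records any 'packet dropped' reason for it.
The first flow in SAMPLE_TRACE is rebuilt from lines quoted in this thread
(timestamps on the 'routed'/'tunnel' lines are constructed); the second flow
(192.168.1.10) is a constructed healthy flow used for contrast.
"""
import re

SYN, ACK = 0x02, 0x10

PKT = re.compile(r":RT:\s+(?P<ifl>\S+):(?P<src>[\d.]+)/(?P<sport>\d+)->"
                 r"(?P<dst>[\d.]+)/(?P<dport>\d+), tcp, flag (?P<flag>[0-9a-f]+)")
ROUTED = re.compile(r"routed \(x_dst_ip [\d.]+\) from (?P<zone>\S+) \(.*?\) to (?P<ifl>\S+),")
DROP = re.compile(r"packet dropped, (?P<reason>.+?)\s*$")

SAMPLE_TRACE = """\
Jun 25 13:57:43 13:57:43.687824:CID-0:RT:  .local..0:10.254.254.254/59093->10.254.255.130/9443, tcp, flag 2 syn
Jun 25 13:57:43 13:57:43.687901:CID-0:RT:  routed (x_dst_ip 10.254.255.130) from junos-host (.local..0 in 0) to st0.2, Next-hop: 10.254.255.130
Jun 25 13:57:43 13:57:43.687933:CID-0:RT:  going into tunnel 67108908 (nsp_tunnel=0x851eb98)
Jun 25 13:57:43 13:57:43.722769:CID-0:RT:  ge-0/0/2.0:10.254.255.130/9443->10.254.254.254/59093, tcp, flag 12 syn ack
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Jun 25 13:57:43 13:57:43.722848:CID-0:RT:  packet dropped, first pak not syn
Jun 25 13:58:01 13:58:01.100001:CID-0:RT:  ge-0/0/1.0:192.168.1.10/40000->10.254.255.130/9443, tcp, flag 2 syn
Jun 25 13:58:01 13:58:01.100050:CID-0:RT:  routed (x_dst_ip 10.254.255.130) from trust (ge-0/0/1.0 in 0) to st0.2, Next-hop: 10.254.255.130
Jun 25 13:58:01 13:58:01.135000:CID-0:RT:  st0.2:10.254.255.130/9443->192.168.1.10/40000, tcp, flag 12 syn ack
"""


def analyse_trace(lines):
    """Return (flows, findings); flows is keyed by the initiator's 4-tuple."""
    flows, findings, current = {}, [], None
    for line in lines:
        m = PKT.search(line)
        if m:
            p = m.groupdict()
            flags = int(p["flag"], 16)
            fwd = (p["src"], p["sport"], p["dst"], p["dport"])
            rev = (p["dst"], p["dport"], p["src"], p["sport"])
            if flags & SYN and not flags & ACK:  # new connection attempt
                current = flows.setdefault(fwd, {"syn_in": p["ifl"], "from_zone": None,
                                                 "egress": None, "return_in": None,
                                                 "drop": None})
            else:  # reply or mid-stream packet: attach to the flow it belongs to
                current = flows.get(rev) or flows.get(fwd)
                if current and flags & SYN and flags & ACK:
                    current["return_in"] = p["ifl"]
            continue
        if current is None:
            continue
        m = ROUTED.search(line)  # route lookup result for the packet just seen
        if m:
            current["from_zone"], current["egress"] = m.group("zone"), m.group("ifl")
        m = DROP.search(line)
        if m:
            current["drop"] = m.group("reason")
    for (src, sport, dst, dport), st in flows.items():
        if st["return_in"] and st["egress"] and st["return_in"] != st["egress"]:
            findings.append({"flow": f"{src}:{sport} -> {dst}:{dport}",
                             "from_zone": st["from_zone"], "syn_in": st["syn_in"],
                             "egress": st["egress"], "return_in": st["return_in"],
                             "drop": st["drop"]})
    return flows, findings


if __name__ == "__main__":
    _, problems = analyse_trace(SAMPLE_TRACE.splitlines())
    for f in problems:
        print(f"{f['flow']}: SYN from {f['from_zone']} left via {f['egress']}, "
              f"SYN-ACK returned on {f['return_in']} (drop: {f['drop']})")
```

Run against the real trace with "python3 script.py < secFlowDebug" after replacing SAMPLE_TRACE with sys.stdin; the filter in the traceoptions snippet above already captures both directions, which is what the pairing by 5-tuple needs.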

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


 

If you know the "ideal" path this traffic context/flow should be taking, adding that flow into selective packet mode might be an option.

 

But I feel like it's too early in the troubleshooting here to make such a major change.

 

I did not notice the attached traces earlier on, I will respond back shortly after reviewing it.

 

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
