Channel: All SRX Services Gateway posts

COS to QOS, "exact" conditions ?

I have configured COS and it isn't just for PC hosts. I have put some wireless APs on ports ge-0/0/13.0 - ge-0/0/15.0. They are routed and have QOS running. In those routers I have set bandwidth limits. In the srx240b2 (junos 11.4xxx) I have set my unit 0 COS mapping to "exact" but have not set bandwidth limits or rate limiting or anything else. I'm assuming for a good reason that I can indeed use exact; however, I have a question.

1. Should I try to match the QOS bandwidth limit on the APs?

2. Will I get better processing time?

3. Overall, is using an exact buffer a bad idea?

    schedulers {
        be-scheduler {
            transmit-rate exact;
            buffer-size exact;
            priority low;
        }
        ef-scheduler {
            transmit-rate exact;
            buffer-size exact;
            priority high;
        }
        af-scheduler {
            transmit-rate exact;
            buffer-size exact;
            priority high;
        }
        nc-scheduler {
            transmit-rate exact;
            buffer-size exact;
            priority low;
        }
    }
}

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Hi 

 

 

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Something like this:

show | display set | match 10.254.254.254

show | display set | match 10.254.255.130

And, show the ike + ipsec configuration hierarchies, of course after sanitizing sensitive information?

 

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: COS to QOS, "exact" conditions ?


Hi eugene1973,

 

Please find the answers inline below:

 

1. Should I try to match the QOS bandwidth limit on the APs?

 

A1: I guess this is dependent on your environment and how the APs are performing with the current values you have configured. However it wouldn't be a bad idea to match the bandwidth limit of the APs if possible since you want them to perform at their full potential. However if you want to throttle the traffic coming from those APs then you can define the limits accordingly.

 

2. Will I get better processing time?

 

A2: I think this is related to the APs and this purely depends on how the APs are currently performing. If you do match the bandwidth limit of the APs, then it would perform better.

 

3. Overall, is using an exact buffer a bad idea?

 

A3: When you configure transmit-rate 'exact' then basically you are hard setting the limit without any ability to burst higher if the resources are indeed available. So I would recommend using this with caution and per design needs.

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

 

Regards,

HS
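
The point made in the reply above, that 'exact' hard-sets a queue's limit with no ability to burst into idle bandwidth, shown as an added example (not part of the original posts, and not the Junos scheduler algorithm): a simplified Python model of one egress link. The queue names come from the thread; the link speed, percentages, offered loads and the proportional sharing of spare bandwidth are assumptions.

```python
# Simplified model (an assumption, not the Junos implementation): each queue is
# first granted min(offered load, configured share of the link). Spare bandwidth
# is then shared among queues that still have traffic waiting, in proportion to
# their configured shares, but never given to a queue marked "exact".

def allocate(link_mbps, queues):
    """queues maps name -> (share_percent, offered_mbps, exact); returns Mbps per queue."""
    grant = {n: min(offered, link_mbps * pct / 100.0)
             for n, (pct, offered, _exact) in queues.items()}
    spare = link_mbps - sum(grant.values())
    while spare > 1e-9:
        # Queues allowed to burst: not exact, non-zero share, still backlogged.
        hungry = {n: pct for n, (pct, offered, exact) in queues.items()
                  if not exact and pct > 0 and offered - grant[n] > 1e-9}
        if not hungry:
            break  # spare bandwidth stays idle
        total = sum(hungry.values())
        used = 0.0
        for n, pct in hungry.items():
            extra = min(spare * pct / total, queues[n][1] - grant[n])
            grant[n] += extra
            used += extra
        spare -= used
    return grant

LINK_MBPS = 100  # constructed sample link speed

def sample(be_exact):
    """Constructed sample load: best-effort is congested, the other queues are light."""
    return {
        "be-scheduler": (40, 90, be_exact),
        "ef-scheduler": (10, 5, False),
        "af-scheduler": (30, 10, False),
        "nc-scheduler": (20, 1, False),
    }

if __name__ == "__main__":
    for flag in (True, False):
        result = allocate(LINK_MBPS, sample(flag))
        label = "be exact    " if flag else "be can burst"
        print(label, {n: round(v, 1) for n, v in result.items()},
              "idle:", round(LINK_MBPS - sum(result.values()), 1))
```

In this model the exact best-effort queue stays at its 40 Mbps share while 44 Mbps of the link sits idle; without exact it absorbs the idle bandwidth.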

 

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Pooja,

Here is the requested info.

 

 

user@SRX340-01> show configuration | display set | match 10.254.254.254  
set system syslog host 10.2.45.31 source-address 10.254.254.254
set security log source-address 10.254.254.254
set security address-book global address srx-FW-LAN-Interface 10.254.254.254/32
set interfaces ge-0/0/2 unit 0 family inet address 10.254.254.254/24

user@SRX340-01> show configuration | display set | match 10.254.255.130    
set services user-identification identity-management connection secondary address 10.254.255.130

user@SRX340-01> show route 10.254.255.130 

inet.0: 142 destinations, 180 routes (142 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.254.255.0/24    *[Static/2] 6d 15:17:43
                    >  via st0.2
                    [Static/5] 6d 15:17:42
                    >  via st0.2

mgmt_junos.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 6d 15:20:13
                    >  to 10.254.254.1 via fxp0.0



user@srx-SRX340-01> show configuration security ike 
proposal WUS_Sonicwall_Proposal {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}

policy Beta_WUS_Sonicwall {
    mode main;
    proposals WUS_Sonicwall_Proposal;
    pre-shared-key ascii-text "****************************"; ## SECRET-DATA
}

gateway 68_xxx_xxx_189_Beta_WUS_Sonicw {
    ike-policy Beta_WUS_Sonicwall;
    address 68.xxx.xxx.189;
    dead-peer-detection {
        always-send;
        interval 15;
        threshold 5;
    }
    nat-keepalive 1;
    local-identity inet 12.xxx.xxx.34;
    remote-identity inet 68.xxx.xxx.189;
    external-interface ge-0/0/3.0;
}                                       


user@srx-SRX340-01> show configuration security ipsec     
proposal WUS_Sonicwall_Proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy Beta_WUS_Sonicwall {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals WUS_Sonicwall_Proposal;
}

vpn 68_xxx_xxx_189_Beta_WUS_Sonicw {
    bind-interface st0.2;
    ike {
        gateway 68_xxx_xxx_189_Beta_WUS_Sonicw;
        ipsec-policy Beta_WUS_Sonicwall;
    }
    traffic-selector servers-to-WUSserver {
        local-ip 10.254.254.0/24;
        remote-ip 10.254.255.0/24;
    }
 }

 
 
 
user@SRX340-01> show configuration interfaces 

ge-0/0/2 {
    description "Trust interface";
    unit 0 {
        family inet {
            address 10.254.254.254/24;
        }
    }
}
ge-0/0/3 {
    description "untrust Interface";
    unit 0 {
        family inet {
            address 12.xxx.xxx.34/27 {
                primary;
                preferred;
            }
        }
    }
}

fxp0 {
    unit 0 {
        family inet {
            address 10.254.254.230/24;
        }
    }
}
st0 {
    unit 2 {
        family inet;
    }
}





user@SRX340-01> show configuration routing-instances 
mgmt_junos {
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.254.254.1;
        }
    }
}





safesys@Alpharetta-SRX340-01> show configuration routing-options  
static {
    route 0.0.0.0/0 next-hop 12.xxx.xxx.33;
    route 10.254.255.0/24 {
        next-hop st0.2;
        preference 2;
    }
}

 

 


Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


 

 

Can you test traffic through this very vpn which isn't sourced on the firewall itself?

Meaning non junos-host sourced traffic that transits the firewall, matches the traffic selector and leaves?

 

Cheers

Pooja

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Agreed, my bad. I thought your ge-0/0/2 interface was your untrust interface. 

 

Regards,

HS


Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


pmallya,

 

I've tested prior and it works for any other device on the same subnet. Are you wanting me to provide a secflow trace for the working flow?


CoS based on Cloud destination


Sorry, I'm new to Junos and need some quick help.

I have SRX345 with JSE and would like to prioritize traffic to Line of Business Cloud websites (e.g. https://www.abc.com, https://www.def.com). I have a 16MB internet connection and would like to give traffic to these destinations 10MB.

My internet interface is ge-0/0/0 (10.81.10.1/24) and my internal interface is ge-0/0/1 (10.80.10.1/24). Have no VLANs. Your quick help with configuration sample will be highly appreciated.

 

SRX320 has identity crisis and thinks it's an SRX300


The SRX320 is running 15.1X49-D120.3

This switch used to work fine for ±1 month on my desk, but after a reboot today, the PoE stopped working. It's like it doesn't even exist in the config. I tried to zeroize in case something was up in the config but still nothing on the ports

 

When I try to add PoE settings it doesn't work. It gives me this:

[edit poe]
root# set ?
No valid completions

 

If I try to "show poe something", it gives me this:

root> show poe ?
No valid completions

 

And just now, I noticed that the switch thinks it is an SRX300, which would explain why I don't have any PoE settings

root> show version
Model: srx300
Junos: 15.1X49-D120.3
JUNOS Software Release [15.1X49-D120.3]

 

Do you guys have any suggestion on why/how this happens? Should I just RMA the thing?

Re: SRX320 has identity crisis and thinks it's an SRX300


My SRX320's show up as 300's as well. I think this is normal. The SRX is a firewall, but you keep calling it a switch--are you sure you are logged into the right device? Otherwise, it's possible the unit is not recognizing that it has poe capabilities. My non-poe unit does not allow configuring poe options.

Re: Flow Session Lookup Fails for return traffic when sourced from the SRX


Hi 

 

 

 

Re: SRX320 has identity crisis and thinks it's an SRX300


Hi viz,

 

I suppose this isn't an expected behavior. So would recommend opening a JTAC case for it to be investigated further.

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

 

Regards,

HS


Re: SRX320 has identity crisis and thinks it's an SRX300


Hi viz,

 

I just did a quick test in my lab and I see the following output on my SRX320-poe:

 

root@t11-40> show version
Hostname: t11-40
Model: srx320-poe <<<<<
Junos: 15.1X49-D120.3
JUNOS Software Release [15.1X49-D120.3]
JUNOS Firmware Software Suite [15.1X49-D50.3]

root@t11-40> show poe ?
Possible completions:
  controller           Show Power over Ethernet system information <<<<<
  interface            Show Power over Ethernet interfaces <<<<<
  telemetries          Show Power over Ethernet telemetries <<<<<

 

So when you get a chance, please open a JTAC case for further investigation.

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

 

Regards,

HS

Re: SRX320 has identity crisis and thinks it's an SRX300


Hi viz,

 

Can you confirm if you have any Jflow services configured on this SRX?

 

Cheers

Pooja 

 

Re: SRX320 has identity crisis and thinks it's an SRX300


Viz, please check whether by any chance LLDP is enabled on the SRX; if yes, disable that and reboot the SRX box again to see if that fixes the problem.

 

 

standby node liveliness to be monitored in HA


Hi Guys,

 

We have srx1500s set up in HA. Currently our NMS only monitors the liveliness of the active node. Is there a way to monitor the backup node to alert us by NMS if it reboots or goes down? Thanks

Re: SRX320 has identity crisis and thinks it's an SRX300


Hi 

 

This seems strange indeed. Can you connect via console and check the same?

 

Regards,

 

Vikas
