
Re: RTP Stream

**Solved**

OK, so running H323 over a VPN requires disabling both the SIP ALG and the H323 ALG:

ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Enabled
MSRPC : Disabled
PPTP : Enabled
RSH : Disabled
RTSP : Disabled
SCCP : Disabled
SIP : Disabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Enabled

Then I created a security policy, as per the assistance on this thread, for junos-h323 only (and then another policy for application 'any').

I now have RTP in both directions. Thanks for everyone's input.


Re: SRX-300 J-Web ERR_TUNNEL_CONNECTION_FAILED https access

Hi there,

Thanks for coming to my aid on this one! It was really just a human blunder...

I was connected to the device with a statically addressed LAN port on a laptop. Meanwhile the laptop was connected to our enterprise network via wireless, so I could remote into my laptop and work on the Juniper from my main machine. The device didn't mind responding to ping or allowing SSH while I worked in this manner.

When I turned the wireless function off on the laptop and removed the proxy settings, the GUI worked fine. It's always the basic things.

Re: Juniper SRX and Office 365

Hi,

I know this isn't what you are looking for, but it is worth mentioning within the same scope as O365.

It would be a good thing if support were added for dynamic IP objects to handle JSON via a remote URL, so the policy enforcer could grab the O365 "IP white list" and permit traffic based on that.

The same goes for other cloud-based services that share their current IP lists in a public place.

Re: Is there URGENT/11 Vulnerabilities on SRX?

Re: Juniper SRX and Office 365

Gunner,

One possible option is to use Sky ATP services on the SRX, more specifically the Office 365 IP filter feed, which is an up-to-date list of published IP addresses for Office 365 service endpoints that you can use in security policies.

To use it, you would configure the feed as a dynamic address object like below (define an address-name, here I call it "office365", that maps to the feed's specific name "ipfilter_office365"):

# set security dynamic-address address-name office365 profile category IPFilter feed ipfilter_office365

Then you can match on the address "office365" in a policy like this (I was testing deny, but of course you might want to permit):

policy o365 {
    match {
        source-address any;
        destination-address office365;
        application any;
    }
    then {
        deny;
        log {
            session-init;
        }
    }
}

You can find a little more here: https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-atp-integrated-feeds.html

traffic only flows in one direction through routed based VPN between srx and paloalto

Hi guys,

I have come across a strange issue when I try to create a VPN tunnel between an SRX100 and a Palo Alto (the tunnel is up and stable). When I enable source NAT on the SRX, a client computer behind the Palo Alto can't communicate with a client behind the SRX, but a client behind the SRX can communicate with a client behind the Palo Alto. When I remove the source NAT everything works fine, but then the local clients behind the SRX can't access the internet as there is no source NAT. If I route all the traffic through the VPN tunnel, everything also works fine. I will post my configuration below; it would be really helpful if someone could please point me in the right direction to solve the issue.

(172.18.40.1/27)srx----------internet------------paloalto(172.16.0.0/16)

set version 12.1X46-D86
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet address 233.54.23.23/25
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 10.0.0.1/24
set interfaces vlan unit 0 family inet address 172.18.40.1/27
set routing-options static route 0.0.0.0/0 next-hop 234.38.76.76
set protocols stp
set security ike policy asianet mode main
set security ike policy asianet proposal-set standard
set security ike policy asianet pre-shared-key ascii-text "$9$H.T36/t1RSHqCuOBSy24aJi.QF/tu1ZU/tu0hc"
set security ike gateway ike-asianet ike-policy asianet
set security ike gateway ike-asianet address 233.45.65.75
set security ike gateway ike-asianet external-interface fe-0/0/0
set security ipsec policy asianetvpn proposal-set standard
set security ipsec vpn ike-asianet bind-interface st0.0
set security ipsec vpn ike-asianet ike gateway ike-asianet
set security ipsec vpn ike-asianet ike ipsec-policy asianetvpn
set security ipsec vpn ike-asianet establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match destination-address 172.16.0.0/16
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule then source-nat off
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces st0.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

Re: traffic only flows in one direction through routed based VPN between srx and paloalto

Hi,

I can see you have two source NAT rules. Which one are you deactivating when you say "when I enable source nat in srx, a client computer behind paloalto can't communicate with client behind srx"?

Can you run flow traceoptions while the traffic is not working properly:

# set security flow traceoptions file TRACE
# set security flow traceoptions flag basic-datapath
# set security flow traceoptions packet-filter TEST source-prefix 172.16.0.0/16
# commit

[try sending traffic from 172.16.0.0/16]

# run show log TRACE

Re: traffic only flows in one direction through routed based VPN between srx and paloalto

You may configure the st0 interface in a separate zone (e.g. VPN) and not configure source NAT from trust to the VPN zone; configure source NAT only from trust to untrust.

Re: traffic only flows in one direction through routed based VPN between srx and paloalto

And configure routing for the Palo Alto networks via the st0 interface.

Re: Is it possible to put two vlans or interfaces on the same port?

I appreciate all your collaboration, but I have barely had time due to work. Tomorrow morning I will put up all the information I have been asked for, although I deleted the irb 1500 configuration to test what you advised me. Thanks epaniagua and spuluka.

Re: traffic only flows in one direction through routed based VPN between srx and paloalto

I changed the configuration according to your suggestion (please see it below), but the issue is still there. I can remote desktop to clients behind the Palo Alto but can't make any connection to an IP behind the SRX. The SRX100 is in a branch and the Palo Alto is in HQ.

If I ping from the DNS server to a client behind the SRX it won't complete; see the results.

C:\Users\administrator.MPP>ping 172.30.10.4
Pinging 172.30.10.4 with 32 bytes of data:
Request timed out.

and the tracert results:

C:\Users\administrator.MPP>tracert 172.30.10.4

Tracing route to 172.30.10.4 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  palo.mpp.in [172.16.0.240]
  2    28 ms    28 ms    27 ms  10.0.0.3
  3     *        *        *     Request timed out.

It reaches the st0.0 interface IP and then drops, but if I ping the gateway of the LAN interface, which is 172.16.10.1, it succeeds; see the tracert and ping results below.

Tracing route to 172.30.10.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  palo.mpp.in [172.16.0.240]
  2    38 ms    39 ms    38 ms  172.30.10.1

Pinging 172.30.10.1 with 32 bytes of data:
Reply from 172.30.10.1: bytes=32 time=38ms TTL=63

Please see the configuration below.

set version 12.1X46-D86
set system host-name Kochi-TV
set system services ssh
set system services web-management http interface vlan.0
set system services dhcp pool 172.30.10.32/27 address-range low 172.30.10.34
set system services dhcp pool 172.30.10.32/27 address-range high 172.30.10.61
set system services dhcp pool 172.30.10.32/27 default-lease-time 14400
set system services dhcp pool 172.30.10.32/27 name-server 172.16.0.130
set system services dhcp pool 172.30.10.32/27 name-server 8.8.8.8
set system services dhcp pool 172.30.10.32/27 router 172.30.10.33
set system services dhcp pool 172.30.10.64/27 address-range low 172.30.10.66
set system services dhcp pool 172.30.10.64/27 address-range high 172.30.10.94
set system services dhcp pool 172.30.10.64/27 default-lease-time 3600
set system services dhcp pool 172.30.10.64/27 name-server 172.16.0.130
set system services dhcp pool 172.30.10.64/27 name-server 8.8.8.8
set system services dhcp pool 172.30.10.64/27 router 172.30.10.65
set system services dhcp pool 172.30.10.0/27 address-range low 172.30.10.4
set system services dhcp pool 172.30.10.0/27 address-range high 172.30.10.30
set system services dhcp pool 172.30.10.0/27 default-lease-time 3600
set system services dhcp pool 172.30.10.0/27 name-server 172.16.0.130
set system services dhcp pool 172.30.10.0/27 name-server 202.88.231.2
set system services dhcp pool 172.30.10.0/27 router 172.30.10.1
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 6
set interfaces fe-0/0/0 unit 0 family inet address 234.223.54.5/22
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members Corporate
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 10.0.0.3/24
set interfaces vlan unit 0 family inet address 172.30.10.1/27
set interfaces vlan unit 10 family inet address 172.30.10.33/27
set interfaces vlan unit 20 family inet address 172.30.10.65/27
set routing-options static route 0.0.0.0/0 next-hop 234.223.65.2
set routing-options static route 172.16.0.130/32 next-hop st0.0
set routing-options static route 172.16.0.240/32 next-hop st0.0
set routing-options static route 172.16.3.52/32 next-hop st0.0
set routing-options static route 172.16.0.135/32 next-hop st0.0
set security ike policy asianet mode main
set security ike policy asianet proposal-set standard
set security ike policy asianet pre-shared-key ascii-text "$9$Uyj.PTz39tuQzylvWx7"
set security ike gateway ike-asianet ike-policy asianet
set security ike gateway ike-asianet address 65.23.78.56
set security ike gateway ike-asianet external-interface fe-0/0/0
set security ipsec policy asianetvpn proposal-set standard
set security ipsec vpn ike-asianet bind-interface st0.0
set security ipsec vpn ike-asianet ike gateway ike-asianet
set security ipsec vpn ike-asianet ike ipsec-policy asianetvpn
set security ipsec vpn ike-asianet establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set no-nat-vpn from zone lan
set security nat source rule-set no-nat-vpn to zone vpn
set security nat source rule-set no-nat-vpn rule no-nat1 match source-address 0.0.0.0/0
set security nat source rule-set no-nat-vpn rule no-nat1 match destination-address 0.0.0.0/0
set security nat source rule-set no-nat-vpn rule no-nat1 then source-nat off
set security nat source rule-set source-nat from zone lan
set security nat source rule-set source-nat to zone untrust
set security nat source rule-set no-nat-vpn rule no-nat match source-address 172.30.10.0/24
set security nat source rule-set no-nat-vpn rule no-nat match destination-address 172.16.0.0/16
set security nat source rule-set no-nat-vpn rule no-nat then source-nat off
set security nat source rule-set source-nat rule source-nat match source-address 172.30.10.0/24
set security nat source rule-set source-nat rule source-nat then source-nat interface
set security policies from-zone lan to-zone untrust policy lan-to-untrust match source-address any
set security policies from-zone lan to-zone untrust policy lan-to-untrust match destination-address any
set security policies from-zone lan to-zone untrust policy lan-to-untrust match application any
set security policies from-zone lan to-zone untrust policy lan-to-untrust then permit
set security policies from-zone lan to-zone lan policy lan-to-lan match source-address any
set security policies from-zone lan to-zone lan policy lan-to-lan match destination-address any
set security policies from-zone lan to-zone lan policy lan-to-lan match application any
set security policies from-zone lan to-zone lan policy lan-to-lan then permit
set security policies from-zone vpn to-zone lan policy vpn-lan match source-address any
set security policies from-zone vpn to-zone lan policy vpn-lan match destination-address any
set security policies from-zone vpn to-zone lan policy vpn-lan match application any
set security policies from-zone vpn to-zone lan policy vpn-lan then permit
set security policies from-zone lan to-zone vpn policy lan-vpn match source-address any
set security policies from-zone lan to-zone vpn policy lan-vpn match destination-address any
set security policies from-zone lan to-zone vpn policy lan-vpn match application any
set security policies from-zone lan to-zone vpn policy lan-vpn then permit
set security zones security-zone lan host-inbound-traffic system-services ping
set security zones security-zone lan host-inbound-traffic system-services ssh
set security zones security-zone lan host-inbound-traffic system-services snmp
set security zones security-zone lan host-inbound-traffic system-services http
set security zones security-zone lan host-inbound-traffic system-services all
set security zones security-zone lan host-inbound-traffic system-services snmp-trap
set security zones security-zone lan host-inbound-traffic protocols pim
set security zones security-zone lan host-inbound-traffic protocols all
set security zones security-zone lan interfaces vlan.0 host-inbound-traffic system-services dhcp
set security zones security-zone lan interfaces vlan.0 host-inbound-traffic system-services all
set security zones security-zone lan interfaces vlan.10 host-inbound-traffic system-services dhcp
set security zones security-zone lan interfaces vlan.20 host-inbound-traffic system-services dhcp
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set vlans Corporate vlan-id 5
set vlans Corporate l3-interface vlan.0
set vlans Guest vlan-id 10
set vlans Guest l3-interface vlan.10
set vlans Phone vlan-id 20
set vlans Phone l3-interface vlan.20

One more observation: if I remove the NAT rule everything works without any issue, but the internet won't work as there is no source NAT rule. I tried to send all traffic, including internet, to our HQ through the tunnel and that also works without any issue, but I get slow bandwidth.

It would be really helpful if you can help me; I am out of options here.
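The source NAT rule-set logic the replies above lean on, as an added example that is not code from the thread: a small Python model of how the SRX picks the rule-set for a session's from-zone/to-zone pair and then takes the first matching rule in configured order. The rule-sets are transcribed from the configuration just posted (the source-nat rule has no destination-address match, so it is modelled as 0.0.0.0/0); the zone names and addresses are the page's own, the class and function names are the example's. The model covers zone contexts only, not interface or routing-instance contexts. Run against that config it agrees with the vpn-to-lan trace later in the thread (no rule-set for that zone pair, so no translation) and also flags that rule no-nat can never fire, because no-nat1 ahead of it already matches every source and destination.

```python
"""Model of SRX source NAT rule selection for the configuration posted above.

Added example, not code from the thread. Junos picks the rule-set whose
from/to context matches the session (this model covers zone contexts only,
not interface or routing-instance contexts), then evaluates that rule-set's
rules top-down and the first match wins. Rule-sets are transcribed from the
post; the source-nat rule has no destination match, i.e. any destination.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class SrcNatRule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str  # "off" (no translation) or "interface"

    @classmethod
    def build(cls, name: str, src: str, dst: str, action: str) -> SrcNatRule:
        return cls(name, ip_network(src), ip_network(dst), action)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


@dataclass(frozen=True)
class SrcNatRuleSet:
    name: str
    from_zone: str
    to_zone: str
    rules: tuple[SrcNatRule, ...]


# Transcribed from the posted configuration (rule order as configured).
PAGE_RULE_SETS = (
    SrcNatRuleSet("no-nat-vpn", "lan", "vpn", (
        SrcNatRule.build("no-nat1", "0.0.0.0/0", "0.0.0.0/0", "off"),
        SrcNatRule.build("no-nat", "172.30.10.0/24", "172.16.0.0/16", "off"),
    )),
    SrcNatRuleSet("source-nat", "lan", "untrust", (
        SrcNatRule.build("source-nat", "172.30.10.0/24", "0.0.0.0/0", "interface"),
    )),
)


def lookup(rule_sets, from_zone: str, to_zone: str, src: str, dst: str) -> Optional[tuple[str, str, str]]:
    """(rule-set, rule, action) applied to a session, or None when nothing translates it."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rs in rule_sets:
        if (rs.from_zone, rs.to_zone) != (from_zone, to_zone):
            continue
        # Junos allows one rule-set per from/to context, so the search ends here either way.
        for rule in rs.rules:
            if rule.matches(src_ip, dst_ip):
                return rs.name, rule.name, rule.action
        return None
    return None


def shadowed_rules(rs: SrcNatRuleSet) -> list[str]:
    """Rules that can never fire because an earlier rule already covers all their addresses."""
    dead = []
    for i, later in enumerate(rs.rules):
        if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst) for e in rs.rules[:i]):
            dead.append(later.name)
    return dead


if __name__ == "__main__":
    print(lookup(PAGE_RULE_SETS, "lan", "vpn", "172.30.10.4", "172.16.3.52"))  # no-nat1, off
    print(lookup(PAGE_RULE_SETS, "lan", "untrust", "172.30.10.4", "8.8.8.8"))  # source-nat, interface
    print(lookup(PAGE_RULE_SETS, "vpn", "lan", "172.16.3.52", "172.30.10.4"))  # None: no rule-set
    print(shadowed_rules(PAGE_RULE_SETS[0]))                                    # ['no-nat']
```

The shadowing check is the one worth keeping around: a catch-all "source-nat off" rule placed first in a rule-set silently makes every more specific rule below it dead, and the SRX will commit that configuration without complaint.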

Re: traffic only flows in one direction through routed based VPN between srx and paloalto

Hi,

Only the first two commands are recognised. When I type packet-filter, the command is not recognised, but I tried to read the log without filtering and the result is below.

Oct 17 13:26:10 13:26:10.033911:CID-0:RT:proc_loopback_common: Found loop if vlan.0
Oct 17 13:26:13 13:26:10.033911:CID-0:RT:check self-traffic on vlan.0, in_tunnel 0x44c0b254
Oct 17 13:26:13 13:26:10.033911:CID-0:RT:retcode: 0x204
Oct 17 13:26:13 13:26:10.033911:CID-0:RT:pak_for_self : proto 1, dst port 1, action 0x4
Oct 17 13:26:13 13:26:10.033911:CID-0:RT: flow_first_create_session
Oct 17 13:26:13 13:26:10.033911:CID-0:RT:Loopback first path alloc pending session, natp=0x4515c430, id=11813
Oct 17 13:26:13 13:26:10.033911:CID-0:RT: flow_first_in_dst_nat: in <vlan.0>, out <N/A> dst_adr 172.30.10.1, sp 31141, dp 1
Oct 17 13:26:13 13:26:10.033911:CID-0:RT: chose interface st0.0 as incoming nat if.
Oct 17 13:26:13 13:26:10.033911:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.30.10.1(1)
Oct 17 13:26:13 13:26:10.033911:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.16.3.52, x_dst_ip 172.30.10.1, in ifp vlan.0, out ifp N/A sp 31141, dp 1, ip_proto 1, tos 0
Oct 17 13:26:13 13:26:10.033911:CID-0:RT:Doing DESTINATION addr route-lookup
Oct 17 13:26:13 13:26:10.033911:CID-0:RT:flow_ipv4_rt_lkup success 172.30.10.1, iifl 0x46, oifl 0x0
Oct 17 13:26:13 13:26:10.033911:CID-0:RT: routed (x_dst_ip 172.30.10.1) from lan (vlan.0 in 0) to .local..0, Next-hop: 172.30.10.1

Re: Is it possible to put two vlans or interfaces on the same port?

I have tried to follow the configuration, but I don't know if it is because of the software version I have on the SRX550; it doesn't let me, and I get this error:

root# ...B interfaces irb.2500 host-inbound-traffic system-services ping
error: interface-unit: 'irb.2500': This interface cannot be configured in a zone
error: statement creation failed: irb.2500

I have been asked to put a bridge on one port, where we host all the virtual routers. I am posting the configuration I have right now, but I think I will delete it and start from scratch because there are things that are not yet clear to me. Could I put several virtual routers in a bridge domain? Thank you.

My config:

root# show
## Last changed: 2019-10-17 11:43:29 UTC
version 12.3X48-D85.1;
system {
    root-authentication {
        encrypted-password "$1$lF6LWOE6$AhiW/stsYxHoqWoeqGYNU0"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            https {
                port 443;
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
}
security {
    policies;
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone RepartoZone {
            description "Zona del router de reparto.";
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.20.10/24;
            }
        }
    }
    ge-0/0/4 {
        vlan-tagging;
        unit 0 {
            family bridge {
                interface-mode trunk;
                vlan-id-list [ 2500 3500 ];
            }
        }
    }
    irb {
        unit 2500 {
            family inet {
                address 192.168.7.254/24;
            }
        }
        unit 3500 {
            family inet {
                address 172.22.1.254/24;
            }
        }
    }
}
routing-instances {
    VRPRUEBA {
        description "Este router es de prueba para conectar entre ellos mismos";
        instance-type virtual-router;
        interface irb.2500;
    }
}

Thanks!

Re: traffic only flows in one direction through routed based VPN between srx and paloalto

Please ignore my previous post about traceoptions; this is what I get when I run security flow traceoptions.

Oct 18 00:02:19 00:02:19.844570:CID-0:RT:packet [60] ipid = 52936, @0x40899a3e
Oct 18 00:02:19 00:02:19.844570:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x40899800, rtbl_idx = 0
Oct 18 00:02:19 00:02:19.844570:CID-0:RT: in_ifp <vpn:st0.0>
Oct 18 00:02:19 00:02:19.844570:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x431f25c8
Oct 18 00:02:19 00:02:19.844570:CID-0:RT:pkt out of tunnel.Proceed normally
Oct 18 00:02:19 00:02:19.844570:CID-0:RT: st0.0:172.16.3.52->172.30.10.4, icmp, (8/0)
Oct 18 00:02:19 00:02:19.844570:CID-0:RT: find flow: table 0x42689418, hash 16596(0xffff), sa 172.16.3.52, da 172.30.10.4, sp 34370, dp 1, proto 1, tok 8
Oct 18 00:02:19 00:02:19.844570:CID-0:RT: no session found, start first path. in_tunnel - 0x445656d8, from_cp_flag - 0
Oct 18 00:02:19 00:02:19.844570:CID-0:RT: flow_first_create_session
Oct 18 00:02:19 00:02:19.844570:CID-0:RT: flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr 172.30.10.4, sp 34370, dp 1
Oct 18 00:02:19 00:02:19.844570:CID-0:RT: chose interface st0.0 as incoming nat if.
Oct 18 00:02:19 00:02:19.844570:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.30.10.4(1)
Oct 18 00:02:19 00:02:19.844570:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.16.3.52, x_dst_ip 172.30.10.4, in ifp st0.0, out ifp N/A sp 34370, dp 1, ip_proto 1, tos 0
Oct 18 00:02:19 00:02:19.844570:CID-0:RT:Doing DESTINATION addr route-lookup
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: routed (x_dst_ip 172.30.10.4) from vpn (st0.0 in 0) to vlan.0, Next-hop: 172.30.10.4
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_policy_search: policy search from zone vpn-> zone lan (0x0,0x86420001,0x1)
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:policy lkup: vsys 0 zone(8:vpn) -> zone(6:lan) scope:0
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: 172.16.3.52/2048 -> 172.30.10.4/50968 proto 1
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: permitted by policy vpn-lan(6)
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: packet passed, Permitted by policy.
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: dip id = 0/0, 172.16.3.52/34370->172.16.3.52/34370 protocol 0
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: choose interface vlan.0 as outgoing phy if
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.0, addr: 172.30.10.4, rtt_idx:0
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf : Alloc sess plugin info for session 2412
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:[JSF]Normal interest check. regd plugins 13, enabled impl mask 0x0
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 138986356, impli mask(0x0), post_nat cnt 2412 svc req(0x0)
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:-jsf : no plugin interested for session 2412, free sess plugin info
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_service_lookup(): natp(0x44671b28): app_id, 0(0).
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: service lookup identified service 0.
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: flow_first_final_check: in <st0.0>, out <vlan.0>
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_first_complete_session, pak_ptr: 0x4270a328, nsp: 0x44671b28, in_tunnel: 0x445656d8
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:construct v4 vector for nsp2
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: existing vector list 0x204-0x41f5e650.
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: Session (id:2412) created for first pak 204
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: flow_first_install_session======> 0x44671b28
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: nsp 0x44671b28, nsp2 0x44671ba8
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: make_nsp_ready_no_resolve()
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: route lookup: dest-ip 172.16.3.52 orig ifp st0.0 output_ifp st0.0 orig-zone 8 out-zone 8 vsd 0
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: route to 172.16.3.52
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:avt_get_config_by_lsys_id: Not supported on low memory platforms.
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:no need update ha
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:Installing s2c NP session wing
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: flow got session.
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: flow session id 2412
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: vector bits 0x204 vector 0x41f5e650
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: encap vector
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: no more encapping needed
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:mbuf 0x40899800, exit nh 0x100010
Oct 18 00:02:20 00:02:19.844570:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x4270a328 associated with mbuf 0x40899800
Oct 18 00:02:20 00:02:19.844570:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:<172.16.3.52/34371->172.30.10.4/1;1> matched filter test:
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:packet [60] ipid = 52937, @0x4089233e
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x40892100, rtbl_idx = 0
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: in_ifp <vpn:st0.0>
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x431f25c8
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:pkt out of tunnel.Proceed normally
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: st0.0:172.16.3.52->172.30.10.4, icmp, (8/0)
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: find flow: table 0x42689418, hash 61220(0xffff), sa 172.16.3.52, da 172.30.10.4, sp 34371, dp 1, proto 1, tok 8
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: no session found, start first path. in_tunnel - 0x445656d8, from_cp_flag - 0
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow_first_create_session
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr 172.30.10.4, sp 34371, dp 1
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: chose interface st0.0 as incoming nat if.
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.30.10.4(1)
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.16.3.52, x_dst_ip 172.30.10.4, in ifp st0.0, out ifp N/A sp 34371, dp 1, ip_proto 1, tos 0
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:Doing DESTINATION addr route-lookup
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: routed (x_dst_ip 172.30.10.4) from vpn (st0.0 in 0) to vlan.0, Next-hop: 172.30.10.4
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_policy_search: policy search from zone vpn-> zone lan (0x0,0x86430001,0x1)
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:policy lkup: vsys 0 zone(8:vpn) -> zone(6:lan) scope:0
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: 172.16.3.52/2048 -> 172.30.10.4/50967 proto 1
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: permitted by policy vpn-lan(6)
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: packet passed, Permitted by policy.
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: dip id = 0/0, 172.16.3.52/34371->172.16.3.52/34371 protocol 0
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: choose interface vlan.0 as outgoing phy if
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.0, addr: 172.30.10.4, rtt_idx:0
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf : Alloc sess plugin info for session 2418
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:[JSF]Normal interest check. regd plugins 13, enabled impl mask 0x0
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 138986356, impli mask(0x0), post_nat cnt 2418 svc req(0x0)

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:-jsf : no plugin interested for session 2418, free sess plugin info

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_service_lookup(): natp(0x446725d8): app_id, 0(0).

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: service lookup identified service 0.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow_first_final_check: in <st0.0>, out <vlan.0>

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_complete_session, pak_ptr: 0x4270a328, nsp: 0x446725d8, in_tunnel: 0x445656d8

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:construct v4 vector for nsp2

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: existing vector list 0x204-0x41f5e650.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: Session (id:2418) created for first pak 204

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow_first_install_session======> 0x446725d8

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: nsp 0x446725d8, nsp2 0x44672658

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: make_nsp_ready_no_resolve()

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: route lookup: dest-ip 172.16.3.52 orig ifp st0.0 output_ifp st0.0 orig-zone 8 out-zone 8 vsd 0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: route to 172.16.3.52

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:avt_get_config_by_lsys_id: Not supported on low memory platforms.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:no need update ha

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:Installing s2c NP session wing

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow got session.

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: flow session id 2418

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: vector bits 0x204 vector 0x41f5e650

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: encap vector

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: no more encapping needed

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:mbuf 0x40892100, exit nh 0x100010

Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x4270a328 associated with mbuf 0x40892100

Oct 18 00:02:24 00:02:24.842993:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
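As an added example (not part of the original post), a small Python parser that reduces a first-path flow trace like the one above to the facts a reviewer checks: ingress interface and zone, egress interface and next hop, the zone pair searched, the matching policy and its verdict, source NAT, and the session id. The sample lines are copied from the trace above; the "denied" wording in the verdict pattern is an assumption about drop traces.

```python
import re

# Constructed sample: the decisive lines of the trace above, each carrying the
# timestamp and "CID-0:RT:" prefix that every SRX flow trace line has.
SAMPLE_TRACE = """\
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:<172.16.3.52/34371->172.30.10.4/1;1> matched filter test:
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: in_ifp <vpn:st0.0>
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: no session found, start first path. in_tunnel - 0x445656d8, from_cp_flag - 0
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: routed (x_dst_ip 172.30.10.4) from vpn (st0.0 in 0) to vlan.0, Next-hop: 172.30.10.4
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_policy_search: policy search from zone vpn-> zone lan (0x0,0x86430001,0x1)
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: permitted by policy vpn-lan(6)
Oct 18 00:02:24 00:02:24.842993:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Oct 18 00:02:24 00:02:24.842993:CID-0:RT: Session (id:2418) created for first pak 204
"""

# One pattern per fact. Wording is taken from the trace above, except the
# "denied" alternative, which is assumed from the usual drop trace.
PREFIX_RE = re.compile(r"^.*?:CID-\d+:RT:\s*")
FLOW_RE = re.compile(r"<(\S+)/(\d+)->(\S+)/(\d+);(\d+)> matched filter")
IN_IFP_RE = re.compile(r"in_ifp <([^:>]+):([^>]+)>")
ROUTE_RE = re.compile(r"routed \(x_dst_ip \S+\) from \S+ \(\S+ in \d+\) to (\S+), Next-hop: (\S+)")
ZONES_RE = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
VERDICT_RE = re.compile(r"(permitted|denied) by policy (\S+)\((\d+)\)")
SNAT_RE = re.compile(r"nat_src_xlated: (True|False)")
SESSION_RE = re.compile(r"Session \(id:(\d+)\) created")


def parse_first_path(trace: str) -> dict:
    """Reduce a first-path trace to the facts a reviewer actually checks."""
    facts = {"verdict": "unknown", "src_nat": None,
             "first_path": "start first path" in trace}   # False = session hit
    for raw in trace.splitlines():
        line = PREFIX_RE.sub("", raw)
        if m := FLOW_RE.search(line):
            facts.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]), proto=int(m[5]))
        elif m := IN_IFP_RE.search(line):
            facts.update(in_zone=m[1], in_ifp=m[2])
        elif m := ROUTE_RE.search(line):
            facts.update(out_ifp=m[1], next_hop=m[2])
        elif m := ZONES_RE.search(line):
            facts.update(from_zone=m[1], to_zone=m[2])
        elif m := VERDICT_RE.search(line):
            facts.update(verdict=m[1], policy=m[2], policy_id=int(m[3]))
        elif m := SNAT_RE.search(line):
            facts["src_nat"] = m[1] == "True"
        elif m := SESSION_RE.search(line):
            facts["session_id"] = int(m[1])
    return facts


def summarize(f: dict) -> str:
    """One line a reviewer can read: path, zones, policy verdict, NAT."""
    return (f"{f.get('src')} -> {f.get('dst')} proto {f.get('proto')}: "
            f"{f.get('in_ifp')} ({f.get('from_zone')}) -> {f.get('out_ifp')} ({f.get('to_zone')}), "
            f"{f['verdict']} by {f.get('policy')}({f.get('policy_id')}), "
            f"session {f.get('session_id')}, src-nat {f['src_nat']}")
```

Feed it the full output of `show log` for the flow trace file; a trace where `verdict` stays `unknown` or `first_path` is False was either matched by an existing session or never reached policy lookup.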

 

Policy Based VPN on SRX5600 with SPC3


I have configured a policy based VPN on an SRX5600 with an SPC3. The configuration was previously working on another SRX with SPC-2. The debug shows the message below

 

 [EXT] [PEER] [xx.xx.xx.xx <-> yy.yy.yy.yy]  peer-schema look-up failed for local-ip xx.xx.xx.xx remote-ip yy.yy.yy.yy vr-id 6

 

Has anyone experienced this?


Re: Policy Based VPN on SRX5600 with SPC3

SPC3 does not support policy based VPN.

Re: Policy Based VPN on SRX5600 with SPC3


Thanks for the prompt response guys. However, what happens in case I have a mix of SPC-II and SPC3 in the chassis? Will the policy-based VPN still not be supported?

Re: Policy Based VPN on SRX5600 with SPC3

Hi Maggu,

Yes, it will still not work. The reason is that the KMD daemon does not run on the SPC2 in mixed mode. It is moved to the SPC3, which does not support policy-based VPN.



Thanks and Regards,
Guru Prasad



Issue communicating with Network from SRX300


Strange issue; I must be forgetting something in the config.

 

Scenario: 

 

Datacenter<-- |VPN Connection| --> SRX300<---> EX2300-C

 

*I cannot ping our Datacenter from the SRX300, but i can ping it from the EX switch.

*If I disconnect the switch from the SRX300 I lose connection to the SRX300 completely. Cannot SSH or ping even though the tunnel is up. I reconnect the switch and everything comes back up.

*Traceroute from the SRX300 shows nothing. Traceroute from EX works correctly.

 

The switch config is simple. Trunk with all vlans included between the SRX and EX. Native vlan is "1". All ports are configured for one of the three vlans we use.

 

Config of the SRX:

set version 17.3R2.10
set system host-name SRX300
set system root-authentication encrypted-password "xxxxxx"
set system name-server 8.8.8.8
set system services ssh root-login allow
set system services telnet
set system services xnm-clear-text
set system services dhcp-local-server group CorpDHCP interface irb.1
set system services dhcp-local-server group CorpWIFI interface irb.24
set system services dhcp-local-server group Guests interface irb.136
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security ike policy corporate mode main
set security ike policy corporate proposal-set standard
set security ike policy corporate pre-shared-key ascii-text "xxxx"
set security ike gateway corp-gw ike-policy corporate
set security ike gateway corp-gw address xx.xx.xx.xx
set security ike gateway corp-gw local-identity inet xx.xx.xx.xx
set security ike gateway corp-gw external-interface ge-0/0/5
set security ipsec policy corp-ipsec-vpn proposal-set standard
set security ipsec vpn corp-vpn bind-interface st0.0
set security ipsec vpn corp-vpn vpn-monitor
set security ipsec vpn corp-vpn ike gateway corp-gw
set security ipsec vpn corp-vpn ike ipsec-policy corp-ipsec-vpn
set security ipsec vpn corp-vpn establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat source rule-set guest-to-untrust from zone GuestiNet
set security nat source rule-set guest-to-untrust to zone untrust
set security nat source rule-set guest-to-untrust rule source-nat-guest match source-address 10.255.7.160/27
set security nat source rule-set guest-to-untrust rule source-nat-guest then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone VPN policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone VPN policy trust-to-vpn match application any
set security policies from-zone trust to-zone VPN policy trust-to-vpn then permit
set security policies from-zone VPN to-zone trust policy VPN-to-trust match source-address any
set security policies from-zone VPN to-zone trust policy VPN-to-trust match destination-address any
set security policies from-zone VPN to-zone trust policy VPN-to-trust match application any
set security policies from-zone VPN to-zone trust policy VPN-to-trust then permit
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match source-address any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match destination-address any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust match application any
set security policies from-zone GuestiNet to-zone untrust policy Guest-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.1 host-inbound-traffic system-services all
set security zones security-zone trust interfaces irb.1 host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.24
set security zones security-zone trust interfaces irb.120 host-inbound-traffic system-services all
set security zones security-zone trust interfaces irb.120 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/5.0 host-inbound-traffic system-services ping
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services traceroute
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services ping
set security zones security-zone GuestiNet interfaces irb.136 host-inbound-traffic system-services dhcp
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 native-vlan-id 1
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members Workstation
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Workstation
set interfaces ge-0/0/5 unit 0 family inet address xx.xx.xx.xx/27
set interfaces ge-0/0/6 unit 0
set interfaces ge-0/0/7 unit 0
set interfaces irb unit 1 family inet address 10.255.7.1/27
set interfaces irb unit 24 family inet address 10.255.7.33/27
set interfaces irb unit 120 family inet address 10.255.7.129/27
set interfaces irb unit 136 family inet address 10.255.7.161/27
set interfaces st0 unit 0 description "Tunnel Interface to ChiDataCenter"
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet mtu 1500
set interfaces st0 unit 0 family inet address 10.250.110.7/24
set routing-options static route 10.0.0.0/8 next-hop 10.250.110.110
set routing-options static route xx.xx.xx.xx/32 next-hop xx.xx.xx.xx
set routing-options static route 0.0.0.0/0 next-hop xx.xx.xx.xx
set routing-options router-id 10.255.7.1
set protocols lldp interface all
set policy-options prefix-list manage-ip 10.0.0.0/8
set access address-assignment pool p1 family inet network 10.255.7.0/27
set access address-assignment pool p1 family inet range r1 low 10.255.7.10
set access address-assignment pool p1 family inet range r1 high 10.255.7.25
set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool p1 family inet dhcp-attributes name-server 10.110.2.20
set access address-assignment pool p1 family inet dhcp-attributes propagate-settings irb.1
set access address-assignment pool CorpWifiPool family inet network 10.255.7.32/27
set access address-assignment pool CorpWifiPool family inet range r1 low 10.255.7.35
set access address-assignment pool CorpWifiPool family inet range r1 high 10.255.7.61
set access address-assignment pool CorpWifiPool family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool CorpWifiPool family inet dhcp-attributes name-server 10.110.2.20
set access address-assignment pool CorpWifiPool family inet dhcp-attributes propagate-settings irb.24
set access address-assignment pool GuestWifiPool family inet network 10.255.7.160/27
set access address-assignment pool GuestWifiPool family inet range r1 low 10.255.7.163
set access address-assignment pool GuestWifiPool family inet range r1 high 10.255.7.189
set access address-assignment pool GuestWifiPool family inet dhcp-attributes maximum-lease-time 28800
set access address-assignment pool GuestWifiPool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool GuestWifiPool family inet dhcp-attributes propagate-settings irb.136
set vlans CorpWData vlan-id 24
set vlans CorpWData l3-interface irb.24
set vlans Guest vlan-id 136
set vlans Guest l3-interface irb.136
set vlans Wireless vlan-id 120
set vlans Wireless l3-interface irb.120
set vlans Workstation vlan-id 1
set vlans Workstation l3-interface irb.1

Thank you in advance.

 
