Channel: All SRX Services Gateway posts

Re: SRX550M Upgrade Path


Yes, the officially supported upgrade path is a maximum of 3 major releases. In this case the upgrade from 15.1X49 to 18.2 would be 4 major releases, so you need an intermediate release like you propose yourself.

I would actually suggest 18.1 as the intermediate release, as I remember some functionality not fully ported from 15.1X49 to 17.4. That issue will not be present if you go 15.1X49 -> 18.1 -> 18.2.


Re: J-Web Dashboard Widgets often don't load


wrote:
Is it good on any platform?

Well, no. But I know where it has been, so at least small enhancements have been made in every release, and I know it's a focus area... I have several times pointed out to a lot of Juniper employees that this has to work way more efficiently to have people embrace using the WebUI.

Usually I'm a CLI person, so I'm not using the J-Web UI actively, but I test it for every release that Juniper does and report back with my findings and honest opinion :-)

Re: SRX650 Upgrade Path


wrote:

I have a further question: if we set the local account password to 20 characters, will the TACACS credentials be affected and still operate at 9 chars?

I'm not sure I fully understand your scenario, but if your authentication order is tacplus and then local password, and the user is found in TACACS and has a 9 character password... you will be let in with 9 characters.

If I misunderstood your scenario, please share configuration examples and what you are experiencing.

P.S. Please remember to accept the post which helped you the most so others are able to quickly find the right information later on.

Re: VLAN.IRB trunk issue in SRX340


Hi, guys,

Thanks so much for your kind help.

The issue was my own stupidity: it was a local firewall configuration issue.

Many thanks

Re: SRX 345 QinQ - 802.1ad


Morning All

The more I look into it, the more I'm convinced that 802.1ad tagging is not supported on the SRX300 series: all examples of double tagging use the 0x8100 ethertype, and not a single example shows 802.1ad.

Example from the documentation:

[edit interfaces ge-0/2/0]
flexible-vlan-tagging;
unit 0 {
    vlan-id 232;
    family inet {
        address 10.66.1.2/30;
    }
}
unit 1 {
    vlan-tags outer 0x8100.222 inner 0x8100.221;
    family inet {
        address 10.66.1.2/30;
    }
}

Maybe the way to close this case is to agree on the following facts:

  • tag-protocol-id -- not supported
  • ethertype 0x88a8 (802.1ad) -- not supported
  • per unit vlan maps -- not supported

If we agree on the above 3 points, then a Juniper representative could request this functionality to be put on the roadmap.

Documentation will also need to be corrected to indicate the lack of support for 802.1ad.

The "tag-protocol-id" and "vlan maps" errors were spotted while working on a vSRX image, so they may be related to this platform only; confirmation is needed whether these errors also appear on the hardware 300 series.

SRX 340 Factory Reset


Hi All,

I have an SRX 340 that I performed a 15-second factory reset on. When I try to log in, the root password is not blank. Has anyone else experienced this issue? I can't recover the root password because the recovery configuration is not there.

Much appreciated.

Re: SRX 340 Factory Reset


It could be that factory reset via the reset button has been disabled in the configuration, preventing you from resetting the device:

https://www.juniper.net/documentation/en_US/release-independent/junos/topics/task/operational/services-gateway-srx340-reset-config-button-changing-behavior.html

I would point you towards the following procedure to reset the root password to something known so you can regain access to the device: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/recovering-root-password.html

You should just use the first described steps; it's not Junos with upgraded FreeBSD or Junos Evolved.


Re: VLAN.IRB trunk issue in SRX340


Great that everything now works as expected :-)

I did some testing and from what I can see, Junos 15.1X49 is missing a commit constraint check on having vlan-tagging and family ethernet-switching on the same interface. In later releases (tested on 19.2 and 19.3) you cannot commit a configuration with both defined on an interface.

Allowing vlans per vlan-id instead of names works as documented. I can both allow vlan names and vlan id (even a mix of both on the same port). The main issue here was having vlan-tagging defined on a switching interface and Junos not correctly throwing a commit error.

Re: J-Web Dashboard Widgets often don't load


So a bit of a mixed bag then. At least there are some positives to take away, fingers crossed. I'm glad to hear you are testing and providing candid feedback, keep it up! :-)

Re: On-box reporting error


Thank you for your reassurance and clarifications.

Your information relating to RT_FLOW_SESSION was very helpful, thank you. What would you consider to be a high logging rate?

SRX DHCP static binding not working properly


I am trying to set up a DHCP server on an SRX 345 device. The DHCP server should send back some options (bootfile, router, domain-names...). The DHCP is involved in the boot process, so a static DHCP binding is used where every MAC address has a mapped IP in the pool. The DHCP client requests the DHCP server for the first time during the PXE boot; it gets the correct IP that was mapped to its MAC, so the client will use the TFTP-server option specified in the DHCP offer and download the boot file, kernel and the initramfs.

The packet capture shows

	Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 35072
Logical Interface Index Extension TLV #4, length 4, value: 74
-----original packet-----
PFE proto 2 (ipv4): (tos 0x0, ttl 20, id 1, offset 0, flags [none], proto: UDP (17), length: 576) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from ac:1f:6b:47:6c:06, length 548, xid 0x6b476c06, secs 4, Flags [Broadcast] (0x8000)
Client-Ethernet-Address ac:1f:6b:47:6c:06
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Parameter-Request Option 55, length 36:
Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
IEN-Name-Server, Domain-Name-Server, RL, Hostname
BS, Domain-Name, SS, RP
EP, RSZ, TTL, BR
YD, YS, NTP, Vendor-Option
Requested-IP, Lease-Time, Server-ID, RN
RB, Vendor-Class, TFTP, BF
Option 128, Option 129, Option 130, Option 131
Option 132, Option 133, Option 134, Option 135
MSZ Option 57, length 2: 1260
GUID Option 97, length 17: 0.0.0.0.0.0.0.0.0.0.0.172.31.107.71.108.6
ARCH Option 93, length 2: 0
NDI Option 94, length 3: 1.2.1
Vendor-Class Option 60, length 32: "PXEClient:Arch:00000:UNDI:002001"

 

Here it is fine: we got the correct IP that is mapped to the MAC. Then the client starts to download the root filesystem; at that time a new request is sent to the DHCP server (a new option 61, client identifier, is specified). The problem occurs here: the DHCP server assigns another address from the dynamic range to the client even though a static binding for that MAC address is specified.

09:47:47.388131  In
Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 35072
Logical Interface Index Extension TLV #4, length 4, value: 74
-----original packet-----
PFE proto 2 (ipv4): (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from ac:1f:6b:47:69:e4, length 300, xid 0xeec66346, secs 5, Flags [none] (0x0000)
Client-Ethernet-Address ac:1f:6b:47:69:e4
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Client-ID Option 61, length 19: hardware-type 255, 6b:47:69:e4:00:01:00:01:25:4c:13:ef:ac:1f:6b:47:69:e4
Parameter-Request Option 55, length 21:
RN, RB, Subnet-Mask, BR
MTU, Classless-Static-Route, Default-Gateway, Static-Route
Hostname, Option 119, Domain-Name, Domain-Name-Server
YD, YS, NTP, RP
Option 85, Option 86, Option 87, PRTR
MDHCP
MSZ Option 57, length 2: 1500
09:47:47.846931 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 35072
Logical Interface Index Extension TLV #4, length 4, value: 74
-----original packet-----
58:00:bb:af:e7:42 > ac:1f:6b:47:69:e4, ethertype IPv4 (0x0800), length 321: (tos 0x0, ttl 64, id 35562, offset 0, flags [none], proto: UDP (17), length: 307) 10.22.102.1.bootps > 10.22.102.214.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 279, xid 0xeec66346, Flags [none] (0x0000)
Your-IP 10.22.102.214
Server-IP 10.22.100.11
Client-Ethernet-Address ac:1f:6b:47:69:e4
file "pxelinux.0"
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Server-ID Option 54, length 4: 10.22.102.1
Default-Gateway Option 3, length 4: 10.22.102.1
Domain-Name-Server Option 6, length 8: 1.1.1.1,1.0.0.1

Any ideas? How to disable the client-id option on the DHCP server?
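As an added illustration (not code from the post or from Juniper), the following parses Discovers like the two in the capture and shows why a reservation keyed on the MAC can be missed once the client sends an RFC 4361 (type 255) client identifier, and how the link-layer address can still be recovered from the DUID-LLT inside that identifier. Which identifier the SRX's DHCP server actually keys static bindings on is not confirmed by the thread, so the "identifier-first" server behaviour modelled here is an assumption; the reserved address 10.22.102.50 is constructed, and both Discovers are rebuilt with the capture's second MAC so that only option 61 differs.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie; the option area starts right after it
# Constructed reservation table: the MAC from the capture -> a made-up reserved address
STATIC_BINDINGS = {bytes.fromhex("ac1f6b4769e4"): "10.22.102.50"}
DYNAMIC_RANGE = "dynamic-range"  # stands in for "hand out any free address from the pool"

def build_discover(mac, xid, client_id=None):
    """Build a minimal BOOTP/DHCP Discover (constructed test input, not the real capture)."""
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs=0, flags=broadcast,
    # ciaddr/yiaddr/siaddr/giaddr zero, 16-byte chaddr, sname, file
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 1])  # option 53: DHCPDISCOVER
    if client_id is not None:
        opts += bytes([61, len(client_id)]) + client_id  # option 61: client identifier
    return hdr + MAGIC + opts + b"\xff"

def parse_dhcp(pkt):
    """Parse the fixed BOOTP header and the TLV option area into a dict."""
    op, htype, hlen = struct.unpack_from("!BBB", pkt, 0)
    xid = struct.unpack_from("!I", pkt, 4)[0]
    chaddr = pkt[28:28 + hlen]
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:      # pad
            i += 1
            continue
        if code == 255:    # end
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "htype": htype, "xid": xid, "chaddr": chaddr, "options": opts}

def mac_from_client_id(cid):
    """Recover an Ethernet address from option 61, or None. Type 1 = raw hardware address.
    Type 255 (RFC 4361) = 4-byte IAID + DUID; a DUID-LLT (1) or DUID-LL (3) over hardware
    type 1 ends in the link-layer address, which is what the capture's client-id carries."""
    if not cid:
        return None
    if cid[0] == 1 and len(cid) == 7:
        return cid[1:]
    if cid[0] == 255 and len(cid) >= 9:
        duid = cid[5:]
        duid_type, hw_type = struct.unpack_from("!HH", duid, 0)
        if hw_type == 1 and duid_type == 1 and len(duid) == 14:
            return duid[8:]  # type(2) + hw(2) + time(4) + addr(6)
        if hw_type == 1 and duid_type == 3 and len(duid) == 10:
            return duid[4:]  # type(2) + hw(2) + addr(6)
    return None

def lookup_identifier_first(msg):
    """Assumed server behaviour: option 61, when present, is the client's identity and
    chaddr is used only without it, so a reservation keyed on the MAC is never consulted."""
    key = msg["options"].get(61) or msg["chaddr"]
    return STATIC_BINDINGS.get(key, DYNAMIC_RANGE)

def lookup_hardware_aware(msg):
    """Same table, but also tries the MAC carried inside the client-id, then chaddr."""
    cid = msg["options"].get(61)
    for key in (cid, mac_from_client_id(cid), msg["chaddr"]):
        if key in STATIC_BINDINGS:
            return STATIC_BINDINGS[key]
    return DYNAMIC_RANGE

# The two Discovers from the thread, rebuilt with one MAC so only option 61 differs (PXE firmware vs. booted OS)
MAC = bytes.fromhex("ac1f6b4769e4")
OS_CLIENT_ID = bytes.fromhex("ff" "6b4769e4" "0001" "0001" "254c13ef" "ac1f6b4769e4")
PXE_DISCOVER = parse_dhcp(build_discover(MAC, 0x6B476C06))
OS_DISCOVER = parse_dhcp(build_discover(MAC, 0xEEC66346, OS_CLIENT_ID))
```

Under the modelled behaviour the PXE Discover hits the reservation while the OS Discover falls through to the dynamic range; the hardware-aware lookup resolves both to the reserved address.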

Re: SRX DHCP static binding not working properly


Looks like the capture is for two different clients:

1st Discover pkt has

Client-Ethernet-Address ac:1f:6b:47:6c:06

2nd Discover pkt has

Client-Ethernet-Address ac:1f:6b:47:69:e4

This should be the reason for the SRX to assign a different IP address.

Persistent NAT with multiple Public IP address


Hi folks,

I have an interesting dilemma that we're trying to get working with Persistent NAT and two internet connections on the SRX110H2.

Each has a static default route; one with higher preference.

x.x.x.x/32 preference 5

y.y.y.y/32 preference 10

Currently there is an internal 3CX host that requires port address mapping from its internal IP address to the external public IP address.

The config used is working successfully at the moment; however, I'm trying to address whether it's possible to time out the address mapping if the primary internet service goes down and traffic moves over to the secondary default route, which has a different public IP address.

Of course the flow will need to time out on the inactive public IP route.

The dilemma is how to utilise a failover method with persistent NAT to use the other public IP and new route.

If I could use interface-nat rather than source NAT pools it may work, so I don't have to account for source NAT pool processes.

I haven't been able to test the concept as yet, but reading through the documentation it may or may not be possible using:

- source nat inactivity timeout of 60 seconds to re-establish source NAT flow mapping with persistent NAT

- interface-nat rather than source NAT pools

- target-host-port rather than any-remote-host

Given that we're using address-mapping here, it seems that it can only use source NAT pool IPs and not the interface-nat IP.

The other thinking is that I could maybe use two source pools and two source NAT rules, dependent on the traffic flow on the given active route in inet.0?

Use:

rule-set primary-pnat to be from interface irb.30; to interface ge-0/0/1 for PublicIP1

rule-set secondary-pnat to be from interface irb.30; to interface pp0.0 for PublicIP2

Like the below:

pool voip1 {
    address {
        x.x.x.x/32;
    }
    port {
        no-translation;
    }
}

pool voip2 {
    address {
        x.x.x.x/32;
    }
    port {
        no-translation;
    }
}
rule-set 3cx-to-untrust-1 {
    from interface irb.30;
    to interface ge-0/0/0.0;
    rule voip {
        match {
            source-address 10.10.20.17/32;
            source-port {
                9000 to 9255;
                5090;
                5060;
                5000;
                3478;
                2528;
                5001;
                5228 to 5230;
            }
        }
        then {
            source-nat {
                pool {
                    voip1;
                    persistent-nat {
                        permit any-remote-host;
                        address-mapping;
                        inactivity-timeout 60;
                        max-session-number 800;
                    }
                }
            }
        }
    }
}

rule-set 3cx-to-untrust-2 {
    from interface irb.30;
    to interface pp0.0;
    rule voip {
        match {
            source-address 10.10.20.17/32;
            source-port {
                9000 to 9255;
                5090;
                5060;
                5000;
                3478;
                2528;
                5001;
                5228 to 5230;
            }
        }
        then {
            source-nat {
                pool {
                    voip2;
                    persistent-nat {
                        permit any-remote-host;
                        address-mapping;
                        inactivity-timeout 60;
                        max-session-number 800;
                    }
                }
            }
        }
    }
}

 

Below is my current working configuration with just the one internet connection.

I've excluded other configuration below, as what's below is the crux of the configuration issue with the source NAT dilemma I'm having.

Has anyone come across a solution to this one?

Thanks

pool voip {
    address {
        x.x.x.x/32;
    }
    port {
        no-translation;
    }
}


rule-set 3cx-to-untrust {
    from interface irb.30;
    to zone untrust;
    rule voip {
        match {
            source-address 10.10.20.17/32;
            source-port {
                9000 to 9255;
                5090;
                5060;
                5000;
                3478;
                2528;
                5001;
                5228 to 5230;
            }
        }
        then {
            source-nat {
                pool {
                    voip;
                    persistent-nat {
                        permit any-remote-host;
                        address-mapping;
                        max-session-number 800;
                    }
                }
            }
        }
    }
}

 


Maximum distance between two nodes for srx1500 chassis cluster


Hi Juniper Masters,

What is the maximum distance to cluster the 2 SRX1500s? Thanks!

Re: SRX DHCP static binding not working properly


Actually not. The capture is not 100% correct; I pasted the wrong part.

DHCP not working properly when multiple pools are defined


I am trying to set up multiple subnets on an SRX device; each subnet has its own DHCP pool. I have 5 ports, and each port is connected to a group of servers. So, I configured 5 pools and 5 groups, each group containing an interface. The problem is that hosts are getting addresses from different pools. For example: Host1 is linked to interface1 on the router, which has the address 10.0.0.1; the address assigned to Host1 should belong to the pool that has the network address 10.0.0.0/24, but it gets an address from a different pool.

These are the pools and the groups:

[image 1: pools]

These are the interfaces:

[image 2: interfaces]

And below is an example of how addresses from the wrong pools are assigned to clients:

[image 3: address pools and assignments]

Am I getting it wrong? Is a pool mapped to the interface based on the network address of the interface and the one specified in the DHCP pool configuration?

How do I map a group to a pool? Or how do I make the SRX give an IP address that really belongs to the pool that has the same network address as the interface?

Note: The pool match order is set to ip-address-first (default).

[1]: https://i.stack.imgur.com/tKsZb.png
[2]: https://i.stack.imgur.com/jjCrZ.png
[3]: https://i.stack.imgur.com/bcJly.png

Re: test config terminal syntax error on }


Yeah, Mac iTerm2 seems to have an option in Edit > Paste Special > Paste Slowly; maybe I'll try that. Weird that it worked the other day without doing this. Meanwhile, I can't really tell which } it doesn't like, so I've identified and isolated the code blocks I want to update in a separate window, and will just try to manually change them when I get onsite to the unit I'm testing.

I have a shelf spare unit on my test bench where I test code, then go to the production site and try to upload/commit code. When the upload/commit option on the GUI fails, I drop to the terminal to try to make it work. I figured some kind of encoding was causing problems in translation.

Is there some online way to test candidate configs to check for errors before pushing to a real box?
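As an added example (not from the post, and not a substitute for a real commit check on the box), a small offline pre-check for exactly the kind of stray `}` described above: it walks a curly-brace Junos configuration, ignores braces inside double-quoted strings and after `#` or inside `/* */` annotations, and reports the line of each unmatched `}` and each `{` that is never closed. The sample configuration is constructed.

```python
def check_braces(config_text):
    """Return a list of (line_number, message) for brace problems in a curly-brace
    style Junos configuration. Braces inside double-quoted strings (descriptions,
    regexes) and after a '#' comment marker are ignored; '/* ... */' annotations
    are skipped on the line where they appear, which covers normal Junos output."""
    stack, problems = [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        in_quote = False
        i = 0
        while i < len(line):
            ch = line[i]
            if ch == '"':
                in_quote = not in_quote
            elif in_quote:
                pass
            elif ch == '#':
                break
            elif line.startswith("/*", i):
                end = line.find("*/", i + 2)
                i = len(line) if end < 0 else end + 1
            elif ch == '{':
                stack.append(lineno)
            elif ch == '}':
                if stack:
                    stack.pop()
                else:
                    problems.append((lineno, "unmatched '}'"))
            i += 1
    problems.extend((lineno, "'{' never closed") for lineno in stack)
    return problems

# Constructed candidate config: one extra '}' after the interfaces stanza (line 11)
# and the security stanza opened on line 12 is never closed.
SAMPLE_CONFIG = """\
interfaces {
    ge-0/0/0 {
        description "uplink {to} core";   # braces inside quotes are ignored
        unit 0 {
            family inet {
                address 192.0.2.1/30;
            }
        }
    }
}
}
security {
    zones {
        security-zone trust {
            /* annotation {with} braces */
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
"""

if __name__ == "__main__":
    for lineno, msg in check_braces(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```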
