1. https://en.wikipedia.org/wiki/
2. JTAC's suggestion is to disable the interface with a commit confirm. Not an elegant solution, but there you go.
3. Despite this article implying there is firmware, apparently none is available.
I'm not sure I follow your setup correctly so apologies if this is not right.
I think you have a nat public pool that can be used on your two upstream isp so that your voip traffic can failover.
If that is the case you don't need to do anything for the session failover to work. You simply put both ISP interfaces into the same security zone. Sessions are based on Zone NOT interface. So the same session will still be valid when failover occurs as the traffic is still transiting the same zone for both ISP links.
Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails with the following errors:
request system software add /var/tmp/junos-srxsme-18.2R3.4.tgz no-copy unlink
NOTICE: Validating configuration against junos-srxsme-18.2R3.4.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s1a)...
/dev/da0s1a: 2510.1MB (5140780 sectors) block size 16384, fragment size 2048
using 14 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544,
3384608, 3760672, 4136736, 4512800, 4888864
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
Using junos-18.2R3.4 from /altroot/cf/packages/install-tmp/junos-18.2R3.4
Copying package ...
veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/php_mod.ini: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
Network security daemon: <source-daemon>nsd</source-daemon>
Network security daemon: <message>certificate 'device': certificate does not exist .</message>
Network security daemon: </xnm:error>
mgd: error: configuration check-out failed
Validation failed
Validating against /config/rescue.conf.gz
Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
Network security daemon: <source-daemon>nsd</source-daemon>
Network security daemon: <message>certificate 'device': certificate does not exist .</message>
Network security daemon: </xnm:error>
mgd: error: configuration check-out failed
Validation failed
ERROR: Configuration validation failed with /altroot/cf/packages/install-tmp/junos-18.2R3.4
Any ideas how to make this work?
Hi All
Can a Juniper representative agree with the above comments, and if so please advise next steps (would this be available in the next release)?
Thank you.
Try the following commands:
request system configuration rescue save
request system software add no-copy no-validate /var/tmp/junos-srxsme-18.2R3.4.tgz
Do not use "unlink" on the SRX platform; it is only supported on M, T and MX platforms.
Hi,
I have configured a chassis cluster of SRX340s in transparent mode. All interfaces are up as expected; however, I can't ping from my untrust to trust zone. After troubleshooting, I ran "show interfaces redundancy" and it returned the following error:
error: the redundancy-interface-process subsystem is not running
Has anyone come across this error, and how do I resolve it?
Thanks
Harry.
That's not a valid command on the srx, redundant or not. Perhaps you want show chassis cluster interfaces?
Hi, I am using a Juniper SRX240 and for the last week I have found records like this in the session table:
Session ID: 668, Policy name: allow-public-mail/11, State: Active, Timeout: -1, Valid
In: 47.74.61.85/60414 --> x.x.x.x/587;tcp, If: reth1.0, Pkts: 1, Bytes: 40
Out: 192.168.200.16/587 --> 47.74.61.85/60414;tcp, If: reth0.994, Pkts: 6, Bytes: 264
These records stay in the table forever and I have to clear the session table. Can you please explain to me why the timeout is -1?
Thanks
I have an SRX300 running version 15.1X49-D150.2.
I have it configured for a dual-ISP configuration using IP monitoring. This works great.
My problem is that when both connections are working, I have a preferred ISP (which we have more bandwidth from) - and I can't figure out how to default to that ISP.
The preferred ISP in the configuration below is called ATT - but if both connections are up, it always goes out via COMCAST.
Any suggestions?
services {
    rpm {
        probe COMCAST {
            test GOOGLE {
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/5.0;
                next-hop 2.2.2.238;
            }
        }
        probe ATT {
            test GOOGLE {
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/0.0;
                next-hop 1.1.1.97;
            }
        }
    }
    ip-monitoring {
        policy ATT {
            match {
                rpm-probe ATT;
            }
            then {
                preferred-route {
                    routing-instances ATT {
                        route 0.0.0.0/0 {
                            next-hop 2.2.2.238;
                            metric 10;
                        }
                    }
                }
            }
        }
        policy COMCAST {
            match {
                rpm-probe COMCAST;
            }
            then {
                preferred-route {
                    routing-instances COMCAST {
                        route 0.0.0.0/0 {
                            next-hop 1.1.1.97;
                        }
                    }
                }
            }
        }
    }
}
security {
    log {
        mode stream;
        report;
    }
    nat {
        source {
            rule-set LAN-to-COMCAST {
                from zone LAN;
                to zone COMCAST;
                rule NAT-COMCAST {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set LAN-to-ATT {
                from zone LAN;
                to zone ATT;
                rule NAT-ATT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone LAN to-zone COMCAST {
            policy ALL_LAN_COMCAST {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN to-zone ATT {
            policy ALL_LAN_ATT {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN to-zone LAN {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone COMCAST {
            interfaces {
                ge-0/0/5.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            rpm;
                        }
                    }
                }
            }
        }
        security-zone ATT {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            rpm;
                        }
                    }
                }
            }
        }
        security-zone LAN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.99/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 2.2.2.233/28;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet;
        }
    }
    irb {
        unit 0 {
            family inet {
                filter {
                    input OUTPUT-ISP;
                }
                address 10.128.105.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input ADMIN-FILTER;
                }
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 next-table ATT.inet.0;
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 ATT.inet.0 COMCAST.inet.0 ];
        }
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
/* ADMIN-IPS are permitted ssh access */
policy-options {
    prefix-list ADMIN-IPS {
        10.128.105.0/24;
        3.3.3.3/32;
    }
}
firewall {
    filter ADMIN-FILTER {
        term BLOCK-NON-ADMIN {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    ADMIN-IPS except;
                }
                protocol tcp;
                destination-port [ ssh https telnet http ];
            }
            then {
                discard;
            }
        }
        term accept_everything_else {
            then accept;
        }
    }
    filter OUTPUT-ISP {
        term TO-COMCAST {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance COMCAST;
            }
        }
        term TO-ATT {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance ATT;
            }
        }
    }
}
routing-instances {
    COMCAST {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 2.2.2.238;
                    metric 10;
                }
            }
        }
    }
    ATT {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/32 next-hop 1.1.1.97;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}
Hi,
Is this really supposed to be 0/32?
ATT {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/32 next-hop 1.1.1.97;
        }
    }
}
Regards,
Radek
Hi,
Thanks for the reply. I have run show chassis cluster interfaces and all interfaces are up: swfab, control and reth interfaces.
Maybe I'm missing something; this is my config. I can't ping from the host on the inside to the outside or vice versa.
> set chassis cluster cluster-id 1 node 0 reboot
> set chassis cluster cluster-id 1 node 1 reboot
configure
set groups node0 system host-name bluec-srx-a
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.10.53/24
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.10.55/24 master-only
set groups node0 system backup-router 10.10.10.254 destination 0.0.0.0/0
set groups node0 system services ssh
set groups node1 system host-name bluec-srx-b
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.10.54/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.10.55/24 master-only
set groups node1 system backup-router 10.10.10.254 destination 0.0.0.0/0
set groups node1 system services ssh
set apply-groups "${node}"
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces swfab0 fabric-options member-interfaces ge-0/0/2
set interfaces swfab1 fabric-options member-interfaces ge-5/0/2
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-5/0/4 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family ethernet-switching interface-mode access
set interfaces reth0 unit 0 family ethernet-switching vlan members vlan-10
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family ethernet-switching interface-mode access
set interfaces reth1 unit 0 family ethernet-switching vlan members vlan-10
set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Untrusted interfaces reth0.0
set security zones security-zone Trusted interfaces reth1.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set security policies from-zone Trusted to-zone Untrusted policy TRUST-UNTRUST match source-address any
set security policies from-zone Trusted to-zone Untrusted policy TRUST-UNTRUST match destination-address any
set security policies from-zone Trusted to-zone Untrusted policy TRUST-UNTRUST match application any
set security policies from-zone Trusted to-zone Untrusted policy TRUST-UNTRUST then permit
set security policies from-zone Untrusted to-zone Trusted policy UNTRUST-TRUST match source-address any
set security policies from-zone Untrusted to-zone Trusted policy UNTRUST-TRUST match destination-address any
set security policies from-zone Untrusted to-zone Trusted policy UNTRUST-TRUST match application any
set security policies from-zone Untrusted to-zone Trusted policy UNTRUST-TRUST then permit
set protocols l2-learning global-mode transparent-bridge
set vlans vlan-10 vlan-id 10
Regards
Tao.
That was a typo. I fixed it to be 0.0.0.0/0 - but unfortunately, the original problem is still there!
I think the issue is due to the forwarding filter: since the first term is TO-COMCAST, which matches any source and directs the traffic to the COMCAST instance, the traffic will always be forwarded via the COMCAST routing instance despite ATT having the better metric.
filter OUTPUT-ISP {
    term TO-COMCAST {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            routing-instance COMCAST;
        }
    }
    term TO-ATT {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            routing-instance ATT;
        }
    }
}
Did a quick test in the lab and was getting the same results:
root@R1# show routing-instances
ATT {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.30.0.2;
        }
    }
}
COMCAST {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 172.30.0.6;
                metric 10;
            }
        }
    }
}

[edit firewall family inet filter FBF]
root@R1# show
term COMCAST {
    from {
        source-address {
            0.0.0.0/0;
        }
    }
    then {
        routing-instance COMCAST;
    }
}
term ATT {
    from {
        source-address {
            0.0.0.0/0;
        }
    }
    then {
        routing-instance ATT;
    }
}

root@R1# show interfaces ge-0/0/5.300
vlan-id 300;
family inet {
    filter {
        input FBF;
    }
    address 192.168.1.1/24;
}

root@CE# run traceroute 192.168.0.2 source 192.168.1.3 routing-instance CE
traceroute to 192.168.0.2 (192.168.0.2) from 192.168.1.3, 30 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  7.540 ms  3.277 ms  4.164 ms
 2  172.30.0.6 (172.30.0.6)  11.686 ms  14.695 ms  8.026 ms   <<---- COMCAST next-hop
 3  172.30.0.21 (172.30.0.21)  10.847 ms  8.088 ms  7.622 ms
 4  192.168.0.2 (192.168.0.2)  10.467 ms  12.881 ms  10.617 ms

Making the ATT term the first one changes the routing:

[edit firewall family inet filter FBF]
root@R1# insert term ATT before term COMCAST

[edit firewall family inet filter FBF]
root@R1# commit
commit complete

root@CE# run traceroute 192.168.0.2 source 192.168.1.3 routing-instance CE
traceroute to 192.168.0.2 (192.168.0.2) from 192.168.1.3, 30 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  5.435 ms  3.750 ms  8.480 ms
 2  172.30.0.2 (172.30.0.2)  7.569 ms  4.267 ms  7.572 ms   <<---- ATT next-hop
 3  172.30.0.14 (172.30.0.14)  14.135 ms  8.877 ms  5.959 ms
 4  192.168.0.2 (192.168.0.2)  10.060 ms  12.412 ms  8.191 ms
I wonder if you really need two forwarding instances & ip-monitoring policies in this case? Wouldn't it be enough to have one ip-monitoring policy which changes the next-hop in the ATT policy to the COMCAST next-hop 2.2.2.238?
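A small lint that reproduces the diagnosis above, added here as an example (it is not code from this thread or from Juniper): it parses brace-style Junos config into a tree and reports filter terms that sit behind an earlier catch-all term, which is exactly why TO-ATT never fired. The sample filter is a constructed copy of the posted OUTPUT-ISP stanza; the narrowed variant and its 10.128.105.0/25 prefix are assumptions.

```python
import re

# Constructed sample, modelled on the OUTPUT-ISP filter posted in this thread
# (flattened onto one line, the way the forum rendered it).
AS_POSTED = (
    "firewall { filter OUTPUT-ISP { "
    "term TO-COMCAST { from { source-address { 0.0.0.0/0; } } then { routing-instance COMCAST; } } "
    "term TO-ATT { from { source-address { 0.0.0.0/0; } } then { routing-instance ATT; } } } }"
)
# Constructed variant (assumed prefix): the first term only steers one subnet,
# so the second term stays reachable.
NARROWED = AS_POSTED.replace("0.0.0.0/0; } } then { routing-instance COMCAST",
                             "10.128.105.0/25; } } then { routing-instance COMCAST")


def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; a leaf statement maps to True.
    Dict insertion order preserves the order of terms, which is what matters here."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # strip /* comments */
    root, stack = {}, []
    cur = root
    for m in re.finditer(r"([^{};]+)\{|([^{};]+);|(\})", text):
        if m.group(1) is not None:                          # "name {" opens a child block
            stack.append(cur)
            cur = cur.setdefault(m.group(1).strip(), {})
        elif m.group(2) is not None:                        # "statement;" is a leaf
            cur[m.group(2).strip()] = True
        else:                                               # "}" returns to the parent
            cur = stack.pop()
    return root


def catch_all(term):
    """True when the term's 'from' clause cannot exclude any packet: no 'from' at all,
    or nothing but source/destination-address 0.0.0.0/0 conditions."""
    frm = term.get("from")
    if frm is None:
        return True
    return all(k in ("source-address", "destination-address") and isinstance(v, dict)
               and list(v) == ["0.0.0.0/0"] for k, v in frm.items())


def unreachable_terms(filter_block):
    """Names of terms that sit after a catch-all term and can therefore never match."""
    names = [k.split(None, 1)[1] for k in filter_block if k.startswith("term ")]
    for i, name in enumerate(names):
        if catch_all(filter_block["term " + name]):
            return names[i + 1:]
    return []
```

Run it over the ip-monitoring-era config and it flags TO-ATT as dead; after the first term is narrowed (or removed, as the fix below did), the report is empty.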
That fixed it! Removing the
security ip-monitoring policy COMCAST
and
firewall filter OUTPUT-ISP term TO-COMCAST
did it!
Now ATT is the preferred ISP.
Thank you!!!
While I don't do a lot of SRX layer 2, the config does look complete. Do you see the two hosts on the expected interfaces if you run show ethernet-switching table? Do the hosts have each other in their ARP tables?
Thanks! Worked like a charm...
Hi Smicker,
Thanks for your reply. I'm back in the office tomorrow. I will check the ARP tables and get back to you.
Regards
Tao.
Good morning, I would like to know if my Juniper SRX550 could support this topology, thanks in advance.
Hi
Please confirm the inactivity-timeout defined for the application.
Additionally, please refer to the KB articles below, which explain this behavior.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB34581
https://kb.juniper.net/InfoCenter/index?page=content&id=KB31979
Regards,
PK
Hi,
Please refer to the below link for the detailed configuration and make the changes accordingly.
Regards,
PK