Channel: All SRX Services Gateway posts

Re: SRX550M Upgrade Path


Hi,

There is no need to go for an intermediate Junos version.

You can directly upgrade from 15.1x49 to 18.2.

Please refer to the below link:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=METADATA

Please do look into the notes section of the above KB document.

Notes:

  1. Notes for upgrading from Junos 15.1X49 releases to 18.2R3 or 18.2R3 based Service Releases:

    • Junos OS upgrade from 15.1X49 directly to 18.2R3 or 18.2R3 based Service Releases is supported for all SRX platforms, except vSRX. To upgrade vSRX from 15.1X49 to higher versions, deploy a new vSRX VM.

    • ISSU is not supported when upgrading from Junos 15.1X49 to higher versions.

Regards,

PK


Re: error: the redundancy-interface-process subsystem is not running


Hi,

I ran the command show chassis cluster interfaces. The control link is up but the fabric is down. The full configuration is in the previous post; any idea why the fabric is down? The cables are connected back to back and I have also tried another cable.

root@bluec-srx-a> show chassis cluster interfaces
Control link status: Up
Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       fxp1        Up                 Disabled      Disabled
Fabric link status: Down
Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0
    fab0
    fab1
    fab1

Thanks
Harry

Re: SRX 320 PPPOE issue after JUNOS upgrade


JUNOS Software Release [15.1X49-D170.4]

BTW, I tried upgrading to the latest JTAC recommended version and it did not work again. For now, I will stay on the stable Junos that I am running.

IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation.


Hi folks,

I am getting the following log message when I try an IKEv2 VPN from my iPhone (iOS 13) to my Juniper SRX 320.

Please note that I can connect to my Juniper using Pulse Secure from my laptop remotely; however, I am looking for connectivity to the Juniper using the iPhone's standard VPN client.

IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation.

Nov 4 09:21:39 HOME-SRX kmd[1754]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 2, VPN: Not-Available Gateway: Not-Available, Local: 42.41.232.22/500, Remote: 69.158.246.169/1526, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

I appreciate your help. Please find the running configuration attached.
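The kmd line above carries everything needed to triage the failure, but it is dense. The following parser is an added example (not code from the poster or from Juniper) that splits such lines into fields and groups them per remote peer; the first sample line is the one quoted in the post, the other two are constructed variations so the summary has something to group. Two derived flags are worth noting: a remote UDP port other than 500 means the peer's source port was translated on the way (the phone is behind NAT), and a gateway of Not-Available together with Not-Available IKE-IDs means the lookup failed before any peer identity was available to match against.

```python
"""Parse SRX kmd 'IKE negotiation failed' log lines and summarize them per peer."""
import re
from collections import defaultdict

# Constructed sample: line 1 is the line quoted in the post; lines 2 and 3 are
# made-up variations (a retry from the same phone and an unrelated IKEv1 peer).
SAMPLE_LOG = """\
Nov 4 09:21:39 HOME-SRX kmd[1754]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 2, VPN: Not-Available Gateway: Not-Available, Local: 42.41.232.22/500, Remote: 69.158.246.169/1526, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Nov 4 09:21:45 HOME-SRX kmd[1754]: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation. IKE Version: 2, VPN: Not-Available Gateway: Not-Available, Local: 42.41.232.22/500, Remote: 69.158.246.169/1526, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Nov 4 09:30:02 HOME-SRX kmd[1754]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: SITE-A Gateway: GW-SITE-A, Local: 42.41.232.22/500, Remote: 198.51.100.9/500, Local IKE-ID: 42.41.232.22, Remote IKE-ID: 198.51.100.9, VR-ID: 0: Role: Initiator
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kmd\[\d+\]: "
    r"IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<ike_version>\d), "
    r"VPN: (?P<vpn>\S+) Gateway: (?P<gateway>\S+), "
    r"Local: (?P<local_ip>[\d.]+)/(?P<local_port>\d+), "
    r"Remote: (?P<remote_ip>[\d.]+)/(?P<remote_port>\d+), "
    r"Local IKE-ID: (?P<local_id>.+?), "
    r"Remote IKE-ID: (?P<remote_id>.+?), "
    r"VR-ID: (?P<vr_id>\d+): Role: (?P<role>\w+)"
)


def parse_line(line):
    """Return a dict of fields for one kmd failure line, or None if it is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ike_version", "local_port", "remote_port", "vr_id"):
        rec[key] = int(rec[key])
    # IKE starts on UDP 500; a different remote port means the peer's source
    # port was rewritten by NAT somewhere between the phone and the SRX.
    rec["remote_behind_nat"] = rec["remote_port"] != 500
    # No gateway name and no IKE-IDs: the failure happened before any peer
    # identity was available, so only local address and IKE version were known.
    rec["gateway_unmatched"] = (
        rec["gateway"] == "Not-Available" and rec["remote_id"] == "Not-Available"
    )
    return rec


def summarize(log_text):
    """Group failures by remote IP: count, distinct errors, roles, versions, NAT flag."""
    per_peer = defaultdict(lambda: {
        "count": 0, "errors": set(), "roles": set(), "ike_versions": set(), "behind_nat": False,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_peer[rec["remote_ip"]]
        entry["count"] += 1
        entry["errors"].add(rec["error"])
        entry["roles"].add(rec["role"])
        entry["ike_versions"].add(rec["ike_version"])
        entry["behind_nat"] = entry["behind_nat"] or rec["remote_behind_nat"]
    return dict(per_peer)


if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LOG).items():
        print(peer, info)
```

Feeding `show log kmd` output through summarize() gives one row per peer, which makes it easy to see whether a single dynamic client keeps failing the gateway lookup (a configuration problem on the SRX side) or whether many unrelated remotes are producing the same error.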

Re: error: the redundancy-interface-process subsystem is not running


I have managed to get the fab interfaces up after reconfiguring the interfaces as fab rather than swfab. I ran into a post which states the config is required regardless of the type of cluster you are deploying.

set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

However, the following config is required for the layer 2 clustering.

set interfaces swfab0 fabric-options member-interfaces ge-0/0/0
set interfaces swfab1 fabric-options member-interfaces ge-5/0/0

It is required to enable switching between the two nodes. I applied the config and ran the following command; the output:

   Probe state is DOWN. Both nodes are in separate ethernet switching domain(s).

Has anyone come across this or understand how to resolve it?

root@bluec-srx-a> show chassis cluster ethernet-switching status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None
node1  100      secondary      no      no       None
Redundancy group: 1 , Failover count: 1
node0  200      primary        no      no       None
node1  100      secondary      no      no       None
Ethernet switching status:
    Probe state is DOWN. Both nodes are in separate ethernet switching domain(s).
{primary:node0}
root@bluec-srx-a>
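The two posts above (the fabric-down output and the later fix with fabric-options member-interfaces) describe the same symptom: fab0 and fab1 are listed with no child interface. This added example (my code, not the poster's or Juniper's) parses `show chassis cluster interfaces` output and reports exactly that condition, so the check can be run over pasted output from any node. The first sample is the output quoted in the thread; the second is a constructed healthy output in the same layout, with ge-0/0/2 and ge-5/0/2 assumed as the members.

```python
"""Check 'show chassis cluster interfaces' output for missing or down fabric children."""
import re

# Output quoted in the thread (copied here as a constant).
POSTED_OUTPUT = """\
Control link status: Up
Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       fxp1        Up                 Disabled      Disabled
Fabric link status: Down
Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0
    fab0
    fab1
    fab1
"""

# Constructed healthy output in the same layout (assumed member interfaces).
HEALTHY_OUTPUT = """\
Control link status: Up
Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       fxp1        Up                 Disabled      Disabled
Fabric link status: Up
Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    ge-0/0/2           Up   / Up                 Disabled
    fab0
    fab1    ge-5/0/2           Up   / Up                 Disabled
    fab1
"""

NO_CHILD = "{fab} has no child interface (no fabric-options member-interfaces configured)"


def parse_cluster_interfaces(text):
    """Extract control/fabric link status and the child interfaces of each fab link."""
    report = {"control_status": None, "fabric_status": None, "fabric_children": {}}
    in_fabric = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Control link status: (\w+)", line)
        if m:
            report["control_status"] = m.group(1)
            continue
        m = re.match(r"Fabric link status: (\w+)", line)
        if m:
            report["fabric_status"] = m.group(1)
            continue
        if line == "Fabric interfaces:":
            in_fabric = True
            continue
        # Only rows starting with fabN inside the fabric table are data rows;
        # the two header lines and prompts are skipped.
        if not in_fabric or not line.startswith("fab"):
            continue
        parts = line.split()
        children = report["fabric_children"].setdefault(parts[0], [])
        if len(parts) > 1:
            # parts[2:-1] is the 'Physical / Monitored' status, parts[-1] the Security column
            children.append({"interface": parts[1], "status": " ".join(parts[2:-1])})
    return report


def findings(report):
    """Human-readable list of problems; empty when the cluster links look healthy."""
    out = []
    if report["control_status"] != "Up":
        out.append(f"control link is {report['control_status']}")
    if report["fabric_status"] != "Up":
        out.append(f"fabric link is {report['fabric_status']}")
    for fab, children in sorted(report["fabric_children"].items()):
        if not children:
            out.append(NO_CHILD.format(fab=fab))
        for child in children:
            if "Down" in child["status"]:
                out.append(f"{fab} child {child['interface']} is {child['status']}")
    return out


if __name__ == "__main__":
    for label, text in (("posted", POSTED_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        print(label, findings(parse_cluster_interfaces(text)) or "no findings")
```

On the posted output the report lists the fabric link as Down and both fab0 and fab1 without a child, which is the state the later post resolved by adding the fabric-options member-interfaces statements.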

 

Re: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation.


Thanks for the info. Do you know if there is any iOS application to connect my iPhone to the SRX? Are you aware of Pulse having such an application?

Re: BGP sessions over IPSec fail when SA recreated


Thanks for the support on this. It turns out the issue was occurring because our ISP is blocking / dropping ESP packets intermittently. This especially happens during the IKE CREATE_CHILD_SA messages. At this point ESP packets are dropped. To work around this I enabled UDP encapsulation. This stopped the packets from being blocked after a rekey, but the BGP session is still dropped temporarily. The Barracuda peer still reports that LLGR is not supported. To stop the SRX sending the option I disabled it under graceful-restart.

set protocols bgp group bgp-group neighbor 169.254.44.1 graceful-restart long-lived receiver disable

The Barracuda no longer reports an error during the BGP session start, but I will continue to monitor to see if the session restarts.

Thanks again


Re: flow session


Hi,

Thanks.

> show configuration applications application 587-tcp 
protocol tcp;
destination-port 587;
inactivity-timeout 300;

and I am not using ALG for submission. It looks like some type of attack, because these flows appeared one week ago and I had to clear all session flows because they all stayed in the table and there were no more free sessions and my SRX box couldn't forward any traffic.

thanks
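When the session table fills up, the useful first question is which source and which service are holding the entries, and how many of them never saw a reply packet. The script below is an added example (not the poster's code and not a Juniper tool) that parses text in the layout of `show security flow session` and answers those three questions; the session listing is constructed for the example, with 198.51.100.7 as a made-up host opening one-way sessions to tcp/587.

```python
"""Summarize 'show security flow session' output to see what fills the session table."""
import re
from collections import Counter

# Constructed sample in the layout of 'show security flow session'; not output
# from the poster's SRX. Sessions 100001-100004 are one-way (no return packets).
SAMPLE_SESSIONS = """\
Session ID: 100001, Policy name: default-permit/4, Timeout: 296, Valid
  In: 198.51.100.7/40001 --> 203.0.113.25/587;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 203.0.113.25/587 --> 198.51.100.7/40001;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Session ID: 100002, Policy name: default-permit/4, Timeout: 294, Valid
  In: 198.51.100.7/40002 --> 203.0.113.25/587;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 203.0.113.25/587 --> 198.51.100.7/40002;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Session ID: 100003, Policy name: default-permit/4, Timeout: 291, Valid
  In: 198.51.100.7/40003 --> 203.0.113.25/587;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 203.0.113.25/587 --> 198.51.100.7/40003;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Session ID: 100004, Policy name: default-permit/4, Timeout: 288, Valid
  In: 198.51.100.7/40004 --> 203.0.113.25/587;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 203.0.113.25/587 --> 198.51.100.7/40004;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Session ID: 100005, Policy name: default-permit/4, Timeout: 1794, Valid
  In: 10.0.0.5/51234 --> 203.0.113.40/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 2310,
  Out: 203.0.113.40/443 --> 10.0.0.5/51234;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 8120,
Session ID: 100006, Policy name: default-permit/4, Timeout: 284, Valid
  In: 10.0.0.6/52000 --> 203.0.113.25/587;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 1400,
  Out: 203.0.113.25/587 --> 10.0.0.6/52000;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 8, Bytes: 1960,
Total sessions: 6
"""

SESSION_RE = re.compile(r"Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+), Timeout: (?P<timeout>\d+)")
IN_RE = re.compile(
    r"In: (?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+).*Pkts: (?P<pkts>\d+)"
)
OUT_RE = re.compile(r"Out: .*Pkts: (?P<pkts>\d+)")


def parse_sessions(text):
    """Turn the listing into one dict per session with src, dst, dport, proto and packet counts."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = {"id": int(m["sid"]), "policy": m["policy"], "timeout": int(m["timeout"])}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = IN_RE.search(line)
        if m:
            cur.update(src=m["src"], dst=m["dst"], dport=int(m["dport"]),
                       proto=m["proto"], in_pkts=int(m["pkts"]))
            continue
        m = OUT_RE.search(line)
        if m:
            cur["out_pkts"] = int(m["pkts"])
    return sessions


def summarize(sessions):
    """Count sessions per source, per (proto, dport), and list the ones with no return packets."""
    return {
        "total": len(sessions),
        "by_source": Counter(s["src"] for s in sessions),
        "by_service": Counter((s["proto"], s["dport"]) for s in sessions),
        # A session whose Out direction never carried a packet is half-open or
        # unanswered; many of these from one source is what fills the table.
        "one_way": [s["id"] for s in sessions if s.get("out_pkts", 0) == 0],
    }


if __name__ == "__main__":
    summary = summarize(parse_sessions(SAMPLE_SESSIONS))
    print("top sources:", summary["by_source"].most_common(3))
    print("top services:", summary["by_service"].most_common(3))
    print("one-way sessions:", summary["one_way"])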

 

Re: error: the redundancy-interface-process subsystem is not running


You're correct that you need swfab for switching. Can you send output of show chassis hardware and show version?

Re: error: the redundancy-interface-process subsystem is not running


Hi,

Here is the output from both nodes:

root@bluec-srx-a> show chassis hardware
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                CY0219AF0565      SRX340
Routing Engine   REV 0x15 650-065043   CY0219AF0565      RE-SRX340
FPC 0                                                    FPC
  PIC 0                                                  8xGE,8xGE SFP Base PIC
Power Supply 0
node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                CY0219AF0395      SRX340
Routing Engine   REV 0x15 650-065043   CY0219AF0395      RE-SRX340
FPC 0                                                    FPC
  PIC 0                                                  8xGE,8xGE SFP Base PIC
Power Supply 0
{primary:node0}
root@bluec-srx-a>
 
Node B
{secondary:node1}
root@bluec-srx-b> show chassis hardware
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                CY0219AF0565      SRX340
Routing Engine   REV 0x15 650-065043   CY0219AF0565      RE-SRX340
FPC 0                                                    FPC
  PIC 0                                                  8xGE,8xGE SFP Base PIC
Power Supply 0
node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                CY0219AF0395      SRX340
Routing Engine   REV 0x15 650-065043   CY0219AF0395      RE-SRX340
FPC 0                                                    FPC
  PIC 0                                                  8xGE,8xGE SFP Base PIC
Power Supply 0
{secondary:node1}
root@bluec-srx-b>
 
show version:
 
root@bluec-srx-a> show version
node0:
--------------------------------------------------------------------------
Hostname: bluec-srx-a
Model: srx340
Junos: 15.1X49-D150.2
JUNOS Software Release [15.1X49-D150.2]
 
Node B:
root@bluec-srx-b> show version
node0:
--------------------------------------------------------------------------
Hostname: bluec-srx-a
Model: srx340
Junos: 15.1X49-D150.2
JUNOS Software Release [15.1X49-D150.2]
node1:
--------------------------------------------------------------------------
Hostname: bluec-srx-b
Model: srx340
Junos: 15.1X49-D150.2
JUNOS Software Release [15.1X49-D150.2]
{secondary:node1}
root@bluec-srx-b>
node1:
--------------------------------------------------------------------------
Hostname: bluec-srx-b
Model: srx340
Junos: 15.1X49-D150.2
JUNOS Software Release [15.1X49-D150.2]
{primary:node0}
root@bluec-srx-a>

PPPoe not connecting


Hello,

I have a SRX320 with a VDSL card that worked the first time to successfully dial out, but after that it suddenly stopped working.

My pppoe config is as follows:

show configuration interfaces pt-2/0/0
vlan-tagging;
vdsl-options {
    vdsl-profile auto;
}
unit 0 {
    encapsulation ppp-over-ether;
    vlan-id 101;
}

ppp-options {
    chap {
        default-chap-secret ## SECRET-DATA
        local-name "abcd@xxxx.com";
        passive;
    }
}
pppoe-options {
    underlying-interface pt-2/0/0.0;
    client;
}
family inet {
    negotiate-address;
}

The VDSL card is attached to FPC slot 2 and I get the following; I am unsure what pt-2/0/0.32767 is?

pt-2/0/0 up up
pt-2/0/0.0 up up
pt-2/0/0.32767 up up
fxp2 up up
fxp2.0 up up tnp 0x1

Traceoptions added, but I see the following:

show log pppoed
Nov 5 12:59:19 uifl not found for pt-2/0/0.32767 !
Nov 5 12:59:50 allocated 88 bytes at 0x4e4500
Nov 5 12:59:50 allocated 212 bytes at 0x4f6000
Nov 5 12:59:50 allocated 4 bytes at 0x4e30b0
Nov 5 12:59:50 allocated 4 bytes at 0x4e30c0
Nov 5 12:59:50 allocated 592 bytes at 0x4f8000
Nov 5 12:59:50 allocated 8 bytes at 0x4e30d0
Nov 5 13:00:18 allocated 1510 bytes at 0x4fd000
Nov 5 13:03:16 SIGHUP received

Can someone please guide me on where the issue could potentially be?

Thanks
Re: Is it possible to implement this topology? image


Hello!

This is my configuration:

set system services web-management https port 443 system-generated-certificate interface vlan.0
set system max-configuration-rollbacks 5
set system max-configurations-on-flash 5
set security policies from-zone VRPrincipalZone to-zone VRBOXExampleZone policy default-permit match source-address any
set security policies from-zone VRPrincipalZone to-zone VRBOXExampleZone policy default-permit match destination-address any
set security policies from-zone VRPrincipalZone to-zone VRBOXExampleZone policy default-permit match application any
set security policies from-zone VRPrincipalZone to-zone VRBOXExampleZone policy default-permit then permit
set security policies from-zone VRBOXExampleZone to-zone VRPrincipalZone policy default-permit match source-address any
set security policies from-zone VRBOXExampleZone to-zone VRPrincipalZone policy default-permit match destination-address any
set security policies from-zone VRBOXExampleZone to-zone VRPrincipalZone policy default-permit match application any
set security policies from-zone VRBOXExampleZone to-zone VRPrincipalZone policy default-permit then permit
set security zones security-zone VRPrincipalZone interfaces ge-0/0/5.0
set security zones security-zone VRBOXExampleZone interfaces ge-0/0/4.0
set security zones security-zone ZonaDeConfianza interfaces vlan.0 host-inbound-traffic system-services https
set interfaces ge-0/0/1 unit 0 family inet address 192.168.7.1/24
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.2.1/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 2888 family inet address 192.168.4.1/24
set routing-instances VRBOXExample instance-type virtual-router
set routing-instances VRBOXExample interface vlan.2888
set routing-instances VRPrincipal instance-type virtual-router
set routing-instances VRPrincipal interface ge-0/0/5.0
set routing-instances VSNuestro instance-type virtual-switch
set routing-instances VSNuestro interface ge-0/0/3.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

Sorry for my ignorance, I have little experience in networks; if you have a book or a source I would appreciate it. Thanks again.


Re: error: the redundancy-interface-process subsystem is not running


I wonder if this is by nature of being in transparent mode instead of switching? Do the swfab interfaces come up if you change to switching and reboot?

set protocols l2-learning global-mode switching

Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA


The IPsec configured is failing at phase 2 with the error "[Nov 5 11:02:00][165.X.X.X <-> 74.X.X.X] Authenticated Phase-2 notification `No proposal chosen' (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=ac 37 1d 45 16 59 9f a9 f2 c9 a0 54 37 5f 51 75 causes"

On the SRX I have the following:
traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
}
traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
}

On the ASA I have the following:
object-group network VLT_NETS_TO_SAV
 network-object 10.1.0.0 255.255.254.0
 network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
 network-object 10.120.72.0 255.255.255.0

access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

I assume this should work, but it doesn't fit quite into one of these: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28861&actp=METADATA

I'm a bit stumped here. I have done this before, but it's been a while and I don't recall.

Detailed SRX config:

SRX-01b> show configuration security ike proposal IKE_P1_PROPOSAL_1
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;

SRX-01b> show configuration security ike policy VLTFW_CORE_IKE_POLICY
mode main;
proposals IKE_P1_PROPOSAL_1;
pre-shared-key ascii-text "$9$WfE8NbaJDH.5x7P5Fn7dY2"; ## SECRET-DATA

SRX-01b> show configuration security ike gateway VLTFW_CORE
ike-policy VLTFW_CORE_IKE_POLICY;
address 74.X.X.X;
external-interface reth3;

SRX-01b> show configuration security ipsec proposal IPSEC_P2_PROPOSAL_1
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;

SRX-01b> show configuration security ipsec policy VLTFW_CORE_POLICY
perfect-forward-secrecy {
    keys group5;
}
proposals IPSEC_P2_PROPOSAL_1;

SRX-01b> show configuration security ipsec vpn VLTFW_CORE_VPN
bind-interface st0.13;
ike {
    gateway VLTFW_CORE;
    ipsec-policy VLTFW_CORE_POLICY;
}
traffic-selector PROD2SL_1 {
    local-ip 10.120.72.0/24;
    remote-ip 10.1.0.0/23;
}
traffic-selector PROD2SL_2 {
    local-ip 10.120.72.0/24;
    remote-ip 10.4.200.0/24;
}
establish-tunnels immediately;

Detailed ASA config:

crypto ikev1 policy 40
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 165.X.X.X type ipsec-l2l
tunnel-group 165.X.X.X ipsec-attributes
 ikev1 pre-shared-key ABCDEFG

object-group network VLT_NETS_TO_SAV
 network-object 10.1.0.0 255.255.254.0
 network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
 network-object 10.120.72.0 255.255.255.0

access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
crypto map outside_vpn 60 set pfs group5
crypto map outside_vpn 60 set peer 165.X.X.X
crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
crypto map outside_vpn 60 set security-association lifetime seconds 86400

Re: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA


In the Cisco config, mode should be "main" and the Phase 2 lifetime should be 3600. Please modify and let me know the result.

 

 

Re: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA


Added:

crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
crypto map outside_vpn 60 set pfs group5
crypto map outside_vpn 60 set peer 165.X.X.X
crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
crypto map outside_vpn 60 set security-association lifetime seconds 3600 <<----

ran command:

crypto map outside_vpn 60 set ikev1 phase1-mode main

>doesn't show in configuration.

still see:

Nov 5 13:02:00]Authenticated Phase-2 notification `No proposal chosen' (14) data size 4 from 74.X.X.X for protocol ESP with invalid spi[0...16]=81 12 58 a3 b4 e0 b9 99 c8 45 d3 8b b5 f7 6a 4c causes IKE SA deletion and QM abort

and now:

st0.13 up down inet

Re: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport <----
Change mode to tunnel (not sure about this option) or remove this mode config
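A Phase 2 "No proposal chosen" on a route-based SRX to ASA tunnel usually comes down to one of two things: the proxy IDs the ASA derives from its crypto ACL do not line up with the SRX traffic selectors, or a proposal attribute such as the encapsulation mode differs. The script below is an added example (my code, not the poster's, Juniper's or Cisco's) that takes the SRX selectors and the ASA lines quoted in the original question of this thread, expands the object-group ACL into proxy-ID pairs, compares them with the traffic selectors from the SRX side, and reads the transform-set mode; it assumes an ASA transform-set without a `mode` line is tunnel mode, which is the ASA default. On the thread's configuration the selectors match, which leaves the `mode transport` line that the last reply points at as the proposal difference: a route-based (st0) SRX VPN negotiates tunnel mode.

```python
"""Compare ASA crypto-map proxy IDs with SRX traffic selectors and check the
encapsulation mode before chasing a Phase 2 'No proposal chosen'."""
import ipaddress
import re

# SRX traffic selectors from the thread: name -> (local-ip, remote-ip)
SRX_TRAFFIC_SELECTORS = {
    "PROD2SL_1": ("10.120.72.0/24", "10.1.0.0/23"),
    "PROD2SL_2": ("10.120.72.0/24", "10.4.200.0/24"),
}

# The relevant ASA lines from the thread, copied into a constant for the example.
ASA_CONFIG = """\
object-group network VLT_NETS_TO_SAV
 network-object 10.1.0.0 255.255.254.0
 network-object 10.4.200.0 255.255.255.0
object-group network SAV_NET_TO_VLT
 network-object 10.120.72.0 255.255.255.0
access-list VLT-FW_TO_SAV_FW permit ip object-group VLT_NETS_TO_SAV object-group SAV_NET_TO_VLT
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto map outside_vpn 60 match address VLT-FW_TO_SAV_FW
crypto map outside_vpn 60 set ikev1 transform-set ESP-AES-256-SHA-TRANS
"""


def parse_object_groups(cfg):
    """Map object-group name -> list of ip_network (ipaddress accepts the netmask form)."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"\s*network-object ([\d.]+) ([\d.]+)", line)
        if m and current is not None:
            groups[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return groups


def acl_pairs(cfg, groups, acl_name):
    """Expand the crypto ACL into (ASA-side network, SRX-side network) proxy-ID pairs."""
    pat = re.compile(
        rf"access-list {re.escape(acl_name)} permit ip object-group (\S+) object-group (\S+)"
    )
    pairs = []
    for line in cfg.splitlines():
        m = pat.match(line)
        if m:
            for src in groups[m.group(1)]:
                for dst in groups[m.group(2)]:
                    pairs.append((src, dst))
    return pairs


def transform_set_mode(cfg, name):
    """Encapsulation mode of a transform-set; tunnel is the ASA default when no 'mode' line exists."""
    mode = "tunnel"
    pat = re.compile(rf"crypto ipsec ikev1 transform-set {re.escape(name)} mode (\S+)")
    for line in cfg.splitlines():
        m = pat.match(line)
        if m:
            mode = m.group(1)
    return mode


def check_phase2(srx_selectors, asa_cfg, acl_name, transform_set):
    """Report selector matches/mismatches and whether the ASA encapsulation mode differs."""
    groups = parse_object_groups(asa_cfg)
    # Seen from the SRX, the ACL destination is the SRX local side and the source the remote side.
    asa_pairs = {(dst, src) for src, dst in acl_pairs(asa_cfg, groups, acl_name)}
    srx_pairs = {
        name: (ipaddress.ip_network(loc), ipaddress.ip_network(rem))
        for name, (loc, rem) in srx_selectors.items()
    }
    matched = sorted(name for name, pair in srx_pairs.items() if pair in asa_pairs)
    unmatched_srx = sorted(name for name in srx_pairs if name not in matched)
    unmatched_asa = sorted(f"{loc} <-> {rem}" for loc, rem in asa_pairs - set(srx_pairs.values()))
    mode = transform_set_mode(asa_cfg, transform_set)
    findings = []
    if unmatched_srx or unmatched_asa:
        findings.append("proxy-ID mismatch: the selector sets differ")
    if mode != "tunnel":
        findings.append(
            f"encapsulation mismatch: ASA transform-set is '{mode}', "
            "a route-based (st0) SRX VPN negotiates tunnel mode"
        )
    return {
        "matched": matched, "unmatched_srx": unmatched_srx, "unmatched_asa": unmatched_asa,
        "asa_mode": mode, "mode_mismatch": mode != "tunnel", "findings": findings,
    }


if __name__ == "__main__":
    result = check_phase2(SRX_TRAFFIC_SELECTORS, ASA_CONFIG, "VLT-FW_TO_SAV_FW", "ESP-AES-256-SHA-TRANS")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Because the check is purely offline it can be run on both sides' configuration before any change is made; if the selector sets had not matched, the unmatched lists would show which pair to add on the ASA or which traffic-selector to add on the SRX.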