That was it... I was attempting to "squeeze" in "tunnel mode" somewhere and couldn't; just removing transport mode was it! Thanks
Re: Route-based ipsec SRX4100-ASA traffic selectors 1 subnet to many behind ASA
Re: how to use "show security match policies" for icmp or ping traffic
I stumbled on the fix for this while doing a traceoptions on icmp on SRX 550 and via GNS3 SRX image.
set your source-port 2048
show security match-policies protocol icmp destination-port 12345 destination-ip <dst-IP> source-port 2048 source-ip <src-IP> from-zone <From-Zone> to-zone <To-Zone>
2048 only, nothing else will work. At least for the versions of IOS I was using: 12.3.xxx and 12.1xxx respectively.
Re: flow session
Hi, the flows are still in the table; I didn't clear the table.
node0:
--------------------------------------------------------------------------
Session ID: 668, Status: Normal, State: Active
Flag: 0x4c000000
Policy name: allow-public-mail/11
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 131070, Current timeout: -1
Session State: Valid
Start time: 612189, Duration: 335814
   In: 47.74.61.85/60414 --> 80.94.48.253/587;tcp, Interface: reth1.0, Session token: 0x6, Flag: 0x1021
     Route: 0xc21bc2, Gateway: 80.94.48.249, Tunnel: 0
     Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 1, Bytes: 40
   Out: 192.168.200.16/587 --> 47.74.61.85/60414;tcp, Interface: reth0.994, Session token: 0xa, Flag: 0x1020
     Route: 0xc19bc2, Gateway: 192.168.200.16, Tunnel: 0
     Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 6, Bytes: 264
Total sessions: 1
and
node0:
--------------------------------------------------------------------------
Unicast-sessions: 18307
Multicast-sessions: 0
Failed-sessions: 2069
Sessions-in-use: 18460
  Valid sessions: 18307
  Pending sessions: 0
  Invalidated sessions: 153
  Sessions in other states: 0
Maximum-sessions: 65536
Thanks
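Added example, not code from the post or from Juniper: a small parser for the "show security flow session" output quoted above, plus a check that flags sessions where only one wing ever carried packets (a quick way to spot asymmetric paths or peers that never answered when reviewing a session table). The embedded sample re-uses the post's session and adds a second, invented one.

```python
import re
# Constructed sample: the post's session (values as printed there) plus an invented second one.
SAMPLE = """\
Session ID: 668, Status: Normal, State: Active
Policy name: allow-public-mail/11
Maximum timeout: 131070, Current timeout: -1
  In: 47.74.61.85/60414 --> 80.94.48.253/587;tcp, Interface: reth1.0, Session token: 0x6, Flag: 0x1021
    Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 1, Bytes: 40
  Out: 192.168.200.16/587 --> 47.74.61.85/60414;tcp, Interface: reth0.994, Session token: 0xa, Flag: 0x1020
    Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 6, Bytes: 264
Session ID: 669, Status: Normal, State: Active
  In: 198.51.100.7/51000 --> 80.94.48.253/587;tcp, Interface: reth1.0, Session token: 0x6, Flag: 0x1021
    Pkts: 3, Bytes: 180
  Out: 192.168.200.16/587 --> 198.51.100.7/51000;tcp, Interface: reth0.994, Session token: 0xa, Flag: 0x1020
    Pkts: 0, Bytes: 0
Total sessions: 2
"""

WING_RE = re.compile(r"^\s+(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), Interface: (\S+),")
KV_RE = re.compile(r"([A-Za-z -]+?): ([^,]+)")  # "Key: value" pairs separated by commas

def _coerce(value):  # decimal or 0x-hex numbers become ints, everything else stays a string
    try:
        return int(value, 0)
    except ValueError:
        return value

def parse_flow_sessions(text):
    """Parse 'show security flow session' output into session dicts with 'In'/'Out' wings."""
    sessions, cur, wing = [], None, None
    for line in text.splitlines():
        if line.startswith("Session ID:"):     # header line opens a new session
            cur, wing = {}, None
            sessions.append(cur)
        elif line.startswith("Total sessions:"):  # end of this node's listing
            cur, wing = None, None
        m = WING_RE.match(line)
        if m and cur is not None:              # wing line: 5-tuple + interface, rest is key/value
            wing = {"src": m.group(2), "sport": int(m.group(3)), "dst": m.group(4),
                    "dport": int(m.group(5)), "proto": m.group(6), "interface": m.group(7)}
            cur[m.group(1)] = wing
            line = line[m.end():]
        target = wing if (wing is not None and line.startswith(" ")) else cur
        if target is not None:
            target.update((k.strip(), _coerce(v.strip())) for k, v in KV_RE.findall(line))
    return sessions

def one_way_sessions(sessions):  # exactly one wing carried packets: asymmetric path or silent peer
    return [s["Session ID"] for s in sessions
            if (s["In"].get("Pkts", 0) == 0) != (s["Out"].get("Pkts", 0) == 0)]
```

Feed it the output of "show security flow session" (one node block or both) and review the IDs returned by one_way_sessions before deciding whether anything needs clearing.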
Re: Can we create custom Role class user using JWEB in SRX?
For features like this that are not directly available in jweb, you can use the cli tools in jweb for the task.
configure tab > cli tools > cli editor
Re: 'ge-0/0/0' HA management port cannot be configured error: configuration check-out failed
The best so far!!! Thanks
Enable multicast traffic into the same security zone
Hi,
I would like to send a multicast stream from a source connected on one interface to another interface on a Juniper SRX240 (12.1X46).
The multicast source is connected on the ge-0/0/3 interface.
The clients are connected on the ge-0/0/1 interface.
Here we have the interfaces:
interfaces {
    ge-0/0/1 {
        unit 0 {
            description stb;
            family inet {
                address 172.16.1.254/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            description local-stream;
            family inet {
                address 172.16.3.254/24;
            }
        }
    }
}
IGMP and PIM configuration:
> show configuration protocols
igmp {
    interface all {
        version 2;
    }
}
pim {
    interface all {
        mode dense;
        version 2;
    }
}
To simplify the setup, I put the two interfaces in the same security zone named "trust":
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
            ge-0/0/3.0;
        }
    }
}
Since all interfaces are in the same zone, I don't need security rules to allow the multicast traffic between source and receiver.
Multicast routing from the multicast source looks good. But when I request the stream from a PC, I get nothing.
> show multicast route group 232.1.20.2 detail
Instance: master Family: INET
Group: 232.1.20.2
    Source: 172.16.3.1/32
    Upstream interface: ge-0/0/3.0
    Session description: Source specific multicast
    Statistics: 0 kBps, 0 pps, 0 packets
    Next-hop ID: 0
    Upstream protocol: PIM
The show multicast route command should display a downstream interface list, containing at least the receiver interface ge-0/0/1.0.
Here we can see the IGMP request done by the client:
Re: Enable multicast traffic into the same security zone
Security Director Hit Count shows NA
I have a few rules that show the designation "NA" for the hit count. This means "not available". Does anyone know why the hit count would be unavailable for these rules?
Re: Enable multicast traffic into the same security zone
Hi Nellikka, first of all thank you for helping me.
Even if I didn't know that intra-zone traffic is denied by default, I had already added a basic rule which allows anything, just in case:
policies {
    from-zone trust to-zone trust {
        policy trust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
I can send a ping from the receiver to the source, and in the other direction.
Bernardo
Re: Enable multicast traffic into the same security zone
Hi Bernardo,
Can you change IGMP to version 3 and PIM to sparse or sparse-dense mode?
You are using Source Specific Multicast (SSM), which requires IGMPv3 to accept (S,G) joins from the receivers and PIM sparse mode to create a source tree between the source and the receiver.
Cheers,
Radek
Re: Enable multicast traffic into the same security zone
Hello Radek,
What makes you say that I use SSM? Maybe the multicast address? I chose it arbitrarily and I can use another one if necessary.
Anyway, I just set IGMP version 3 and PIM mode sparse (and then mode sparse-dense), but the problem is still present.
Be advised that I cannot manage the receiver (it's a set-top-box client), and its IGMP version is set to v2.
If you know any test tool simulating a multicast receiver, please let me know. I also tried with VLC opening a network stream.
BR,
Bernardo
Re: Enable multicast traffic into the same security zone
Yes, the multicast address, which is in the reserved SSM range; even the router tells you that:
> show multicast route group 232.1.20.2 detail
Instance: master Family: INET
Group: 232.1.20.2
    Source: 172.16.3.1/32
    Upstream interface: ge-0/0/3.0
    Session description: Source specific multicast
    Statistics: 0 kBps, 0 pps, 0 packets
    Next-hop ID: 0
    Upstream protocol: PIM
If the receiver only supports v2, can you try using a different group address out of the SSM range, or configure the router with "set routing-options multicast asm-override-ssm", which should allow ASM (*,G) joins to groups in the SSM range.
Thanks,
Radek
I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?
Hello everyone, after many failed attempts I think I am very close to pinging between two virtual routers connected through a virtual switch. I would greatly appreciate your help, thank you very much.
My configuration is:
root@NewJuniper# show routing-instances
VR1 {
    instance-type virtual-router;
    interface ge-0/0/4.0;
}
VR2 {
    instance-type virtual-router;
    interface ge-0/0/5.0;
}
MyVirtualSwitch {
    instance-type virtual-switch;
    interface ge-0/0/3.0;
    bridge-domains {
        TestBridgeVS {
            domain-type bridge;
            vlan-id none;
        }
    }
}
[edit]
root@NewJuniper# show interfaces
ge-0/0/4 {
    unit 0 {
        family inet {
            address 192.168.2.2/24;
        }
    }
}
ge-0/0/5 {
    unit 0 {
        family inet {
            address 192.168.2.1/24;
        }
    }
}
This should work, right? Have I missed something? Thanks again.
Re: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?
Hello,
How does your topology (interface connection) look?
Thanks
Vishal
Re: error: the redundancy-interface-process subsystem is not running
Hi Smicker,
Sorry for the late reply. I have been off sick. I was able to get the swfab interfaces up and the prob is up. I have already applied
set protocols l2-learning global-mode switching.
All the interfaces are up now, but I encountered another issue during testing: after connecting the cables it creates a loop. The switch config is fine; I can't understand what is causing the loop once all the cables are connected.
Re: locked out of srx240
This fixed the problem!
Re: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?
Do you mean physically? I have a cable connected from port ge-0/0/4 to port ge-0/0/5. I don't know if I have it installed correctly; now that I think about it, if I have the switch on ge-0/0/3, how should it be connected? Could you please guide me? Thank you.
Re: PPPoe not connecting
This is what works for me at many sites, with only minor tweaks:
interfaces {
    pt-1/0/0 {
        vlan-tagging;
        mtu 1492;
        vdsl-options {
            vdsl-profile 17a;
        }
        unit 0 {
            encapsulation ppp-over-ether;
            vlan-id 101;
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                chap {
                    default-chap-secret " ";
                    local-name " ";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface pt-1/0/0.0;
                auto-reconnect 10;
                client;
            }
            family inet {
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
Give it a try!
Since your successful connection, have you fully powered down the SRX and tried again?
Re: SRX 320 PPPOE issue after JUNOS upgrade
Seems like a fair and reasonable plan. I'm running all of my SRX320s on 190 now. Message back if you try again and are successful, as I'll be keen to know for my kit!
Re: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?
You need two connections:
VS <> VR1
VS <> VR2
A very basic topology like this:
VR1 <> VS <> VR2
Currently you don't have any connection to the VS, so it won't be able to talk to anything else.