Channel: All SRX Services Gateway posts

Re: Some SRX110 Network Addresses Reply to ICMP


All you would need to have enabled is both ping and traceroute under the zone that the responding interface is a member of.

 

set security zones security-zone NAME host-inbound-traffic system-services ping

set security zones security-zone NAME host-inbound-traffic system-services traceroute

 


Re: SRX 345 QinQ - 802.1ad


To get an official response on which features are in upcoming releases you will need to either open a JTAC ticket or talk to your sales engineer.

 

These are informal user to user forums and generally Juniper does not talk about future release specifics like that in public forums.

 

Re: l2cpd-service is thrashing, not restarted


You might have configured some URL lookup, but no effective DNS is configured.

Port channel between juniper and cisco switch


Hello 

 

What is the correct way to create a port-channel between a Juniper SRX5400 and, for example, a Cisco 2960X?

 

I have read that ethernet-switching is not supported on SRX 4100 and higher, but most demo configs go that route.

 

 

Re: Port channel between juniper and cisco switch


Can you please share the diagram of the infrastructure you want to create? L2/L3? Standalone/Cluster SRX?

Re: Port channel between juniper and cisco switch


Srx LinkA -> Cisco nexusA
Srx LinkB -> Cisco nexusB

 

Nexus A/B are connected together with VPC.

The port-channel needs to be a trunk and pass a few VLANs.


Currently I am testing with an SRX345 and a Cisco 2960 with a simple 2-link port-channel.

Junos upgrade failed


Hi,

I am trying to upgrade Junos on an SRX210HE (EOL) from 12.1X44-D45.2 to 12.1X46-D86.

But I am getting the error below. Please suggest the correct next upgrade version or how to fix the issue below.

Connectivity fault management process: rtslib: WARNING version mismatch for msg notify msg: expected 0 got 98,a reboot or software upgrade may be required
Formatting alternate root (/dev/da0s2a)...
newfs: /dev/da0s2a: failed to open disk for writing
ERROR: Could not format alternate root

-V verify if release based licenses are present
Connectivity fault management process: rtslib: WARNING version mismatch for msg notify msg: expected 0 got 98,a reboot or software upgrade may be required
Connectivity fault management process:
mgd: commit complete
Validation succeeded
Validating against /config/rescue.conf.gz

root@SRX> request system software add /var/tmp/junos-srxsme-12.1X46-D86-domestic.tgz no-copy unlink reboot
NOTICE: Validating configuration against junos-srxsme-12.1X46-D86-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s2a)...
newfs: /dev/da0s2a: failed to open disk for writing
ERROR: Could not format alternate root

Removing /var/tmp/junos-srxsme-12.1X46-D86-domestic.tgz

 

Thanks in advance.


Re: DHCP to remote site over GRE/VLAN


Okay, will look into it. But if I understand it, my remote site would still need a subnet set up to assign to the VLAN/interface for connected computers, so then I'd still be double-NATing to traverse the GRE?

 

I've also looked into IPSEC tunnel, but it seems there'd be a speed penalty at scale, and I'd still have the same double NAT problem regardless of tunnel type?

FTP ALG: Active and Passive on srx340


Hello guys,

 

1. I would like to know how to make FTP active and passive work using the FTP ALG. What I've configured so far is the following config with policy, but I can't establish a connection. If I disable the FTP ALG, then FTP active works, but not passive. What am I doing wrong? I have looked at several forums for the same solution but it doesn't seem to work for me.

 

 

Tried option 1:

FTP ALG:

ftp {
    disable;
    ftps-extension;
}

 

policy:

policy DATAHUB_TEST {
    match {
        source-address SRV-DATAHUB-TEST;
        destination-address NET_TEST;
        application [ junos-ftp PASSIVE_FTP_PORTS ];
    }
    then {
        permit;
    }
}

 

PASV ports:

application PASSIVE_FTP_PORTS {
    protocol tcp;
    destination-port 1024-65535;
}

 

 

2. I have also tried to do it with an ftp-ALGignore application and apply it on the policy. When I commit the policy you see that the FTP active connection is established, but only because of PASSIVE_FTP_PORTS. When I delete PASSIVE_FTP_PORTS from the application list, FTP active does not work anymore. I think that by using this method I am making pinholes to permit data channel connections to be established. Does this mean I am opening a gate from outside?

 

Tried option 2:

FTP ALG:

ftp {
    ftps-extension;
}

 

policy:

policy DATAHUB_TEST {
    match {
        source-address SRV-DATAHUB-TEST;
        destination-address NET_TEST;
        application [ ftp-ALGignore PASSIVE_FTP_PORTS ];
    }
    then {
        permit;
    }
}

 

PASV ports:

application PASSIVE_FTP_PORTS {
    protocol tcp;
    destination-port 1024-65535;
}

 

FTP ALG ignore:

set applications application ftp-ALGignore application-protocol ignore protocol tcp destination-port 21

 

Thanks
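Both options above hinge on what the FTP ALG does for you: it reads the PORT command (active mode) and the 227 reply to PASV (passive mode) on the control channel and opens a pinhole for exactly that one data-channel endpoint, which is why the ALG is meant to replace a static application like PASSIVE_FTP_PORTS rather than sit beside it. The following Python script, added here as an illustration and not code from the post or from Juniper, walks a constructed control-channel transcript and shows what such a pinhole contains next to the number of ports a static 1024-65535 application opens. The client and server addresses and the address-mismatch flag are assumptions of the example, not a description of the Junos ALG internals.

```python
"""What an FTP ALG learns from the control channel (added example, not Juniper code)."""
import re

# "PORT h1,h2,h3,h4,p1,p2" sent by the client (active mode)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." sent by the server (passive mode)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_endpoint(fields):
    """Turn the six comma-separated decimal fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("malformed FTP endpoint")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinholes_from_session(session, client_ip, server_ip):
    """Walk a control-channel transcript and return the data-channel pinholes an
    ALG would open. Each pinhole is one destination IP and one port, not a range.
    'mismatch' marks an advertised address that is not the speaker's own address
    (a generic sanity check assumed here, not a statement about the Junos ALG)."""
    pinholes = []
    for speaker, line in session:
        m = PORT_RE.match(line) if speaker == "C" else PASV_RE.match(line)
        if not m:
            continue
        ip, port = decode_endpoint(m.groups())
        if speaker == "C":   # active: the server connects back to the client
            pinholes.append({"mode": "active", "src": server_ip, "dst": ip,
                             "dport": port, "mismatch": ip != client_ip})
        else:                # passive: the client connects to the server's data port
            pinholes.append({"mode": "passive", "src": client_ip, "dst": ip,
                             "dport": port, "mismatch": ip != server_ip})
    return pinholes


def static_port_count(port_range):
    """Number of destination ports a static application such as
    'destination-port 1024-65535' permits for every matching flow."""
    lo, hi = (int(x) for x in port_range.split("-"))
    return hi - lo + 1


# Constructed transcript (not captured traffic): client 10.0.0.5 talking to
# server 192.0.2.10, doing one active and one passive transfer.
SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest"),
    ("S", "230 Login successful."),
    ("C", "PORT 10,0,0,5,195,80"),                          # 195*256 + 80 = 50000
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,39,16)."),  # 39*256 + 16 = 10000
    ("C", "RETR file.bin"),
]

if __name__ == "__main__":
    for pinhole in pinholes_from_session(SESSION, "10.0.0.5", "192.0.2.10"):
        print(pinhole)
    print("ports opened by a static 1024-65535 application:", static_port_count("1024-65535"))
```

Running it prints two single-port pinholes (one per transfer, each torn down with the data connection) against the 64512 ports a static 1024-65535 application leaves open for every flow that matches the policy; that difference is the whole point of letting the ALG handle the data channel instead of adding PASSIVE_FTP_PORTS.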

Re: Port channel between juniper and cisco switch


Hi,

You need to use a reth interface for redundancy. I'm pasting a similar configuration for a reth interface, but it has not been tested in a lab. It will help guide you.

set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces irb unit 202 family inet address 192.168.1.254/24
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 redundant-ether-options lacp periodic slow
set interfaces reth0 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth0 unit 0 family ethernet-switching vlan members vlan202
set vlans vlan202 vlan-id 202
set vlans vlan202 l3-interface irb.202

Re: DHCP to remote site over GRE/VLAN


Hello,

Yes, for DHCP relay to work, you'd need a local IRB.X/vlan.X L3 logical interface on the site1 SRX to serve as the source IP/gateway in relayed DHCP packets.

If you prefer your GRE tunnel to forward L2 traffic from computers attached to the SRX (including ARP and all the DHCP stuff) as opposed to routing it as L3, then have a look into VPLS over GRE over IPSEC; it has been supported on SRX since 2011-ish:

https://www.juniper.net/documentation/en_US/junos/topics/example/vpls-over-gre-ipsec.html

You can skip IPSEC in this setup if You want to.

HTH

Thx

Alex

Re: DHCP to remote site over GRE/VLAN


Looks interesting, will dig into it. How much would the IPSEC slow down traffic at scale? How important (and expensive) would it be to get the IDP license?

 

I really want an end-to-end L2 setup, routed at the head-end SRX345. Ideally, I would eventually like to tunnel other traffic without double NAT across the tunnel as well.

 

If I get it working I'll post the whole config here in case someone else wants to try to do the same thing.

Re: DHCP to remote site over GRE/VLAN


Hello,

 


 wrote:

Looks interesting, will dig into it. How much would the IPSEC slow down traffic at scale?


 

When I tested it back in 2011-ish, it was something like ~100Mbps on SRX100 without IPSEC frag + reassembly, ~50Mbps with IPSEC frag + reassembly. IPSEC reassembly is different from IDP IP reassembly; it is done without IDP involvement in the context of IPSEC packet reception.

 


 wrote:

How important would be (and expensive) to get the IDP license?

 


 

AFAIK, IDP license is not required for simple IP reassembly, not accompanied by inspection.

 

HTH

Thx

Alex

 


Re: Port channel between juniper and cisco switch


Hello,

 

Is the above example meant for a chassis cluster? Currently I am running only one router and I would like to attach 2 switches that are redundant, but if possible use both at the same time; if not, then switch over to the other when the first fails. A dirty solution would be to script interface enable/disable when sw1 fails, but surely there is something that can create a simple port-channel to the switch.

Re: Port channel between juniper and cisco switch


Hi Egert,

 

In Junos an Aggregated-Ethernet (ae) interface is the same thing as a port-channel in Cisco. An ae interface is just a bundle of physical interfaces; this bundle can be a group of L2 (family ethernet-switching) or L3 (family inet) interfaces. As you mentioned, ethernet-switching is not supported in high end SRX, however you can configure a L3 interface with sub-interfaces that will understand vlan-tagging.

 

Based on the provided configuration I can see that you have two L3 interfaces (one with vlan-tagging) acting as VRRP gateways, and you mentioned that you don't have a chassis cluster. The steps you will need to follow are:

 

1. Enable at least one ae interface:

 

user@host# set chassis aggregated-devices ethernet device-count 1

 

Ref: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/device-count-edit-chassis.html

 

2. Create an ae interface (ae0) by bundling ge-0/0/0 and ge-0/0/2:

 

user@host# set interfaces ge-0/0/0 gigether-options 802.3ad ae0 
user@host# set interfaces ge-0/0/2 gigether-options 802.3ad ae0

 

Ref: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-interface-config-aggregated-ethernet.html#id-deleting-aggregated-ethernet-interface

 

3. Configure ae0 with subinterfaces using vlan-tagging (Router-on-a-stick):

 

user@host# set interfaces ae0 vlan-tagging
user@host# set interfaces ae0 unit 202 vlan-id 202
user@host# set interfaces ae0 unit 202 family inet address 192.168.3.254/24 vrrp-group 1 virtual-address 192.168.3.1 priority 200
user@host# set interfaces ae0 unit 202 family inet address 192.168.3.254/24 vrrp-group 1 accept-data authentication-type md5 authentication-key [password]

user@host# set interfaces ae0 unit 205 vlan-id 205
user@host# set interfaces ae0 unit 205 family inet address 192.168.1.4/29 vrrp-group 2 virtual-address 192.168.1.2 priority 200
user@host# set interfaces ae0 unit 205 family inet address 192.168.1.4/29 vrrp-group 2 accept-data authentication-type md5 authentication-key [password]

Follow the same format to configure other sub-units and note they have to have their own vlan-ids.

 

With the above configuration you just need to make sure that your switch also has an L2 port-channel created acting as a trunk port and passing the vlan-ids created on the sub-units (202 and 205).

 

Remember that ge-0/0/0 and ge-0/0/2 are currently part of a security-zone; you will need to include ae0.202 and ae0.205 within those security-zones as well.

 

I really hope this was the information you were looking for. Please mark my comment as "Solution" if it applies.
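The three steps plus the two notes at the end (each sub-unit needs its own vlan-id, and each ae0.X has to be added to a security zone) are easy to get out of step when typed by hand. The Python script below, an added example rather than anything from the reply or from Juniper, generates the set statements for any number of sub-units and refuses to emit a configuration with duplicated vlan-ids or VRRP groups. The zone names "trust" and "dmz", the default priority and the unit-number-equals-vlan-id convention are assumptions of the example.

```python
"""Generate Junos set statements for an L3 ae bundle with VRRP sub-units (added example)."""
from dataclasses import dataclass


@dataclass
class SubUnit:
    vlan_id: int          # used as both the unit number and the 802.1Q tag (assumed convention)
    address: str          # interface address with prefix length, e.g. "192.168.3.254/24"
    vrrp_group: int
    virtual_address: str  # VRRP VIP shared with the other gateway
    zone: str             # security zone that must list this sub-unit
    priority: int = 200


def build_ae_config(ae, members, units, device_count=1, auth_key="[password]"):
    """Return the set statements for steps 1-3 plus the zone membership the reply
    asks for. Raises ValueError when two sub-units share a vlan-id or a VRRP
    group, because both must be unique on the bundle."""
    vlan_ids = [u.vlan_id for u in units]
    if len(set(vlan_ids)) != len(vlan_ids):
        raise ValueError("each sub-unit needs its own vlan-id")
    groups = [u.vrrp_group for u in units]
    if len(set(groups)) != len(groups):
        raise ValueError("each sub-unit needs its own vrrp-group")

    # Step 1: allow the chassis to create ae interfaces.
    cmds = [f"set chassis aggregated-devices ethernet device-count {device_count}"]
    # Step 2: bundle the physical members into the ae.
    for port in members:
        cmds.append(f"set interfaces {port} gigether-options 802.3ad {ae}")
    # Step 3: vlan-tagged sub-units, each with its VRRP group, plus zone membership.
    cmds.append(f"set interfaces {ae} vlan-tagging")
    for u in units:
        unit = f"set interfaces {ae} unit {u.vlan_id}"
        vrrp = f"{unit} family inet address {u.address} vrrp-group {u.vrrp_group}"
        cmds += [
            f"{unit} vlan-id {u.vlan_id}",
            f"{vrrp} virtual-address {u.virtual_address} priority {u.priority}",
            f"{vrrp} accept-data authentication-type md5 authentication-key {auth_key}",
            f"set security zones security-zone {u.zone} interfaces {ae}.{u.vlan_id}",
        ]
    return cmds


# Constructed input matching the two sub-units in the reply; zone names are assumed.
UNITS = [
    SubUnit(202, "192.168.3.254/24", 1, "192.168.3.1", "trust"),
    SubUnit(205, "192.168.1.4/29", 2, "192.168.1.2", "dmz"),
]

if __name__ == "__main__":
    print("\n".join(build_ae_config("ae0", ["ge-0/0/0", "ge-0/0/2"], UNITS)))
```

The output is meant to be pasted into configuration mode and followed by a commit; the member ports themselves still have to be removed from any zone they were in before, since the zone now sees only the ae0.X logical interfaces.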

 

Re: Some SRX110 Network Addresses Reply to ICMP


Hi,

 

I am assuming you are pinging the addresses on the physical interfaces. Please use the following command to see the services enabled on a working interface and a non-working interface:

 

> show interfaces [interface_name] extensive | find security

 

It will show something similar to:

 

  Logical interface ge-0/0/1.0 (Index 70) (SNMP ifIndex 49)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 5161
    Output packets: 83
    Security: Zone: zone2
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp ldp msdp nhrp ospf pgm
    pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
    netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl

 

Look for ping under Allowed host-inbound traffic.

 

Also look for any firewall filters applied to these interfaces or to the loopback interface that might be allowing/blocking ping/icmp.
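Both this reply and the earlier one about enabling ping and traceroute under the zone come down to reading the "Allowed host-inbound traffic" list per logical interface. The Python below, an added example that is not from the thread or from Juniper, parses that section of "show interfaces extensive" output into a per-interface report: which of a required set of services (ping, traceroute) are missing, and which clear-text management services are exposed on the interface. The sample output is constructed to match the format shown above rather than captured from a device, and the "required" and "clear-text" service lists are the example's own choices.

```python
"""Audit 'Allowed host-inbound traffic' per logical interface (added example)."""
import re
from dataclasses import dataclass, field

IFACE_RE = re.compile(r"^\s*Logical interface (\S+)")
ZONE_RE = re.compile(r"Security: Zone: (\S+)")
ALLOWED_RE = re.compile(r"Allowed host-inbound traffic\s*:\s*(.*)$")


@dataclass
class LogicalInterface:
    name: str
    zone: str = ""
    services: list = field(default_factory=list)


def parse_host_inbound(text):
    """Collect zone and allowed services for each 'Logical interface' block.
    The service list wraps onto continuation lines; collection stops at the next
    line that carries a 'key: value' field or at the next logical interface."""
    ifaces, current, collecting = [], None, False
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = LogicalInterface(m.group(1))
            ifaces.append(current)
            collecting = False
            continue
        if current is None:
            continue
        z = ZONE_RE.search(line)
        if z:
            current.zone = z.group(1)
        a = ALLOWED_RE.search(line)
        if a:
            current.services.extend(a.group(1).split())
            collecting = True
            continue
        if collecting:
            if ":" in line or not line.strip():
                collecting = False
            else:
                current.services.extend(line.split())
    return ifaces


def audit(text, required=("ping", "traceroute"),
          cleartext=("telnet", "ftp", "rlogin", "rsh", "finger", "xnm-clear-text", "http")):
    """Per interface: zone, required services that are not allowed, and clear-text
    management services that are allowed (both lists are this example's choices)."""
    report = {}
    for iface in parse_host_inbound(text):
        report[iface.name] = {
            "zone": iface.zone,
            "missing": [s for s in required if s not in iface.services],
            "cleartext_mgmt": [s for s in cleartext if s in iface.services],
        }
    return report


# Constructed sample in the format of 'show interfaces extensive | find security'
# for two logical interfaces; not output from a real device.
SAMPLE_OUTPUT = """\
  Logical interface ge-0/0/1.0 (Index 70) (SNMP ifIndex 49)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 5161
    Output packets: 83
    Security: Zone: zone2
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp ldp msdp nhrp ospf pgm
    pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
    netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
  Logical interface ge-0/0/2.0 (Index 71) (SNMP ifIndex 50)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 12
    Output packets: 9
    Security: Zone: untrust
    Allowed host-inbound traffic : ike
"""

if __name__ == "__main__":
    for name, row in audit(SAMPLE_OUTPUT).items():
        print(name, row)
```

Feed it the saved output of the command for all interfaces and the "missing" list explains a silent ping while the "cleartext_mgmt" list shows where a zone allowing every system service has gone further than intended.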

 

 

Re: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?


Hi C0d3,

 

I can see that there is no host-inbound-traffic configured on the interfaces, please include:

 

# set security zones security-zone VRPrincipalZone interfaces ge-0/0/5.0 host-inbound-traffic system-services all
# set security zones security-zone VRBOXExampleZone interfaces ge-0/0/4.0 host-inbound-traffic system-services all
# commit

 

After that try the pings again. Note that for the ping to work we need to include the routing-instance we are sourcing the ping from:

 

> run ping 192.168.2.1 routing-instance VRBOXExample
> run ping 192.168.2.2 routing-instance VRPrincipal

 

Please mark my comment as "Solution" if it applies.

 

Re: Port channel between juniper and cisco switch


Thanks, that was exactly what I needed. I made 2 ae interfaces [ ae0 (g0,g1) / ae1 (g2,g3) ], the same on the switch side. Now I have two working port-channels.

 

 
