Channel: All SRX Services Gateway posts

Re: Some SRX110 Network Addresses Reply to ICMP


As Steve pointed out, the security zone has to be configured to accept ICMP messages (host-inbound-traffic). But also make sure that no firewall filter applied to either the physical interface or the loopback interface is blocking your ICMP traffic, and that you have proper policies in place:

[Attachment: exception traffic processing.png]

 
SRX 345 - interface monitors not working


Hi,

Whenever we deploy SRXs we use interface monitors with redundancy groups and reths... this is the first time I've deployed on an SRX345, and also the first time I've had a major problem.

 

If I pull a cable (simulating an event) the interface monitor will identify there was an event and depending on the weight, move to the other node for that RG or simply subtract the weight from 255.

 

The issue is when I plug the cable back in: the LED status light is green but the interface shows down in the CLI. If I pull and put back in both interfaces in an RG... neither comes back.

 

Can't replicate it on other SRXs and have never had this issue before. Software: we upgraded to the recommended JTAC version, which has a lot more layer 2 default config and functionality than older Junos releases, so I reverted back to 15.1, which works on SRX 1500, 4100 and 4200s without any issue.

 

show chassis cluster interfaces    
Control link status: Up

Control interfaces: 
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       fxp1        Up                 Disabled      Disabled  

Fabric link status: Up

Fabric interfaces: 
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    ge-0/0/14          Up   / Up                 Disabled   
    fab0   
    fab1    ge-5/0/14          Up   / Up                 Disabled   
    fab1   

Redundant-ethernet Information:     
    Name         Status      Redundancy-group
    reth0        Down        Not configured   
    reth1        Up          1                
    reth2        Down        2                
    reth3        Down        Not configured   
   
Redundant-pseudo-interface Information: 
    Name         Status      Redundancy-group
    lo0          Up          0                

Interface Monitoring:
    Interface         Weight    Status                    Redundancy-group
                                (Physical/Monitored)
    ge-5/0/12         128       Up  /  Up                 1   
    ge-5/0/11         128       Down  /  Down             1   
    ge-0/0/12         128       Up /  Up                  1   
    ge-0/0/11         128       Up  /  Up                 1   
    ge-5/0/8          255       Down  /  Down             2   
    ge-0/0/8          255       Down  /  Down             2  

 

 

set chassis cluster reth-count 4
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/11 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/12 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/11 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/12 weight 128
set chassis cluster redundancy-group 2 node 0 priority 200
set chassis cluster redundancy-group 2 node 1 priority 100
set chassis cluster redundancy-group 2 interface-monitor ge-0/0/8 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-5/0/8 weight 255

 
Has anyone come across this?
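A way to reason about the table above, as an added example that is not part of the post: the script parses the "Interface Monitoring" section of the `show chassis cluster interfaces` output (the rows are copied from the post) and applies the rule the poster describes, a 255 threshold per redundancy group and node from which each down monitored interface subtracts its weight. It also lists interfaces whose link is physically Up while the monitor still reports Down, which is the symptom the poster is chasing. The node mapping (FPC 5 and above belongs to node 1) is taken from the post's interface numbering and is an assumption for other platforms.

```python
"""Evaluate SRX chassis-cluster interface-monitor weights per redundancy group.

Added example, not from the forum post. Parses the "Interface Monitoring"
table of 'show chassis cluster interfaces' (rows copied from the post) and
applies the rule the post describes: each redundancy group starts at a
threshold of 255 on each node; every monitored interface that is down
subtracts its weight; at 0 the group fails over to the other node, and if
both nodes reach 0 the reth has nowhere to go and stays down.
"""
import re
from collections import defaultdict

RG_START_THRESHOLD = 255
# Assumption: on this SRX345 cluster node 1's interfaces are numbered from
# FPC 5 (ge-5/0/x), as in the post. Adjust for other platforms.
NODE1_FPC_OFFSET = 5

INTERFACE_MONITORING = """\
    Interface         Weight    Status                    Redundancy-group
                                (Physical/Monitored)
    ge-5/0/12         128       Up  /  Up                 1
    ge-5/0/11         128       Down  /  Down             1
    ge-0/0/12         128       Up /  Up                  1
    ge-0/0/11         128       Up  /  Up                 1
    ge-5/0/8          255       Down  /  Down             2
    ge-0/0/8          255       Down  /  Down             2
"""

ROW = re.compile(
    r"^\s*(?P<ifname>[a-z]+-(?P<fpc>\d+)/\d+/\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<physical>Up|Down)\s*/\s*(?P<monitored>Up|Down)\s+(?P<rg>\d+)\s*$"
)


def parse_monitoring(text):
    """Return one dict per monitored interface; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rows.append({
            "ifname": m["ifname"],
            "node": 1 if int(m["fpc"]) >= NODE1_FPC_OFFSET else 0,
            "weight": int(m["weight"]),
            "physical": m["physical"],
            "monitored": m["monitored"],
            "rg": int(m["rg"]),
        })
    return rows


def rg_thresholds(rows):
    """Remaining threshold per (rg, node) after subtracting down-interface weights."""
    thresholds = defaultdict(lambda: RG_START_THRESHOLD)
    for r in rows:
        key = (r["rg"], r["node"])
        thresholds[key]  # create the entry even when every interface is up
        if r["monitored"] == "Down":
            thresholds[key] = max(0, thresholds[key] - r["weight"])
    return dict(thresholds)


def rg_verdict(thresholds):
    """Per RG: nodes that hit 0, nodes still healthy, whether the reth can be up."""
    verdict = {}
    for rg in sorted({rg for rg, _ in thresholds}):
        nodes = {node: t for (g, node), t in thresholds.items() if g == rg}
        failed = sorted(n for n, t in nodes.items() if t == 0)
        healthy = sorted(n for n, t in nodes.items() if t > 0)
        verdict[rg] = {"failed_nodes": failed, "healthy_nodes": healthy,
                       "reth_can_be_up": bool(healthy)}
    return verdict


def stuck_monitors(rows):
    """Interfaces whose link is physically Up but the monitor still reports Down.

    This is the symptom described in the post (LED green, CLI still down); the
    post's own table has none at the moment it was captured.
    """
    return [r["ifname"] for r in rows
            if r["physical"] == "Up" and r["monitored"] == "Down"]


if __name__ == "__main__":
    rows = parse_monitoring(INTERFACE_MONITORING)
    thresholds = rg_thresholds(rows)
    for (rg, node), t in sorted(thresholds.items()):
        print(f"RG{rg} node{node}: threshold {t}")
    for rg, v in rg_verdict(thresholds).items():
        print(f"RG{rg}: failed nodes {v['failed_nodes']}, "
              f"reth up possible: {v['reth_can_be_up']}")
    print("physically up but monitored down:", stuck_monitors(rows))
```

Run against the post's table, RG1 keeps 255 on node 0 and 127 on node 1 (one 128-weight interface down), so reth1 stays up; RG2 is at 0 on both nodes because each node's single 255-weight interface is down, which matches reth2 showing Down. When the poster's "green LED, CLI down" state recurs, `stuck_monitors` is the list to look at.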

Re: Junos upgrade failed


Hi,

 


root@SRX> show system snapshot media internal
Information for snapshot on internal (/dev/da0s1a) (primary)
Creation date: Sep 25 11:15:30 2015
JUNOS version on snapshot:
junos : 12.1X44-D45.2-domestic
error: cannot mount /dev/da0s2a

DHCP Pool Exhaustion


Hi

 

I have an SRX320 running 15.1X49-D70.3 and am struggling to get any useful DHCP information from the box, as you can on a Cisco equivalent.

 

Simply put, I want to check that the pool has not been exhausted; however, the only meaningful commands to run are:

 

user@SRX> show dhcp server statistics
Packets dropped:
Total 7
Send error 3
No binding found 4

Messages received:
BOOTREQUEST 120659
DHCPDECLINE 17
DHCPDISCOVER 26217
DHCPINFORM 752
DHCPRELEASE 263
DHCPREQUEST 93410
DHCPLEASEQUERY 0
DHCPBULKLEASEQUERY 0

Messages sent:
BOOTREPLY 114861
DHCPOFFER 22805
DHCPACK 86431
DHCPNAK 5625
DHCPFORCERENEW 0
DHCPLEASEUNASSIGNED 0
DHCPLEASEUNKNOWN 0
DHCPLEASEACTIVE 0
DHCPLEASEQUERYDONE 0

 

Or 'show dhcp server binding' 

 

Is there a way to check the pool to show available addresses and perhaps conflicts?


Thanks!
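Since the later reply in this thread says JDHCP has no pool-utilization or conflict command, here is an added example (not from the thread) that derives both from outputs the SRX does provide. It parses the `show dhcp server statistics` block copied from the post and a constructed `show dhcp server binding` listing; the binding column layout is assumed from memory of Junos output, and the pool range is assumed to be the `low`/`high` of the address-assignment pool in the configuration. A server with no free address stays silent on DISCOVER, so the OFFER/DISCOVER ratio from the statistics is used as a coarse exhaustion signal.

```python
"""Estimate DHCP pool utilization on a Junos SRX from CLI output.

Added example, not from the thread. JDHCP has no pool-utilization command, so
the numbers are derived from two outputs the SRX does provide:
  * 'show dhcp server statistics' (copied from the post), and
  * 'show dhcp server binding' (sample below is constructed; the column
    layout is assumed from memory of Junos output, adjust the regex if your
    release prints different columns).
"""
import ipaddress
import re
from collections import Counter

STATISTICS = """\
Packets dropped:
Total 7
Send error 3
No binding found 4

Messages received:
BOOTREQUEST 120659
DHCPDECLINE 17
DHCPDISCOVER 26217
DHCPINFORM 752
DHCPRELEASE 263
DHCPREQUEST 93410

Messages sent:
BOOTREPLY 114861
DHCPOFFER 22805
DHCPACK 86431
DHCPNAK 5625
"""

# Constructed sample; 192.0.2.11 is deliberately bound to two MACs and
# 192.0.2.250 lies outside the pool range used below.
BINDINGS = """\
IP address        Session Id  Hardware address   Expires     State      Interface
192.0.2.10        12          00:00:5e:00:53:01  85400       BOUND      ge-0/0/1.0
192.0.2.11        13          00:00:5e:00:53:02  85401       BOUND      ge-0/0/1.0
192.0.2.12        14          00:00:5e:00:53:03  120         RENEWING   ge-0/0/1.0
192.0.2.11        15          00:00:5e:00:53:04  85402       BOUND      ge-0/0/1.0
192.0.2.250       16          00:00:5e:00:53:05  85403       BOUND      ge-0/0/1.0
"""

ACTIVE_STATES = {"BOUND", "RENEWING", "REBINDING"}  # states that hold an address

STAT = re.compile(r"^(?P<name>[A-Z]+)\s+(?P<count>\d+)$")
BIND = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+(?P<mac>[0-9a-f:]{17})\s+\d+\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<ifl>\S+)$"
)


def parse_statistics(text):
    """Map DHCP message-type names to counters; other lines are ignored."""
    return {m["name"]: int(m["count"])
            for m in (STAT.match(l.strip()) for l in text.splitlines()) if m}


def offer_ratio(stats):
    """DHCPOFFER / DHCPDISCOVER. Well below 1 is one exhaustion signal, though
    retransmitted DISCOVERs and clients of other pools also lower it."""
    discovers = stats.get("DHCPDISCOVER", 0)
    return stats.get("DHCPOFFER", 0) / discovers if discovers else None


def parse_bindings(text):
    """One dict per binding row; the header line does not match."""
    return [m.groupdict() for m in (BIND.match(l) for l in text.splitlines()) if m]


def pool_report(bindings, low, high):
    """Used/free counts for the range low..high, plus duplicate and out-of-pool IPs."""
    lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    size = int(hi) - int(lo) + 1
    in_pool = [b for b in bindings
               if b["state"] in ACTIVE_STATES
               and lo <= ipaddress.IPv4Address(b["ip"]) <= hi]
    per_ip = Counter(b["ip"] for b in in_pool)
    used = len(per_ip)
    return {
        "size": size,
        "used": used,
        "free": size - used,
        "percent_used": round(100 * used / size, 1),
        # the same address active for two MACs is a conflict worth clearing
        "conflicts": sorted(ip for ip, n in per_ip.items() if n > 1),
        "outside_pool": sorted({b["ip"] for b in bindings
                                if not lo <= ipaddress.IPv4Address(b["ip"]) <= hi}),
    }


if __name__ == "__main__":
    stats = parse_statistics(STATISTICS)
    print("OFFER/DISCOVER ratio:", round(offer_ratio(stats), 3))
    print(pool_report(parse_bindings(BINDINGS), "192.0.2.10", "192.0.2.100"))
```

On the post's statistics the ratio is about 0.87, which alone does not prove exhaustion; the binding-based count is the direct measurement, and it is cheap to poll over SSH or NETCONF and graph.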

SRX110 Best way to open internet ports for a single device


I have a device for which I need to open up a range of internet-facing ports (UDP and TCP). I want to do this in as secure a way as possible (I know opening up ports permanently isn't secure by nature....), but the lack of UPnP means I need to have these ports opened up in the traditional way.

 

What is my best way to achieve this? Is it best to assign this via a specific physical Fast Ethernet port, or a specific internal IP address? All my devices are currently behind a firewall and NAT. Can I create a zone where this single device can see my internal network and the internet, and have unrestricted incoming services?

 

I have had a go at this a few times, but always fail. Not sure what I am doing wrong. Here is my current configuration. If someone can help with my config, or point me in the right direction, I would very much appreciate it.

 

https://pastebin.com/raw/T6TV6mVa

 

Thanks

 

Re: Junos upgrade failed


Can you please use "request system snapshot slice alternate" and then reboot the device?

Re: SRX110 Best way to open internet ports for a single device


Hi,

 

If you have a way of NATing the traffic to the internal device, then it is just a matter of configuring security policies and keeping them as restricted as you can. See the attached topology and let me know if you have any doubts or questions.

 

Please mark my comment as "Solution" if it applies.

 

[Attachment: topo.png]

 

Re: DHCP Pool Exhaustion


Hi firestars,

 

In the current DHCP version (the recommended one), called JDHCP, there are no commands to check IP conflicts or pool utilization, as you stated.

 

In the previous DHCP version there were commands to check this info:

 

> show system services dhcp pool [pool_name] detail
> show system services dhcp conflict

 

The old DHCP version can still be configured, but the hierarchy is hidden, so some of the commands won't auto-complete when you press the Tab key:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB15754&actp=METADATA

 

I also checked if there was any SNMP OID that could show the pool utilization, but on the 15.1X49 versions I only found the JDHCP MIB, which doesn't have a way to monitor that information:

 

https://apps.juniper.net/mib-explorer/getMibContent.html?q=junos-os/15.1x49-D180/mib-jnx-jdhcp.txt

 

Hope this clarifies your concern. Please mark my comment as "Solution" if it applies.

 
Security policy place


Hi all,

 

We have SRX_Main in main datacenter and SRX_Backup in backup datacenter.

Traffic from branches to the backup datacenter goes through the main datacenter: Branch router -> SRX_Main -> SRX_Backup.

In that case, where is the right place to put firewall policies (SRX_Main or SRX_Backup) when the destination is in the backup datacenter?

 

Thanks

Re: Security policy place


Hi Harut,

 

I believe that ideally the branch router should connect to the Main SRX and the Backup SRX separately. If the branch router connects to the backup SRX via the Main SRX, what would happen if the Main SRX malfunctions? You will lose connectivity to the backup SRX. Anyway, that's just my humble opinion.

 

Regarding your question:

 

I will go with Main SRX, this way you will filter/block non-desired traffic upfront. Besides, if you decide not to filter the traffic on the Main SRX and leave this task to the Backup SRX, the traffic will still need to be processed by a security-policy on the Main SRX (a sec-policy that will be permitting all the traffic).

 

Security-wise: non-desired traffic to be filtered as soon as possible.

Processing-wise: it makes no difference to the Main SRX; it will have to process the traffic via security policies even if you decide to filter the traffic on the backup SRX.

 

I really hope this opinion helps you. Please mark my comment as "Solution" if it applies.

 
traceoptions issue on physical interfaces of SRX345


Hi, guys,

 

Issue found with traceoptions on physical interfaces of an SRX345 (JUNOS 15.1X49-D110.4 built 2017-09-08).

I want to record/capture the event log of physical interface status, so the following configuration is set up:

set interfaces traceoptions file interface_status.txt
set interfaces traceoptions file size 10m
set interfaces traceoptions file files 24
set interfaces traceoptions file world-readable
set interfaces traceoptions flag config-states
commit and-quit

 

Strangely, interface event status could not be found in "/var/log/interface_status.txt", but was found in "/var/log/messages".

Any issue/advice? Thanks.

 

Also, any recommended configuration for tracing the event log of a logical interface, such as the GRE interface "gr-0/0/0.10"?

 
Interface status in "Messages" :

 

root@labtest-fw2% cat messages
Nov 15 07:00:00 labtest-fw2 newsyslog[25618]: logfile turned over due to size>100K
Nov 15 07:02:14 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 519, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/7
Nov 15 07:02:14 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName irb.733
Nov 15 07:12:29 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 519, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/7
Nov 15 07:12:29 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName irb.733
Nov 15 07:12:43 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/1
Nov 15 07:12:43 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 554, ifAdminStatus up(1), ifOperStatus down(2), ifName gr-0/0/0.40
Nov 15 07:12:44 labtest-fw2 rmopd[1718]: RMOPD_ICMP_SENDMSG_FAILURE: sendmsg(ICMP): Network is down

 

 

How do I configure the interface traceoptions so that these messages are recorded in the traceoptions file "interface.txt"?
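Whatever the answer to the traceoptions question turns out to be, the `/var/log/messages` lines above are already a usable record of link events. As an added example (not from the post), the script below parses the mib2d `SNMP_TRAP_LINK_DOWN` lines copied from the post, plus one constructed `SNMP_TRAP_LINK_UP` line in the same layout (the message Junos logs when a link returns), and turns them into per-interface transition counts, a flap list and the last known state of each interface; unrelated lines such as the newsyslog and rmopd entries are skipped.

```python
"""Count link-state transitions per interface from Junos /var/log/messages.

Added example, not from the post. The mib2d SNMP_TRAP_LINK_DOWN lines are the
ones the post shows; the final SNMP_TRAP_LINK_UP line is constructed (same
layout) so both directions are exercised. Unrelated lines (newsyslog, rmopd)
do not match the pattern and are skipped.
"""
import re
from collections import Counter

MESSAGES = """\
Nov 15 07:00:00 labtest-fw2 newsyslog[25618]: logfile turned over due to size>100K
Nov 15 07:02:14 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 519, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/7
Nov 15 07:02:14 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName irb.733
Nov 15 07:12:29 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 519, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/7
Nov 15 07:12:29 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName irb.733
Nov 15 07:12:43 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/1
Nov 15 07:12:43 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 554, ifAdminStatus up(1), ifOperStatus down(2), ifName gr-0/0/0.40
Nov 15 07:12:44 labtest-fw2 rmopd[1718]: RMOPD_ICMP_SENDMSG_FAILURE: sendmsg(ICMP): Network is down
Nov 15 07:15:02 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_UP: ifIndex 512, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/1
"""

TRAP = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mib2d\[\d+\]: "
    r"SNMP_TRAP_LINK_(?P<event>UP|DOWN): ifIndex (?P<ifindex>\d+), "
    r"ifAdminStatus (?P<admin>\w+)\(\d+\), ifOperStatus (?P<oper>\w+)\(\d+\), "
    r"ifName (?P<ifname>\S+)$"
)


def parse_link_events(text):
    """One dict per mib2d link trap, in log order."""
    events = []
    for line in text.splitlines():
        m = TRAP.match(line)
        if m:
            d = m.groupdict()
            d["ifindex"] = int(d["ifindex"])
            events.append(d)
    return events


def transitions(events):
    """Counter keyed by (ifname, 'UP'|'DOWN')."""
    return Counter((e["ifname"], e["event"]) for e in events)


def flapping(events, min_downs=2):
    """Interfaces that went down at least min_downs times in the window."""
    c = transitions(events)
    return sorted(ifn for (ifn, ev), n in c.items() if ev == "DOWN" and n >= min_downs)


def last_state(events):
    """Most recent operational state per interface."""
    state = {}
    for e in events:
        state[e["ifname"]] = e["oper"]
    return state


def unexpected_down(events):
    """Interfaces reported down while administratively up: a physical or
    upstream fault rather than a deliberate disable."""
    return sorted({e["ifname"] for e in events
                   if e["event"] == "DOWN" and e["admin"] == "up"})


if __name__ == "__main__":
    ev = parse_link_events(MESSAGES)
    print("transitions:", dict(transitions(ev)))
    print("flapping:", flapping(ev))
    print("last state:", last_state(ev))
    print("down while admin-up:", unexpected_down(ev))
```

The same pattern works on a syslog collector receiving the SRX's messages, which is often the more durable place to keep interface history than a local trace file subject to rotation.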

Re: SRX110 Best way to open internet ports for a single device


Are there any example configurations of this I can adapt? Should the zone contain a device IP address, or an FE port?

traceoption rpm test between two sites...help


Hi, guys,

 

Due to geographical reasons, I would like to create an RPM service on SRX345s (two sites) to keep pinging between the two sites.

 

Any advice on how to set up traceoptions in order to record the ping results in terms of RTT and jitter?

 

Such as my rpm configurations:

=======================
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp probe-type tcp-ping
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp target address 10.10.12.18
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp probe-count 2
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp probe-interval 1
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp test-interval 1
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp destination-port 53201
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp source-address 10.10.12.17
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp thresholds successive-loss 2

 

set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp probe-type udp-ping
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp target address 10.10.12.13
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp probe-count 6
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp probe-interval 3
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp test-interval 3
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp destination-port 53201
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp source-address 10.10.12.14
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp thresholds successive-loss 5
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp thresholds total-loss 5

 

For traceoption configuration :

=======================

set services rpm traceoptions file RPM_status.txt
set services rpm traceoptions file size 10m
set services rpm traceoptions file files 24
set services rpm traceoptions file world-readable
set services rpm traceoptions flag all

 

 

RPM log as below:

==============

SRX1> show log RPM_status.txt
Sep 1 23:51:41 rmop_calc_jitter: rdiff: 4998925, sdiff: 5000898, jitter: -1973
Sep 1 23:51:42 received SIGCHLD, PID: 1789
Sep 1 23:51:42 RMOPD_SIGCHLD: Received SIGCHLD signal
Sep 1 23:51:42 waitpid() returned: No child processes
Sep 1 23:51:43 rmop_calc_jitter: rdiff: 5010840, sdiff: 5002035, jitter: 8805
Sep 1 23:51:46 rmop_calc_jitter: rdiff: 5054230, sdiff: 5003636, jitter: 50594
Sep 1 23:51:46 test_done: sent 5, test 0
Sep 1 23:51:46 PING_TEST_COMPLETED: pingCtlOwnerIndex = Probe5120d1Gw7065, pingCtlTestName = TestH5120d0
Sep 1 23:51:46 RTM_CHANGE gencfg for probe Probe5120d1Gw7065, test TestH5120d0 to state PASS
Sep 1 23:51:46 rmop_calc_jitter: rdiff: 5024705, sdiff: 5003303, jitter: 21402
Sep 1 23:51:46 test_done: sent 5, test 15
Sep 1 23:51:46 PING_TEST_COMPLETED: pingCtlOwnerIndex = Probe2aGw7065+4129, pingCtlTestName = Test2aGw7065
Sep 1 23:51:46 RTM_CHANGE gencfg for probe Probe2aGw7065+4129, test Test2aGw7065 to state PASS
Sep 1 23:51:48 rmop_calc_jitter: rdiff: 4999952, sdiff: 5000957, jitter: -1005
Sep 1 23:51:51 rmop_calc_jitter: rdiff: 4946028, sdiff: 5001119, jitter: -55091
Sep 1 23:51:51 rmop_calc_jitter: rdiff: 4996843, sdiff: 5001355, jitter: -4512
Sep 1 23:51:53 rmop_calc_jitter: rdiff: 5009813, sdiff: 5002119, jitter: 7694
Sep 1 23:51:53 test_done: sent 5, test 30
Sep 1 23:51:53 PING_TEST_COMPLETED: pingCtlOwnerIndex = Probe2aGw7065+4129, pingCtlTestName = Test2aGw4129
Sep 1 23:51:53 RTM_CHANGE gencfg for probe Probe2aGw7065+4129, test Test2aGw4129 to state PASS

 

I just want to get the RTT and jitter test results. How do I configure the traceoptions for that? Thanks a lot.
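What the trace log above actually contains can be pulled out programmatically. The following is an added example, not from the post: it parses the `rmop_calc_jitter` lines and the per-test `RTM_CHANGE ... to state` lines copied from the post's `show log RPM_status.txt`, summarises the jitter samples and flags any over a chosen limit. The rdiff/sdiff figures are consistent with microseconds over a 5-second probe interval, which is assumed here; the parser also verifies that each logged jitter equals rdiff minus sdiff. The trace file shows only this jitter arithmetic, not round-trip times; the CLI commands `show services rpm probe-results` and `show services rpm history-results` report RTT and jitter per probe directly.

```python
"""Extract jitter samples and test outcomes from an SRX rpm traceoptions log.

Added example, not from the post. Log lines are copied from the post's
'show log RPM_status.txt'. rmopd logs, per probe, the receive-side and
send-side interval differences (rdiff, sdiff) and jitter = rdiff - sdiff.
Units are assumed to be microseconds (values near 5,000,000 for a 5 s
interval). The PASS/FAIL state changes per test are parsed as well.
"""
import re
import statistics

RPM_LOG = """\
Sep 1 23:51:41 rmop_calc_jitter: rdiff: 4998925, sdiff: 5000898, jitter: -1973
Sep 1 23:51:42 received SIGCHLD, PID: 1789
Sep 1 23:51:42 RMOPD_SIGCHLD: Received SIGCHLD signal
Sep 1 23:51:42 waitpid() returned: No child processes
Sep 1 23:51:43 rmop_calc_jitter: rdiff: 5010840, sdiff: 5002035, jitter: 8805
Sep 1 23:51:46 rmop_calc_jitter: rdiff: 5054230, sdiff: 5003636, jitter: 50594
Sep 1 23:51:46 test_done: sent 5, test 0
Sep 1 23:51:46 PING_TEST_COMPLETED: pingCtlOwnerIndex = Probe5120d1Gw7065, pingCtlTestName = TestH5120d0
Sep 1 23:51:46 RTM_CHANGE gencfg for probe Probe5120d1Gw7065, test TestH5120d0 to state PASS
Sep 1 23:51:46 rmop_calc_jitter: rdiff: 5024705, sdiff: 5003303, jitter: 21402
Sep 1 23:51:46 test_done: sent 5, test 15
Sep 1 23:51:46 PING_TEST_COMPLETED: pingCtlOwnerIndex = Probe2aGw7065+4129, pingCtlTestName = Test2aGw7065
Sep 1 23:51:46 RTM_CHANGE gencfg for probe Probe2aGw7065+4129, test Test2aGw7065 to state PASS
Sep 1 23:51:48 rmop_calc_jitter: rdiff: 4999952, sdiff: 5000957, jitter: -1005
Sep 1 23:51:51 rmop_calc_jitter: rdiff: 4946028, sdiff: 5001119, jitter: -55091
Sep 1 23:51:51 rmop_calc_jitter: rdiff: 4996843, sdiff: 5001355, jitter: -4512
Sep 1 23:51:53 rmop_calc_jitter: rdiff: 5009813, sdiff: 5002119, jitter: 7694
Sep 1 23:51:53 test_done: sent 5, test 30
Sep 1 23:51:53 PING_TEST_COMPLETED: pingCtlOwnerIndex = Probe2aGw7065+4129, pingCtlTestName = Test2aGw4129
Sep 1 23:51:53 RTM_CHANGE gencfg for probe Probe2aGw7065+4129, test Test2aGw4129 to state PASS
"""

JITTER = re.compile(
    r"rmop_calc_jitter: rdiff: (?P<rdiff>-?\d+), sdiff: (?P<sdiff>-?\d+), "
    r"jitter: (?P<jitter>-?\d+)$"
)
RESULT = re.compile(
    r"RTM_CHANGE gencfg for probe (?P<probe>[^,]+), test (?P<test>\S+) "
    r"to state (?P<state>\w+)$"
)


def parse_rpm_log(text):
    """Return jitter samples (with rdiff/sdiff) and (probe, test, state) results."""
    samples, results = [], []
    for line in text.splitlines():
        m = JITTER.search(line)
        if m:
            samples.append({k: int(v) for k, v in m.groupdict().items()})
            continue
        m = RESULT.search(line)
        if m:
            results.append((m["probe"], m["test"], m["state"]))
    return {"samples": samples, "results": results}


def inconsistent_samples(samples):
    """Samples where the logged jitter is not rdiff - sdiff (none expected)."""
    return [s for s in samples if s["jitter"] != s["rdiff"] - s["sdiff"]]


def jitter_summary(samples):
    """Spread of the jitter samples; mean of absolute values is the usual metric."""
    values = [s["jitter"] for s in samples]
    mags = [abs(v) for v in values]
    return {"count": len(values), "min_us": min(values), "max_us": max(values),
            "mean_abs_us": statistics.fmean(mags), "max_abs_us": max(mags)}


def over_threshold(samples, limit_us):
    """Jitter values whose magnitude exceeds limit_us, in log order."""
    return [s["jitter"] for s in samples if abs(s["jitter"]) > limit_us]


def failed_tests(results):
    """(probe, test) pairs whose last logged state is not PASS."""
    last = {}
    for probe, test, state in results:
        last[(probe, test)] = state
    return sorted(k for k, v in last.items() if v != "PASS")


if __name__ == "__main__":
    parsed = parse_rpm_log(RPM_LOG)
    print(jitter_summary(parsed["samples"]))
    print("over 20 ms:", over_threshold(parsed["samples"], 20_000))
    print("failed tests:", failed_tests(parsed["results"]))
```

Because the `rmop_calc_jitter` lines carry no probe or test name, they cannot be attributed to a particular test when several run concurrently, which is one more reason to take RTT and jitter from the `probe-results` CLI output rather than from the trace file.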

Re: Public IP address for a server behind an SRX5800


Hi spuluka,

I need to do this for an arena that we look after. If I did have a "Public Zone" with external IPs, am I able to implement a bandwidth-limit policer?

KR
Baz


Re: DHCP Pool Exhaustion


Thanks for that reply; a rather odd thing for Juniper to overlook, right? :)

Re: Public IP address for a server behind an SRX5800


Yes, the bandwidth policer can be used in a setup where you have public IPs directly on the devices. There is no difference in that setup.

 
