8 years later and people are still searching for the same answers...
Re: SRX VPN uptime
I agree this is missing.
A workaround: if you do route-based VPN you can indirectly see the VPN uptime by looking at the age of the route via the st0.x interface. This of course requires that you don't have multiple tunnels with dynamic routing, to be sure that this number matches.
Example:
user@srx> show route 10.252.0.0
inet.0: 37 destinations, 37 routes (37 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.252.0.0/16      *[Static/5] 1w2d 10:01:57
                    > via st0.0
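The route age shown above can be turned into a number you can graph or alert on. Below is an added example, not code from the post above: a small Python parser that pulls the age of the active route behind each st0.x next hop out of "show route" output and converts it to seconds. The sample output is constructed to match the shape quoted, and the result carries the same caveat as the post: with several tunnels and dynamic routing, the age reflects the route, not necessarily the tunnel.

```python
import re

# Constructed sample of "show route" output in the shape quoted above (not captured
# from a real device): the age of the static route via st0.0 is a proxy for tunnel uptime.
SAMPLE_SHOW_ROUTE = """\
inet.0: 37 destinations, 37 routes (37 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.252.0.0/16      *[Static/5] 1w2d 10:01:57
                    > via st0.0
"""

# Junos prints route age as [<w>w][<d>d] HH:MM:SS, e.g. "1w2d 10:01:57" or "00:05:12".
AGE_RE = re.compile(r"(?:(\d+)w)?(?:(\d+)d)?\s*(\d{1,2}):(\d{2}):(\d{2})")
ROUTE_RE = re.compile(
    r"^(?P<prefix>\S+)\s+\*\[(?P<proto>\w+)/\d+\]\s+"
    r"(?P<age>(?:\d+w)?(?:\d+d)?\s*\d{1,2}:\d{2}:\d{2})"
)


def age_to_seconds(age: str) -> int:
    """Convert a Junos route age such as '1w2d 10:01:57' into seconds."""
    m = AGE_RE.fullmatch(age.strip())
    if not m:
        raise ValueError(f"unrecognised age: {age!r}")
    weeks, days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return ((weeks * 7 + days) * 24 + hours) * 3600 + minutes * 60 + seconds


def st0_route_ages(output: str) -> dict:
    """Map each st0.x next hop to (prefix, age_seconds) for the active routes in output."""
    ages = {}
    current = None  # (prefix, age) of the most recent active route line seen
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = (m.group("prefix"), age_to_seconds(m.group("age")))
            continue
        nh = re.search(r"via (st0\.\d+)", line)
        if nh and current:
            ages[nh.group(1)] = current
    return ages
```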
Re: Juniper SRX320 LTE Mini-PIM
Hi guys,
Does anyone know a way to access the router remotely on the LTE IP address?
I've tried a few different ways, but I can't work it out.
Thanks.
Regards.
Cristian
Re: I'm close to getting it, what is missing to get ping between two virtual routers connected by a virtual switch?
Thanks lpaniagua, but I had ignored that information; I had not put it there, only ping, but even putting it there it does not work for me. Thank you anyway, and in thanks I give it as a valid solution. Regards.
Question about Application hosting support for the MX and the SRX routers families
Hi experts!
I saw some posts about vMX and how it's deployed to allow Docker support for app hosting, and also the ones about the SRX family app hosting capabilities. However, I am not 100% clear whether the entire MX and SRX router families have support for app hosting via Docker or any other containers for hosting applications on the box itself.
Does the SRX/MX router family have that support?
I looked at the user guides, but apart from on-box Python scripting, I didn't see that there are options to allow application hosting...
If there is such support, can you please refer me to some documentation about it, so that I'll be able to educate my customers about this?
Thanks,
Tom
Re: Security policy place
I agree with @lpaniagua
Re: Question about Application hosting support for the MX and the SRX routers families
Hi tom,
Docker/App-hosting is not supported on physical SRXs nor in vSRX. This is supported on cSRX:
https://www.juniper.net/us/en/products-services/security/srx-series/csrx/
I was able to find a couple of guides in a quick search:
cSRX Deployment Guide for Contrail
cSRX Deployment Guide for Bare-Metal Linux Server
You might want to ask on the vSRX and vMX forums as well:
https://forums.juniper.net/t5/vMX/bd-p/vMX#
https://forums.juniper.net/t5/vSRX/bd-p/vGW
Hope this information helps you.
Re: traceoptions issue on physical interfaces of SRX345
Hi Ben Ben,
Based on my personal experience, interface traceoptions don't show the information you are looking for (interface flaps). I have tried them in the past and I was never able to get any useful info from those traces.
I just tried configuring them and it is still the same situation:
[edit]
root@jtac-SRX320-r006# show interfaces traceoptions
file INT_TRACES size 1g;

[edit]
root@jtac-SRX320-r006# show interfaces ge-0/0/2
traceoptions {
    flag all;
}
Results:
Disabled Interface ge-0/0/2:
Nov 20 14:00:38 jtac-SRX320-r006 clear-log[19183]: logfile cleared
Nov 20 14:01:03.110487 1846 dcd_ui.c:950 dcd_commit_check() INFO : Created child process with pid 19208
Nov 20 14:01:03.153954 1846 dcd.c:3233 run_daemon() INFO : Received SIGCHLD, collecting zombies.
Nov 20 14:01:03.154072 1846 dcd.c:3237 run_daemon() INFO : Child with pid 19208 exited
Nov 20 14:01:09.448646 1846 dcd.c:3246 run_daemon() INFO : Received SIGHUP, time to reparse.
Nov 20 14:01:16.209698 1846 dcd.c:3019 run_daemon() INFO : Pending config request now being serviced
Nov 20 14:01:20.770981 1846 usage.c:75 dcd_trace_times() INFO : Phase Usage for IDLE : user 0.000 s, sys 0.050 s, wall 194.314 s
Nov 20 14:01:20.771789 1846 dcd.c:726 dcd_new_phase() INFO : New phase is PRE_CONFIG
Nov 20 14:01:20.771852 1846 usage.c:75 dcd_trace_times() INFO : Static Config Read time measurements for dep delete : user 0.000 s, sys 0.000 s, wall 0.000 s
Nov 20 14:01:20.771897 1846 usage.c:75 dcd_trace_times() INFO : Static config read usage : user 0.000 s, sys 0.029 s, wall 4.562 s
Nov 20 14:01:20.772133 1846 usage.c:75 dcd_trace_times() INFO : Phase Usage for PRE_CONFIG : user 0.000 s, sys 0.000 s, wall 0.000 s
Nov 20 14:01:20.772184 1846 dcd.c:726 dcd_new_phase() INFO : New phase is CONFIG
Nov 20 14:01:20.775111 1846 usage.c:75 dcd_trace_times() INFO : Config db overlay usage : user 0.000 s, sys 0.002 s, wall 0.002 s
Nov 20 14:01:20.775250 1846 dcd.c:871 dcd_new_phase() INFO : dcd_new_phase:recover_type = 1, dcd_is_protocol_master = 1,sdb_state = 2,run_dynamic_db_diff = 0
Nov 20 14:01:20.775303 1846 dcd.c:878 dcd_new_phase() INFO : dcd_new_phase - Running db_diff on static db
Nov 20 14:01:20.781069 1846 usage.c:75 dcd_trace_times() INFO : Config static db diff usage : user 0.000 s, sys 0.005 s, wall 0.005 s
Nov 20 14:01:20.874804 1846 usage.c:75 dcd_trace_times() INFO : Config sync io : user 0.000 s, sys 0.016 s, wall 0.093 s
Nov 20 14:01:20.876398 1846 usage.c:75 dcd_trace_times() INFO : Config depenency cleanup usage : user 0.000 s, sys 0.000 s, wall 0.000 s
Nov 20 14:01:20.876506 1846 usage.c:75 dcd_trace_times() INFO : Phase Usage for CONFIG : user 0.000 s, sys 0.025 s, wall 0.104 s
Nov 20 14:01:20.876548 1846 dcd.c:726 dcd_new_phase() INFO : New phase is IDLE
Nov 20 14:01:20.881388 1846 dcd.c:3153 run_daemon() INFO : Going idle, 11 sync writes, 9 sync reads, 9 ifstate msgs, 9 ifstate reads, 9 async ifd msgs, 0 async rtb msgs, 0 async bd msgs, 0 async mesh group msgs, 109287 usec

Enabled interface ge-0/0/2:
Nov 20 14:03:04 jtac-SRX320-r006 clear-log[19251]: logfile cleared
Nov 20 14:03:14.020567 1846 dcd_ui.c:950 dcd_commit_check() INFO : Created child process with pid 19272
Nov 20 14:03:14.063730 1846 dcd.c:3233 run_daemon() INFO : Received SIGCHLD, collecting zombies.
Nov 20 14:03:14.064447 1846 dcd.c:3237 run_daemon() INFO : Child with pid 19272 exited
Nov 20 14:03:20.434990 1846 dcd.c:3246 run_daemon() INFO : Received SIGHUP, time to reparse.
Nov 20 14:03:27.179766 1846 dcd.c:3019 run_daemon() INFO : Pending config request now being serviced
Nov 20 14:03:32.917698 1846 usage.c:75 dcd_trace_times() INFO : Phase Usage for IDLE : user 0.000 s, sys 0.045 s, wall 132.041 s
Nov 20 14:03:32.920608 1846 dcd.c:726 dcd_new_phase() INFO : New phase is PRE_CONFIG
Nov 20 14:03:32.920676 1846 usage.c:75 dcd_trace_times() INFO : Static Config Read time measurements for dep delete : user 0.000 s, sys 0.000 s, wall 0.000 s
Nov 20 14:03:32.920722 1846 usage.c:75 dcd_trace_times() INFO : Static config read usage : user 0.000 s, sys 0.030 s, wall 5.740 s
Nov 20 14:03:32.922894 1846 usage.c:75 dcd_trace_times() INFO : Phase Usage for PRE_CONFIG : user 0.000 s, sys 0.000 s, wall 0.002 s
Nov 20 14:03:32.922971 1846 dcd.c:726 dcd_new_phase() INFO : New phase is CONFIG
Nov 20 14:03:32.929770 1846 usage.c:75 dcd_trace_times() INFO : Config db overlay usage : user 0.000 s, sys 0.002 s, wall 0.006 s
Nov 20 14:03:32.932002 1846 dcd.c:871 dcd_new_phase() INFO : dcd_new_phase:recover_type = 1, dcd_is_protocol_master = 1,sdb_state = 2,run_dynamic_db_diff = 0
Nov 20 14:03:32.932088 1846 dcd.c:878 dcd_new_phase() INFO : dcd_new_phase - Running db_diff on static db
Nov 20 14:03:32.945491 1846 usage.c:75 dcd_trace_times() INFO : Config static db diff usage : user 0.000 s, sys 0.005 s, wall 0.013 s
Nov 20 14:03:33.061790 1846 usage.c:75 dcd_trace_times() INFO : Config sync io : user 0.000 s, sys 0.017 s, wall 0.116 s
Nov 20 14:03:33.061897 1846 usage.c:75 dcd_trace_times() INFO : Config depenency cleanup usage : user 0.000 s, sys 0.000 s, wall 0.000 s
Nov 20 14:03:33.062003 1846 usage.c:75 dcd_trace_times() INFO : Phase Usage for CONFIG : user 0.000 s, sys 0.025 s, wall 0.139 s
Nov 20 14:03:33.062043 1846 dcd.c:726 dcd_new_phase() INFO : New phase is IDLE
Nov 20 14:03:33.067841 1846 dcd.c:3153 run_daemon() INFO : Going idle, 11 sync writes, 9 sync reads, 9 ifstate msgs, 9 ifstate reads, 9 async ifd msgs, 0 async rtb msgs, 0 async bd msgs, 0 async mesh group msgs, 145001 usec
In both scenarios the same type of logs were generated and didn't show much information. I'm using an SRX230 running 15.1X49-D180.
My suggestion would be to create a syslog file where you log only interface flaps:
# set system syslog file INT_FLAPS any any
# set system syslog file INT_FLAPS match (SNMP_TRAP_LINK_DOWN|SNMP_TRAP_LINK_UP)
Hope this helps you.
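Once a syslog file holds only the link traps, counting flaps per interface is a small parsing job. The following is an added example and not code from MROJAS's post: it reads constructed syslog lines in the shape Junos mib2d emits for SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP (the year is assumed to be 2019, since syslog timestamps carry none), and reports per-interface down counts plus how many down-to-up cycles completed within 60 seconds, which is the bouncing behaviour the traceoptions above never revealed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the shape Junos mib2d emits for link state traps
# (not captured from the SRX discussed above). Timestamps carry no year; 2019 is assumed.
SAMPLE_SYSLOG = """\
Nov 20 14:00:38 jtac-SRX320-r006 clear-log[19183]: logfile cleared
Nov 20 14:01:03 jtac-SRX320-r006 mib2d[1570]: SNMP_TRAP_LINK_DOWN: ifIndex 513, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/0/2
Nov 20 14:03:14 jtac-SRX320-r006 mib2d[1570]: SNMP_TRAP_LINK_UP: ifIndex 513, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/2
Nov 20 14:03:40 jtac-SRX320-r006 mib2d[1570]: SNMP_TRAP_LINK_DOWN: ifIndex 513, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/2
Nov 20 14:03:41 jtac-SRX320-r006 mib2d[1570]: SNMP_TRAP_LINK_UP: ifIndex 513, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/2
Nov 20 14:05:00 jtac-SRX320-r006 mib2d[1570]: SNMP_TRAP_LINK_DOWN: ifIndex 514, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/3
"""

# Client-side equivalent of the "match (SNMP_TRAP_LINK_DOWN|SNMP_TRAP_LINK_UP)" filter above.
TRAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ mib2d\[\d+\]: "
    r"(?P<event>SNMP_TRAP_LINK_(?:DOWN|UP)): .*?ifName (?P<ifname>\S+)$"
)


def parse_link_events(text: str, year: int = 2019) -> list:
    """Return (timestamp, event, ifname) for every link trap line, in file order."""
    events = []
    for line in text.splitlines():
        m = TRAP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["event"], m["ifname"]))
    return events


def flap_summary(events: list, window_seconds: int = 60) -> dict:
    """Per interface: number of DOWN events and how many DOWN->UP cycles were shorter
    than window_seconds (a quick bounce, rather than a deliberate disable/enable)."""
    summary = defaultdict(lambda: {"downs": 0, "short_flaps": 0})
    last_down = {}  # ifname -> timestamp of the DOWN still waiting for its UP
    for ts, event, ifname in events:
        if event == "SNMP_TRAP_LINK_DOWN":
            summary[ifname]["downs"] += 1
            last_down[ifname] = ts
        elif ifname in last_down:
            if (ts - last_down.pop(ifname)).total_seconds() < window_seconds:
                summary[ifname]["short_flaps"] += 1
    return dict(summary)
```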
Re: SRX 345 - interface monitors not working
Hi,
Did you experience the same problem while on the recommended code 18.2R3?
How are you recovering the interfaces when they dont come up?
It definitely sounds like a bug; I would suggest opening a ticket with JTAC if possible.
Re: Question about Application hosting support for the MX and the SRX routers families
thanks a lot for the info,
So just to make it clear: if I want to have an SRX that is programmable enough for me to host applications (I saw in the bare-metal Linux deployment guide that you can even have Docker support if needed), you cannot achieve that on the physical SRX device. What you need is a Linux host on which you install the cSRX application, and on top of that you can host applications to run alongside the cSRX. Is that correct?
Thanks again,
Tom
Re: Security policy place
You need security policies in both. Traffic is not allowed from one interface to another without being allowed by a policy.
Re: Question about Application hosting support for the MX and the SRX routers families
Yes, Docker/containers/app-hosting is not supported on physical SRXs. I'm not sure if the cSRX can be installed on an OS other than Linux, but you definitely can't do it on a physical SRX.
Hope it helps.
Re: traceoptions issue on physical interfaces of SRX345
Hi, MROJAS,
Your suggestion may be a solution if the file "INT_FLAPS" is just a copy of the system syslog file and does not move the wanted messages out of the system syslog. How can this be achieved?
We want to keep the whole system syslog file sending to syslog server; and just copy the wanted messages to the file "INT_FLAPS".
Thanks a lot
SRX WAN interface bandwidth limitation
Hi,
We have SRX210HE with Junos 11.4R10 version.
We have connected a 50 Mbps WAN link on the fe-0/0/6 interface, but the total interface bandwidth is
max 10 Mbps. There is no limitation configured on the interface.
Please suggest how to fix it. Is there any WAN interface bandwidth limitation matrix for branch SRX?
Regards,
Target..
Re: SRX WAN interface bandwidth limitation
Hello,
There is no chassis-wide nor port-based BW limitation in existence for Juniper SRX products.
Things to check:
1/ speed/duplex mismatch on fe-0/0/6
2/ whether fragmentation happens for the traffic going out of/coming into fe-0/0/6
3/ whether packet loss happens for the traffic going out of/coming into fe-0/0/6
4/ TCP MSS for the traffic going out of/coming into fe-0/0/6, reduce if necessary
HTH
Thx
Alex
Re: SRX WAN interface bandwidth limitation
Hi Alex,
There is no error on the interface, speed and duplex are correct, TCP-MSS is also correct.
Do I need to upgrade the Junos on the SRX? Will that help?
Regards,
Target
Re: SRX WAN interface bandwidth limitation
Hi,
As aarseniev suggested, I once had a problem with TCP-MSS on SRX devices when connected to an internet leased line. I changed the TCP-MSS and everything was fine; I started at 1350 and went up until I got good speed.
Re: SRX110 Best way to open internet ports for a single device
Hi Mark,
1) Isolate the public-facing server by moving them to different zones and write zone to zone restrictive policies based on application.
2) Configure in such a way that the client can access these servers from the LAN side but the servers can't access the clients.
3) If you have a lot of servers, like my case, you can connect all the servers to a private VLAN configured switch and Uplink the switch to the firewall, where the uplink is placed in the restrictive zone.
4) You can also write a policy stating that only trusted public IPs, that is the public IPs of your remote offices, can access my servers.
5) You can also add a geography-based restrictive policy, like only allowing traffic from the USA and not from China.
Problems with ICU upgrade of SRX cluster from version 15.1X49-D45 to version 15.1X49-D190.2
Hello,
I am trying to upgrade SRX340 devices in a chassis cluster using ICU, but I get the following message:
user@SRX340> request system software in-service-upgrade /var/tmp/junos-srxsme-15.1X49-D190.2-domestic.tgz no-sync
WARNING: Not enabled dual root partition on secondary node
ISSU not allowed
Can someone help me with this problem?
Thanks in advance
Javier
Re: SRX110 Best way to open internet ports for a single device
Hi,
The zone should contain either a logical interface (VLAN) or a physical port. In your configuration there is only one VLAN, and it is assigned to all ports except the internet-facing port.
1) create a Zone called device
set security zones security-zone device interfaces fe-0/0/07
2) set a policy to allow traffic from lan to device
set security policies from-zone lan to-zone device policy lantodevice description "allow traffic from lan to device "
set security policies from-zone lan to-zone device policy lantodevice match source-address any (here you can add your lan address if you want to restrict only some part of your lan need to access this device)
set security policies from-zone lan to-zone device policy lantodevice match destination-address any (here you can add your device address if you want)
set security policies from-zone lan to-zone device policy lantodevice match application any (here you can mention your required application, there are a lot of predefined application)
set security policies from-zone lan to-zone device policy lantodevice then permit
3) write a policy from device to lan
set security policies from-zone device to-zone lan policy devicetolan description "allow traffic from device to lan "
set security policies from-zone device to-zone lan policy devicetolan match source-address any (here you can add your device address )
set security policies from-zone device to-zone lan policy devicetolan match destination-address any (here you can add your lan address range if you want)
set security policies from-zone device to-zone lan policy devicetolan match application any (here you can mention your required application, there are a lot of predefined application and you can also create custom applications)
set security policies from-zone device to-zone lan policy devicetolan then permit
I think these steps will suffice, Please change according to your likings, please let me know if you need any help.