Channel: All SRX Services Gateway posts

Re: Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors


Hi Egert,

 

Just going by the log provided from the switch, it's pretty interesting that the switch sees the VRRP packet as an IPsec packet and tries to decapsulate it, which fails.
1. This is a VRRP packet destined to 224.0.0.18, so it should just switch it unless it is also running VRRP.
2. The IP protocol found by the switch seems to be "prot=51", which is for AH. The VRRP packet should have IP proto 112 in it.

Just took a quick packet capture on one of the vSRXs in my lab and I could see it using the correct protocol number in the VRRP packet.

I wonder if the packet is getting read incorrectly by the intermediate device in question.

Let us know if you find out the solution. It does not appear to be a VRRP device issue.

 

Thanks,

Kinshuk

 


Re: web filtering categories are inconsistent / make work


What is the complete error message being logged when the site is blocked and when it is allowed (in the session log)?

I wonder if the issue is related to a specific IP address that is getting denied due to category or site reputation score.

This link describes how the SRX gets the category / reputation score of a site and then takes action as configured.

As per the link, Websense ThreatSeeker Cloud (TSC) returns both category and reputation score, so maybe you can try reporting this to TSC if you believe the site is getting an incorrect category.

 

Hope it helps!

 

 

Re: How Syslog works in VPN


You will need an interface IP address on the Juniper that is included across the VPN to reach the syslog server.

 

Once you have a valid address you can test this using a ping sourced from that interface:

ping 1.1.1.1 interface ge-0/0/0.0

 

and then also configure your syslog stanza to use that IP address as the source:

set system syslog source-address 2.2.2.2

 

Re: SRX340 19.4R1 Firmware upgrade issue


Hi Adam,

I have upgraded from the ex-factory firmware version, 15.1X49-D150.2.

The firmware upgraded in the J-Web UI interface without any issue.

Now I have rolled back the SRX340 to the 15.1X49-D150.2 firmware version, and everything is back to normal.

 

 

Best Regards

Matthew Ho

Re: Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors


Hello,

 

VRRP for IPv4 uses IPsec AH to authenticate packets, see https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/vrrp-authentication-for-ipv4-configuring-qfx-series.html

 

 


Egert wrote:

Some VLANs cross switches that are not mine to manage and I have received a notice stating that my LAN IP (VRRP logical IP) is generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors on the switch log. VRRP itself is working as expected, router A is master and B is backup.

 

 

 

Someone managing these VLANs has hijacked Your router IP 10.0.1.253 && also decided to use VRRP but his/her password is not same as Yours, thankfully. Please ask for packet capture as suggested by other poster, and look for src MAC.

I hope You are not using common words such as "password123" for Your VRRP authentication, otherwise You'd end up having Your traffic sent to the wrong router :)

 

HTH

Thx

Alex
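The AH encapsulation Alex describes, shown as an added example (not code from this thread or from Juniper): a small Python parser that distinguishes plain VRRP (IP protocol 112) from VRRP authenticated with AH (IP protocol 51, which is what the switch reports as prot=51) and pulls the SPI and VRID out of the packet. The packet builders, addresses and SPI value are constructed for illustration; IP checksums and the AH ICV are left zeroed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_AH = 51      # IPsec Authentication Header
IPPROTO_VRRP = 112   # VRRP rides directly on IP when no AH authentication is used
VRRP_MCAST = "224.0.0.18"

@dataclass
class VrrpView:
    outer_proto: int          # IP protocol an intermediate switch would see
    ah_spi: Optional[int]     # SPI from the AH header, if present
    vrid: Optional[int]       # VRRP router ID, if a VRRP advertisement was found
    priority: Optional[int]
    dst: str

def _ip(s: str) -> bytes: return bytes(int(x) for x in s.split("."))

def classify(pkt: bytes) -> VrrpView:
    """Report whether an IPv4 packet is plain VRRP (proto 112) or VRRP inside AH (proto 51)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = ".".join(str(b) for b in pkt[16:20])
    body, spi = pkt[ihl:], None
    if proto == IPPROTO_AH:
        next_hdr, pay_len = body[0], body[1]
        spi = struct.unpack("!I", body[4:8])[0]
        ah_len = (pay_len + 2) * 4          # RFC 4302: AH length in 32-bit words, minus 2
        if next_hdr != IPPROTO_VRRP:
            return VrrpView(proto, spi, None, None, dst)
        body = body[ah_len:]
    elif proto != IPPROTO_VRRP:
        return VrrpView(proto, None, None, None, dst)
    # VRRPv2 advertisement: byte 0 = version<<4 | type, byte 1 = VRID, byte 2 = priority
    return VrrpView(proto, spi, body[1], body[2], dst)

# Constructed sample packets (not a real capture): IPv4 header with checksum left 0.
def build_ipv4(proto: int, payload: bytes, src: str = "10.0.1.1", dst: str = VRRP_MCAST) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255,
                      proto, 0, _ip(src), _ip(dst))
    return hdr + payload

def build_vrrp_adv(vrid: int, priority: int, vip: str = "10.0.1.253") -> bytes:
    # version 2, type 1 (advertisement), one VIP, auth type 0, interval 1s, checksum 0
    return struct.pack("!BBBBBBH", 0x21, vrid, priority, 1, 0, 1, 0) + _ip(vip) + b"\x00" * 8

def build_ah(spi: int, seq: int, inner: bytes, icv: bytes = b"\x00" * 12) -> bytes:
    pay_len = (12 + len(icv)) // 4 - 2       # fixed AH header (12 bytes) + ICV, in words, minus 2
    return struct.pack("!BBHII", IPPROTO_VRRP, pay_len, 0, spi, seq) + icv + inner
```

Running classify() over a capture taken on the shared VLAN shows at a glance whether the advertisement that the switch complains about is AH-wrapped VRRP, and which VRID and SPI it carries.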

Re: SRX340 19.4R1 Firmware upgrade issue


Hi Vikas,

 

Just to clarify, the JTAC recommended release for the SRX340 is currently 18.2R3, not 18.4R3... but your comment about why use 19.4 is still very valid :-)

 

@Matthew: I have an SRX300 installed via USB via Junos 19.3R1 and just upgraded to 19.4R1. There the Zone-overview works as expected. The same goes for an SRX340 which has been incrementally upgraded from 15.1X49 to 19.4R1 via every major release since 18.2 and zone overview still works (15.1X49 -> 18.2 -> 18.3 -> 18.4 -> 19.1 -> 19.2 -> 19.3 -> 19.4).

 

Please note that upgrading directly from 15.1X49 to 19.4 is not officially supported. A maximum of 3 major releases is supported, meaning you would have to go via a couple of intermediate releases. Alternately you can do a clean USB installation of Junos 19.4R1 and try again.

 

But as Vikas asks: Any specific reason to go for Junos 19.4R1? If you intend to use J-web I understand your decision. There are some performance upgrades in 19.3R1 and even more in 19.4R1.

 

/Jonas

Re: Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors


I don't really think that there are some duplicate IPs on that specific VLAN. However I found something that I would like to clarify. When I set the VRRP authentication-key with md5, should the secret data be identical on both routers?

 

For example if I set "Test1234":

Router A: $9$78NsgGUHm5FiktuB1hcwY2gGD

Router B: $9$AHBLt1EleWx-wM8JGji.mBIRElK

 

On the other hand VRRP comes up as backup on router B; if the password were wrong then both would be active, correct?


SRX300 Web Gui Unusable Disk Full


When trying to access our firewall through the web GUI we are faced with this error

 

"J-Web is unable to access user information as the device file system is full. Please clear the storage from CLI using (request system storage cleanup) to continue with J-web access."

 

I don't want to start randomly deleting stuff, is there a normal culprit that I can start with?

 

Model: srx300
Junos: 15.1X49-D130.6
JUNOS Software Release [15.1X49-D130.6]

 

I've noticed a 200MB package file in /cf/packages1; not sure if this was from the last update and can be removed, as it's the current firmware version.

 

A search using WinSCP has revealed 4 files larger than 50MB, shown in the attached screenshot.

Thanks,

bgp manual path selection for source address

I have configured ECMP-method BGP with two ISPs for internet uplink on a Juniper SRX. I need to route some source IPs via a single path (ISP1); if that link is down, those IPs should send data via the secondary ISP (ISP2). Kindly advise.

 
 
 
 

Re: bgp manual path selection for source address


Hi Suresh,

 

The question is not clear to me. Do you want ECMP or primary and secondary links to the ISPs?

 

Please refer following link and confirm if this is what you are looking for:

 

http://www.mustbegeek.com/configure-dual-isp-link-failover-in-juniper-srx/#.XhYP6Px7mUk

 

Or do you want to leverage the BGP multipath multiple-AS feature for ECMP:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/bgp-multipath.html

 

PS: Please mark my response as solution if it answers your query. Kudos are appreciated too!

 

Thanks

Vishal

Re: sp-0/0/0 port question

Anyone know how to disable this or do something to exclude the sp- port?

snapshot commands difference


Hi, 

 

For SRX550:

 

What is the difference between "request system snapshot slice alternate" & "request system snapshot media internal"?

 

I think:

media internal - backs up the OS on the internal flash.

slice alternate - writes the OS to the alternate disk partition.

 

Thank you. 

 

 

Re: snapshot commands difference


Hello CP1,

 

I just have an SRX345, but I think the behavior is the same as the SRX550. When you have a look at the following website:

 

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/request-system-snapshot-partition.html

 

"media internal" is the default option. When you execute this without the "slice alternate" option, you can see this:

 

> request system snapshot media internal
node0:
--------------------------------------------------------------------------
error: Cannot snapshot to current boot device

 

So you need the "slice alternate" option to make a snapshot to the backup partition, which is not in use:

 

> request system snapshot slice alternate
node0:
--------------------------------------------------------------------------
Formatting alternate root (/dev/da0s1a)...
Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes)
The following filesystems were archived: /


Re: How to block the 'psiphon' application in juniper srx ?


Hi,

Are there any modifications to the signature to block this on version 15.1xx or 18.x?

 

 

Routing Instance NAT


Hi All,

 

I am trying to work through a scenario, and I've read some documentation/forum posts to help troubleshoot what I'm attempting to do but haven't gotten very far. 

 

I have a subnet, let's call it subnet A, that is routable over link A; however, in order to test a specific scenario (this needs to be permanent), I need to route this over link B.

 

The setup:

 

  • Configure routing instance B, containing link B
  • Leave link A in the default/master routing instance
  • Subnet A is routed over link A and link B via BGP
  • Set up a DNAT (subnet B) and put the pool (containing subnet A) in routing instance B:

    pool pool-dst-nat {
        routing-instance {
            B;
        }
        address 10.10.10.1/32;
    }
    rule-set dnat-1 {
        from zone trust;
        rule 1 {
            match {
                destination-address 10.20.20.1/32;
            }
            then {
                destination-nat {
                    pool {
                        pool-dst-nat;
                    }
                }
            }
        }
    }

 

This way, routing instance B only has the route for subnet A over link B.

The default/master routing-instance only has the route for the DNAT address to routing instance B. 

 

However, when implemented in my lab, traffic to subnet A over link A is working correctly, but I can't get traffic destined for the DNAT to even hit the rule. I suspect I have a knowledge gap when trying to DNAT between routing instances. Can anyone provide some assistance? Let me know if my description above is too confusing, I'm happy to provide some more info. 

 

Re: Routing Instance NAT


Sorry everyone, this is user error. I was trying to test via traffic generated from the device itself, which was causing me some issues. I was able to resolve it by moving my testing to an uplinked server and adjusting my rules/routing accordingly. Thank you.

Re: How do you boot from usb from => mode?


I ran into this issue today.

 

I ran "bootd" and it started fine. After 5 sec, press "space" at => to get to "loader>" mode.

Once in loader mode, I ran the "boot -s" command.

 

You will end up at following prompt:

Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

You have 10 sec to enter 'recovery', else restart the process.

 

Then I ended up at root>. You can optionally reset the root password or install a new image or whatever you wanted.

 

HTH

Z

 

Re: SRX340 19.4R1 Firmware upgrade issue


Hi Vikas, Jonas.

Thank you so much for your advice! I have reloaded R18.4R3 and now everything is back to normal.

Thanks again!!

 

Actually, I have no intention to upgrade the firmware to R19.4R1; however, when I click "Support -> SRX Series" and select SRX340, the Juniper portal page displays the "19.4R1 firmware" for download, with the description box "SRX300 & SRX500 - Series".

 

Anyway, your help and support is highly appreciated.

Best Regards

Matthew Ho

 
