Channel: All SRX Services Gateway posts

Re: snapshot commands difference

Hi F1gh3r,

Thanks for your reply.

I have checked on an SRX550 and you are right, the behaviour is the same as on the SRX345.

Regarding the process below:

Formatting alternate root (/dev/da0s1a)...
Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes)
The following filesystems were archived: /dev/da0s2a' to '/dev/da0s1a,

I guess the current version resides on the da0s2a storage and da0s1a is a backup partition. Are both storages compact flash?

Regards,


SRX jsrpd log messages

Hello,

Has anyone come across this kind of issue?

Jan 14 12:47:16  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'primary' to 'secondary-hold' state due to Monitor failed: IF
Jan 14 12:47:16  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 3 transitioned from 'primary' to 'secondary-hold' state due to Monitor failed: IF
Jan 14 12:47:17  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'secondary-hold' to 'secondary' state due to Back to back failover interval expired
Jan 14 12:47:17  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 3 transitioned from 'secondary-hold' to 'secondary' state due to Back to back failover interval expired
Jan 14 13:11:16  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'secondary' to 'primary' state due to Remote yield (1/0)
Jan 14 13:14:59  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 3 transitioned from 'secondary' to 'primary' state due to Remote node is in secondary hold
Jan 14 13:42:20  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'primary' to 'secondary-hold' state due to Monitor failed: IF
Jan 14 13:42:20  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 3 transitioned from 'primary' to 'secondary-hold' state due to Monitor failed: IF
Jan 14 13:42:21  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'secondary-hold' to 'secondary' state due to Back to back failover interval expired
Jan 14 13:42:21  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 3 transitioned from 'secondary-hold' to 'secondary' state due to Back to back failover interval expired
Jan 14 17:29:58  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'secondary' to 'primary' state due to Remote yield (1/0)
Jan 14 17:41:46  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 3 transitioned from 'secondary' to 'primary' state due to Remote yield (1/0)

 

I searched Google for this but found only this article, which I am not sure is related to my issue:

https://puck.nether.net/pipermail/juniper-nsp/2014-May/028884.html

I'm also seeing FPC CPU spikes to 100%. Might the above log messages be related to the FPC spikes?

Jan 14 12:31:36  SUP-FW-SRX650B PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 9 PIC 0 CPU utilization exceeds threshold, current value=96
Jan 14 12:31:50  SUP-FW-SRX650B PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 9 PIC 0 CPU utilization exceeds threshold, current value=91
Jan 14 12:31:56  SUP-FW-SRX650B PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 9 PIC 0 CPU utilization exceeds threshold, current value=87
Jan 14 12:32:08  SUP-FW-SRX650B PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 9 PIC 0 CPU utilization exceeds threshold, current value=87
Jan 14 12:32:10  SUP-FW-SRX650B PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 9 PIC 0 CPU utilization exceeds threshold, current value=86

{primary:node1}
admin@SUP-FW-SRX650B> show security monitoring fpc 0    
node0:
--------------------------------------------------------------------------
FPC 0
  PIC 0
    CPU utilization          :   51 %
    Memory utilization       :   76 %
    Current flow session     : 29571
    Current flow session IPv4: 29571
    Current flow session IPv6:    0
    Max flow session         : 524288
Total Session Creation Per Second (for last 96 seconds on average): 1314
IPv4  Session Creation Per Second (for last 96 seconds on average): 1314
IPv6  Session Creation Per Second (for last 96 seconds on average):    0

node1:
--------------------------------------------------------------------------
FPC 0
  PIC 0
    CPU utilization          :    1 %
    Memory utilization       :   76 %
    Current flow session     : 34668
    Current flow session IPv4: 34668
    Current flow session IPv6:    0
    Max flow session         : 524288
Total Session Creation Per Second (for last 96 seconds on average): 1306
IPv4  Session Creation Per Second (for last 96 seconds on average): 1306
IPv6  Session Creation Per Second (for last 96 seconds on average):    0

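The two message types quoted in the post can be correlated mechanically. The script below is an added example, not code from the thread or from Juniper: it parses JSRPD_RG_STATE_CHANGE and RTPERF_CPU_THRESHOLD_EXCEEDED lines, reports every transition out of 'primary' per redundancy group (the 'secondary-hold' to 'secondary' line is only the hold timer expiring, not a second failover), flags groups that lost primary twice within an hour, and lists the CPU-threshold alarms seen in the half hour before each loss. The sample lines are constructed from the excerpt above; the year, the one-hour flap window and the 30-minute lookback are assumptions, since syslog carries no year and the thread sets no thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog excerpt in the post above.
SAMPLE_LOG = """\
Jan 14 12:31:36  SUP-FW-SRX650B PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 9 PIC 0 CPU utilization exceeds threshold, current value=96
Jan 14 12:31:50  SUP-FW-SRX650B PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 9 PIC 0 CPU utilization exceeds threshold, current value=91
Jan 14 12:47:16  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'primary' to 'secondary-hold' state due to Monitor failed: IF
Jan 14 12:47:16  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 3 transitioned from 'primary' to 'secondary-hold' state due to Monitor failed: IF
Jan 14 12:47:17  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'secondary-hold' to 'secondary' state due to Back to back failover interval expired
Jan 14 13:11:16  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'secondary' to 'primary' state due to Remote yield (1/0)
Jan 14 13:42:20  SUP-FW-SRX650B jsrpd[1323]: JSRPD_RG_STATE_CHANGE: Redundancy-group 2 transitioned from 'primary' to 'secondary-hold' state due to Monitor failed: IF
"""

# Syslog prefix: "Mon DD HH:MM:SS  hostname " (one or more spaces before the host).
STAMP = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) +(?P<host>\S+) "
RG_RE = re.compile(STAMP + r"jsrpd\[\d+\]: JSRPD_RG_STATE_CHANGE: Redundancy-group (?P<rg>\d+) "
                   r"transitioned from '(?P<old>[^']+)' to '(?P<new>[^']+)' state due to (?P<reason>.+)$")
CPU_RE = re.compile(STAMP + r"PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC (?P<fpc>\d+) PIC (?P<pic>\d+) "
                    r"CPU utilization exceeds threshold, current value=(?P<val>\d+)$")


def _ts(stamp, year):
    """Syslog timestamps carry no year; the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def parse_events(text, year=2019):
    """Parse both message types into one time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            events.append({"kind": "rg", "ts": _ts(m["ts"], year), "host": m["host"],
                           "rg": int(m["rg"]), "old": m["old"], "new": m["new"],
                           "reason": m["reason"].strip()})
            continue
        m = CPU_RE.match(line)
        if m:
            events.append({"kind": "cpu", "ts": _ts(m["ts"], year), "host": m["host"],
                           "fpc": int(m["fpc"]), "pic": int(m["pic"]), "value": int(m["val"])})
    events.sort(key=lambda e: e["ts"])  # stable: same-second lines keep file order
    return events


def primary_losses(events):
    """Transitions out of 'primary': the moments this node stopped forwarding
    for the group. 'secondary-hold' -> 'secondary' is only the hold timer expiring."""
    return [e for e in events if e["kind"] == "rg" and e["old"] == "primary"]


def flapping_groups(events, window=timedelta(hours=1), threshold=2):
    """Redundancy groups that lost primary `threshold` times inside `window`."""
    by_rg = defaultdict(list)
    for e in primary_losses(events):
        by_rg[e["rg"]].append(e["ts"])
    flapping = set()
    for rg, stamps in by_rg.items():
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flapping.add(rg)
                break
    return flapping


def cpu_alarms_before(events, when, lookback=timedelta(minutes=30)):
    """CPU-threshold alarms raised in the `lookback` period ending at `when`."""
    return [e for e in events if e["kind"] == "cpu" and when - lookback <= e["ts"] <= when]


def summarize(text, year=2019):
    """One row per primary loss: (time, RG, reason, #CPU alarms before, peak CPU %)."""
    events = parse_events(text, year)
    rows = []
    for e in primary_losses(events):
        cpu = cpu_alarms_before(events, e["ts"])
        peak = max((c["value"] for c in cpu), default=None)
        rows.append((e["ts"].strftime("%b %d %H:%M:%S"), e["rg"], e["reason"], len(cpu), peak))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    print("flapping groups:", flapping_groups(parse_events(SAMPLE_LOG)))
```

Run against the full `messages` file rather than the excerpt; a reason other than "Monitor failed: IF" (for example a control-link or fabric-link monitor) would point somewhere other than the reth member links, and CPU alarms clustered just before each loss support the poster's suspicion that the two symptoms are linked.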
Meaning of message: CID-0:RT:get NULL sess plugin info?

Hello all,

I'm troubleshooting an issue of some traffic not successfully making it to a destination, and the only difference in the security flow logs between a working and a non-working flow is the presence of this message in the non-working flow; that said, an online search shows a lot of these messages in other people's traces as well, so it's probably not relevant. I've not been able to find any documentation explaining what it means, though -- does anyone know, or have any documentation about this?


CID-0:RT:get NULL sess plugin info 0x5a8305d8


and context:

Jan 14 17:02:57 17:02:56.927205:CID-0:RT:Installing s2c NP session wing
Jan 14 17:02:57 17:02:56.927205:CID-0:RT:get NULL sess plugin info 0x5a8305d8
Jan 14 17:02:57 17:02:56.927205:CID-0:RT:get NULL sess plugin info 0x5a8305d8
Jan 14 17:02:57 17:02:56.927205:CID-0:RT:get NULL sess plugin info 0x5a8305d8
Jan 14 17:02:57 17:02:56.927205:CID-0:RT:first path session installation succeeded

Re: Issue with setting up network admin Auth via. ldap/NPS

Hi HJH,

Can you share the switch and NPS config?

  • vSRX - did you configure source-address? If your NPS logging is correctly set, you can see errors if the source-address does not match what is set on NPS. Without source-address specified, Junos might use a different IP depending on your configuration:
    ex3400vc> show configuration system radius-server
    192.168.0.1 {
        port 1812;
        secret "$9$1encryptedpasswordhere"; ## SECRET-DATA
        source-address 10.1.1.1;
    }
  • vSRX - make sure your secret does not include special characters; keep it simple at first, like Password123, to test
  • NPS - show what you have set in Connection Request Policies and Network Policies
  • NPS - the most important Network Policies setting is the Vendor-Specific attribute, which needs to match your vSRX login user remote so that it is mapped to super-user (default)

Hope that helps

Re: snapshot commands difference

Hi CP1,

Correct, da0s2a is the primary and da0s1a is the backup. These are just partitions, which are stored on the physical internal CompactFlash card. So if the CompactFlash card is faulty, both partitions are faulty as well.

Re: SRX jsrpd log messages

Hi Abed Al-R,

These messages indicate failover events that happened between the SRX cluster nodes; the jsrpd process handles the chassis cluster events. When one node is rebooting, it performs a failover to the secondary node in order to avoid loss of connectivity. That is the high-availability method used by SRX, and these logs are generated.

Please check whether the nodes were rebooted or crashed recently and troubleshoot the reason for that. As you mentioned, CPU is high; that could be resulting in an issue with the cluster.

If there are any core files, it is better to log a TAC case to have them analyzed.

Hope this helps.

Regards,
-r.


SRX chassis cluster - DHCP server does not work

Hello,

I configured a DHCP server on a chassis cluster (SRX340) but it doesn't work. Here's my configuration:

root@SRX1# show system services dhcp-local-server 
group office {
    interface reth0.10;
}

address-assignment {
    pool office {
        family inet {
            network 192.168.4.0/24;
            range range1 {
                low 192.168.4.20;
                high 192.168.4.253;
            }
            dhcp-attributes {
                name-server {
                    192.168.4.1;
                }
                router {
                    192.168.4.1;
                }
                propagate-settings reth0.10;
            }
        }
    }
}

root@SRX1# show security zones security-zone trust
interfaces {
    reth0.10 {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                traceroute;
                dhcp;
            }
        }
    }
    st0.1;
    st0.2;
}

root@SRX1# show interfaces reth0
vlan-tagging;
redundant-ether-options {
    redundancy-group 1;
    minimum-links 1;
    lacp {
        passive;
        periodic fast;
    }
}
unit 10 {
    vlan-id 10;
    family inet {
        address X.X.X.X/24;
        address 192.168.4.1/24;
    }
}
unit 666 {
    vlan-id 666;
    family inet {
        address 10.10.10.1/24;
    }
}

I configured traceoptions to see the traffic:

root@SRX1# show security flow traceoptions 
file dhcp1.log;
flag all;
packet-filter pf1 {
    destination-port 68;
}
packet-filter pf2 {
    destination-port 67;
}

Jan 15 15:24:05 15:24:05.089933:CID-2:RT:<0.0.0.0/68->255.255.255.255/67;17,0x0> matched filter pf2:
Jan 15 15:24:05 15:24:05.089933:CID-2:RT:packet [328] ipid = 15780, @0x5ee7d324
Jan 15 15:24:05 15:24:05.089933:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x5ee7d100, rtbl_idx = 0
Jan 15 15:24:05 15:24:05.089933:CID-2:RT: flow process pak fast ifl 71 in_ifp reth0.10
Jan 15 15:24:05 15:24:05.089933:CID-2:RT:pkt info: 0.0.0.0(68) -> 255.255.255.255(67), 17, flags (0x1000)
Jan 15 15:24:05 15:24:05.089933:CID-2:RT:Received pkt on non-active link of reth/vsd (reth0.10/1)
Jan 15 15:24:05 15:24:05.089933:CID-2:RT:flow_proc_rc: -1.
Jan 15 15:24:05 15:24:05.089933:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
Jan 15 15:24:05 15:24:05.089059:CID-1:RT:<0.0.0.0/68->255.255.255.255/67;17,0x0> matched filter pf2:
Jan 15 15:24:05 15:24:05.089059:CID-1:RT:packet [328] ipid = 15780, @0x5ebeda24
Jan 15 15:24:05 15:24:05.089059:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x5ebed800, rtbl_idx = 0
Jan 15 15:24:05 15:24:05.089059:CID-1:RT: flow process pak fast ifl 71 in_ifp reth0.10
Jan 15 15:24:05 15:24:05.089059:CID-1:RT: find flow: table 0x53f2ac0, hash 42465(0xffff), sa 0.0.0.0, da 255.255.255.255, sp 68, dp 67, proto 17, tok 7, conn-tag 0x00000000
Jan 15 15:24:05 15:24:05.089059:CID-1:RT:check self-traffic on reth0.10, in_tunnel 0x0
Jan 15 15:24:05 15:24:05.089059:CID-1:RT:retcode: 0xc02
Jan 15 15:24:05 15:24:05.089059:CID-1:RT:pak_for_self : proto 17, dst port 67, action 0x2
Jan 15 15:24:05 15:24:05.089059:CID-1:RT:insert usp tag for apps
Jan 15 15:24:05 15:24:05.089059:CID-1:RT:  flow bypass session.
Jan 15 15:24:05 15:24:05.089059:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Jan 15 15:25:30 15:25:30.635069:CID-1:RT:<0.0.0.0/68->255.255.255.255/67;17,0x0> matched filter pf2:
Jan 15 15:25:30 15:25:30.635069:CID-1:RT:packet [328] ipid = 15783, @0x5ebf0d24
Jan 15 15:25:30 15:25:30.635069:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x5ebf0b00, rtbl_idx = 0
Jan 15 15:25:30 15:25:30.635069:CID-1:RT: flow process pak fast ifl 71 in_ifp reth0.10
Jan 15 15:25:30 15:25:30.635069:CID-1:RT: find flow: table 0x53f2ac0, hash 42465(0xffff), sa 0.0.0.0, da 255.255.255.255, sp 68, dp 67, proto 17, tok 7, conn-tag 0x00000000
Jan 15 15:25:30 15:25:30.635069:CID-1:RT:check self-traffic on reth0.10, in_tunnel 0x0
Jan 15 15:25:30 15:25:30.635069:CID-1:RT:retcode: 0xc02
Jan 15 15:25:30 15:25:30.635069:CID-1:RT:pak_for_self : proto 17, dst port 67, action 0x2
Jan 15 15:25:30 15:25:30.635069:CID-1:RT:insert usp tag for apps
Jan 15 15:25:30 15:25:30.635069:CID-1:RT:  flow bypass session.
Jan 15 15:25:30 15:25:30.635069:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Jan 15 15:25:31 15:25:31.930980:CID-1:RT:<0.0.0.0/68->255.255.255.255/67;17,0x0> matched filter pf2:
Jan 15 15:25:31 15:25:31.930980:CID-1:RT:packet [328] ipid = 15784, @0x5ec003a4
Jan 15 15:25:31 15:25:31.930980:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x5ec00180, rtbl_idx = 0
Jan 15 15:25:31 15:25:31.930980:CID-1:RT: flow process pak fast ifl 71 in_ifp reth0.10
Jan 15 15:25:31 15:25:31.930980:CID-1:RT: find flow: table 0x53f2ac0, hash 42465(0xffff), sa 0.0.0.0, da 255.255.255.255, sp 68, dp 67, proto 17, tok 7, conn-tag 0x00000000

 

Clearly, there is some DHCP traffic coming to the SRX, but the end client doesn't get any IP address from the DHCP pool.

Re: SRX jsrpd log messages

Hi,

Thanks for your reply.

But both nodes were not rebooted.

Both are up all the time.

I checked the uptime and it is OK on both cluster members.

I have three reth interfaces, and those logs show only on two reths: reth2 and reth3, as described above.

So it must be something else; maybe only the reth failed? What could be the reason for this?


Question re Migrating DMZ from Old Router to New SRX General Advice

Greetings,

  • We have an old EdgeRouter that we're upgrading to an SRX.
  • We have a mid-size network with 100 workstations and 20 servers; some servers are public facing.
  • We have a split-view DNS system for public WAN and private LAN queries.
  • We're migrating to a new IP block for the SRX.
  • We're trying to make this migration a seamless one with very little downtime.

We're documenting and testing as much as we can think of, but what are we not thinking about?

Does anyone have experience in migrating from an older system to a new one and doing IP address migrations?

What have you done in your experience to make sure your transition was a smooth one?

What other advice can you recommend?

Thank you.

SRX Internet Failover setup

Hi all,

I am not sure if an RPM-based failover can be achieved in such a static setup. The scenario is as follows:

Subnets A to G are internal and go through ISP link 1. There is a Zscalerredirect filter applied to the LAN interface of the firewall that picks these internal subnets and causes them to take exit point (ISP link 1) as per the custom routing table to traverse to Zscaler.

Subnets H to L are public subnets and go through ISP link 2. There is a Publicredirect filter that causes these subnets to take exit point (ISP link 2) as per the custom routing table to direct egress to the internet. (This filter is NOT applied to the LAN interface of the firewall.) The internal and public subnets are in the same major class network, i.e. 10.0.0.0/8.

In both these routing tables the exit hop to ISP Link 1 and ISP Link 2 is set up as below:

Routing table Internal
primary exit path >>> ISP Link 1
backup exit path >>> ISP Link 2

Routing table Public
primary exit path >>> ISP Link 2
backup exit path >>> ISP Link 1

Is there a way to achieve automatic failover using RPM / ip-monitoring probes, provided that there are static routing tables already set up for these two different classes of INTERNAL and PUBLIC subnets?

Note: there is dynamic routing protocol used; the setup of routing table entries is all static.

The physical setup is very typical, as below:
Single LAN connection on a gig interface of the firewall, and ISP link 1 on port 1 and ISP link 2 on port 2 respectively.

Re: SRX chassis cluster - DHCP server does not work

I see some dropped DHCP packets:

root@SRX1# run show dhcp server statistics    
Packets dropped:
    Total                      193
    No available addresses     193

Offer Delay:
    DELAYED                    0
    INPROGRESS                 0
    TOTAL                      0

Messages received:
    BOOTREQUEST                193
    DHCPDECLINE                0
    DHCPDISCOVER               193
    DHCPINFORM                 0
    DHCPRELEASE                0
    DHCPREQUEST                0
    DHCPLEASEQUERY             0
    DHCPBULKLEASEQUERY         0

Messages sent:
    BOOTREPLY                  0
    DHCPOFFER                  0
    DHCPACK                    0
    DHCPNAK                    0        
    DHCPFORCERENEW             0        
    DHCPLEASEUNASSIGNED        0        
    DHCPLEASEUNKNOWN           0        
    DHCPLEASEACTIVE            0        
    DHCPLEASEQUERYDONE         0        

Re: SRX chassis cluster - DHCP server does not work

Hello,

Please remove this line from your config:

               propagate-settings reth0.10;

This is for scenarios when you have a DHCP client on the untrust interface and you want your trust-zone clients to have the same DNS/WINS etc. settings.

HTH

Thx

Alex

Re: SRX chassis cluster - DHCP server does not work

Your DHCP pool will only be matched for the primary IP address on the interface. In this case I suspect your X.X.X.X/24 is the primary address... and you don't have a DHCP pool for this prefix.

Try configuring 192.168.4.1/24 as the primary address on reth0.10:

set interfaces reth0 unit 10 family inet address 192.168.4.1/24 primary

Let us know if this solves your issue.
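The rule in this reply (the local server picks the pool that contains the unit's primary address) is easy to check offline before committing. The script below is an added example, not code from the thread or from Juniper: it parses a set-format rendering of the poster's hierarchy, works out the primary address of reth0.10 (the address flagged `primary`, otherwise the numerically lowest address on the unit, which is Junos's documented default and is assumed here), and reports which pool, if any, covers it. The masked X.X.X.X public address is stood in for by 192.0.2.1, a documentation-range address chosen to sort below 192.168.4.1 so the "before" case reproduces the symptom.

```python
import ipaddress
import re

# Constructed set-format rendering of the hierarchy in the question.
# 192.0.2.1 stands in for the masked public address X.X.X.X.
BEFORE = """\
set interfaces reth0 unit 10 family inet address 192.0.2.1/24
set interfaces reth0 unit 10 family inet address 192.168.4.1/24
set access address-assignment pool office family inet network 192.168.4.0/24
set access address-assignment pool office family inet range range1 low 192.168.4.20
set access address-assignment pool office family inet range range1 high 192.168.4.253
set system services dhcp-local-server group office interface reth0.10
"""
# The fix proposed in the reply: flag the pool-side address as primary.
AFTER = BEFORE.replace("address 192.168.4.1/24\n", "address 192.168.4.1/24 primary\n")

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)( primary)?$")
POOL_RE = re.compile(r"^set access address-assignment pool (\S+) family inet network (\S+)$")
SERVER_RE = re.compile(r"^set system services dhcp-local-server group \S+ interface (\S+)$")


def parse_config(text):
    """Collect per-unit addresses (with primary flag), pool networks, and the
    logical interfaces bound to the DHCP local server."""
    ifaces, pools, served = {}, {}, set()
    for line in text.splitlines():
        if m := ADDR_RE.match(line):
            ifl = f"{m[1]}.{m[2]}"
            ifaces.setdefault(ifl, []).append((ipaddress.ip_interface(m[3]), m[4] is not None))
        elif m := POOL_RE.match(line):
            pools[m[1]] = ipaddress.ip_network(m[2])
        elif m := SERVER_RE.match(line):
            served.add(m[1])
    return ifaces, pools, served


def primary_address(addrs):
    """The address flagged 'primary' wins; otherwise the numerically lowest
    address on the unit (Junos's documented default, assumed here)."""
    flagged = [a for a, is_primary in addrs if is_primary]
    return flagged[0] if flagged else min((a for a, _ in addrs), key=lambda a: a.ip)


def pool_for_interface(cfg, ifl):
    """Return (pool name or None, explanation) for the pool the local server
    would hand leases from on this logical interface."""
    ifaces, pools, served = cfg
    if ifl not in served:
        return None, f"{ifl} is not bound to dhcp-local-server"
    prim = primary_address(ifaces[ifl])
    for name, net in pools.items():
        if prim.ip in net:
            return name, f"primary address {prim.ip} lies in pool {name} ({net})"
    return None, f"no pool covers primary address {prim.ip}; clients get no offers"


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, pool_for_interface(parse_config(text), "reth0.10"))
```

The "before" case is exactly the counter pattern shown earlier in the thread: DHCPDISCOVER counted, every one dropped as "No available addresses", nothing sent.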


Re: Question re Migrating DMZ from Old Router to New SRX General Advice

Hi A.Vanson,

Some points I consider important:

  • It is important you understand every feature configured on the old router and, if possible, test the functionality of the same features in the SRX before performing the swap. Having the SRX working in a lab environment simulating the production environment will give you a very good idea of how the firewall will be working after the change.

  • Always have a rollback plan, meaning that if you performed the swap and the SRX is not working as expected, you could always replace it with the old router until further testing is done on the SRX.

  • You can migrate the router configuration to the SRX using the old public addresses, and take advantage of the "replace pattern" command on the SRX to replace the old public addresses with the new ones. Pay special attention to NAT/Proxy-ARP configurations, if there are any, because they will be affected the most.

  • I am assuming that when you say "split-view DNS" you mean that you host a public-facing DNS server that will also be contacted by your internal hosts, always on its public address. Make sure you understand how the SRX needs to be configured in order to have this working. Maybe you need to implement some sort of hairpinning NAT? https://kb.juniper.net/InfoCenter/index?page=content&id=KB24639


Re: Bad (SMB) performance one way through IPSEC VPN

Hi.

Did you manage to solve this?


Store a prefix-list in a file and reference it instead of storing full prefix-list in configuration?

Hi folks,

Is there a way to store or reference a file that has a list of prefixes, which I can reference in the configuration but not store in the configuration?

The idea here is that I want to create a whitelist based on a GeoIP database and block everything outside of the whitelist. The Geo block I'm concerned about is 65-70,000 prefixes. I don't want to store that in my config, but I'd like to reference a file that stores this. There are a few other network vendors that provide this capability, but I'm not sure if Junos allows for a pointer to a text file like this.

Just to be clear, I'm not asking about merging the configuration. I want to keep this separate so the config doesn't grow so large that it's a pain to read.

The next question: how many entries are supported on an SRX300 for a prefix-list? That might ultimately be another limiting factor.

I script all this today on my Linux hosts, referencing an ipset in iptables to block a lot of the countries I don't do business with. It's a sledgehammer approach, but works for what I need. I want to take this a step further and block the traffic before it even gets on the 'trust' zone of the network.

All I need is plain old Junos firewall rules (stateless) applied to the ingress interface as a prefix-list. That is what I'm ultimately trying to accomplish, but I didn't know if Junos has a feature to reference a file for the prefix-list.

Thanks,

-J
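Whatever the per-platform prefix-list limit turns out to be, the entry count can usually be cut before the list reaches the box, because GeoIP exports contain duplicate, contained and adjacent prefixes. The script below is an added example, not code from the thread or from Juniper: it reads a prefix file (comments and blank lines tolerated), collapses each address family into the smallest equivalent set of prefixes with the standard library's `ipaddress.collapse_addresses`, verifies that every original prefix is still covered, and renders the result as `set policy-options prefix-list` lines. The sample file and the list name GEO-ALLOW are constructed for the example.

```python
import ipaddress

# Constructed sample of an allow-list file as a GeoIP export might produce:
# overlapping, adjacent and duplicate prefixes, plus a comment line.
SAMPLE_FILE = """\
# country XX
203.0.113.0/25
203.0.113.128/25
203.0.113.0/24
198.51.100.0/24
198.51.100.64/26
192.0.2.0/25
192.0.2.0/25
2001:db8::/32
"""


def read_prefixes(text):
    """Parse one prefix per line into separate IPv4 and IPv6 lists.
    strict=False accepts host bits set, e.g. '10.1.2.3/24'."""
    v4, v6 = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def collapse(nets):
    """Merge duplicates, contained and adjacent prefixes into the smallest
    equivalent set; the matched address space is unchanged, only the count drops.
    collapse_addresses() requires a single address family, hence the split above."""
    return list(ipaddress.collapse_addresses(nets))


def covers_same(original, merged):
    """Deployment sanity check: every original prefix still lies inside the merged set."""
    return all(any(o.subnet_of(m) for m in merged if m.version == o.version) for o in original)


def to_set_commands(name, nets):
    """Render as set-format lines, ready for 'load set' or 'load replace'."""
    return [f"set policy-options prefix-list {name} {n}" for n in nets]


def build(text, name="GEO-ALLOW"):
    """Return (merged prefixes, set commands) for a prefix file's contents."""
    v4, v6 = read_prefixes(text)
    merged = collapse(v4) + collapse(v6)
    if not covers_same(v4 + v6, merged):
        raise ValueError("collapsed set does not cover the original prefixes")
    return merged, to_set_commands(name, merged)


if __name__ == "__main__":
    merged, commands = build(SAMPLE_FILE)
    original = sum(map(len, read_prefixes(SAMPLE_FILE)))
    print(f"{original} entries collapsed to {len(merged)}")
    print("\n".join(commands))
```

The eight constructed entries collapse to four. On a real export the reduction varies by country, and a prefix-list only becomes a drop rule once it is referenced from a stateless filter term on the ingress interface; the collapse step is what keeps that list, and the commit time, small.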

Re: Question re Migrating DMZ from Old Router to New SRX General Advice

Thanks for your reply, @epaniagua.

In order to do this in a gradual manner, by changing our DNS first before moving completely to the new router, is this feasible?

NEW IP from Internet --> SRX --> Static Route from SRX to old router --> DMZ

If so, how do we handle return traffic to the requesting IP?

Thank you for your assistance.
