Channel: All SRX Services Gateway posts

Re: Cannot use Netflix from internal zone interface vlan.0, but YouTube is working!!!

Please see the config below:

 

system {
services {
ssh;
web-management {
https {
system-generated-certificate;
interface [ ge-0/0/1.0 ge-0/0/0.0 ];
}
session {
idle-timeout 60;
}
}
dhcp {
pool 10.0.10.0/24 {
address-range low 10.0.10.20 high 10.0.10.30;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
10.0.10.3;
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
file policy_session {
user info;
match RT_FLOW;
archive size 1000k world-readable;
structured-data;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server us.ntp.pool.org;
}
}
interfaces {
interface-range interfaces-vlan10 {
member-range ge-0/0/2 to ge-0/0/5;
unit 0 {
family ethernet-switching {
vlan {
members vlan-internal;
}
}
}
}
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.1.253/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.0.10.1/24;
}
}
}
ge-0/0/2 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
ge-0/0/3 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
ge-0/0/4 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
ge-0/0/5 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
vlan {
unit 0 {
family inet {
address 10.0.10.3/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1;
}
}
protocols {
stp;
}
security {
utm {
feature-profile {
web-filtering {
juniper-local {
profile junos-wf-local-default {
default permit;
}
}
juniper-enhanced {
profile junos-wf-enhanced-default {
category {
Enhanced_Streaming_Media {
action permit;
}
Enhanced_Internet_Radio_and_TV {
action permit;
}
Enhanced_Entertainment_Video {
action permit;
}
}
site-reputation-action {
very-safe permit;
moderately-safe permit;
fairly-safe permit;
suspicious permit;
harmful permit;
}
default permit;
}
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set vlan_srcnat {
from interface vlan.0;
to zone Internet;
rule vlan_srcnat_rule {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone Internal to-zone Internet {
policy internet_usage {
match {
source-address any-ipv4;
destination-address any-ipv4;
application [ junos-http junos-ssh junos-smtp junos-https junos-pop3 junos-ntp junos-imap junos-imaps junos-dns-udp junos-dns-tcp junos-icmp-ping junos-bgp ];
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy apple_google_sync {
match {
source-address any;
destination-address [ google1 google2 apple1 apple2 google3 ];
application [ tcp-5228 tcp-5223 tcp-8443 ];
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
}
zones {
security-zone Internal {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
https;
ssh;
}
}
}
vlan.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
ge-0/0/5.0;
}
}
security-zone Internet {
address-book {
address google1 64.233.166.188/32;
address google2 172.217.169.33/32;
address apple1 17.57.146.148/32;
address apple2 17.57.146.149/32;
address google3 74.125.71.188/32;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
https;
ssh;
}
}
}
}
}
}
}
applications {
application tcp-5228 protocol tcp;
application tcp-5223 {
protocol tcp;
destination-port 5223;
}
application tcp-8443 {
protocol tcp;
destination-port 8443;
}
}
vlans {
vlan-internal {
vlan-id 10;
l3-interface vlan.0;
}
}


Re: Cannot use Netflix from internal zone interface vlan.0, but YouTube is working!!!

You can remove ge-0/0/2 through ge-0/0/5 from security-zone Internal; these are Layer 2 interfaces. Your Layer 3 interface vlan.0 is already specified.

Is there a reason you've set MTU on those interfaces? Those settings drop the MTU from 1514 down to 1500 and are likely blocking large inbound packets.

For that matter, you can delete speed 1g, link-mode full-duplex, and gigether-options auto-negotiation, since auto-negotiation is on by default and these are all conflicting settings.
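The three recommendations in the reply above, turned into a check that can be run over a saved `show configuration` before committing. This is an added example, not Juniper tooling or the poster's configuration: the parser, the finding texts and SAMPLE_CONFIG are my own, and the parser assumes ordinary brace-format output.

```python
"""Lint a Junos brace-format config for the switch-port problems named in the
reply above: an explicit `mtu`, fixed `speed`/`link-mode` beside `auto-negotiation`,
and Layer 2 ports listed in a security zone next to the Layer 3 `vlan.0`."""
import re


def parse_junos(text):
    """Parse Junos brace syntax into nested {"st": [statements], "ch": {name: node}}.
    Splits on { } ; so quoted strings containing those characters are not handled."""
    root = {"st": [], "ch": {}}
    stack = [root]
    for chunk in re.findall(r"[^{};]*[{};]", text):
        body, delim = chunk[:-1].strip(), chunk[-1]
        if delim == "}":
            if len(stack) == 1:
                raise ValueError("closing brace without an open block")
            stack.pop()
        elif delim == "{":
            node = {"st": [], "ch": {}}
            stack[-1]["ch"][body] = node
            stack.append(node)
        else:
            stack[-1]["st"].append(body)
    if len(stack) != 1:
        raise ValueError("a block is left open at end of input")
    return root


def child(node, name):
    """Child block by name, or an empty block if absent."""
    return node["ch"].get(name, {"st": [], "ch": {}})


def is_switching(node):
    """True if any unit under the node carries family ethernet-switching."""
    return any(n.startswith("unit ") and "family ethernet-switching" in u["st"] + list(u["ch"])
               for n, u in node["ch"].items())


# member-range ge-0/0/2 to ge-0/0/5 -> prefix "ge-0/0/", low 2, high 5
_RANGE = re.compile(r"member-range (\S+?)(\d+) to \1(\d+)$")


def layer2_ports(interfaces):
    """Physical ports that are Layer 2, directly or through an interface-range."""
    l2 = set()
    for name, node in interfaces["ch"].items():
        if not is_switching(node):
            continue
        if name.startswith("interface-range "):
            for m in filter(None, map(_RANGE.match, node["st"])):
                lo, hi = int(m.group(2)), int(m.group(3))
                l2.update("%s%d" % (m.group(1), i) for i in range(lo, hi + 1))
        else:
            l2.add(name)
    return l2


def lint(config_text):
    """Return (interface, problem) tuples for the three checks in the reply."""
    tree = parse_junos(config_text)
    interfaces = child(tree, "interfaces")
    l2 = layer2_ports(interfaces)
    findings = []
    for port in sorted(l2):
        node = child(interfaces, port)
        if any(s.startswith("mtu ") for s in node["st"]):
            findings.append((port, "explicit mtu on an ethernet-switching port"))
        fixed = any(s.startswith(("speed ", "link-mode ")) for s in node["st"])
        if fixed and "auto-negotiation" in child(node, "gigether-options")["st"]:
            findings.append((port, "fixed speed/link-mode conflicts with auto-negotiation"))
    # Logical units of L2 ports do not belong in a zone; the L3 vlan.0 does.
    zones = child(child(tree, "security"), "zones")
    for zname, zone in zones["ch"].items():
        members = child(zone, "interfaces")
        for logical in list(members["st"]) + list(members["ch"]):
            if logical.split(".")[0] in l2:
                findings.append((logical, "layer 2 port listed in " + zname))
    return findings


# Constructed sample: the poster's L2 interface-range, one port with the flagged
# settings, the L3 vlan.0, and a zone that lists the L2 ports beside vlan.0.
SAMPLE_CONFIG = """
interfaces {
    interface-range interfaces-vlan10 {
        member-range ge-0/0/2 to ge-0/0/3;
        unit 0 { family ethernet-switching; }
    }
    ge-0/0/2 {
        speed 1g; mtu 1500; link-mode full-duplex;
        gigether-options { auto-negotiation; }
    }
    vlan { unit 0 { family inet { address 10.0.10.3/24; } } }
}
security { zones { security-zone Internal {
    interfaces { vlan.0; ge-0/0/2.0; ge-0/0/3.0; }
} } }
"""
```

`lint(SAMPLE_CONFIG)` reports the MTU and speed/link-mode conflicts on ge-0/0/2 and flags ge-0/0/2.0 and ge-0/0/3.0 in the zone, while vlan.0 passes.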

Re: Cannot use Netflix from internal zone interface vlan.0, but YouTube is working!!!

Thanks for your reply. I have committed the change as per your recommendation. The settings are as below now. Still no luck.

 

system {
services {
ssh;
web-management {
https {
system-generated-certificate;
interface [ ge-0/0/1.0 ge-0/0/0.0 ];
}
session {
idle-timeout 60;
}
}
dhcp {
pool 10.0.10.0/24 {
address-range low 10.0.10.20 high 10.0.10.30;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
10.0.10.3;
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
file policy_session {
user info;
match RT_FLOW;
archive size 1000k world-readable;
structured-data;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server us.ntp.pool.org;
}
}
interfaces {
interface-range interfaces-vlan10 {
member-range ge-0/0/2 to ge-0/0/5;
unit 0 {
family ethernet-switching {
vlan {
members vlan-internal;
}
}
}
}
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.1.253/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.0.10.1/24;
}
}
}
ge-0/0/2 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
ge-0/0/3 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
ge-0/0/4 {
description "internal switchport";
speed 1g;
mtu 1500;
link-mode full-duplex;
gigether-options {
auto-negotiation;
}
}
ge-0/0/5 {
description "internal switchport";
gigether-options {
auto-negotiation;
}
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan-internal;
}
}
}
}
vlan {
unit 0 {
family inet {
address 10.0.10.3/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1;
}
}
protocols {
stp;
}
security {
utm {
feature-profile {
web-filtering {
juniper-local {
profile junos-wf-local-default {
default permit;
}
}
juniper-enhanced {
profile junos-wf-enhanced-default {
category {
Enhanced_Streaming_Media {
action permit;
}
Enhanced_Internet_Radio_and_TV {
action permit;
}
Enhanced_Entertainment_Video {
action permit;
}
}
site-reputation-action {
very-safe permit;
moderately-safe permit;
fairly-safe permit;
suspicious permit;
harmful permit;
}
default permit;
}
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set vlan_srcnat {
from interface vlan.0;
to zone Internet;
rule vlan_srcnat_rule {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone Internal to-zone Internet {
policy internet_usage {
match {
source-address any-ipv4;
destination-address any-ipv4;
application [ junos-http junos-ssh junos-smtp junos-https junos-pop3 junos-ntp junos-imap junos-imaps junos-dns-udp junos-dns-tcp junos-icmp-ping junos-bgp ];
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy apple_google_sync {
match {
source-address any;
destination-address [ google1 google2 apple1 apple2 google3 ];
application [ tcp-5228 tcp-5223 tcp-8443 ];
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
}
zones {
security-zone Internal {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
https;
ssh;
}
}
}
vlan.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone Internet {
address-book {
address google1 64.233.166.188/32;
address google2 172.217.169.33/32;
address apple1 17.57.146.148/32;
address apple2 17.57.146.149/32;
address google3 74.125.71.188/32;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
https;
ssh;
}
}
}
}
}
}
}
applications {
application tcp-5228 protocol tcp;
application tcp-5223 {
protocol tcp;
destination-port 5223;
}
application tcp-8443 {
protocol tcp;
destination-port 8443;
}
}
vlans {
vlan-internal {
vlan-id 10;
l3-interface vlan.0;
}
}

Re: Cannot use Netflix from internal zone interface vlan.0, but YouTube is working!!!

You still have MTU settings on your switching interfaces.

Re: Cannot use Netflix from internal zone interface vlan.0, but YouTube is working!!!

It is working after removing all MTU settings. Many thanks. :D

Re: Juniper SRX cluster tagging issue

Your cluster looks fine and the configuration is already synced to node0. Your status command would show "CS" under monitor-failures if it wasn't.

For redundancy group (RG) 0 you will have to manually fall back via "request chassis cluster failover redundancy-group 0 node 0". Expect your SSH session to drop, but it will not affect operation.

If you change the priority for node0 on RG1 to a priority higher than 101, then preempt will automatically fail over RG1 from node1 to node0.

Re: enhanced Web Filtering with a scheduler

You need to tie it to the interfaces and security policies :)

KR
Adam 


Re: Juniper SRX cluster tagging issue

Dear Jason,

Thanks!

Actually these are remote devices, far away from my location.

What I am facing is that while trying to connect using

request routing-engine login node 0

from node 1, it prompts for credentials and no passwords are accepted! (I suspect the config is not yet synced at this point.)

I am daring to try #commit synchronize (I hope this will replicate the configuration from primary to secondary).

I don't have a local resource at the remote location to coordinate. To confirm any issue there, please advise me on this.

Thanks & Regards,

SS

 

 

Meaning of message: CID-0:RT:get NULL sess plugin info?

Hello all,

I'm troubleshooting an issue where some traffic is not successfully making it to a destination, and the only difference in the security flow logs between a working and a non-working flow is the presence of this message in the non-working flow; that said, an online search shows a lot of these messages in other people's traces as well, so it's probably not relevant. I've not been able to find any documentation explaining what it means, though -- does anyone know, or have any documentation about this?


CID-0:RT:get NULL sess plugin info 0x5a8305d8


and context:

Jan 14 17:02:57 17:02:56.927205:CID-0:RT:Installing s2c NP session wing
Jan 14 17:02:57 17:02:56.927205:CID-0:RT:get NULL sess plugin info 0x5a8305d8
Jan 14 17:02:57 17:02:56.927205:CID-0:RT:get NULL sess plugin info 0x5a8305d8
Jan 14 17:02:57 17:02:56.927205:CID-0:RT:get NULL sess plugin info 0x5a8305d8
Jan 14 17:02:57 17:02:56.927205:CID-0:RT:first path session installation succeeded

Re: Juniper SRX cluster tagging issue

Agreed that it indeed looks like something isn't properly synchronized.

As your configuration will keep node1 as primary for both RG0 and RG1 (node1 has the higher priority for RG1, and RG0 will never actively move to another node as long as the current one is operational), I see no problem in trying both a 'commit synchronize' and a 'commit full' and testing whether you can log in to node0.

Which Junos version is the cluster running?

Help with source NAT for home SRX

I'm trying to set up an SRX for a home ISP connection. I'm able to ping out from the SRX and can ping devices within the LAN, but can't get out from devices on the LAN. I'm pretty sure it's an issue with NAT but can't figure out what's wrong. It's an SRX300 on 18.2R3-S2.9.

 

nat {
    source {                            
        rule-set TRUST-to-UNTRUST {
            from zone TRUST;
            to zone UNTRUST;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}
policies {
    from-zone TRUST to-zone UNTRUST {
        policy TRUST-to-UNTRUST {
            match {
                source-address any;     
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}
zones {
    security-zone UNTRUST {
        screen SCREEN_UNTRUST;
        interfaces {
            ge-0/0/5.0 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                    }
                }                       
            }
        }
    }
    security-zone TRUST {
        interfaces {
            irb.100 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
}
xxx@srx-rtr1> show security nat source rule all    
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: source-nat-rule        Rule-set: TRUST-to-UNTRUST
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : TRUST
  To zone                    : UNTRUST
  Match
    Source addresses         : 0.0.0.0         - 255.255.255.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A              
    Persistent NAT mapping type : address-port-mapping 
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0

Re: Help with source NAT for home SRX

Hello there,

The output suggests that the NAT rule is not being hit. I would suggest you check whether the traffic is hitting the SRX on the correct interface.

You may want to configure flow traceoptions to see the flow:

# set security flow traceoptions file flow-trace
# set security flow traceoptions flag basic-datapath
# set security flow traceoptions packet-filter pf1 source-prefix <IP-1> destination-prefix <IP-2>
# set security flow traceoptions packet-filter pf2 source-prefix <IP-2> destination-prefix <IP-1>

To view the logs, use "show log flow-trace".

Thanks!

Re: Help with source NAT for home SRX

What is the vlan configuration where irb.100 is the layer 3 interface?

Is the computer trying internet access connected to a port in this same vlan?

Is the irb.100 interface address configured as the default gateway for the computer and is it in the same subnet?

Is DNS configured on the computer?

Does the irb.100 interface show up/up?

 

packet loss and high response time for some computers through VPN tunnel between SRX100 and Palo Alto firewall

We are experiencing strange behavior on a VPN tunnel between an SRX100 and a Palo Alto firewall. The SRX firewall is in a branch and the Palo Alto firewall is in HO. Some users behind the SRX are complaining of packet loss and high response times when pinging the server behind the Palo Alto. Please see the ping results.

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>ping 172.30.3.70

Pinging 172.30.3.70 with 32 bytes of data:
Reply from 172.30.3.70: bytes=32 time=193ms TTL=126
Request timed out.
Request timed out.
Reply from 172.30.3.70: bytes=32 time=185ms TTL=126

Ping statistics for 172.30.3.70:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 185ms, Maximum = 193ms, Average = 189ms

C:\Users\Administrator>ping 172.30.3.71

Pinging 172.30.3.71 with 32 bytes of data:
Reply from 172.30.3.71: bytes=32 time=2ms TTL=126
Reply from 172.30.3.71: bytes=32 time=2ms TTL=126
Reply from 172.30.3.71: bytes=32 time=3ms TTL=126

Ping statistics for 172.30.3.71:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms
Control-C
^C
C:\Users\Administrator>ping 172.30.3.73

Pinging 172.30.3.73 with 32 bytes of data:
Reply from 172.30.3.73: bytes=32 time=2ms TTL=126
Reply from 172.30.3.73: bytes=32 time=2ms TTL=126
Reply from 172.30.3.73: bytes=32 time=7ms TTL=126
Reply from 172.30.3.73: bytes=32 time=3ms TTL=126

Ping statistics for 172.30.3.73:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 7ms, Average = 3ms

C:\Users\Administrator>

C:\Users\Administrator>ping 172.30.3.74

Pinging 172.30.3.74 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 172.30.3.74: bytes=32 time=184ms TTL=126
Reply from 172.30.3.74: bytes=32 time=184ms TTL=126

Ping statistics for 172.30.3.74:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 184ms, Maximum = 184ms, Average = 184ms

C:\Users\Administrator>ping 172.30.3.75

Pinging 172.30.3.75 with 32 bytes of data:
Reply from 172.30.3.75: bytes=32 time=2ms TTL=126
Reply from 172.30.3.75: bytes=32 time=2ms TTL=126
Reply from 172.30.3.75: bytes=32 time=2ms TTL=126
Reply from 172.30.3.75: bytes=32 time=3ms TTL=126

Ping statistics for 172.30.3.75:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms

C:\Users\Administrator>ping 172.30.3.82

Pinging 172.30.3.82 with 32 bytes of data:
Reply from 172.30.3.82: bytes=32 time=185ms TTL=126
Reply from 172.30.3.82: bytes=32 time=185ms TTL=126
Reply from 172.30.3.82: bytes=32 time=184ms TTL=126
Reply from 172.30.3.82: bytes=32 time=185ms TTL=126

Ping statistics for 172.30.3.82:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 184ms, Maximum = 185ms, Average = 184ms

C:\Users\Administrator>ping 172.30.3.83

Pinging 172.30.3.83 with 32 bytes of data:
Reply from 172.30.3.83: bytes=32 time=3ms TTL=126
Reply from 172.30.3.83: bytes=32 time=2ms TTL=126
Reply from 172.30.3.83: bytes=32 time=3ms TTL=126
Reply from 172.30.3.83: bytes=32 time=3ms TTL=126

Ping statistics for 172.30.3.83:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms

C:\Users\Administrator>ping 172.30.3.94

Pinging 172.30.3.94 with 32 bytes of data:
Reply from 172.30.3.94: bytes=32 time=184ms TTL=126
Reply from 172.30.3.94: bytes=32 time=185ms TTL=126
Request timed out.
Request timed out.

Ping statistics for 172.30.3.94:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 184ms, Maximum = 185ms, Average = 184ms

 

for example, ping from server 172.16.0.135 to client 172.30.3.70 is showing packet loss and high response time but at the same time, ping from server 172.16.0.135 to client 172.30.3.71 is not showing packet loss.

 

Can anyone help me to solve the issue?

 

 


Re: packet loss and high response time for some computers through VPN tunnel between SRX100 and Palo Alto firewall

My SRX configuration:

 

set version 12.1X44-D36
set system host-name BOOKSTALL
set system root-authentication encrypted-password 
set system services ssh
set system services dns dns-proxy interface vlan.0
set system services dns dns-proxy default-domain * forwarders 8.8.8.8
set system services dns dns-proxy default-domain * forwarders 208.67.220.220
set system services dns dns-proxy default-domain mpp.com forwarders 172.16.0.130
set system services web-management http interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members book-lan
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members book-cctv
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members book-lan
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members book-lan
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members book-lan
set interfaces pp0 unit 0 apply-macro bsnl-ffth
set interfaces pp0 unit 0 ppp-options chap default-chap-secret ""
set interfaces pp0 unit 0 ppp-options chap local-name ""
set interfaces pp0 unit 0 ppp-options chap no-rfc2486
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 ppp-options pap local-name ""
set interfaces pp0 unit 0 ppp-options pap no-rfc2486
set interfaces pp0 unit 0 ppp-options pap local-password ""
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 5
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 172.30.3.66/27
set interfaces vlan unit 0 family inet address 172.30.3.65/27
set interfaces vlan unit 1 family inet filter input output-limit
set interfaces vlan unit 1 family inet filter output output-limit
set interfaces vlan unit 1 family inet address 172.30.3.225/28
set routing-options static route 172.16.0.0/16 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 172.18.0.0/16 next-hop st0.0
set routing-options static route 10.10.0.0/16 next-hop st0.0
set security ike policy delhi mode main
set security ike policy delhi proposal-set standard
set security ike policy delhi pre-shared-key ascii-text ""
set security ike gateway ike-delhi ike-policy delhi
set security ike gateway ike-delhi address x.x.x.x
set security ike gateway ike-delhi external-interface pp0
set security ipsec policy delhivpn proposal-set standard
set security ipsec vpn ike-delhi bind-interface st0.0
set security ipsec vpn ike-delhi ike gateway ike-delhi
set security ipsec vpn ike-delhi ike ipsec-policy delhivpn
set security ipsec vpn ike-delhi establish-tunnels immediately
set security flow tcp-mss all-tcp mss 1350
set security flow tcp-mss ipsec-vpn mss 1350
set security nat source rule-set lan-untrust from zone trust
set security nat source rule-set lan-untrust to zone untrust
set security nat source rule-set lan-untrust rule lan-untrust match source-address 0.0.0.0/0
set security nat source rule-set lan-untrust rule lan-untrust match destination-address 0.0.0.0/0
set security nat source rule-set lan-untrust rule lan-untrust then source-nat interface
set security nat source rule-set cctv-untrust from zone cctv
set security nat source rule-set cctv-untrust to zone untrust
set security nat source rule-set cctv-untrust rule cctv-untrust match source-address 0.0.0.0/0
set security nat source rule-set cctv-untrust rule cctv-untrust match destination-address 0.0.0.0/0
set security nat source rule-set cctv-untrust rule cctv-untrust then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone vpn to-zone trust policy vpn-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-trust then permit
set security policies from-zone trust to-zone vpn policy trust-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-vpn then permit
set security policies from-zone cctv to-zone untrust policy cctv-to-untrust match source-address any
set security policies from-zone cctv to-zone untrust policy cctv-to-untrust match destination-address any
set security policies from-zone cctv to-zone untrust policy cctv-to-untrust match application any
set security policies from-zone cctv to-zone untrust policy cctv-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set security zones security-zone cctv host-inbound-traffic system-services all
set security zones security-zone cctv host-inbound-traffic protocols all
set security zones security-zone cctv interfaces vlan.1
set firewall family inet filter output-limit term 0 from source-address 0.0.0.0/0
set firewall family inet filter output-limit term 0 then policer policer-5mb
set firewall family inet filter output-limit term 0 then accept
set firewall policer policer-5mb if-exceeding bandwidth-limit 5m
set firewall policer policer-5mb if-exceeding burst-size-limit 625k
set firewall policer policer-5mb then discard
set vlans book-cctv vlan-id 3
set vlans book-cctv l3-interface vlan.1
set vlans book-lan vlan-id 2
set vlans book-lan l3-interface vlan.0

Re: Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist.

Hi,

It looks like some configuration is missing on the device, which is causing the validation to fail:
UTM Daemon: Anti-spam feature needs AS type configuration:
UTM Daemon: "set security utm default-configuration anti-spam type ..."
Please add the anti-spam type to the configuration, then try again and update us.

While doing the validation, the device checks for the anti-spam type, and since it cannot find it, the validation fails.
Looking forward to your response.

Thanks and Regards,
Guru Prasad

Re: Juniper SRX cluster tagging issue

Dear Jonas,

Thanks for your support!

I am using the following model and IOS:

Model: srx650
JUNOS Software Release [12.1X46-D50.4]

I am pretty sure both IOS are the same. Unfortunately, when I am trying to #commit synchronize it's not communicating with the secondary node (node 0). As we discussed, everything related to the cluster seems fine! Attaching the files.

Thanks and Regards,

SS

[SRX550, 12.1X44] issue when test failover

Hello,

I think I encountered an issue when doing a failover test.

My first scenario is to shut down/disable interface 3/1/3 in CS-A.

The result of "show chassis cluster status" is as expected, but ping to 1.1.1.137 is RTO.

I kindly need your assistance on how to make 1.1.1.137 reachable when SRX-A is down.

My configuration file is attached.

Regards,

Bram

Is virtual channel bandwidth shared among interfaces?

If I apply the same VC group (virtual-channel-groups) to multiple interfaces, do they share shaper bandwidth? Or maybe shaper quotas are separate for every one of the interfaces? Or maybe this is configurable? (vc-shared-scheduler maybe?) Can't find a doc on this…

virtual-channel-groups {
    A_vcg {
        1_vc {
            scheduler-map CoS_scheduler-map;
            shaping-rate 20m;
        }
….
interfaces {
    ge-0/0/1 {
        unit 1 {
            virtual-channel-group A_vcg;
        }
        unit 2 {
            virtual-channel-group A_vcg;
        }
        unit 3 {
            virtual-channel-group A_vcg;
        }

Does this 20m of shaper bandwidth get shared among ge-0/0/1.1, ge-0/0/1.2 and ge-0/0/1.3, or do they have 20m each?

Kind regards,

Pawel Mazurkiewicz

 
