Channel: All SRX Services Gateway posts

Re: Question about policy logging locally on SRX345


Thanks for the information, but what about the accepted traffic logs? I'm not seeing them there. I had seen another forum note about the path to the file not being mapped properly, but I can't find info on how to confirm that.

 

If I use the webui I can get one working, but I then need to make some edits to filter the data.


Re: Help with source NAT for home SRX


Thanks for all the replies. It turned out I used the wrong DHCP attribute for the default gateway: I should have used "router" instead of "server-identifier". I was getting DHCP settings but never looked closer to check for the default gateway.

Re: Question about policy logging locally on SRX345


Could you confirm that the deny security policy has "log session-init" set? This is required to generate the deny log.

 

Re: Address books SRX


Typically you will create the address and address-set objects under the zone hierarchy.  

The top level is for the global zone.

 

set security zones security-zone trust address-book address admin-cable 192.168.3.10/32

set security zones security-zone trust address-book address-set permit-admins address admin-cable
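
The following is an added, constructed example (not configuration from either of the replies above) that ties the two threads together: the zone-scoped address objects from this reply are consumed by a permit policy and a catch-all deny policy, both logging with session-init as the logging reply requires, and the resulting RT_FLOW_SESSION events are kept in a local file. The untrust zone, the dmz-web address (203.0.113.10), the policy names, the junos-https application match and the traffic-log file name are assumptions for illustration.

```junos
## Constructed example: zone address book + logging policies + local traffic log

## Address objects live under the zone they are used from (as in the reply above);
## address-sets group them for use in policies.
set security zones security-zone trust address-book address admin-cable 192.168.3.10/32
set security zones security-zone trust address-book address-set permit-admins address admin-cable
set security zones security-zone untrust address-book address dmz-web 203.0.113.10/32   ## assumed target

## Permit policy: log at session start AND close, so accepted traffic shows up as
## RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE.
set security policies from-zone trust to-zone untrust policy allow-admins match source-address permit-admins
set security policies from-zone trust to-zone untrust policy allow-admins match destination-address dmz-web
set security policies from-zone trust to-zone untrust policy allow-admins match application junos-https
set security policies from-zone trust to-zone untrust policy allow-admins then permit
set security policies from-zone trust to-zone untrust policy allow-admins then log session-init
set security policies from-zone trust to-zone untrust policy allow-admins then log session-close

## Deny policy: a denied flow never becomes a session, so only session-init can fire;
## without it there is no RT_FLOW_SESSION_DENY at all.
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init

## Keep the traffic logs on the box: event mode sends them through the local syslog
## process, and a dedicated file (assumed name traffic-log) catches just the flow events.
set security log mode event
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
## Optional: keep the same events out of the general messages file.
set system syslog file messages match "!(RT_FLOW_SESSION)"

## Verification after commit:
##   show security policies policy-name allow-admins detail   (shows the log flags)
##   show log traffic-log | match RT_FLOW_SESSION_DENY
##   show log traffic-log | match RT_FLOW_SESSION_CREATE
```

If accepted sessions still do not appear while denies do, check the permit policy first: `log session-init` and `log session-close` are per-policy, and a permit policy without them produces nothing, however the syslog file is configured.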

 

Re: [SRX550, 12.1X44] issue when test failover


The cluster looks correct when failing over.

When the reth interfaces switch over they issue a GARP to take control of the reth IP address.

Can you verify the MAC address moves to the associated port on both swb and cs b during the switchover event?

 

Juniper SRX650 HA sync issue


Dear Friends,

 

I have an SRX650 which is in HA; the cluster status is showing fine (PFA). But while committing the configuration it is not syncing the config with the secondary device.

Note:

1. Node 1 is primary and node 0 is secondary, since node 0 was down for a long time due to a hardware failure and we fixed the issue. After that the cluster status seems ok, but the configuration is not synced yet.

2. What could be the possible reasons? (When node 0 went down it properly switched to the secondary.)

 

Attached details

 

Thanks & Regards,

SS

Re: Juniper SRX650 HA sync issue

Hello, please provide additional info, what error do you see?

Re: Juniper SRX650 HA sync issue


Hello,

 

Yes, cluster status seems ok. There could be a few reasons for this.

 

> Can you please check if there are any licenses on node1 which are missing on node0 "show system licenses"

> Any scripts on node1 you use which are not present on node0 - ls /var/db/scripts/

 

> How do you know the config is not synchronized? 

> Did you do a "show configuration | count" from both nodes and match the number of lines?

 

> Btw if there are no changes to commit it will not show the other node in the commit output

> Did you ensure there are changes to commit "show | compare"

> Output of "commit | display detail" will help

 

Regards,

 

Vikas



Re: Juniper SRX650 HA sync issue


Dear Friends,

 

Thanks For your reply.

1. These devices are sitting in a remote location and I don't have physical access to the devices / there is no local engineer to support me.

I am trying to figure out everything remotely if possible.

2. Node 0 hardware went faulty; at that time it switched to node 1 and everything was fine. (We changed the root password and added/deleted some VPN users after node 0 went down; apart from that there is no major change we made on node 1 (now the primary).)

3. Once we replaced the faulty power unit (we didn't even touch the cabling since it is plug and play) we tried to connect to node 0 using "request routing-engine login node 0"; it prompts for a password and unfortunately it is not accepting any passwords.

4. "commit synchronize" is also not showing node 0.

 

commit | display detail
node1:
2020-02-02 07:15:38 GMT: commit complete
commit complete

{primary:node1}[edit]

# show | compare

{primary:node1}[edit]

 

Please guide me on this 

 

 

Thanks & Regards,

Sarath.S

 

Re: Juniper SRX650 HA sync issue


Hello Sarath,

 

There seems to be nothing to commit.

 

What is the output of "show | compare" ? I do not see any output in your post. As I mentioned, if there is nothing to commit the other node will not show in the output.

 

I suggest to do "show configuration | count" by logging into each node. If the number of lines are the same there is nothing to worry about the sync.

 

Regards,

 

Vikas

Re: Juniper SRX650 HA sync issue


Hi Vikas,

 

It's already there, but it is not displaying node 0:

 

show | compare

{primary:node1}[edit]

 

As I mentioned its a remote location I dont have physical access now. I am trying to resolve all remotely.

 

Thanks & Regards,

Sarath

Re: Juniper SRX650 HA sync issue


Hello Sarath,

 

Have you tried checking the "show configuration | count" from both nodes to compare?

 

Which version are you running? If all RGs are active on node1, you can simply reboot node0 and during bootup the config will be synchronized to node0.

 

Regards,

 

Vikas

Re: ip ospf mtu ignore


Hi Vishal,

Thanks for your response.

I was wondering if you can share the behaviour of Junos when receiving a DBD packet with MTU 0. This is the default behaviour of Huawei devices: an OSPF-enabled Huawei device puts MTU 0 in the DD packets it sends and does not check the MTU in received DD packets. I'm facing an issue where a Huawei is connected to a Juniper and the OSPF peering is stuck in the Exchange/ExStart state.

 

Sunil Kumar

 

Internet line bandwidth control for some internal source IP subnets in SRX345


Hi, Guys,

 

I want to set up a policy so that some internal source IP subnets can only use up to 50 Mbps in total (incoming + outgoing traffic, max bandwidth consumption = 50 Mbps), i.e. cap the Internet line bandwidth consumed by some internal IP subnets.

 

Assumed:

The internet line is configured as a logical interface, such as reth3.200 in SRX345


Many thanks in advance.

 

 

Re: Juniper SRX650 HA sync issue


Dear Vikas,

Thanks !

As I said, it's a remote location around 500 km away from my location, and unfortunately I don't have a local engineer to support there.

I am trying to solve this issue remotely. As we discussed, node 0 was down and it came back (literally a reboot). Node 1 is still the primary (please check the screenshots attached).

It's an older version of the software. The "show version" command and the cluster status all show node 0 as active!

node0:
--------------------------------------------------------------------------
Hostname:
Model: srx650
JUNOS Software Release [12.1X46-D50.4]

node1:
--------------------------------------------------------------------------
Hostname:
Model: srx650
JUNOS Software Release [12.1X46-D50.4]

.............................................................................................................................................................................................

HA Config 

set chassis cluster redundancy-mode active-backup
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 101
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor ge-6/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-15/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-6/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-15/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-15/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-15/0/1 weight 255
set interfaces ge-6/0/0 enable
set interfaces ge-6/0/0 gigether-options redundant-parent reth0
set interfaces ge-6/0/1 enable
set interfaces ge-6/0/2 enable
set interfaces ge-6/0/3 enable
set interfaces ge-6/0/3 gigether-options redundant-parent reth0
set interfaces ge-6/0/4 enable
set interfaces ge-6/0/4 gigether-options redundant-parent reth1
set interfaces ge-6/0/5 enable
set interfaces ge-6/0/5 gigether-options redundant-parent reth1
set interfaces ge-15/0/0 enable
set interfaces ge-15/0/0 gigether-options redundant-parent reth0
set interfaces ge-15/0/1 enable
set interfaces ge-15/0/1 gigether-options redundant-parent reth1
set interfaces ge-15/0/2 enable
set interfaces ge-15/0/2 gigether-options redundant-parent reth1
set interfaces ge-15/0/3 enable
set interfaces ge-15/0/3 gigether-options redundant-parent reth0
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
set interfaces lo0 unit 0 family inet filter input limit-mgmt-access
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options minimum-links 1
set interfaces reth0 redundant-ether-options lacp passive
set interfaces reth0 redundant-ether-options lacp periodic slow
set interfaces reth0 unit 0 family inet address (publicIP)/2X
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow
set interfaces reth1 unit 0 family inet address 192.168.50.2/24 primary
set interfaces reth1 unit 0 family inet address 192.168.51.2/24

 

 

What is the effect if I reboot node 1, given the following line in the config?

set chassis cluster redundancy-group 1 preempt

 

Please guide

 

Please find the attached file as well.

 

Thanks & Regards,

Sarath


Re: [SRX550, 12.1X44] issue when test failover


Hi Steve,

 

Unfortunately, when I do a failover I cannot reach 1.1.1.137.

Re: Internet line bandwidth control for some internal source IP subnets in SRX345


Hello,

 

You have 2 options with the SRX product:

1/ Use firewall filters with policers. The advantage is that you can use the same policer in both directions and it will rate-limit the sum of incoming and outgoing traffic. If you want to be granular / per-application, then you have to specify IP addresses and TCP/UDP ports for each application you want to rate-limit separately.

2/ Use AppQoS with rate-limiters. You can be very granular with applications (i.e. it can differentiate FB from YouTube even if they both use tcp/443), but you'd need to set rate-limiters per direction (1 outgoing and 1 incoming rate-limiter).

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/class-of-service-edit-rule-sets.html

HTH

Thx

Alex
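
As an added, constructed example of option 1 (this is not Alex's configuration and not from the thread), the fragment below caps two internal subnets with one 50 Mbps policer referenced from both an input and an output filter. The filters are placed on the LAN-side logical interface rather than on the Internet line reth3.200, because an output filter on the NAT-facing interface sees post-source-NAT addresses and could not match the internal subnets. The LAN interface name reth2.100, the subnets 192.168.10.0/24 and 192.168.20.0/24, and all filter and policer names are assumptions.

```junos
## Constructed example: one policer, two filters, combined 50 Mbps cap for two subnets

## 50 Mbps with a burst of ~100 ms worth of traffic (50e6 bit/s * 0.1 s / 8 = 625 kB).
set firewall policer limit-50m if-exceeding bandwidth-limit 50m
set firewall policer limit-50m if-exceeding burst-size-limit 625k
set firewall policer limit-50m then discard

## LAN -> Internet: packets enter on the LAN interface, so the limited hosts are the source.
set firewall family inet filter lan-in term limited-subnets from source-address 192.168.10.0/24
set firewall family inet filter lan-in term limited-subnets from source-address 192.168.20.0/24
set firewall family inet filter lan-in term limited-subnets then policer limit-50m
set firewall family inet filter lan-in term limited-subnets then accept
set firewall family inet filter lan-in term everything-else then accept

## Internet -> LAN: return traffic leaves via the LAN interface, so the same hosts are
## now the destination (already un-NATed at this point).
set firewall family inet filter lan-out term limited-subnets from destination-address 192.168.10.0/24
set firewall family inet filter lan-out term limited-subnets from destination-address 192.168.20.0/24
set firewall family inet filter lan-out term limited-subnets then policer limit-50m
set firewall family inet filter lan-out term limited-subnets then accept
set firewall family inet filter lan-out term everything-else then accept

## Apply on the assumed inside interface, not on the Internet line reth3.200.
set interfaces reth2 unit 100 family inet filter input lan-in
set interfaces reth2 unit 100 family inet filter output lan-out

## Verification after commit (generate traffic first):
##   show policer                          (lists policer instances and drops)
##   show firewall filter lan-in
##   show firewall filter lan-out
```

The "sum of both directions" behaviour the reply relies on holds only if both references resolve to a single policer instance. Check `show policer` under load: if it lists two separate instances for limit-50m, each direction is being limited to 50 Mbps on its own, and the AppQoS rate-limiter route (option 2), or a filter-specific policer, is the way to get the combined cap. The trailing `everything-else` terms matter too: a Junos filter without a final accept discards anything the earlier terms did not match.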

Re: Juniper SRX650 HA sync issue


Hello Sarath,

 

These are on very old code. Config will not sync when the node joins the cluster.

 

We would need to manually sync the config.

 

> request chassis cluster configuration-synchronize

 

Else manually move the config to the other node and commit.

 

https://kb.juniper.net/KB17410

 

Regards,

 

Vikas

Block Brute Force log-in attacks web-site admin panel


Hello,
How can I use IDP on the SRX with a custom signature to block brute-force login attacks against a corporate site's admin panel? For example, I have an admin panel located at the URL https://mysite.com/my_site_admin_panel.php; how do I write a signature to protect it?

 

ike/ipsec tunnel with fallback interface


Good day,

 

We have a main office and multiple satellite locations.

The satellite offices have a fixed connection most of the time and sometimes an LTE connection.

When they need to switch from/to LTE we need to log in and change the external interface in the IKE gateway.

However, when this happens unplanned we need to drive to the location and change it.

Is there any chance to allow 2 external interfaces, so the tunnel will automatically switch to the default connection?
It is no problem to do a physical change like unplugging the cable to the broadband modem.

 

Kind regards

Mark
