Hello Mark,
You can configure primary/backup VPN.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227&actp=METADATA
Please follow the KB below to understand it better and let me know your queries.
Thanks,
Shina
I think the issue will be with how HSRP works on the switch ports.
The SRX cluster works using the redundant Ethernet standard for failover.
So both ports are up/up but only the active port is passing traffic.
On the HSRP side, since the primary port is still up but the failover has occurred, your VIP address still remains on the SRX A port, but that port is now no longer passing traffic.
Can you move the IP addresses on the switches to virtual interfaces instead of the physical ones?
In Juniper this would be irb.x or vlan.x format. I'm not sure what the Cisco equivalent is.
Hi,
Thanks for helping me. I followed a guide found here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJbCAK, which I think was created by you, to configure the tunnel, but I am using a static route instead of OSPF. It is working perfectly without any issue. But the response time from different clients to servers is different: for example, the response time from client 172.16.2.1 to server 172.16.0.135 is 186 ms, but at the same time another client, 172.16.2.2, to 172.16.0.135 is 50 ms. If I ping another server, 172.16.0.136, from 172.16.2.1 it will be 50 ms, but the response time from 172.16.2.2 is 186 ms. What I am trying to say is that the response time is random and does not follow a pattern. In the guide it is mentioned to change the MTU size to 1350 on the SRX side; do I need to change it on the Palo Alto side also?
You are right: since the problem is random, not fixed, a good candidate is MSS on the VPN. I did create that article on the PAN forums. At the time MSS settings were not supported, but they are now, so you can match the 1350 on both sides to see if that helps.
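The SRX-side setting the reply refers to, as an added example in Junos set-command form (not configuration from the original post). The 1350 value is the one used in the thread; the all-tcp variant is included for contrast with the VXLAN question that comes up later in the thread. Lines starting with # are explanatory.

```junos
# Clamp the MSS advertised in TCP SYNs that the SRX places into (or receives from) IPsec tunnels.
# 1350 leaves headroom for the ESP, NAT-T/UDP and outer IP overhead inside a 1500-byte path MTU,
# so the inner TCP segments are not fragmented or silently dropped on the tunnel path.
set security flow tcp-mss ipsec-vpn mss 1350

# Alternative: clamp every transit TCP session the SRX itself processes as TCP, tunneled or not.
# This only touches sessions the SRX sees as TCP; TCP carried inside a UDP encapsulation
# such as VXLAN is forwarded as plain UDP and is not rewritten.
set security flow tcp-mss all-tcp mss 1350
```

The ipsec-vpn form is the narrower change and is normally preferred, because it leaves TCP sessions that never enter a tunnel untouched. Match the same value on the peer so that the clamp is symmetric in both directions.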
On the switches' side, all are configured using interface vlan.
On the switches' physical ports only access mode is configured, with the connection between switches configured as a trunk.
Hello Community,
Question for folks who know SRX in depth: if one does tcp-mss all-tcp, will the SRX adjust the MSS for tunneled traffic like VXLAN that's passing through it? The 'through' traffic in this case will be the UDP tunnel/VXLAN-encapsulated traffic.
I am interested in this as I am looking to do VXLAN over the internet and SRX with IPsec to encrypt the traffic. Has anyone tried this before?
Thanks
Hi, unfortunately the SRX cannot adjust the MSS for tunneled traffic.
Hi,
As VXLAN traffic is UDP encapsulated, the TCP MSS settings simply do not apply to the VXLAN traffic.
Hope this helps.
Thanks and Regards,
Pradeep Kumar M
Thank you for the response.
Hi
Kit: SRX300
FW: 18.2R3.4
Outline
I have a P2P on the WAN and a /32 to NAT to for internet access. Operational.
The client has forwarded port 443 internally (and cannot map to a different external port), so I cannot deploy the ruVPN without breaking their internal services.
I have tried to increase the available pool to a /31 and use the additional IP address as the VPN gateway; however, I cannot get the VPN to connect.
Have I missed something obvious along the way? The /31 has internet connectivity, so it is not a routing issue.
Thanks in advance!
Clearly I have misse
Hi,
Thanks for taking the time to reply but this isn't the answer to the question :-)
The change is needed from vlan to irb in the configuration section under interfaces.
old style interfaces vlan
new style interfaces irb
In the main vlan section that stays the same.
But the interfaces listed under vlans
old style is vlan.0
new style irb.0
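The two styles side by side, as an added example that is not from the original reply. It assumes a VLAN named users with ID 10, a placeholder address 192.168.10.1/24 and access port ge-0/0/1; lines starting with # are explanatory.

```junos
# Legacy (pre-ELS) style: the routed VLAN interface lives under "interfaces vlan"
set interfaces vlan unit 10 family inet address 192.168.10.1/24
set vlans users vlan-id 10
set vlans users l3-interface vlan.10
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members users
set security zones security-zone trust interfaces vlan.10

# ELS style (Enhanced Layer 2 Software): the same routed interface lives under "interfaces irb"
set interfaces irb unit 10 family inet address 192.168.10.1/24
set vlans users vlan-id 10
set vlans users l3-interface irb.10
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members users
set security zones security-zone trust interfaces irb.10
```

Note that the change is not only the interface name: the access-port keyword also moves from port-mode to interface-mode, and every place that referenced vlan.10 (security zones, routing, policies) must reference irb.10 instead, or the commit will fail.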
Hello,
Currently we use source NAT to access the Internet from LAN:
pool src-nat-pool-office {
    address {
        1.1.1.2/32;
    }
}
rule-set rs1 {
    from zone trust;
    to zone untrust;
    rule office-nat {
        match {
            source-address 192.168.4.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool-office;
                }
            }
        }
    }
}
At the same time we use destination NAT to access some resources from the Internet using one of our public IP addresses (BGP):
pool server1 {
    address 192.168.4.123/32;
}
rule-set dnat-rs1 {
    from zone untrust;
    rule r1 {
        match {
            destination-address 1.1.1.3/32;
            destination-port {
                80;
            }
        }
        then {
            destination-nat {
                pool {
                    server1;
                }
            }
        }
    }
}
Now, we would like to access "server1" from the LAN using the public IP address 1.1.1.3 (the one from the destination NAT). How can I do that? I read something about NAT hairpinning, but I'm not sure how to use it here.
Can I ask for help?
Hi Gabriel,
Adding the zone trust to the existing destination NAT rule would solve your purpose.
set security nat destination rule-set dnat-rs1 from zone trust
This will help to trigger the destination NAT for traffic from the internal LAN, and the source NAT will also be done, which is necessary. Please refer to the KB at https://kb.juniper.net/InfoCenter/index?page=content&id=KB24639 which has an example for hairpin NAT and the requirements.
Hope this helps.
Thanks and Regards,
Pradeep Kumar
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
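A complete hairpin configuration built on the asker's existing names (pool server1, rule-set dnat-rs1, zones trust/untrust, LAN 192.168.4.0/24, public address 1.1.1.3), as an added example that is not from the reply or the KB. The source NAT rule-set name hairpin, the rule name hairpin-nat and the policy name hairpin-http are placeholders; lines starting with # are explanatory.

```junos
# Destination NAT: keep the Internet-facing match and add zone trust, so LAN clients that
# connect to the public address 1.1.1.3 are also translated to the internal server.
set security nat destination pool server1 address 192.168.4.123/32
set security nat destination rule-set dnat-rs1 from zone untrust
set security nat destination rule-set dnat-rs1 from zone trust
set security nat destination rule-set dnat-rs1 rule r1 match destination-address 1.1.1.3/32
set security nat destination rule-set dnat-rs1 rule r1 match destination-port 80
set security nat destination rule-set dnat-rs1 rule r1 then destination-nat pool server1

# Source NAT for trust-to-trust: client and server share 192.168.4.0/24, so without this the
# server would answer the client directly and the reply would bypass the SRX session.
# Translating the source to the SRX's own interface address forces the reply back through it.
set security nat source rule-set hairpin from zone trust
set security nat source rule-set hairpin to zone trust
set security nat source rule-set hairpin rule hairpin-nat match source-address 192.168.4.0/24
set security nat source rule-set hairpin rule hairpin-nat match destination-address 192.168.4.123/32
set security nat source rule-set hairpin rule hairpin-nat then source-nat interface

# Security policy: destination NAT runs before policy lookup, so the policy sees the
# translated destination 192.168.4.123. Restrict to the published service only.
set security policies from-zone trust to-zone trust policy hairpin-http match source-address any
set security policies from-zone trust to-zone trust policy hairpin-http match destination-address any
set security policies from-zone trust to-zone trust policy hairpin-http match application junos-http
set security policies from-zone trust to-zone trust policy hairpin-http then permit
set security policies from-zone trust to-zone trust policy hairpin-http then log session-init
```

Two things to check after committing: show security flow session shows both translations on the hairpinned session, and the server's own logs will now record the SRX interface address rather than the real client for these connections, which matters if those logs are used for auditing.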
Hi,
I have some policies in my untrust-to-trust zones where I want to block subnets for ssh. The policy looks like
policy UNTRUST-to-TRUST-SSH {
    match {
        source-address [ address1 address2 .... addressn ];
        destination-address any;
        source-address-excluded;
        application junos-ssh;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
        count;
    }
}
If there are more than 10 source-addresses, the commit fails. I thought I could use an address-set, but if I reference an address-set, Junos just dereferences it and still complains that I have more than 10 entries. Currently I have another policy that's exactly the same but with a different name and other source-addresses.
Is there a more elegant way to work around this limitation?
Thank you, it worked for me!
Good day Shina,
So the solution is to make two VPN connections, one for both interfaces.
It was not the expected solution, but it will be an acceptable one.
Thanks
I am trying to set up the IDP service on an SRX device. When I try to download the security package it fails with the below error:
admin@srx-01> request security idp security-package download check-server
error: timeout communicating with idp-policy daemon
When I take my firewall filter (which is applied to the loopback) off, it works. When it's working, if I do a netstat on the SRX I can see connections going to some Juniper internet address on HTTPS. If I re-apply the firewall filter, I don't even see those attempts.
I have followed the below article and added the lines to my firewall filter (above the final deny term), but it still doesn't work.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB30374
set firewall filter MGMT term Allow-IDP-Downloads-2 from source-port 443
set firewall filter MGMT term Allow-IDP-Downloads-2 from tcp-established
set firewall filter MGMT term Allow-IDP-Downloads-2 then accept
set firewall filter MGMT term DENY_OTHER_TRAFFIC then log
set firewall filter MGMT term DENY_OTHER_TRAFFIC then discard
set interfaces lo0 unit 0 family inet filter input MGMT
Anybody have any tips or a working configuration?
Hi all,
Currently I have 4 pairs of SRX5800 chassis clusters, and all the clusters are facing an issue on FPC11 (IOC II, which carries all the interface traffic): CPU at 100% utilization. I already opened a JTAC case and JTAC said I need to reseat the FPC, but when I requested a PR number they said there is no PR number. So it is difficult to get an RFC to execute the FPC reseat activity. So I am asking in this forum in case someone has faced the same issue as me.
{primary:node0}
root@SRX5800> show chassis fpc
node0:
--------------------------------------------------------------------------
                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer
  0  Online            30      2          0        2      2      2    1024        5         26
  1  Online            26     20          0       20     20     20    1024        5         26
  2  Online            26      2          0        2      2      2    1024        5         26
  3  Online            26      2          0        2      2      2    1024        5         26
  4  Empty
  5  Empty
  6  Empty
  7  Empty
  8  Empty
  9  Empty
 10  Online            28     10          0        9      9      9    2048       15         14
 11  Online            28    100          0       99     99     99    2048       16         27
node1:
--------------------------------------------------------------------------
                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer
  0  Online            31      2          0        2      2      2    1024        5         26
  1  Online            27     21          0       20     20     20    1024        5         26
  2  Online            26      2          0        2      2      2    1024        5         26
  3  Online            26      2          0        2      2      2    1024        5         26
  4  Empty
  5  Empty
  6  Empty
  7  Empty
  8  Empty
  9  Empty
 10  Online            30      9          0        9     10     10    2048       15         14
 11  Online            30    100          0       99     99     99    2048       16         27
Thanks
Figured it out: I added DNS to the firewall filter and it works now, in case anybody else has the same issue.
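What "adding DNS" to the loopback filter looks like in full, as an added example that is not the poster's configuration. It keeps the KB30374 terms from the earlier post and assumes a placeholder resolver address 192.0.2.53 configured as the system name-server; lines starting with # are explanatory.

```junos
# Resolver the routing engine uses to look up the Juniper download server (placeholder address)
set system name-server 192.0.2.53

# DNS replies back to the routing engine: answers arrive from the resolver's UDP port 53.
# The SRX's own query leaves with an ephemeral source port, so matching on the reply's
# source address and port is enough and keeps the term narrow.
set firewall filter MGMT term Allow-DNS from source-address 192.0.2.53/32
set firewall filter MGMT term Allow-DNS from protocol udp
set firewall filter MGMT term Allow-DNS from source-port 53
set firewall filter MGMT term Allow-DNS then accept

# HTTPS replies for the security-package download: the KB30374 terms with the protocol pinned to TCP
set firewall filter MGMT term Allow-IDP-Downloads from protocol tcp
set firewall filter MGMT term Allow-IDP-Downloads from source-port 443
set firewall filter MGMT term Allow-IDP-Downloads from tcp-established
set firewall filter MGMT term Allow-IDP-Downloads then accept

# Explicit deny stays last; logging it is what shows which term is still missing
set firewall filter MGMT term DENY_OTHER_TRAFFIC then log
set firewall filter MGMT term DENY_OTHER_TRAFFIC then discard

# Terms are evaluated in order, so make sure the new ones sit ahead of the deny term
insert firewall filter MGMT term Allow-DNS before term DENY_OTHER_TRAFFIC
insert firewall filter MGMT term Allow-IDP-Downloads before term DENY_OTHER_TRAFFIC

set interfaces lo0 unit 0 family inet filter input MGMT
```

To confirm the filter is no longer the blocker, run the download check again and then look at show firewall log: any remaining discards from the resolver or from port 443 point at a term that is still missing. If the resolver falls back to TCP for large answers, a matching term with protocol tcp and source-port 53 is needed as well.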