Channel: All SRX Services Gateway posts

Re: How to configure incoming traffic on secondary ISP connection


Thank you for the response!

There are other rules on there, but I don't think any of them would cover going to 'MyPC'.

When I'm testing from a specific address, here's the result of that command that I get:

show security flow session source-prefix 69.245.214.184/32 destination-prefix 206.40.37.185/32
Session ID: 250706, Policy name: TESTMFT-MyPC/42, Timeout: 4, Valid
  In: 69.245.214.184/37732 --> 206.40.37.185/443;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.1.238/443 --> 69.245.214.184/37732;tcp, If: ge-0/0/12.0, Pkts: 5, Bytes: 260
Total sessions: 1

While I'm happy that it shows something, I find it odd that it shows "ge-0/0/0.0" for the interface there. Should it not show "ge-0/0/2.0", the interface actually connected to that IP?

When I initiate a connection from my test computer, I get the following security flow:

Session ID: 219320, Policy name: All_Internal_Internet/8, Timeout: 284, Valid
  In: 192.168.1.238/35381 --> 50.16.234.229/80;tcp, If: ge-0/0/12.0, Pkts: 2, Bytes: 92
  Out: 50.16.234.229/80 --> 206.40.37.178/1103;tcp, If: ge-0/0/2.0, Pkts: 1, Bytes: 44

Which does show it going out over interface 2.

Re: Significance of subtype 43 and 44 errors


Do you know what this entry indicates?

chassisd[1747]: CHASSISD_IPC_UNEXPECTED_RECV: Received unexpected message from craftd: type = 4, subtype = 44

I've looked up chassisd[1747], but can find nothing.

Re: Significance of subtype 43 and 44 errors


Nothing unusual here; these log messages are expected when an alarm is set or cleared.

  • When the alarm is set, the LED on the craft interface turns on and chassisd gets the message with "type = 4, subtype = 43" from craftd.
  • When the alarm is cleared, the LED on the craft interface turns off and chassisd gets the message with "type = 4, subtype = 44" from craftd.

Re: How to configure incoming traffic on secondary ISP connection


Ok, I'm now certain this is a routing issue, but I'm still uncertain how to get it to behave the way I'd like.

I am seeing traffic coming to and leaving the 'MyPC' system successfully, and the Juniper is seeing the return traffic; it's just not routing it properly.

If I make the new ISP the default route for the system overall, it works. Obviously, I'm hoping to avoid that, since that winds up cutting off the existing connections that still need to be moved over.

Anyone have any hints on where to look? Thank you!

Outgoing issues on same LAN Subnet in dual WAN ISP Setup for SRX650


Hi,

Recently we subscribed to a second ISP (ISP2).

Our firewall setup is a cluster.

Firewall interfaces:

ISP1 = vlan81 = untrust reth0.81 = 1.1.1.254/24 = GW 1.1.1.1

ISP2 = vlan82 = reth0.82 = 2.2.2.2/25 = GW 2.2.2.1

LAN = vlan412 = reth1.412 = 192.168.1.1/24

Below is our goal with our Linux box.

Outgoing

Webserver 1: 192.168.1.51 ----> ISP1: 1.1.1.51/24

Incoming

Client ----> ISP1: 1.1.1.51/24 ----> Webserver 1: 192.168.1.51

Default outgoing (source NAT) should be via ISP1, and it should also work via ISP2 if I manually change the source NAT pool for specific source IPs to ISP2.

inet.0 is my master routing table.

ISP2.inet.0 is the newly created routing instance.

ISP1 and the LAN networks are in the default routing instance (inet.0), so I imported the routes from inet.0 into ISP2.inet.0 using a rib-group.

Incoming traffic works after I configured the rib-group, so this part is working:

Client ----> ISP1: 1.1.1.51/24 ----> Webserver 1: 192.168.1.51

However, I have a problem with outgoing traffic: it is always routed to ISP1, and we want it to go via ISP2.

So I configured a firewall filter to redirect the specific subnet to ISP2 and attached it to the LAN interface.

After that, I can ping Internet domains and IPs, but I can't ping the LAN gateway interface (192.168.1.1), and I can't download a Linux package or curl a specific website either.

When I remove the filter from the interface, I can ping the gateway but have no Internet access.

I think there is something wrong with my outgoing setup.

Please advise what the configuration should be.

Below are the current configurations.


#################################################
#INTERFACE CONFIG
run show configuration interfaces reth0.82
description ISP2_82;
vlan-id 82;
family inet {
    address 2.2.2.2/25;
}

run show configuration interfaces reth0.81
description COGENT_WAN_81_INT;
vlan-id 81;
family inet {
    address 1.1.1.254/24;
}

run show configuration interfaces reth1.412
description APP_NET_412;
vlan-id 412;
family inet {
    filter {
        input VLAN12_REDIRECT_TO__ISP2;
    }
    address 10.40.12.1/24;
}

#################################################

#ROUTING OPTIONS
show routing-options
interface-routes {
    rib-group inet MASTER_TO_ISP2;
}
static {
    route 0.0.0.0/0 next-hop 1.1.1.1;
}
rib-groups {
    MASTER_TO_ISP2 {
        import-rib [ inet.0 ISP2_VR_82.inet.0 ];
    }
}
router-id 10.40.1.1;

#################################################

#ROUTING INSTANCE
show routing-instances
ISP2_VR_82 {
    instance-type virtual-router;
    interface reth0.82;
    routing-options {
        interface-routes {
            rib-group inet MASTER_TO_ISP2;
        }
        static {
            route 0.0.0.0/0 next-hop 2.2.2.1;
        }
    }
}

#FILTER
family inet {
    filter VLAN12_REDIRECT_TO__ISP2 {
        term TO-ISP2-ISP {
            from {
                source-address {
                    192.168.1.0/24;
                }
            }
            then {
                routing-instance ISP2_VR_82;
            }
        }
    }
}
#################################################

Static NAT

run show security nat static rule ISP2-nat-test
node0:
--------------------------------------------------------------------------

Static NAT rule: ISP2-nat-test Rule-set: internet2-static-nat
Rule-Id : 32
Rule position : 32
From zone : untrust2
Destination addresses : 2.2.2.51
Host addresses : 192.168.1.51
Netmask : 32
Host routing-instance : ISP2_VR_82
Translation hits : 62443

node1:
--------------------------------------------------------------------------

Static NAT rule: ISP2-nat-test Rule-set: internet2-static-nat
Rule-Id : 32
Rule position : 32
From zone : untrust2
Destination addresses : 2.2.2.51
Host addresses : 192.168.1.51
Netmask : 32
Host routing-instance : ISP2_VR_82
Translation hits : 0


############################################
Source NAT


run show security nat source rule app412-to-internet-rule
node0:
--------------------------------------------------------------------------

source NAT rule: app412-to-internet-rule Rule-set: app412-to-internet
Rule-Id : 8
Rule position : 8
From zone : app
To zone : untrust2
Match
Source addresses : 192.168.1.0 - 192.168.1.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Destination port : 0 - 0
Action : app412-src-nat-pool2
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 152031

node1:
--------------------------------------------------------------------------

source NAT rule: app412-to-internet-rule Rule-set: app412-to-internet
Rule-Id : 8
Rule position : 8
From zone : app
To zone : untrust2
Match
Source addresses : 192.168.1.0 - 192.168.1.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Destination port : 0 - 0
Action : app412-src-nat-pool2(2.2.2.3/32)
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 0

############################################

#ROUTES
inet.0: 83 destinations, 87 routes (83 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 02:15:44
                    > to 1.1.1.1 via reth0.81

192.168.1.0/24     *[Direct/0] 1d 16:26:49
                    > via reth1.412
192.168.1.1/24     *[Local/0] 1d 16:26:49
                      Local via reth1.412

ISP2_VR_82.inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 16:02:59
                    > to 2.2.2.1 via reth0.82

192.168.0/24       *[Direct/0] 1d 14:19:37
                    > via reth1.412
192.168.1.1/24     *[Local/0] 1d 14:19:37

2.2.2.3/32         *[Static/1] 15:30:11
                      Discard
2.2.2.51           *[Static/1] 16:51:24
                      Discard

 

 

I appreciate your help. Thanks!

bandwidth limit in juniper srx


I have a problem when configuring a bandwidth limit. This configuration works, but local traffic is also subject to the limit. How do I make the local traffic not limited?

 

admin@vSRX# show firewall policer L2M
if-exceeding {
    bandwidth-limit 2m;
    burst-size-limit 256k;
}
then discard;

[edit]
admin@vSRX# show firewall policer L4M
if-exceeding {
    bandwidth-limit 4m;
    burst-size-limit 1m;
}
then discard;

[edit]
admin@vSRX# show interfaces ge-0/0/1
unit 0 {
    family inet {
        policer {
            input L2M;
            output L4M;
        }
        address 10.20.30.1/24;
    }
}

[edit]
admin@vSRX#
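One way to keep local traffic out of the limit, as an added example rather than the original poster's configuration: do not attach the policers to the interface directly, but reference them from a firewall filter whose first term accepts traffic to or from the local prefixes unpoliced, and only the remaining (Internet-bound) traffic hits the policer. The L2M/L4M policers and the 10.20.30.0/24 LAN come from the post; the second prefix in LOCAL-NETS (192.168.0.0/16) is an assumed placeholder for whatever other internal subnets exist, and the filter and counter names are illustrative.

```junos
# Added example: filter-based policing that exempts local prefixes.
# Policers are unchanged from the post.
set firewall policer L2M if-exceeding bandwidth-limit 2m
set firewall policer L2M if-exceeding burst-size-limit 256k
set firewall policer L2M then discard
set firewall policer L4M if-exceeding bandwidth-limit 4m
set firewall policer L4M if-exceeding burst-size-limit 1m
set firewall policer L4M then discard

# Prefixes that count as "local" (10.20.30.0/24 from the post; 192.168.0.0/16 is an assumption)
set policy-options prefix-list LOCAL-NETS 10.20.30.0/24
set policy-options prefix-list LOCAL-NETS 192.168.0.0/16

# Input direction on ge-0/0/1 (packets arriving from the LAN):
# anything destined for a local prefix is accepted without policing,
# everything else (Internet-bound) goes through L2M.
set firewall family inet filter LIMIT-IN term LOCAL from destination-prefix-list LOCAL-NETS
set firewall family inet filter LIMIT-IN term LOCAL then count LOCAL-IN
set firewall family inet filter LIMIT-IN term LOCAL then accept
set firewall family inet filter LIMIT-IN term INTERNET then policer L2M
set firewall family inet filter LIMIT-IN term INTERNET then count INTERNET-IN
set firewall family inet filter LIMIT-IN term INTERNET then accept

# Output direction on ge-0/0/1 (packets leaving towards the LAN):
# anything sourced from a local prefix is accepted without policing,
# everything else (coming from the Internet) goes through L4M.
set firewall family inet filter LIMIT-OUT term LOCAL from source-prefix-list LOCAL-NETS
set firewall family inet filter LIMIT-OUT term LOCAL then count LOCAL-OUT
set firewall family inet filter LIMIT-OUT term LOCAL then accept
set firewall family inet filter LIMIT-OUT term INTERNET then policer L4M
set firewall family inet filter LIMIT-OUT term INTERNET then count INTERNET-OUT
set firewall family inet filter LIMIT-OUT term INTERNET then accept

# Replace the interface-level policer with the filters
delete interfaces ge-0/0/1 unit 0 family inet policer
set interfaces ge-0/0/1 unit 0 family inet filter input LIMIT-IN
set interfaces ge-0/0/1 unit 0 family inet filter output LIMIT-OUT
```

After committing, `show firewall filter LIMIT-IN` and `show firewall filter LIMIT-OUT` list the LOCAL-* and INTERNET-* counters alongside the policer drop counters, which makes it easy to confirm that LAN-to-LAN flows are hitting the LOCAL term and never reaching the policer.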

There is an issue when implementing static NAT + FBF on SRX240


Hi all JUNOS experts,

I have a problem implementing static NAT and FBF on an SRX240.

Before, we only had ISP1 connected to the SRX240: the default route pointed to ISP1, and the static NAT addresses were in the same segment as the ISP1 interface. They worked well.

Now we have added a connection to ISP2, and we want a few servers to communicate only through ISP2. So I changed the static NAT address to the same segment as the ISP2 interface. Then I created FBF on the server interface.

Then I tried to access this server but failed. Checking the log, the traffic is coming in from ISP2 and NAT is also OK, but the outgoing traffic goes through ISP1. It seems the FBF has not taken effect.

I'd appreciate it if anybody can help me.

reth4 to server, in trust zone;

reth13 to ISP2, in untrust zone;

reth15 to ISP1, in untrust zone;

The related configuration is as below:

set interfaces reth4 unit 0 family inet filter input ISP2
set interfaces reth4 unit 0 family inet address 192.168.1.1/24
set interfaces reth13 unit 0 family inet address 2.2.2.1/24
set interfaces reth15 unit 0 family inet address 1.1.1.1/24

set routing-options interface-routes rib-group inet PBR_Group
set routing-options static route 192.168.2.0/24 next-hop 192.168.1.254
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.254
set routing-options rib-groups PBR_Group import-rib inet.0
set routing-options rib-groups PBR_Group import-rib PBR1.inet.0

set routing-instances PBR1 instance-type forwarding
set routing-instances PBR1 routing-options static route 0.0.0.0/0 next-hop 2.2.2.254

set firewall family inet filter ISP2 term 1 from source-address 192.168.2.2/32
set firewall family inet filter ISP2 term 1 then routing-instance PBR1
set firewall family inet filter ISP2 term 2 then accept

set security nat static rule-set ruleset1 from interface reth13.0
set security nat static rule-set ruleset1 rule rule1 match destination-address 2.2.2.2/32
set security nat static rule-set ruleset1 rule rule1 then static-nat prefix 192.168.2.2/32

set security nat proxy-arp interface reth13.0 address 2.2.2.2/32

 

 


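This SRX240 post, the SRX650 post earlier on the page and the "incoming traffic on secondary ISP connection" thread share one mechanism: when the SRX creates a session it performs a route lookup back toward the source in the routing instance of the ingress interface, and the interface recorded in the session's In wing is the one that lookup picks (which is why the first thread's session shows ge-0/0/0.0, the default-route interface, rather than ge-0/0/2.0). While the ISP2 interface sits in inet.0, that lookup hits the default route to ISP1, so replies leave via ISP1 no matter what filter is on the server-facing interface; that is the KB27946 behaviour Pradeep refers to in his reply. The layout below is an added example, not either poster's configuration: ISP2's interface is placed in its own virtual-router so the reverse lookup uses ISP2's default route, the master table's interface routes are leaked into that instance with a rib-group, and the LAN-side filter accepts local destinations (including the SRX's own 192.168.1.1) before steering anything to ISP2, which is the term the SRX650 filter lacks. Interface and address values follow the SRX240 post; the zone names, ISP2-VR, INTERNAL-NETS and the NAT/policy names are assumptions.

```junos
# Added example: dual-ISP layout with ISP2 in a virtual router.
# reth4 = LAN/server side, reth13 = ISP2, reth15 = ISP1 (values from the post).

# --- Interfaces ---
set interfaces reth4 unit 0 family inet filter input TO-ISP2
set interfaces reth4 unit 0 family inet address 192.168.1.1/24
set interfaces reth13 unit 0 family inet address 2.2.2.1/24
set interfaces reth15 unit 0 family inet address 1.1.1.1/24

# --- Master table inet.0: ISP1 is the default, the server subnet sits behind 192.168.1.254 ---
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.254
set routing-options static route 192.168.2.0/24 next-hop 192.168.1.254
# Leak the master's direct/local routes into ISP2's table (first import-rib is the primary)
set routing-options interface-routes rib-group inet MASTER-TO-ISP2
set routing-options rib-groups MASTER-TO-ISP2 import-rib inet.0
set routing-options rib-groups MASTER-TO-ISP2 import-rib ISP2-VR.inet.0

# --- ISP2 in its own virtual router (assumed name ISP2-VR). Sessions arriving on reth13
# do their reverse route lookup here, so replies follow this default route, not inet.0's.
# The server route is repeated here rather than leaked, to keep inet.0's default out of this table.
set routing-instances ISP2-VR instance-type virtual-router
set routing-instances ISP2-VR interface reth13.0
set routing-instances ISP2-VR routing-options static route 0.0.0.0/0 next-hop 2.2.2.254
set routing-instances ISP2-VR routing-options static route 192.168.2.0/24 next-hop 192.168.1.254

# --- Zones (assumed names): ISP2 gets its own zone so NAT and policy can key on it ---
set security zones security-zone trust interfaces reth4.0
set security zones security-zone untrust interfaces reth15.0
set security zones security-zone untrust2 interfaces reth13.0

# --- Inbound from ISP2: static NAT 2.2.2.2 <-> 192.168.2.2, SRX answers ARP for 2.2.2.2 ---
set security nat static rule-set FROM-ISP2 from zone untrust2
set security nat static rule-set FROM-ISP2 rule SRV match destination-address 2.2.2.2/32
set security nat static rule-set FROM-ISP2 rule SRV then static-nat prefix 192.168.2.2/32
set security nat proxy-arp interface reth13.0 address 2.2.2.2/32

# --- Outbound from the LAN: local destinations stay in inet.0, then steer the server to ISP2.
# Without the LOCAL term the SRX's own 192.168.1.1 and other internal subnets are also
# redirected into ISP2-VR, which is the "can't ping the gateway" symptom of the SRX650 post.
set policy-options prefix-list INTERNAL-NETS 192.168.0.0/16
set firewall family inet filter TO-ISP2 term LOCAL from destination-prefix-list INTERNAL-NETS
set firewall family inet filter TO-ISP2 term LOCAL then accept
set firewall family inet filter TO-ISP2 term SERVER-VIA-ISP2 from source-address 192.168.2.2/32
set firewall family inet filter TO-ISP2 term SERVER-VIA-ISP2 then routing-instance ISP2-VR
set firewall family inet filter TO-ISP2 term REST then accept

# --- Source NAT for other LAN hosts that are sent via ISP2 (static NAT already covers 192.168.2.2) ---
set security nat source rule-set LAN-TO-ISP2 from zone trust
set security nat source rule-set LAN-TO-ISP2 to zone untrust2
set security nat source rule-set LAN-TO-ISP2 rule LAN match source-address 192.168.1.0/24
set security nat source rule-set LAN-TO-ISP2 rule LAN then source-nat interface

# --- Policies (assumed names) ---
set security address-book global address SRV 192.168.2.2/32
set security policies from-zone trust to-zone untrust2 policy OUT match source-address any
set security policies from-zone trust to-zone untrust2 policy OUT match destination-address any
set security policies from-zone trust to-zone untrust2 policy OUT match application any
set security policies from-zone trust to-zone untrust2 policy OUT then permit
set security policies from-zone untrust2 to-zone trust policy SRV-IN match source-address any
set security policies from-zone untrust2 to-zone trust policy SRV-IN match destination-address SRV
set security policies from-zone untrust2 to-zone trust policy SRV-IN match application any
set security policies from-zone untrust2 to-zone trust policy SRV-IN then permit
```

To check it, `show route table ISP2-VR.inet.0` should list the leaked 192.168.1.0/24 direct route, the 192.168.2.0/24 static and the 2.2.2.254 default; then, with a connection from the Internet to 2.2.2.2 in progress, `show security flow session destination-prefix 2.2.2.2/32` should show reth13.0 in the In wing and reth4.0 in the Out wing, meaning replies from the server leave through ISP2. In a chassis cluster the same configuration applies to both nodes, as the reth interfaces are shared.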
Re: bandwidth limit in juniper srx


What interface(s) is your local traffic on? 

SRX100H and AirCard 320U


Hey Experts,

I have a remote box with an AirCard 320U, but dial-in is not working. If I put the SIM card into an AirCard 312U, it works. I checked on my Linux laptop that the 320U works. The reason I prefer the 320U over the 312U is 4G.

The two LEDs of the 320U flash for a second during boot, but then both remain inactive.

root@remote> show modem wireless interface cl-0/0/8   
Wireless modem firmware details 
  Modem firmware version: SWI9200X_03.05.23.09ap r5836 carmd-en-10527 2013/06/17 18:01:23
  Modem Firmware build date: 06/17/13
  Card type: AirCard 320U
  Modem manufacturer: Sierra Wireless, Inc
  Hardware version: 1.0
  Current modem temperature: 23 deg C
  Factory serial number (FSN): CC42353002110102
  International mobile equipment identity
            (IMEI): 357272045242728
  Modem PIN security status: Enabled
  SIM status: SIM Okay
  SIM lock: Unlocked
  SIM user operation needed: No Op
  Retries remaining: 0
Wireless Modem Network Info 
  Current Modem Status: Low Power Mode
  Current Service Status: No Service Available
  Current Service Type: Invalid Service
  Current Service Mode: None
  Current Band: 0
  Roaming Status: No
  Network Selection Mode: Automatic
  Network: 0
  Mobile Country Code (MCC): 0
  Mobile Network Code (MNC): 0
  Location Area Code (LAC): 0
  Routing Area Code (RAC): 255
  Cell Identification: -1
  Scrambling Code: 0
Radio statistics
  Current radio signal strength: -110 dB

Here are the configs for the modem interface:

root@remote> show configuration | display set | match cl-0/0/8    
set interfaces cl-0/0/8 modem-options init-command-string AT+CGDCONT=1,IP,apn.carrier.tld
set interfaces cl-0/0/8 dialer-options pool 1 priority 100
set interfaces cl-0/0/8 cellular-options gsm-options select-profile profile-id 1
set interfaces cl-0/0/8 cellular-options gsm-options radio-access automatic
set interfaces cl-0/0/8 cellular-options gsm-options encrypted-sim-unlock-code "$9$NqdYgZUjfQFGU"

The profile-id 1 remains inactive:

root@remote> show modem wireless interface cl-0/0/8 profiles 
Profile details
  Max profiles: 16
  Default profile Id: 16

Profile 1: Inactive
  Valid: TRUE
  Username: user
  Password: pass
  Access point name (APN): apn.carrier.tld
  Authentication: PAP

Is the firmware of the AirCard the right one? Or why is the card in low power mode? I assume the card is not properly initialized, but I have no clue how...

SRX550 - upgrade from 15.1X49-D170.4 to 18.2R3-S2.9 - Validation failed


Hi.

I am trying to upgrade the software on an SRX550m from 15.1X49-D170.4 to 18.2R3-S2.9 and I get a "Validation failed" message. I am aware that I can use the no-validate option. However, is it safe to use that option? What does this error exactly mean (mgd: error: Allocating memory for action maps 'no-ssh-rsa' failed)? I am able to log into the device via SSH, so I think it is configured correctly.

 

root@srx550m> request system software add /var/tmp/junos-srxsme-18.2R3-S2.9.tgz no-copy unlink validate

Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 599.0MB (1226700 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 149.75MB, 9584 blks, 19200 inodes.
super-block backups (for fsck -b #) at:
32, 306720, 613408, 920096
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
Using junos-18.2R3-S2.9 from /altroot/cf/packages/install-tmp/junos-18.2R3-S2.9
Copying package ...
veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/php_mod.ini: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
mgd: error: Allocating memory for action maps 'no-ssh-rsa' failed
Abort trap (core dumped)
Validation failed
Validating against /config/rescue.conf.gz
mgd: commit complete
Validation succeeded
ERROR: Configuration validation failed with /altroot/cf/packages/install-tmp/junos-18.2R3-S2.9



root@srx550m> show system software
Information for junos:
Comment:
JUNOS Software Release [15.1X49-D170.4]

 

Re: SRX550 - upgrade from 15.1X49-D170.4 to 18.2R3-S2.9 - Validation failed


Hello LukaszRz,

I think validation will always fail because there was a change in the internal file system starting with the 17 release.

An upgrade with "no-validate" is more likely to be successful.

If you are not comfortable with "no-validate", I would suggest getting JTAC involved when you upgrade.

Also, as per the upgrade guidelines, you are encouraged to upgrade "NOT more than 3 releases" at a time.

Refer to: https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/18.2/jd0e27340.html#cbbu-rn-junos-es-upgrade-downgrade

"You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 15.1X49, 17.3, 17.4, 18.1 and 18.2 are EEOL releases. You can upgrade from one Junos OS Release to the next release or one release after the next release. For example you can upgrade from Junos OS Release 15.1X49 to Release 17.3 or 17.4, Junos OS Release 17.4 to Release 18.1 or 18.2, and from Junos OS Release 18.1 to Release 18.2 or 18.3 and so on."

Hope this is helpful.

Thanks!

Range of Port - JUNIPER SRX300


Guys, sorry for my English! I'm implementing a 3CX PBX, but it requires me to open a range of ports (9000-10999), and the Juniper does not seem to have this function, or it is not enabled. Would someone help me? My Juniper is the SRX300.
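The SRX does support port ranges: you define a custom application with the range and reference it from a security policy, and if the PBX sits on a private address behind the firewall you add a destination-NAT rule that matches the same range. The following is an added example, not from the thread; the PBX address 192.168.10.20, the public address 203.0.113.10, the zone names trust/untrust and all object names are assumptions, and the SIP port and the SIP ALG line are included only because 3CX-style deployments usually need them (check 3CX's own firewall guidance for the exact set).

```junos
# Added example: 3CX-style port range (UDP 9000-10999 for RTP) on an SRX300.
# 192.168.10.20 (PBX), 203.0.113.10 (public IP) and the zone/object names are assumptions.

# Custom applications: the port range is written as low-high
set applications application 3CX-RTP protocol udp destination-port 9000-10999
set applications application 3CX-SIP protocol udp destination-port 5060
set applications application-set 3CX application 3CX-SIP
set applications application-set 3CX application 3CX-RTP

# Address object for the PBX (global address book)
set security address-book global address PBX 192.168.10.20/32

# Destination NAT from the Internet to the PBX. The pool has no port, so the
# original destination port is preserved and the whole range maps 1:1.
set security nat destination pool 3CX-PBX address 192.168.10.20/32
set security nat destination rule-set FROM-INTERNET from zone untrust
set security nat destination rule-set FROM-INTERNET rule 3CX-RTP match destination-address 203.0.113.10/32
set security nat destination rule-set FROM-INTERNET rule 3CX-RTP match destination-port 9000 to 10999
set security nat destination rule-set FROM-INTERNET rule 3CX-RTP match protocol udp
set security nat destination rule-set FROM-INTERNET rule 3CX-RTP then destination-nat pool 3CX-PBX
set security nat destination rule-set FROM-INTERNET rule 3CX-SIP match destination-address 203.0.113.10/32
set security nat destination rule-set FROM-INTERNET rule 3CX-SIP match destination-port 5060
set security nat destination rule-set FROM-INTERNET rule 3CX-SIP match protocol udp
set security nat destination rule-set FROM-INTERNET rule 3CX-SIP then destination-nat pool 3CX-PBX

# Policy: only the 3CX application set is allowed in, and only to the PBX
set security policies from-zone untrust to-zone trust policy 3CX-IN match source-address any
set security policies from-zone untrust to-zone trust policy 3CX-IN match destination-address PBX
set security policies from-zone untrust to-zone trust policy 3CX-IN match application 3CX
set security policies from-zone untrust to-zone trust policy 3CX-IN then permit

# The SIP ALG rewrites SDP and can fight the PBX's own NAT handling; PBX vendors
# commonly ask for it to be disabled (verify against your PBX documentation).
set security alg sip disable
```

`show security nat destination rule all` and `show security policies policy-name 3CX-IN detail` confirm the objects after commit, and `show security flow session destination-port 9000` while a call is up shows the translated session. Keeping the policy tied to the application set rather than `any` is what limits the exposure of a 2000-port range to the single PBX host.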

SRX SNAT FLOW SESSION


I am struggling to understand SNAT.

Below is the flow session:

Session ID: 443, Policy name: OK/6, Timeout: 2, Valid
  In: 192.168.111.2/51744 --> 91.201.212.238/80;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 430
  Out: 91.201.212.238/80 --> 172.30.124.59/16613;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 4, Bytes: 467

We can say there is SNAT applied, as the source is changed from 192.168.111.2 to 172.30.124.59.

Now, when we look at the SRX packet-handling diagram:

[image: SRXpacketFlow.gif]

the route lookup actually happens before SNAT. So my confusion is:

- If the route lookup is done before SNAT, how can the SRX know where to forward the packet after doing SNAT, as in the flow session above?

- If the SNAT configuration has all the routing-related information, such as the zone and which interface to go out of, then the policy check still applies; however, the policy check is also done before SNAT.

Please share your thoughts so that it makes sense how the SRX actually behaves in this scenario.

Thank you.
 

Re: SRX SNAT FLOW SESSION


Hi,

 

The route lookup happens on the destination IP and hence the Dst-NAT if any is always done before the route lookup as you can see in the flow diagram.

 

Source NAT does not have any impact on the route lookup. Hope this helps.

 

Thanks and Regards,

Pradeep Kumar M

 

|| If this solves your problem, please mark this post as "Accepted Solution" so we can help others too ||

Re: There is an issue when implementing static NAT + FBF on SRX240


Hi Gao,

Can you please share the output of the command "show security flow session destination-prefix 2.2.2.2/32" after you initiate the connection, and also the output of "show route <x.x.x.x>", where x.x.x.x is the source IP address from which you are trying to access the server.

I see this issue as similar to the one explained in the KB article https://kb.juniper.net/InfoCenter/index?page=content&id=KB27946, where FBF doesn't perform a route lookup for the return traffic, as a reverse route lookup is already performed during initial session creation.

Hope this helps.

Thanks and Regards,

Pradeep Kumar M

|| If this solves your problem, please mark this post as "Accepted Solution" so we can help others too ||

SRX 100/240 to SRX 300 Config Issue


We currently have 11 locations set up and are looking to add number 12. The main location is an SRX240 and the 10 other current locations are SRX100s. They are set up with a VPN mesh and everything works fine. I'm trying to add the new location with an SRX300.

I copied an SRX100 config and updated it with the information for the new site.

  • From the SRX300 I can ping out to other locations, but only to the 150.160 IP. I can't ping any internal 10. IP or anything on the Internet.
  • From other locations I cannot ping anything at the new location, neither the router's 150.160 IP nor an internal 10. IP.

I did have to add the line for "root-login allow" so I could SSH to the device, so I'm guessing I need to adjust some security on the SRX300 to allow inbound traffic differently than on the SRX100?

I've attached 3 configs.
