Good afternoon, I am trying to pin down information regarding the SRX320 device. We are being told we have to replace this device because it is coming up on end of support (EOS)/end of life (EOL). I checked the list at https://support.juniper.net/support/eol/hardware/srx_series/ and was unable to find the SRX320 on the list when I searched on it. Is there another web page to which I should refer for this information, or another source that can provide definitive EOS/EOL dates? Thanks in advance.
SRX320 End of Support/End of Life Confirmation
Traffic to node 1 is blocked when HA data plane is in active-active mode
Hi, all,
Let me copy&paste this KB article, because it directly relates to my question:
SUMMARY: This article explains why traffic that goes to node 1 is blocked when the HA data plane is running in active-active mode and the source NAT pool (no port translation) contains only one IP address.
SYMPTOMS: The source Network Address Translation (NAT) in high availability (HA) was configured as follows:
{primary:node0}[edit security nat]
root# show | display set
set security nat source pool 1 address 1.1.1.1/32
set security nat source pool 1 port no-translation
set security nat source rule-set 1 from zone untrust
set security nat source rule-set 1 to zone trust
set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1 then source-nat pool 1
After committing, the following error was seen:
{primary:node0}[edit]
root# commit
[edit security nat source pool 1]
'port'
warning: Ha data plane will be running in active-active mode, source NAT pool (no port translation) contains too few addresses(at least 2 addresses needed), traffic goes to node 1 will be BLOCKED!
node0:
configuration check succeeds
node1:
[edit security nat source pool 1]
'port'
warning: Ha data plane will be running in active-active mode, source NAT pool (no port translation) contains too few addresses(at least 2 addresses needed), traffic goes to node 1 will be BLOCKED!
commit complete
node0:
commit complete
Even when the commit was successful, after a data RG (for example RG1) failover from Node0 to Node1, the traffic was blocked.
CAUSE: By default, on SRX devices running in a chassis cluster (the SRX runs in an active-active setup), if IP-based source NAT is done, the ports are equally divided between both nodes for NAT purposes: 1-32k on node1 and 32k-65k on node0. However, in this case there was only one IP address and no ports for translation, i.e. only one IP is present with no port translation. Therefore a minimum of two IP addresses is required to distribute the pool among the two nodes.
SOLUTION: Add more IP addresses to the pool:
set security nat source pool 1 address 1.1.1.0/30 <-- here
set security nat source pool 1 port no-translation
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone untrust
set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1 then source-nat pool 1
Or remove the port no-translation:
set security nat source pool 1 address 1.1.1.1/32
delete security nat source pool 1 port no-translation <-- here
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone untrust
set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1 then source-nat pool 1
Or change to static NAT:
set security nat static rule-set 1 from zone untrust
set security nat static rule-set 1 rule 1 match destination-address 1.1.1.1/32
set security nat static rule-set 1 rule 1 then static-nat prefix 10.1.1.1/32
We have a bunch of SIP trunks across the SRX. All of our SIP signalling servers and media servers use private IP addresses, with the SRX currently doing static NAT address translation for all signalling and media servers (NAT-related SIP signalling/SDP issues are handled in software; the SRX has the SIP ALG intentionally turned off, so the SRX is not aware of SIP). Now that the business is growing, we are running out of public IP addresses, and I need to figure out a way to solve this problem. What I want to achieve is a SIP media load balancer on the SRX.
Since SIP SDP allocates the media server IP and port for a SIP session without the SRX's awareness (there will be NO STUN involved), the SRX cannot change the source port when performing NAT (port no-translation), and we can only give out one IP address for the media servers, because the SRX would not dynamically know which public IP to source-NAT with if we had a NAT address pool.
While I can change the software behaviour to start media first in order to establish the session on the SRX so return traffic can flow to the right media server, and I can also make sure no backend media servers use the same source port, this "Traffic to node 1 is blocked when HA data plane is in active-active mode" is now a show stopper for me; none of the workarounds is applicable to my situation.
I am confused as to why an active-active cluster is relevant: I am running an active-standby cluster. Should the SRX just use the whole 65K port range (in my case, no port translation), or does this KB article only apply to active-active clusters, so that I can safely ignore the warning if I am running an active-standby HA cluster?
Setting the TTL for DNS Records Stored in the SRX's Cache from Security Policy Lookups
Hi All,
I am using DNS for some address book entries used in security policies. However, I am repeatedly running into issues where the cached resolution of the hostname on the SRX is different from what it is when traffic is received. This happens frequently with CDNs and is a little outside of my control. There have been some posts regarding this in the past, but those have not come to any resolution, so I figured I'd bring this topic up again. Is it possible to set the TTL of the cached entries on the SRX itself? I'd love to force the device to just do a lookup every time it receives traffic, rather than using a cached entry that is incorrect...
Re: SRX320 End of Support/End of Life Confirmation
Hi klackey,
I would recommend you verify and clarify whether what is going EoL is the hardware or the software you are running, because if the hardware is not published on the link you shared, that means it has not been announced.
Here you can find all the rules and guidelines related to EOL, EOS, LRD, EOHE, EOSE.
https://support.juniper.net/support/pdf/eol/990833.pdf
If this solves your problem, please mark this post as "Accepted Solution" so we can help others too.
Regards,
Lil Dexx
JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB
Re: Traffic to node 1 is blocked when HA data plane is in active-active mode
By default in Cluster, data plane mode is in active-active mode, regardless of user configuration.
root@srx> show chassis cluster information detail
node0:
--------------------------------------------------------------------------
Redundancy mode:
Configured mode: active-active
Operational mode: active-active
You may change the cluster redundancy-mode to active-backup, as mentioned in KB21263, to fix the issue.
- Both nodes need to be rebooted simultaneously after the config change.
root@srx> show chassis cluster information detail | match "mode|node[01]:"
node0:
--------------------------------------------------------------------------
Redundancy mode:
Configured mode: active-backup
Operational mode: active-backup
node1:
--------------------------------------------------------------------------
Redundancy mode:
Configured mode: active-backup
Operational mode: active-backup
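A commit-time check that applies the rule from the KB article quoted in the question and the reply above, written as an added example (not Juniper code): it parses `set security nat source pool` lines, counts the addresses in each pool, and warns when the data plane is active-active and a pool with `port no-translation` has fewer than the two addresses the pool split between node0 and node1 requires. The sample configurations are the KB's failing pool and its two source-NAT fixes; the assumption that every address in a configured prefix counts toward the pool (so a /30 counts as 4) is mine.

```python
"""Commit-time check modelled on the warning quoted from the KB article above.

Added example, not Juniper code. With the data plane in active-active mode a
pool configured with 'port no-translation' needs at least two addresses,
because the pool is split between node0 and node1; in active-backup mode
(the reply's fix via KB21263) the check does not fire.
"""
import ipaddress
import re

MIN_ADDRESSES_ACTIVE_ACTIVE = 2  # "at least 2 addresses needed" in the commit warning

POOL_RE = re.compile(
    r"^set security nat source pool (\S+) (?:address (\S+)|(port no-translation))$"
)

# Constructed from the KB article: the failing pool and the two source-NAT fixes.
ORIGINAL_CONFIG = [
    "set security nat source pool 1 address 1.1.1.1/32",
    "set security nat source pool 1 port no-translation",
    "set security nat source rule-set 1 from zone untrust",
    "set security nat source rule-set 1 to zone trust",
    "set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0",
    "set security nat source rule-set 1 rule 1 then source-nat pool 1",
]
FIX_MORE_ADDRESSES = ["set security nat source pool 1 address 1.1.1.0/30",
                      "set security nat source pool 1 port no-translation"]
FIX_PORT_TRANSLATION = ["set security nat source pool 1 address 1.1.1.1/32"]


def parse_pools(config_lines):
    """Return {pool_name: {"prefixes": [ip_network, ...], "no_translation": bool}}."""
    pools = {}
    for line in config_lines:
        m = POOL_RE.match(line.strip())
        if not m:
            continue
        pool = pools.setdefault(m.group(1), {"prefixes": [], "no_translation": False})
        if m.group(2):
            pool["prefixes"].append(ipaddress.ip_network(m.group(2), strict=False))
        else:
            pool["no_translation"] = True
    return pools


def pool_address_count(pool):
    # Assumption: every address in a configured prefix is usable, so a /30 counts as 4.
    return sum(net.num_addresses for net in pool["prefixes"])


def check_pools(config_lines, operational_mode):
    """Return one warning string per pool that would leave node1 traffic blocked.

    operational_mode is what 'show chassis cluster information detail' reports:
    active-active by default (per the reply above), active-backup after KB21263.
    """
    warnings = []
    if operational_mode != "active-active":
        return warnings  # single active node: no port-range split to satisfy
    for name, pool in parse_pools(config_lines).items():
        count = pool_address_count(pool)
        if pool["no_translation"] and count < MIN_ADDRESSES_ACTIVE_ACTIVE:
            warnings.append(
                f"pool {name}: port no-translation with {count} address(es) in "
                f"active-active mode (at least {MIN_ADDRESSES_ACTIVE_ACTIVE} needed); "
                f"traffic to node1 will be blocked"
            )
    return warnings


if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL_CONFIG), ("more addresses", FIX_MORE_ADDRESSES),
                       ("port translation", FIX_PORT_TRANSLATION)]:
        print(label, "->", check_pools(cfg, "active-active") or "ok")
    print("original, active-backup ->", check_pools(ORIGINAL_CONFIG, "active-backup") or "ok")
```

Running it reproduces the thread: the original pool warns in active-active mode, each of the KB's two source-NAT fixes clears the warning, and the same original pool passes once the operational mode is active-backup.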
Re: Traffic to node 1 is blocked when HA data plane is in active-active mode
Thank you so much, I only have one redundancy-group (besides redundant group 0, of course), but the reboot part is a bummer.
Betreff: SRX320 End of Support/End of Life Confirmation
Hello klackey,
SRX320 is definitely not EOL, as this is the most current Juniper SRX branch platform; there is no successor available. Here you can check whether the JUNOS release you use is EOE or EOL:
Re: SRX320 End of Support/End of Life Confirmation
Maybe they confused this with the SRX220. That one is EOL for sure.
Re: Setting the TTL for DNS Records Stored in the SRX's Cache from Security Policy Lookups
Hi,
This issue of the SRX's cached resolution of a hostname being different from the actual IP when traffic is received happens mostly when the TTL of the resolved address is very low. There is a difference in behaviour on the SRX depending on whether the TTL value of the resolved address is above or below 16.
If the TTL received by the SRX is above 16, the SRX keeps its dns-cache entry as received. If the TTL received is less than 16, the SRX will set the TTL to 16 even though it received a TTL value of, say, 5. So this can be one example where such issues are observed.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB33986
Is it possible to set the TTL of the cached entries on the SRX itself? I'd love to force the device to just do a lookup every time it receives traffic, rather than using a cached entry that is incorrect... -> This is not possible, and for good reasons. Consider a large number of such low-TTL DNS entries: if you do a DNS request at that rate, or whenever you receive traffic, this is going to create performance issues on the device, consuming too many resources (NSD/FLOWD, session scans at a high rate).
Possibilities to resolve this issue are to increase the TTL of those CDNs at the server, or, if the CDNs have a range of IP addresses they always resolve to, to replace the DNS address in the security policy with that range of addresses.
Hope this helps.
Thanks and Regards,
Pradeep Kumar M
|| If this solves your problem, please mark this post as "Accepted Solution" so we can help others too ||
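A small model of the cache behaviour described in the reply above, added here as an example and not Juniper code: it applies the TTL floor of 16 seconds the reply describes, replays a CDN record whose answer changes while the cached entry is still alive, counts the connections that no longer match the hostname-based policy entry, and contrasts that with the reply's workaround of matching the CDN's address range. The CDN addresses, switch time and traffic timeline are constructed.

```python
"""Model of the SRX DNS-cache behaviour described in the reply above.

Added example, not Juniper code. Per the reply (KB33986), a resolved address
with a TTL below 16 seconds is cached for 16 seconds. The model shows the
window in which a fast-changing CDN record no longer matches the cached
policy entry, and the range-based workaround the reply suggests.
"""
import ipaddress

TTL_FLOOR = 16  # seconds; TTLs below this are raised to 16 on the SRX (from the reply)


def effective_ttl(received_ttl, floor=TTL_FLOOR):
    """TTL the cache actually uses for a received answer."""
    return max(received_ttl, floor)


class HostnameEntry:
    """Address-book entry resolved by hostname, backed by a TTL cache."""

    def __init__(self, resolver, floor=TTL_FLOOR):
        self.resolver = resolver      # callable(now) -> (ip, ttl); stands in for the DNS server
        self.floor = floor
        self.cached_ip = None
        self.expires_at = -1

    def resolve(self, now):
        if now >= self.expires_at:    # cache miss or expired: query again
            ip, ttl = self.resolver(now)
            self.cached_ip = ip
            self.expires_at = now + effective_ttl(ttl, self.floor)
        return self.cached_ip

    def matches(self, now, dst_ip):
        return self.resolve(now) == dst_ip


class RangeEntry:
    """Workaround from the reply: a prefix covering every address the CDN hands out."""

    def __init__(self, prefix):
        self.network = ipaddress.ip_network(prefix)

    def matches(self, now, dst_ip):
        return ipaddress.ip_address(dst_ip) in self.network


# Constructed CDN behaviour: TTL 5, answer switches from OLD_IP to NEW_IP at t=8.
OLD_IP, NEW_IP = "203.0.113.10", "203.0.113.20"
SWITCH_AT = 8


def cdn_resolver(now):
    return (OLD_IP if now < SWITCH_AT else NEW_IP), 5


# Constructed traffic: a client connects every 2 s to whatever the CDN currently answers.
TIMELINE = [(t, cdn_resolver(t)[0]) for t in range(0, 32, 2)]


def policy_misses(entry, timeline):
    """Times at which traffic arrives for an address the entry does not match."""
    return [t for t, dst in timeline if not entry.matches(t, dst)]


if __name__ == "__main__":
    print("TTL floor 16:", policy_misses(HostnameEntry(cdn_resolver), TIMELINE))
    print("TTL honoured:", policy_misses(HostnameEntry(cdn_resolver, floor=0), TIMELINE))
    print("range entry: ", policy_misses(RangeEntry("203.0.113.0/24"), TIMELINE))
```

With the floor in place the stale window runs from the switch at t=8 until the 16-second entry expires, so connections at 8, 10, 12 and 14 miss the policy; honouring the 5-second TTL halves that window, and the range entry never misses, which is why the reply points at the address range rather than at the cache.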
MTU change potentially?
I have a layer 2 WAN link I’ve connected to some 4100 SRX firewalls (at either end).
I added a VPN to this link for protection ... all working fine except I don’t see the speed being what we should be getting.
It should be 1Gbps but is actually showing 100Mbps.
I checked the MTU size on the physical interfaces at both ends. It's at its default of 1512.
I wonder, because of the VPN, whether I should reduce this so there's no fragmentation? I see the link would be best set to 1472... do you think this is what would be causing the problem?
Thanks
Re: MTU change potentially?
Hello,
I suggest you do packet captures first to see if there is IPSEC post-fragmentation (fragmentation after encryption); this is usually the IPSEC performance killer.
If yes, then you need to lower the TCP MSS and apply the "clear DF bit" knob to the payload traffic.
If you cannot do the above for whatever reason, then the other option is to use GRE-inside-IPSEC so that the GRE gets fragmented post-encapsulation, not the IPSEC. GRE fragment reassembly is less performance-taxing than IPSEC fragment reassembly.
HTH
Thx
Alex
Re: MTU change potentially?
I’ve done a bit more testing; I can see one way the full 1Gbps is being utilised. It’s the other way which is getting slowed to 100Mbps.
I also looked at the IPSEC statistics and the ESP authentication failures are very large. Would this fit in with your above narrative?
Thanks
Re: MTU change potentially?
Hello,
wrote:
> the ESP authentication failures are very large. Would this fit in with your above narrative?
It fits perfectly _IF_ your IPSEC gets post-fragmented and your circuit provider drops non-initial fragments (some do).
ESP auth data is placed at the end of the IPSEC packet.
HTH
Thx
Alex
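Worked numbers for the two replies above (post-fragmentation and the MSS clamp in the first, the dropped trailing fragment carrying the ESP authentication data in the second), as an added example that is not Juniper code or output. It computes the tunnel-mode ESP packet size from standard field lengths, checks it against the path MTU, derives the TCP MSS that avoids post-fragmentation, and models why losing the non-initial fragments shows up as authentication failures. The 1500-byte MTU and the transforms in the table are my choices, not values from the thread.

```python
"""Worked numbers for the IPsec post-fragmentation discussion in the replies above.

Added example, not Juniper code or output. Given the path MTU and the ESP
transform it computes the encrypted packet size, reports whether it would be
fragmented after encryption, derives the TCP MSS clamp that avoids it, and
models the second reply's point: when a provider drops non-initial fragments,
the ESP trailer carrying the authentication data (ICV) never arrives.
"""
IPV4_HEADER = 20
TCP_HEADER = 20
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2  # pad length (1) + next header (1); padding sits before these

# (IV length, cipher block size used for padding, ICV length), all in bytes.
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "des-cbc/hmac-sha1-96": (8, 8, 12),
}


def esp_tunnel_size(inner_len, transform):
    """Outer IPv4 length of a tunnel-mode ESP packet carrying an inner_len-byte packet."""
    iv, block, icv = TRANSFORMS[transform]
    payload = inner_len + ESP_TRAILER_FIXED
    padding = (-payload) % block      # bring payload + trailer to a cipher-block multiple
    return IPV4_HEADER + ESP_HEADER + iv + payload + padding + icv


def post_fragmented(inner_len, transform, path_mtu):
    """True if the encrypted packet exceeds the path MTU (fragmentation after encryption)."""
    return esp_tunnel_size(inner_len, transform) > path_mtu


def max_inner_packet(transform, path_mtu):
    """Largest inner IPv4 packet whose ESP encapsulation still fits in path_mtu."""
    inner = path_mtu
    while inner > 0 and esp_tunnel_size(inner, transform) > path_mtu:
        inner -= 1
    return inner


def recommended_tcp_mss(transform, path_mtu):
    """MSS to clamp on cleartext TCP flows so their segments never need post-fragmentation."""
    return max_inner_packet(transform, path_mtu) - IPV4_HEADER - TCP_HEADER


def ip_fragments(outer_len, path_mtu):
    """Split an outer packet into IPv4 fragments as (offset, length) pairs;
    every fragment payload except the last is a multiple of 8 bytes."""
    payload = outer_len - IPV4_HEADER
    per_fragment = (path_mtu - IPV4_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        length = min(per_fragment, payload - offset)
        frags.append((offset, length))
        offset += length
    return frags


def esp_auth_fails(outer_len, path_mtu, drop_non_initial):
    """Does the receiver miss the ICV? The ICV is the last field of the ESP packet,
    so it travels in the last fragment; if the provider drops non-initial fragments
    and there is more than one, the packet can never pass integrity checking."""
    return drop_non_initial and len(ip_fragments(outer_len, path_mtu)) > 1


if __name__ == "__main__":
    mtu, transform = 1500, "aes-cbc/hmac-sha1-96"
    full = esp_tunnel_size(1500, transform)
    print(f"1500-byte inner packet -> {full}-byte ESP packet, post-fragmented: {full > mtu}")
    print(f"fragments on a {mtu} MTU path: {ip_fragments(full, mtu)}")
    print(f"ESP auth fails if non-initial fragments are dropped: {esp_auth_fails(full, mtu, True)}")
    print(f"largest inner packet that fits: {max_inner_packet(transform, mtu)}, "
          f"TCP MSS clamp: {recommended_tcp_mss(transform, mtu)}")
```

For a 1500-byte path and AES-CBC with HMAC-SHA1-96 a full-size cleartext packet becomes 1560 bytes after encryption and splits into two fragments, the second of which carries the ICV; clamping the MSS to 1398 keeps every encrypted packet at or under 1500. Clearing the DF bit on the payload, the other knob the first reply mentions, lets the firewall fragment the cleartext before encryption instead, so each fragment is encrypted and authenticated on its own.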
Re: Range of Port - JUNIPER SRX300
You will need to create a custom application that includes your desired port range, either TCP or UDP as needed, before you can create the rule itself.
You can follow the process of creating the custom objects (address and application), followed by the actual rule, in this KB article.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB10140
looking for download URL of antivirus updates on SRX4100
Hi everybody,
I'm a Cisco expert and this is my first experience with Juniper.
I have a pair of SRX4100s in my network in front of my Cisco FTD.
Unfortunately my network is isolated and has no internet connection.
I'm looking for the download URL of the antivirus updates for my SRX, because I have a 3-year AV license (SRX4100-S-AV-3).
So please, if someone could do me a favor and show me how to download the updates offline.
Thanks in advance
Re: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.
Sorry for the delay in response; I've been a little busy here but had some time today to generate the sample config in my lab. What I assume you need here is inbound connections from the internet to your servers based on the IP addresses you have from each provider. This would be the example; just swap out the provider addresses and server address.
security {
    nat {
        destination {
            pool Server1 {
                address 192.168.1.1/32;
            }
            rule-set Server-ISP1 {
                from zone ISP1;
                rule mta-isp1 {
                    match {
                        destination-address 1.1.1.3/32;
                    }
                    then {
                        destination-nat {
                            pool {
                                Server1;
                            }
                        }
                    }
                }
            }
            rule-set Server-ISP2 {
                from zone ISP2;
                rule mta-isp2 {
                    match {
                        destination-address 2.2.2.3/32;
                    }
                    then {
                        destination-nat {
                            pool {
                                Server1;
                            }
                        }
                    }
                }
            }
        }
    }
}
And if the IP addresses used for the provider side are NOT your actual interface addresses, you will need to add proxy-arp to the provider interface.
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/32
Re: Some SRX110 Network Addresses Reply to ICMP
Thanks for the clarification. I'm not able to duplicate that behavior in my lab, and your understanding is correct. The SRX should only reply to pings of configured interface addresses directly, not the network address itself.
Are there other devices in that subnet that might be replying?
Re: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.
Example: 192.168.1.0 is my server in the DMZ network, and I have two public IPs from two ISPs, 1.1.1.3 and 2.2.2.3.
Suppose I Google "what's my ip" from my DMZ server (192.168.1.0): it should give me 1.1.1.3 when my primary ISP is up, and should give me 2.2.2.3 when I am on the secondary ISP.
The SRX is already switching ISP links when either one is down.
But the problem here is that it gives me either 1.1.1.1 or 2.2.2.1; these two are the default gateways of my ISPs, which I don't want, because my SPF records are (1.1.1.3 and 2.2.2.3), so email should go from these IPs.
Outbound traffic I expect to go from the IP which I NATed:
192.168.1.0 -> 1.1.1.3 ISP1
192.168.1.0 -> 2.2.2.3 ISP2
Is QOS / COS / VPN Session affinity configurable to maintain stability of VPN connection for SRX 240?
Hi All,
I would like to know if QOS / COS / VPN session affinity is configurable to maintain a consistent, stable connection for Pulse Secure VPN, with the SRX 240 being the SSL VPN server.
The SRX240 is the gateway as well as the VPN server, and quite often it is noticed that users keep dropping off the VPN and sometimes take a long time to reconnect. Basic factors like bandwidth on the gateway, link condition etc. were checked and no such issues were seen. Debug just shows the typical session flow that happens for the connection setup etc., albeit with a bit of delay, but the reason for the delay etc. is not detectable as such.
The users are all home based and connect over their internet, and their internet speeds during the issue were checked and no such slowness or drops were seen.
So I was researching to see if there is any way to configure COS / QOS to prioritize VPN sessions?
VPN is pulse secure over Juniper SRX 240, Firmware is 12.x44-D35.5
IPSEC between SRX and Fortinet not coming up
Hi Team,
I'm new to IPsec and am trying to set up an IPsec VPN between a Fortinet and an SRX, but it is not working. I have captured the packets and found that the SRX is not initiating IKE communication. The configuration and topology are as below. Phase 1 is not coming up. Please help.
set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface ge-0/0/1.0
set system services web-management https pki-local-certificate 12345
set system services web-management https interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description TO_FORTINET
set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
set interfaces ge-0/0/2 description TO_R4
set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
set security ike traceoptions file IKE
set security ike traceoptions file size 10k
set security ike traceoptions file files 2
set security ike traceoptions flag all
set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
set security ike policy ike01-DUB-Three mode aggressive
set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
set security ike gateway ike01-DUB-Three address 192.168.86.4
set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS protocol esp
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
set security ipsec vpn vpn01-DUB-Three df-bit clear
set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
config vpn ipsec phase1-interface
edit "ike01-DUB-Three"
set interface "port2"
set ike-version 2
set local-gw 192.168.86.4
set keylife 28800
set peertype any
set net-device disable
set proposal des-md5 des-sha256
set comments "ike01-DUB-Three"
set dhgrp 2
set remote-gw 192.168.86.3
set psksecret ENC aGBmGGUZbROTSqjPLFzg6E5DGdFjhYuySFrv99s0NsQ3cJvYzW9sjkEANCZ22HyyNTLY+qnDMWxuE6xPKKu8FAnCO11UggEOQWKSH4gfZIl8jEl8u/dZ1Xc/ChSPaGXT7Ch/mFpQwkoR/HX/2CpOc8IDiQ806LhcyQ4edqlLrzTm+A+G/02qHXipb+bYiUUwA7uhpg==
next
end
FORTINET # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "ike01-DUB-Three"
set phase1name "ike01-DUB-Three"
set proposal des-md5 des-sha1
set pfs disable
set comments "ike01-DUB-Three"
set src-addr-type ip
set dst-addr-type ip
set keylifeseconds 3600
set src-start-ip 1.1.1.1
set dst-start-ip 2.2.2.2
next
end
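A proposal comparison for the two configurations posted above, added here as an example (not Juniper or Fortinet code): it pulls the IKE and IPsec parameters out of the Junos `set` lines and the FortiOS phase1/phase2 blocks, normalises the algorithm names to one vocabulary, and lists each place the two ends disagree, which is the first thing to line up when phase 1 never starts. The embedded configs are trimmed copies of the posted ones; the only assumption is that FortiOS `src-addr-type ip` means a single host, so `src-start-ip`/`dst-start-ip` are treated as /32 selectors.

```python
"""Proposal comparison for the SRX and FortiGate configs posted above.

Added example, not Juniper or Fortinet code. It extracts the negotiable IKE and
IPsec parameters from both sides, maps them to one vocabulary and reports every
mismatch; an empty report means the proposals line up.
"""
import re

# Constructed from the posted configs (only the lines this check reads).
SRX_CONFIG = """
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
"""

FORTI_CONFIG = """
config vpn ipsec phase1-interface
    set ike-version 2
    set keylife 28800
    set proposal des-md5 des-sha256
    set dhgrp 2
end
config vpn ipsec phase2-interface
    set proposal des-md5 des-sha1
    set pfs disable
    set keylifeseconds 3600
    set src-start-ip 1.1.1.1
    set dst-start-ip 2.2.2.2
end
"""

# Junos algorithm names -> the short names FortiOS uses in 'set proposal'.
SRX_ALG = {"des-cbc": "des", "3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256",
           "md5": "md5", "sha1": "sha1", "sha-256": "sha256",
           "hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256"}


def grab(pattern, text, default=None):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default


def parse_srx(text):
    def alg(level, kind):
        return SRX_ALG[grab(rf"^set security {level} proposal \S+ {kind}-algorithm (\S+)$", text)]
    pfs = grab(r"perfect-forward-secrecy keys group(\d+)", text)
    return {
        "ike_version": 2 if re.search(r"ike gateway \S+ version v2-only", text) else 1,
        "ike_dh": int(grab(r"dh-group group(\d+)", text)),
        "ike_pairs": {(alg("ike", "encryption"), alg("ike", "authentication"))},
        "ike_life": int(grab(r"^set security ike proposal \S+ lifetime-seconds (\d+)$", text)),
        "ipsec_pairs": {(alg("ipsec", "encryption"), alg("ipsec", "authentication"))},
        "ipsec_life": int(grab(r"^set security ipsec proposal \S+ lifetime-seconds (\d+)$", text)),
        "pfs": f"group{pfs}" if pfs else None,
        "ts_local": grab(r"proxy-identity local (\S+)", text),
        "ts_remote": grab(r"proxy-identity remote (\S+)", text),
    }


def forti_section(text, name):
    start = text.index(f"config vpn ipsec {name}")
    return text[start:text.index("\nend", start)]


def forti_pairs(section):
    # 'set proposal des-md5 des-sha256' -> {("des", "md5"), ("des", "sha256")}
    return {tuple(p.split("-", 1)) for p in grab(r"set proposal (.+)$", section).split()}


def parse_forti(text):
    p1, p2 = forti_section(text, "phase1-interface"), forti_section(text, "phase2-interface")
    return {
        "ike_version": int(grab(r"set ike-version (\d+)", p1)),
        "ike_dh": int(grab(r"set dhgrp (\d+)", p1)),
        "ike_pairs": forti_pairs(p1),
        "ike_life": int(grab(r"set keylife (\d+)", p1)),
        "ipsec_pairs": forti_pairs(p2),
        "ipsec_life": int(grab(r"set keylifeseconds (\d+)", p2)),
        "pfs": None if grab(r"set pfs (\S+)", p2) == "disable" else "enabled",
        "ts_local": grab(r"set src-start-ip (\S+)", p2) + "/32",   # assumption: single-host selectors
        "ts_remote": grab(r"set dst-start-ip (\S+)", p2) + "/32",
    }


def compare(srx, forti):
    """Mismatches between the two ends; an empty list means the proposals line up."""
    findings = []
    for key in ("ike_version", "ike_dh", "ike_life", "ipsec_life"):
        if srx[key] != forti[key]:
            findings.append(f"{key}: SRX {srx[key]} vs FortiGate {forti[key]}")
    for key in ("ike_pairs", "ipsec_pairs"):
        if not srx[key] & forti[key]:
            findings.append(f"{key}: no encryption/authentication pair in common")
    if (srx["pfs"] is None) != (forti["pfs"] is None):
        findings.append(f"pfs: SRX {srx['pfs']} vs FortiGate {forti['pfs']}")
    # Selectors must mirror: SRX local == FortiGate remote and SRX remote == FortiGate local.
    if srx["ts_local"] != forti["ts_remote"]:
        findings.append(f"selector local: SRX {srx['ts_local']} vs FortiGate remote {forti['ts_remote']}")
    if srx["ts_remote"] != forti["ts_local"]:
        findings.append(f"selector remote: SRX {srx['ts_remote']} vs FortiGate local {forti['ts_local']}")
    return findings


if __name__ == "__main__":
    for line in compare(parse_srx(SRX_CONFIG), parse_forti(FORTI_CONFIG)) or ["no mismatches"]:
        print(line)
```

On the posted configs the IKE version, DH group, lifetimes and the DES/SHA pairs agree, and the report comes down to three lines: PFS is group2 on the SRX but disabled on the FortiGate, the SRX's local proxy-identity (1.1.1.1/32) is what the FortiGate configures as its own source, and the SRX has no remote proxy-identity at all.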