
Re: IPSEC between SRX and Fortinet not coming up


There is no aggressive mode in IKEv2. Try the steps below and update us:

> Remove aggressive mode config

> Remove PFS config from SRX side. Fortinet side it is disabled

> Remove proxy-identity config from SRX side

> Assign st0.0 interface to a security zone.

 

 


Re: IPSEC between SRX and Fortinet not coming up


Hi Nellikka,

Thanks for your quick response.

I have done the changes that you mentioned below, but it is still not working. Please find the latest configuration and debug traces for IKE.

 

> Remove aggressive mode config -- Removed

> Remove PFS config from SRX side. Fortinet side it is disabled -- Removed

> Remove proxy-identity config from SRX side -- While using traffic-selector I'm getting the error "IKEv2 does not support traffic-selectors"; that's why I am using proxy-identity for traffic selection.

> Assign st0.0 interface to a security zone. -- Assigned to security zone

 

 

set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface ge-0/0/1.0
set system services web-management https pki-local-certificate 12345
set system services web-management https interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description TO_FORTINET
set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
set interfaces ge-0/0/2 description TO_R4
set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
set security ike traceoptions file IKE
set security ike traceoptions file size 10k
set security ike traceoptions file files 2
set security ike traceoptions flag all
set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
set security ike gateway ike01-DUB-Three address 192.168.86.4
set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS protocol esp
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
set security ipsec vpn vpn01-DUB-Three df-bit clear
set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 2.2.2.2/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all

 

 

 

[May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
[May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 05:55:43]Deleting existing ipsec trace cfg with key: 16777216

[May 4 05:55:43]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 05:55:43]No SPUs are operational, returning.
[May 4 05:55:43]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 05:55:43]Config download: Processed 7 - 8 messages
[May 4 05:55:43]Config download time: 0 secs
[May 4 05:55:43]iked_config_process_config_list, configuration diff complete
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876615776 **
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 05:58:43]Deleting existing ipsec trace cfg with key: 16777216

[May 4 05:58:43]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 05:58:43]No SPUs are operational, returning.
[May 4 05:58:43]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 05:58:43]Config download: Processed 8 - 9 messages
[May 4 05:58:43]Config download time: 0 secs
[May 4 05:58:43]iked_config_process_config_list, configuration diff complete
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 06:49:36]Error: Unknown record, type = 25

[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 40, reclen = -1876617120 **
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 41c, reclen = -1876616672 **
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 4, reclen = 0 **
[May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 06:49:36]No SPUs are operational, returning.
[May 4 06:49:36]Config download: Processed 9 - 10 messages
[May 4 06:49:36]Config download time: 0 secs
[May 4 06:49:36]iked_config_process_config_list, configuration diff complete
[May 4 08:30:46]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 08:30:46]Config download: Processed 1 - 1 messages
[May 4 08:30:46]Config download time: 0 secs
[May 4 08:30:46]iked_ts_config_template_clean_up_all_gt_gi Failed to find sa_cfg vpn01-DUB-Three
[May 4 08:30:46]Creating PM instance for service_set: root
[May 4 08:30:47]ssh_ike_init: Start
[May 4 08:30:47]ssh_ike_init: params->ignore_cr_payloads = FALSE
[May 4 08:30:47]ssh_ike_init: params->no_key_hash_payload = FALSE
[May 4 08:30:47]ssh_ike_init: params->no_cr_payloads = FALSE
[May 4 08:30:47]ssh_ike_init: params->do_not_send_crls = FALSE
[May 4 08:30:47]ssh_ike_init: params->send_full_chains = FALSE
[May 4 08:30:47]ssh_ike_init: params->trust_icmp_messages = FALSE
[May 4 08:30:47]ssh_ike_init: params->spi_size = 0
[May 4 08:30:47]ssh_ike_init: params->zero_spi = TRUE
[May 4 08:30:47]ssh_ike_init: params->max_key_length = 512
[May 4 08:30:47]ssh_ike_init: params->max_isakmp_sa_count = 8192
[May 4 08:30:47]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[May 4 08:30:47]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_cnt = 1
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_retry = 2
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_cnt = 1
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_retry = 2
[May 4 08:30:47]ssh_ike_attach_audit_context: Attaching a new audit context
[May 4 08:30:47]ssh_ike_init: params->base_retry_limit = 5
[May 4 08:30:47]ssh_ike_init: params->base_retry_timer = 10.000000
[May 4 08:30:47]ssh_ike_init: params->base_retry_timer_max = 150.000000
[May 4 08:30:47]ssh_ike_init: params->base_expire_timer = 180.000000
[May 4 08:30:47]ssh_ike_init: params->extended_retry_limit = 5
[May 4 08:30:47]ssh_ike_init: params->extended_retry_timer = 5.000000
[May 4 08:30:47]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[May 4 08:30:47]ssh_ike_init: params->extended_expire_timer = 240.000000
[May 4 08:30:47]ssh_ikev2_fallback_create: FB; v1 policy manager 8c33900 started
[May 4 08:30:47]ssh_ikev2_fallback_attach: FB; v1 policy manager 8c33900 attached to server 8ced500
[May 4 08:30:47]iked_config_process_config_list, configuration diff complete
[May 4 08:30:47]IKED-PKID-IPC
[May 4 08:30:47]kmd_rpd_init
[May 4 08:30:47]rpd session connected
[May 4 08:30:47]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[May 4 08:30:48]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[May 4 08:30:48]kmd_rpd_cb_session_connect
[May 4 08:30:48]kmd_rpd_cb_session_connect: rpd session established
[May 4 08:30:48]kmd_rpd_db_read
[May 4 08:30:48]kmd_rpd_db_read: gw handle 38
[May 4 08:30:48]kmd_rpd_cb_protocol_register gw handle 0 return code 1
[May 4 08:30:48]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
[May 4 08:30:48]kmd_rpd_db_write
[May 4 08:30:48]kmd_rpd_shutdown_session
[May 4 08:30:53]kmd_rpd_init
[May 4 08:30:53]rpd session connected
[May 4 08:30:53]kmd_rpd_cb_session_connect
[May 4 08:30:53]kmd_rpd_cb_session_connect: rpd session established
[May 4 08:30:53]kmd_rpd_db_write
[May 4 08:30:53]kmd_rpd_cb_protocol_register gw handle 39 return code 0
[May 4 08:30:53]kmd_rpd_db_write
[May 4 08:30:53]kmd_rpd_refresh_routes
[May 4 08:31:10]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
[May 4 08:31:11]Couldn't get the zone information for interface ext st0, error No such file or directory
[May 4 08:31:14]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/2.0
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876606944 **
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 08:34:05]Deleting existing ipsec trace cfg with key: 16777216

[May 4 08:34:05]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 08:34:05]No SPUs are operational, returning.
[May 4 08:34:05]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 08:34:05]Config download: Processed 1 - 2 messages
[May 4 08:34:05]Config download time: 0 secs
[May 4 08:34:05]iked_config_process_config_list, configuration diff complete
[May 4 08:35:35]In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
[May 4 08:35:35]Successfully added SA Config
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 168, reclen = -1876615520 **
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 48, reclen = -1078474165 **
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 08:37:08]Deleting existing ipsec trace cfg with key: 16777216

[May 4 08:37:08]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 08:37:08]No SPUs are operational, returning.
[May 4 08:37:08]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 08:37:08]Config download: Processed 2 - 3 messages
[May 4 08:37:08]Config download time: 0 secs
[May 4 08:37:08]iked_config_process_config_list, configuration diff complete
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 08:38:07]Error: Unknown record, type = 25

[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 168, reclen = -1876616416 **
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 48, reclen = -1078474165 **
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 4, reclen = 0 **
[May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 08:38:07]No SPUs are operational, returning.
[May 4 08:38:07]Config download: Processed 3 - 4 messages
[May 4 08:38:07]Config download time: 0 secs
[May 4 08:38:07]iked_config_process_config_list, configuration diff complete

 

 

 

root> ping 192.168.86.4
PING 192.168.86.4 (192.168.86.4): 56 data bytes
64 bytes from 192.168.86.4: icmp_seq=0 ttl=255 time=13.466 ms
64 bytes from 192.168.86.4: icmp_seq=1 ttl=255 time=7.005 ms
64 bytes from 192.168.86.4: icmp_seq=2 ttl=255 time=6.879 ms
64 bytes from 192.168.86.4: icmp_seq=3 ttl=255 time=11.194 ms
64 bytes from 192.168.86.4: icmp_seq=4 ttl=255 time=7.379 ms
64 bytes from 192.168.86.4: icmp_seq=5 ttl=255 time=8.763 ms
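The checklist in the first reply (no aggressive mode in IKEv2, st0 in a security zone) and the set-style configuration posted above both lend themselves to a mechanical check. The Python below is an added example, not code from this thread or from Juniper: it groups "set security ..." lines into objects and reports those two structural conditions, confirms that the zone of the IKE gateway's external interface accepts "ike" as host-inbound traffic, and applies an algorithm-strength policy that is this example's own assumption (DES/3DES, DH groups 1/2/5 and SHA-1/MD5 are flagged; note that the posted proposals are named AES256-SHA256 but configure des-cbc, and the IPsec proposal uses hmac-sha1-96). The sample configuration is constructed from the posted set-lines, with the "security-zone untrust interfaces st0.0" line deliberately left out and a "mode aggressive" line deliberately added so that the two checks from the first reply have something to report.

```python
import re

# Algorithm policy: this example's own assumption, not something the thread states.
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_DH_GROUPS = {"group1", "group2", "group5"}
WEAK_AUTH = {"md5", "sha1", "sha-1", "hmac-md5-96", "hmac-sha1-96"}

# Constructed sample: the poster's set-lines, minus the "security-zone untrust
# interfaces st0.0" line and plus a "mode aggressive" line, so that the two
# checks from the first reply have something to report.
SAMPLE_CONFIG = """\
set interfaces st0 unit 0 family inet
set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike policy ike01-DUB-Three mode aggressive
set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
set security ike gateway ike01-DUB-Three address 192.168.86.4
set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS protocol esp
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
"""


def parse_set_config(text):
    """Group 'set security ...' lines by object type and name; each value is the
    list of attribute token-lists that follow the object name."""
    cfg = {"ike_proposal": {}, "ike_policy": {}, "ike_gateway": {},
           "ipsec_proposal": {}, "ipsec_vpn": {}, "zone_ifl": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[:2] != ["set", "security"]:
            continue
        path = tok[2:]
        if path[0] in ("ike", "ipsec") and path[1] in ("proposal", "policy", "gateway", "vpn") and len(path) >= 4:
            cfg[f"{path[0]}_{path[1]}"].setdefault(path[2], []).append(path[3:])
        elif path[:2] == ["zones", "security-zone"] and len(path) >= 5 and path[3] == "interfaces":
            ifl = cfg["zone_ifl"].setdefault(path[4], {"zone": path[2], "services": set()})
            if len(path) >= 8 and path[5:7] == ["host-inbound-traffic", "system-services"]:
                ifl["services"].add(path[7])
    return cfg


def first(entries, *prefix):
    """Tokens after *prefix in the first attribute line that starts with it, else None."""
    for e in entries:
        if e[:len(prefix)] == list(prefix):
            return e[len(prefix):]
    return None


def audit(text):
    """Return (code, object, detail) findings for a set-style SRX config."""
    cfg = parse_set_config(text)
    out = []
    for kind in ("ike_proposal", "ipsec_proposal"):
        for name, entries in cfg[kind].items():
            enc = (first(entries, "encryption-algorithm") or [None])[0]
            auth = (first(entries, "authentication-algorithm") or [None])[0]
            dh = (first(entries, "dh-group") or [None])[0]
            if enc in WEAK_ENCRYPTION:
                out.append(("weak-encryption", name, enc))
            if auth in WEAK_AUTH:
                out.append(("weak-auth", name, auth))
            if dh in WEAK_DH_GROUPS:
                out.append(("weak-dh-group", name, dh))
            # A name that advertises AES256/SHA256 but configures something else
            # misleads whoever compares the two ends next.
            m = re.search(r"AES(\d+)", name, re.I)
            if m and enc and not enc.startswith(f"aes-{m.group(1)}"):
                out.append(("name-mismatch", name, f"name says AES{m.group(1)}, encryption is {enc}"))
            m = re.search(r"SHA(\d+)", name, re.I)
            if m and auth and m.group(1) not in auth.replace("-", ""):
                out.append(("name-mismatch", name, f"name says SHA{m.group(1)}, authentication is {auth}"))
    for gw, entries in cfg["ike_gateway"].items():
        version = (first(entries, "version") or ["v1-only"])[0]   # Junos default when unset
        policy = (first(entries, "ike-policy") or [None])[0]
        mode = (first(cfg["ike_policy"].get(policy, []), "mode") or ["main"])[0]
        if version == "v2-only" and mode == "aggressive":
            out.append(("ikev2-aggressive-mode", gw, f"policy {policy} sets mode aggressive"))
        # IKE (UDP/500 and 4500) must be allowed as host-inbound traffic on the external interface.
        ext = (first(entries, "external-interface") or [None])[0]
        services = cfg["zone_ifl"].get(ext, {}).get("services", set())
        if ext and not services & {"ike", "all"}:
            out.append(("ike-not-host-inbound", gw, f"{ext} has no system-services ike"))
    for vpn, entries in cfg["ipsec_vpn"].items():
        ifl = (first(entries, "bind-interface") or [None])[0]
        if ifl and ifl not in cfg["zone_ifl"]:
            out.append(("bind-interface-not-in-zone", vpn, ifl))
    return out


if __name__ == "__main__":
    for code, obj, detail in audit(SAMPLE_CONFIG):
        print(f"{code:26} {obj:20} {detail}")
```

Feed it the output of "show configuration | display set" from the SRX. The findings are a pre-flight list to compare with the Fortinet side: an IKEv2 peer only comes up when the IKE proposal, DH group, IPsec proposal and traffic selectors each have a matching entry on both ends, so the proposal lines are the first thing to reconcile, and the name/content mismatches are worth fixing simply so that the two configurations can be compared by eye.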

 

 

 

 

Re: IPSEC between SRX and Fortinet not coming up


Do the config below and update us:

 

set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately

set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32

 

show security ike security-associations

show security ipsec security-associations 

show security ipsec security-associations detail
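What to look for in the output of those show commands and in the IKE trace, as an added Python example that is not code from this thread or from Juniper. In "show security ike security-associations", a DOWN entry whose Responder cookie is all zeros means the SRX sent IKE_SA_INIT as initiator and never received the peer's reply, so the pre-shared key, identities and traffic selectors have not even been tested yet; a DOWN entry with a non-zero responder cookie means the peer did answer and the failure is later in the negotiation. A successful ping only proves ICMP reachability, not that UDP/500 reaches the peer's IKE daemon. In the trace, the cycle "ikev2_packet_allocate ... P1 SA N timer expiry ... Force delete timer expired ... IKE SA delete called for p1 sa N" repeating for the same remote address is the initiator giving up on an exchange that never completed. The table rows and trace lines below are constructed in the formats the SRX prints; the 10.0.0.x peers are invented to show the other two outcomes.

```python
import re
from collections import Counter

ZERO_COOKIE = "0" * 16

# Constructed sample output of "show security ike security-associations" in the
# column layout the SRX prints; the 10.0.0.x peers are invented.
SA_TABLE = """\
Index   State  Initiator cookie  Responder cookie  Mode   Remote Address
2089264 DOWN   b6f334ca1da64432  0000000000000000  IKEv2  192.168.86.4
2089270 UP     1a2b3c4d5e6f7081  9f8e7d6c5b4a3921  IKEv2  10.0.0.9
2089271 DOWN   0011223344556677  8899aabbccddeeff  IKEv2  10.0.0.10
"""

# Constructed IKE trace lines in the format of "show log IKE": two initiator
# attempts towards 192.168.86.4 that each die on the force-delete timer, and one
# ordinary (not force-expired) delete towards another peer.
TRACE = """\
[May 4 20:06:07]ikev2_packet_allocate: Allocated packet 8c24800 from freelist
[May 4 20:06:37]P1 SA 2089251 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:06:37]IKE SA delete called for p1 sa 2089251 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:06:37]Freeing all P2 SAs for IKEv2 p1 SA 2089251
[May 4 20:07:34]ikev2_packet_allocate: Allocated packet 8c24c00 from freelist
[May 4 20:08:04]P1 SA 2089252 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:08:04]IKE SA delete called for p1 sa 2089252 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:09:00]IKE SA delete called for p1 sa 2089299 (ref cnt 1) local:192.168.86.3, remote:10.0.0.9, IKEv2
"""

VERDICTS = {
    "up": "IKE SA established",
    "no-reply": "peer never answered IKE_SA_INIT: check UDP/500 (4500 behind NAT) end to end "
                "and that the peer's IKE listener is bound to the address configured here",
    "negotiation-failed": "peer answered IKE_SA_INIT but the SA did not come up: check PSK, "
                          "identities, proposals and traffic selectors on both ends",
}

EXPIRY_RE = re.compile(r"P1 SA (\d+) timer expiry\..*?timer reason Force delete timer expired")
DELETE_RE = re.compile(r"IKE SA delete called for p1 sa (\d+) .*?local:([\d.]+), remote:([\d.]+),")


def parse_ike_sa_table(text):
    """Rows of 'show security ike security-associations' as dicts; the header is skipped."""
    sas = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 6 and tok[0].isdigit():
            sas.append(dict(index=int(tok[0]), state=tok[1], icookie=tok[2],
                            rcookie=tok[3], mode=tok[4], remote=tok[5]))
    return sas


def classify(sa):
    """Which stage of IKEv2 the SA is stuck at, judged from state and responder cookie."""
    if sa["state"] == "UP":
        return "up"
    if sa["rcookie"] == ZERO_COOKIE:
        return "no-reply"
    return "negotiation-failed"


def parse_trace(text):
    """Count, per remote address, P1 SAs that were deleted because the force-delete
    timer expired, i.e. attempts the initiator abandoned."""
    expired, abandoned = set(), Counter()
    for line in text.splitlines():
        m = EXPIRY_RE.search(line)
        if m:
            expired.add(m.group(1))
            continue
        m = DELETE_RE.search(line)
        if m and m.group(1) in expired:
            abandoned[m.group(3)] += 1
    return abandoned


def triage(sa_text, trace_text):
    """(index, remote, verdict code, abandoned attempts seen in the trace) per IKE SA."""
    abandoned = parse_trace(trace_text)
    return [(sa["index"], sa["remote"], classify(sa), abandoned.get(sa["remote"], 0))
            for sa in parse_ike_sa_table(sa_text)]


if __name__ == "__main__":
    for index, remote, verdict, attempts in triage(SA_TABLE, TRACE):
        print(f"{index} {remote:14} abandoned={attempts}  {VERDICTS[verdict]}")
```

Paste the real table and "show log IKE" output into SA_TABLE and TRACE. The split the script makes is the one that decides where to look next: a no-reply verdict is a reachability or listener problem on the path to the peer and no amount of PSK or proposal changes on the SRX will change it, while a negotiation-failed verdict means the peer's own IKE log will name the mismatched parameter.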

 

 

Re: Is QOS / COS / VPN Session affinity configurable to maintain stability of VPN connection for SRX 240?


Hello,

 

In which part of the world are your VPN users located? Nowadays there are very few countries that do NOT do Deep Packet Inspection on their residential internet traffic, and Pulse using IPsec over UDP/4500 for data transfer makes it a prime candidate for such inspection. Not for on-the-fly decryption (not yet possible) but for policing/deprioritising "known encrypted" ports, and in the case of very advanced DPI also "unknown|undefined encrypted" ports.

If that's the case, I doubt that any QoS/CoS would improve your VPN user experience.

HTH

Thx

Alex

 

CDP After Q-in-Q using SRX300 is not working


Hi All,

I am facing the issue below and I was wondering if anyone else has seen this before.

We have two P2P Layer 2 links with Q-in-Q configured on both of them, and at both end points of the Q-in-Q we are using an SRX300 (Junos: 15.1X49-D150.2) in packet mode.

Now the Q-in-Q is working just fine for both links, but the issue is that behind the SRXs we have Cisco devices, and it seems that CDP is working for only one of the two P2P links.

I have checked the configuration on all of the SRXs and it is identical.

P.S. CDP is enabled on the Cisco devices.

Any help will be appreciated.

Thanks

Re: Setting the TTL for DNS Records Stored in the SRX's Cache from Security Policy Lookups


Thanks for the response, Pradeep. I understand the concerns about potential performance issues; that makes sense to me. I agree the best option here would be to adjust the TTL at the server level. I just wanted to see if it could be done at the SRX level.

 

Thanks.

Re: IPSEC between SRX and Fortinet not coming up


Hi Nellikka,

I have done the changes that you mentioned below, but it is still not working. Please find the results below.

 

set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately -- Configured

set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32 -- Configured
set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32 -- Configured

 

root> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2089264 DOWN b6f334ca1da64432 0000000000000000 IKEv2 192.168.86.4

root>

root> show security ipsec security-associations
Total active tunnels: 0

root>

root> show security ipsec security-associations detail

root>

 

 

Please find below the latest IPsec configuration and IKE traces.

 

set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface ge-0/0/1.0
set system services web-management https pki-local-certificate 12345
set system services web-management https interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description TO_FORTINET
set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
set interfaces ge-0/0/2 description TO_R4
set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
set security ike traceoptions file IKE
set security ike traceoptions file size 10k
set security ike traceoptions file files 2
set security ike traceoptions flag all
set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
set security ike gateway ike01-DUB-Three address 192.168.86.4
set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS protocol esp
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
set security ipsec vpn vpn01-DUB-Three df-bit clear
set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 2.2.2.2/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all

root> show log IKE
[May 4 19:57:44]Config download time: 0 secs
[May 4 19:57:44]iked_ts_config_template_clean_up_all_gt_gi Failed to find sa_cfg vpn01-DUB-Three
[May 4 19:57:44]Creating PM instance for service_set: root
[May 4 19:57:44]ssh_ike_init: Start
[May 4 19:57:44]ssh_ike_init: params->ignore_cr_payloads = FALSE
[May 4 19:57:44]ssh_ike_init: params->no_key_hash_payload = FALSE
[May 4 19:57:44]ssh_ike_init: params->no_cr_payloads = FALSE
[May 4 19:57:44]ssh_ike_init: params->do_not_send_crls = FALSE
[May 4 19:57:44]ssh_ike_init: params->send_full_chains = FALSE
[May 4 19:57:44]ssh_ike_init: params->trust_icmp_messages = FALSE
[May 4 19:57:44]ssh_ike_init: params->spi_size = 0
[May 4 19:57:44]ssh_ike_init: params->zero_spi = TRUE
[May 4 19:57:44]ssh_ike_init: params->max_key_length = 512
[May 4 19:57:44]ssh_ike_init: params->max_isakmp_sa_count = 8192
[May 4 19:57:44]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[May 4 19:57:44]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_cnt = 1
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_retry = 2
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_cnt = 1
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_retry = 2
[May 4 19:57:44]ssh_ike_attach_audit_context: Attaching a new audit context
[May 4 19:57:44]ssh_ike_init: params->base_retry_limit = 5
[May 4 19:57:44]ssh_ike_init: params->base_retry_timer = 10.000000
[May 4 19:57:44]ssh_ike_init: params->base_retry_timer_max = 150.000000
[May 4 19:57:44]ssh_ike_init: params->base_expire_timer = 180.000000
[May 4 19:57:44]ssh_ike_init: params->extended_retry_limit = 5
[May 4 19:57:44]ssh_ike_init: params->extended_retry_timer = 5.000000
[May 4 19:57:44]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[May 4 19:57:44]ssh_ike_init: params->extended_expire_timer = 240.000000
[May 4 19:57:44]ssh_ikev2_fallback_create: FB; v1 policy manager 8c33900 started
[May 4 19:57:44]ssh_ikev2_fallback_attach: FB; v1 policy manager 8c33900 attached to server 8ced500
[May 4 19:57:44]iked_config_process_config_list, configuration diff complete
[May 4 19:57:44]IKED-PKID-IPC
[May 4 19:57:44]kmd_rpd_init
[May 4 19:57:44]rpd session connected
[May 4 19:57:44]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[May 4 19:57:45]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[May 4 19:57:45]kmd_rpd_cb_session_connect
[May 4 19:57:45]kmd_rpd_cb_session_connect: rpd session established
[May 4 19:57:45]kmd_rpd_db_read
[May 4 19:57:45]kmd_rpd_db_read: gw handle 39
[May 4 19:57:45]kmd_rpd_cb_protocol_register gw handle 3216496872 return code 1
[May 4 19:57:45]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
[May 4 19:57:45]kmd_rpd_db_write
[May 4 19:57:45]kmd_rpd_shutdown_session
[May 4 19:57:50]kmd_rpd_init
[May 4 19:57:50]rpd session connected
[May 4 19:57:50]kmd_rpd_cb_session_connect
[May 4 19:57:50]kmd_rpd_cb_session_connect: rpd session established
[May 4 19:57:50]kmd_rpd_db_write
[May 4 19:57:50]kmd_rpd_cb_protocol_register gw handle 39 return code 0
[May 4 19:57:50]kmd_rpd_db_write
[May 4 19:57:50]kmd_rpd_refresh_routes
[May 4 19:57:54]Couldn't get the zone information for interface ge-0/0/1, error No such file or directory
[May 4 19:58:23]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
[May 4 19:58:23]In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
[May 4 19:58:23]Successfully added SA Config
[May 4 19:58:23]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/2.0
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876615264 **
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
[May 4 20:06:07]Deleting existing ipsec trace cfg with key: 16777216

[May 4 20:06:07]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
[May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
[May 4 20:06:07]No SPUs are operational, returning.
[May 4 20:06:07]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[May 4 20:06:07]Config download: Processed 1 - 2 messages
[May 4 20:06:07]Config download time: 0 secs
[May 4 20:06:07]ikev2_packet_allocate: Allocated packet 8c24800 from freelist
[May 4 20:06:07]iked_config_process_config_list, configuration diff complete
[May 4 20:06:37]P1 SA 2089251 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:06:37]IKE SA delete called for p1 sa 2089251 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:06:37]Freeing all P2 SAs for IKEv2 p1 SA 2089251
[May 4 20:06:37]P1 SA 2089251 reference count is not zero (1). Delaying deletion of SA
[May 4 20:06:37]iked_pm_p1_sa_destroy: p1 sa 2089251 (ref cnt 0), waiting_for_del 0x8c809a0
[May 4 20:06:37]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:06:37]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:07:34]ikev2_packet_allocate: Allocated packet 8c24c00 from freelist
[May 4 20:08:04]P1 SA 2089252 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:08:04]IKE SA delete called for p1 sa 2089252 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:08:04]Freeing all P2 SAs for IKEv2 p1 SA 2089252
[May 4 20:08:04]P1 SA 2089252 reference count is not zero (1). Delaying deletion of SA
[May 4 20:08:04]iked_pm_p1_sa_destroy: p1 sa 2089252 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:08:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:08:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:08:34]ikev2_packet_allocate: Allocated packet 8c39000 from freelist

[May 4 20:13:34]ikev2_packet_allocate: Allocated packet 8c3a400 from freelist
[May 4 20:14:04]P1 SA 2089258 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:14:04]IKE SA delete called for p1 sa 2089258 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:14:04]Freeing all P2 SAs for IKEv2 p1 SA 2089258
[May 4 20:14:04]P1 SA 2089258 reference count is not zero (1). Delaying deletion of SA
[May 4 20:14:04]iked_pm_p1_sa_destroy: p1 sa 2089258 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:14:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:14:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:14:34]ikev2_packet_allocate: Allocated packet 8c3a800 from freelist
[May 4 20:15:04]P1 SA 2089259 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:15:04]IKE SA delete called for p1 sa 2089259 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:15:04]Freeing all P2 SAs for IKEv2 p1 SA 2089259
[May 4 20:15:04]P1 SA 2089259 reference count is not zero (1). Delaying deletion of SA
[May 4 20:15:04]iked_pm_p1_sa_destroy: p1 sa 2089259 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:15:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:15:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:15:34]ikev2_packet_allocate: Allocated packet 8c3ac00 from freelist
[May 4 20:16:04]P1 SA 2089260 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:16:04]IKE SA delete called for p1 sa 2089260 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:16:04]Freeing all P2 SAs for IKEv2 p1 SA 2089260
[May 4 20:16:04]P1 SA 2089260 reference count is not zero (1). Delaying deletion of SA
[May 4 20:16:04]iked_pm_p1_sa_destroy: p1 sa 2089260 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:16:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:16:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:16:34]ikev2_packet_allocate: Allocated packet 8c3b000 from freelist
[May 4 20:17:04]P1 SA 2089261 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:17:04]IKE SA delete called for p1 sa 2089261 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:17:04]Freeing all P2 SAs for IKEv2 p1 SA 2089261
[May 4 20:17:04]P1 SA 2089261 reference count is not zero (1). Delaying deletion of SA
[May 4 20:17:04]iked_pm_p1_sa_destroy: p1 sa 2089261 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:17:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:17:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:17:34]ikev2_packet_allocate: Allocated packet 8c3b400 from freelist
[May 4 20:18:04]P1 SA 2089262 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:18:04]IKE SA delete called for p1 sa 2089262 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:18:04]Freeing all P2 SAs for IKEv2 p1 SA 2089262
[May 4 20:18:04]P1 SA 2089262 reference count is not zero (1). Delaying deletion of SA
[May 4 20:18:04]iked_pm_p1_sa_destroy: p1 sa 2089262 (ref cnt 0), waiting_for_del 0x8c80a60
[May 4 20:18:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:18:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:18:34]ikev2_packet_allocate: Allocated packet 8c3b800 from freelist
[May 4 20:19:04]P1 SA 2089263 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:19:04]IKE SA delete called for p1 sa 2089263 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:19:04]Freeing all P2 SAs for IKEv2 p1 SA 2089263
[May 4 20:19:04]P1 SA 2089263 reference count is not zero (1). Delaying deletion of SA
[May 4 20:19:04]iked_pm_p1_sa_destroy: p1 sa 2089263 (ref cnt 0), waiting_for_del 0x8c80a60
[May 4 20:19:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[May 4 20:19:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 4 20:19:34]ikev2_packet_allocate: Allocated packet 8c3bc00 from freelist
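The trace above repeats the same pattern every minute: an ikev2_packet_allocate line, then 30 seconds later a P1 SA timer expiry with reason "Force delete timer expired" and the SA being torn down, so no IKE SA ever reaches UP. The following Python is an added example (not from the post and not Juniper code) that pairs each packet allocation with the expiry that follows it and summarises which peer, which IKE version, how many attempts and how long each lived. The sample lines are constructed in the same format as the iked trace above; the SA ids and packet addresses in the sample are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, in the format of the SRX iked trace quoted in the post.
# SA ids and packet addresses here are made up; the peer addresses match the thread.
SAMPLE_TRACE = """\
[May 4 20:06:07]iked_config_process_config_list, configuration diff complete
[May 4 20:07:34]ikev2_packet_allocate: Allocated packet 8c24c00 from freelist
[May 4 20:08:04]P1 SA 2089252 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:08:04]IKE SA delete called for p1 sa 2089252 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:08:04]Freeing all P2 SAs for IKEv2 p1 SA 2089252
[May 4 20:08:04]iked_pm_p1_sa_destroy: p1 sa 2089252 (ref cnt 0), waiting_for_del 0x8c80a00
[May 4 20:08:34]ikev2_packet_allocate: Allocated packet 8c39000 from freelist
[May 4 20:09:04]P1 SA 2089253 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:09:04]IKE SA delete called for p1 sa 2089253 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
"""

# "[May 4 20:07:34]" prefix followed by the message body.
TS_RE = re.compile(r"^\[(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\](.*)$")
# Start of an exchange: iked allocating a packet for the initiator.
ALLOC_RE = re.compile(r"ikev2_packet_allocate: Allocated packet ([0-9a-f]+)")
# Phase 1 SA timer expiry, capturing the SA id and the reason text.
EXPIRY_RE = re.compile(r"P1 SA (\d+) timer expiry\..*timer reason (.+?) \(\d+\)")
# The delete call carries the peer addresses and the IKE version.
DELETE_RE = re.compile(
    r"IKE SA delete called for p1 sa (\d+) .*local:([\d.]+), remote:([\d.]+), (IKEv\d)")


def parse_ts(text):
    """Trace lines carry no year; only deltas are used, so any year will do."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def summarize_ike_trace(trace):
    """Walk the trace in order, pairing each packet allocation with the P1 SA
    expiry that follows it. Returns the failed SA ids, a per-peer counter,
    the expiry reasons seen, and how many seconds each attempt lived."""
    failed_ids, reasons, peers, lifetimes = [], Counter(), Counter(), []
    pending_reason = {}   # sa id -> reason, until the delete line names the peer
    last_alloc = None
    for line in trace.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, body = parse_ts(m.group(1)), m.group(2)
        if ALLOC_RE.search(body):
            last_alloc = ts
            continue
        e = EXPIRY_RE.search(body)
        if e:
            pending_reason[e.group(1)] = e.group(2)
            if last_alloc is not None:
                lifetimes.append(int((ts - last_alloc).total_seconds()))
                last_alloc = None
            continue
        d = DELETE_RE.search(body)
        if d:
            sa_id, local, remote, version = d.groups()
            failed_ids.append(sa_id)
            reasons[pending_reason.pop(sa_id, "unknown")] += 1
            peers[(local, remote, version)] += 1
    return {"failed_sa_ids": failed_ids, "peers": dict(peers),
            "reasons": dict(reasons), "lifetimes_s": lifetimes}


def verdict(summary):
    """One-line reading of the summary."""
    n = len(summary["failed_sa_ids"])
    if n == 0:
        return "no P1 SA deletions in trace"
    remotes = ", ".join(sorted({r for _, r, _ in summary["peers"]}))
    if set(summary["reasons"]) == {"Force delete timer expired"}:
        return (f"{n} IKE SA(s) to {remotes} force-deleted before completing: "
                "the exchange never finished (check reachability, proposals and the peer's policy)")
    return f"{n} P1 SA deletion(s) to {remotes}: " + ", ".join(
        f"{k}={v}" for k, v in summary["reasons"].items())


if __name__ == "__main__":
    s = summarize_ike_trace(SAMPLE_TRACE)
    print(s)
    print(verdict(s))
```

On the sample the summary reports two SAs to 192.168.86.4 over IKEv2, both force-deleted 30 seconds after the packet was allocated, which is exactly the loop visible in the full trace. Feed it the output of the iked traceoptions file instead of SAMPLE_TRACE to get the same summary for a real negotiation.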

 

Re: IPSEC between SRX and Fortinet not coming up


Re: Is QOS / COS / VPN Session affinity configurable to maintain stability of VPN connection for SRX 240?


Hi,

 

Thanks for your reply, so I infer that it is not possible to prioritize VPN traffic to ensure stable connectivity.

Users are co-located in the same city as the infra that they access over VPN. But nevertheless, is there anything that can be tried to check if it betters the experience?

Re: Is QOS / COS / VPN Session affinity configurable to maintain stability of VPN connection for SRX 240?


Hello,

 


 wrote:

 

Users are co-located in the same city as the infra that they access over vpn. 

 

But is your ISP infra also confined to that city? Large ISPs have BNG farms geographically spread all over the country and do load-balancing all the time, so your residential users may be in e.g. London but the BNG they are connected to could be in e.g. Sheffield, 250 miles away. This means a 500-mile round trip for your VPN connections and a dozen or so nodes to cross. The delay you are experiencing could be partially attributable to such a round trip.

 

 


 wrote:

 

Thanks for your reply, so i infer that it is not possible to priortize VPN traffic to ensure stable connectivity. 

 



You really cannot prioritize traffic any further than the exit from your SRX, and that's it.

If you want to prioritize it further, talk to your ISP about getting a business internet access package.

 

HTH

Thx

Alex

 

 

 

 

 

Re: IPSEC between SRX and Fortinet not coming up


Hi Nellikka

 

Thanks for your support, both phase 1 and phase 2 are up now. There was an issue with the Fortinet firewall policy; after correcting it, IPsec came up. I have some questions:

 

1. How can I redirect the traffic over the IPsec tunnel from source (2.2.2.2) to destination (1.1.1.1)? As we can see in the routing table, it is not showing a route for it. Do I need to configure a static route for the destination pointing towards the st0.0 interface?

 

2. What if "establish-tunnels immediately" is not configured? What is the default behaviour of Junos OS?

 


+ = Active Route, - = Last Active, * = Both

2.2.2.2/32 *[Static/5] 01:16:46
> to 23.0.0.2 via ge-0/0/2.0
23.0.0.0/24 *[Direct/0] 01:16:46
> via ge-0/0/2.0
23.0.0.1/32 *[Local/0] 01:16:59
Local via ge-0/0/2.0
192.168.86.0/24 *[Direct/0] 01:16:46
> via ge-0/0/1.0
192.168.86.3/32 *[Local/0] 01:17:00
Local via ge-0/0/1.0

 

 

root> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: vpn01-DUB-Three
Local Gateway: 192.168.86.3, Remote Gateway: 192.168.86.4
Local Identity: ipv4(any:0,[0..3]=2.2.2.2)
Remote Identity: ipv4(any:0,[0..3]=1.1.1.1)
Version: IKEv2
DF-bit: clear
Bind-interface: st0.0

Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Last Tunnel Down Reason: Lifetime expired
Direction: inbound, SPI: ea741b61, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3518 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2880 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: 5e5575e7, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3518 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2880 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

 

root> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3264977 UP 2f31bcc0891ceff9 a1b8c28e9f518341 IKEv2 192.168.86.4


root> show chassis fpc detail
Slot 0 information:
State Online
Total CPU DRAM ---- CPU less FPC ----
Start time 2020-05-06 03:51:22 UTC
Uptime 12 hour, 17 minutes, 37 seconds

root>

Re: IPSEC between SRX and Fortinet not coming up


Glad to know that the VPN came up.

Yes, a static route should be configured for the destination network with the next hop as st0.0.

The default behavior is on-demand. The tunnel will be initiated when traffic to the destination hits the SRX.
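As an added example (not from the thread and not from Juniper documentation), this is the Junos set-format configuration that puts the reply into practice for the prefixes used in the thread: a static route that sends 1.1.1.1/32 into the st0.0 tunnel interface, the establish-tunnels immediately knob on the vpn01-DUB-Three VPN named in the SA output, and a security policy allowing traffic from the LAN zone into the zone that holds st0.0. The zone names trust and vpn and the policy name to-remote are assumptions; the thread's own zone names are not visible in this section.

```junos
set routing-options static route 1.1.1.1/32 next-hop st0.0
set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately
set security zones security-zone vpn interfaces st0.0
set security policies from-zone trust to-zone vpn policy to-remote match source-address any
set security policies from-zone trust to-zone vpn policy to-remote match destination-address any
set security policies from-zone trust to-zone vpn policy to-remote match application any
set security policies from-zone trust to-zone vpn policy to-remote then permit
```

Leaving the establish-tunnels line out gives the default, on-traffic, which is the on-demand behaviour described in the reply: the SA is negotiated only once a packet is routed into st0.0. It is the route, not the proxy-identity, that steers traffic into the tunnel, so after committing, show route 1.1.1.1 should list st0.0 as the next hop and show security ipsec security-associations should show the SA installed. A matching policy from the vpn zone back to trust is needed if sessions are initiated from the remote side.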

 

 

Re: looking for download URL of antivirus updates on SRX4100


If you are using the Avira antivirus then the database is located at https://update.juniper-updates.net/avira

You can find this and other Avira information here:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-on-device-antivirus-scan-engine.html

I could not find that exact SKU on Juniper's public-facing pages, so if this does not appear to match your product I would encourage you to contact your Juniper account team.

Also, running a show system license command would spell out what you have available on that device.

 

Ed

SRX550 IPsec VPN and RDP drops


We have an SRX550 VPN cluster. We installed a new IPsec tunnel to AWS, static VPN. The tunnel has been strong; however, when we do a Windows RDP into a server in the AWS space, we seem to drop the RDP session every 2 minutes, at least within 10-20 ms.

The laptop is Windows 10, the server is Windows 2012R2. The tunnel is route based, MTU is 1436. End-to-end traffic is 85 ms.

Config matches what AWS is expecting.

A constant ping test from laptop to server using various sizes does fine until the RDP session is lost; we drop two pings, the session restarts and pings come back, and this repeats every 2 minutes.

 

Any SRX-to-AWS experts out there run into anything like this using RDP or any other protocol? And if so, what was the fix?

 

Thanks


 

Re: Filter base Forwarding per NATTed IP


Hi,


 

This is my topology: on the SRX we have one link (Untrust) which is connected to Layer 2 switches, and the Layer 2 switches are connected to MX routers. On the SRX we have two default routes, one toward the VRRP active on MX-1 and the other toward the VRRP active on MX-2.


Content-Filtering- HTTP/HTTPS Upload not working for .exe and .zip file types.


Hello, 

 

I have created the configuration mentioned below on a vSRX (version 18.2R3.4) to block .exe and .zip files. It worked for FTP uploads and downloads, but for HTTP/HTTPS, content filtering worked only for downloads. Is this expected behaviour? Or is there any other way to block .exe and .zip uploads?

 

set security utm feature-profile content-filtering profile File_all block-extension Block_Ext
set security utm feature-profile content-filtering profile File_all block-content-type exe
set security utm feature-profile content-filtering profile File_all block-content-type zip
set security utm feature-profile content-filtering profile File_all notification-options type protocol-only
set security utm feature-profile content-filtering profile File_all notification-options custom-message "File Blocked by SRX CF"


set security utm utm-policy UTM-AV-CF-WF content-filtering http-profile File_all
set security utm utm-policy UTM-AV-CF-WF content-filtering ftp upload-profile File_all
set security utm utm-policy UTM-AV-CF-WF content-filtering ftp download-profile File_all

set security policies from-zone Trust to-zone Untrust policy UTM-CF-Policy match source-address any
set security policies from-zone Trust to-zone Untrust policy UTM-CF-Policy match destination-address any
set security policies from-zone Trust to-zone Untrust policy UTM-CF-Policy match application any
set security policies from-zone Trust to-zone Untrust policy UTM-CF-Policy then permit application-services ssl-proxy profile-name ssl-forward-proxy-profile
set security policies from-zone Trust to-zone Untrust policy UTM-CF-Policy then permit application-services utm-policy UTM-AV-CF-WF
set security policies from-zone Trust to-zone Untrust policy UTM-CF-Policy then log session-init
set security policies from-zone Trust to-zone Untrust policy UTM-CF-Policy then log session-close

To Block Password protected PDF File


Hello, 

 

Is there a way to block upload/download of password-protected PDF files?

 

Thanks,

Hari. 

Re: To Block Password protected PDF File


Hi Hari, 

 

Greetings, 

As per my understanding, you can block the pdf extension type using the UTM block-extension list in the feature-profile settings. There would be no difference between a PDF and a password-protected PDF in terms of extension as such, so it would not be possible, as per my understanding.

 

Please mark "Accept as solution" if this answers your query. 

 

Kudos are appreciated too! 

 

Regards, 

Sharat Ainapur

Re: To Block Password protected PDF File


Hi Sharat, 

 

By using block-extension, it would block PDF files. Is there a way to block only password-protected PDFs?

 

Moreover, what I have observed is that block-extension is blocking only HTTP/HTTPS downloads but not uploads.

 

Thanks,

Hari. 

Re: To Block Password protected PDF File


Hi Hari,

 

The document linked below gives a detailed explanation of all possible ways in which you can achieve Unified Threat Management:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-utm-overview.html#id-unified-threat-management-overview

 

Starting with Junos OS Release 18.2R1, the following commands under the [edit security utm feature-profile] hierarchy level are deprecated.

 

Before you can configure most UTM features, you must first configure the custom objects for the feature in question. Custom objects are global parameters for UTM features. This means that configured custom objects can be applied to all UTM policies where applicable, rather than only to individual policies.

 

The below document gives you an example configuration of content filtering custom objects:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-utm-content-filtering.html#id-example-configuring-content-filtering-custom-objects

 

Example config snippet:

{primary:node0}[edit security utm]
root@SRX550-Node0# show
custom-objects {
    filename-extension {
        Extension-List {
            value [ pdf swf js ];                            >>>> in your case you can just use pdf
        }
    }
    protocol-command {
        GET {
            value GET;
        }
    }
}
feature-profile {
    content-filtering {
        profile Content-Filtering {
            permit-command GET;
            block-extension Extension-List;
            block-content-type {
                active;
                java-applet;
                exe;
            }
        }
    }
}
utm-policy Content-Filter-Policy {
    content-filtering {
        http-profile Content-Filtering;
    }
}

 

You can block uploads by using the HTTP Content Filter. Please refer to the KB below:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26837&cat=FILTERING_D0E41470&actp=LIST&showDraft=false

 

With respect to limiting this to password-protected files specifically, I am not sure if we can do that. This is the closest I could get to match your requirements.

 

Hope this helps. 

 

Please mark this "Accepted solution" if this solves your query.

Kudos would be much appreciated as well.
