Srx and APs question

August 8, 2020, 6:54 pm

I have an srx240 and 3 AP's on that gateway. My question has to do with the independent behavior of the srx and the APs. By independence I mean protocol independent in terms of page file separation. Overall round robin independence. The APs are dd-wrt Asus rt-ac68u . I want them to be independent on the web but I'm missing something. I think. Maybe it will only run this way. I dont know, but my thought is it should be workable.

1. All protocols needed are probably in effect.
2. Full fledged DNS is not in effect.
3. DNS is dynamic but by xfinity.

Anyone got an idea?

My guess is DNS.

↧

Re: Srx and APs question

August 9, 2020, 7:10 am

≫ Next: Re: Srx and APs question

≪ Previous: Srx and APs question

I am not sure that I follow your question, but I think you are asking that if the dns server given to the AP and their clients is from the SRX are they independent from each other. The answer would be no. All the AP would be sharing the same DNS and all the cache and other behavior is based on all of their actions as a whole and not individually as units.

↧

Re: Srx and APs question

August 9, 2020, 3:03 pm

≫ Next: Re: Srx and APs question

≪ Previous: Re: Srx and APs question

Ok, and I must obviously accept an answer from a pro.

So, next question.

1. If my first DNS signal which is dynamic and is not closing and is in effect and I begin to use DYNDNS will it close the first dynamic signal?

By "close", I mean, to complete the circuit.

Is this possible?

↧

Re: Srx and APs question

August 10, 2020, 2:36 am

≫ Next: Experiencing strange connectivity issues using an SRX3400 with an EX9204

≪ Previous: Re: Srx and APs question

Still not sure I am getting your use case. Now you seem to be referencing the dyndns service so are you talking about having the APs register a dyndns name for each?

If that is the case they will all have the same ip address using default nat setups. If this is the problem you see with dyndns and you have other ip addresses in your carrier assigned pool you could create custom nat source rules to make sure each AP gets their own nat ip address.

↧

Experiencing strange connectivity issues using an SRX3400 with an EX9204

August 10, 2020, 7:51 am

≫ Next: Re: Experiencing strange connectivity issues using an SRX3400 with an EX9204

≪ Previous: Re: Srx and APs question

Hi,

I have experienced issues using an SRX3400 to route traffic between VLANs on an EX9204 switch. Previously the EX9204 was handling the routing successfully but the L3 interfaces were moved to the firewall to further segment the VLANs and enforce security policies.

Although PCs and phones get their IP addresses and can ping everything including the Internet, the PCs take a long time to authenticate to the domain, the network shares are seen but cannot be accessed, the outlook client cannot connect to the exchange server and the Internet cannot be reached with a web browser. All of this despite the fact that PCs can ping the Internet domain names, IP addresses and the servers needed for email, network shares, dns and dhcp and vice-versa.

This has worked in other locations using different platforms such as the SRX550 and EX4300s with no issues.

If you can help me understand what could cause this, I would appreciate it.

↧

Re: Experiencing strange connectivity issues using an SRX3400 with an EX9204

August 10, 2020, 10:41 am

≫ Next: Re: SRX not passing syslogs to syslog server

≪ Previous: Experiencing strange connectivity issues using an SRX3400 with an EX9204

Hello,

The possible causes for the traffic disruption can be anything. So, it's gonna be a step-by-step approach.

Are you experiencing this issue intermittently or the issue was persistent?
What is the Junos version running in the SRX?
Is the SRX deployed as standalone or cluster? If it's a cluster, can you failover the traffic to another node?
Can you give me the topology information? Is there any proxy or load balancer involved in your setup?
During the time of issue, you need to run the health checks of the SRX which I have provided at the end. Once captured, do share the output.
Check the flow sessions in SRX while you pinging the destination from PC and as well accessing web server via HTTP/S from the PC. Do share the outputs. user@host> show security flow session source-prefix <x.x.x.x> destination-prefix <y.y.y.y>
If you are using L7 inspections in security policies such as IDP, AppSec, SSL-proxy etc., can you deactivate those for the time being and check the traffic.
Assuming this is a latency issue, have you configured any bandwidth policers or CoS for this traffic? If so, can you disable it?
Slow DNS resolutions can also lead to latency, so if you are using private DNS servers, how about changing them to public ones?
The final step is to capture flow traces and packet captures in order to determine the cause of this issue.

Health checks commands:

user@host> set cli timestamp

user@host> show version

user@host> show chassis hardware

user@host> show chassis fpc pic-status

user@host> show chassis alarms

user@host> show chassis environment

user@host> show system alarms

user@host> show system core-dumps

user@host> show system storage

user@host> show chassis routing-engine

user@host> show security monitoring performance spu

user@host> show chassis cluster status

user@host> show chassis cluster interfaces

user@host> show security flow session summary

user@host> show security flow status

↧

Re: SRX not passing syslogs to syslog server

August 10, 2020, 10:59 am

≫ Next: Re: SRX not passing syslogs to syslog server

≪ Previous: Re: Experiencing strange connectivity issues using an SRX3400 with an EX9204

Did you find resolution to this issue? If so, what did you do differently? My Syslog and Junos source-interface are in same network, and I can't seem to get traffic to syslog

Thanks

↧

Re: SRX not passing syslogs to syslog server

August 10, 2020, 2:56 pm

≫ Next: SSL inspection using IPS license

≪ Previous: Re: SRX not passing syslogs to syslog server

AhmadAubair654,

Which SRX model do you have?

What is your current syslog stanza contents?

↧

SSL inspection using IPS license

August 10, 2020, 5:49 pm

≫ Next: Re: SSL inspection using IPS license

≪ Previous: Re: SRX not passing syslogs to syslog server

I have a peculiar problem of inspecting ssl encrypted packets amounting more than 300k/sec sessions via ips on SRX 4200.

Wanted to check if there is any way out other than ssl forward proxy to inspect the ssl tls properly?

if i enable ssl proxy, how much will be the throughput of the device?

↧

Re: SSL inspection using IPS license

August 10, 2020, 11:15 pm

≫ Next: srx320 LTE remote management access

≪ Previous: SSL inspection using IPS license

With SSL-FP enabled on a SRX4200, I would expect up to 1G of throughput (less if the gateway also does other types of inspection)... but it really depends on traffic patterns so difficult to give any firm numbers.

Depending on your goal, you could be looking to utilize the encrypted traffic analyzer function of the Cloud ATP offering where AI/ML is being done of the traffic flows + certs without trying to actually decrypt the traffic. As it's quite new the best explanation of the function can be seen via this video from Tech Field Day: https://www.youtube.com/watch?v=LkXSYC0ELJ0

The cloud ATP would require either a premium 1 or premium 2 subscription for your gateway(s) to offer this functionality.

Overview of the possible subsriptions for the SRX gateways is found here: https://www.juniper.net/documentation/en_US/release-independent/licensing/topics/concept/flex-software-subscription-model-support.html#jd0e2604

If your goal is to apply IPS, UTM or similar to TLS-encrypted traffic, then SSL FP is the only way to go.

↧

srx320 LTE remote management access

August 11, 2020, 3:29 am

≫ Next: Re: JUNOS PULSE vpn client version with Winows 10

≪ Previous: Re: SSL inspection using IPS license

Hello experts,

I'm first time user for juniper srx320 and I've been trying to setup the lte module in a way that I can access the srx320 from outside. The SIM being used in the LTE module is having a static public ip mapping. (this SIM has been tested on a different brand firewall and accessing the fw via static public IP works from outside).

On srx320, I've already tried putting the interface dl0.0 under untrust and assigned respective policies to allow all traffic (for testing purpose only for now). However I'm not able to get to ping the static ip nor get to the https page, please can you assist in pointing where the issue is in the config?

Thanking in advance.

}
services {
ssh;
netconf {
ssh;
}
dhcp-local-server {
group jdhcp-group {
interface irb.0;
}
}
web-management {
https {
system-generated-certificate;
interface [ dl0.0 all ];
}
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp;
}
security {
log {
mode stream;
report;
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy untrust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone untrust {
policy untrust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
https;
}
}
}
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
dl0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet;
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family inet;
}
}
cl-1/0/0 {
dialer-options {
pool 1 priority 1;
}
act-sim 1;
cellular-options {
sim 1 {
select-profile profile-id 1;
radio-access automatic;
gateway x.x.38.73/32;
}
}
}
dl0 {
unit 0 {
family inet {
negotiate-address;
}
family inet6 {
negotiate-address;
}
dialer-options {
pool 1;
always-on;
dial-string [ 1234 "*88#" ];
}
}
}
irb {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop dl0.0;
}
}
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
access {
address-assignment {
pool junosDHCPPool {
family inet {
network 192.168.1.0/24;
range junosRange {
low 192.168.1.2;
high 192.168.1.254;
}
dhcp-attributes {
router {
192.168.1.1;
}
propagate-settings ge-0/0/0.0;
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface irb.0;
}
}
poe {
interface all;
}

[edit]
root@srxtest#

↧

Re: JUNOS PULSE vpn client version with Winows 10

July 27, 2020, 11:05 am

≫ Next: SRX4100 Recommended Junos Version currently running 18.3R1

≪ Previous: srx320 LTE remote management access

I'm glad it all worked out 😊

Yes, Robert, you can message me.

Honestly, I'm not sure about the Juniper process on this one. I guess there is only one way to find out; give them a ring.

↧

SRX4100 Recommended Junos Version currently running 18.3R1

August 11, 2020, 12:28 pm

≫ Next: Re: SRX4100 Recommended Junos Version currently running 18.3R1

≪ Previous: Re: JUNOS PULSE vpn client version with Winows 10

I tried loading 18.4R3-S4 and had the following issues

xe-0/0/x redundancy group members showing down/down physical links were up on both side LACP up/down constantly on links

redundancy groups kept failing over from primary to secondary

VPN rekey issues on tunnels causing data to stop flowing deactivate/activate tunnel

syslog messages not working had to disable stream and re-enable it to work

18.4R3-S4 does not work properly do no use it

I had four P2 tickets open up on various issues in three days and a P1 ticket open up on the VPN issue

All issues went away after rolling back Junos OS to 18.3R1

I need to upgrade my Junos and need a stable version to load I cannot have these same types of issues.

Looking for stable release in 18.4

Please let me know

↧

Re: SRX4100 Recommended Junos Version currently running 18.3R1

August 11, 2020, 4:42 pm

≫ Next: Re: SRX4100 Recommended Junos Version currently running 18.3R1

≪ Previous: SRX4100 Recommended Junos Version currently running 18.3R1

Hello James,

It is so unfortunate that you had to face these issues post upgrading the Junos to 18.4R3-S4.

Actually, Junos 18.4R3-S4 is the JTAC recommended release for SRX4100 and since you faced the issue with the very same version, I would suggest you to wait for JTAC's analysis before upgrading to any other version.

There are issues observed recently in SRX4600 while upgrading the Junos to 18.4R3-S4 resulting in upgrade failure so, the JTAC recommended release was changed to 18.4R3-S3. But I guess that isn't the case here because upgrade is successful for you and the issue is seen post upgrade.

↧

Re: SRX4100 Recommended Junos Version currently running 18.3R1

August 11, 2020, 8:21 pm

≫ Next: Re: SRX Intra-Zone traffic

≪ Previous: Re: SRX4100 Recommended Junos Version currently running 18.3R1

Hi James,

We are aware of this issue and we are working on fixing it. Thank you for bringing this to our attention.

Regards,

Anand

↧

Re: SRX Intra-Zone traffic

August 11, 2020, 10:29 pm

≫ Next: Re: SRX Intra-Zone traffic

≪ Previous: Re: SRX4100 Recommended Junos Version currently running 18.3R1

Did you configure the traces yet? Also, what are the hops you see when you do a traceroute?

Anand

↧

Re: SRX Intra-Zone traffic

August 12, 2020, 12:59 am

≫ Next: Re: SRX4100 Recommended Junos Version currently running 18.3R1

≪ Previous: Re: SRX Intra-Zone traffic

Hi Anand10

I rebuilt the firewall and it works as expected now so not sure what the actual problem was.

Thanks for the response.

↧

Re: SRX4100 Recommended Junos Version currently running 18.3R1

August 12, 2020, 5:46 am

≫ Next: Re: SRX5400 not support RPM by source and destination? Any other alternative?

≪ Previous: Re: SRX Intra-Zone traffic

Does the Junos OS go through any type of quality assurance testing

The features I am using

LACP bundle
Redundant Ethernet
IPSEC VPN using static routing

These are very basic functions and I would assume should be tested as part of your QA process.

Thanks

James Hansen | Network Design Engineer I | Network Services
Unisys | 717-409-5931 W | 717-594-8181 C | james.hansen@unisys.com

[unisys_logo]<>

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all devices.
[Grey_LI]<> [Grey_TW] <> [Grey_YT] <> [Grey_FB] <> [Grey_Vimeo] <> [Grey_UB] <>

↧

Re: SRX5400 not support RPM by source and destination? Any other alternative?

August 13, 2020, 7:47 am

≫ Next: Re: SRX5400 not support RPM by source and destination? Any other alternative?

≪ Previous: Re: SRX4100 Recommended Junos Version currently running 18.3R1

Hi Noobmaster/all,

I check all the example using RPM and it look like the "next-hop" is mandatory. But on SRX5400 not support "next-hop", so any workaround of this?

rpm {

probe Failover-ISP1 {

test probe-failover {

probe-type icmp-ping;

target address 20.20.86.1;

probe-count 5;

probe-interval 1;

test-interval 5;

thresholds {

successive-loss 10;

total-loss 3;

}

destination-interface reth2.10;

## Warning: statement ignored: unsupported platform (srx5400)

next-hop 20.20.86.1;

}

Thanks and appreciate any feedback

↧

Re: SRX5400 not support RPM by source and destination? Any other alternative?

August 13, 2020, 8:37 am

≫ Next: Re: SRX5400 not support RPM by source and destination? Any other alternative?

≪ Previous: Re: SRX5400 not support RPM by source and destination? Any other alternative?

Hello Kronicklez,

The next-hop statement is optional; since you specified the destination-interface, the probes will exit through that interface. For more information, please check this KB article - https://kb.juniper.net/InfoCenter/index?page=content&id=KB25052

So, please remove the next-hop statement and continue to implement the rest of the configuration. Also, I stumbled upon one of the old posts, maybe it might be helpful for you - https://forums.juniper.net/t5/Configuration-Library/SRX-Default-Route-Failover-RPM-Script/td-p/64023

↧