Channel: All SRX Services Gateway posts

Re: SRX5400 not support RPM by source and destination? Any other alternative?

Hi Noobmaster,

 

Thanks for the URL. I'm reading the URL given but I'm still not sure how to integrate it with my setup of FBF + event-options + ISP dual failover using only event-options, because the SRX5400 does not support "ip-monitoring". Most of the examples use RPM + IP-Monitoring + FBF.

 

https://rtodto.net/dual-isp-failover-with-rpm-ip-monitoring/

 

Thanks


Re: VPN site to site Juniper-Cisco with 8 encryption domain

Hello,

I am facing the same issue trying to establish a tunnel with a client in China.

I would appreciate it if you could share your changed IKE and IPsec settings.

 

Thank you.

Re: SRX4100 Recommended Junos Version currently running 18.3R1

Anand 

 

Do you work for JTAC support?

 

I opened up a new case 2020-0814-0224 trying to get some help with this issue.

If you have access to JTAC cases, can you view them and respond to the engineer assigned to this JTAC case?

 

Thanks

 

SRX320 w/4G-LTE PIM as backup w/Policy Based VPN

Hey all,

I have a SRX320 w/4G-LTE PIM as a backup interface.

So far, the base configuration works as I'd like. I don't want the PIM up all the time, only when the configured VPN tunnel is unusable.

And with the VPN tunnel, that's the tricky part. This SRX320 has been getting set up at retail outlets that have lots of equipment that sometimes misbehaves with ISPs that seem to have router/modem limitations where the primary interface has a link and can sometimes get some traffic out -- but the VPN tunnel is down.

So ultimately I need help with 2 aspects.

1. Getting the policy-based VPN to work over the dl0 interface when the backup is active.
2. Advice on how best to detect that the VPN tunnel is down and trigger use of the dl0 backup even though Ethernet still has a link and can pass non-VPN traffic. (I'm about to build that into my lab test fixture, which will allow me to block traffic without dropping the Ethernet link.)


I did find these links, but they don't help because they don't match the scenario, leaving me unsure what to do.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227
https://forums.juniper.net/t5/SRX-Services-Gateway/how-to-configure-fail-over-on-srx-branch-side-connected/m-p/331710

 

Both interfaces are DHCP clients. (The remote gateway is static.)
I don't need the 4G/LTE up all the time. The use case can tolerate some downtime as the 4G link is brought up.

 

Thanks in advance,

   -Ben

 

Here are the related pieces of my configuration: (sorry for the weird highlighting in the code box.)

security {
    ike {
        gateway My_Gateway {
            ike-policy my_IKE_Policy;
            address <remote gw address>;
            local-identity hostname myLocal;
            remote-identity hostname myRemote;
            external-interface ge-0/0/6.0;
        }
    }
    ipsec {
        vpn My_IKE {
            vpn-monitor {
                optimized;
                source-interface irb.0;
                destination-ip <remote ip inside network>;
            }
            ike {
                gateway My_Gateway;
                ipsec-policy My_IPSec_Policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy VPN_here-TO-HQ {
                match {
                    source-address Local_NET;
                    destination-address Remote-Net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn My_IKE;
                            pair-policy VPN_There-TO-Here;
                        }
                    }
                }
            }
        }
        from-zone Internet to-zone Internal {
            policy VPN_There-TO-Here {
                match {
                    source-address Remote-Net;
                    destination-address Local_NET;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn My_IKE;
                            pair-policy VPN_Here-TO-There;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/6 {
        description "This is the ISP interface";
        unit 0 {
            family inet {
                dhcp-client;
            }
            backup-options {
                interface dl0.0;
            }
        }
    }
    cl-1/0/0 {
        description "4G-LTE Backup";
        dialer-options {
            pool 1 priority 1;
        }
        act-sim 1;
        cellular-options {
            sim 1 {
                select-profile profile-id 1;
                radio-access lte-preferred;
            }
        }
    }
    dl0 {
        unit 0 {
            family inet {
                negotiate-address;
            }
            dialer-options {
                pool 1;
                dial-string "*99***1#";
            }
        }
    }
}
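
A check worth running on a policy-based VPN configuration like the one above: every pair-policy should name a tunnel policy that exists (names are case-sensitive) and that points back. The following is an added example, not code from the post or from Juniper; it contains a minimal brace-style Junos parser written for this example, and SAMPLE_CONFIG is the policies section from the post, trimmed to what the check needs.

```python
"""Added example (not from the post): parse a brace-style Junos configuration
and check that every pair-policy in a policy-based VPN points at a tunnel
policy that exists and that points back. The parser is a minimal one written
for this example; SAMPLE_CONFIG is the policies section from the post."""
import re

SAMPLE_CONFIG = """
security {
    policies {
        from-zone Internal to-zone Internet {
            policy VPN_here-TO-HQ {
                match { source-address Local_NET; destination-address Remote-Net; application any; }
                then { permit { tunnel { ipsec-vpn My_IKE; pair-policy VPN_There-TO-Here; } } }
            }
        }
        from-zone Internet to-zone Internal {
            policy VPN_There-TO-Here {
                match { source-address Remote-Net; destination-address Local_NET; application any; }
                then { permit { tunnel { ipsec-vpn My_IKE; pair-policy VPN_Here-TO-There; } } }
            }
        }
    }
}
"""

# Tokens: quoted strings, the three structural characters, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def parse_junos(text):
    """Turn brace-style config into nested dicts: {statement: children or None}."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":
                node[" ".join(words)] = None
                words = []
            elif tok == "}":
                return node
            else:
                words.append(tok)
        return node

    return block()


def tunnel_policies(config):
    """Return {policy_name: pair_policy_or_None} for every security policy
    whose permit action carries a tunnel stanza."""
    result = {}
    for zone_node in config["security"]["policies"].values():
        for stmt, pol in zone_node.items():
            if not stmt.startswith("policy ") or pol is None:
                continue
            name = stmt.split(" ", 1)[1]
            tunnel = ((pol.get("then") or {}).get("permit") or {}).get("tunnel")
            if tunnel is None:
                continue
            pair = next((s.split(" ", 1)[1] for s in tunnel if s.startswith("pair-policy ")), None)
            result[name] = pair
    return result


def check_pair_policies(config):
    """Return a list of findings; an empty list means every pair-policy is mutual."""
    policies = tunnel_policies(config)
    findings = []
    for name, pair in policies.items():
        if pair is None:
            continue
        if pair not in policies:
            findings.append(f"{name}: pair-policy {pair} is not a tunnel policy (names are case-sensitive)")
        elif policies[pair] != name:
            findings.append(f"{name}: pair-policy {pair} pairs back to {policies[pair]}, not {name}")
    return findings


if __name__ == "__main__":
    for finding in check_pair_policies(parse_junos(SAMPLE_CONFIG)):
        print(finding)
```

Run against a full `show configuration` dump the parser handles the rest of the hierarchy the same way; only the `security policies` subtree is inspected. A policy with no pair-policy is skipped rather than flagged, since a one-directional tunnel policy is legitimate.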

Re: JUNOS PULSE vpn client version with Windows 10

I don't think so. In fact, AFAIK mobile VPNs aren't available at all.

Re: VPN site to site Juniper-Cisco with 8 encryption domain

Your settings for IKE and IPsec will depend on what your remote site has on their side, as they must match.

 

To help narrow down mismatches there are some guides, but it depends on how far along in the process of creating the tunnel your site is. For this thread the site-to-site was showing established for both IKE and IPsec but no traffic was flowing. If your tunnel is not coming up, start with this document to narrow down where the issue is.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10100

 

Also, since your partner is in China, there is a possibility that the VPN is being blocked by the "great firewall" of China. When I worked at one company we had to get government permission to have a VPN to the site, which was then permitted. But start with the technical KB first.

 

AWS Site to Site VPN using SRX240 Generating TCP Spurious Retransmission and Dup Ack

We recently started moving more of our systems up to AWS and are now accessing them via Site to Site VPN with Dynamic Routing using BGP. We've started noticing increased latency with our applications and after doing a packet inspection we're seeing TCP Spurious Retransmission followed by a TCP Dup Ack message. I've read that MTU differences can cause issues like this, but not too sure I'm thinking about this correctly. I know that the encryption is going to take some overhead so the tunnel interfaces here are using a smaller than normal MTU size 1436 which is default for AWS. Do the server and client at the other end of the tunnels need to lower their MTU as well to avoid fragmentation? I can post configs and captures if that is helpful. 

 

Thanks in advance!

Re: AWS Site to Site VPN using SRX240 Generating TCP Spurious Retransmission and Dup Ack

Do you have an MSS set for the VPN?

Looking up an old deployment, the AWS recommendation at that time was 1387:

 

set security flow tcp-mss ipsec-vpn mss 1387

 


NCP client - Limit specific users access to predefined IPs

Hi,

I'd like to be able to specify different access permissions to the users that connect to the network (SRX1500) via NCP.

For example, normal users have access to the whole office subnet (192.168.0.0/24) but limited users have access only to host 192.168.0.10. Is there a way to do this?

 

It's something similar to this post from 2014 with no replies unfortunately:

https://forums.juniper.net/t5/SRX-Services-Gateway/Liminting-remote-vpn-user-access-to-predefined-hosts/m-p/232723

 

Thank you for your help!

Best regards

SRX 320 DHCP Issues after power outage

All, 

Are there known issues with SRX 320s when they are a DHCP client to ISP home routers? We've had a number of devices that could not connect after a power outage. The communication between the SRX and the Comcast router just stops. It's almost as if the SRX doesn't receive the DHCP address from the home router. Zeroizing the devices works, and sometimes the devices work again when plugged into different ISP routers. Thanks in advance.

 

Respectfully,

BK

Re: SRX 320 DHCP Issues after power outage

Hi BK,

 

Can you provide us with the below information?

  • What is the Junos version?
  • Since when have you been facing this issue?
  • Have you made any changes recently to this device?
  • Are you using JDHCP or the legacy DHCP configuration? There are some known issues with legacy DHCP.
  • Can you capture the output of the below commands during the time of the issue?
    • user@host> monitor traffic interface ge-0/0/0 no-resolve size 1500 matching "port 67&&68"  <<< Replace ge-0/0/0 with your own interface connected to the Comcast router.
    • user@host> show system services dhcp client statistics (or) user@host> show dhcp client statistics

Re: Could not open user interface connection: management daemon not responding

Again, the issue is I cannot get to the CLI, so how do you enter CLI commands? This is the error I am getting:

 

"could not open user interface connection: management daemon" at the ~# prompt. When I enter the cli command, this is where I get the above error message.

Re: Could not open user interface connection: management daemon not responding

Hi,

 

One way to format the device is by following this KB: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/install-software-on-srx.html#id-installing-junos-os-on-srx-series-devices-from-the-boot-loader-using-a-usb-storage-device

 

If you want to set the date from the shell prompt, you can try # date -s "2 OCT 2006 18:00:00" (changing the values to the current ones) to verify whether this is the issue.

 

I would suggest formatting the box by following the link above, using a 1Gb or 4Gb USB stick if possible.

 

 

RPM probe ping response time

Hello,

I'm currently monitoring our main internet connection using RPM probes. Unfortunately we've experienced problems where the connection was very slow but some of the probe pings would still get through. As a result there was no failover. According to the documentation there is a possibility to add a round-trip time threshold:

set services rpm probe probetoremote test test-name thresholds rtt

But I can't get this to work successfully. I see PING_RTT_THRESHOLD_EXCEEDED messages in the log each time a test exceeds the set RTT value, but the probe does not fail on it. It looks like this threshold value is completely ignored.

Has anyone got this to work? I would really like to discard ping responses that take much longer than normal.

 

Best regards,

Steve

 

Re: RPM probe ping response time

Hi, it works as expected.

From this doc, "A system log message is generated when the configured threshold is exceeded."

You can configure an event-options policy that triggers on this event with:

"set event-options policy test events ping_rtt_threshold_exceeded ..."
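
The reply above leaves the failover decision to an event-options policy that fires on every PING_RTT_THRESHOLD_EXCEEDED message. Before wiring that into a live device it helps to replay the syslog stream offline and see how a "consecutive exceedances" rule behaves. The block below is an added example, not code from the thread or from Juniper: the log lines are constructed in the shape rmopd writes them (the owner and test names come from the post), and the choice to reset the streak on PING_TEST_COMPLETED and to treat PING_TEST_FAILED as a hard failure is an assumption of this example.

```python
"""Added example (not from the post): decide when an RPM test should be
treated as failed on RTT alone by counting consecutive
PING_RTT_THRESHOLD_EXCEEDED syslog events per probe owner/test."""
import re
from collections import defaultdict

# Constructed sample: two exceedances, a clean completion that resets the
# streak, then three exceedances in a row for the same test.
SAMPLE_LOG = """\
Aug 24 10:00:01 srx rmopd[1234]: PING_RTT_THRESHOLD_EXCEEDED: pingCtlOwnerIndex = probetoremote, pingCtlTestName = test-name
Aug 24 10:00:11 srx rmopd[1234]: PING_RTT_THRESHOLD_EXCEEDED: pingCtlOwnerIndex = probetoremote, pingCtlTestName = test-name
Aug 24 10:00:21 srx rmopd[1234]: PING_TEST_COMPLETED: pingCtlOwnerIndex = probetoremote, pingCtlTestName = test-name
Aug 24 10:00:31 srx rmopd[1234]: PING_RTT_THRESHOLD_EXCEEDED: pingCtlOwnerIndex = probetoremote, pingCtlTestName = test-name
Aug 24 10:00:41 srx rmopd[1234]: PING_RTT_THRESHOLD_EXCEEDED: pingCtlOwnerIndex = probetoremote, pingCtlTestName = test-name
Aug 24 10:00:51 srx rmopd[1234]: PING_RTT_THRESHOLD_EXCEEDED: pingCtlOwnerIndex = probetoremote, pingCtlTestName = test-name
Aug 24 10:00:55 srx rmopd[1234]: PING_TEST_COMPLETED: pingCtlOwnerIndex = probetoremote, pingCtlTestName = other-test
"""

EVENT_RE = re.compile(
    r"rmopd\[\d+\]: (?P<event>PING_[A-Z_]+): "
    r"pingCtlOwnerIndex = (?P<owner>[^,]+), pingCtlTestName = (?P<test>\S+)"
)

# Assumptions for this example: a completed test means "this round was
# healthy" and clears the streak; a failed test is a failure on its own.
RESET_EVENTS = {"PING_TEST_COMPLETED"}
FAIL_EVENTS = {"PING_TEST_FAILED"}


def parse_events(log_text):
    """Yield (event, owner, test) for every rmopd PING_* line; skip the rest."""
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.group("event"), m.group("owner").strip(), m.group("test")


def evaluate(log_text, consecutive=3):
    """Replay the log and return {(owner, test): state}.

    state is "down" after PING_TEST_FAILED, "degraded" once `consecutive`
    RTT-threshold events arrive with no healthy completion in between,
    and "ok" otherwise.
    """
    streak = defaultdict(int)
    state = {}
    for event, owner, test in parse_events(log_text):
        key = (owner, test)
        if event in FAIL_EVENTS:
            streak[key] = 0
            state[key] = "down"
        elif event in RESET_EVENTS:
            streak[key] = 0
            state[key] = "ok"
        elif event == "PING_RTT_THRESHOLD_EXCEEDED":
            streak[key] += 1
            if state.get(key) != "down":
                state[key] = "degraded" if streak[key] >= consecutive else "ok"
    return state


if __name__ == "__main__":
    for (owner, test), st in evaluate(SAMPLE_LOG).items():
        print(f"{owner}/{test}: {st}")
```

The `consecutive` knob is the part to tune: with the sample stream the test-name probe ends up "degraded" at 3 but stays "ok" at 4, which is exactly the trade-off between reacting to a genuinely slow link and flapping on a single slow round.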


Comcast / Xfinity with IPv6

I would love to know if anyone has been able to get a stable dual stack config on an SRX. And if so, to please share as much of the config as you can. 

 

The reason is that I have had a case open for well over 6 months where my SRX300 at my home office will only get an IPv4 address from the ISP maybe 1 time in 20. And that's not 1 in 20 DHCP request packets, but rather 1 in 20 reboots of the SRX itself.

 

We have tried everything imaginable to get this working in any reliable way (even buying 2 more cable modems to test with). 4 JTAC engineers have all come up empty, escalating it each time only for it to get bumped up to the next level. Incredibly, even ATAC engineers are scratching their heads. When I asked the current ATAC engineer (Bay Area) if he is on Comcast he said he is, but runs D-LINK himself. I have even asked each engineer along the way to solicit the broader internal team to see if anyone, anyone!, is running an SRX with Comcast at home and nothing has come from that. The previous mentions on these forums also do not inspire any confidence. 

Anyway, before I finally just conclude that Junos is not even run reliably and is personally shunned by Juniper engineers themselves, and should therefore no longer be in my future, and throw this thing out, I wanted to at least ask the community whether it's even remotely worth the effort going forward.

Re: VPN site to site Juniper-Cisco with 8 encryption domain

Hi,

I know this is marked as resolved but it might be worth mentioning... The Cisco ASA uses policy-based IPsec, and it looks like the Juniper side is route-based. This will work if there is only 1 encryption domain, not several traffic selectors as usually used when doing route-based between two devices.

There are KBs on the Juniper side that explain this in detail.

Ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB20543&cat=SRX_SERIES&actp=LIST

 

So one option is to set up policy-based on the Juniper as well, or simplify the encryption domain a bit to get it down to one.

I've been told that some ASAs (maybe older ones) can't handle the setup of using the peer IP (gateway IP) as both peer IP and encryption domain to NAT the network behind it. But I haven't been able to try it myself 🙂

I hope this information might help someone out there!

 

//Rob

 

SRX300-series with routing-instance is not sending flow-related syslog

Hi,

I have an SRX300, configured the same way as older SRX 2XX devices. The major difference is that this one is running the newer Junos version.

The syslog server is hosted remotely. The control-plane logs from the platform are showing up, but nothing related to the traffic.

I have a custom routing-instance that has knowledge of the network.

There is forwarding (next-table) between the default instance and the custom vr. So the routing between them looks fine, both ways.

show configuration security log | display set
set security log mode stream
set security log format sd-syslog
set security log source-address 172.22.1.7
set security log stream JSA format sd-syslog
set security log stream JSA category all
set security log stream JSA host 172.25.2.1
set security log stream JSA host port 514
set security log stream JSA host routing-instance client_VR

 

Any good ideas on basic stuff I may have missed? Or any ideas for troubleshooting?

I can see these logs at the JSA (checking via tcpdump):

set system syslog user * any emergency
set system syslog host 172.25.2.1 any any
set system syslog host 172.25.2.1 match "!.(Failed to connect to the server after 0 retries)|(!.*Time since last watchdog strob.*)"
set system syslog host 172.25.2.1 structured-data

 

Thanks in advance!

//Rob

SRX dhcp server stopped working

Hi,

 

JDHCPD stopped assigning proper IP addresses to the users.

 

Example of configuration:

set access address-assignment pool mobile family inet host user-notebook hardware-address 34:7d:f6:65:5d:2e

set access address-assignment pool mobile family inet host user-notebook ip-address 192.168.100.221

 

root@SRX2# run show dhcp server binding | match 34:7d:f6:65:5d:2e    

192.168.100.187   13180       34:7d:f6:65:5d:2e  86082       BOUND      reth0.100   

 

As you can see, DHCP assigned the .187 IP instead of .221. It worked before, but it suddenly stopped. I tried restarting the DHCP daemon, but without success. When enabling traceoptions for DHCP, I see these errors:

 

Aug 24 14:32:56.031278 [MSTR][ERROR][default:default][SVR][INET][reth0.10][SID=10726] jdhcpd_rpd_add_route: RPD route addition failed - no attempt to retry

 

 

Any idea, please?
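
When a reservation silently stops being honoured, the quickest way to see how widespread the problem is on a box with many static hosts is to diff the configured reservations against the live binding table. The block below is an added example, not code from the post or from Juniper; it parses the `display set` reservation lines and the `show dhcp server binding` layout quoted in the post. The inputs are constructed: the notebook's MAC and addresses are the ones from the post, the printer and scanner hosts are made up for the example.

```python
"""Added example (not from the post): audit JDHCPD static reservations
against the live binding table and report hosts that were given an
address other than the reserved one, or no address at all."""
import re

# Constructed sample input in the formats quoted in the post.
RESERVATION_CONFIG = """\
set access address-assignment pool mobile family inet host user-notebook hardware-address 34:7d:f6:65:5d:2e
set access address-assignment pool mobile family inet host user-notebook ip-address 192.168.100.221
set access address-assignment pool mobile family inet host printer hardware-address 00:11:22:33:44:55
set access address-assignment pool mobile family inet host printer ip-address 192.168.100.230
set access address-assignment pool mobile family inet host scanner hardware-address 00:11:22:33:44:66
set access address-assignment pool mobile family inet host scanner ip-address 192.168.100.231
"""

BINDING_TABLE = """\
IP address        Session Id  Hardware address   Expires     State      Interface
192.168.100.187   13180       34:7d:f6:65:5d:2e  86082       BOUND      reth0.100
192.168.100.230   13181       00:11:22:33:44:55  86400       BOUND      reth0.100
192.168.100.150   13182       aa:bb:cc:dd:ee:ff  86400       BOUND      reth0.100
"""

HOST_RE = re.compile(
    r"^set access address-assignment pool (\S+) family inet host (\S+) "
    r"(hardware-address|ip-address) (\S+)$"
)
BIND_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+([0-9a-fA-F:]{17})\s+\d+\s+(\S+)\s+(\S+)"
)


def parse_reservations(config_text):
    """Return {mac: (pool, host, reserved_ip)} for every host that has both
    a hardware-address and an ip-address configured."""
    hosts = {}
    for line in config_text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            pool, host, key, value = m.groups()
            hosts.setdefault((pool, host), {})[key] = value.lower()
    return {
        v["hardware-address"]: (pool, host, v["ip-address"])
        for (pool, host), v in hosts.items()
        if "hardware-address" in v and "ip-address" in v
    }


def parse_bindings(table_text):
    """Return {mac: (ip, state, interface)}; the header line does not match."""
    bindings = {}
    for line in table_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            ip, mac, state, iface = m.groups()
            bindings[mac.lower()] = (ip, state, iface)
    return bindings


def audit(config_text, table_text):
    """Return [(mac, host, reserved_ip, actual_ip)] for every reservation that
    is not honoured; actual_ip is None when the host has no binding at all."""
    reservations = parse_reservations(config_text)
    bindings = parse_bindings(table_text)
    findings = []
    for mac, (pool, host, reserved_ip) in sorted(reservations.items()):
        bound = bindings.get(mac)
        if bound is None:
            findings.append((mac, host, reserved_ip, None))
        elif bound[0] != reserved_ip:
            findings.append((mac, host, reserved_ip, bound[0]))
    return findings


if __name__ == "__main__":
    for mac, host, want, got in audit(RESERVATION_CONFIG, BINDING_TABLE):
        print(f"{host} ({mac}): reserved {want}, bound {got or 'nothing'}")
```

A host with no binding is reported separately from a host bound to the wrong address, because the two point at different things: the first may simply be offline, while the second is the symptom described in the post and lines up with the jdhcpd_rpd_add_route trace error, where the daemon could not install the route for the reserved address.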

 

 

Re: Could not open user interface connection: management daemon not responding

Hi,

 

Sometimes the management daemon may stop working if you have made some changes from the shell or deleted some folders.

In this case, a reboot may automatically recreate these files and the management daemon will come up.

 

To perform reboot from shell, just type "reboot"

%reboot

 

Regards,

Jagrati Agarwal

Product Consultant – Security

Juniper Professional Services
