Channel: All SRX Services Gateway posts

Default static route next-hop INTERFACE - SRX


Hello,

 

Is there a way to set default static route next-hop INTERFACE in a SRX345?

 

We have a config where the LAN and external-facing interfaces are on the same subnet (it must be like this) and we must route 0.0.0.0/0 traffic to the router (also in the same subnet).

 

Thank you indeed!


Re: Default static route next-hop INTERFACE - SRX

Hello,

The next-hop type "interface" is applicable to the st0 interface, the lt interface and the pp0 interface. It is not applicable to normal Ethernet interfaces.

Re: Default static route next-hop INTERFACE - SRX


Hello!

Thank you.

 

Do you know if there's any other solution that can be implemented to indicate which interface to go out of in the same subnet? Maybe forcing metrics, routing-instances and rib-groups, or something like that?

 

Thank you

Re: Access port without ethernet-switching


Hi, 

 

If you want to pass untagged frames, you can use the native-vlan-id to allow it. Here is a KB article that explains how it works:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB17419

 

On your setup, you will need to configure it as:

 

set vlans VLAN10 vlan-id 10

set vlans VLAN10 l3-interface irb.10

set interfaces irb.10 family inet address 10.10.10.1/24

 

#interface towards the host:

set interfaces ge-0/0/1 native-vlan-id 10

set interfaces ge-0/0/1.0 family ethernet-switching vlan members 10

 

#interface towards the router:

set interfaces ge-0/0/x native-vlan-id 10

set interfaces ge-0/0/x.0 family ethernet-switching vlan members 10

 

This will allow untagged or tagged frames to flow from the PC towards the router. You can also use family inet interfaces instead.

 

Re: Access port without ethernet-switching


Hi!

Thank you Jospina!

I tried your suggestions, but it is not possible to set native-vlan-id on ethernet-switching interfaces unless they are interface-mode trunk (on the SRX):

 

native-vlan-id can be specified with flexible-vlan-tagging mode or with interface-mode trunk

 

I was able to set native-vlan-id on the router-facing interface, and the PC can ping the FW but the router can't. I also tried flexible-vlan-tagging, but no luck.

ge-0/0/0 {
    native-vlan-id 10;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members vlan_10;
            }
        }
    }
}
ge-0/0/1 {
    flexible-vlan-tagging;
    native-vlan-id 10;
}
irb {
    unit 10 {
        family inet {
            address 10.10.10.1/24;
        }
    }
}

show vlans
vlan_10 {
    vlan-id 10;
    l3-interface irb.10;
}

 

Do you know how to workaround this?
Thank you!

 

 

 

Re: Access port without ethernet-switching


To clarify: what I need is to tag the incoming untagged traffic on ge-0/0/1 so it can go out tagged through ge-0/0/0.x, because the router expects it tagged.

Re: Default static route next-hop INTERFACE - SRX


Thank you!

 

I think I have succeeded; I have not used tunnels, but I think it works.

Before posting the solution, there is a problem that I have not been able to solve:

Communication between a port on a local network (not a VLAN) and devices on a network whose input port is an access port.

How can I configure the SRX to get communication flowing between a PC in the local net (2.2.2.10/24) and a PC at 10.10.10.10/27?

Does someone have an idea? I tried setting up a native VLAN on the trunk port (because it shares the same IP), but no luck.

Thanks!

ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ VLAN10 VLAN11 ];
            }
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members VLAN10;
            }
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family inet {
            address 2.2.2.1/24;
        }
    }
}
irb {
    unit 10 {
        family inet {
            address 10.10.10.1/27;
        }
    }
}
VLAN10 {
    vlan-id 10;
    l3-interface irb.10;
}

 


Re: Untagged/access port LAN to VLAN-tagged External - Configuration problem


Sorry for the delay in response, but I finally got my hands on a newer-generation SRX in the lab to do some testing.

Need to confirm that the irb.10 interface is assigned to a security zone, and that the security zone has the appropriate policy in place to allow traffic.

In addition to the difference you note in the Ethernet assignment command, the forwarding mode that allows mixed Ethernet/Layer 3 needs to be enabled in the configuration, with a reboot after it is first applied.

 

Check the current mode with:

root> show ethernet-switching global-information
Global Configuration:

MAC aging interval    : 300
MAC learning          : Enabled
MAC statistics        : Disabled
MAC limit Count       : 24575
MAC limit hit         : Disabled
MAC packet action drop: Disabled
LE  aging time        : 1200
LE  VLAN aging time   : 1200
Global Mode           : Switching   <<< this is needed for the configuration here

If it is blank, the following command needs to be added, with a reboot afterwards:

set protocols l2-learning global-mode switching

 

Re: RPM probe ping response time


Just for the sake of completeness: I did some more testing and found that whether the rtt threshold works depends on the Junos version. I used an old SRX-100 that I had lying around, running 12.1X46-D35.1. That Junos version exhibits the behavior I described earlier, that is, the only effect of the 'rtt' statement is that it generates PING_RTT_THRESHOLD_EXCEEDED messages.

In a more recent version (15.1X49-D211) the behavior is different: the rtt threshold is taken into account. But the effect is that as soon as just one ping exceeds the set round-trip time, the probe fails immediately. This kind of makes sense. But if your probe consists of multiple pings, then as soon as one ping is missing, regardless of the total-loss and successive-loss thresholds, the probe will fail.

SRX IPsec site-to-site phase-2 problem - Zyxel ZyWall USG

Hello guys.

 

Been troubleshooting a VPN phase 2 that won't come up between an SRX-300 and a Zyxel ZyWall. I have run out of ideas; the phase-2 proposal seems to mismatch even though we use the same authentication, encryption and lifetime.

 

Ipsec bind-interface = st0.192

st0.192 = family inet

security-zone trust = interface st0.192 

 

JUNIPER SRX-300 19.1R3.9

show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
435775  UP     eagha5j60e874f5f  535161361a43a7c5  Main  2.2.2.2

show security ipsec sa
Total active tunnels: 0
Total Ipsec sas: 0

IKE proposal
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;

IPSEC proposal
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;

IPSEC bind-interface st0.192

show interfaces st0.192
family inet {
    address 169.254.1.2/30;
}

show security zones
security-zone trust
host-inbound-traffic {
    system-services {
        any-service;
    }
    protocols {
        all;
    }
}
interfaces {
    st0.192;
}

 

Zyxel ZyWall USG

Phase2 cryptography mapping: VPN
  VPN gateway: VPN_1
  encapsulation: tunnel
  active protocol: esp
  transform set: 1
    encryption: aes256
    authentication: sha
  SA lifetime: 86400
  PFS: none
  nail up: no
  scenario: site-to-site-static
  l2tp: no
  local policy: VPN_local
  remote policy: VPN_Remote
  policy enforcement: no
  replay detection: no
  adjust mss: yes
  mss value: 0
  stop rekeying: no
  NetBIOS broadcast over IPSec: no
  outbound SNAT: no

 

SRX IKE debug logs

[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_i_n: Start, doi = 1, protocol = 3, code = No proposal chosen (14), spi[0..4] = 62ba1579 00000000 ..., data[0..50] = 800c0001 00060022 ...
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Notification data has attribute list
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Notify message version = 1
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Error text = Could not find acceptable proposal

 

Re: SRX IPsec site-to-site phase-2 problem - Zyxel ZyWall USG

More IKE debug log output

 

[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] Triggering the IKE negotiation ....
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] iked_async_ike_trigger_msg_handler: Triggering IKE negotiation for tunnel-id:131076 Set traffic trigger flag for sa_cfg:ike-gw-1
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] Triggering negotiation for ike-gw-1 config block
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] iked_pm_trigger_callback: lookup peer entry for gateway ike-gw-1, local_port=500, remote_port=500
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] iked_pm_trigger_callback: FOUND peer entry for gateway ike-gw-1
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] Using existing ike SA 436045 for gateway ike-gw-1
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] iked_pm_trigger_negotiation Set p2_ed in sa_cfg=ike-gw-1
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] iked_pm_trigger_negotiation Convert traffic selectors from V1 format to V2 format for narrowing/matching selectors

[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_fallback_negotiation_alloc: Allocated fallback negotiation 148e800
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_fb_i_qm_negotiation_start: FSM_SET_NEXT:ikev2_fb_i_qm_negotiation_negotiate
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] iked_pm_ipsec_spi_allocate: local:1.1.1.1, remote:2.2.2.2 IKEv1
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] iked_pm_ipsec_spi_allocate: local:1.1.1.1, remote:2.2.2.2 IKEv1
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_fb_st_i_qm_sa_alloc_spi: FSM_SET_NEXT:ikev2_fb_st_i_qm_sa_notify_request
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_fb_st_i_qm_sa_notify_request: FSM_SET_NEXT:ikev2_fb_st_i_qm_sa_request
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] iked_pm_ike_spd_notify_request Parse notification paylad in last received pkt
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_fb_st_i_qm_sa_request: FSM_SET_NEXT:ikev2_fb_st_i_qm_result
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_fallback_negotiation_free: Fallback negotiation 148e800 has still 1 references
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_fb_i_qm_negotiation_negotiate: FSM_SET_NEXT:ikev2_fb_i_qm_negotiation_result
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ssh_ike_connect_ipsec: SA = { 393c45cc 50d161d1 - 50e6f538 046c37b0}, nego = 0
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Initiator) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [0] / 0x6c4d49c5 } QM; Start ipsec sa negotiation
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Initiator) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [0] / 0x6c4d49c5 } QM; Version = 1.0, Input packet fields = 0000
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_state_step: Current state = Start QM I (14)/-1, exchange = 32, auth_method = phase1, Initiator
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_o_qm_hash_1: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_o_qm_sa_proposals: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_o_qm_nonce: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_policy_reply_qm_nonce_data_len: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_o_qm_optional_ke: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Initiator) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [0] / 0x6c4d49c5 } QM; No PFS requested by caller
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_o_qm_optional_ids: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_qm_optional_id: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_qm_optional_id: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_o_private: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] Construction NHTB payload for local:1.1.1.1, remote:2.2.2.2 IKEv1 P1 SA index 436045 sa-cfg ike-gw-1
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg ike-gw-1, p1_sa=436045
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_policy_reply_private_payload_out: Start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_o_encrypt: Marking encryption for packet
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Initiator) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [0] / 0x6c4d49c5 } QM; Output of phase 2 IV hash[16] = 0xeebffdcc d4d366f6 86295edd 2d2882d0
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_state_step: All done, new state = QM HASH SA I (16)
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_finalize_qm_hash_1: Hash[0..32] = 14cb4a12 77c007f7 ...
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] IKEv1 packet S(<none>:500 -> 2.2.2.2:500): len= 172, mID=6c4d49c5, HDR, HASH, SA, Nonce, ID, ID
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_send_packet: Start, send SA = { 393c45cc 50d161d1 - 50e6f538 046c37b0}, nego = 0, dst = 2.2.2.2:500
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ---------> Received from 2.2.2.2:500 to 1.1.1.1:0, VR 0, length 140 on IF
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_v1_get_sa
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_sa_find: Found SA = { 393c45cc 50d161d1 - 50e6f538 046c37b0 }
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_packet_st_input_v1_get_sa: FSM_SET_NEXT:ikev2_packet_v1_start
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_get_sa: Start, SA = { 393c45cc 50d161d1 - 50e6f538 046c37b0 } / 2b97a63f, remote = 2.2.2.2:500
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_sa_find: Found SA = { 393c45cc 50d161d1 - 50e6f538 046c37b0 }
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; New informational negotiation
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Packet to old negotiation
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Output of phase 2 IV hash[16] = 0xdd8f412e 20602562 53c79ddb 97b2e420
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] IKEv1 packet R(<none>:500 <- 2.2.2.2:500): len= 140, mID=2b97a63f, HDR, HASH, N(NO_PROPOSAL_CHOSEN)
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Version = 1.0, Input packet fields = 0220 HASH N
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_state_step: Current state = Done (53)/-1, exchange = 5, auth_method = any, Responder
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_i_encrypt: Check that packet was encrypted succeeded
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_i_gen_hash: Start, hash[0..32] = 42714506 0ce3b8f1 ...
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ike_st_i_n: Start, doi = 1, protocol = 3, code = No proposal chosen (14), spi[0..4] = 62ba1579 00000000 ..., data[0..50] = 800c0001 00060022 ...
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Notification data has attribute list
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Notify message version = 1
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Error text = Could not find acceptable proposal
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Offending message id = 0x6c4d49c5
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Initiator) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [0] / 0x6c4d49c5 } QM; Removing negotiation
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Initiator) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [0] / 0x6c4d49c5 } QM; Connection got error = 14, calling callback
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Initiator) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [0] / 0x6c4d49c5 } QM; Deleting negotiation
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_fallback_negotiation_free: Fallback negotiation 148e800 has still 1 references
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] Inside iked_pm_ipsec_sa_done

[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] IPSec negotiation failed for SA-CFG ike-gw-1 for local:1.1.1.1, remote:2.2.2.2 IKEv1. status: No proposal chosen
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] P2 ed info: flags 0x8082, P2 error: Error ok
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] IKEv1 Error : No proposal chosen
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] IPSec SA done callback. ed 1496028. status: No proposal chosen
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] ikev2_fallback_negotiation_free: Freeing fallback negotiation 148e800
[Sep 7 11:03:32][1.1.1.1 <-> 2.2.2.2] iked_config_stage_update_and_activate update_required for sa_cfg = ike-gw-1
[Sep 7 11:03:32][1.1.1.1 <-> 2.2.2.2] iked_sa_cfg_get_parent_sa_cfg_child_sas_count No parent for sa_cfg ike-gw-1 count is 0
[Sep 7 11:03:32][1.1.1.1 <-> 2.2.2.2] kmd_update_tunnel_interface:
[Sep 7 11:03:32][1.1.1.1 <-> 2.2.2.2] iked_update_tunnel_interface_by_ifname: update ifl st0.192 status UP
[Sep 7 11:03:32][1.1.1.1 <-> 2.2.2.2] iked_stop_vpnm_timer: processing SA ike-gw-1
[Sep 7 11:08:42][1.1.1.1 <-> 2.2.2.2] iked_config_stage_update_and_activate update_required for sa_cfg = ike-gw-1
[Sep 7 11:08:42][1.1.1.1 <-> 2.2.2.2] iked_sa_cfg_get_parent_sa_cfg_child_sas_count No parent for sa_cfg ike-gw-1 count is 0
[Sep 7 11:08:42][1.1.1.1 <-> 2.2.2.2] kmd_update_tunnel_interface:
[Sep 7 11:08:42][1.1.1.1 <-> 2.2.2.2] iked_update_tunnel_interface_by_ifname: update ifl st0.192 status UP
[Sep 7 11:08:42][1.1.1.1 <-> 2.2.2.2] iked_stop_vpnm_timer: processing SA ike-gw-1

Re: SRX IPsec site-to-site phase-2 problem - Zyxel ZyWall USG

Hello Sesa,

 

Since you are getting the VPN error message "No Proposal Chosen", I suspect two things: either the VPN parameters didn't match, or it might be a sync issue between the RE and the PFE.

Can you try the steps below and let me know whether it helps?

  1. Perform a commit full. This will re-sync the configuration from the RE to the PFE. Performing a commit full will impact traffic, so better do it during off-production hours or during an MW.
  2. The VPN is between an SRX and a 3rd-party vendor, so check whether proxy identities or traffic selectors are required, because by default the SRX will send a proxy-id of 0.0.0.0/0 and certain vendors will not accept 0.0.0.0/0.
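As an added example (not code from this thread, from Juniper or from Zyxel), here is a small Python script that applies the two checks the reply above points at to the material in the question: it pulls the failure reason out of the IKE debug lines quoted earlier and tells whether it belongs to a Quick Mode (phase 2) exchange, then compares the SRX and Zyxel phase-2 parameters after normalising vendor spelling. The log lines and parameter values are copied from the thread; the mapping of vendor names (for instance treating the Zyxel "sha" as SHA-1) is an assumption noted in the code.

```python
"""Added example: classify an IKEv1 NO_PROPOSAL_CHOSEN from SRX debug output
and diff two vendors' phase-2 parameters after normalising their spelling."""
import re

# IKE debug lines copied from the post (only the ones the parser needs).
IKE_DEBUG = """\
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Initiator) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [0] / 0x6c4d49c5 } QM; Start ipsec sa negotiation
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Initiator) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [0] / 0x6c4d49c5 } QM; No PFS requested by caller
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] IKEv1 packet R(<none>:500 <- 2.2.2.2:500): len= 140, mID=2b97a63f, HDR, HASH, N(NO_PROPOSAL_CHOSEN)
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Error text = Could not find acceptable proposal
[Sep 7 11:00:57][1.1.1.1 <-> 2.2.2.2] <none>:500 (Responder) <-> 2.2.2.2:500 { 393c45cc 50d161d1 - 50e6f538 046c37b0 [1] / 0x2b97a63f } Info; Offending message id = 0x6c4d49c5
"""

QM_RE = re.compile(r"/ 0x([0-9a-f]+) \} QM;")                 # message ids of our Quick Mode exchanges
NOTIFY_RE = re.compile(r"IKEv1 packet R\(.*?\):.*?N\(([A-Z_]+)\)")  # notify payload the peer sent
OFFENDING_RE = re.compile(r"Offending message id = 0x([0-9a-f]+)")
ERROR_RE = re.compile(r"Error text = (.+)$")


def summarize_ike_failure(log):
    """Return the peer's notify and whether it refers to a phase-2 exchange."""
    qm_ids, notify, offending, error = set(), None, None, None
    for line in log.splitlines():
        m = QM_RE.search(line)
        if m:
            qm_ids.add(m.group(1))
        m = NOTIFY_RE.search(line)
        if m:
            notify = m.group(1)
        m = OFFENDING_RE.search(line)
        if m:
            offending = m.group(1)
        m = ERROR_RE.search(line)
        if m:
            error = m.group(1).strip()
    # The notify names the message id it rejects; if that id is one of our
    # Quick Mode negotiations the peer is refusing the phase-2 proposal.
    phase = 2 if offending in qm_ids else "unknown"
    return {"notify": notify, "error_text": error,
            "offending_msg_id": offending, "phase": phase}


# Phase-2 parameters exactly as each side prints them in the post.
SRX_PHASE2 = {"protocol": "esp", "encryption-algorithm": "aes-256-cbc",
              "authentication-algorithm": "hmac-sha1-96",
              "lifetime-seconds": "86400", "perfect-forward-secrecy": None}
ZYXEL_PHASE2 = {"active protocol": "esp", "encryption": "aes256",
                "authentication": "sha", "SA lifetime": "86400", "PFS": "none"}

# Assumed mapping of each vendor's field names onto one canonical vocabulary.
CANONICAL_KEYS = {
    "protocol": "protocol", "encryption-algorithm": "encryption",
    "authentication-algorithm": "integrity", "lifetime-seconds": "lifetime",
    "perfect-forward-secrecy": "pfs",
    "active protocol": "protocol", "encryption": "encryption",
    "authentication": "integrity", "SA lifetime": "lifetime", "PFS": "pfs",
}
# Assumed value aliases; "sha" -> SHA-1 is an assumption about the Zyxel output.
VALUE_ALIASES = {"aes-256-cbc": "aes256", "aes-128-cbc": "aes128",
                 "3des-cbc": "3des", "hmac-sha1-96": "sha1",
                 "hmac-sha-256-128": "sha256", "hmac-md5-96": "md5", "sha": "sha1"}


def normalize(params):
    out = {}
    for key, value in params.items():
        raw = "none" if value is None else str(value).strip().lower()
        out[CANONICAL_KEYS[key]] = VALUE_ALIASES.get(raw, raw)
    return out


def compare_phase2(local, remote):
    """List (parameter, local, remote) triples that differ after normalising."""
    a, b = normalize(local), normalize(remote)
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


if __name__ == "__main__":
    print(summarize_ike_failure(IKE_DEBUG))
    mismatches = compare_phase2(SRX_PHASE2, ZYXEL_PHASE2)
    print("visible phase-2 mismatches:", mismatches or "none")
```

When the visible parameters agree, as they do for the values quoted here, a phase-2 NO_PROPOSAL_CHOSEN has to come from something the two outputs do not show, which is why the reply asks about proxy-IDs and traffic selectors next.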

SRX flowd problem


Hi!

Help me, please. And sorry for my English 😃

I have the scheme shown in the picture.

[image: schema est.jpeg]

I want to send all outbound traffic through the Cisco FTD. I configured FBF, the firewall filter and static routes:

 

# show route
inet.0: 84 destinations, 86 routes (83 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 8w3d 05:02:20
                    > to 2.2.2.2 via ge-0/0/15.0
10.16.1.0/30       *[Direct/0] 5w0d 20:02:39
                    > via vlan.401
10.16.1.1/32       *[Local/0] 25w4d 02:38:27
                      Local via vlan.401
192.168.0.0/24     *[Direct/0] 5w0d 20:02:39
                    > via vlan.3
192.168.0.78/32    *[Local/0] 35w3d 20:57:55
                      Local via vlan.3
...
...

to-ftd-route-table.inet.0: 76 destinations, 78 routes (75 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 5w0d 20:02:38
                    > to 10.16.1.2 via vlan.401
10.16.1.0/30       *[Direct/0] 5w0d 20:02:39
                    > via vlan.401
10.16.1.1/32       *[Local/0] 5w0d 20:02:39
                      Local via vlan.401
192.168.0.0/24     *[Direct/0] 5w0d 20:02:39
                    > via vlan.3
192.168.0.78/32    *[Local/0] 5w0d 20:02:39
                      Local via vlan.3
...
...

# show configuration
firewall {
    family inet {
        filter lan-filter {
            term to-ftd {
                from {
                    source-address {
                        192.168.0.0/24;
                    }
                }
                then {
                    routing-instance to-ftd-route-table;
                }
            }
            term default {
                then accept;
            }
        }
…
…
policies {
    from-zone EST to-zone Internet {
        policy All_EST_Internet {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone EST to-zone EST {
        policy EST_to_EST {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
…
…
vlan {
    unit 3 {
        family inet {
            filter {
                input lan-filter;
            }
            address 192.168.0.78/24;
        }

Everything works well, but there is one problem: I cannot connect to the internal servers from the Internet. I have configured DNAT on the Cisco FTD and it works fine.

When the connection is established, the first TCP SYN packet reaches the server. The server replies with a SYN-ACK packet, but it is not returned to the client; it is dropped on the SRX. This is how it looks on the server:

[image: itbn_0-1599492435372.png]

This problem can be solved by disabling flow mode for the 192.168.0.115 server on the SRX, and then everything works well. Can you please tell me why this works only in packet mode? And how can I solve this problem?

Thank you in advance! 

 

Re: SRX flowd problem


Your basic issue is asymmetric routing, where return traffic from PC 2 to PC 1 will by default be routed to the Internet interface on the SRX.

You have worked around this by using filter-based forwarding (aka FBF), not by disabling the flow engine as stated. It's correct that a firewall filter can be used to do selective packet mode on some traffic, disabling the flow engine... but this is not the case here.

You overall have two options to solve this:

1. Configure source NAT on the Cisco FTD, hiding traffic behind 10.1.16.2. That way traffic will be routed correctly back to the Cisco device, but you lose visibility.

2. Create a static route for 217.66.159.246/32 (or a matching prefix) on the SRX and point it towards 10.1.16.2. The rest of the Internet-destined traffic will still exit via the INTERNET zone on the SRX.

 

I hope this clarifies.


[vSRX] SSL forwarding proxy not working


Hi,

I need to test SSL FP on vSRX 18.4, 19.4 and 20.2. I did everything as I'm used to.

  • generate a key

  • build a root CA

  • Import the CA and the key to vSRX

  • configure an SSL FP profile

  • activate the profile on a policy

The problem is that the FP doesn't seem to work at all.

  • on a Linux machine connected to the SRX

root@ssl-lab:~$ openssl s_client -showcerts -servername www.google.com -connect www.google.com:443 2>/dev/null</dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -inform pem -noout -text  | grep -i "issuer: "
        Issuer: C = US, O = Google Trust Services, CN = GTS CA 1O1
  • on the vSRX

root@vSRX> show security pki local-certificate
LSYS: root-logical-system
Certificate identifier: ssl-lab
  Issued to: vSRX, Issued by: C = N/A, ST = N/A, L = N/A, O = SRX SSL FP Lab, OU = IT, CN = vSRX, emailAddress = test@test.com
  Validity:
    Not before: 09- 7-2020 15:04 UTC
    Not after: 09- 5-2030 15:04 UTC
  Public key algorithm: rsaEncryption(4096 bits)
root@vSRX> show configuration services ssl
proxy {
    global-config {
        disable-cert-cache;
    }
    profile SSL-Lab-Proxy {
        preferred-ciphers strong;
        trusted-ca all;
        root-ca ssl-lab;
        actions {
            log {
                all;
            }
            renegotiation allow;
            allow-strong-certificate;
        }
    }
}
root@vSRX> show configuration security policies
from-zone trust to-zone untrust {
    policy allow-any {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    ssl-proxy {
                        profile-name SSL-Lab-Proxy;
                    }
                }
            }
        }
    }
}
root@vSRX> show services ssl proxy statistics
PIC:fwdd0 fpc[0] pic[0] ------
        sessions matched                                  32
        sessions bypassed:non-ssl                          0
        sessions bypassed:mem overflow                     0
        sessions bypassed:low memory                       0
        sessions created                                   0
        sessions ignored                                   0
        sessions active                                    0
        sessions dropped                                   0
        sessions whitelisted                               0
        whitelisted url category match                     0
        default profile hit                                0
        session dropped no default profile                 0
        policy hit no profile configured                   0

Weirdly, I see matched but no created, ignored, active, etc. sessions.

I set traceoptions on the SSL service, and it seems as if the SRX thinks the communication is UDP and not TCP.

[edit]
root@vSRX# show services ssl traceoptions
file SSL-FP.log size 10m files 5 world-readable;
flag all;

[edit]
root@vSRX# run show log SSL-FP.log
Sep 7 21:37:22 vSRX clear-log[28481]: logfile cleared
Sep  7 20:37:31 20:37:30.864921:CID-0:RT:junos-ssl-proxy jssl_proxy_policy_handle_session_interest[1842]: [1207] protocol(17) !=  IPPROTO_TCP(6)
Sep  7 20:37:36 20:37:36.448154:CID-0:RT:junos-ssl-proxy jssl_proxy_policy_handle_session_interest[1842]: [1209] protocol(17) !=  IPPROTO_TCP(6)
Sep  7 20:37:36 20:37:36.448522:CID-0:RT:junos-ssl-proxy jssl_proxy_policy_handle_session_interest[1842]: [1210] protocol(17) !=  IPPROTO_TCP(6)

I'm testing either using openssl s_client or curl, and I don't see anything suspicious in flow sessions.

[edit]
root@vSRX# run show security flow session destination-port 443
Session ID: 1284, Policy name: allow-any/4, Timeout: 1798, Valid
  In: 192.168.53.10/51518 --> 74.125.193.94/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 5, Bytes: 605,
  Out: 74.125.193.94/443 --> 172.16.1.146/16678;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 5, Bytes: 2849,
Total sessions: 1

So far, I tested this on 18.4R3 and 19.4R2.6.

Any idea?
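As an added example (not code from this thread or from Juniper), the following Python turns the two outputs quoted above into a check a practitioner can run against a captured `show services ssl proxy statistics` block and an SSL-FP trace file: it parses the counters, extracts the sessions the proxy refused because the IP protocol it saw was not TCP, and flags the combination of "sessions matched" without "sessions created" that the poster found weird. The sample text is copied from the post; the finding codes are this example's own.

```python
"""Added example: parse SRX ssl-proxy counters and SSL-FP trace lines and flag
a policy that matches sessions but never intercepts one."""
import re

# Counters copied from 'show services ssl proxy statistics' in the post.
PROXY_STATS = """\
PIC:fwdd0 fpc[0] pic[0] ------
        sessions matched                                  32
        sessions bypassed:non-ssl                          0
        sessions bypassed:mem overflow                     0
        sessions bypassed:low memory                       0
        sessions created                                   0
        sessions ignored                                   0
        sessions active                                    0
        sessions dropped                                   0
        sessions whitelisted                               0
        whitelisted url category match                     0
        default profile hit                                0
        session dropped no default profile                 0
        policy hit no profile configured                   0
"""

# Trace lines copied from the SSL-FP.log excerpt in the post.
TRACE_LOG = """\
Sep 7 21:37:22 vSRX clear-log[28481]: logfile cleared
Sep  7 20:37:31 20:37:30.864921:CID-0:RT:junos-ssl-proxy jssl_proxy_policy_handle_session_interest[1842]: [1207] protocol(17) !=  IPPROTO_TCP(6)
Sep  7 20:37:36 20:37:36.448154:CID-0:RT:junos-ssl-proxy jssl_proxy_policy_handle_session_interest[1842]: [1209] protocol(17) !=  IPPROTO_TCP(6)
Sep  7 20:37:36 20:37:36.448522:CID-0:RT:junos-ssl-proxy jssl_proxy_policy_handle_session_interest[1842]: [1210] protocol(17) !=  IPPROTO_TCP(6)
"""

# A counter line is indented, has a lowercase name, two or more spaces, then the value.
COUNTER_RE = re.compile(r"^\s+(?P<name>[a-z][a-z :\-]*?)\s{2,}(?P<value>\d+)\s*$")
# The proxy refusing a session because the IP protocol it saw is not TCP (6).
REJECT_RE = re.compile(
    r"jssl_proxy_policy_handle_session_interest\[\d+\]: \[(?P<sid>\d+)\] "
    r"protocol\((?P<proto>\d+)\) !=\s+IPPROTO_TCP\(6\)")


def parse_proxy_stats(text):
    """Map each counter name to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def parse_protocol_rejects(text):
    """Return (session id, IP protocol number) for every non-TCP refusal."""
    rejects = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append((int(m.group("sid")), int(m.group("proto"))))
    return rejects


def diagnose(stats_text, trace_text):
    """Return (code, message) findings; an empty list means nothing odd."""
    stats = parse_proxy_stats(stats_text)
    rejects = parse_protocol_rejects(trace_text)
    findings = []
    matched, created = stats.get("sessions matched", 0), stats.get("sessions created", 0)
    if matched > 0 and created == 0:
        findings.append(("matched-but-not-created",
                         f"{matched} sessions hit the ssl-proxy policy but none was intercepted"))
    protocols = sorted({proto for _, proto in rejects})
    if protocols:
        findings.append(("non-tcp-protocol",
                         f"{len(rejects)} session(s) refused: proxy saw IP protocol {protocols} instead of TCP (6)"))
    return findings


if __name__ == "__main__":
    for code, message in diagnose(PROXY_STATS, TRACE_LOG):
        print(f"{code}: {message}")
```

Both findings fire on the quoted output, which matches the poster's reading: the policy is being hit, but the proxy is declining every session before creating one because the protocol it is handed is 17, not 6.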

Re: SRX flowd problem


Thanks for answer!


But why are responses from server 192.168.0.115 sent through the inet.0 routing table? After all, I have a firewall filter that tells the router to send packets using the second routing table, to-ftd-route-table.inet.0. And if the initiator of the connection is the server, then the packets really are sent through to-ftd-route-table.inet.0. But when the server is not the initiator, the TCP SYN-ACK packets go through inet.0.

And when I turn off flowd, everything starts working as expected. How does flowd affect route selection? Or is it some kind of bug?
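The answer earlier in the thread and this follow-up question can be seen together in a small simulation. It is an added example, not code from the thread or from Junos: it models a flow-mode session fixing both directions when the first packet arrives, against packet mode evaluating filter and route for every packet on its own. Routing tables, the lan-filter and the addresses come from the `show route` and `show configuration` output in the question (so the FTD next hop is 10.16.1.2 as printed there); the assumption, stated in the comments, is that the session's reverse wing is derived from a route lookup on the first packet's source address in the ingress interface's table, without re-running the ingress filter.

```python
"""Added example: why an FBF filter steers the server's own connections but
not its SYN-ACK replies in flow mode, and what a /32 route changes."""
import ipaddress
from dataclasses import dataclass

# Routing tables modelled on the 'show route' output in the question
# (only the prefixes that matter for server 192.168.0.115 are kept).
ROUTE_TABLES = {
    "inet.0": {
        "0.0.0.0/0": ("ge-0/0/15.0", "2.2.2.2"),
        "10.16.1.0/30": ("vlan.401", None),
        "192.168.0.0/24": ("vlan.3", None),
    },
    "to-ftd-route-table.inet.0": {
        "0.0.0.0/0": ("vlan.401", "10.16.1.2"),
        "10.16.1.0/30": ("vlan.401", None),
        "192.168.0.0/24": ("vlan.3", None),
    },
}
# Every interface in the question sits in the default instance.
INTERFACE_TABLE = {"ge-0/0/15.0": "inet.0", "vlan.401": "inet.0", "vlan.3": "inet.0"}
# 'lan-filter' as an input filter on vlan.3: term to-ftd redirects LAN sources
# to the FTD table, term default accepts into the interface's own table.
FBF_FILTERS = {"vlan.3": [("192.168.0.0/24", "to-ftd-route-table.inet.0")]}


def lookup(table_name, dst):
    """Longest-prefix match; returns (egress interface, next hop or None)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_route = None, None
    for prefix, route in ROUTE_TABLES[table_name].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, route
    return best_route


def select_table(in_if, src):
    """Filter-based forwarding: the ingress filter may override the table."""
    addr = ipaddress.ip_address(src)
    for prefix, table in FBF_FILTERS.get(in_if, []):
        if addr in ipaddress.ip_network(prefix):
            return table
    return INTERFACE_TABLE[in_if]


def forward_packet_mode(in_if, src, dst):
    """Packet mode: every packet gets its own filter and route evaluation."""
    return lookup(select_table(in_if, src), dst)


@dataclass
class Session:
    forward: tuple  # egress for client -> server packets
    reverse: tuple  # egress for server -> client packets


def create_session(in_if, src, dst):
    """Flow mode: the first packet sets both wings. The forward wing honours
    the ingress filter; the reverse wing (assumption modelled here) is a plain
    route lookup on the source address in the ingress interface's table, so
    lan-filter on vlan.3 is never consulted for the server's replies."""
    return Session(forward=forward_packet_mode(in_if, src, dst),
                   reverse=lookup(INTERFACE_TABLE[in_if], src))


def add_host_route(table_name, host, egress, next_hop):
    """The fix suggested in the answer: a /32 for the client towards the FTD."""
    ROUTE_TABLES[table_name][f"{host}/32"] = (egress, next_hop)


def demo():
    client, server = "217.66.159.246", "192.168.0.115"
    # The SYN, already DNATed by the FTD, reaches the SRX on vlan.401.
    packet_mode_synack = forward_packet_mode("vlan.3", server, client)
    session = create_session("vlan.401", client, server)
    add_host_route("inet.0", client, "vlan.401", "10.16.1.2")
    fixed_session = create_session("vlan.401", client, server)
    return packet_mode_synack, session.reverse, fixed_session.reverse


if __name__ == "__main__":
    packet_mode, flow_mode, fixed = demo()
    print("packet mode SYN-ACK egress :", packet_mode)
    print("flow mode reverse wing     :", flow_mode)
    print("after /32 route to the FTD :", fixed)
```

In the simulation the SYN-ACK leaves via vlan.401 towards the FTD in packet mode, but the session built from the inbound SYN carries a reverse wing through ge-0/0/15.0, exactly the asymmetric path the answer describes; adding the /32 for the client moves the reverse wing to the FTD without touching the rest of the default route.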

commit MYT by root via other


Hi Experts,

 

Just saw this when I did a "rollback ?" last night: "MYT by <null> via synchronized" and "MYT by root via other". I'm the only admin of this SRX and I didn't log in on the day those were committed. I did a rollback on the last commit and a "show | compare", and it shows no difference. The question is: how come a commit happened when no one actually made a configuration change on that day, and second, what do "MYT by <null> via synchronized" and "MYT by root via other" mean? Many thanks.

[image: K1mffrey_0-1599551201098.png]

 

bfdd and mib2d shows over 7000 wcpu


Hi Team,

We have recently noticed in our Juniper SRX210 log messages about CPU utilization, and found some processes which are seemingly pretty high in percentage, for example bfdd and mib2d.

 

Can you please let me know if something is wrong.

 
 
 

[images: bfdd.PNG, fpc.PNG]

Re: commit MYT by root via other


Hello, 

 

"MYT by <null> via synchronized" can be caused by scripts or any event-options triggering the commit; I'm not sure about the other.

The best way to investigate this behaviour is to check the interactive-logs. If you haven't configured interactive-logs, please find the procedure in the KB article https://kb.juniper.net/InfoCenter/index?page=content&id=KB30458. This way we can correlate the timestamps and check what triggered the commit operation.
