Re: SRX routing with redundant connections
Let's take a step back. If either firewall can handle all the traffic with room to spare, what exactly is the point of load balancing? Sure, you could do it, but with no benefit. It would just make...
Re: SRX routing with redundant connections
I have independent circuits each with its own IP address. Each circuit goes to one SRX as in post 1. SRX1 has x.x.x.x/30 from ISP, SRX2 has y.y.y.y/30 from ISP. Think of this as having 2 physically...
Re: SRX routing with redundant connections
You wrote: What we are now doing [emphasis added] is the ISP will setup a single managed router that will sit in front of the SRXes and both internet uplinks will terminate into the router So I thought...
Re: SRX100 VPN problem
This should work. Please verify that it works.....
set interfaces fe-0/0/0 unit 0 family inet address x.y.z.14/29
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces...
Re: VPN Passthrough SRX
Hello, Can you share RSI and topology diagram of what you want to achieve? Regards, Rushi
SRX can't ping / access hosts through vpn
Hi! I can ping SRX device from any host within LAN (directly attached to SRX or through vpn), but SRX device itself can't ping devices through vpn. Captured some traffic on destination host with tcpdump -...
Re: SRX can't ping / access hosts through vpn
Do you have Junos-host zone configured? If so you need a policy from Junos-host zone to the external/untrust/trust zone to allow this traffic.
Re: VPN Passthrough SRX
When you say "I see traffic going out but not coming back in", did you check the remote device to confirm whether it's receiving those packets?
Re: VPN Passthrough SRX
Hi, I can't check the other end as it's a different company to ours. I see this output from running a show security flow session Session ID: 325917, Policy name: mortgage-to-untrust/32, Timeout: 1566,...
Re: VPN Passthrough SRX
This shows SRX is not dropping the packet. Is your Destination NAT for the same IP configured in source NAT pool? set security nat source pool gre-nat-pool address "10.10.10.1/32" (made up external ip...
Re: VPN Passthrough SRX
Destination NAT is 10.10.10.2/32, which is a proxy arp ip on the ge-0/0/5 interface. For the source pool I have used the main external interface, which is 10.10.10.1/32.
Re: VPN Passthrough SRX
In that case we need to check with the remote side and confirm if they are receiving the traffic and how they process it.
Re: public subnet routing woes - SRX320
You appear to be hitting a source nat rule then. So create a source nat rule that forces this to be off. Adjust the zone names if needed, these need to match the zones used "from zone" is the zone on...
Re: public subnet routing woes - SRX320
Once again spaluka, I'm in your debt for providing such a straightforward and easy to apply solution. Many, many thanks.
Re: SRX routing with redundant connections
Hi, Using ECMP on the QFX and having separate independent SRX firewalls is very likely to result in asymmetric routing and stateful firewall inspection would be an issue. If the SRXs are independent...
Re: SRX routing with redundant connections
Nikolay, I would like to thank you for your help and your patience with this. We are almost done with the negotiations with the ISP for the managed router. Since we are going to be doing BGP the ISP...
Re: SRX routing with redundant connections
Yes, it sounds right but, again, it depends on what the ISP comes up with in the end. Consider Ashvin's concerns, too. I don't know how / if QFX does ECMP. You really need it to do things just right...
Re: RT_ALT_WRN_CFG_NEED: MSRPC ALG detected packet; needs extra policy
Steve, Thank you. Can you explain to me: why is the Juniper blocking any traffic when I specify I want to allow any source address, any destination address, any application, and any source-identity?...