Channel: All SRX Services Gateway posts
Browsing all 17645 articles

Re: Secondary Index Corrupt

Just to add some further information I just found. During a reboot I get the message "IDP Policy Daemon: Decondary Index corrup: not consistent with primary". So it appears to be related to IDP.  Any...



SRX1400 sh chassis fpc high cpu usage

Hello, I've run in such situation and need some help to debug it. First of all there is not really much behind this SRX1400 with peak of 500 mbps traffic on upstream port. I've turned off all possible...


Re: SRX1500 SSL Proxy Signing hash

Hi All, SOLUTION FOUND!! The only thing that is preventing SSL forward proxy from working seamlessly with the major browsers is as you report the SRX when doing SSL-T-SSL (generating the certificate...


Re: SSL Forward Proxy

Hi you can utilise Group Policy or local Security Policy settings for Google Chrome to allow SHA1 to work around this...


Re: policy based VPN

It will set up a separate phase II (IPSEC) SA per flow and also a separate tunnel. That means if you have 20 flows at the same time it will build up 20 tunnels in parallel (one per flow). So use policy...



Re: Need to configure syslog to reach syslog server

Hi Folks, We do find the configuration there in place as per the attached file,

set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system...


Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

From the configuration it looks like you are missing the security policy to permit the inbound vpn traffic. It looks like you may have both the zone names mismatched and the addresses used in the...


Re: Natting from a routing instance to global instance in a chassis cluster??

What method of connecting the global routing instance to the internet routing instance are you using? There are multiple ways to make sure the routes and path are visible to the traffic.



Re: policy based VPN

Hello, A separate VPN tunnel (Phase 2) will be established for each set of source-address / destination address entries in the policy or the proxy ID configured for the VPN. In comparison, a route...



Re: SRX210 in band managment in trunk mode

Not sure the exact question here, so forgive me if this is not the right answer. If you need mgmt protocols to work on your TRAFICO vlan and vlan.20 interface, you need the zone that these are assigned...


Re: IKE negotiation failed with error: IKE gateway configuration lookup...

Looks like you might be configuring an ike id and not one on the cisco side. Try removing general-ikeid

gateway gw-vpn-customer-u1 {
    ike-policy ike-pol-vpn-customer-u1;
    address...


Re: VPN Hub and Spoke with IP Dynamic tunnel up but can not ping

Do you have security policies in place to permit the traffic? Are all three tunnels at the hub site bound to the same interface? If they are, are you using OSPF to automatically create the NHTB for the...


Re: VPN Hub and Spoke with IP Dynamic tunnel up but can not ping

Thanks for your reply. Yes, I have created a policy to permit traffic. Yes, all tunnels at the hub are bound to the same interface st0 (p2mp). I have not yet tried with OSPF. I'm also going to try this solution. You...



Re: VPN Hub and Spoke with IP Dynamic tunnel up but can not ping

You can use static routes but you cannot use next-hop interface with a multi-point tunnel. You need to use the next-hop of the specific ip address of the REMOTE side tunnel for each subnet. Also...


Re: VPN Hub and Spoke with IP Dynamic tunnel up but can not ping

Thank you. I see I use next-hop with IP:

route 192.168.7.0/24 next-hop 10.1.1.2;
route 192.168.4.0/24 next-hop 10.1.1.6;
route 192.168.3.0/24 next-hop 10.1.1.7;
route 192.168.9.0/24 next-hop 10.1.1.4;

I...



Dynamic VPN group IKE-ID

I have read the Juniper article about Group and shared IKE-ID... but I have many questions. 1- When to use group IKE-ID? When there are a large number of remote clients that exceed my installed licence,...


Re: VPN Hub and Spoke with IP Dynamic tunnel up but can not ping

Is everything working now then?



Re: VPN Hub and Spoke with IP Dynamic tunnel up but can not ping

Not yet, nothing has changed. I really was using next-hop with IP before. I only changed the tunnel subnet as you suggested. Thanks


Re: Natting from a routing instance to global instance in a chassis cluster??

Hi Spuluka, Currently none. Is leaking of routes from the global table to the custom routing instance table necessary here?


Re: VPN Hub and Spoke with IP Dynamic tunnel up but can not ping

I found that when I delete the ike service on the external interface (only keeping ike on the untrust zone), traffic can pass. But VPN traffic is not stable; sometimes ping misses packets. When traffic is down, I check flow...
