SRX w/ multiple routes/paths
I'm thinking this may be related to flow mode but if someone can confirm that and if there's a way to work around it while remaining in flow mode that would be awesome. SRX220 or 100 w/ two uplinks....
Re: SRX w/ multiple routes/paths
As you notice, stateful firewalls really don't like asymmetrical flow traffic. In this type of situation you have two options. Place both uplink interfaces into the same security zone. This will...
SRX5600 source NAT pool unevenly used
Hi! Using snmp looking at the jnxJsNatSrcNumSessions it seems very un-balanced for our nat source pool user-shared-pool (x.y.142.0-x.y.142.255). For some (individual) IP addresses, the number of...
Re: VPN fragmentation - How to check if SRX send fragments
Hi R_J As you have mentioned that the remote peer complains that the packets received are fragmented, I should assume that the packets are fragmented post encryption. So if this is the case SRX would...
Re: VPN fragmentation - How to check if SRX send fragments
Hi, Could the packets be fragmented by an intermediate device/router as well, since TCP MSS has already been set to 1300 and assuming MTU on the SRX egress interface is default? Also, just to confirm...
Re: VPN fragmentation - How to check if SRX send fragments
Hi Ashvin, Please find the answers below for the queries you had: Could the packets be fragmented by an intermediate device/router as well, since TCP MSS has already been set to 1300 and assuming MTU...
Re: SRX240 cooling fan speed
Hi, I'm a bit confused about fan speed. I see the following: > show chassis environment Class Item Status Measurement Temp Routing Engine OK 54 degrees C / 129 degrees F Routing Engine CPU OK 51...
Slow Site to Site VPN tunnel
Site to Site VPN tunnel between two SRX 210's both running 12.1X46-D45. I expect to get a transfer speed close to 30MB/s. Currently my transfer speed is right around 6MB/s. It's been an ongoing...
How to apply NAT before policy based IPSEC VPN? Virtual router an option?
Hi all, have an issue. Need to set up an IPSEC VPN from Juniper SRX 240 to a third party, running PFSense firewall. LAN subnet on my end is 10.0.0.0/24. The requirement is to have it NAT-ed (source NAT,...
Re: Slow Site to Site VPN tunnel
Hi Mikey, Since you mentioned that you are able to get a maximum of 6 Mbps of speed across the vpn, there are a lot of parameters that need to be considered for giving an answer to this question. # Do you...
Re: How to apply NAT before policy based IPSEC VPN? Virtual router an option?
Hi Alex, As you have mentioned, you can NAT the traffic first and send it to a VR, you may terminate the VPN on the interface inside the VR and this should solve your problem. However there are few...
Can you cluster SRX 240H2 and SRX 240H ?
Hi all, is there any problem with the below setup? run show chassis hardware detailnode0:--------------------------------------------------------------------------Hardware inventory:Item Version Part...
Re: Can you cluster SRX 240H2 and SRX 240H ?
Hi Alex, The difference between the two boxes is that SRX240H has 1 Gig RAM, whereas SRX240H2 has 2 gig RAM. As it is advisable from Juniper that hardware and software should be exact to form a cluster ,...
Re: VPN fragmentation - How to check if SRX send fragments
Hi Hemant, Hemant: Yes, the packets (ESP in this case) can be fragmented by intermediate router/L3 device. --> From the intermediate router's point of view, it's just an IP packet. Also, just to...
Re: Slow Site to Site VPN tunnel
Very often performance issues are due to fragmentation, especially in IPSec due to added headers. Worth reading: http://rtoodtoo.net/ipsec-tcp-mss-df-bit-and-fragmentation-in-srx/
300 series license
Can anyone tell me what the JSB / JSE licenses are for on the SRX300 series? Does the device have the same functionality as previous SRX models without any licenses e.g. NAT, VPN, etc.? I can not seem...
IPSEC site-to-site --> Traffic not go through tunnel every 7 days?
Hi All, Currently my SRX has IPSEC point-to-point to Fortinet. But the issue is every 7 days traffic will not go through the IPSEC tunnel even though the tunnel is not down. Usually I need to clear back the...
Re: SRX5600 source NAT pool unevenly used
You can control the usage of the pool by the application of pairing and persistent options or using no pair to force round robin. But for enterprise applications you probably do want pairing to...
Re: How to apply NAT before policy based IPSEC VPN? Virtual router an option?
You can connect to a policy VPN on the remote device while still configuring a route based VPN on the SRX. Then you can apply NAT to the VPN traffic without any extra configuration oddities.
Re: 300 series license
The two licenses are listed on the top of page 4 in the bulleted lists. https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000550-en.pdf The basic firewall policy, nat and vpn features are all...