J-Net Community
Hi All

I have a dynamic VPN configuration. I can connect to my computer, but I can't access the internet. What's wrong?

Thanks,

My configuration:

set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposal-set basic
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text "$9$JdZDH.PTz3/UDCpOBcSoaZj.PfTzF69q.BIRcle"
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn dynamic hostname RXS-SRX300
set security ike gateway gw_wizard_dyn_vpn dynamic connections-limit 50
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_wizard_dyn_vpn external-interface ge-0/0/0.0
set security ike gateway gw_wizard_dyn_vpn aaa access-profile remote_access_profile
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set basic
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security ipsec vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn
set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.0.0/16
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.10.10.0/24
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group user admin1
set security dynamic-vpn clients wizard-dyn-group user admin2
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.100.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range Range-VPN-Test low 10.10.100.20
set access address-assignment pool dyn-vpn-address-pool family inet range Range-VPN-Test high 10.10.100.254
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 192.168.0.11/32
We have an SRX240H2 that has a DHCP configuration to allow mobile devices to connect and is routed via an independent ISP. Users are able to connect to the SSID and get an IP and DNS provided by the SRX; however, name resolution does not work and they cannot browse. Strangely, if a user accesses an unsecured web page the "insecure page" warning appears, but upon accepting the risk the web page does not load. This was working fine and no changes were made to the network. We tried creating a new SSID with a new VLAN and the results are the same. The configuration on another SRX works fine.

Here's my DHCP configuration on the SRX. Routing is OK, as the users are able to ping external IP addresses.

set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.5
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.250
set system services dhcp pool 192.168.3.0/24 name-server 4.2.2.2
set system services dhcp pool 192.168.3.0/24 name-server 8.8.8.8
set system services dhcp pool 192.168.3.0/24 router 192.168.3.1
set security zones security-zone Mobile interfaces reth1.399 host-inbound-traffic system-services all
set security zones security-zone Mobile interfaces reth1.399 host-inbound-traffic protocols all

I have restarted DHCP services but that didn't help either...
Hi, this seems very basic; however, I need some clarity on why I cannot peer OSPF in either of the following scenarios:

1. A pair of SRX4100s (one is a Chassis Cluster with reth and one is stand-alone with irb). According to the diagram, layer 3 in scenario 1 is across a circuit (reth0.700 <--> irb.700).
2. The above SRX Cluster and a Cisco 6800 switch. According to the diagram, layer 3 in scenario 2 is between reth0.800 and Vlan800, directly.

All devices show traceoptions/debug sending OSPF. All have matching MTU, and can ping the directly connected interfaces of the other host. At Layer 2, the link between the SRX firewalls goes via the C6800 switch.
Hi, all

We have an IPsec connection with our partner. Due to increasing traffic, the SRX cannot handle the encryption/decryption any more, so we decided to migrate to direct connections. I put both the st0 interface and the physical direct-connection interface in the same security zone so I don't have to touch the existing security policies or NAT rules. For the migration, I thought I would just deactivate the VPN and lift the BGP import filter so routing to the partner-side prefix would now go out of the physical interface, and everything should just work. Easy enough, right? Not so much... Somehow TCP sessions cannot be established from either direction after cutover. The security flow session shows that sessions were created by initiating connections from either side, but there is no return traffic.

Here is the diagram:

[zone trust ge-1/0/1] ------[SRX]----(zone untrust, interface st0.1, interface ge-1/0/0)

Here is the show security session interface output when the VPN was deactivated. For inbound traffic, internal host 172.18.63.122 is statically mapped to 28.8.12.129; for outbound traffic the internal host is PAT'd to 28.8.12.135 (if the internal host does not have a static NAT address assigned).

Session ID: 115841114, Policy name: allow_inbound/26, State: Active, Timeout: 8, Valid
In: 13.20.21.192/53944 --> 28.8.12.129/25;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 1, Bytes: 60, CP Session ID: 113526337
Out: 172.18.63.122/25 --> 13.20.21.192/53944;tcp, Conn Tag: 0x0, If: ge-1/0/1, Pkts: 0, Bytes: 0, CP Session ID: 113526337

Session ID: 115842757, Policy name: allow_outbound/25, State: Active, Timeout: 6, Valid
In: 172.18.25.36/54664 --> 13.20.17.137/8051;tcp, Conn Tag: 0x0, If: ge-1/0/1, Pkts: 1, Bytes: 60, CP Session ID: 112611196
Out: 13.20.17.137/8051 --> 28.8.12.135/43157;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 0, Bytes: 0, CP Session ID: 15897414

Look at the inbound session: obviously the SRX received a TCP SYN from the partner, but it seems the SRX did not receive the SYN-ACK from our internal host. From the outbound session, the SRX received a TCP SYN from the internal host, but did not receive a SYN-ACK from the partner side.

This is a pure network-layer routing change; there are no application-side configuration changes, and both the partner and I verified that routing is correct, but the above two sessions contradict each other. By looking at the flow session, I am not sure which leg is having the problem. For example, for the inbound session, we can conclude that inbound from the partner to the SRX works, but how do I know whether the return session failure is because our internal host is not sending the SYN-ACK to the SRX, or the SRX failed to send the SYN-ACK to the partner, or the partner side received the SYN-ACK but failed to send it back to the SRX? I unfortunately didn't have the luxury of taking my time to do a flow trace on my side during the short maintenance window. Where else should I look further offline?
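The two session entries in the post above can be read mechanically: each wing's Pkts counter counts only packets the SRX actually matched on that wing, so a zero on the Out wing means the reply never entered the SRX on that wing's interface (the session table cannot distinguish "not sent" from "sent but lost on the way back"). The following parser is an added example, not code from the post or from Juniper; it embeds the two session entries quoted in the post as sample input and reports, per session, which interface the missing reply would have had to arrive on.

```python
import re
from typing import Dict, List

# Sample input: the two session entries quoted in the post above,
# re-broken into the three lines the CLI prints per session.
SAMPLE = """\
Session ID: 115841114, Policy name: allow_inbound/26, State: Active, Timeout: 8, Valid
In: 13.20.21.192/53944 --> 28.8.12.129/25;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 1, Bytes: 60, CP Session ID: 113526337
Out: 172.18.63.122/25 --> 13.20.21.192/53944;tcp, Conn Tag: 0x0, If: ge-1/0/1, Pkts: 0, Bytes: 0, CP Session ID: 113526337

Session ID: 115842757, Policy name: allow_outbound/25, State: Active, Timeout: 6, Valid
In: 172.18.25.36/54664 --> 13.20.17.137/8051;tcp, Conn Tag: 0x0, If: ge-1/0/1, Pkts: 1, Bytes: 60, CP Session ID: 112611196
Out: 13.20.17.137/8051 --> 28.8.12.135/43157;tcp, Conn Tag: 0x0, If: ge-1/0/0, Pkts: 0, Bytes: 0, CP Session ID: 15897414
"""

SESSION_RE = re.compile(
    r"^Session ID: (\d+), Policy name: ([^,]+), State: (\w+), Timeout: (\d+)"
)
WING_RE = re.compile(
    r"^(In|Out): (\S+) --> (\S+);(\w+), Conn Tag: \S+, If: (\S+), "
    r"Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text: str) -> List[Dict]:
    """Turn 'show security flow session' text into one dict per session,
    with an 'In' and an 'Out' wing each carrying interface and counters."""
    sessions: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = {
                "id": int(m.group(1)),
                "policy": m.group(2),
                "state": m.group(3),
                "timeout": int(m.group(4)),
                "wings": {},
            }
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            direction, src, dst, proto, iface, pkts, nbytes = m.groups()
            current["wings"][direction] = {
                "src": src, "dst": dst, "proto": proto,
                "if": iface, "pkts": int(pkts), "bytes": int(nbytes),
            }
    return sessions


def diagnose(session: Dict) -> str:
    """Say which leg the SRX has seen. The Out wing's Pkts counts reply
    packets received on its interface; zero there means the reply never
    reached the SRX, which is all the session table can establish."""
    inw = session["wings"].get("In")
    outw = session["wings"].get("Out")
    if inw is None or outw is None:
        return f"{session['policy']}: incomplete session entry"
    if inw["pkts"] > 0 and outw["pkts"] == 0:
        return (
            f"{session['policy']}: initial {inw['proto']} packet from {inw['src']} "
            f"arrived on {inw['if']}, but no reply from {outw['src']} has entered "
            f"on {outw['if']}; the missing leg is the return path into {outw['if']}"
        )
    if inw["pkts"] > 0 and outw["pkts"] > 0:
        return f"{session['policy']}: packets seen in both directions"
    return f"{session['policy']}: no packets matched yet"


def report(text: str) -> List[str]:
    """One diagnosis line per session found in the CLI text."""
    return [diagnose(s) for s in parse_sessions(text)]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against a saved copy of the real output, the report narrows the question to the interface on which the reply is absent: for the inbound session that is ge-1/0/1 (the host-side reply), for the outbound session ge-1/0/0 (the partner-side reply). Whether the far end sent that reply is something only a capture on that segment can show.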
Hi

Is it possible to perform a wildcard search on logs within the Security Director web console (Monitor > Events & Logs > All events)?

i.e. if a full IP address is not known but the starting prefix is, for example: source IP address starts 192.168.x.x

The referenced doc does not seem to identify any facility for pattern matching: https://www.juniper.net/documentation/en_US/junos-space19.1/help/information-products/pathway-pages/topic-104854.html

For reference, this is Security Director 19.1R1.

Any help much appreciated,

Cheers
FK
Hi,

What's the command to display the status (enabled/disabled) of all the protocols on Junos? I am trying to determine which ones are on or off. Thanks. I found the 'show protocols' command (in config mode), but this shows what I configured, right, not the status of the protocols? Or is it the same thing?

Thanks,
I captured LSP packets on vMX1 interface ge-0/0/1 facing vMX3. I got the following two LSP packets. One has the attached bit on, the other has the attached bit off. They have different LSP_IDs, which I highlighted. Can someone explain the reasons to me?

root@vMX1# run show interfaces ge-0/0/1 | match Curr
Current address: 00:05:86:71:d8:01, Hardware address: 00:05:86:71:d8:01

Thanks!!
Hello all,

I just enabled virtual-chassis between my two qfx5100-48s-6q switches and I am seeing some odd behavior. I am not able to see the backup linecard ports with the command "show interface terse", but I am able to set additional interfaces and then commit successfully. As a test, I added interfaces xe-1/0/25, xe-2/0/25 and xe-3/0/25 and committed successfully. Is that expected behavior when I only have two switches? Furthermore, the new interfaces I created do not show up with the interface terse command, but they do appear in the running config.

{master:0}[edit]
atetu@emp-cle.core-01.qfx5100# set interfaces xe-2/0/25 description TEST

{master:0}[edit]
atetu@emp-cle.core-01.qfx5100# set interfaces xe-3/0/25 description TEST

{master:0}[edit]
atetu@emp-cle.core-01.qfx5100# commit
fpc0:
configuration check succeeds
fpc1:
commit complete
fpc0:
commit complete

I attached a file with the output from show virtual-chassis / vc-port statistics extensive and the output looks correct.

Thanks in advance,
-AT
After a bootloader flash upgrade failed because of a sudden power loss, when the firewall reboots it shows nothing, and it won't allow a reset-config to initiate; it only reboots every 4 minutes... Any help will be good right about now: how to at least get it to start showing what's happening through the console port again.
Hi all,

I need to know about vMX: is there a basic form to install? Because the data sheet says 16GB RAM. Can I use 2 or 4 GB RAM in a basic form? I want to use a virtual machine on VirtualBox but my PC only has 8GB RAM. Thanks.
Hello Friends, I have an issue which really seems a simple problem, but I couldn't solve it so far.

I migrated a Cisco ASA to a Juniper320. All outbound traffic hitting the static NAT is failing, while traffic hitting the interface source NAT is working fine. To put it differently, return traffic destined to the SRX external interface address is OK, but return traffic destined to the static NAT public address isn't. When rolling back to the Cisco ASA everything works fine. I tested the SRX config in a lab with a similar setup... everything is working. I think the upstream Cisco router is the issue, but I cannot be sure. The ISP confirmed that they have two static routes for the static NAT public range... one with next-hop FW address and another with next-hop interface. See below.

I don't understand why they have redundant routes, but I think this is causing my issue. Does anyone agree? As this range is not part of my ISP interface subnet, I understood I don't need to configure proxy-arp. Correct?

My NAT config looks like this.

set security nat source rule-set Interface_NAT from zone INSIDE
set security nat source rule-set Interface_NAT to zone OUTSIDE
set security nat source rule-set Interface_NAT rule R1 match source-address 192.168.1.0/24
set security nat source rule-set Interface_NAT rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set Interface_NAT rule R1 then source-nat interface
set security nat static rule-set Static_NAT from zone OUTSIDE
set security nat static rule-set Static_NAT rule r1 match destination-address 2.2.2.1/32
set security nat static rule-set Static_NAT rule r1 then static-nat prefix 192.168.1.253/32

Any help is appreciated!

Thanks in advance!
Mohneja
Checking on the forum before opening a JTAC Service Request...

EX2300s have been installed and running for weeks now. The image is the recommended 18.2R3S2.9. Suddenly this morning, we lost ping communications for a brief period. Traffic was still going through, seemingly unaffected. Pings came back, but were taking almost a second to reach. Then everything went back to normal ping time. Hooking up on the console, we saw

kernel: bcmrgg0: Internal Shutdown

Should I be worried??????

Michel Lapointe

Any clue?
Hi all,

we have a Virtual-Chassis containing 3 EX4300 (not mixed, no multi-gigabit) connected by the QSFP ports. The Virtual-Chassis is preprovisioned. The QSFP ports are in the default state, which means they are all intended to be used for building a VC.

Now we have 2 issues. When doing a show system partitions media internal, the system shows "error: /dev/da0s1a is not a JUNOS snapshot" on fpc0. Also, when doing a show system storage partitions, the system has mixed up da0s1a and da0s2a:

fpc0:
--------------------------------------------------------------------------
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)

JTAC recommends doing a format install on fpc0 to get the system back into a normal state.

Can you please confirm the following procedure:

1. Shut down fpc0 and disconnect the VC cables
2. Boot into the loader prompt
3. Do a format-install by USB
4. Boot the freshly installed switch
5. Check system partitions / create a system snapshot
6. Shut down the switch
7. Reconnect the VC cables
8. Power on the switch
9. After the switch has powered on, it should assign itself as backup into the VC

Is this procedure correct?

BR, Christoph.
Hi all,

I have two EX3400-48T switches configured in a VC. I struggle with disk-usage alarms for /var that don't make any sense to me. The system is very new; just the OS was updated to 18.2R3-S2.9 and some configuration was done.

me@XX> show system alarms
2 alarms currently active
Alarm time               Class  Description
2020-02-26 09:29:42 UTC  Minor  RE 1 /var partition usage is high
2020-02-20 22:20:00 UTC  Minor  FPC 0 /var partition usage is high

However, there should be enough free space from my understanding:

me@XX> show system storage
fpc0:
--------------------------------------------------------------------------
Filesystem       Size  Used  Avail  Capacity  Mounted on
/dev/gpt/junos   1.3G  919M  337M   73%       /.mount
tmpfs            805M  48K   805M   0%        /.mount/tmp
tmpfs            324M  420K  324M   0%        /.mount/mfs
fpc1:
--------------------------------------------------------------------------
Filesystem       Size  Used  Avail  Capacity  Mounted on
/dev/gpt/junos   1.3G  916M  340M   73%       /.mount
tmpfs            564M  48K   564M   0%        /.mount/tmp
tmpfs            324M  524K  324M   0%        /.mount/mfs

Since there is no separate /var partition visible, my guess is this is referring to the main partition mounted at /.mount?

I manually set very low thresholds for the alarms but they did not disappear:

me@XX> show configuration chassis disk-partition
/var {
    level full {
        free-space 50 mb;
    }
    level high {
        free-space 100 mb;
    }
}

Any help is appreciated.
Hi all,

I have two EX3400-48T switches configured in a VC. The Web UI mostly works, but some pages are not accessible and immediately return "Your Session has expired. Click OK to redirect to login page." Broken pages are, for example:

Configure > Security > Filters
Alarms > Alarms and Events > View Alarms

This also happens after a fresh login, with different user accounts and with different browsers (Firefox and Safari). I found a solution in the forums where the system time was not set properly. But this is not the case in my setup.

The time is correct:

fpc0:
Current time: 2020-02-26 13:19:05 UTC
Time Source: LOCAL CLOCK
fpc1:
Current time: 2020-02-26 13:19:05 UTC
Time Source: LOCAL CLOCK

Software versions:
Junos: 18.2R3-S2.9
JUNOS Web Management Application package [18.2A1]

Any ideas?
Hi all,

On one of my QFX10008s, I am seeing CRC and BER errors like below:

Feb 20 20:55:41.907 ablab.czk-re0 fpc4 CCL: 1 CRC errors seen on link PE2-Avg-28nm-link-9-17
Feb 21 03:04:03.213 ablab.czk-re0 fpc5 CCL: 1 CRC errors seen on link PE2-Avg-28nm-link-9-17

When I run fabric-related commands, everything shows as OK, because these errors are not consistently occurring. I see 4-5 occurrences a day at random times.

Also, today I saw that all the SIBs restarted themselves automatically at the same time, and I am not sure what triggered that. Even after this, I see CRC and BER errors getting reported at around 4-5 per day again.

1. How do I proceed further to resolve this or isolate the issue to an FPC/SIB?
2. What does link 9-17 mean in the logs? How do we map this to an FPC or SIB link?

I'd appreciate any help understanding this, or any documents that can help me.

//Nex
Hi Team,

We are trying to configure SNMP traps on all devices. Traps are working fine when the devices are below the SRX 240 firewall (trust zone or same network).

But the issue comes when edge devices initiate a trap from the untrust to the trust zone.

SNMP configuration on edge devices (consider the following example):

trap-options {
    source-address 14.x.x.1;
}
trap-group Zabbix-trap {
    version v2;
    destination-port 162;
    categories {
        authentication;
        remote-operations;
        configuration;
    }
    targets {
        14.x.x.2;
    }
}

Configuration on the core firewall:

set security nat destination pool Zabbix_Trap address 192.168.10.2/32
set security nat destination pool Zabbix_Trap address 192.168.10.2/32 port 162

set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-address 14.x.x.2/32
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-port 162
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap then destination-nat pool Zabbix_Trap

set security policies from-zone untrust to-zone trust policy Zabbix_Trap match source-address 14.x.x.1
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match destination-address Zabbix
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match application SNMP
set security policies from-zone untrust to-zone trust policy Zabbix_Trap then permit
set security policies from-zone untrust to-zone trust policy Zabbix_Trap then log session-init
set security policies from-zone untrust to-zone trust policy Zabbix_Trap then count

When we try to configure traps on the edge devices, we have configured a destination NAT pool on the core firewall (SRX 240) and we have given the same target IP that we gave for the SNMP configuration on the edge devices.

We have even configured a policy from the untrust to the trust zone with the source as the public IP (e.g. 14.x.x.x) and the destination as the private IP of our Zabbix server, and allowed the application port 162 for traps.

Please find the attached network architecture.

Can anyone kindly assist in proceeding further?

Thanks,
Gautam
Can someone guide me on how to configure the 4 ports to 40G on an MX204? Right now I see:

xe-0/0/0:0 up up
xe-0/0/0:1 up up
xe-0/0/0:2 up up
xe-0/0/0:3 up up

I referred to https://www.juniper.net/documentation/en_US/junos/topics/topic-map/rate-selectability-configuring.html but it's not working as it should. Thanks
Hi all,

May I know where the "Monitor" tab is on Junos Space version 18.4 and above? I usually use that tab to see interface utilization history, RE utilization, etc.

Can anybody tell me whether that tab has been taken out of Space entirely or put under another tab?

Thanks and appreciate any feedback
Hi all,

First of all, may I know whether the SRX5k series has a feature similar to this URL: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/713497/virtual-server . I see from this URL https://www.juniper.net/documentation/en_US/junos/topics/concept/tdf-tlb-overview.html that it is supported on the MX960 & MX480 if using the SPC3. Is the SPC3 on the MX and the SRX5k the same card?

Thanks and appreciate any feedback