On the run, but shortly:
Don’t do it that way, much easier ways available.
What version are you running on the SRX?
Traffic-selectors are what you want.
/Per
PS: I’ll try to get back with more details later.
> 1 dec. 2019 kl. 13:26 skrev Tom Meadows :
>
> I'm trying to set up a config very
Using BFD instead of LACP for link monitoring?
/Per
On 20 Jul 2019, at 12:06, Mark Tinka wrote:
> We now restrict LAG's to router-switch 802.1Q trunks.
>
> On backbone links, we've found regular IP ECMP to be more reliable than
> LAG's.
>
> Mark.
___
Hi all!
I’m trying to set up RPM probes with a SRX (1500, 15.1X49) to a server
(via IPsec tunnel, but that does not really have any bearing on the
problems I’m facing). The server is an external proxy-server for HTTP
requests, and it does not answer icmp-ping requests. Neither does it
answer
Interim followup:
This is probably the bestpath to follow, but I have not been able to
make the RPM probes work. I’ll follow that up in a separate thread.
Once that is cleared, there will be a final followup
/Per
On 10 Jun 2019, at 21:18, Per Westerlund wrote:
Thanks, good suggestion
Thanks, good suggestion.
Haven’t used that before. Given that input, this is what I will try:
- Add a dummy linknet to each tunnel interface, since RPM and
IP-monitoring works with addresses and not interfaces directly
- Use two RPM-probes on the primary links to be able to have independent
There is a tool available via the Juniper Partner site that helps with
migrations from Netscreen to SRX.
/Per
> 17 juli 2018 kl. 15:54 skrev Doug McIntyre :
>
>> On Tue, Jul 17, 2018 at 07:48:52AM +, M Abdeljawad via juniper-nsp wrote:
>> Was checking portal for the Netscreen-Junos
1
[edit routing-options static]
+/* Annotation test */
route 0.0.0.0/0 { ... }
On 1 Jul 2017, at 15:35, Per Westerlund wrote:
Hi all!
Normally, when comparing current and previous configurations on
Junos-boxes, I assume I get the same results when running in
operational mode as when
Hi all!
Normally, when comparing current and previous configurations on
Junos-boxes, I assume I get the same results when running in operational
mode as when running in configuration mode. I didn't even think there
could be a difference.
The other day, when we were having some problems with
I do believe that it is not until you stop the capture that all data is
flushed to the capture-file. If you have a small enough flow, the file
will be empty until you stop the capture.
/Per
On 17 Feb 2017, at 17:44, Jonathan Call wrote:
I followed the instructions listed here to create and
That should be enough. Forward traffic destination is resolved in the target
RI, and the return traffic egress interface is determined by the session set up
by the first packet. Note that the security policies should match on post-NAT
zones/addresses.
/Per
> 27 jan. 2017 kl. 09:52 skrev
in how BFD and charging licenses are connected?
/Per Westerlund
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
That is default behavior, but you can access other RI's interfaces by
explicitly using the RI name. No way to reach all IFs at once via a RI.
/Per
PS: Excuse my brevity, caused by screen kbd.
> 27 apr. 2016 kl. 17:45 skrev James Bensley :
>
> Hi All,
>
> I am migrating
Like most manufacturers the performances quoted by Juniper are under ideal (or
even better) conditions. The only way to be sure is to test with a
representative load.
In my case we were running backups (large packets one way, acks the other) over
IPSec. We generally planned for 1/3 of the
I think you are hit by the flow mechanism, this would probably work in
pure routing scenario.
Please verify my possible explanation with set security flow
traceoptions flag basic-datapath.
When the first packet is accepted, a flow is set up. It contains both
the forward path and the reverse
There is (probably) a simple solution if pp0.0 is only used by inbound traffic
that will be NAT-ed, and never used as backup for pp0.1 outbound. Is this the
case?
/Per
Sent from my iPad, please ignore stupid spelling corrections!
26 jun 2014 kl. 15:39 skrev Yuriy B. Borysov
If you start by setting up traceoptions as in the excellent article
referred to by Ben, you will probably find the problem easily. Then,
making the RI cat a virtual-router instead of a forwarding instance
(with the ISP ifl in it) and setting up proper policy will probably be a
good start to
From your post it is not obvious what setup you are using. Can you
elaborate, please?
Two standard setups that normally work:
- One link from each of node0 and node1, to (in this case) MX5-T. No
LACP, just active/passive setup with RETH-interface in SRX cluster.
- At least two interfaces
I think Mike was hinting at the hidden property ’local-address’ to help select
source address from an interface that has more than on address configured.
You won’t see it in the help, but if you enter this:
set security ike gateway GATE local-address x.y.z.w
it will work.
This way
Good catch/reference. Slight typo, the section is 13.12 (in my copy from May
2006).
/Per
Sent from my iPad, please ignore stupid spelling corrections!
3 apr 2014 kl. 01:14 skrev Jeff Wheeler j...@inconcepts.biz:
For more on the different MSTP Port Roles and their meanings, see IEEE
I'm offline right now, but last time I checked, IRBs with bridge domains (SRX
in transparent/L2 mode) were only used for management, no forwarding of transit
traffic possible.
/Per
2 apr 2014 kl. 21:46 skrev Morgan McLean wrx...@gmail.com:
Just double checking that IRB interfaces are not
You did not set up separate address for authentication like below, try that
first.
/Per
Sent from my iPad, please ignore stupid spelling corrections!
21 mar 2014 kl. 04:54 skrev Шепелев Андрей xamalon...@gmail.com:
show interfaces ge-0/0/1
unit 0 {
family inet {
address
$k.TFtu1RcyAtWLX7VbfTQ3Ap
set access ldap-server 10.60.0.5 port 3268
but it did not help :(((
2014-03-18 17:32 GMT+06:00 Per Westerlund p...@westerlund.se:
I haven’t done it myself (yet), but you probably need to define the
ldap-server directly under the stanza ”access”. In your profile TPAD you just
Hi everybody.
Juniper is apparently preparing to change the switching CLI in the future to
”Enhanced Layer 2 Software Support (ELS)”.
In the descriptions I have read so far, there is no mention on how to set up
Private VLAN (PVLAN) using ELS.
PVLAN is supported on QFX with the current CLI,
I don't KNOW why, but I realize that some want their entries sorted on address,
others on name; therefore it is in insertion order with the possibility to
reorder by ”insert …..” (or reorder externally, den delete and reapply content).
/Per
7 mar 2014 kl. 11:02 skrev Phil Mayers
What version are you running?
Not knowing the rest of the setup makes it hard to guess what it could be.
Unless there are some filters on interfaces, I would suspect the DNS ALG, it
has sometimes caused problems. If you are allowed to make changes to the ALGs,
one thing to try could be:
I think Eduardo forgot to mention that you should also change the metric to be
Type 1, then the internal metric will be added and I think you get the behavior
you want.
/Per
Sent from my iPad, please ignore stupid spelling corrections!
27 feb 2014 kl. 21:23 skrev Eduardo Barrios
The logic for what filters get applied is like this (stolen from Juniper
documentation):
• If you configure Filter A on the default loopback interface (lo0.0) and
Filter B on the VRF loopback interface (lo0.x), the VRF routing instance uses
Filter B.
• If you configure Filter A on the default
I am sorry to say that I think it is almost correct. The policy rules are
evaluated after destination NAT handling, where the destination port has
already been translated. You should probably exchange:
set security policies from-zone untrust to-zone trust policy DNAT_POLICY
match application
Below is what I believe is a working solution.
First, with destination nat, matching on public IP/port, the destination
IP/port is translated from 24.173.164.162 : to 132.147.160.3:23.
Next, the policy match statement has to allow just that, after the translation:
132.147.160.3:23.
Have you set up proxy-arp for the DNAT address? It does not work by itself, has
to be manually if it is an address on the external (untrust) network.
/Per
28 nov 2013 kl. 10:32 skrev Mohammad Khalil eng.m...@gmail.com:
set security policies from-zone untrust to-zone trust policy
No, those source nat rules should have no effect on you problem. When the
inbound traffic matches (hopefully) the requirements, a complete flow is set
up. The return traffic automatically gets the proper nat handling to match the
inbound traffic. The outbound traffic will use source NAT that
Try to add this to your configuration:
[edit security flow]
perw@srx1# show
traceoptions {
file dnat-telnet-debug;
flag basic-datapath;
packet-filter dnat-telnet-in {
protocol tcp;
destination-prefix 24.173.164.162/32;
destination-port ;
}
Problem resolved.
/Per
Vidarebefordrat brev:
Från: Mohammad Khalil eng.m...@gmail.com
Ämne: Re: [j-nsp] Destination NAT
Datum: 28 november 2013 12:23:49 CET
Till: Per Westerlund p...@westerlund.se
All the problem was from the public IP address , seems it was used somewhere
else
I do
What was the problem?
/Per
26 nov 2013 kl. 10:28 skrev Mattias Gyllenvarg matt...@gyllenvarg.se:
Actually it was not, it was before but I removed it when I removed the st
interface to re apply it.
I have since then fixed the original issue and now got through IKE and have
it working.
Once logged in to https://learningportal.juniper.net/, you can navigate to
Learning Portal Home Fast Track JNCIS-SP eLearning JNCIS-SP Study
Resources
There are 3 PDF files available there, study guides for switching, routing and
MPLS/VPN.
/Per
31 okt 2013 kl. 15:55 skrev Mohammad
The normal NAT handling only works with transit traffic, not self-sourced
traffic.
With newer Junos, you can set up NAT rules using the zone junos-host to get
the wanted behaviour.
/Per
23 okt 2013 kl. 09:34 skrev Mohammad Khalil eng.m...@gmail.com:
Hi all
I have SRX and I have
is allowed
BR,
Mohammad
On Wed, Oct 23, 2013 at 10:56 AM, Per Westerlund p...@westerlund.se wrote:
The normal NAT handling only works with transit traffic, not self-sourced
traffic.
With newer Junos, you can set up NAT rules using the zone junos-host to get
the wanted behaviour.
/Per
Can you give some more details? I'm not sure I understand all of your
requirements.
Are you trying to influence something native to OSPF, or are you talking about
setting metrics for routes redistributed (Cisco-speak) from another protocol?
/Per
25 sep 2013 kl. 10:09 skrev R S
I don't think overload-mode is what you want.
I used it once before I realized the consequences. It will, as i says in the
docs, put itself into the mode I cannot really be used for transit traffic any
more, only send me traffic for my directly attached networks.
This is an OSPF setting (in
First let me see if I understand you correctly by rephrasing.
- Three sites A, B och C all connected with direct links
- Link A-B has high capacity
- Links A-C and B-C has lower capacity
- High volume storage traffic traverses link A-B and must not use links A-C or
B-C, even if link A-B goes
I think I know one way to do it.
Multi-topology routing to the rescue!
With MT-routing we can have one topology with only sites A and B and all their
routers and routes/prefixes, and another topology with sites A, B and C and
everything (just like today). On ingress, you classify and assign
The components of the SRX RETH-interfaces are not all active at the same time,
this is a fail-over construct. One active link at the time.
You should be looking at the AE-interfaces instead, they are proper LACP
aggregators.
/Per
16 aug 2013 kl. 00:55 skrev Andy Litzinger
-Original Message-
From: Per Westerlund [mailto:p...@westerlund.se]
Sent: Friday, August 16, 2013 12:54 AM
To: Andy Litzinger
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] trouble setting up link agg between clustered SRX 550
and Cisco 6509
The components of the SRX RETH-interfaces
RANCID!
If you then augment the basic timed polling setup with SNMP-triggered polling,
you can have every committed config backed up, and have a timed poll as backup
in case there is some problems with the SNMP traps.
/Per
Sent from my iPad, please ignore stupid spelling corrections!
7 aug
What device are you using?
Sometimes it is possible to use a route-based VPN even if the other side only
can use policy-based VPN (SRX with Cisco ASA is a typical example), that could
perhaps solve your problem?
/Per
24 jul 2013 kl. 19:50 skrev Aaron Dewell aaron.dew...@gmail.com:
Hey
In the context of this conversation it is implicit that IPsec is used, with
st0.x interfaces. They have nowhere to attach filters!
To be able to use filters with st0.x interfaces, you have to wrap one more
layer of interface. GRE is one obvious solution (can have attached filters),
can
The other cause for this message is SPU overload, often caused by to much IPsec
VPN traffic.
Being offline on holiday with only an iPad, I'll just give you a hint, details
not to difficult to fill in:
show security monitoring performance spu
Or something along those lines.
In my experience,
Probably the response to the vulnerabilities described in PSN-2013-01-823,
Crafted TCP packet can lead to kernel crash. (PR 839412)
/Per
30 jan 2013 kl. 13:38 skrev Tore Anderson t...@fud.no:
Hi,
For EX, 11.4R5.5 is the JTAC-recommended version for most models. It
appears to have been
You can always use set groups no-events-link-status ., set apply-groups
no-events-link-status for global effect.
/Per
Sent from my iPad, please ignore stupid spelling corrections!
23 dec 2012 kl. 10:28 skrev Nc Aji aji14...@gmail.com:
Thanks for that shot .. is there a way we can do this
of that, but sounds pretty solid.
I'm gonna see if i can build a test setup for this. Pitty though that i will
have another 24 bytes overhead because of GRE...
Thanks,
Dennis
From: Per Westerlund [p...@westerlund.se]
Sent: Wednesday, December 19
We are running a similar setup, sites with SRXs running OSPF over IPsec
(tunnel mode, st0.x). Right now we have a hub-and-spoke setup, but plan to
implement direct IPsec connections between some of our spoke sites, opening
the possibility of asymmetric routing (and subsequent failure in the SRX
disable;
sql disable;
talk disable;
tftp disable;
pptp disable;
msrpc disable;
sunrpc disable;
}
}
-Original Message-
From: juniper-nsp-boun...@puck.nether.net
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Per Westerlund
Sent
/12/12 10:58, Per Westerlund wrote:
To follow up my own post (even more to follow), here is the config you use
on a J-series router to put it in router-mode. Nothing magic, just some
configuration. This will work with SRX as well, there is nothing J-series
specific in here. This config is found
Why would you want to do that (assuming you are running OSPF on all VRRP group
members)?
/Per
Sent from my iPad, please ignore stupid spelling corrections!
5 dec 2012 kl. 05:57 skrev Luca Salvatore l...@ninefold.com:
Hi,
If I run OSPF on an interface that is also running VRRP, is it
SRX as router with IPsec?
Have you tried Router Context? Most docs talk about J-series, but it works with
SRX as well.
If you need security (as in policies and zones) as well, there is selective
packet mode. I have done some work in that area, and can give details later
(right now I'm
Our experience with performance-limited branch SRX systems lately has made us
use the 1/3-rule. If you don't use more than 1/3 of the rated max of any one
metric the box will perform well and have some headroom for fluctuations.
Going above that, our boxes fill the logs with warnings that the
:
--
Hostname: dkcphfw01b
Model: srx550
JUNOS Software Release [12.1R2.9]
/Per Westerlund
25 nov 2012 kl. 07:11 skrev Bikash Bhattarai:
Dear Westerlund,
Thank you for your email. When I configure clustering all
}” . Is that making issue while failover ?
Regards,
Bikash Bhattarai | Dristi Tech (P.) Ltd | +977 9851039710 | www.dristi.com.np
Lazimpat, Kathmandu |Tel 977 1 4427949 | Fax 977 1 4410385
On Sun, Nov 25, 2012 at 4:12 PM, Per Westerlund p...@westerlund.se wrote:
Strange, this is from
are connecting to node0, not node1.
/Per Westerlund
24 nov 2012 kl. 18:43 skrev Bikash Bhattarai:
Dear all,
I have just configured two SRX 240 in clustering. One firewall is working
as primary and another is working as secondary. When primary router wan
interface fails the secondary
cluster, 12.2R2).
Comments?
/Per
13 okt 2012 kl. 22:25 skrev Stefan Fouant:
On Oct 13, 2012, at 2:59 PM, Per Westerlund p...@westerlund.se wrote:
Note that the scheduler tmp-be is not used. My belief is that everything
that is not explicitly mentioned in the scheduler-map is handled
Sorry, 12.1R2 of course.
/Per
15 okt 2012 kl. 17:57 skrev Per Westerlund:
SRX550 cluster, 12.2R2
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
!!
Why is this happening? I thought schedulers XXX transmit-rate YYY exact would
put a strict limit whatever happened.
/Per Westerlund
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
corrections!
13 okt 2012 kl. 22:25 skrev Stefan Fouant sfou...@shortestpathfirst.net:
On Oct 13, 2012, at 2:59 PM, Per Westerlund p...@westerlund.se wrote:
Note that the scheduler tmp-be is not used. My belief is that everything
that is not explicitly mentioned in the scheduler-map is handled
in Juniper KB or Juniper forums. The
common use case is with 2 default routes to 2 different ISPs, and having to
chose one or the other based on what local IP address is used.
/Per Westerlund
14 sep 2012 kl. 14:16 skrev pkc_mls:
Le 14/09/2012 11:51, Mark Menzies a écrit :
How do you route
Yes, static routes work. What happens is that you put the two tunnels in
different routing instances. The static route/routes used in each routing
instance are completely independent of each other.
/Per
14 sep 2012 kl. 15:55 skrev pkc_mls:
Le 14/09/2012 2:55, Per Westerlund a écrit
be a little complicated but we dont really have many options if the
2 remote sites have the same addressing scheme.
HTH
On 14 September 2012 15:59, Per Westerlund p...@westerlund.se wrote:
Yes, static routes work. What happens is that you put the two tunnels in
different routing instances
Sorry, I was sloppy, they don't need 10.1.0.0/16 of course, 10.1.0.0/18 would
be enough :-)
/Per
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Too tired, I'm going to bed!
Last call is: 10.1.0.0/22
/Per
14 sep 2012 kl. 18:43 skrev Per Westerlund:
Sorry, I was sloppy, they don't need 10.1.0.0/16 of course, 10.1.0.0/18 would
be enough :-)
/Per
___
juniper-nsp mailing list juniper-nsp
Didn't you just forget to add VLAN tagging to the main interface?
/Per Westerlund
27 jul 2012 kl. 14:17 skrev Abdul 2012:
Hello,
I have two logical systems configured on m7i router, I want to connect
both LSs through two physical interfaces on the same router (fe-0/0/0
and fe0/1/0
6 mar 2012 kl. 02:20 skrev TCIS List Acct:
Thanks for all of the responses.
A few more questions:
- Can the L2 switch feature on the SRX240 be used when I have a pair of
appliances in HA mode? The docs seem to be conflicting on this -- it appears
that it may be supported in 11.x?
The ASAs are usually quite picky about Propxy-ID, and since you haven't
specified one, the SRX will use any, any, any (all 0). That kind of Proxy-ID
(or lack of) usually works well when you are using a route-based setup. The ASA
on the other hand (almost) always use policy based VPN, where you
71 matches
Mail list logo