Re: [j-nsp] route-based VPNs between SRX and ASA with multiple subnets behind SRX and single subnet behind ASA

On the run, but shortly: Don’t do it that way, much easier ways available. What version are you running on the SRX? Traffic-selectors are what you want. /Per PS: I’ll try to get back with more details later. > 1 dec. 2019 kl. 13:26 skrev Tom Meadows : > > I'm trying to set up a config very

Re: [j-nsp] 802.3ad LAG between ASR 1002-X and Juniper MX204

Using BFD instead of LACP for link monitoring? /Per On 20 Jul 2019, at 12:06, Mark Tinka wrote: > We now restrict LAG's to router-switch 802.1Q trunks. > > On backbone links, we've found regular IP ECMP to be more reliable than > LAG's. > > Mark. ___

[j-nsp] RPM-probes to HTTP proxy server?

Hi all! I’m trying to set up RPM probes with a SRX (1500, 15.1X49) to a server (via IPsec tunnel, but that does not really have any bearing on the problems I’m facing). The server is an external proxy-server for HTTP requests, and it does not answer icmp-ping requests. Neither does it answer

Re: [j-nsp] Simulate minimum-links for ordinary interfaces?

Interim followup: This is probably the bestpath to follow, but I have not been able to make the RPM probes work. I’ll follow that up in a separate thread. Once that is cleared, there will be a final followup /Per On 10 Jun 2019, at 21:18, Per Westerlund wrote: Thanks, good suggestion

Re: [j-nsp] Simulate minimum-links for ordinary interfaces?

Thanks, good suggestion. Haven’t used that before. Given that input, this is what I will try: - Add a dummy linknet to each tunnel interface, since RPM and IP-monitoring works with addresses and not interfaces directly - Use two RPM-probes on the primary links to be able to have independent

Re: [j-nsp] Netscreen-to-Junos Translation Tool

There is a tool available via the Juniper Partner site that helps with migrations from Netscreen to SRX. /Per > 17 juli 2018 kl. 15:54 skrev Doug McIntyre : > >> On Tue, Jul 17, 2018 at 07:48:52AM +, M Abdeljawad via juniper-nsp wrote: >> Was checking portal for the Netscreen-Junos

Re: [j-nsp] Comparison strangeness with annotations

1 [edit routing-options static] +/* Annotation test */ route 0.0.0.0/0 { ... } On 1 Jul 2017, at 15:35, Per Westerlund wrote: Hi all! Normally, when comparing current and previous configurations on Junos-boxes, I assume I get the same results when running in operational mode as when

[j-nsp] Comparison strangeness with annotations

Hi all! Normally, when comparing current and previous configurations on Junos-boxes, I assume I get the same results when running in operational mode as when running in configuration mode. I didn't even think there could be a difference. The other day, when we were having some problems with

Re: [j-nsp] Packet capturing on SRX5400

I do believe that it is not until you stop the capture that all data is flushed to the capture-file. If you have a small enough flow, the file will be empty until you stop the capture. /Per On 17 Feb 2017, at 17:44, Jonathan Call wrote: I followed the instructions listed here to create and

Re: [j-nsp] NAT & routing instances

That should be enough. Forward traffic destination is resolved in the target RI, and the return traffic egress interface is determined by the session set up by the first packet. Note that the security policies should match on post-NAT zones/addresses. /Per > 27 jan. 2017 kl. 09:52 skrev

[j-nsp] License for BFD on vMX?

in how BFD and charging licenses are connected? /Per Westerlund ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] SNMP walk on JunOS from inside a routing instance

That is default behavior, but you can access other RI's interfaces by explicitly using the RI name. No way to reach all IFs at once via a RI. /Per PS: Excuse my brevity, caused by screen kbd. > 27 apr. 2016 kl. 17:45 skrev James Bensley : > > Hi All, > > I am migrating

Re: [j-nsp] SRX performance

Like most manufacturers the performances quoted by Juniper are under ideal (or even better) conditions. The only way to be sure is to test with a representative load. In my case we were running backups (large packets one way, acks the other) over IPSec. We generally planned for 1/3 of the

Re: [j-nsp] SRX FBR and destination nat

I think you are hit by the flow mechanism, this would probably work in pure routing scenario. Please verify my possible explanation with set security flow traceoptions flag basic-datapath. When the first packet is accepted, a flow is set up. It contains both the forward path and the reverse

Re: [j-nsp] SRX FBR and destination nat

There is (probably) a simple solution if pp0.0 is only used by inbound traffic that will be NAT-ed, and never used as backup for pp0.1 outbound. Is this the case? /Per Sent from my iPad, please ignore stupid spelling corrections! 26 jun 2014 kl. 15:39 skrev Yuriy B. Borysov

Re: [j-nsp] SRX FBR and destination nat

If you start by setting up traceoptions as in the excellent article referred to by Ben, you will probably find the problem easily. Then, making the RI cat a virtual-router instead of a forwarding instance (with the ISP ifl in it) and setting up proper policy will probably be a good start to

Re: [j-nsp] Cluster issue with SRX550

From your post it is not obvious what setup you are using. Can you elaborate, please? Two standard setups that normally work: - One link from each of node0 and node1, to (in this case) MX5-T. No LACP, just active/passive setup with RETH-interface in SRX cluster. - At least two interfaces

Re: [j-nsp] Site-To-Site VPN woes again

I think Mike was hinting at the hidden property ’local-address’ to help select source address from an interface that has more than on address configured. You won’t see it in the help, but if you enter this: set security ike gateway GATE local-address x.y.z.w it will work. This way

Re: [j-nsp] Help with MSTP in EX8208

Good catch/reference. Slight typo, the section is 13.12 (in my copy from May 2006). /Per Sent from my iPad, please ignore stupid spelling corrections! 3 apr 2014 kl. 01:14 skrev Jeff Wheeler j...@inconcepts.biz: For more on the different MSTP Port Roles and their meanings, see IEEE

Re: [j-nsp] Are IRB interfaces still not functional under SRX?

I'm offline right now, but last time I checked, IRBs with bridge domains (SRX in transparent/L2 mode) were only used for management, no forwarding of transit traffic possible. /Per 2 apr 2014 kl. 21:46 skrev Morgan McLean wrx...@gmail.com: Just double checking that IRB interfaces are not

Re: [j-nsp] SRX100 LDAP

You did not set up separate address for authentication like below, try that first. /Per Sent from my iPad, please ignore stupid spelling corrections! 21 mar 2014 kl. 04:54 skrev Шепелев Андрей xamalon...@gmail.com: show interfaces ge-0/0/1 unit 0 { family inet { address

Re: [j-nsp] SRX100 LDAP

$k.TFtu1RcyAtWLX7VbfTQ3Ap set access ldap-server 10.60.0.5 port 3268 but it did not help :((( 2014-03-18 17:32 GMT+06:00 Per Westerlund p...@westerlund.se: I haven’t done it myself (yet), but you probably need to define the ldap-server directly under the stanza ”access”. In your profile TPAD you just

[j-nsp] PVLAN with ELS?

Hi everybody. Juniper is apparently preparing to change the switching CLI in the future to ”Enhanced Layer 2 Software Support (ELS)”. In the descriptions I have read so far, there is no mention on how to set up Private VLAN (PVLAN) using ELS. PVLAN is supported on QFX with the current CLI,

Re: [j-nsp] Config ordering of security address-book and address-set members

I don't KNOW why, but I realize that some want their entries sorted on address, others on name; therefore it is in insertion order with the possibility to reorder by ”insert …..” (or reorder externally, den delete and reapply content). /Per 7 mar 2014 kl. 11:02 skrev Phil Mayers

Re: [j-nsp] Problem with Active Directory with my SRX

What version are you running? Not knowing the rest of the setup makes it hard to guess what it could be. Unless there are some filters on interfaces, I would suspect the DNS ALG, it has sometimes caused problems. If you are allowed to make changes to the ALGs, one thing to try could be:

Re: [j-nsp] OSPF Confusion

I think Eduardo forgot to mention that you should also change the metric to be Type 1, then the internal metric will be added and I think you get the behavior you want. /Per Sent from my iPad, please ignore stupid spelling corrections! 27 feb 2014 kl. 21:23 skrev Eduardo Barrios

Re: [j-nsp] MX480 RE-S-2000 IGMP flood

The logic for what filters get applied is like this (stolen from Juniper documentation): • If you configure Filter A on the default loopback interface (lo0.0) and Filter B on the VRF loopback interface (lo0.x), the VRF routing instance uses Filter B. • If you configure Filter A on the default

Re: [j-nsp] Destination NAT

I am sorry to say that I think it is almost correct. The policy rules are evaluated after destination NAT handling, where the destination port has already been translated. You should probably exchange: set security policies from-zone untrust to-zone trust policy DNAT_POLICY match application

Re: [j-nsp] Destination NAT

Below is what I believe is a working solution. First, with destination nat, matching on public IP/port, the destination IP/port is translated from 24.173.164.162 : to 132.147.160.3:23. Next, the policy match statement has to allow just that, after the translation: 132.147.160.3:23.

Re: [j-nsp] Destination NAT

Have you set up proxy-arp for the DNAT address? It does not work by itself, has to be manually if it is an address on the external (untrust) network. /Per 28 nov 2013 kl. 10:32 skrev Mohammad Khalil eng.m...@gmail.com: set security policies from-zone untrust to-zone trust policy

Re: [j-nsp] Destination NAT

No, those source nat rules should have no effect on you problem. When the inbound traffic matches (hopefully) the requirements, a complete flow is set up. The return traffic automatically gets the proper nat handling to match the inbound traffic. The outbound traffic will use source NAT that

Re: [j-nsp] Destination NAT

Try to add this to your configuration: [edit security flow] perw@srx1# show traceoptions { file dnat-telnet-debug; flag basic-datapath; packet-filter dnat-telnet-in { protocol tcp; destination-prefix 24.173.164.162/32; destination-port ; }

[j-nsp] Fwd: Destination NAT

Problem resolved. /Per Vidarebefordrat brev: Från: Mohammad Khalil eng.m...@gmail.com Ämne: Re: [j-nsp] Destination NAT Datum: 28 november 2013 12:23:49 CET Till: Per Westerlund p...@westerlund.se All the problem was from the public IP address , seems it was used somewhere else I do

Re: [j-nsp] Tunnel failing at No propsal chosen but works when target is another device

What was the problem? /Per 26 nov 2013 kl. 10:28 skrev Mattias Gyllenvarg matt...@gyllenvarg.se: Actually it was not, it was before but I removed it when I removed the st interface to re apply it. I have since then fixed the original issue and now got through IKE and have it working.

Re: [j-nsp] JNCIS SP

Once logged in to https://learningportal.juniper.net/, you can navigate to Learning Portal Home Fast Track JNCIS-SP eLearning JNCIS-SP Study Resources There are 3 PDF files available there, study guides for switching, routing and MPLS/VPN. /Per 31 okt 2013 kl. 15:55 skrev Mohammad

Re: [j-nsp] Internet access SRX

The normal NAT handling only works with transit traffic, not self-sourced traffic. With newer Junos, you can set up NAT rules using the zone junos-host to get the wanted behaviour. /Per 23 okt 2013 kl. 09:34 skrev Mohammad Khalil eng.m...@gmail.com: Hi all I have SRX and I have

Re: [j-nsp] Internet access SRX

is allowed BR, Mohammad On Wed, Oct 23, 2013 at 10:56 AM, Per Westerlund p...@westerlund.se wrote: The normal NAT handling only works with transit traffic, not self-sourced traffic. With newer Junos, you can set up NAT rules using the zone junos-host to get the wanted behaviour. /Per

Re: [j-nsp] Junos ospf question

Can you give some more details? I'm not sure I understand all of your requirements. Are you trying to influence something native to OSPF, or are you talking about setting metrics for routes redistributed (Cisco-speak) from another protocol? /Per 25 sep 2013 kl. 10:09 skrev R S

Re: [j-nsp] Junos ospf question

I don't think overload-mode is what you want. I used it once before I realized the consequences. It will, as i says in the docs, put itself into the mode I cannot really be used for transit traffic any more, only send me traffic for my directly attached networks. This is an OSPF setting (in

Re: [j-nsp] Junos ospf question

First let me see if I understand you correctly by rephrasing. - Three sites A, B och C all connected with direct links - Link A-B has high capacity - Links A-C and B-C has lower capacity - High volume storage traffic traverses link A-B and must not use links A-C or B-C, even if link A-B goes

Re: [j-nsp] Junos ospf question

I think I know one way to do it. Multi-topology routing to the rescue! With MT-routing we can have one topology with only sites A and B and all their routers and routes/prefixes, and another topology with sites A, B and C and everything (just like today). On ingress, you classify and assign

Re: [j-nsp] trouble setting up link agg between clustered SRX 550 and Cisco 6509

The components of the SRX RETH-interfaces are not all active at the same time, this is a fail-over construct. One active link at the time. You should be looking at the AE-interfaces instead, they are proper LACP aggregators. /Per 16 aug 2013 kl. 00:55 skrev Andy Litzinger

Re: [j-nsp] trouble setting up link agg between clustered SRX 550 and Cisco 6509

-Original Message- From: Per Westerlund [mailto:p...@westerlund.se] Sent: Friday, August 16, 2013 12:54 AM To: Andy Litzinger Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] trouble setting up link agg between clustered SRX 550 and Cisco 6509 The components of the SRX RETH-interfaces

Re: [j-nsp] Config archive subtleties

RANCID! If you then augment the basic timed polling setup with SNMP-triggered polling, you can have every committed config backed up, and have a timed poll as backup in case there is some problems with the SNMP traps. /Per Sent from my iPad, please ignore stupid spelling corrections! 7 aug

Re: [j-nsp] Static NAT and VPN tunnels

What device are you using? Sometimes it is possible to use a route-based VPN even if the other side only can use policy-based VPN (SRX with Cisco ASA is a typical example), that could perhaps solve your problem? /Per 24 jul 2013 kl. 19:50 skrev Aaron Dewell aaron.dew...@gmail.com: Hey

Re: [j-nsp] J/SRX ICMP handling

In the context of this conversation it is implicit that IPsec is used, with st0.x interfaces. They have nowhere to attach filters! To be able to use filters with st0.x interfaces, you have to wrap one more layer of interface. GRE is one obvious solution (can have attached filters), can

Re: [j-nsp] Howto debug RTPERF_CPU_THRESHOLD_EXCEEDED

The other cause for this message is SPU overload, often caused by to much IPsec VPN traffic. Being offline on holiday with only an iPad, I'll just give you a hint, details not to difficult to fill in: show security monitoring performance spu Or something along those lines. In my experience,

Re: [j-nsp] Old JUNOS images removed from download page

Probably the response to the vulnerabilities described in PSN-2013-01-823, Crafted TCP packet can lead to kernel crash. (PR 839412) /Per 30 jan 2013 kl. 13:38 skrev Tore Anderson t...@fud.no: Hi, For EX, 11.4R5.5 is the JTAC-recommended version for most models. It appears to have been

Re: [j-nsp] Not logging the interface status logs

You can always use set groups no-events-link-status ., set apply-groups no-events-link-status for global effect. /Per Sent from my iPad, please ignore stupid spelling corrections! 23 dec 2012 kl. 10:28 skrev Nc Aji aji14...@gmail.com: Thanks for that shot .. is there a way we can do this

Re: [j-nsp] FBF with st interfaces on SRX3400

of that, but sounds pretty solid. I'm gonna see if i can build a test setup for this. Pitty though that i will have another 24 bytes overhead because of GRE... Thanks, Dennis From: Per Westerlund [p...@westerlund.se] Sent: Wednesday, December 19

Re: [j-nsp] SRX, UDP traffic, routing asymmetry (selective packet mode, 1/2)

We are running a similar setup, sites with SRXs running OSPF over IPsec (tunnel mode, st0.x). Right now we have a hub-and-spoke setup, but plan to implement direct IPsec connections between some of our spoke sites, opening the possibility of asymmetric routing (and subsequent failure in the SRX

Re: [j-nsp] SRX, UDP traffic, routing asymmetry

disable; sql disable; talk disable; tftp disable; pptp disable; msrpc disable; sunrpc disable; } } -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Per Westerlund Sent

Re: [j-nsp] SRX, UDP traffic, routing asymmetry

/12/12 10:58, Per Westerlund wrote: To follow up my own post (even more to follow), here is the config you use on a J-series router to put it in router-mode. Nothing magic, just some configuration. This will work with SRX as well, there is nothing J-series specific in here. This config is found

Re: [j-nsp] OSPF on a VRRP Interface

Why would you want to do that (assuming you are running OSPF on all VRRP group members)? /Per Sent from my iPad, please ignore stupid spelling corrections! 5 dec 2012 kl. 05:57 skrev Luca Salvatore l...@ninefold.com: Hi, If I run OSPF on an interface that is also running VRRP, is it

Re: [j-nsp] SRX, UDP traffic, routing asymmetry

SRX as router with IPsec? Have you tried Router Context? Most docs talk about J-series, but it works with SRX as well. If you need security (as in policies and zones) as well, there is selective packet mode. I have done some work in that area, and can give details later (right now I'm

Re: [j-nsp] SRX100 for dual 100M uplink routing network in packet mode.

Our experience with performance-limited branch SRX systems lately has made us use the 1/3-rule. If you don't use more than 1/3 of the rated max of any one metric the box will perform well and have some headroom for fluctuations. Going above that, our boxes fill the logs with warnings that the

Re: [j-nsp] Juniper SRX 240 Clustering

: -- Hostname: dkcphfw01b Model: srx550 JUNOS Software Release [12.1R2.9] /Per Westerlund 25 nov 2012 kl. 07:11 skrev Bikash Bhattarai: Dear Westerlund, Thank you for your email. When I configure clustering all

Re: [j-nsp] Juniper SRX 240 Clustering

}” . Is that making issue while failover ? Regards, Bikash Bhattarai | Dristi Tech (P.) Ltd | +977 9851039710 | www.dristi.com.np Lazimpat, Kathmandu |Tel 977 1 4427949 | Fax 977 1 4410385 On Sun, Nov 25, 2012 at 4:12 PM, Per Westerlund p...@westerlund.se wrote: Strange, this is from

Re: [j-nsp] Juniper SRX 240 Clustering

are connecting to node0, not node1. /Per Westerlund 24 nov 2012 kl. 18:43 skrev Bikash Bhattarai: Dear all, I have just configured two SRX 240 in clustering. One firewall is working as primary and another is working as secondary. When primary router wan interface fails the secondary

Re: [j-nsp] Strangeness with CoS and scheduler rate-limiting

cluster, 12.2R2). Comments? /Per 13 okt 2012 kl. 22:25 skrev Stefan Fouant: On Oct 13, 2012, at 2:59 PM, Per Westerlund p...@westerlund.se wrote: Note that the scheduler tmp-be is not used. My belief is that everything that is not explicitly mentioned in the scheduler-map is handled

Re: [j-nsp] Strangeness with CoS and scheduler rate-limiting

Sorry, 12.1R2 of course. /Per 15 okt 2012 kl. 17:57 skrev Per Westerlund: SRX550 cluster, 12.2R2 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] Strangeness with CoS and scheduler rate-limiting

!! Why is this happening? I thought schedulers XXX transmit-rate YYY exact would put a strict limit whatever happened. /Per Westerlund ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Strangeness with CoS and scheduler rate-limiting

corrections! 13 okt 2012 kl. 22:25 skrev Stefan Fouant sfou...@shortestpathfirst.net: On Oct 13, 2012, at 2:59 PM, Per Westerlund p...@westerlund.se wrote: Note that the scheduler tmp-be is not used. My belief is that everything that is not explicitly mentioned in the scheduler-map is handled

Re: [j-nsp] SRX - multipoint st0 tunnel interface and static route

in Juniper KB or Juniper forums. The common use case is with 2 default routes to 2 different ISPs, and having to chose one or the other based on what local IP address is used. /Per Westerlund 14 sep 2012 kl. 14:16 skrev pkc_mls: Le 14/09/2012 11:51, Mark Menzies a écrit : How do you route

Re: [j-nsp] SRX - multipoint st0 tunnel interface and static route

Yes, static routes work. What happens is that you put the two tunnels in different routing instances. The static route/routes used in each routing instance are completely independent of each other. /Per 14 sep 2012 kl. 15:55 skrev pkc_mls: Le 14/09/2012 2:55, Per Westerlund a écrit

Re: [j-nsp] SRX - multipoint st0 tunnel interface and static route

be a little complicated but we dont really have many options if the 2 remote sites have the same addressing scheme. HTH On 14 September 2012 15:59, Per Westerlund p...@westerlund.se wrote: Yes, static routes work. What happens is that you put the two tunnels in different routing instances

Re: [j-nsp] SRX - multipoint st0 tunnel interface and static route

Sorry, I was sloppy, they don't need 10.1.0.0/16 of course, 10.1.0.0/18 would be enough :-) /Per ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] SRX - multipoint st0 tunnel interface and static route

Too tired, I'm going to bed! Last call is: 10.1.0.0/22 /Per 14 sep 2012 kl. 18:43 skrev Per Westerlund: Sorry, I was sloppy, they don't need 10.1.0.0/16 of course, 10.1.0.0/18 would be enough :-) /Per ___ juniper-nsp mailing list juniper-nsp

Re: [j-nsp] Logical Systems Interconnection by Physical Interface

Didn't you just forget to add VLAN tagging to the main interface? /Per Westerlund 27 jul 2012 kl. 14:17 skrev Abdul 2012: Hello, I have two logical systems configured on m7i router, I want to connect both LSs through two physical interfaces on the same router (fe-0/0/0 and fe0/1/0

Re: [j-nsp] SRX240 - ready for prime time?

6 mar 2012 kl. 02:20 skrev TCIS List Acct: Thanks for all of the responses. A few more questions: - Can the L2 switch feature on the SRX240 be used when I have a pair of appliances in HA mode? The docs seem to be conflicting on this -- it appears that it may be supported in 11.x?

Re: [j-nsp] Help with vpn srx - asa

The ASAs are usually quite picky about Propxy-ID, and since you haven't specified one, the SRX will use any, any, any (all 0). That kind of Proxy-ID (or lack of) usually works well when you are using a route-based setup. The ASA on the other hand (almost) always use policy based VPN, where you