Re: [j-nsp] SRX Experiences - Was: JUNOS 10.4S6 for EX8200 - PR/676826
On 01.09.2011 23:06, Scott T. Cameron wrote:
> I have 2x chassis cluster with SRX3400s. ALGs will destroy your soul. Avoid at all costs.

Additionally, they don't work when firewalling over two virtual routers (which I did need for a setup on a chassis cluster). The ports then only get opened for one of the involved zones; the zones for the other virtual router don't seem to care for the opened ports, or the ALG just doesn't open the ports for those zones once it has been processed. Very uncool...

Regards,
Stephan

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Experiences - Was: JUNOS 10.4S6 for EX8200 - PR/676826
1. Have you opened tickets?
2. Did you look in the Defect Search tool?

We have SRXs in our environment and there have been some issues, but thus far all have been identified and resolved over time. Months actually rather than years. At least for us, Juniper has been quick to resolve issues.

Derick Winkworth
CCIE #15672 (RS, SP), JNCIE-M #721
http://blinking-network.blogspot.com

From: Stephan Tesch step...@tesch.cx
To: juniper-nsp@puck.nether.net
Sent: Friday, September 2, 2011 5:29 AM
Subject: Re: [j-nsp] SRX Experiences - Was: JUNOS 10.4S6 for EX8200 - PR/676826

> On 01.09.2011 23:06, Scott T. Cameron wrote:
> > I have 2x chassis cluster with SRX3400s. ALGs will destroy your soul. Avoid at all costs.
>
> Additionally, they don't work when firewalling over two virtual routers (which I did need for a setup on a chassis cluster). The ports then only get opened for one of the involved zones; the zones for the other virtual router don't seem to care for the opened ports, or the ALG just doesn't open the ports for those zones once it has been processed. Very uncool...
>
> Regards,
> Stephan
Re: [j-nsp] ISG Dropping TCP packets
An update: this issue is officially PR 677385. JTAC is working on a fix. Since I last posted we have observed the bug on an additional ISG-1000. To date, we have observed this in 6.3.0r7, 6.3.0r8, and 6.2.0r9.

We were able to get packet captures of both the V1-Untrust and V1-Trust interface, in addition to numerous debug outputs as requested by JTAC. Analysis of the packet captures reveals that the ISG-1000 is actually sending response traffic when it erroneously activates TCP Proxy. The conversation looks like this:

Packet 1: 10.0.2.4:56742 -> 10.0.1.10:80 SYN (Correct src-mac) (Correct dst-mac)
Packet 2: 10.0.1.10:80 -> 10.0.2.4:56742 SYN-ACK (src-mac: 00:00:00:00:00:00) (dst-mac: 00:00:00:00:00:00)

The full packet capture shows some other oddities with sequence numbers sent by the ISG, but the above is enough to prove the point.

To summarize, this bug can be experienced if the following conditions are true:

1. ISG platform
2. ScreenOS 6.2 or 6.3
3. Transparent / Layer-2 mode
4. Undelivered TCP packets
5. UDP and ICMP packets delivered without issue
6. debug flow basic shows 'tcp proxy processing', e.g.:

   get ff          (make sure no FF are set; if so, use unset ff)
   clear db
   debug flow basic
   get db str | include tcp proxy processing

I hope this helps if anyone else ever experiences this issue.
Re: [j-nsp] Securing management access to Juniper gear
You can use a firewall filter to deny or permit the correct IP addresses to your gear. There is a good document on the Juniper web site explaining how you can do that (best practices), among others:

http://www.cymru.com/gillsr/documents/junos-template.pdf
http://www.juniper.net/us/en/community/junos/training-certification/day-one/
http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

> What is the recommended/preferred way to secure the SSH/Web access to a piece of JunOS gear? I have a couple routers (MX80) and switches (EX4200) that are remote. Can I attach packet filters to the system services (HTTP, SSH)? Do I attach the packet filter to the lo0 interface?
>
> Thanks
> -Matt
Re: [j-nsp] Securing management access to Juniper gear
Hi Matthew -

On Fri, Sep 02, 2011 at 02:28:03PM -0400, Matthew S. Crocker wrote:
> What is the recommended/preferred way to secure the SSH/Web access to a piece of JunOS gear? I have a couple routers (MX80) and switches (EX4200) that are remote. Can I attach packet filters to the system services (HTTP, SSH)? Do I attach the packet filter to the lo0 interface?

You typically attach a firewall filter to the lo0 interface to secure the routing engine. For more information I highly recommend the following Day One book, which goes over this in detail:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

I'm not an EX guru, but I believe the same concepts can be applied.

- Mark

--
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
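The lo0 approach recommended in the two replies above, written out as a minimal Junos configuration. This is an added example, not from the thread or the Day One book; the filter name, the prefix-list name and the two management prefixes are placeholders to be replaced with the real management sources.

```junos
/* Added example. protect-re, mgmt-hosts and the prefixes are placeholders. */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.10/32;
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* SSH and HTTPS to the RE only from the trusted management prefixes. */
            term allow-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Any other attempt at a management port: count it, log it, drop it. */
            term deny-mgmt {
                from {
                    protocol tcp;
                    destination-port [ ssh http https ];
                }
                then {
                    count mgmt-denied;
                    log;
                    discard;
                }
            }
            /* Leave routing protocols, SNMP etc. untouched; a full RE filter enumerates them and ends in discard. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because lo0 fronts the routing engine, this one filter covers management traffic arriving on any revenue port. After commit, "show firewall filter protect-re" shows the mgmt-denied counter and "show firewall log" the logged sources, which is the quickest way to confirm the prefix-list is complete before tightening further.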
[j-nsp] MX fabric utilization
Hello,

Sorry for the dumb question. Is there a command in JunOS (MX480/MX960) like "show fabric utilization" on Cisco 6500/7600?

--
MYL2-RIPE