[j-nsp] Re: SRX IPSEC Full Mesh
HI, I see your question. For a full mesh IPsec VPN, it requires a /30 netmask address on your tunnel interface, no more parameters!

regards
Jack Xu

juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: 29 October 2013 22:29
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] SRX IPSEC Full Mesh

Hi all
I have three SRX firewalls; one of them is acting as a hub and the other two are spokes. I have established two IPSEC VPNs between each spoke and the hub and all is functioning well.
Now, I had a requirement to establish a direct IPSEC VPN between the spokes; when I do so, I lose all VPN connections on one of the spokes and the tunnel never comes up?
I suspected that there is something wrong in the traffic pattern due to learning the prefix from two places or something; what should be done to avoid this and bring the two tunnels toward the hub and the spoke up and functioning?
BR,
Mohammad
[j-nsp] how to check MAG & SA's CPU and memory
Hi all:
As the title said, I want to know SA and MAG's CPU and memory information. I have a box, a MAG2600; how do I get them, or where could I get them from the internet? I have checked the datasheets, no message.
[j-nsp] SRX's dynamic vpn
Hi all:
I have some questions about SRX's dynamic VPN. Suppose two users are connected through dynamic VPN; is there a configuration that could make them access each other? I know the default setting can't. If it can't be done, is there an official explanation of the theory? And what about SSL VPN?
[j-nsp] Re: Re: Re: SRX650 full-mesh vpn, ssh not passed
Yes. Double equal next-hops there: one path is directly connected to node 1 (st0.1), and another is node 2 (st0.2) -> node 3 -> node 1; OSPF chooses the route randomly. If the next-hop is st0.1, traffic passes right; the other route can't. It's all trouble with the metric value of st0.X.

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Payam Chychi
Sent: 8 August 2013 4:56
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Re: Re: SRX650 full-mesh vpn, ssh not passed

so your valid path was actually invalid?

On 2013-08-06 6:43 PM, 徐见 wrote:
> Thx for your attention, I have found out the reason, it's an OSPF issue,
> because OSPF generates two next-hops for NET A on node 2.
>
> From: Muhammad Atif Jauhar [mailto:atif.jau...@gmail.com]
> Sent: 5 August 2013 21:36
> To: 徐见
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Re: SRX650 full-mesh vpn, ssh not passed
>
> Hi,
>
> Is it possible to share the configuration of Node 1, Node 2 and Node 3,
> and also the output of show route for the network behind Node 1, Node 2 and
> Node 3 at all nodes (1, 2, and 3).
>
> Regards,
> Atif.
>
> On Mon, Aug 5, 2013 at 10:58 AM, 徐见 wrote:
>
> Actually, when I disable the first link of node 1, all nodes could
> pass every kind of traffic well, except node 2.
> And I built the same lab system; the issue did not happen.
>
> -----Original Message-----
> From: Ojamo, V. [mailto:lists.vi...@ojamo.eu]
> Sent: 5 August 2013 15:02
> To: '徐见'; juniper-nsp@puck.nether.net
> Subject: RE: [j-nsp] SRX650 full-mesh vpn, ssh not passed
>
> The pictures cannot be viewed without a Weibo account?
>
> -V
>
>> -----Original Message-----
>> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net]
>> On Behalf Of ??
>> Sent: Monday, August 05, 2013 1:18 PM
>> To: juniper-nsp@puck.nether.net
>> Subject: [j-nsp] SRX650 full-mesh vpn, ssh not passed
>>
>> Hi all:
>>
>> As the theme said, I have a route-based VPN, full-mesh topology,
>> and run the OSPF protocol.
>>
>> Physical link topology is here:
>> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607937263216169#3607937263216169
>>
>> Logical link topology is here:
>> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607931668041778#3607926685185940
>>
>> The issue is just between node 1 and node 2.
>>
>> As you can see, there are four links on node 1 and one link on node 2,
>> and 2 VPN tunnels have been built between both (st0.0, st0.1).
>>
>> And the two tunnels work as primary (st0.0) and backup (st0.1).
>>
>> The problem is, when the primary is down, SSH traffic from NET A to NET B
>> can't pass, but from NET B to NET A is OK.
>>
>> show route "NET B" and show route "NET A" commands show both of them have
>> learned the route from the right tunnel (st0.1); the ping command in both
>> directions is OK too.
>>
>> Could anyone give any idea?
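As an added example (not configuration from anyone in this thread), a Node 2 fragment that puts together the two points raised above: Jack Xu's note that each tunnel interface in a full mesh carries a /30 address, and 徐见's finding that the SSH failure came from two equal-cost OSPF next-hops for NET A on node 2. Explicit OSPF metrics make the direct tunnel to Node 1 (st0.1) strictly cheaper than the detour via Node 3 (st0.2), so only one next-hop is installed. Addresses, interface units and VPN names are constructed placeholders.

```junos
/* Added example, not any poster's configuration: Node 2 of a three-SRX full mesh.
   Addresses, interface names and VPN names are constructed placeholders. */
interfaces {
    st0 {
        /* direct tunnel to Node 1: a /30 point-to-point address */
        unit 1 {
            family inet {
                address 10.255.12.2/30;
            }
        }
        /* tunnel to Node 3: a /30 point-to-point address */
        unit 2 {
            family inet {
                address 10.255.23.2/30;
            }
        }
    }
}
security {
    ipsec {
        /* each route-based VPN is bound to its own st0 unit;
           the IKE gateway and ipsec-policy statements are omitted here */
        vpn VPN-TO-NODE1 {
            bind-interface st0.1;
        }
        vpn VPN-TO-NODE3 {
            bind-interface st0.2;
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            /* cost 10 to NET A over the direct tunnel */
            interface st0.1 {
                interface-type p2p;
                metric 10;
            }
            /* cost 100 before Node 3 adds its own hop toward Node 1, so the
               detour can never tie with the direct tunnel: one next-hop only */
            interface st0.2 {
                interface-type p2p;
                metric 100;
            }
        }
    }
}
```

After committing, `show route <NET A prefix>` on Node 2 should list a single next-hop via st0.1; if two next-hops still appear, the path through Node 3 is not costing more than the direct tunnel and the metrics need another look.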
[j-nsp] Re: Re: SRX650 full-mesh vpn, ssh not passed
Thx for your attention, I have found out the reason, it's an OSPF issue, because OSPF generates two next-hops for NET A on node 2.

From: Muhammad Atif Jauhar [mailto:atif.jau...@gmail.com]
Sent: 5 August 2013 21:36
To: 徐见
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Re: SRX650 full-mesh vpn, ssh not passed

Hi,

Is it possible to share the configuration of Node 1, Node 2 and Node 3, and also the output of show route for the network behind Node 1, Node 2 and Node 3 at all nodes (1, 2, and 3).

Regards,
Atif.

On Mon, Aug 5, 2013 at 10:58 AM, 徐见 wrote:

Actually, when I disable the first link of node 1, all nodes could pass every kind of traffic well, except node 2.
And I built the same lab system; the issue did not happen.

-----Original Message-----
From: Ojamo, V. [mailto:lists.vi...@ojamo.eu]
Sent: 5 August 2013 15:02
To: '徐见'; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] SRX650 full-mesh vpn, ssh not passed

The pictures cannot be viewed without a Weibo account?

-V

> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net]
> On Behalf Of ??
> Sent: Monday, August 05, 2013 1:18 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] SRX650 full-mesh vpn, ssh not passed
>
> Hi all:
>
> As the theme said, I have a route-based VPN, full-mesh topology,
> and run the OSPF protocol.
>
> Physical link topology is here:
> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607937263216169#3607937263216169
>
> Logical link topology is here:
> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607931668041778#3607926685185940
>
> The issue is just between node 1 and node 2.
>
> As you can see, there are four links on node 1 and one link on node 2,
> and 2 VPN tunnels have been built between both (st0.0, st0.1).
>
> And the two tunnels work as primary (st0.0) and backup (st0.1).
>
> The problem is, when the primary is down, SSH traffic from NET A to NET B
> can't pass, but from NET B to NET A is OK.
>
> show route "NET B" and show route "NET A" commands show both of them have
> learned the route from the right tunnel (st0.1); the ping command in both
> directions is OK too.
>
> Could anyone give any idea?
[j-nsp] Re: Re: SRX650 full-mesh vpn, ssh not passed
Node 1's configuration

From: Muhammad Atif Jauhar [mailto:atif.jau...@gmail.com]
Sent: 5 August 2013 21:36
To: 徐见
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Re: SRX650 full-mesh vpn, ssh not passed

Hi,

Is it possible to share the configuration of Node 1, Node 2 and Node 3, and also the output of show route for the network behind Node 1, Node 2 and Node 3 at all nodes (1, 2, and 3).

Regards,
Atif.

On Mon, Aug 5, 2013 at 10:58 AM, 徐见 wrote:

Actually, when I disable the first link of node 1, all nodes could pass every kind of traffic well, except node 2.
And I built the same lab system; the issue did not happen.

-----Original Message-----
From: Ojamo, V. [mailto:lists.vi...@ojamo.eu]
Sent: 5 August 2013 15:02
To: '徐见'; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] SRX650 full-mesh vpn, ssh not passed

The pictures cannot be viewed without a Weibo account?

-V

> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net]
> On Behalf Of ??
> Sent: Monday, August 05, 2013 1:18 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] SRX650 full-mesh vpn, ssh not passed
>
> Hi all:
>
> As the theme said, I have a route-based VPN, full-mesh topology,
> and run the OSPF protocol.
>
> Physical link topology is here:
> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607937263216169#3607937263216169
>
> Logical link topology is here:
> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607931668041778#3607926685185940
>
> The issue is just between node 1 and node 2.
>
> As you can see, there are four links on node 1 and one link on node 2,
> and 2 VPN tunnels have been built between both (st0.0, st0.1).
>
> And the two tunnels work as primary (st0.0) and backup (st0.1).
>
> The problem is, when the primary is down, SSH traffic from NET A to NET B
> can't pass, but from NET B to NET A is OK.
>
> show route "NET B" and show route "NET A" commands show both of them have
> learned the route from the right tunnel (st0.1); the ping command in both
> directions is OK too.
>
> Could anyone give any idea?
[j-nsp] Re: SRX650 full-mesh vpn, ssh not passed
Actually, when I disable the first link of node 1, all nodes could pass every kind of traffic well, except node 2.
And I built the same lab system; the issue did not happen.

-----Original Message-----
From: Ojamo, V. [mailto:lists.vi...@ojamo.eu]
Sent: 5 August 2013 15:02
To: '徐见'; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] SRX650 full-mesh vpn, ssh not passed

The pictures cannot be viewed without a Weibo account?

-V

> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net]
> On Behalf Of ??
> Sent: Monday, August 05, 2013 1:18 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] SRX650 full-mesh vpn, ssh not passed
>
> Hi all:
>
> As the theme said, I have a route-based VPN, full-mesh topology,
> and run the OSPF protocol.
>
> Physical link topology is here:
> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607937263216169#3607937263216169
>
> Logical link topology is here:
> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607931668041778#3607926685185940
>
> The issue is just between node 1 and node 2.
>
> As you can see, there are four links on node 1 and one link on node 2,
> and 2 VPN tunnels have been built between both (st0.0, st0.1).
>
> And the two tunnels work as primary (st0.0) and backup (st0.1).
>
> The problem is, when the primary is down, SSH traffic from NET A to NET B
> can't pass, but from NET B to NET A is OK.
>
> show route "NET B" and show route "NET A" commands show both of them have
> learned the route from the right tunnel (st0.1); the ping command in both
> directions is OK too.
>
> Could anyone give any idea?
[j-nsp] Re: SRX650 full-mesh vpn, ssh not passed
I'm so sorry, the new links are here:

Physical link:
http://xiangce.baidu.com/picture/detail/b99b8391244c49d2e545b055e33bb55679057dc2?type=gallery#f014b9639630fd5f0bd300d3bf2f8bcf2019be9a

Logical link:
http://xiangce.baidu.com/picture/detail/b99b8391244c49d2e545b055e33bb55679057dc2?type=gallery#b99b8391244c49d2e545b055e33bb55679057dc2

pls check again.

-----Original Message-----
From: Ojamo, V. [mailto:lists.vi...@ojamo.eu]
Sent: 5 August 2013 15:02
To: '徐见'; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] SRX650 full-mesh vpn, ssh not passed

The pictures cannot be viewed without a Weibo account?

-V

> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net]
> On Behalf Of ??
> Sent: Monday, August 05, 2013 1:18 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] SRX650 full-mesh vpn, ssh not passed
>
> Hi all:
>
> As the theme said, I have a route-based VPN, full-mesh topology,
> and run the OSPF protocol.
>
> Physical link topology is here:
> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607937263216169#3607937263216169
>
> Logical link topology is here:
> http://photo.weibo.com/2110817105/photos/detail/photo_id/3607931668041778#3607926685185940
>
> The issue is just between node 1 and node 2.
>
> As you can see, there are four links on node 1 and one link on node 2,
> and 2 VPN tunnels have been built between both (st0.0, st0.1).
>
> And the two tunnels work as primary (st0.0) and backup (st0.1).
>
> The problem is, when the primary is down, SSH traffic from NET A to NET B
> can't pass, but from NET B to NET A is OK.
>
> show route "NET B" and show route "NET A" commands show both of them have
> learned the route from the right tunnel (st0.1); the ping command in both
> directions is OK too.
>
> Could anyone give any idea?
[j-nsp] SRX650 full-mesh vpn, ssh not passed
Hi all:

As the theme said, I have a route-based VPN, full-mesh topology, and run the OSPF protocol.

Physical link topology is here:
http://photo.weibo.com/2110817105/photos/detail/photo_id/3607937263216169#3607937263216169

Logical link topology is here:
http://photo.weibo.com/2110817105/photos/detail/photo_id/3607931668041778#3607926685185940

The issue is just between node 1 and node 2.

As you can see, there are four links on node 1 and one link on node 2, and 2 VPN tunnels have been built between both (st0.0, st0.1).

And the two tunnels work as primary (st0.0) and backup (st0.1).

The problem is, when the primary is down, SSH traffic from NET A to NET B can't pass, but from NET B to NET A is OK.

show route "NET B" and show route "NET A" commands show both of them have learned the route from the right tunnel (st0.1); the ping command in both directions is OK too.

Could anyone give any idea?