Re: [j-nsp] SRX as a server load balancer for service redundancy?
The SRX isn't a load balancer. Use something sensible like haproxy, nginx, etc.

Scott

On Wed, Aug 15, 2012 at 12:07 PM, OBrien, Will obri...@missouri.edu wrote:
> I'm wondering if I can do a simple server load balancer using a SRX.
>
> Example: Server A offers up service on port . Server B has the same service. If Server A goes offline, send traffic over to server B. Resume when Server A becomes available again.
>
> One thought is to use something like track-ip to push a static nat mapping around. Ideally, I'd love to monitor the port.
>
> Ideas or examples?
>
> This is really just for failover, rather than load balancing. I suppose I could monitor the service from a control machine and have a script execute a configuration change if the service becomes unreachable. I'd prefer it if the entire process were managed from the SRX. (In this case it's a pair of clustered SRX 210s.)
>
> Will

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX as a server load balancer for service redundancy?
On Wed, Aug 15, 2012 at 12:53 PM, joel jaeggli joe...@bogus.com wrote:

On 8/15/12 9:34 AM, Scott T. Cameron wrote:
> The SRX isn't a load balancer. Use something sensible like haproxy, nginx, etc.

We do layer 3 ECMP in front of our load balancer tier, and I imagine that would be fairly straightforward to implement with an SRX. Each destination to be load balanced to is available via several next hops; in this case the destinations are advertised using an eBGP session originating from a private ASN.

This approach doesn't deal with application health checks or asymmetric load balancing, but you can take a destination out of the rotation by withdrawing the routes, and if the BGP session drops that happens automatically. L3+L4 hash per-flow load balancing is stateless but sticky. It can be implemented on more than one device.

I'm generally down on the idea of putting a stateful firewall in front of a service that accepts unsolicited incoming connections; it will tend to be the least scalable item in the path.

You might consider using a DNS server that supports health checking to support your objective. gdnsd supports simple failovers, health checks, multiple or single A record returns, and geo targeting.

Scott
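The control-host approach Will floats in his question (probe the service port from outside the SRX and push a NAT change when it fails) can be made to behave sanely with a little hysteresis. The following is an added example written for this thread, not code from Will, Scott or Joel: it probes the real TCP port rather than just pinging the host, refuses to fail over onto a standby that is itself down, and fails back only after the primary has answered several probes in a row. The rule-set and rule names, the server addresses, the port and the probe counts are all assumptions, and the Junos commands it returns still have to be delivered to the SRX and committed by something else.

```python
"""Control-host failover monitor for two servers behind one SRX static NAT.

Added example for the juniper-nsp thread; not code posted by any participant.
Assumptions: the rule-set/rule names, server addresses, port, the probe
hysteresis, and that the returned Junos commands are pushed to the SRX by a
transport not shown here (NETCONF, scripted SSH, etc.).
"""
import ipaddress
import socket


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A full connect checks that the service is listening, which is what Will
    asked for; an ICMP track-ip would still pass with the daemon dead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class FailoverController:
    """Decides which server the static NAT rule should point at.

    Two counters provide hysteresis so one lost probe does not flip the
    mapping, and the standby is probed before failing over so the mapping is
    never moved onto a dead server."""

    def __init__(self, primary, secondary, port, rule_set, rule,
                 probe=tcp_probe, required_failures=3, required_successes=3):
        # Validate addresses up front: they are interpolated into config.
        self.primary = str(ipaddress.ip_address(primary))
        self.secondary = str(ipaddress.ip_address(secondary))
        self.port = port
        self.rule_set = rule_set          # assumed name, e.g. "STATIC-NAT"
        self.rule = rule                  # assumed name, e.g. "SVC-A"
        self.probe = probe
        self.required_failures = required_failures
        self.required_successes = required_successes
        self.active = self.primary        # the rule starts on the primary
        self.fail_count = 0
        self.ok_count = 0

    def _switch_to(self, target):
        """Move the rule to target; return the Junos commands that do it."""
        self.active = target
        path = f"security nat static rule-set {self.rule_set} rule {self.rule}"
        return [
            f"delete {path} then static-nat prefix",
            f"set {path} then static-nat prefix {target}/32",
        ]

    def tick(self):
        """Run one monitoring round.

        Returns the Junos commands to apply, or [] when the mapping stays."""
        primary_up = self.probe(self.primary, self.port)
        if self.active == self.primary:
            self.fail_count = 0 if primary_up else self.fail_count + 1
            if self.fail_count < self.required_failures:
                return []
            # Primary is down; only fail over if the standby actually answers.
            if not self.probe(self.secondary, self.port):
                return []
            self.fail_count = 0
            return self._switch_to(self.secondary)
        # Currently on the secondary: fail back once the primary is stable.
        self.ok_count = self.ok_count + 1 if primary_up else 0
        if self.ok_count < self.required_successes:
            return []
        self.ok_count = 0
        return self._switch_to(self.primary)


if __name__ == "__main__":
    import time
    ctl = FailoverController("10.0.0.11", "10.0.0.12", 8080, "STATIC-NAT", "SVC-A")
    while True:
        for cmd in ctl.tick():
            print(cmd)          # hand these to the SRX, then commit
        time.sleep(10)
```

Run it from the control host with tick() on a timer; wrap the returned commands in a `commit confirmed` so a bad push rolls itself back if the control host loses the box.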
Re: [j-nsp] Whats the best way to announce an IP range in BGP? Doesn't physically exist anywhere.
On Mon, Jun 25, 2012 at 6:56 AM, Pavel Lunin plu...@senetsy.ru wrote:
>>> This is exactly what happened. The session table filled up. One of our security guys took down our edge 650 cluster from a single unix box out on the net.
>>
>> This is what happens when you use a stateful box for an internet router. A router with a covering aggregate and some knowledge of the more specific on the interior would inexpensively discard traffic bound for unreachable destinations.
>
> 1. First, sorry for writing this once again, but it's just not the case. Any more or less smart stateful device, whether SRX or anything else, must not create session states for packets falling under a discard route. And SRX does not, I checked. Filling up the session table is caused by either a bug or (rather) a design/config mistake.

I'm not sure I agree with this assessment. The SRX is very quick at disposing of invalid sessions, generally. However, it is easily susceptible to DDoS if you let it reach the session table.

Here's some quick POC code: http://pastebin.com/FjgavSwn

You can run this against some non-operational IPs, but present via, say, discard route in your config. You will see the invalid sessions rise dramatically via 'show sec flow sess sum'.

I am no expert, but you can see how quickly this could be abused by someone who was intent on disrupting your network -- and they wouldn't have to use cheap perl code to do the job.

Malicious user aside, a legitimate application trying to hit an invalid IP would give the same result. Self-made DDoS are very common in my experience. In one case, we had an updater application which would update drivers and software for our hardware. It was installed on millions of computers. One day, the service was shut down and new software was distributed with the products. Many users, however, never updated, and the software was very aggressive in calling home. Without knowing this, a /24 was pulled down to the SRX, and the updater instantly filled the session table.

Scott
Re: [j-nsp] Whats the best way to announce an IP range in BGP? Doesn't physically exist anywhere.
Generally you only want to bring traffic down to your SRX that can actually be used. There's no reason to advertise a /24 to your MX via IGP when you're only actually using a /27 -- the leftover is just going to take up sessions through random internet scans, etc.

Forcing advertisements of /32 from SRX to MX has some administrative overhead, but is generally worth it. I have a policy that matches my /24 orlonger, and inject /32 static discard routes. The only bother is remembering to inject the /32 when a new NAT address is being used.

Even so, some SRX nodes have a really low session count.
- My SRX240: 128k
- My SRX3400: 400k
- My SRX5600: 1M per PIC (3M total in my config)

The MX can be used to drop traffic to a specific IP that's causing your SRX trouble, or rate limit, etc. The MX has no problem dropping high volume traffic.

You can also configure the session timeouts to be more reasonable for applications in your environment. I think the default for TCP is 15 minutes -- maybe you don't need that.

Scott

On Sat, Jun 23, 2012 at 2:41 AM, Morgan Mclean wrx...@gmail.com wrote:
> Actually, we used mx80's as our Internet routers. What do you suppose I use to handle my firewalling, ipsec and nat?
>
> Thank you everyone, I will pop back to this thread when I change things up and have our security guy test again.
>
> Sent from my iPhone
>
> On Jun 22, 2012, at 9:39 PM, joel jaeggli joe...@bogus.com wrote:
>> On 6/22/12 9:49 AM, Morgan Mclean wrote:
>>> This is exactly what happened. The session table filled up. One of our security guys took down our edge 650 cluster from a single unix box out on the net.
>>
>> This is what happens when you use a stateful box for an internet router. A router with a covering aggregate and some knowledge of the more specific on the interior would inexpensively discard traffic bound for unreachable destinations.
>>
>>> Sent from my iPhone
>>>
>>> On Jun 22, 2012, at 4:39 AM, Scott T. Cameron routeh...@gmail.com wrote:
>>>> On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean wrx...@gmail.com wrote:
>>>>> I have a /24 I want to announce, but I don't actually have it anywhere on the network. I NAT some of its IP's on the SRX that has the BGP session with our providers. I've been using static routes with the discard flag, but I don't really like the way the SRX handles traffic. It still creates sessions for traffic destined to IP's not used anywhere (hitting the static route) and can be easily dos'd because of this. Is there a better way to just tell our providers hey, we have this range?
>>>>
>>>> It sounds like you're using the SRX as an edge router with a BGP session upstream?
>>>>
>>>> I don't have this architecture here, but I had the same problem. I had my edge router announce the /24 to the BGP upstreams, and my SRX announce the /24 via OSPF to the MX. Unfortunately, one of my IPs was hammered, and filled up the session table with invalid sessions. That was the real issue, at least in my case: even invalid sessions were taking a session, and prohibiting legitimate traffic from flowing.
>>>>
>>>> The solution was only to announce from SRX to MX (edge router) the /32s that were actually in use.
>>>>
>>>> I suppose that a firewall filter may help on your ingress ports to only permit the traffic to the /32s that are actually in use, but I can't say from experience if this will happen before a session is created, even in invalid state.
>>>>
>>>> Scott
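To make concrete what Scott describes (the MX announcing and sinking the /24, the SRX exporting only the in-use /32s), here is an added example that is not configuration from Scott's network: it generates both sides' Junos statements from the list of in-use NAT addresses and models what the MX does with a packet to any given destination, so you can see that a scan of the unused space never reaches the stateful box. The prefix 203.0.113.0/24, the addresses, the policy name and the use of OSPF as the IGP are assumptions. A discard route for a NAT address on the SRX is harmless because static and destination NAT are applied before the route lookup; the /32 only needs to exist in the table so the export policy can pick it up.

```python
"""Generate and model the "/32s only" advertisement design from this thread.

Added example for the juniper-nsp thread; not Scott's configuration.
Assumptions: 203.0.113.0/24 as the announced prefix, the in-use addresses,
the policy name EXPORT-NAT-HOSTS, and OSPF as the SRX-to-MX IGP.
"""
import ipaddress


def build_config(aggregate, in_use, policy="EXPORT-NAT-HOSTS"):
    """Return {'srx': [...], 'mx': [...]} Junos set-commands for both boxes.

    Raises ValueError if an in-use address is outside the aggregate, which
    would otherwise leave that host silently unreachable via the MX."""
    net = ipaddress.ip_network(aggregate, strict=True)
    hosts = []
    for addr in in_use:
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{ip} is not inside {net}")
        hosts.append(ip)
    # SRX: one /32 discard route per NAT address (NAT is applied before the
    # route lookup, so the discard never affects real traffic), plus an
    # export policy that only lets statics under the /24 into the IGP.
    srx = [f"set routing-options static route {ip}/32 discard" for ip in sorted(hosts)]
    srx += [
        f"set policy-options policy-statement {policy} term nat-hosts from protocol static",
        f"set policy-options policy-statement {policy} term nat-hosts from route-filter {net} orlonger",
        f"set policy-options policy-statement {policy} term nat-hosts then accept",
        f"set policy-options policy-statement {policy} term drop-rest then reject",
        f"set protocols ospf export {policy}",
    ]
    # MX: a covering discard route, so the /24 can be announced upstream and
    # anything without a more-specific host route is dropped right there.
    mx = [f"set routing-options static route {net} discard"]
    return {"srx": srx, "mx": mx}


def forwarding_decision(aggregate, in_use, dst):
    """What the MX does with a packet to dst under this design:
    'to-srx' (host route learned from the SRX), 'discard' (only the covering
    aggregate matches), or 'not-ours' (outside the prefix entirely)."""
    net = ipaddress.ip_network(aggregate, strict=True)
    ip = ipaddress.ip_address(dst)
    if ip not in net:
        return "not-ours"
    if ip in {ipaddress.ip_address(a) for a in in_use}:
        return "to-srx"
    return "discard"


def session_exposure(aggregate, in_use):
    """Fraction of the prefix a scan can still open SRX sessions against.
    Exporting the whole /24 would make this 1.0; here only in-use hosts count."""
    net = ipaddress.ip_network(aggregate, strict=True)
    return len(set(in_use)) / net.num_addresses


if __name__ == "__main__":
    # Constructed inputs for the example.
    cfg = build_config("203.0.113.0/24", ["203.0.113.5", "203.0.113.18"])
    for side in ("mx", "srx"):
        print(f"# {side}")
        print("\n".join(cfg[side]))
    for dst in ("203.0.113.5", "203.0.113.77", "198.51.100.1"):
        print(dst, "->", forwarding_decision("203.0.113.0/24", ["203.0.113.5", "203.0.113.18"], dst))
```

The only operational burden, as Scott notes, is adding the /32 whenever a new NAT address goes into use; build_config's ValueError is the check that catches a typo that would put the new address outside the announced block.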
Re: [j-nsp] Whats the best way to announce an IP range in BGP? Doesn't physically exist anywhere.
On Wed, Jun 20, 2012 at 10:14 PM, Morgan McLean wrx...@gmail.com wrote:
> I have a /24 I want to announce, but I don't actually have it anywhere on the network. I NAT some of its IP's on the SRX that has the BGP session with our providers. I've been using static routes with the discard flag, but I don't really like the way the SRX handles traffic. It still creates sessions for traffic destined to IP's not used anywhere (hitting the static route) and can be easily dos'd because of this. Is there a better way to just tell our providers hey, we have this range?

It sounds like you're using the SRX as an edge router with a BGP session upstream?

I don't have this architecture here, but I had the same problem. I had my edge router announce the /24 to the BGP upstreams, and my SRX announce the /24 via OSPF to the MX. Unfortunately, one of my IPs was hammered, and filled up the session table with invalid sessions. That was the real issue, at least in my case: even invalid sessions were taking a session, and prohibiting legitimate traffic from flowing.

The solution was only to announce from SRX to MX (edge router) the /32s that were actually in use.

I suppose that a firewall filter may help on your ingress ports to only permit the traffic to the /32s that are actually in use, but I can't say from experience if this will happen before a session is created, even in invalid state.

Scott
Re: [j-nsp] Problem Routing process doesn't work on SRX cluster
rpd is disabled on the backup node in a chassis cluster. You can set some routes through fxp0 using the groups node0/node1, but it has to be truly OOB.

Scott

On Tue, Jun 19, 2012 at 8:21 AM, Roland Droual roland.dro...@paris.iufm.fr wrote:
> Hello the list,
>
> I solved most of the problems with pinging from my SRX cluster. But now, I have a new problem, because I did a lot of changes: I don't have a routing process on the cluster of site B.
>
> toto@BA-SRX650-01# show chassis cluster
> reth-count 6;
> redundancy-group 0 {
>     node 0 priority 100;
>     node 1 priority 1;
> }
> redundancy-group 1 {
>     node 0 priority 100;
>     node 1 priority 1;
>     interface-monitor {
>         ge-6/0/19 weight 255;
>         ge-6/0/20 weight 255;
>         ge-6/0/21 weight 255;
>         ge-6/0/22 weight 255;
>         ge-6/0/23 weight 255;
>         ge-15/0/19 weight 255;
>         ge-15/0/20 weight 255;
>         ge-15/0/21 weight 255;
>         ge-15/0/22 weight 255;
>         ge-15/0/23 weight 255;
>         ge-6/0/18 weight 255;
>         ge-15/0/18 weight 255;
>     }
> }
>
> toto@BA-SRX650-01# run show chassis cluster status
> Cluster ID: 1
> Node   Priority   Status      Preempt   Manual failover
>
> Redundancy group: 0 , Failover count: 0
> node0  100        secondary   no        no
> node1  1          primary     no        no
>
> Redundancy group: 1 , Failover count: 0
> node0  0          secondary   no        no
> node1  0          primary     no        no
>
> toto@BA-SRX650-01> show route all
> error: the routing subsystem is not running
>
> toto@BA-SRX650-01> restart routing
> error: Routing protocols process is not running
> error: Routing protocols process was not restarted
>
> artere@BA-SRX650-01# run show chassis alarms
> node0:
> --
> 1 alarms currently active
> Alarm time               Class  Description
> 2012-06-19 19:51:11 UTC  Major  PEM 0 Output Failure
>
> node1:
> --
> 1 alarms currently active
> Alarm time               Class  Description
> 2012-06-19 20:07:36 UTC  Major  PEM 0 Output Failure
>
> I don't know where I can find the solution. How can I solve the problem of the routing process not working?
>
> Thanks
> Roland
Re: [j-nsp] SNMP OID for sessions number
SRX240 (non-cluster):
  Current flows: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6
  Max flows:     .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.7

On my SRX3400 cluster:
  Current: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6
  Max:     .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.7

SRX5600 cluster:
  Current: .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.8
  Max:     .1.3.6.1.4.1.2636.3.39.1.12.1.1.1.9

On Tue, Apr 3, 2012 at 8:43 AM, Alexander Shikoff minot...@crete.org.ua wrote:
> Hello List,
>
> what is the right SNMP oid/MIB variable for monitoring of sessions number on J/SRX box?
>
> minotaur@BACKUP# run show security flow session summary
> node0:
> --
> Unicast-sessions: 253200
> Multicast-sessions: 0
> Failed-sessions: 382648369
> Sessions-in-use: 261820
> Valid sessions: 252169
> Pending sessions: 0
> Invalidated sessions: 8611
> Sessions in other states: 0
> Maximum-sessions: 262144
>
> node1:
> --
> Unicast-sessions: 26153
> Multicast-sessions: 0
> Failed-sessions: 60631844
> Sessions-in-use: 39200
> Valid sessions: 28975
> Pending sessions: 0
> Invalidated sessions: 12233
> Sessions in other states: 0
> Maximum-sessions: 262144
>
> I want to get all these numbers via SNMP.
>
> Thanks in advance!
>
> --
> MINO-RIPE
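Scott's OIDs give you the raw counters; what you actually want from them is a per-node utilization and an alarm before the table fills, since the other threads on this list show what happens when it does. Below is an added example, not code from either poster, that parses the CLI output Alexander pasted (the same figures the OIDs return) and scores each node. Note that on his node0, Sessions-in-use is 261820 against a Maximum-sessions of 262144, so that node is effectively full already, while node1 is nearly empty but has about a third of its sessions in the invalidated state. The thresholds, and the reading of Sessions-in-use as the figure bounded by Maximum-sessions, are the example's own assumptions.

```python
"""Parse 'show security flow session summary' and flag session-table
exhaustion on an SRX (cluster or single node).

Added example for the juniper-nsp thread; not code from the list. SAMPLE is
the output Alexander posted. Thresholds and the assumption that
'Sessions-in-use' is the count bounded by 'Maximum-sessions' are ours.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
minotaur@BACKUP# run show security flow session summary
node0:
--
Unicast-sessions: 253200
Multicast-sessions: 0
Failed-sessions: 382648369
Sessions-in-use: 261820
Valid sessions: 252169
Pending sessions: 0
Invalidated sessions: 8611
Sessions in other states: 0
Maximum-sessions: 262144
node1:
--
Unicast-sessions: 26153
Multicast-sessions: 0
Failed-sessions: 60631844
Sessions-in-use: 39200
Valid sessions: 28975
Pending sessions: 0
Invalidated sessions: 12233
Sessions in other states: 0
Maximum-sessions: 262144
"""

NODE_RE = re.compile(r"^(node\d+):$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*[A-Za-z]):\s*(\d+)$")


@dataclass
class Finding:
    node: str
    level: str
    utilization: float
    invalidated_share: float


def parse_session_summary(text):
    """Return {node: {field: int}}; a non-cluster box gets the key 'local'."""
    nodes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            nodes[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            if current is None:            # no 'nodeN:' header: standalone SRX
                current = "local"
                nodes[current] = {}
            nodes[current][m.group(1)] = int(m.group(2))
    return nodes


def utilization(stats):
    """Fraction of the session table occupied on one node."""
    return stats["Sessions-in-use"] / stats["Maximum-sessions"]


def check_nodes(nodes, warn=0.80, crit=0.95, invalid_warn=0.25):
    """One Finding per node. A large invalidated share is reported even at
    low utilization: it usually means traffic is arriving for addresses that
    nothing answers on, which is how the table gets filled from outside."""
    findings = []
    for name, stats in sorted(nodes.items()):
        util = utilization(stats)
        in_use = max(stats["Sessions-in-use"], 1)
        invalid = stats.get("Invalidated sessions", 0) / in_use
        if util >= crit:
            level = "CRIT"
        elif util >= warn or invalid >= invalid_warn:
            level = "WARN"
        else:
            level = "OK"
        findings.append(Finding(name, level, util, invalid))
    return findings


if __name__ == "__main__":
    for f in check_nodes(parse_session_summary(SAMPLE)):
        print(f"{f.node}: {f.level} util={f.utilization:.1%} "
              f"invalidated={f.invalidated_share:.1%}")
```

The same arithmetic applies to the SNMP pair Scott lists (current over max); the CLI parser is only there so the logic can be exercised on the pasted output.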
Re: [j-nsp] How to create a policy in SSG140
Check out the set policy command.

On Mon, Oct 3, 2011 at 10:26 PM, MSusiva ssiva1...@gmail.com wrote:
> Hi Experts,
>
> I have a SSG140. Two things I need to do:
> 1. Policy to allow few websites
> 2. Policy to block websites
>
> Can someone please help me on this.
>
> Thanks in Advance!
>
> --
> Thanks,
> SiVa
Re: [j-nsp] MX RE how fast is slow
What you're saying isn't too clear by "churn through that job". Do you mean when your upstream routing sessions are coming up, it takes 15 minutes to process all the routes? Do you mean commit?

Scott

On Thu, Sep 8, 2011 at 7:41 AM, Mike Williams mike.willi...@comodo.com wrote:
> Hi all,
>
> Recently a discussion touched on the routing engine speed of the MX series, but there wasn't much like a real world comparison. So my question is, how slow is the RE on an MX80 compared to its bigger brethren?
>
> I ask because we find the MX80 slow, really slow. As we've got 2 distinctly different traffic types, and 2 distinctly different upstreams (1Gbps and 10Gbps), we're using a rib group and policy to populate 2 additional ribs with different local preferences applied to the learnt routes. Filters direct packets to the right table. It'll take the RE a good 10-15 minutes to churn through that job, and that's a bit annoying when you make a small change to an unrelated policy!
>
> Now, is that us being stupid, or the RE being slow? I know what I'd like to hear :)
>
> Cheers
> --
> Mike Williams
Re: [j-nsp] IRB Interface Question
IRB is like RVI on Cisco. It's a logical interface, and doesn't have a physical (bandwidth) limitation.

I don't use NMS so can't speak on what you're seeing. But I have 2x 1Gbps interfaces in LACP (ae1) bound to an IRB 1x 10Gb. show int irb ext shows only 1000 Mbps, but I think that's just a placeholder instead of having different show interface output.

Scott

On Tue, Sep 6, 2011 at 7:59 PM, Paul Stewart p...@paulstewart.org wrote:
> Hi there...
>
> Been searching for an answer on this - can't find it.
>
> On an MX box we have an IRB interface that is physically made up of 4X1GE interfaces. I noticed our NMS platform reports the IRB interface itself as 1000mbps and also the CLI reports the same:
>
> Logical interface irb.911 (Index 97) (SNMP ifIndex 384)
>   Description: x
>   Flags: SNMP-Traps 0x4004000 Encapsulation: ENET2
>   Bandwidth: 1000mbps
>   Routing Instance: xx Bridging Domain: xxx
>
> I presume that the IRB has no actual bandwidth limitation and that the only limitation is the physical interfaces? Can I set the bandwidth manually or is this because the IRB has no real way to know what the bandwidth behind it is possible of doing?
>
> Thanks,
> Paul
Re: [j-nsp] SRX Experiences - Was: JUNOS 10.4S6 for EX8200 - PR/676826
I have 2x chassis cluster with SRX3400s.

ALGs will destroy your soul. Avoid at all costs.

Chassis cluster upgrades are needlessly painful (imo).

Session counts can become exhausted very easily and lead to a very quick and dreadful DOS.

Most of my early adopter issues have disappeared with updates over time and the software is quite stable for me in the past 6 months.

Scott

On Thu, Sep 1, 2011 at 4:59 PM, Brent Jones br...@servuhome.net wrote:
> I run multiple SRXs at several sites doing firewalling, routing, VPNs. Have everything from SRX100s, to SRX 1400s, branch units run 10.4R6 I believe, and SRX1400s running 11.1R3 (will double check later).
>
> Have had minor issues, mainly with VPNs to other vendor devices like Cisco ASAs. You have to be mindful if you need policy based VPN or route based VPNs to work with other vendors.
>
> I'd be curious to hear what problems other people have, for something to look out for, but otherwise the SRXs have worked as well as most anything else on the market. I would know, I've gone through the whole lifecycle of Cisco PIX, into ASAs, Sonicwall, Fortigate, etc, and I would say SRXs have worked better than most, especially considering they are a young product line.
>
> --
> Brent Jones
> br...@servuhome.net
Re: [j-nsp] Multihome SRX650 2 default routes
No, that's really not the case. As long as you have the two external interfaces in the same security zone, it will not drop traffic simply because BGP is sending traffic in different directions.

Scott

On Fri, Aug 26, 2011 at 10:44 AM, Ben Boyd b...@sinatranetwork.com wrote:
> If you install both routes in the forwarding table you'll probably end up dropping a lot of your traffic. The SRX is a stateful firewall, so if you sent traffic to one provider and got it back on another it would drop the traffic. It would be best to do this in a router or to load balance per prefix with AS path prepending going out and local pref coming in.
>
> Anyway, here's how you would do it, but be careful.
>
> root# show policy-statement TestLBOut
> then {
>     load-balance per-packet;
> }
>
> root# show routing-options
> forwarding-table {
>     export TestLBOut;
> }
>
> Thanks,
> Ben Boyd
>
> --
> Sent from my iPhone
>
> On Aug 25, 2011, at 11:09, Daniel M Daloia Jr daniel.dal...@yahoo.com wrote:
>> Hi Folks,
>>
>> Is it possible to install 2 BGP default routes from 2 ISPs to provide load balancing with an SRX650 cluster? Both ISPs are same speed. I was thinking this may be possible with importing the routes into inet.0 from separate virtual routers which have the interfaces facing the 2 ISPs in them, but the ISP interfaces would have to be in separate security zones which wouldn't agree with the security policy and NAT.
>>
>> Anyone have any ideas or can point me to some documentation that will help? I suppose I can buy a separate set of routers to run BGP and use an IGP to load balance, but doing it with the single cluster would be nice.
>>
>> Thanks!
Re: [j-nsp] Juniper SRX Operating Temperature Question
I have an SRX240-POE in the basement of my house, in the GTA. As you are no doubt aware, it is ridiculously hot here this summer.

The current temperature of the unit is 39C/102F. The fans are blowing at normal according to show chassis environment. I'm running 10.4r4 on this box. In old releases, say 10.3 and earlier, the fans used to run at high frequently, in the same environment.

The box does not show any issues and seems to operate just fine.

Scott

On Wed, Jul 20, 2011 at 6:29 AM, Paul Stewart p...@paulstewart.org wrote:
> Hi folks...
>
> According to the datasheets on SRX210 equipment (for example), the operating temperature is 32-104F - we are looking at an application for them that would see high temperatures peaking at 104F, sometimes a bit hotter.
>
> Anyone have any experiences with running small SRX equipment in very hot environments?
>
> Thanks,
> Paul
Re: [j-nsp] SRX destination-nat ping
Thought I would bump this back up.

Anyone have any success in getting a destination-nat on SRX respond to ICMP? Any tricks to loopback to 127.0.0.1 or anything else? Don't really care how, just would like it as an option.

Scott

On Wed, May 11, 2011 at 10:45 AM, Scott T. Cameron routeh...@gmail.com wrote:
> Hello,
>
> Is there a way of forwarding pings destined for a destination-nat address to loopback, or, otherwise respond to them?
>
> Thanks,
> Scott
Re: [j-nsp] SRX destination-nat ping
>> Anyone have any success in getting a destination-nat on SRX respond to ICMP? Any tricks to loopback to 127.0.0.1 or anything else? Don't really care how, just would like it as an option.
>>
>> Scott
>
> Hey Scott,
>
> Can you describe the setup in more detail? Usually NAT is designed to translate traffic for hosts that are behind the firewall, so the host should usually be the one to respond to ICMP. Are you talking about doing destination-NAT to an address located on the SRX itself?

With SRX static-nat, all traffic (all protocols) is forwarded to a specific IP.

With SRX destination-nat, a specific protocol (tcp/udp, presumably) is forwarded to a specific IP [and optionally port].

There does not appear to be an option in destination-nat to send ICMP to an IP, so that it responds to, for example, ping.

Scott
Re: [j-nsp] SRX destination-nat ping
On Mon, Jul 11, 2011 at 6:46 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote:
> On 7/11/2011 6:31 PM, Scott T. Cameron wrote:
>
> Unless you are doing port translation, simply matching on destination-address in your match statement and then specifying the translated address in your then statement should do the trick. You may need to enable proxy-arp in your environment if the ingress IP (pre-translated) is a different address than the interface IP, but other than that you shouldn't need to do anything fancy to enable ping traffic to flow through...
>
> Sorry I don't have access to a device at the moment to give you a working config... can we see your configs in the meantime?

Thanks, this actually does work, and I am a bit surprised. It's very counter-intuitive, but thank you nonetheless!

Scott
[j-nsp] SRX stream security log
I'm trying to enable security logging via 'mode stream'. However, it does not appear to work. Upon commit, this is sent on syslog:

RT_FLOW[1223]: UI_CONFIGURATION_ERROR: Process: rtlogd, path: [edit security log], statement: stream splunk, Stream has no meaning when system-event-mode is on

My config appears to be rudimentary:

scameron@sdc01fw01b# show security log
mode stream;
source-address 172.30.244.1;
stream splunk {
    severity info;
    format syslog;
    category all;
    host {
        172.30.249.101;
        port 514;
    }
}

If I switch from mode stream to event, my policy logging works fine.

Anyone encountered this?

Scott
[j-nsp] SRX destination-nat ping
Hello,

Is there a way of forwarding pings destined for a destination-nat address to loopback, or, otherwise respond to them?

Thanks,
Scott
Re: [j-nsp] Changing SSH port on EX switches, M routers
You should probably think about doing IP-based filtering on your management networks. It's going to guarantee a drop in random port scans/login attempts vs obfuscating the listen port of ssh.

Scott

On Sat, Apr 2, 2011 at 11:13 AM, Jesus Alvarez jalva...@prw.net wrote:
> No, I've been asking for this feature. :)
>
> Thanks for your answer.
>
> It should be trivial to implement a configurable SSH port in the Junos firmware and this would help in securing the router. Practically all scanners attempt SSH logins when port 22 is available but very few check all available ports. It is surprising that Juniper does not provide a way to change the SSH port.
Re: [j-nsp] JUNOS and MS RPC
I've got two sets of SRX3400 clusters, and the ALGs should come with: caveat emptor. Nice on paper and very similar to Linux conntrack modules, but in reality the rule of thumb is it's better to have them disabled.

In the case of Microsoft, their technical papers will say your firewall should allow 1024-65535 open. In my datacenters, the only place where I find this to be necessary is to domain controllers. Most other MS software can happily run off a specific TCP port. YMMV.

Scott

On Sat, Apr 2, 2011 at 4:33 PM, Glenn Krutsinger gkrutsin...@compassion.com wrote:
> Hello all,
>
> Is anyone running MS products through SRX firewalls? How are you getting RPC to work? According to engineering, the ScreenOS ms-rpc-any isn't included in JUNOS, although, I do see the ALG catching the info based off of endpoint mapper sessions. Add to that the fact that MS changed their port range for RPC with Server 2008 has given me some real fun conversations with our server team.
>
> Thanks,
> Glenn
Re: [j-nsp] Juniper SRX
Free for all on all Juniper related topics. RAS may overwhelm you with intimate knowledge of the devices, don't be frightened :)

On Sat, Mar 5, 2011 at 7:06 AM, Walaa Abdel razzak wala...@bmc.com.sa wrote:
> Hi Experts
>
> Is there any mailing list like this related to SRX topics or we can post on this as well?
Re: [j-nsp] SRX650 Clustering Issue
I don't think this is enough information to really help you. What does chassisd log say? Can you provide a sanitized config?

Scott

On Sat, Mar 5, 2011 at 8:24 AM, Walaa Abdel razzak wala...@bmc.com.sa wrote:
> Hi All
>
> We were connecting two SRX650 to work in Active/passive mode. Before they were having old configuration and once we enabled clustering and rebooted the boxes, they became in hold mode and we get a message of shared violations even after reboot again and no user logged in, any suggestions?
>
> BR,
Re: [j-nsp] SRX Static NAT
You should only need proxy-arp if your particular routing scenario requires it. If all the IPs that you are answering for are routed to you, then there's no need for proxy-arp.

However, you'll still require 2 lines per static nat. One for the match, and one for the action.

Scott

On Wed, Mar 2, 2011 at 7:05 PM, Bill Blackford bblackf...@gmail.com wrote:
> I am looking for a more efficient method to define/map several scattered/non-contiguous static NATS. I can use pools to map ranges for end user blocks, but this need is for publishing services (servers) globally on a one by one basis.
>
> ex., using the following method, I would need to make a separate rule and a proxy-arp address for each one-to-one snat.
>
> <snip>
> static {
>     rule-set SNAT1 {
>         from interface ge-0/0/0.0;
>         rule SNAT-TEST0 {
>             match {
>                 destination-address 66.x.y.6/32;
>             }
>             then {
>                 static-nat prefix 192.168.1.65/32;
>             }
>         }
>         rule SNAT-TEST1 {
>             match {
>                 destination-address 66.x.y.18/32;
>             }
>             then {
>                 static-nat prefix 192.168.13.67/32;
>             }
>         }
>     }
> }
> proxy-arp {
>     interface ge-0/0/0.0 {
>         address {
>             66.x.y.6/32;
>             66.x.y.18/32;
>         }
>     }
> }
> </snip>
>
> I remember doing a single line in screenos unless my recollection is off. On the Cisco ASA/PIX, it's a single line 'static (inside,outside)' statement. Is there an equivalently efficient method on the SRX?
>
> Thank you in advance for any input.
>
> -b
>
> --
> Bill Blackford
> Network Engineer
>
> Logged into reality and abusing my sudo privileges.
Re: [j-nsp] SRX Static NAT
I've got two srx3400 clusters that disagree with you about proxy-arp. :) Scott On Wed, Mar 2, 2011 at 7:50 PM, Daniel M Daloia Jr daniel.dal...@yahoo.comwrote: Almost positive that proxy-arp is required for NAT on the SRX series if the destination addresses is not assigned to the interface. Not in front of my gear now, but can lab it out tomorrow. As for the static NAT, two lines is necessary. -Dan - Original Message - From:Scott T. Cameron routeh...@gmail.com To:juniper-nsp@puck.nether.net Cc: Sent:Wednesday, March 2, 2011 7:12 PM Subject:Re: [j-nsp] SRX Static NAT You should only need proxy-arp if your particular routing scenario requires it. If all the IPs that you are answering for are routed to you, then there's no need for proxy-arp. However, you'll still require 2 lines per static nat. One for the match, and one for the action. Scott On Wed, Mar 2, 2011 at 7:05 PM, Bill Blackford bblackf...@gmail.com wrote: I am looking for a more efficient method to define/map several scattered/non-contiguous static NATS. I can use pools to map ranges for end user blocks, but this need is for publishing services (servers) globally on a one by one basis. ex., using the following method, I would need to make a separate rule and a proxy-arp address for each one-to-one snat. snip static { rule-set SNAT1 { from interface ge-0/0/0.0; rule SNAT-TEST0 { match { destination-address 66.x.y.6/32; } then { static-nat prefix 192.168.1.65/32; } } rule SNAT-TEST1 { match { destination-address 66.x.y.18/32; } then { static-nat prefix 192.168.13.67/32; } } } } proxy-arp { interface ge-0/0/0.0 { address { 66.x.y.6/32; 66.x.y.18/32; } } } /snip I remember doing a single line in screenos unless my recollection is off. On the Cisco ASA/PIX, it's a single line 'static (inside,outside) ' statement. Is there an equivalently efficient method on the SRX? Thank you in advance for any input. -b -- Bill Blackford Network Engineer Logged into reality and abusing my sudo privileges. 
___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
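Since the thread settles on "two statements per rule, proxy-arp only when the address is not routed to you", the practical answer to Bill's question is to generate the rules from a table. The script below is an added example written for this thread, not code from any poster or from Juniper; the rule-set name, rule-name prefix, interface and all addresses are constructed placeholders.

```python
"""Generate Junos SRX one-to-one static NAT configuration from a mapping table.

Added example for this thread, not code from any poster or from Juniper. It
emits the two statements per rule (match + then) that the thread says are
unavoidable, and adds a proxy-arp address only when asked for, which is the
distinction drawn above: proxy-arp is only needed when the public address is
not routed to the SRX. Rule-set name, rule-name prefix, interface and all
addresses below are constructed placeholders.
"""
import ipaddress


def static_nat_config(mappings, rule_set="SNAT1", interface="ge-0/0/0.0",
                      proxy_arp=True, name_prefix="SNAT"):
    """Return Junos 'set' statements for one-to-one static NAT.

    mappings:   iterable of (public_ip, private_ip) strings; each pair becomes
                its own rule because a static-nat prefix maps one prefix per rule.
    proxy_arp:  also emit a proxy-arp entry per public address. Leave it True
                when the public addresses sit on the interface's subnet and the
                upstream router will ARP for them; set it False when they are
                routed to the SRX, where proxy-arp entries are dead weight.
    """
    cmds = [f"set security nat static rule-set {rule_set} from interface {interface}"]
    publics = []            # ordered, so the output is stable and diffable
    for idx, (public, private) in enumerate(mappings):
        pub = ipaddress.ip_address(public)      # raises ValueError on garbage
        priv = ipaddress.ip_address(private)
        if pub in publics:
            # two rules matching the same destination would shadow each other
            raise ValueError(f"duplicate static NAT for {pub}")
        publics.append(pub)
        base = f"set security nat static rule-set {rule_set} rule {name_prefix}-{idx}"
        # host routes: /32 for IPv4, /128 for IPv6
        cmds.append(f"{base} match destination-address {pub}/{pub.max_prefixlen}")
        cmds.append(f"{base} then static-nat prefix {priv}/{priv.max_prefixlen}")
    if proxy_arp:
        for pub in publics:
            cmds.append(f"set security nat proxy-arp interface {interface} "
                        f"address {pub}/{pub.max_prefixlen}")
    return cmds


if __name__ == "__main__":
    # constructed sample: two public addresses published to two internal hosts
    sample = [("203.0.113.6", "192.168.1.65"), ("203.0.113.18", "192.168.13.67")]
    print("\n".join(static_nat_config(sample)))
```

Paste the output into configure mode, or diff it against the running set-format config to catch stale rules when a server is retired.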
Re: [j-nsp] Debug vmcore files
You could use gdb. But the likelihood of any success without source code is slim. You're better off sending them to JTAC.

On Tue, Mar 1, 2011 at 6:36 AM, meryem Z merye...@hotmail.com wrote:

Hello community,

Is there any tool to debug vmcore files generated on an M-series Juniper router?

Thanks.
Re: [j-nsp] Debug vmcore files
Here's an example below. You'll either need to use gdb on the box itself, or get/xcompile a powerpc-freebsd gdb. Again, without source, you're not going to get far.

% tar zvxf /var/tmp/chassisd.core-tarball.4.tgz
chassisd.core.4.gz
juniper.conf.gz
messages
chassisd.info.4
juniper.conf.1.gz
% gzip -d chassisd.core.4.gz
% gdb /usr/sbin/chassisd chassisd.core.4
GNU gdb 6.5 [juniper_2006a_411]
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "powerpc-specifix.com-freebsd"...(no debugging symbols found)
Reading symbols from /usr/lib/libddl-access.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libddl-access.so.1
Reading symbols from /usr/lib/libjipc.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libjipc.so.1
Reading symbols from /usr/lib/libberkeley-db.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libberkeley-db.so.4
Reading symbols from /usr/lib/libthr.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libthr.so.2
Reading symbols from /usr/lib/libisc.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libisc.so.2
Reading symbols from /usr/lib/libkvm.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libkvm.so.3
Reading symbols from /usr/lib/libfasic.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libfasic.so.1
Reading symbols from /usr/lib/libhsl2.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libhsl2.so.1
Reading symbols from /usr/lib/libcmb.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcmb.so.1
Reading symbols from /usr/lib/libcnh.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcnh.so.1
Reading symbols from /usr/lib/libjpci.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libjpci.so.1
Reading symbols from /usr/lib/libm.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libm.so.4
Reading symbols from /usr/lib/libfabric2.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libfabric2.so.1
Reading symbols from /usr/lib/libfabric1.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libfabric1.so.1
Reading symbols from /usr/lib/libprovider.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libprovider.so.1
Reading symbols from /usr/lib/libiic.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libiic.so.1
Reading symbols from /usr/lib/libcam.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcam.so.3
Reading symbols from /usr/lib/libsbuf.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libsbuf.so.3
Reading symbols from /usr/lib/libutil.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libutil.so.5
Reading symbols from /usr/lib/libgcc.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgcc.so.1
Reading symbols from /usr/lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libc.so.6
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/libexec/ld-elf.so.1
Core was generated by `chassisd'.
Program terminated with signal 6, Aborted.
#0  0x42683428 in kill () from /usr/lib/libc.so.6
[New Thread 0x2057000 (LWP 100110)]
(gdb) bt
#0  0x42683428 in kill () from /usr/lib/libc.so.6
#1  0x421d8a30 in raise () from /usr/lib/libthr.so.2
#2  0x42681e88 in abort () from /usr/lib/libc.so.6
#3  0x01c00c64 in vlogging_event ()
#4  0x01c00af4 in vlogging ()
#5  0x01c00ce4 in logging ()
#6  0x01ab9670 in pic_clean_init ()
#7  0x01a16308 in mcontrol_check_backup_active ()
#8  0x01a16e20 in msm_exec ()
#9  0x01a17b2c in mcontrol_init ()
#10 0x019365e4 in ch_init ()
#11 0x01938640 in ch_a2_fru_map_set_context ()
#12 0x01ab3620 in allocadupx ()
#13 0x01ab44bc in main ()
(gdb) x 0x01a16308
0x1a16308 <mcontrol_check_backup_active+364>:   0x3d200201

On Tue, Mar 1, 2011 at 7:29 AM, meryem Z merye...@hotmail.com wrote:

You mean kgdb, I guess. This tool is available on Juniper routers in /var/bin. I'm wondering if anyone has tested it before?

Thank you.

From: routeh...@gmail.com
Date: Tue, 1 Mar 2011 07:21:58 -0500
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Debug vmcore files

You could use gdb. But the likelihood of any success without source code is slim. You're better off sending them to JTAC.

On Tue, Mar 1, 2011 at 6:36 AM, meryem Z merye...@hotmail.com wrote:

Hello community,

Is there any tool to debug vmcore files generated on an m-series juniper
Re: [j-nsp] Chassis Cluster - Strange behavior
You disconnected the cables but didn't delete the chassis cluster config, is that right? Delete the chassis cluster.

Scott

On Fri, Sep 17, 2010 at 11:04 AM, Fahad Khan fahad.k...@gmail.com wrote:

Hi Folks,

I have been running SRX3600 in chassis cluster. At the moment, I have disconnected the control link and fabric link and the secondary device is isolated from the network. But on the primary device, the cluster configs are still there. The network is working fine with the primary device, but when I see chassis cluster status, I find this:

SRX3600-A> show chassis cluster status
Cluster ID: 1
Node                  Priority  Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   254   primary   no       no
    node1                   0     lost      n/a      n/a

Redundancy group: 1 , Failover count: 1
    node0                   0     primary   yes      no
    node1                   0     lost      n/a      n/a

Why am I getting node0 priority as 0 for redundancy group 1, while it has been set to 254??? Has anybody experienced this?

thanks and regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan
Re: [j-nsp] Stable Junos
On Tue, Aug 31, 2010 at 1:55 PM, Mark Tinka mti...@globaltransit.net wrote:

On Wednesday, September 01, 2010 12:06:26 am Richard A Steenbergen wrote:

... but we're gonna be forced into 10.2+ for MX to get full Trio support soon anyways, so there isn't much benefit to hanging around 10.0 even if it was stable.

Same reason we're going to 10.2 - MX80 support as well as some new NG-MVPN stuff.

I wish 10.5 were coming out tomorrow, but for now, 10.2R2.11 has been behaving with the little we're doing. I'm tired of chasing JUNOS for the past 2 years, so I wouldn't mind continuing with 10.2R2.11 until 10.5R4 or 10.6R4 comes out (and works). Of course, that's hoping we don't run into anything major with 10.2R2.11 :-\.

On my SRX3400 boxes, I've got 10.2R2 humming along without issue for the past couple of weeks. Of course, I was cornered into this upgrade after a crash-failover-turned-ALG-blocking-DNS event to save my V6 support.

I'm about to flip the switch live on a pair of MX240s running 10.1R3. They run great with only traffic coming in on fxp0...

Scott
[j-nsp] SRX3400: DNS ALG on 10.2R1
Hello,

I just had a very unusual production outage. All traffic was flowing through the SRX3400 (in chassis cluster mode) no problem. Suddenly, DNS started to fail. It was not passing through the firewall at all -- all other traffic was.

The resolution was to disable the DNS ALG. Nothing interesting in the flow log.

Anyone seen this? Tips? Tricks? ALGs are evil?

Scott
Re: [j-nsp] SRX for access/core routing/MPLS duties?
BGP is slow. Painfully so. I have 2x SRX3400 in a chassis cluster config getting 2 full BGP tables. I would say it takes at least 5 minutes for the BGP updates to complete and for the device to be usable.

IPv6 support will be in 10.2 for SRX3400 and higher. 10.2R1 exists today but has a number of interesting bugs.

I wouldn't really recommend this device as a router. I just purchased some MX240s to take over the routing role from my SRX3400s.

Scott

On Wed, Jul 28, 2010 at 10:05 AM, TCIS List Acct lista...@tulsaconnect.com wrote:

I've been reading past threads on the SRX line with interest. It seems this box can do many of the things we are looking for (at a low price point), which include:

- MPLS
- IPv4 routing (OSPF, BGP)
- Runs JunOS
- Could be used at the access layer
- Future IPv6 support
- If required, could be used as an edge device holding a full IPv4 table (at least, the SRX650 and above)

Can anyone comment on experiences with these devices, such as:

- Wire rate? yea/nay?
- Anyone ever tried to use one as an edge router w/a full BGP feed?
- MPLS -- mainly EoMPLS type stuff, esp. at the access layer
- Stability (we understand that this is highly specific to the JunOS release)

TIA.

--Mike
Re: [j-nsp] SRX3400/3600 Stable Code Recommendations?
Datacenter 1:
SRX3400 chassis cluster config
10.2R1
/config/juniper.conf.gz = 11811 bytes
2 BGP sessions
= Runs no problem.

Datacenter 2:
SRX3400 chassis cluster config
10.2R1
/config/juniper.conf.gz = 18251 bytes
1 BGP session
= DISASTER

JTAC was very slow in trying to help with the disaster. Basically, the firewall would crash several times per day, and I gave up before JTAC even asked for something beyond request support information.

Datacenter 2 is back running 10.0R3 with no problems. It lacks V6, but is quite stable.

Moral of this story: YMMV. And don't expect a quick, or even helpful, response from JTAC.

Scott

On Sat, Jul 24, 2010 at 9:28 AM, Clarke Morledge chm...@wm.edu wrote:

There have been a number of views expressed recently on the list regarding the SRX and Junos code bugginess and instability. I am wondering if a lot of the issues are related to specific platforms. Specifically, I am curious to know about the reliability of some of the smaller data center models, namely the 3400 and 3600.

Are there any stable code recommendations to make regarding these data center platforms? Are there any particularly noteworthy code revs that one should stay away from?

I tested the 3400 with flavors of 10.0 for an evaluation recently and it performed pretty well, but I did not bang on it as much as I wanted.

I find it interesting to say the least that Juniper officially does not recommend (or even make available for the lower end) the latest 10.2R1 for any of their SRX products, including the higher end models. And it has been two months now and no maintenance release.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
Re: [j-nsp] SRX3400/3600 Stable Code Recommendations?
Sure. SRX3xxx and higher do not support IPv6 until 10.2. Older code has no v6 capability.

Scott

On Sat, Jul 24, 2010 at 5:00 PM, Mike Williams mike.willi...@comodo.com wrote:

On Saturday 24 July 2010 15:26:29 Scott T. Cameron wrote:

Datacenter 2 is back running 10.0R3 with no problems. It lacks V6, but is quite stable.

Hi, could you possibly expand on "lacks V6" please? We're looking at deploying some SRX3600s, and IPv6 is something we really want to do.

Thanks
--
Mike Williams
Senior Systems Administrator
Re: [j-nsp] SRX3400/3600 Stable Code Recommendations?
Only on the low end models; 3400 and higher has no support.

Scott

On Sat, Jul 24, 2010 at 5:19 PM, Mark Kamichoff p...@prolixium.com wrote:

On Sat, Jul 24, 2010 at 10:00:36PM +0100, Mike Williams wrote:

Hi, could you possibly expand on "lacks V6" please?

The one big change in 10.2 for the SRX platforms is the addition of IPv6 flow mode. The SRXes will still pass IPv6 traffic in earlier releases, but without any policy evaluation.

- Mark
--
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
Re: [j-nsp] Templates for logging from EX series
I'd recommend you not rely on Juniper to do this but instead do it yourself. If you output the entire contents of syslog to a syslog-ng server, you can do all of the intelligent filtering you need on the server end.

Personally, I'd rather Juniper focus on fixing bugs for my SRX. :)

Scott

On Wed, Jun 23, 2010 at 1:12 PM, sth...@nethelp.no wrote:

2) I disagree with a huge number of the default priorities for a lot of events. For example, an IGP DOWN event is a priority 5 / notice, while an IGP UP is a priority 6 / info. If you actually want to match up your IGP flaps and know if a circuit has come back up you'll need to monitor all the info stuff, in which case be prepared for a flood of useless crap messages.

Agreed, having IGP UP be an info event is awful. I'm afraid it may be too late in the game to change the default, however.

But Juniper - pretty please: We *really* need a simple method to be able to match UP and DOWN events and not drown in useless trash.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
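What "do the matching on the server end" looks like in practice, as an added example that is not from any poster: ship everything (including the info-level UP messages) to the collector and pair each IGP DOWN with its UP there, regardless of the priorities Juniper assigned. The RPD_OSPF_NBRDOWN / RPD_OSPF_NBRUP tags are the Junos ones; the sample log lines, hostnames and the exact message wording are constructed for this example.

```python
"""Pair IGP DOWN events with the matching UP on the collector side.

Added example, not code from the thread. The message tags RPD_OSPF_NBRDOWN
and RPD_OSPF_NBRUP are the Junos ones; the sample lines below and the text
after the tag are constructed for illustration.
"""
import re
from datetime import datetime

# Junos syslog shape: "<Mon DD HH:MM:SS> <host> rpd[<pid>]: <TAG>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) rpd\[\d+\]: "
    r"(?P<tag>RPD_OSPF_NBR(?:UP|DOWN)): OSPF neighbor (?P<nbr>\S+) "
    r"\(realm \S+ (?P<ifl>\S+) area \S+\)"
)

# Constructed sample: two flaps that recovered, one adjacency still down,
# and an unrelated line that the parser must ignore.
SAMPLE_LOG = """\
Jun 23 13:12:01 edge1 rpd[1412]: RPD_OSPF_NBRDOWN: OSPF neighbor 10.0.0.2 (realm ospf-v2 ge-0/0/1.0 area 0.0.0.0) state changed from Full to Down due to KillNbr
Jun 23 13:12:05 edge1 rpd[1412]: RPD_OSPF_NBRUP: OSPF neighbor 10.0.0.2 (realm ospf-v2 ge-0/0/1.0 area 0.0.0.0) state changed from Loading to Full due to LoadDone
Jun 23 13:40:00 edge1 rpd[1412]: RPD_OSPF_NBRDOWN: OSPF neighbor 10.0.0.6 (realm ospf-v2 ge-0/0/2.0 area 0.0.0.0) state changed from Full to Down due to InactivityTimer
Jun 23 13:41:30 edge1 rpd[1412]: RPD_OSPF_NBRUP: OSPF neighbor 10.0.0.6 (realm ospf-v2 ge-0/0/2.0 area 0.0.0.0) state changed from Loading to Full due to LoadDone
Jun 23 14:00:10 edge1 rpd[1412]: RPD_OSPF_NBRDOWN: OSPF neighbor 10.0.0.10 (realm ospf-v2 ge-0/0/3.0 area 0.0.0.0) state changed from Full to Down due to KillNbr
Jun 23 14:00:11 edge1 sshd[2001]: Accepted password for admin from 192.0.2.9
"""


def parse(line, year=2010):
    """Return a dict for an OSPF adjacency message, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "up": m["tag"].endswith("UP"),
            "nbr": m["nbr"], "ifl": m["ifl"]}


def correlate(log_text, year=2010):
    """Return (flaps, still_down).

    flaps:      list of (host, nbr, ifl, down_ts, up_ts, seconds) for every
                DOWN that was followed by an UP on the same adjacency.
    still_down: list of (host, nbr, ifl, down_ts) with no UP seen yet, which
                is the set worth alerting on.
    """
    pending = {}            # (host, nbr, ifl) -> timestamp of the first DOWN
    flaps = []
    for line in log_text.splitlines():
        ev = parse(line, year)
        if ev is None:
            continue
        key = (ev["host"], ev["nbr"], ev["ifl"])
        if not ev["up"]:
            pending.setdefault(key, ev["ts"])   # keep the first DOWN of a burst
        elif key in pending:
            down = pending.pop(key)
            flaps.append((*key, down, ev["ts"], (ev["ts"] - down).total_seconds()))
        # an UP with no earlier DOWN (initial adjacency) is not a flap: ignored
    still_down = [(*k, ts) for k, ts in pending.items()]
    return flaps, still_down


if __name__ == "__main__":
    flaps, still_down = correlate(SAMPLE_LOG)
    for host, nbr, ifl, down, up, secs in flaps:
        print(f"{host} {ifl} neighbor {nbr}: down {secs:.0f}s ({down:%H:%M:%S} -> {up:%H:%M:%S})")
    for host, nbr, ifl, down in still_down:
        print(f"{host} {ifl} neighbor {nbr}: STILL DOWN since {down:%H:%M:%S}")
```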
Re: [j-nsp] MX80 = vaporware?
Why don't you just get an MX240? They are available and on the market.

On Mon, Jun 21, 2010 at 6:50 AM, Sven Juergensen (KielNET) s.juergen...@kielnet.de wrote:

Hi list,

does anybody have the slightest clue about the availability or hold-up of those boxes? Our sales representatives are shrugging, MX80 demonstrations are lacking the boxes etc pp.

Make way for the 2010 awards? http://www.wired.com/epicenter/2009/12/vaporware-2009-inhale-the-fail/

Boggling regards,
With kind regards,
i. A. Sven Juergensen

--
Networks and Data Centres Department
KielNET GmbH Gesellschaft fuer Kommunikation
Preusserstr. 1-9, 24105 Kiel
Telefon : 0431 2219-053
Mobil : 0170 403 5600
Telefax : 0431 2219-005
E-Mail : s.juergen...@kielnet.de
Internet: http://www.kielnet.de
Managing Director Eberhard Schmidt
HRB 4499 (Amtsgericht Kiel)
PGP details at http://pgp.kielnet.de/sjuergensen/
Re: [j-nsp] SRX Config Question
Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic?

I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies because they don't work the same way in JunOS land.

You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies.

scott

On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella bmanne...@teraswitch.com wrote:

Yes, that makes sense. And the policy pre-SRX was like this. But I am almost positive I read somewhere the SRX was different in that the policy is looked at post-NAT and so the private IP should be used. I will give that a shot though.

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Jun 21, 2010, at 12:50 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote:

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question

So the main issue is the firewall does not seem to allow any incoming traffic on the ports I opened below on the policies. Anyone have any ideas what I am missing?

Hi Brendan,

How are things?

I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214:

from-zone untrust to-zone trust {
    policy 240-51 {
        match {
            source-address any;
            destination-address 192.168.1.214;
            application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ];
        }

I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy which will translate from 111.111.111.214 to 192.168.1.214.

I think you might also need to use an address book entry whereby you put the pre-NATted address (111.111.111.214) into your trust zone as well.

Feel free to contact me offline if you'd like additional assistance.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
Re: [j-nsp] NSR with SRX
Just the obvious: Why NSR? Why not set up a roadwarrior config and use the builtin client of every modern OS? OSX, most Linux distros and Windows have the ability to do IPSEC natively.

On Thu, May 27, 2010 at 3:39 AM, Fahad Khan fahad.k...@gmail.com wrote:

Any comments guys??

Thanks and Regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd

On Wed, May 26, 2010 at 5:52 PM, Fahad Khan fahad.k...@gmail.com wrote:

Dear Folks,

Has anyone used Netscreen Remote Client for dialup VPN with an SRX device?? I have seen in the release notes of 10.1 that SRX does not support NSR. But in the security guide, NSR is a dedicated chapter. Please respond quickly.

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd
Re: [j-nsp] IDP8200 Issue -
set chassis cluster redundancy-group # ip-monitoring

As with all things, YMMV.

On Wed, May 26, 2010 at 7:40 AM, Tim Eberhard xmi...@gmail.com wrote:

You could always run trackip on the SRX to monitor the path to the switch. Pinging a L3 interface on the core switch itself.

Hope this helps
-Tim Eberhard

On May 26, 2010, at 6:27 AM, Fahad Khan fahad.k...@gmail.com wrote:

Dear Folks,

I am just shocked to know that IDP8200 does not support Peer Port Modulation for 10 gig links. Does anyone know how I can fail over my firewall properly if the link between the core switch and IDP is down? The diagram is:

SRX3600---HA---SRX3600
   |              |
IDP8200        IDP8200
   |              |
------Core-Switch------

Awaiting a quick response

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-321-2370510
+92-301-8247638
Skype: fahad-ibm
http://www.linkedin.com/in/muhammadfahadkhan
http://fahad-internetworker.blogspot.com
http://www.visualcv.com/g46ptnd
Re: [j-nsp] static route
What is 192.168.20.2? Does it know what 202.5.5.5 is? If yes, does it allow IP forwarding?

On Tue, May 18, 2010 at 10:10 AM, jjs...@aol.com wrote:

My customer offered to some customers a service that utilizes a probe box between the CE and PE so as to monitor traffic quality and other parameters. This probe box has a /32 IP address as a management IP and it can of course be managed via out-of-band connections; however, the customer would like to use in-band management to accomplish this task and they can do this as below using Cisco gear.

The question is, if the PE becomes a Juniper M320, it does not seem to work with the JUNOS static route command. The current CLI command we can translate in JUNOS is:

routing-instance foo routing-options static route 202.5.5.5/32 next-hop 192.168.20.2

We cannot point to the next-hop as the ge- interface name since it is not a point-to-point ifl. Does some kind of proxy ARP get involved here?

Can someone shine some light as to whether this is do-able with the JUNOS static command to accomplish the same, or do we have to adopt some other methods to do this?

thanks
jjsyed
Re: [j-nsp] SRX vs. SSG
On Mon, May 10, 2010 at 3:25 AM, Pavel Lunin plu...@senetsy.ru wrote:

Moreover SRX3/5k is quite a different story. ScreenOS products anyway can not compete against them.

Are you speaking from experience? Because my old ISG1000 firewalls are superior to my SRX3400 firewalls. Not only do they support IPv6 in route mode, they support it in flow-based packet filtering mode. The SRX3400s do not support IPv6 at all. ISG1000s on ScreenOS, on the other hand, support IPv6 no problem.

Sorry, I didn't mean to kindle a holy war :) Just my opinion. Well, maybe not too humble.

I have an SSG320, 2x ISG1000s and 4x SRX3400s.

[…]

The routing performance of the SRX, ie, taking a full route table via BGP, is horrendous.

Interesting. Did you try to load full BGP into SRX3k? Could you please share the experience. Any issues or something?

Yes, that is precisely the problem. 2x SRX3400s in chassis cluster mode, receiving a full route table from 2 providers: it takes approximately 5 minutes for the route process to finish injecting routes into the kernel routing table. The overall process of a chassis cluster failover, when BGP is enabled, is extremely slow. We're talking minutes of downtime. Chassis cluster failover when upstream is configured via static route is 10 seconds. It's still slower than the ScreenOS failover.

Scott
Re: [j-nsp] SRX vs. SSG
I have an SSG320, 2x ISG1000s and 4x SRX3400s. I can say that the more mature ScreenOS platform is going to be a better fit for anyone craving stability. The complete lack of IPv6 support on the SRX series is a serious flaw in a product that's been on the market for a year already. The routing performance of the SRX, ie, taking a full route table via BGP, is horrendous.

On the plus side for the SRX is the ease of jumbo frames. Unfortunately, if you do enable jumbo frames in an existing configuration, it will blow away your source NAT config. :)

I would say the SRX series is not quite ready for a 99.9% environment. If you can afford some hiccups, then it is a more forward looking device, assuming the IPv6 support arrives soon.

Scott

On Sat, May 8, 2010 at 5:57 PM, Pavel Lunin plu...@senetsy.ru wrote:

Hi Eric,

SSG should be available for another couple of years. Juniper likes to say ScreenOS's roadmap is full of things to be done till the end of the next year.

However I wouldn't say SSG has so much better a featureset. In routing SRX is far far beyond. You can even have packet-mode instances with MPLS, reachable through an internal tunnel. Just like mature routers. From a security point of view — embedded IPS, NAT pools not linked to any direct networks, very granular per zone or interface stateful filters for control plane destined traffic, some more FW things. And of course increased performance/price ratio. JUNOS itself.

As for me, the major weaknesses are:
— NHRP, which allows auto-connect IPSec VPNs, is not supported. A workaround is possible here if you want an SRX to be a hub for SSG spokes.
— IP tracking is not supported for very basic dual-homing. Sure, workarounds are possible.
— Reverse path next-hop is always chosen with reverse route lookup. Not too important. An ER exists for this, though no idea whether someone cares about it.

--
Pavel

2010/5/8 Eric Helm helmw...@ruraltel.net

Hi,

Has anyone heard what Juniper's plan is moving forward with the SSG platform? The SSG still has a much better feature set than the SRX, but it seems that marketing is pushing people to the SRX. I am looking to roll out approximately 200-300 VPN tunnels and trying to decide what platform to go with between the two. SSG is more appealing because of some of its feature set and proven stability. I just don't want to be buying equipment that is slated to be phased out sometime in the future.

Thanks in advance,
/Eric