Re: [j-nsp] SRX340 One to One NAT

2018-08-08 Thread sameer mughal
Thanks Ola.
Actually, I want to do this NAT through the interface.
Scenario: public IP /32 on the interface, and the private IP belongs to my LAN
segment.
Please advise.

On Wed, Aug 8, 2018, 3:27 PM Ola Thoresen  wrote:

> On 08. aug. 2018 11:44, sameer mughal wrote:
>
> > Hi,
> >
> > Can anyone help me to configure static NAT bidirectional?
>
> It is pretty straightforward:
>
> https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-nat-static.html
>
>
> Rgds.
>
> Ola Thoresen
> nLogic AS
>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] SRX340 One to One NAT

2018-08-08 Thread sameer mughal
Hi,

Can anyone help me to configure static NAT bidirectional?

Public IP: 202.101.83.50
Private IP: 10.10.10.80

Actually, I want to configure a video conference device, and it needs an IP
which has been whitelisted by the authorities; therefore it's necessary to
configure 1-to-1 NAT.


Re: [j-nsp] Ipsec tunnel flapping

2018-07-03 Thread sameer mughal
Can anyone check the issue I raised below?

On Thu, Jun 28, 2018 at 3:54 PM, sameer mughal 
wrote:

> remote site logs are also shared below:
>
> Jun 28 17:23:20   rpd[1398]: EVENT  st0.0 index 79  PointToPoint Multicast>
> Jun 28 17:23:20   kmd[1403]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-SOORTY from
> 123.123.123.123 is down. Local-ip: 50.50.50.50, gateway name: gw-soortybd,
> vpn name: VPN-SOORTY, tunnel-id: 131073, local tunnel-if: st0.0, remote
> tunnel-ip: 10.115.10.2, Local IKE-ID: 50.50.50.50, Remote IKE-ID:
> 123.123.123.123, XAUTH username: Not-Applicable, VR id: 0
> Jun 28 17:23:20   rpd[1398]: EVENT UpDown st0.0 index 79  PointToPoint Multicast Localup>
> Jun 28 17:23:20   rpd[1398]: EVENT UpDown st0.0 index 79 10.115.10.1 ->
> 10.115.10.1 
> Jun 28 17:23:20IFP trace> ifp_ifl_anydown_change_event: IFL anydown
> change event: "st0.0"
> Jun 28 17:23:20IFP trace> ifp_ifl_chg: IFL chg: "st0.0 ifl_id 79"
> Jun 28 17:23:20IFP trace> ifp_create_tunnel_session: duplicate tunnel
> session add(st0). skip tunnel session creation
> Jun 28 17:23:20   mib2d[1426]: SNMP_TRAP_LINK_DOWN: ifIndex 584,
> ifAdminStatus up(1), ifOperStatus down(2), ifName st0.0
> Jun 28 17:23:35   rpd[1398]: EVENT  st0.0 index 79  PointToPoint Multicast>
> Jun 28 17:23:35   kmd[1403]: KMD_PM_SA_ESTABLISHED: Local gateway:
> 50.50.50.50, Remote gateway: 123.123.123.123, Local ID:
> ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=
> 0.0.0.0/0), Direction: inbound, SPI: 0x9e4d39d0, AUX-SPI: 0, Mode:
> Tunnel, Type: dynamic
> Jun 28 17:23:35   rpd[1398]: EVENT UpDown st0.0 index 79  PointToPoint Multicast>
> Jun 28 17:23:35   kmd[1403]: KMD_PM_SA_ESTABLISHED: Local gateway:
> 50.50.50.50, Remote gateway: 123.123.123.123, Local ID:
> ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=
> 0.0.0.0/0), Direction: outbound, SPI: 0xabfd4940, AUX-SPI: 0, Mode:
> Tunnel, Type: dynamic
> Jun 28 17:23:35   rpd[1398]: EVENT UpDown st0.0 index 79 10.115.10.1 ->
> 10.115.10.1 
> Jun 28 17:23:35   kmd[1403]: KMD_VPN_UP_ALARM_USER: VPN VPN-SOORTY from
> 123.123.123.123 is up. Local-ip: 50.50.50.50, gateway name: gw-soortybd,
> vpn name: VPN-SOORTY, tunnel-id: 131073, local tunnel-if: st0.0, remote
> tunnel-ip: 10.115.10.2, Local IKE-ID: 50.50.50.50, Remote IKE-ID:
> 123.123.123.123, XAUTH username: Not-Applicable, VR id: 0
> Jun 28 17:23:35IFP trace> ifp_ifl_anydown_change_event: IFL anydown
> change event: "st0.0"
> Jun 28 17:23:35IFP trace> ifp_ifl_chg: IFL chg: "st0.0 ifl_id 79"
> Jun 28 17:23:35IFP trace> ifp_create_tunnel_session: duplicate tunnel
> session add(st0). skip tunnel session creation
> Jun 28 17:23:35   mib2d[1426]: SNMP_TRAP_LINK_UP: ifIndex 584,
> ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
>
>
> On Thu, Jun 28, 2018 at 3:24 PM, sameer mughal 
> wrote:
>
>> Gentlemen,
>>
>> Can anyone help me with this issue?
>>
>> On Mon, Jun 25, 2018 at 10:37 PM, sameer mughal 
>> wrote:
>>
>>> Dear Alexandre,
>>> Please guide me on how I can fix this issue. It arose suddenly; before
>>> this, on the same configuration, the IPsec tunnel was working fine for
>>> more than 5 to 6 months.
>>>
>>> On Mon, Jun 25, 2018, 8:22 PM Alexandre Guimaraes <
>>> alexandre.guimar...@ascenty.com> wrote:
>>>
>>>> Sameer
>>>>
>>>>
>>>> Reason: IPSec SA delete payload received from peer, corresponding IPSec
>>>> SAs cleared
>>>>
>>>>
>>>> This is a phase 2 problem, maybe dead peer detection failure, VPN
>>>> monitoring failure, a failure during rekey when old SA is deleted
>>>> notification sent to delete old SA. Most of the cases.
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Alexandre
>>>>
>>>> On 25 Jun 2018, at 03:42, sameer mughal wrote:
>>>>
>>>> Both sites are on SRX.
>>>> Following are the logs.
>>>>
>>>>  show log junilog|match st0.15
>>>> Jun 25 01:47:51   rpd[1867]: EVENT  st0.15 index 86 >>> PointToPoint Multicast>
>>>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 >>> PointToPoint Multicast Localup>
>>>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2
>>>> -> 10.115.10.2 
>>>> Jun 25 01:47:51   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
>>>> from 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name:
>>>> IKE-U15-GW, vpn name: IPSEC-15-VPN, tunn

Re: [j-nsp] Ipsec tunnel flapping

2018-06-28 Thread sameer mughal
remote site logs are also shared below:

Jun 28 17:23:20   rpd[1398]: EVENT  st0.0 index 79 
Jun 28 17:23:20   kmd[1403]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-SOORTY from
123.123.123.123 is down. Local-ip: 50.50.50.50, gateway name: gw-soortybd,
vpn name: VPN-SOORTY, tunnel-id: 131073, local tunnel-if: st0.0, remote
tunnel-ip: 10.115.10.2, Local IKE-ID: 50.50.50.50, Remote IKE-ID:
123.123.123.123, XAUTH username: Not-Applicable, VR id: 0
Jun 28 17:23:20   rpd[1398]: EVENT UpDown st0.0 index 79 
Jun 28 17:23:20   rpd[1398]: EVENT UpDown st0.0 index 79 10.115.10.1 ->
10.115.10.1 
Jun 28 17:23:20IFP trace> ifp_ifl_anydown_change_event: IFL anydown
change event: "st0.0"
Jun 28 17:23:20IFP trace> ifp_ifl_chg: IFL chg: "st0.0 ifl_id 79"
Jun 28 17:23:20IFP trace> ifp_create_tunnel_session: duplicate tunnel
session add(st0). skip tunnel session creation
Jun 28 17:23:20   mib2d[1426]: SNMP_TRAP_LINK_DOWN: ifIndex 584,
ifAdminStatus up(1), ifOperStatus down(2), ifName st0.0
Jun 28 17:23:35   rpd[1398]: EVENT  st0.0 index 79 
Jun 28 17:23:35   kmd[1403]: KMD_PM_SA_ESTABLISHED: Local gateway:
50.50.50.50, Remote gateway: 123.123.123.123, Local ID:
ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=
0.0.0.0/0), Direction: inbound, SPI: 0x9e4d39d0, AUX-SPI: 0, Mode: Tunnel,
Type: dynamic
Jun 28 17:23:35   rpd[1398]: EVENT UpDown st0.0 index 79 
Jun 28 17:23:35   kmd[1403]: KMD_PM_SA_ESTABLISHED: Local gateway:
50.50.50.50, Remote gateway: 123.123.123.123, Local ID:
ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=
0.0.0.0/0), Direction: outbound, SPI: 0xabfd4940, AUX-SPI: 0, Mode: Tunnel,
Type: dynamic
Jun 28 17:23:35   rpd[1398]: EVENT UpDown st0.0 index 79 10.115.10.1 ->
10.115.10.1 
Jun 28 17:23:35   kmd[1403]: KMD_VPN_UP_ALARM_USER: VPN VPN-SOORTY from
123.123.123.123 is up. Local-ip: 50.50.50.50, gateway name: gw-soortybd,
vpn name: VPN-SOORTY, tunnel-id: 131073, local tunnel-if: st0.0, remote
tunnel-ip: 10.115.10.2, Local IKE-ID: 50.50.50.50, Remote IKE-ID:
123.123.123.123, XAUTH username: Not-Applicable, VR id: 0
Jun 28 17:23:35IFP trace> ifp_ifl_anydown_change_event: IFL anydown
change event: "st0.0"
Jun 28 17:23:35IFP trace> ifp_ifl_chg: IFL chg: "st0.0 ifl_id 79"
Jun 28 17:23:35IFP trace> ifp_create_tunnel_session: duplicate tunnel
session add(st0). skip tunnel session creation
Jun 28 17:23:35   mib2d[1426]: SNMP_TRAP_LINK_UP: ifIndex 584,
ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0


On Thu, Jun 28, 2018 at 3:24 PM, sameer mughal 
wrote:

> Gentlemen,
>
> Can anyone help me with this issue?
>
> On Mon, Jun 25, 2018 at 10:37 PM, sameer mughal 
> wrote:
>
>> Dear Alexandre,
>> Please guide me on how I can fix this issue. It arose suddenly; before
>> this, on the same configuration, the IPsec tunnel was working fine for
>> more than 5 to 6 months.
>>
>> On Mon, Jun 25, 2018, 8:22 PM Alexandre Guimaraes <
>> alexandre.guimar...@ascenty.com> wrote:
>>
>>> Sameer
>>>
>>>
>>> Reason: IPSec SA delete payload received from peer, corresponding IPSec
>>> SAs cleared
>>>
>>>
>>> This is a phase 2 problem, maybe dead peer detection failure, VPN
>>> monitoring failure, a failure during rekey when old SA is deleted
>>> notification sent to delete old SA. Most of the cases.
>>>
>>>
>>>
>>> Regards,
>>> Alexandre
>>>
>>> On 25 Jun 2018, at 03:42, sameer mughal wrote:
>>>
>>> Both sites are on SRX.
>>> Following are the logs.
>>>
>>>  show log junilog|match st0.15
>>> Jun 25 01:47:51   rpd[1867]: EVENT  st0.15 index 86 >> PointToPoint Multicast>
>>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 >> PointToPoint Multicast Localup>
>>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>>> 10.115.10.2 
>>> Jun 25 01:47:51   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
>>> from 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name:
>>> IKE-U15-GW, vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if:
>>> st0.15, remote tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote
>>> IKE-ID: 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0,
>>> Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=
>>> 0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0
>>> .0/0), SA Type: Static, Reason: IPSec SA delete payload received from
>>> peer, corresponding IPSec SAs cleared
>>> Jun 25 01:47:51   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
>>> ifAdminStatus up(1), ifOperStatus down(2),

Re: [j-nsp] Ipsec tunnel flapping

2018-06-28 Thread sameer mughal
Gentlemen,

Can anyone help me with this issue?

On Mon, Jun 25, 2018 at 10:37 PM, sameer mughal 
wrote:

> Dear Alexandre,
> Please guide me on how I can fix this issue. It arose suddenly; before
> this, on the same configuration, the IPsec tunnel was working fine for
> more than 5 to 6 months.
>
> On Mon, Jun 25, 2018, 8:22 PM Alexandre Guimaraes <
> alexandre.guimar...@ascenty.com> wrote:
>
>> Sameer
>>
>>
>> Reason: IPSec SA delete payload received from peer, corresponding IPSec
>> SAs cleared
>>
>>
>> This is a phase 2 problem, maybe dead peer detection failure, VPN
>> monitoring failure, a failure during rekey when old SA is deleted
>> notification sent to delete old SA. Most of the cases.
>>
>>
>>
>> Regards,
>> Alexandre
>>
>> On 25 Jun 2018, at 03:42, sameer mughal wrote:
>>
>> Both sites are on SRX.
>> Following are the logs.
>>
>>  show log junilog|match st0.15
>> Jun 25 01:47:51   rpd[1867]: EVENT  st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 > PointToPoint Multicast Localup>
>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 
>> Jun 25 01:47:51   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
>> from 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name:
>> IKE-U15-GW, vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if:
>> st0.15, remote tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote
>> IKE-ID: 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0,
>> Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=
>> 0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.
>> 0.0/0), SA Type: Static, Reason: IPSec SA delete payload received from
>> peer, corresponding IPSec SAs cleared
>> Jun 25 01:47:51   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
>> Jun 25 01:48:06   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
>> 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
>> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA
>> Type: Static
>> Jun 25 01:48:06   rpd[1867]: EVENT  st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 
>> Jun 25 01:48:06   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15
>> Jun 25 01:51:52   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
>> from 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name:
>> IKE-U15-GW, vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if:
>> st0.15, remote tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote
>> IKE-ID: 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0,
>> Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=
>> 0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.
>> 0.0/0), SA Type: Static, Reason: IPSec SA delete payload received from
>> peer, corresponding IPSec SAs cleared
>> Jun 25 01:51:52   rpd[1867]: EVENT  st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 > PointToPoint Multicast Localup>
>> Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 
>> Jun 25 01:51:52   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
>> Jun 25 01:52:07   rpd[1867]: EVENT  st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:52:07   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
>> 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),

Re: [j-nsp] Ipsec tunnel flapping

2018-06-25 Thread sameer mughal
Dear Alexandre,
Please guide me on how I can fix this issue. It arose suddenly; before
this, on the same configuration, the IPsec tunnel was working fine for
more than 5 to 6 months.

On Mon, Jun 25, 2018, 8:22 PM Alexandre Guimaraes <
alexandre.guimar...@ascenty.com> wrote:

> Sameer
>
>
> Reason: IPSec SA delete payload received from peer, corresponding IPSec
> SAs cleared
>
>
> This is a phase 2 problem, maybe dead peer detection failure, VPN
> monitoring failure, a failure during rekey when old SA is deleted
> notification sent to delete old SA. Most of the cases.
>
>
>
> Regards,
> Alexandre
>
> On 25 Jun 2018, at 03:42, sameer mughal wrote:
>
> Both sites are on SRX.
> Following are the logs.
>
>  show log junilog|match st0.15
> Jun 25 01:47:51   rpd[1867]: EVENT  st0.15 index 86  PointToPoint Multicast>
> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86  PointToPoint Multicast Localup>
> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
> 10.115.10.2 
> Jun 25 01:47:51   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
> from 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name:
> IKE-U15-GW, vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if:
> st0.15, remote tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote
> IKE-ID: 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0,
> Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=
> 0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
> SA Type: Static, Reason: IPSec SA delete payload received from peer,
> corresponding IPSec SAs cleared
> Jun 25 01:47:51   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
> ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
> Jun 25 01:48:06   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
> 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
> Static
> Jun 25 01:48:06   rpd[1867]: EVENT  st0.15 index 86  PointToPoint Multicast>
> Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86  PointToPoint Multicast>
> Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
> 10.115.10.2 
> Jun 25 01:48:06   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588,
> ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15
> Jun 25 01:51:52   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
> from 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name:
> IKE-U15-GW, vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if:
> st0.15, remote tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote
> IKE-ID: 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0,
> Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=
> 0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
> SA Type: Static, Reason: IPSec SA delete payload received from peer,
> corresponding IPSec SAs cleared
> Jun 25 01:51:52   rpd[1867]: EVENT  st0.15 index 86  PointToPoint Multicast>
> Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86  PointToPoint Multicast Localup>
> Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
> 10.115.10.2 
> Jun 25 01:51:52   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
> ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
> Jun 25 01:52:07   rpd[1867]: EVENT  st0.15 index 86  PointToPoint Multicast>
> Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86  PointToPoint Multicast>
> Jun 25 01:52:07   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
> 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
> Static
> Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
> 10.115.10.2 
> Jun 25 01:52:07   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588,
> ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15
>
> {primary:node0}
>
> On Mon, Jun 25, 2018 at 3:03 AM, Alexandre Guimaraes <
> alexandre.guimar...@ascenty.com> wrote:
>
>> 

Re: [j-nsp] Ipsec tunnel flapping

2018-06-25 Thread sameer mughal
Dear Koyle,
I have already configured a static route towards the destination.

On Mon, Jun 25, 2018, 6:50 PM Eldon Koyle 
wrote:

> Do you have a default route over that tunnel?  If so, once the tunnel
> comes up it will try to route the ipsec connection through the tunnel,
> which will break the tunnel.  Try adding a static route to the remote
> tunnel endpoint via your internet connection.
>
> --
> Eldon
>
>
> On Mon, Jun 25, 2018, 00:43 sameer mughal  wrote:
>
>> Both sites are on SRX.
>> Following are the logs.
>>
>>  show log junilog|match st0.15
>> Jun 25 01:47:51   rpd[1867]: EVENT  st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 > PointToPoint Multicast Localup>
>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 
>> Jun 25 01:47:51   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
>> from
>> 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
>> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
>> Static, Reason: IPSec SA delete payload received from peer, corresponding
>> IPSec SAs cleared
>> Jun 25 01:47:51   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
>> Jun 25 01:48:06   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
>> 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
>> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
>> Static
>> Jun 25 01:48:06   rpd[1867]: EVENT  st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 
>> Jun 25 01:48:06   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15
>> Jun 25 01:51:52   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
>> from
>> 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
>> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
>> Static, Reason: IPSec SA delete payload received from peer, corresponding
>> IPSec SAs cleared
>> Jun 25 01:51:52   rpd[1867]: EVENT  st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 > PointToPoint Multicast Localup>
>> Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 
>> Jun 25 01:51:52   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
>> Jun 25 01:52:07   rpd[1867]: EVENT  st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 > PointToPoint Multicast>
>> Jun 25 01:52:07   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
>> 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
>> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
>> Static
>> Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 
>> Jun 25 01:52:07   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15
>>
>> {primary:node0}
>>
>> On Mon, Jun 

Re: [j-nsp] Ipsec tunnel flapping

2018-06-25 Thread sameer mughal
Both sites are on SRX.
Following are the logs.

 show log junilog|match st0.15
Jun 25 01:47:51   rpd[1867]: EVENT  st0.15 index 86 
Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 
Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
10.115.10.2 
Jun 25 01:47:51   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN from
103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
, Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
Static, Reason: IPSec SA delete payload received from peer, corresponding
IPSec SAs cleared
Jun 25 01:47:51   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
Jun 25 01:48:06   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
, Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
Static
Jun 25 01:48:06   rpd[1867]: EVENT  st0.15 index 86 
Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 
Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
10.115.10.2 
Jun 25 01:48:06   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588,
ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15
Jun 25 01:51:52   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN from
103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
, Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
Static, Reason: IPSec SA delete payload received from peer, corresponding
IPSec SAs cleared
Jun 25 01:51:52   rpd[1867]: EVENT  st0.15 index 86 
Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 
Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
10.115.10.2 
Jun 25 01:51:52   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
Jun 25 01:52:07   rpd[1867]: EVENT  st0.15 index 86 
Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 
Jun 25 01:52:07   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
, Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
Static
Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
10.115.10.2 
Jun 25 01:52:07   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588,
ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15

{primary:node0}

On Mon, Jun 25, 2018 at 3:03 AM, Alexandre Guimaraes <
alexandre.guimar...@ascenty.com> wrote:

> Have you checked the errors? Do a deep inspection and check the packets to
> see what behavior triggers the down state. Tcpdump will give
> you hints.
>
> Do both sides use SRX?
>
> Regards,
> Alexandre
>
> On 24 Jun 2018, at 07:59, sameer mughal wrote:
>
> > Hi All,
> > I am facing an IPsec tunnel flapping issue on an SRX550. The ISP links on
> > both sides are up and stable, but the tunnel is still flapping.
> > Is anyone facing a similar problem, or does anyone have a solution to fix this issue?
>
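
Added example, not part of the thread and not Juniper tooling: a small parser that turns wrapped (and optionally `>`-quoted) kmd syslog records of the kind posted above into per-VPN flap statistics, so the outage length, the spacing between drops and the logged Reason can be compared against DPD, VPN-monitor and rekey timers. The sample log is constructed (names and RFC 5737 addresses are made up), and the year is an assumption because these timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the KMD_VPN_*_ALARM_USER layout quoted in the thread.
# Records are wrapped across lines the way the mail client wrapped them.
SAMPLE_LOG = """\
Jun 25 01:47:51   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN EXAMPLE-VPN from
198.51.100.7 is down. Local-ip: 203.0.113.9, gateway name: EXAMPLE-GW,
vpn name: EXAMPLE-VPN, tunnel-id: 131075, local tunnel-if: st0.15, SA Type:
Static, Reason: IPSec SA delete payload received from peer, corresponding
IPSec SAs cleared
Jun 25 01:47:51   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
Jun 25 01:48:06   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN EXAMPLE-VPN from
198.51.100.7 is up. Local-ip: 203.0.113.9, gateway name: EXAMPLE-GW,
vpn name: EXAMPLE-VPN, tunnel-id: 131075, local tunnel-if: st0.15, SA Type:
Static
Jun 25 01:51:52   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN EXAMPLE-VPN from
198.51.100.7 is down. Local-ip: 203.0.113.9, gateway name: EXAMPLE-GW,
vpn name: EXAMPLE-VPN, tunnel-id: 131075, local tunnel-if: st0.15, SA Type:
Static, Reason: IPSec SA delete payload received from peer, corresponding
IPSec SAs cleared
Jun 25 01:52:07   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN EXAMPLE-VPN from
198.51.100.7 is up. Local-ip: 203.0.113.9, gateway name: EXAMPLE-GW,
vpn name: EXAMPLE-VPN, tunnel-id: 131075, local tunnel-if: st0.15, SA Type:
Static
Jun 28 17:23:20   kmd[1403]: KMD_VPN_DOWN_ALARM_USER: VPN EXAMPLE-REMOTE from
203.0.113.9 is down. Local-ip: 198.51.100.7, gateway name: example-gw,
vpn name: EXAMPLE-REMOTE, tunnel-id: 131073, local tunnel-if: st0.0, VR id: 0
Jun 28 17:23:35   kmd[1403]: KMD_VPN_UP_ALARM_USER: VPN EXAMPLE-REMOTE from
203.0.113.9 is up. Local-ip: 198.51.100.7, gateway name: example-gw,
vpn name: EXAMPLE-REMOTE, tunnel-id: 131073, local tunnel-if: st0.0, VR id: 0
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
QUOTE_RE = re.compile(r"^\s*(?:>\s?)+")            # mail quote prefix: "> ", ">> "
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)\s*kmd\[\d+\]: "
    r"KMD_VPN_(?P<state>UP|DOWN)_ALARM_USER: VPN (?P<vpn>\S+) from (?P<peer>\S+) is ")
REASON_RE = re.compile(r"Reason: (?P<reason>.+)$")


def unwrap(text):
    """Strip quote prefixes and rejoin wrapped lines into one string per record."""
    records = []
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)           # a timestamp starts a new record
        else:
            records[-1] += " " + line      # continuation of the previous record
    return records


def parse_ts(ts, year):
    mon, day, clock = ts.split()
    h, m, s = map(int, clock.split(":"))
    return datetime(year, MONTHS[mon], int(day), h, m, s)


def vpn_events(text, year=2018):
    """Return kmd VPN up/down events; `year` is assumed (not present in the log)."""
    events = []
    for rec in unwrap(text):
        m = EVENT_RE.match(rec)
        if not m:
            continue                       # rpd, mib2d and trace lines are ignored
        reason = REASON_RE.search(rec)
        events.append({"time": parse_ts(m["ts"], year), "state": m["state"],
                       "vpn": m["vpn"], "peer": m["peer"],
                       "reason": reason["reason"] if reason else None})
    return events


def flap_report(events):
    """Per VPN: outage durations, gaps between successive downs, reason counts."""
    report = {}
    for ev in events:
        r = report.setdefault(ev["vpn"], {"downs": [], "outage_s": [],
                                          "reasons": Counter(), "down_since": None})
        if ev["state"] == "DOWN":
            r["downs"].append(ev["time"])
            r["reasons"][ev["reason"] or "not logged"] += 1
            r["down_since"] = ev["time"]
        elif r["down_since"] is not None:  # an UP with no earlier DOWN is skipped
            r["outage_s"].append(int((ev["time"] - r["down_since"]).total_seconds()))
            r["down_since"] = None
    for r in report.values():
        d = r["downs"]
        r["down_gap_s"] = [int((b - a).total_seconds()) for a, b in zip(d, d[1:])]
    return report


if __name__ == "__main__":
    for vpn, r in flap_report(vpn_events(SAMPLE_LOG)).items():
        print(vpn, "outages(s):", r["outage_s"], "gaps between downs(s):",
              r["down_gap_s"], "reasons:", dict(r["reasons"]))
```

Identical outage lengths and regular gaps point at a timer rather than a link problem; a log that spans a year boundary needs the year handled explicitly.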


[j-nsp] Ipsec tunnel flapping

2018-06-24 Thread sameer mughal
Hi All,
I am facing an IPsec tunnel flapping issue on an SRX550. The ISP links on both
sides are up and stable, but the tunnel is still flapping.
Is anyone facing a similar problem, or does anyone have a solution to fix this issue?


Re: [j-nsp] SRX 550 BGP Flapping

2018-01-30 Thread sameer mughal
Thank you all for your interest.
Following are the interface stats FYR.

  Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode:
Full-duplex, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
Flow control: Disabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags : None
  CoS queues : 8 supported, 8 maximum usable queues
  Current address: 00:10:db:ff:10:02, Hardware address: 58:00:bb:58:35:02
  Last flapped   : 2018-01-30 05:27:06 GMT+5 (18:48:35 ago)
  Input rate : 32985528 bps (6226 pps)
  Output rate: 29967832 bps (5722 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/2.0 (Index 67) (SNMP ifIndex 520)
Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 222627215
Output packets: 167230114
Security: Zone: Null
Protocol aenet, AE bundle: reth2.0   Link Index: 0

{primary:node0}
show interfaces ge-9/0/2
Physical interface: ge-9/0/2, Enabled, Physical link is Up
  Interface index: 177, SNMP ifIndex: 565
  Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode:
Full-duplex, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
Flow control: Disabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags : None
  CoS queues : 8 supported, 8 maximum usable queues
  Current address: 00:10:db:ff:10:02, Hardware address: 58:00:bb:58:bc:02
  Last flapped   : 2018-01-30 03:50:09 GMT+5 (20:25:37 ago)
  Input rate : 0 bps (0 pps)
  Output rate: 0 bps (0 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-9/0/2.0 (Index 89) (SNMP ifIndex 575)
Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 3584089
Output packets: 4832617
Security: Zone: Null
Protocol aenet, AE bundle: reth2.0   Link Index: 0

{primary:node0}

On Wed, Jan 31, 2018 at 1:42 AM, Payam Chychi <pchy...@gmail.com> wrote:

> On Tue, Jan 30, 2018 at 9:29 AM Alexander Arseniev <arsen...@btinternet.com> wrote:
>
> > Hello,
> >
> > BGP KA size is 19 bytes without authentication, circa 39 with. Plus IP
> > overhead, plus Ethernet OVH - still below 100 B.
> >
> > SRX reth default MTU is 1500B.
> >
> > Are You sure that checking & setting MTU helps to fix BGP holdtime expiry?
> >
> > I would bet that either SRX550 reth interface is saturated, or SRX550
> > CPU is busy.
> >
> > HTH
> >
> > Thx
> > Alex
> >
> >
> > On 30/01/2018 06:25, Emille Blanc wrote:
> > > You might want to check the MTU of the path, or ensure that pmtu is enabled.
> > > It looks like you're using a redundant ethernet interface (reth). If
> > > you're using a non-standard MTU, make sure it is set correctly for its
> > > member interface(s).
> > >
> > > 
> > > From: juniper-nsp [juniper-nsp-boun...@puck.nether.net] On Behalf Of
> > sameer mughal [pcs.same...@gmail.com]
> > > Sent: Monday, January 29, 2018 8:20 PM
> > > To: juniper-nsp@puck.nether.net
> > > Subject: Re: [j-nsp] SRX 550 BGP Flapping
> > >
> > > I have seen hold time error. what will be the fix on this issue?
> > >
> > >
> >
> >
>  Bgp exchanges routes, those routes get sent as an update packet, that
> packet can fill up the size of the packet to the mtu-ip/tcp(40byte), so
> yes, if you have mix match of mtu, your bgp session will
> drop/reconnect/drop... (repeat) if the update pkt size gets fragmented
>
>
> --
> Payam Tarverdyan Chychi
> Network Security Specialist / Network Engineer
>


Re: [j-nsp] SRX 550 BGP Flapping

2018-01-29 Thread sameer mughal
Thanks for the reply.
Can you please help me how can I check and correct this ?


On Tue, Jan 30, 2018 at 11:25 AM, Emille Blanc <emi...@abccommunications.com> wrote:

> You might want to check the MTU of the path, or ensure that pmtu is
> enabled.
> It looks like you're using a redundant ethernet interface (reth). If
> you're using a non-standard MTU, make sure it is set correctly for its
> member interface(s).
>
> 
> From: juniper-nsp [juniper-nsp-boun...@puck.nether.net] On Behalf Of
> sameer mughal [pcs.same...@gmail.com]
> Sent: Monday, January 29, 2018 8:20 PM
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] SRX 550 BGP Flapping
>
> I have seen hold time error. what will be the fix on this issue?
>
> show bgp neighbor xx.xx.xx.xx
> Peer: xx.xx.xx.xx+179 AS   Local: xx.xx.xx.xx+56228 AS 
>   Type: ExternalState: EstablishedFlags: 
>   Last State: OpenConfirm   Last Event: RecvKeepAlive
>   Last Error: Hold Timer Expired Error
>   Export: [ IMPORT-LAN-INTO-BGP ] Import: [ Reject-BGP ]
>   Options: 
>   Options: 
>   Authentication key is configured
>   Local Address: xx.xx.xx.xx Holdtime: 90 Preference: 170
>   Number of flaps: 30
>   Last flap event: HoldTime
>   Error: 'Hold Timer Expired Error' Sent: 30 Recv: 0
>   Peer ID: xx.xx.xx.xx Local ID: xx.xx.xx.xx   Active Holdtime: 90
>   Keepalive Interval: 30 Group index: 0Peer index: 0
>   BFD: disabled, down
>   Local Interface: reth2.0
>   NLRI for restart configured on peer: inet-unicast
>   NLRI advertised by peer: inet-unicast
>   NLRI for this session: inet-unicast
>   Peer supports Refresh capability (2)
>   Stale routes from peer are kept for: 300
>   Peer does not support Restarter functionality
>   Peer does not support Receiver functionality
>   Peer does not support LLGR Restarter or Receiver functionality
>   Peer supports 4 byte AS extension (peer-as xx.xx.xx.xx)
>   Peer does not support Addpath
>   Table inet.0 Bit: 1
> RIB State: BGP restart is complete
>
>
> On Tue, Jan 30, 2018 at 9:14 AM, sameer mughal <pcs.same...@gmail.com>
> wrote:
>
> > Hi,
> > Can anyone help me on this bgp flapping issue?
> >
> > show bgp summary
> > Groups: 1 Peers: 1 Down peers: 0
> > Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
> > inet.0
> >                       37         31          0          0          0          0
> > Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
> > xx.xx.xx.xx            9541         86         70       0    *30*       28:28 31/37/36/0           0/0/0/0
> >
> > {primary:node0}
> >
> > Peer: xx.xx.xx.xx +179 AS 9541 Local: xx.xx.xx.xx +56228 AS 64520
> >   Type: ExternalState: EstablishedFlags: 
> >   Last State: OpenConfirm   Last Event: RecvKeepAlive
> >   Last Error: Hold Timer Expired Error
> >   Export: [ IMPORT-LAN-INTO-BGP ] Import: [ Reject-BGP ]
> >   Options: 
> >   Options: 
> >   Authentication key is configured
> >   Local Address: 192.168.111.74 Holdtime: 90 Preference: 170
> >   Number of flaps: 30
> >   Last flap event: HoldTime
> >   Error: 'Hold Timer Expired Error' Sent: 30 Recv: 0
> >   Peer ID: xx.xx.xx.xx Local ID: xx.xx.xx.xxActive Holdtime: 90
> >   Keepalive Interval: 30 Group index: 0Peer index: 0
> >   BFD: disabled, down
> >   Local Interface: reth2.0
> >   NLRI for restart configured on peer: inet-unicast
> >   NLRI advertised by peer: inet-unicast
> >   NLRI for this session: inet-unicast
> >   Peer supports Refresh capability (2)
> >   Stale routes from peer are kept for: 300
> >   Peer does not support Restarter functionality
> >   Peer does not support Receiver functionality
> >   Peer does not support LLGR Restarter or Receiver functionality
> >   Peer supports 4 byte AS extension (peer-as 9541)
> >   Peer does not support Addpath
> >

Re: [j-nsp] SRX 550 BGP Flapping

2018-01-29 Thread sameer mughal
I have seen hold time error. what will be the fix on this issue?

show bgp neighbor xx.xx.xx.xx
Peer: xx.xx.xx.xx+179 AS   Local: xx.xx.xx.xx+56228 AS 
  Type: ExternalState: EstablishedFlags: 
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: Hold Timer Expired Error
  Export: [ IMPORT-LAN-INTO-BGP ] Import: [ Reject-BGP ]
  Options: 
  Options: 
  Authentication key is configured
  Local Address: xx.xx.xx.xx Holdtime: 90 Preference: 170
  Number of flaps: 30
  Last flap event: HoldTime
  Error: 'Hold Timer Expired Error' Sent: 30 Recv: 0
  Peer ID: xx.xx.xx.xx Local ID: xx.xx.xx.xx   Active Holdtime: 90
  Keepalive Interval: 30 Group index: 0Peer index: 0
  BFD: disabled, down
  Local Interface: reth2.0
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  Peer does not support Receiver functionality
  Peer does not support LLGR Restarter or Receiver functionality
  Peer supports 4 byte AS extension (peer-as xx.xx.xx.xx)
  Peer does not support Addpath
  Table inet.0 Bit: 1
RIB State: BGP restart is complete


On Tue, Jan 30, 2018 at 9:14 AM, sameer mughal <pcs.same...@gmail.com>
wrote:

> Hi,
> Can anyone help me on this bgp flapping issue?
>
> show bgp summary
> Groups: 1 Peers: 1 Down peers: 0
> Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
> inet.0
>                       37         31          0          0          0          0
> Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
> xx.xx.xx.xx            9541         86         70       0    *30*       28:28 31/37/36/0           0/0/0/0
>
> {primary:node0}
>
> Peer: xx.xx.xx.xx +179 AS 9541 Local: xx.xx.xx.xx +56228 AS 64520
>   Type: ExternalState: EstablishedFlags: 
>   Last State: OpenConfirm   Last Event: RecvKeepAlive
>   Last Error: Hold Timer Expired Error
>   Export: [ IMPORT-LAN-INTO-BGP ] Import: [ Reject-BGP ]
>   Options: 
>   Options: 
>   Authentication key is configured
>   Local Address: 192.168.111.74 Holdtime: 90 Preference: 170
>   Number of flaps: 30
>   Last flap event: HoldTime
>   Error: 'Hold Timer Expired Error' Sent: 30 Recv: 0
>   Peer ID: xx.xx.xx.xx Local ID: xx.xx.xx.xxActive Holdtime: 90
>   Keepalive Interval: 30 Group index: 0Peer index: 0
>   BFD: disabled, down
>   Local Interface: reth2.0
>   NLRI for restart configured on peer: inet-unicast
>   NLRI advertised by peer: inet-unicast
>   NLRI for this session: inet-unicast
>   Peer supports Refresh capability (2)
>   Stale routes from peer are kept for: 300
>   Peer does not support Restarter functionality
>   Peer does not support Receiver functionality
>   Peer does not support LLGR Restarter or Receiver functionality
>   Peer supports 4 byte AS extension (peer-as 9541)
>   Peer does not support Addpath
>   Table inet.0 Bit: 1
> RIB State: BGP restart is complete
> Send state: in sync
> Active prefixes:  31
> Received prefixes:37
> Accepted prefixes:36
> Suppressed due to damping:0
> Advertised prefixes:  48
>   Last traffic (seconds): Received 28   Sent 10   Checked 58
>   Input messages:  Total 80 Updates 30  Refreshes 0 Octets 2749
>   Output messages: Total 64 Updates 5   Refreshes 0 Octets 1618
>   Output Queue[0]: 0(inet.0, inet-unicast)
>
>
>


[j-nsp] SRX 550 BGP Flapping

2018-01-29 Thread sameer mughal
Hi,
Can anyone help me on this bgp flapping issue?

show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0
                      37         31          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
xx.xx.xx.xx            9541         86         70       0    *30*       28:28 31/37/36/0           0/0/0/0

{primary:node0}

Peer: xx.xx.xx.xx +179 AS 9541 Local: xx.xx.xx.xx +56228 AS 64520
  Type: ExternalState: EstablishedFlags: 
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: Hold Timer Expired Error
  Export: [ IMPORT-LAN-INTO-BGP ] Import: [ Reject-BGP ]
  Options: 
  Options: 
  Authentication key is configured
  Local Address: 192.168.111.74 Holdtime: 90 Preference: 170
  Number of flaps: 30
  Last flap event: HoldTime
  Error: 'Hold Timer Expired Error' Sent: 30 Recv: 0
  Peer ID: xx.xx.xx.xx Local ID: xx.xx.xx.xxActive Holdtime: 90
  Keepalive Interval: 30 Group index: 0Peer index: 0
  BFD: disabled, down
  Local Interface: reth2.0
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  Peer does not support Receiver functionality
  Peer does not support LLGR Restarter or Receiver functionality
  Peer supports 4 byte AS extension (peer-as 9541)
  Peer does not support Addpath
  Table inet.0 Bit: 1
RIB State: BGP restart is complete
Send state: in sync
Active prefixes:  31
Received prefixes:37
Accepted prefixes:36
Suppressed due to damping:0
Advertised prefixes:  48
  Last traffic (seconds): Received 28   Sent 10   Checked 58
  Input messages:  Total 80 Updates 30  Refreshes 0 Octets 2749
  Output messages: Total 64 Updates 5   Refreshes 0 Octets 1618
  Output Queue[0]: 0(inet.0, inet-unicast)




[j-nsp] SSG 350M firewall to Cisco Firepower

2017-11-10 Thread sameer mughal
Hi,
Can anyone please share me any good converter from SSG to firepower
firewall configuration.

I was cisco tool but it is not working and support email address is also
not replying.

Cisco Tool:
https://fwmig.cisco.com/




[j-nsp] Need Assistance

2017-11-06 Thread sameer mughal
Hi All,

Kindly review below routes, can anyone please help me to prefer BGP over
OSPF internal route?
What will be the configuration, please?

172.16.0.0/16  *[OSPF/10] 1d 03:16:11, metric 2
> via st0.1
[BGP/170] 1d 03:17:10, localpref 100
  AS path: 9541 64520 I
> to 192.168.108.65 via fe-0/0/7.0




[j-nsp] Same configuration

2017-10-19 Thread sameer mughal
Hi All,

Can anyone update me that Is the same configuration on srx240h2 will work
on srx550 or need some modification?




[j-nsp] SSG350 Link Shifting

2017-10-10 Thread sameer mughal
Dear All,

I have two ISP's on my SSG350M firewall, i want to shift my one ISP link to
other in case of one iSP link failure. But physical interface in my SSG
will never down due to it is connected thru ethernet and ISP connected thru
fiber.
Can anyone please suggest me solution?


[j-nsp] Application Type on SRX

2017-10-05 Thread sameer mughal
Hi,
Can anyone please guide me, Is it possible that I can check application
type i.e. https,https or ERP related on my SRX110/240 router?
Actually, my goal is to check which applications are bandwidth hungry or
using high bandwidth passing thru my router.

Thanks.




Re: [j-nsp] HA Configuration on SRX550M

2017-09-26 Thread sameer mughal
Dear Youssef,
Thanks for the reply.
 Yes, you are right that there are multiple docs available on juniper site
for this HA configuration but I was just interested to the specific one
from this tech forum.


On Tue, Sep 26, 2017 at 2:54 PM, Youssef Bengelloun-Zahr <benge...@gmail.com> wrote:

> Dear Sameer,
>
> There are tons of step-by-step documentations on juniper's website.
>
> Did you at least take the time to google it ?
>
> Best regards.
>
>
>
> > On 26 Sept. 2017 at 08:17, sameer mughal <pcs.same...@gmail.com> wrote:
> >
> > Hi,
> >
> > Can anyone please share me the HA configuration on SRX550M?
> > Currently, we are using srx240h2 without HA operational.
> >
> > Need step by step configuration with best practice.
> >
> >
> > Thanks.
> >
>

[j-nsp] HA Configuration on SRX550M

2017-09-26 Thread sameer mughal
Hi,

Can anyone please share me the HA configuration on SRX550M?
Currently, we are using srx240h2 without HA operational.

Need step by step configuration with best practice.


Thanks.




Re: [j-nsp] SRX - CPU utilization exceeds

2017-09-22 Thread sameer mughal
Hi Luke,

Thanks for the reply. Please refer below output;

 show security flow status
  Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
  Flow trace status
Flow tracing status: off
  Flow session distribution
Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
Ordering mode: Hardware

Regarding modes I have learned from this site:
http://net.cmed.us/Home/juniper/flow-vs-packet-mode

Please correct me If I understood something wrong.



On Wed, Sep 20, 2017 at 6:17 PM, Damien Luke <damien.l...@ac3.com.au> wrote:

> Are you sure?  BGP and policy options don't require packet mode to be
> enabled.
>
> What does `show security flow status` show under Inet forwarding mode?
> 
> From: juniper-nsp <juniper-nsp-boun...@puck.nether.net> on behalf of
> sameer mughal <pcs.same...@gmail.com>
> Sent: Wednesday, 20 September 2017 10:56 PM
> To: Phil Mayers
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] SRX - CPU utilization exceeds
>
> "packet mode" because we are configuring BGP and route map on this device.
>
> On Wed, Sep 20, 2017 at 4:37 PM, sameer mughal <pcs.same...@gmail.com>
> wrote:
>
> > Hi,
> > Device is working in packet flow.
> >
> > On Wed, Sep 20, 2017 at 3:21 PM, Phil Mayers <p.may...@imperial.ac.uk>
> > wrote:
> >
> >> Datasheet numbers are often optimistic.
> >>
> >> Is the device forwarding in flow or packet mode? If flow mode, what type
> >> of firewall services (appfw, IDP, etc.) and what is the session rate
> >> like?
> >> What does the bytes/packet distribution look like?
> >>
> >> On 19 September 2017 08:47:51 WEST, sameer mughal <pcs.same...@gmail.com>
> >> wrote:
> >> >Thanks a lot for the reply.
> >> >
> >> >However, as per the available SRX datasheet they can manage 300Mbps
> >> >throughput so why it is showing high CPU in btw 60 to 70 Mbps. This is
> >>
> >> --
> >> Sent from my mobile device, please excuse brevity and typos
> >>
> >
> >
>


Re: [j-nsp] SRX - CPU utilization exceeds

2017-09-20 Thread sameer mughal
"packet mode" because we are configuring BGP and route map on this device.

On Wed, Sep 20, 2017 at 4:37 PM, sameer mughal <pcs.same...@gmail.com>
wrote:

> Hi,
> Device is working in packet flow.
>
> On Wed, Sep 20, 2017 at 3:21 PM, Phil Mayers <p.may...@imperial.ac.uk>
> wrote:
>
>> Datasheet numbers are often optimistic.
>>
>> Is the device forwarding in flow or packet mode? If flow mode, what type
>> of firewall services (appfw, IDP, etc.) and what is the session rate like?
>> What does the bytes/packet distribution look like?
>>
>> On 19 September 2017 08:47:51 WEST, sameer mughal <pcs.same...@gmail.com>
>> wrote:
>> >Thanks a lot for the reply.
>> >
>> >However, as per the available SRX datasheet they can manage 300Mbps
>> >throughput so why it is showing high CPU in btw 60 to 70 Mbps. This is
>>
>> --
>> Sent from my mobile device, please excuse brevity and typos
>>
>
>


Re: [j-nsp] SRX - CPU utilization exceeds

2017-09-20 Thread sameer mughal
Hi,
Device is working in packet flow.

On Wed, Sep 20, 2017 at 3:21 PM, Phil Mayers <p.may...@imperial.ac.uk>
wrote:

> Datasheet numbers are often optimistic.
>
> Is the device forwarding in flow or packet mode? If flow mode, what type
> of firewall services (appfw, IDP, etc.) and what is the session rate like?
> What does the bytes/packet distribution look like?
>
> On 19 September 2017 08:47:51 WEST, sameer mughal <pcs.same...@gmail.com>
> wrote:
> >Thanks a lot for the reply.
> >
> >However, as per the available SRX datasheet they can manage 300Mbps
> >throughput so why it is showing high CPU in btw 60 to 70 Mbps. This is
>
> --
> Sent from my mobile device, please excuse brevity and typos
>


Re: [j-nsp] SRX - CPU utilization exceeds

2017-09-19 Thread sameer mughal
Thanks a lot for the reply.

However, as per the available SRX datasheet they can manage 300Mbps
throughput so why it is showing high CPU in btw 60 to 70 Mbps. This is a
bit confusing.
I have configured two things one is BGP (routes details mentioned below)
and route map (details mentioned below) and nothing else.


Please review my following remarks below;


On Tue, Sep 19, 2017 at 12:34 PM, Benoit Plessis <b.ples...@doyousoft.com>
wrote:

> On 19/09/2017 at 06:26, sameer mughal wrote:
>
> Hi,
>
> Thanks!
>
> This is SRX Model: srx220h2 - JUNOS Software Release [12.1X46-D35.1] and
> traffic is IP not IPSEC. Traffic is IP BGP and route map also configured.
>
>
> BGP ? With how many routes ? how many peers ?
>
inet.0: 33 destinations, 35 routes (33 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
*Route MAP:*
RM-SO.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

Only one peer configured.

> Traffic is pushing around 70 to 80 Mbps.
>
>
> And in pps ?
> Is it regular or do you have peaks around the high cpu alerts ?
>
> Please advice.
>
> Well ... it depends !
>
>  * Are you ok with the current performances of your setup ?
>  * Is there an increase in traffic in the foreseeable future ?
>  * Have you got some $$$ to replace the firewall ?
>
> I for one would replace it, mostly because doing BGP on such a small SRX
> doesn't seem like a great idea, except if you have only one peer and
> exchange a limited number of routes.
>
>
> On Tue, Sep 19, 2017 at 12:20 AM, Hugo Slabbert <h...@slabnet.com> wrote:
>
>> On Mon 2017-Sep-18 10:07:36 +0200, Benoit Plessis <b.ples...@doyousoft.com> wrote:
>>
>> [..] to external conditions ("attacks" / scan / ..)
>>> [..] it kind of look inadequate to your need.
>>>
>>> Do you have some external monitoring in place with a graphing system to
>>> look after your firewall ?
>>>
>>
>> This can even just be throughput based, especially for flow services as
>> opposed to just packet-mode forwarding.  I've had instances of this from
>> e.g. pushing >50-60 Mbps of IPSEC on SRX100 boxes.
>>
>
> Yes that's one of the "external conditions" i had in mind ! :)
>
>
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] SRX - CPU utilization exceeds

2017-09-18 Thread sameer mughal
Hi,

Thanks!

This is SRX Model: srx220h2 - JUNOS Software Release [12.1X46-D35.1] and
traffic is IP not IPSEC. Traffic is IP BGP and route map also configured.
Traffic is pushing around 70 to 80 Mbps.
Please advice.


On Tue, Sep 19, 2017 at 12:20 AM, Hugo Slabbert <h...@slabnet.com> wrote:

> On Mon 2017-Sep-18 10:07:36 +0200, Benoit Plessis <b.ples...@doyousoft.com>
> wrote:
>
> On 16/09/2017 at 07:48, sameer mughal wrote:
>>
>>> Hi,
>>>
>>> Can anyone please review the mentioned below logs and advice me Is this
>>> issue critical and how can I fix this ?
>>>
>>
>> Well your firewall is alerting that it is regularly out of resources.
>>
>> I would check if it's due to something you do (modifying configuration
>> at this time),
>> or if it's due to external conditions ("attacks" / scan / ..)
>>
>> Depending on that and on the service impact I would try to simplify
>> configuration, update the software
>> or more probably start to look at upgrading the device since it kind of
>> look inadequate to your need.
>>
>> Do you have some external monitoring in place with a graphing system to
>> look after your firewall ?
>>
>
> This can even just be throughput based, especially for flow services as
> opposed to just packet-mode forwarding.  I've had instances of this from
> e.g. pushing >50-60 Mbps of IPSEC on SRX100 boxes.
>
> --
> Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E   | also on Signal
>
>

[j-nsp] SRX - CPU utilization exceeds

2017-09-16 Thread sameer mughal
Hi,

Can anyone please review the mentioned below logs and advice me Is this
issue critical and how can I fix this ?


Model: srx220h2
JUNOS Software Release [12.1X46-D35.1]

Sep 12 06:42:34  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=93
Sep 12 06:42:37  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=85
Sep 12 09:24:17  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=89
Sep 12 09:24:21  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=95
Sep 12 09:52:53  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=90
Sep 12 10:35:32  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=90
Sep 12 11:07:35  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=89
Sep 13 04:41:36  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=87
Sep 13 10:25:12  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=87
Sep 13 10:26:54  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=99
Sep 14 06:19:27  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=92
Sep 15 10:18:53  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=95
Sep 15 12:16:52  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=87
Sep 16 04:39:54  sr-rtr PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=91

==
show chassis routing-engine
Routing Engine status:
Temperature 43 degrees C / 109 degrees F
Total memory  2048 MB Max  1004 MB used ( 49 percent)
  Control plane memory1088 MB Max   392 MB used ( 36 percent)
  Data plane memory960 MB Max   614 MB used ( 64 percent)
CPU utilization:
  User   4 percent
  Background 0 percent
  Kernel 9 percent
  Interrupt  0 percent
  Idle  87 percent
Model  RE-SRX220H2
Serial ID  ACPS8752
Start time 2017-09-07 15:00:58 UTC
Uptime 8 days, 14 hours, 41 minutes, 12 seconds
Last reboot reason 0x1:power cycle/failure
Load averages: 1 minute   5 minute  15 minute
   0.02   0.08   0.08
===

show security monitoring fpc 0
FPC 0
  PIC 0
CPU utilization  :   39 %
Memory utilization   :   64 %
Current flow session : 18000
Current flow session IPv4: 18000
Current flow session IPv6:0
Max flow session : 524288
Total Session Creation Per Second (for last 96 seconds on average):  378
IPv4  Session Creation Per Second (for last 96 seconds on average):  378
IPv6  Session Creation Per Second (for last 96 seconds on average):0
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
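
The RTPERF_CPU_THRESHOLD_EXCEEDED messages in the post above are easier to judge once they are grouped into bursts and per-day peaks that can be lined up against configuration changes or traffic graphs, which is what the replies in this thread ask about. The Python below is an added example, not code from the thread or from Juniper; the sample lines, the host name fw1, the five-minute burst window and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same message format as the thread; one entry is
# wrapped across two lines, as mail clients tend to do, and one line is unrelated.
SAMPLE_LOG = """\
Sep 12 06:42:34  fw1 PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC
0 CPU utilization exceeds threshold, current value=93
Sep 12 06:42:37  fw1 PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=85
Sep 12 06:45:10  fw1 PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=97
Sep 12 09:24:17  fw1 PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=89
Sep 13 10:25:12  fw1 PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=87
Sep 13 10:26:54  fw1 PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=99
Sep 13 10:27:00  fw1 mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
RECORD_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s")
ALERT = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+(?P<host>\S+)\s+PERF_MON:\s+"
    r"RTPERF_CPU_THRESHOLD_EXCEEDED:\s+FPC\s+(?P<fpc>\d+)\s+PIC\s+(?P<pic>\d+)\s+"
    r"CPU utilization exceeds threshold, current value=(?P<value>\d+)")


def unwrap(text):
    """Re-join wrapped records: a line that does not start with a syslog
    timestamp is treated as the continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_alerts(text, year):
    """Return alerts sorted by time. Syslog omits the year, so the caller supplies it."""
    alerts = []
    for rec in unwrap(text):
        m = ALERT.match(rec)
        if not m or m["mon"] not in MONTHS:
            continue  # unrelated message
        try:
            ts = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                          int(m["h"]), int(m["m"]), int(m["s"]))
        except ValueError:
            continue  # impossible date or time, skip the record
        alerts.append({"ts": ts, "host": m["host"], "fpc": int(m["fpc"]),
                       "pic": int(m["pic"]), "value": int(m["value"])})
    return sorted(alerts, key=lambda a: a["ts"])


def group_bursts(alerts, max_gap=timedelta(minutes=5)):
    """Merge alerts separated by at most max_gap into one burst.
    Assumes all alerts come from one device and one FPC/PIC."""
    bursts = []
    for a in alerts:
        if bursts and a["ts"] - bursts[-1]["end"] <= max_gap:
            b = bursts[-1]
            b["end"] = a["ts"]
            b["count"] += 1
            b["peak"] = max(b["peak"], a["value"])
        else:
            bursts.append({"start": a["ts"], "end": a["ts"],
                           "count": 1, "peak": a["value"]})
    return bursts


def daily_summary(alerts):
    """Alert count and peak CPU value per calendar day."""
    days = {}
    for a in alerts:
        d = days.setdefault(a["ts"].date(), {"alerts": 0, "peak": 0})
        d["alerts"] += 1
        d["peak"] = max(d["peak"], a["value"])
    return days


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG, year=2017)
    for b in group_bursts(parsed):
        kind = "sustained" if b["count"] > 1 else "isolated"
        print(f'{b["start"]:%Y-%m-%d %H:%M:%S} -> {b["end"]:%H:%M:%S} '
              f'{kind:9} alerts={b["count"]} peak={b["peak"]}%')
```

The burst start and end times are the windows to compare against commit history, session-rate counters and interface graphs for the same period.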


[j-nsp] st0.13 Interface won't come up - ipsec VPN issue

2017-09-14 Thread sameer mughal
Hi Team,

I disabled the st interface, and now when I try to activate it, it
won't come up, while the remote site's st interface is up.
Can anyone please help me to fix this issue?