There should have been a banner up for the last few weeks detailing changes
that were going to happen May 2 to My Juniper. There may have also been an
email but I don't recall that myself.
http://casemanager.juniper.net is the place to go for your case management
needs now.
On May 2 2020, at 1
Definitely. You can file a report with the “feedback” button on that page and
it will get updated.
> On Dec 19, 2018, at 10:16 AM, Niall Donaghy wrote:
>
> Thanks Saku and Aaron.
>
> My point is KB15585 should be retired if FTP is no longer supported. =)
>
> -Original Message-
> Fro
I thought it was pending shutdown in favor of sftp. But I haven’t been paying
that much attention.
> On Dec 19, 2018, at 8:44 AM, Aaron Gould wrote:
>
> Does juniper's ftp.juniper.net still work ?
>
>
>
> I haven't been able to use it in a few weeks.
>
>
>
> -Aaron
>
>
Hi Adam,
A JSU is a point fix for one particular PR, and is tested against that PR. If
there's any risk for the fix affecting other things, it won't be considered a
JSU candidate and you'll be asked to move to the next SR (or special, i.e. X
release). Thus, testing performed on a JSU is spec
016, at 12:31 PM, Jason Lixfeld wrote:
>
> That’s interesting. I wouldn’t have expected to hear that about Juniper.
>
> Thanks for the insight!
>
>> On Jul 8, 2016, at 2:19 PM, Aaron Dewell wrote:
>>
>>
>> Yes, though there are occasional issues such
t everywhere inside that VRF.
>
>> On Jul 8, 2016, at 1:52 PM, Aaron Dewell wrote:
>>
>>
>> Sorry! I got stuck on SRX. Ignore that lol.
>>
>> So if you’re only putting lo0 into the VRF, then you’ll need some way to
>> route in and out of the VRF t
write it.
> On Jul 8, 2016, at 11:34 AM, Jason Lixfeld wrote:
>
> Sorry, I wasn’t trying to suggest I got an error, it was more of a conceptual
> config paste.
>
> This is on an EX9200, which I don’t think supports security zones?
>
>> On Jul 8, 2016
Did you write those firewall filters that you list? What was the error that
you got?
You’ll have to assign lo0 into a security zone, that might be what’s missing.
“security zones functional-zone management” must be in inet.0. You can do
other zones in a VRF and do in-band management within
say "No route to host" but the routes are
> there.
>
> Thanks.
>
> 2016-07-05 0:07 GMT-03:00 Aaron Dewell :
>>
>> The routes have to exist in the table in order to be available to a policy.
>> So you’ll have to leak them first.
>>
>> An
The routes have to exist in the table in order to be available to a policy. So
you’ll have to leak them first.
Any policy only has access to the routes within its context.
You could route them to discard after they are leaked however. That way, they
still exist even if they are inactive. (
I attempted to make this work on an SRX210 running 12.1X46-D30 with TWC. The
inherent issue was that Junos will only accept multiples of 16 bit-boundaries
as a dhcpv6 client, and /56 (as TWC assigns) is not accepted.
So it’s less about your settings and more about the known PR, assuming that
> On Jun 27, 2016, at 9:16 AM, Hugo Slabbert wrote:
>
>
> On Sun 2016-Jun-26 20:51:41 -0700, Brian Spade wrote:
>
>> Hi Alexandre,
>>
>> Thanks for all the details. I will check with our Juniper team and see
>> what's the latest on A/A vs A/P. For most of our sites, we plan to just
>> use
12:40 PM, Brian Spade wrote:
>
> Hi Aaron,
>
> On Sun, Jun 26, 2016 at 11:19 AM, Aaron Dewell wrote:
> >
> > You are correct - RG0 will always be active/passive. A full control plane
> > failover will always be painful.
You are correct - RG0 will always be active/passive. A full control plane
failover will always be painful.
SRX active/active is more about the interfaces in use. You can arrange for
half of your traffic to prefer FW1 vs. FW2 and achieve active/active in that
way so you’ll take less of a hit
Any DHCP routes appear as access-internal. There may be other reasons but
that’s the most common.
> On Mar 30, 2016, at 5:46 PM, Aaron wrote:
>
> What are these routes (access-internal)? I'm seeing them actually being
> sent over my MPLS L3VPN into my other pe's as /32 routes. very interes
While that may be completely correct (while not completely provable, it is
entirely reasonable to assume it), the immediate question was whether this
particular vulnerability affected JunOS also, or only ScreenOS.
The answer to that more narrow question is that it only affects ScreenOS.
I thin
It's code version dependent. It was raised recently, so if you still see 16
you need to upgrade.
On Oct 29, 2015 5:01 AM, "Cydon Satyr" wrote:
> Hello experts,
>
> Could somebody confirm if 16 is the max number of physical interfaces one
> can have in a LAG on MX? What about MX2020, is it still 1
Yes, the commit will fail if commit check would have also failed. I tend to
use commit check as a check on myself when I’ve done a big cut-and-paste, or
when creating a bunch of objects. The time to fail of commit check is less
than commit if there are discrepancies.
On Sep 28, 2015, at 3:
Apply a filter on lo0.0 which denies traffic from anything but your management
IPs. Or, put a filter on the VR interface denying all traffic destined to that
IP itself.
On Jul 15, 2015, at 10:11 AM, Victor Sudakov wrote:
> Colleagues,
>
> I have customers' networks connected to routing-ins
Ask your local reseller for a quote.
On May 5, 2015, at 2:13 PM, Colton Conor wrote:
> Damien,
>
> Thanks for the links. From the website: Juniper Networks, Inc. requires an
> inspection or a reinstatement fee for all products that were not originally
> purchased, by the then current owner of t
I looked into this once. Support involves a one-time purchase of a contract,
back-dated to when it was last under contract. Depending on how long ago that
was, it may be prohibitive as well.
On May 5, 2015, at 11:00 AM, Raphael Mazelier wrote:
>
> On 05/05/15 18:47, Colton Conor wrote:
>
Have you tried 0/1 and 128/1 instead of 0/0?
That’s also required for backup-router destination as well, so might solve this
problem too.
On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger wrote:
> On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
>> I need to have my vpn clie
What version of code? D10 (frs) had some issues with some cables which is
resolved in more current versions.
Also, if this is 5100 to 4300, make sure you have auto negotiation turned off
on the 4300 (but that would probably fail with a Juniper branded DAC as
well, so unlikely to be the issue).
On Sep
90% sure it's nested tunnels (GRE over IPSec). You cannot do them in a cluster.
If you can get the Cisco side to remove the GRE layer and route directly over
the secure tunnel (have not tried it so I don't know if they can or not), then
it will work (using st0 on the SRX). If you can't, your
I have terminated IPSec tunnels on reth interfaces entirely successfully. I
would think that would work fine in your setup as well. It wasn't amazon, but
it was to other remote SRXs. The ISP in question did terminate on both cluster
members (two drops).
That was on a branch SRX. On the 3
fsck is run automatically every boot. If the automatic fsck fails, it throws
it to the backup partition. So yes, you are correct, but the situation
observed is when that system fails.
On Mar 24, 2014, at 11:04 PM, Victor Sudakov wrote:
> Dear Masood,
>
> Thanks for the link to the KB article
The local username will be by default "remote" but you can return the TACACS
version of a Vendor-Specific Attribute in order to specify something different
per-user. That local username then must exist on the router and all users
which have that VSA returned will be mapped to that local user.
The route is known via some source, and therefore the destination is reachable.
I've never known the source of the route to matter for the peer address on any
platform.
If you want it to go down, you can try the ttl knob to force it down if it's
taking a longer path.
On Mar 17, 2014, at 12:5
I can verify that if a VLAN is both named as a member and as a native-vlan-id,
then it will accept traffic both tagged and untagged on that port for that
VLAN. However, traffic will only be sent tagged. That can break some things
(for example APs) which might work during boot but the loaded c
I don't know if I'd call them issues. Just ELS introduces different
configuration hierarchies that is the way things will be in the future. The
functionality is still there even if the config bits change some.
The main advantage of the 4300 vs. 4200 is 4x10G uplinks instead of 2, and 40G
QSF
It's a name change. vlan is now irb. It depends on platform, but the newer
ones use irb instead of vlan.
So it doesn't work with vlan.103 because the vlan interface physically does not
exist. But you can configure nonexistent interfaces in JunOS.
On Feb 18, 2014, at 9:44 PM, Janusz Wełna wr
reth interfaces are for failover not for bundle. You can use two LAGs within a
reth interface (multiple interface on a single node in a LAG) but not across
both. It's up (probably) because you aren't running LACP. If you turn on
LACP, then various links will be down. I'm going to guess that
Depending on how you have your redundancy groups set up, only the active
links will be active at any given time. That means that the MXs won't see
two links active, they will see one each. So you should have two
adjacencies on the SRX and one on each MX in this scenario.
LACP would only be useful
That's a pretty normal configuration so I wouldn't expect any issues.
Load balancing over both connections is another story entirely and doesn't
matter the exact platform. You can find a large volume of
books/websites/opinions on BGP load balancing out there. It's not exactly a
trivial subje
Depends if there are other communities attached besides vpls-z. The first
example would retain all of those.
If that's the only community on the route, then, in that case, they are the
same.
On Oct 31, 2013, at 1:53 PM, Mihai wrote:
> Aren't these 2 policies the same thing?
>
>
> policy-st
Hey all,
Got a conflict here and hoping someone has some ideas on this. We have 1:1
static nat for a server, but that server also needs to communicate over a
policy-based VPN. If this VPN were route-based, there'd be no problem.
The VPN works for this server if I remove the static NAT so e
It depends how careful you want to be about it. Multipath and adding the
peer as you've described will get you half traffic on each immediately
which is fine assuming the circuit is good, etc.
If it were me, I'd probably bring up the new one with a different policy
(same group, policy under the ne
Mine do it automatically. I've never set anything to make them do that.
On Jul 10, 2013, at 9:08 AM, Mark Felder wrote:
> Is there some way to make a j2320 auto power on when power is restored? I
> can't seem to successfully find this on Google
You could do this over CCC on an MPLS core for sure (take the whole port not
logical interfaces). If your core is q-in-q though, you can configure your
customer vlans as a range instead of a single number. That potentially creates
issues if multiple customers on the same SVLAN are using the s
There are two usable ips and no broadcast or network address. One device
can have .0 and the other one .1.
On May 1, 2013 8:56 AM, "Murphy, Jay, DOH" wrote:
> 10.8.0.1/31 What are the useable IPs. What is the broadcast and network
> address in this subnetwork?
>
>
> Thanks.
>
>
Insert doesn't create it, it re-orders existing policies. IMHO it's
confusingly named.
So you create the policy using set (which puts it at the end) then you use
insert to re-order it in the position you want.
On May 1, 2013 8:32 AM, "James S. Smith" wrote:
> I have an SRX240 running 11.1R2.3, a
That seems like it should work. Note that you'd need a policy in place
from/to the same zone to allow this traffic. Even intrazone traffic is
denied by default on an SRX. I suspect that might be the issue here.
On May 1, 2013 8:49 AM, "Bruce Buchanan" wrote:
> Hi List –
>
>
> Can a
I have a cx111 which I use when the primary connection goes down. I'm
using usb tethering from my phone which works only if you're willing to
constantly mess with it. I wouldn't recommend that setup.
However, I have a customer using the non rebadged cx111 (aka cradlepoint
cba750) with the paired
I use this for backup connectivity on dynamic endpoints and they are quite
happy. One end must be fixed (which I assume is yours).
Their configuration:
set security ike gateway gateway-name local-identity inet their-vpn-ip-address
set security ike gateway gateway-name remote-identity inet your
A reth interface is essentially an aggregated ethernet interface except only
half are active at any one time. So the difference is (almost, practically)
zero.
As to loopback termination, I've not actually tried it. I believe (without
trying or any actual data) that it requires the actual phy
IIRC, it's possible but not recommended due to the reliability issue of the
switch in between. In your situation, I'd probably give it a shot.
Definitely use different VLANs for control and fabric.
Aaron
On Apr 2, 2013, at 10:47 AM, Mike Williams wrote:
> Hey all,
>
> So I've been reading th
You'll also need a policy which allows traffic from trust to trust, i.e.:
set security policies from-zone trust to-zone trust match source-address any
set security policies from-zone trust to-zone trust match destination-address any
set security policies from-zone trust to-zone trust match proto
On Mar 12, 2013, at 7:44 PM, Aaron Dewell wrote:
>
> Quick question for you all (I'm sure I'm doing something dumb here).
>
> I had this working config:
> […]
>
>
> That was working. Now I want to be able to get to the CX111's management
> VLAN,
Quick question for you all (I'm sure I'm doing something dumb here).
I had this working config:
routing-instances {
    ISP {
        instance-type virtual-router;
        interface ge-0/0/0.0;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
I tried ISSU twice, both times on 3 MX routers during a single maintenance
window, going from 10.x to 11.x. It failed spectacularly on the second router,
requiring manual recovery via the console (mastership was not assumed by the
backup before the primary rebooted), so I completely gave up on
Not that I've had to do it - but I'd probably break the cluster to do the
upgrade and run on one during the procedure.
On Mar 8, 2013, at 10:50 AM, Andy Litzinger wrote:
> We're evaluating SRX clusters as replacements for our aging ASAs FO pairs in
> various places in our network including th
Hello all,
I thought maybe more than a few might have used VB before and might know the
answer to this. In my lab, I have this setup:
SRX100 cluster EX2200-C Mac Mini host running Lion and VB VMs
I'm trying to do BGP from the cluster to the VMs, but the current step is just
pi
Sounds like a Xen bridge issue, but I have no definitive experience or reason
other than that's the only thing in the path which might block it. Strange
that it would pass an arp for a ping but not for SSH. Should be the same arp
off the switch either way.
On Jan 30, 2013, at 5:41 PM, Luca S
Not true. Logical interfaces are allocated to logical systems, not physical
interfaces. No problem with what you're doing.
On Jan 24, 2013 4:28 AM, "Skeeve Stevens" wrote:
> Hey all,
>
> I want to build this scenario.
>
> 2 * MX80, with a trunk between then.
>
> On the trunk (as an example) there
Actually, you have to do that on an MX also. By default, the virtual IP will
not accept anything destined for it (such as pings) unless you enable
accept-data. The "real" IP of the interface will respond, but not the shared
address.
Now, I have seen hokey setups before where people had confi
Hello all,
So I have this hub-and-spoke multipoint VPN on various SRX240 firewalls. It's
working generally, the problem is with the dynamic endpoints. When they shift
IP addresses, the hub won't allow them to connect anymore because of the old
state from the prior IP address.
Is this someth
On Nov 29, 2012, at 12:53 AM, Tore Anderson wrote:
> * Aaron Dewell
>
>> I haven't found an answer to this question (except for Cisco options
>> which doesn't help me). I want to configure a static route to a DHCP
>> interface on an SRX240. Here's the
Hey all,
I haven't found an answer to this question (except for Cisco options which
doesn't help me). I want to configure a static route to a DHCP interface on an
SRX240. Here's the scenario:
ge-0/0/0 connected to CX111 (4G modem/DHCP)
t1-0/1/0 connected to an L3VPN (with BGP)
st0.0 should c
On Jul 24, 2012, at 2:04 PM, Wayne Tucker wrote:
> On Tue, Jul 24, 2012 at 12:36 PM, Aaron Dewell wrote:
>> Yes, Type Transit (2). However, the Network LSA only includes 3 attached
>> routers (should be 6 currently). There are two Network LSAs in R7. One has
>> the in
On Jul 24, 2012, at 4:56 AM, Wayne Tucker wrote:
> On Mon, Jul 23, 2012 at 11:02 PM, Aaron Dewell wrote:
>> I ran into an odd behavior here tonight, I'm hoping someone has some ideas.
>> We have 8 routers on a broadcast OSPF segment. All are advertising their
>> l
Hi all,
I ran into an odd behavior here tonight, I'm hoping someone has some ideas. We
have 8 routers on a broadcast OSPF segment. All are advertising their loopback
addresses (amongst other things). I'll call this R1 to R8 for now. Their IP
addresses on this shared segment are 192.168.0.1
Hi all,
Quick question for you all. Is it possible to define static routes within a
VRF on a PE router that specify different P routers as next-hops? These are
2547 VPNs, BGP signaled etc.
The first hop signaling is LDP, thereafter enters an RSVP LSP.
Quick and dirty diagram:
1.1.1.1 ---
> and again depending on the ISP. As far as I know there hasn't been a
> feature to tweak the TTL for dhcp discover requests.
>
> I hope this helps,
> -Tim Eberhard
>
> On Mon, May 28, 2012 at 5:29 PM, Aaron Dewell wrote:
>>
>> Hi all,
>>
>> I
Hi all,
I've been having a problem with an SRX210 connected to a Wildblue satellite
modem (Surfbeam 2 if it matters). This is DHCP which appears to be proxied by
the modem. There are a couple of different states, but neither work:
Case 1: No ARP entry for the DHCP default route (forwarding t
I have observed this on both an SRX240 and SRX210H. JTAC advised turning
off UTM and IDP (on the 210), yet those were enabled before with no issues. The
240 was fresh out of the box getting initial config (IP, NAT, zones,
policies, i.e. nothing amazing).
I'll be waiting to see the answers too!
On May
For the flexibility of however they want to do it, I'd suggest CCC and just
take the whole port over the network. There are two disadvantages to that plan
however. One is that it's point to point only, the second is that it's not
supported on Cisco.
L2vpn (kompella) with encapsulation CCC
Have you tried knobs such as:
loose-authentication-check
level X no-csnp-authentication
level X no-psnp-authentication
The second two sound like what you might be looking for. I have no CRS thus no
further ideas...
Aaron
On Mar 7, 2012, at 7:53 PM, John Neiberger wrote:
> I'm pretty new to J
I haven't tried it, but all the docs I read on it suggested that configured
VC ports acted as more ports, not replacements. On our EXs, the normal VC
ports are still available even though we use two 10g for VC. However, we
aren't using them so I can't confirm... But pretty sure it should work.
On
Sure. Everything is actually routed hop-by-hop. As you've observed, that's a
serious obstacle to multihop eBGP.
Most uses I've seen involve crossing a non-BGP router to a customer, and
redistributing whatever the customer advertises into their IGP. Klunky for
sure, but it does work.
Aaron