SRX IPSEC VPN to UTM-1 Edge N


Intro


Good news everybody, we got IPSEC between SRX and Checkpoint.

 

On Checkpoint side


 

Click on VPN sites tab

click on New Site

Select Site-to-Site VPN

Enter the VPN Gateway

Select Route Based VPN

Enter Tunnel Local and Remote IP addresses.

Select Shared Secret

Enter a Pre shared Key

Enter Phase 1 & Phase 2 Details

Check the Connect Straight

Enter Site’s name.

VPN site created.

Trying to contact the VPN site.

 

Checking traffic logs.

Adding an extra rule.

 

 

On SRX Side


  • Remote Network: 172.16.0.1 255.240.0.0 = /12 (DMZ TEST-OLDNET)
  • Tunnel IP address: 10.12.12.10
set interfaces st0 unit 1 family inet address 10.12.12.10/24
set routing-options static route 172.16.0.0/12 next-hop st0.1
#set security zones security-zone UNTRUST interfaces reth0.104 host-inbound-traffic system-services ike
set security zones security-zone ZONE_TUNNEL_TO_OLDNET interfaces st0.1
#set security address-book book1 address NEWNET_TEST 10.128.100.0/24
#set security address-book book1 attach zone TEST_ZONE
set security address-book book2 address OLDNET_TEST_DMZ 172.16.0.0/12
set security address-book book2 attach zone ZONE_TUNNEL_TO_OLDNET
 
#Phase 1 Proposal 
set security ike proposal ike-phase1-proposal-OLDNET authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal-OLDNET dh-group group2
set security ike proposal ike-phase1-proposal-OLDNET authentication-algorithm sha1
set security ike proposal ike-phase1-proposal-OLDNET encryption-algorithm aes-128-cbc


#Phase 1 Policy
set security ike policy ike-P1-policy-OLDNET-TEST-DMZ mode main
set security ike policy ike-P1-policy-OLDNET-TEST-DMZ proposals ike-phase1-proposal-OLDNET
set security ike policy ike-P1-policy-OLDNET-TEST-DMZ pre-shared-key ascii-text "Juniper1"

#Phase 1 Gateway
set security ike gateway IKE-GW-OLDNET-TEST-DMZ external-interface reth0.104
set security ike gateway IKE-GW-OLDNET-TEST-DMZ ike-policy ike-P1-policy-OLDNET-TEST-DMZ
set security ike gateway IKE-GW-OLDNET-TEST-DMZ address 94.225.234.80
 
#Phase 2 Proposal
set security ipsec proposal ipsec-phase2-proposal-OLDNET protocol esp
set security ipsec proposal ipsec-phase2-proposal-OLDNET authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal-OLDNET encryption-algorithm aes-128-cbc

#Phase 2 Policy
set security ipsec policy ipsec-phase2-policy-OLDNET proposals ipsec-phase2-proposal-OLDNET
set security ipsec policy ipsec-phase2-policy-OLDNET perfect-forward-secrecy keys group2

#Phase 2 VPN
set security ipsec vpn IKE-VPN-OLDNET-TEST-DMZ ike gateway IKE-GW-OLDNET-TEST-DMZ
set security ipsec vpn IKE-VPN-OLDNET-TEST-DMZ ike ipsec-policy ipsec-phase2-policy-OLDNET
set security ipsec vpn IKE-VPN-OLDNET-TEST-DMZ bind-interface st0.1
 
#Policy
set security policies from-zone TEST_ZONE to-zone ZONE_TUNNEL_TO_OLDNET policy VPN-TEST-OLDNET_TEST_DMZ match source-address NEWNET_TEST
set security policies from-zone TEST_ZONE to-zone ZONE_TUNNEL_TO_OLDNET policy VPN-TEST-OLDNET_TEST_DMZ match destination-address OLDNET_TEST_DMZ
set security policies from-zone TEST_ZONE to-zone ZONE_TUNNEL_TO_OLDNET policy VPN-TEST-OLDNET_TEST_DMZ match application any
set security policies from-zone TEST_ZONE to-zone ZONE_TUNNEL_TO_OLDNET policy VPN-TEST-OLDNET_TEST_DMZ then permit
set security policies from-zone ZONE_TUNNEL_TO_OLDNET to-zone TEST_ZONE policy VPN-OLDNET_TEST_DMZ-TEST match source-address OLDNET_TEST_DMZ
set security policies from-zone ZONE_TUNNEL_TO_OLDNET to-zone TEST_ZONE policy VPN-OLDNET_TEST_DMZ-TEST match destination-address NEWNET_TEST
set security policies from-zone ZONE_TUNNEL_TO_OLDNET to-zone TEST_ZONE policy VPN-OLDNET_TEST_DMZ-TEST match application any
set security policies from-zone ZONE_TUNNEL_TO_OLDNET to-zone TEST_ZONE policy VPN-OLDNET_TEST_DMZ-TEST then permit

 

SRX to Netscreen IPSEC VPN


 

General design


 

On ssg5


set zone name ZONE_TUNNEL_TO_NEWNET
set interface tunnel.1 zone ZONE_TUNNEL_TO_NEWNET
set interface tunnel.1 ip 10.11.11.11/24
set flow tcp-mss 1350
set address Trust "192.168.12-net" 192.168.12.0 255.255.255.0
set address ZONE_TUNNEL_TO_NEWNET "10.128.100-net" 10.128.100.0 255.255.255.0
set ike gateway NEWNET-IKE address 94.225.233.18 Main outgoing-interface ethernet0/0 preshare 395psksecr3t sec-level standard
set vpn NEWNET-vpn gateway NEWNET-IKE replay tunnel idletime 0 sec-level standard
set vpn NEWNET-vpn monitor optimized rekey
set vpn NEWNET-vpn bind interface tunnel.1
#set policy from Trust to Untrust "ANY" "ANY" "ANY" nat src permit
set policy from Trust to ZONE_TUNNEL_TO_NEWNET "192.168.12-net" "10.128.100-net" "ANY" permit
set policy from ZONE_TUNNEL_TO_NEWNET to Trust "10.128.100-net" "192.168.12-net" "ANY" permit
set route 10.128.100.0/24 interface tunnel.1
#set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1

example

set zone name vpn-chicago
set interface ethernet0/6 zone Trust
set interface ethernet0/0 zone Untrust
set interface tunnel.1 zone vpn-chicago
set interface ethernet0/6 ip 192.168.168.1/24
set interface ethernet0/6 route
set interface ethernet0/0 ip 2.2.2.2/30
set interface ethernet0/0 route
set interface tunnel.1 ip 10.11.11.11/24
set flow tcp-mss 1350
set address Trust "192.168.168-net" 192.168.168.0 255.255.255.0
set address vpn-chicago "10.10.10-net" 10.10.10.0 255.255.255.0
set ike gateway corp-ike address 1.1.1.2 Main outgoing-interface ethernet0/0 preshare 395psksecr3t sec-level standard
set vpn corp-vpn gateway corp-ike replay tunnel idletime 0 sec-level standard
set vpn corp-vpn monitor optimized rekey
set vpn corp-vpn bind interface tunnel.1
set policy from Trust to Untrust "ANY" "ANY" "ANY" nat src permit
set policy from Trust to vpn-chicago "192.168.168-net" "10.10.10-net" "ANY" permit
set policy from vpn-chicago to Trust "10.10.10-net" "192.168.168-net" "ANY" permit
set route 10.10.10.0/24 interface tunnel.1
set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1

On SRX


 

set interfaces st0 unit 0 family inet address 10.11.11.10/24
set routing-options static route 192.168.12.0/24 next-hop st0.0
set security zones security-zone UNTRUST interfaces reth0.104 host-inbound-traffic system-services ike
set security zones security-zone ZONE_TUNNEL_TO_OLDNET interfaces st0.0
set security address-book book1 address NEWNET_TEST 10.128.100.0/24
set security address-book book1 attach zone TEST_ZONE
set security address-book book2 address OLDNET_PROD 192.168.12.0/24
set security address-book book2 attach zone ZONE_TUNNEL_TO_OLDNET






set security ike proposal ike-phase1-proposal-OLDNET authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal-OLDNET dh-group group2
set security ike proposal ike-phase1-proposal-OLDNET authentication-algorithm sha1
set security ike proposal ike-phase1-proposal-OLDNET encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy-OLDNET mode main
set security ike policy ike-phase1-policy-OLDNET proposals ike-phase1-proposal-OLDNET
set security ike policy ike-phase1-policy-OLDNET pre-shared-key ascii-text "395psksecr3t"
set security ike gateway IKE-GW-OLDNET external-interface reth0.104
set security ike gateway IKE-GW-OLDNET ike-policy ike-phase1-policy-OLDNET
set security ike gateway IKE-GW-OLDNET address 94.225.239.70


set security ipsec proposal ipsec-phase2-proposal-OLDNET protocol esp
set security ipsec proposal ipsec-phase2-proposal-OLDNET authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal-OLDNET encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy-OLDNET proposals ipsec-phase2-proposal-OLDNET
set security ipsec policy ipsec-phase2-policy-OLDNET perfect-forward-secrecy keys group2
set security ipsec vpn IKE-VPN-OLDNET ike gateway IKE-GW-OLDNET
set security ipsec vpn IKE-VPN-OLDNET ike ipsec-policy ipsec-phase2-policy-OLDNET
set security ipsec vpn IKE-VPN-OLDNET bind-interface st0.0


set security policies from-zone TEST_ZONE to-zone ZONE_TUNNEL_TO_OLDNET policy VPN-TEST-OLDNET match source-address NEWNET_TEST
set security policies from-zone TEST_ZONE to-zone ZONE_TUNNEL_TO_OLDNET policy VPN-TEST-OLDNET match destination-address OLDNET_PROD
set security policies from-zone TEST_ZONE to-zone ZONE_TUNNEL_TO_OLDNET policy VPN-TEST-OLDNET match application any
set security policies from-zone TEST_ZONE to-zone ZONE_TUNNEL_TO_OLDNET policy VPN-TEST-OLDNET then permit
set security policies from-zone ZONE_TUNNEL_TO_OLDNET to-zone TEST_ZONE policy VPN-OLDNET-TEST match source-address OLDNET_PROD
set security policies from-zone ZONE_TUNNEL_TO_OLDNET to-zone TEST_ZONE policy VPN-OLDNET-TEST match destination-address NEWNET_TEST
set security policies from-zone ZONE_TUNNEL_TO_OLDNET to-zone TEST_ZONE policy VPN-OLDNET-TEST match application any
set security policies from-zone ZONE_TUNNEL_TO_OLDNET to-zone TEST_ZONE policy VPN-OLDNET-TEST then permit
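Before the SAs in the output below can come up, the ssg5 and SRX sides have to agree on Phase 1, Phase 2, the pre-shared key and the tunnel subnet. As an added cross-check that is not part of the original post, this Python script parses the relevant lines of both configs from the post and reports any mismatch; it assumes the ScreenOS "standard" sec-level expands to pre-g2-aes128-sha / pre-g2-3des-sha for Phase 1 and g2-esp-aes128-sha / g2-esp-3des-sha for Phase 2, as documented for ScreenOS.

```python
import ipaddress
import re

# Lines copied from the two configs in this post (SRX side and ssg5 side).
SRX_CONFIG = """
set interfaces st0 unit 0 family inet address 10.11.11.10/24
set security ike proposal ike-phase1-proposal-OLDNET authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal-OLDNET dh-group group2
set security ike proposal ike-phase1-proposal-OLDNET authentication-algorithm sha1
set security ike proposal ike-phase1-proposal-OLDNET encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy-OLDNET mode main
set security ike policy ike-phase1-policy-OLDNET pre-shared-key ascii-text "395psksecr3t"
set security ike gateway IKE-GW-OLDNET address 94.225.239.70
set security ipsec proposal ipsec-phase2-proposal-OLDNET protocol esp
set security ipsec proposal ipsec-phase2-proposal-OLDNET authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal-OLDNET encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy-OLDNET perfect-forward-secrecy keys group2
"""

SSG_CONFIG = """
set interface tunnel.1 ip 10.11.11.11/24
set ike gateway NEWNET-IKE address 94.225.233.18 Main outgoing-interface ethernet0/0 preshare 395psksecr3t sec-level standard
set vpn NEWNET-vpn gateway NEWNET-IKE replay tunnel idletime 0 sec-level standard
"""

# ScreenOS predefined proposal sets written in Junos vocabulary. Assumption: the
# "standard" sec-level is pre-g2-aes128-sha / pre-g2-3des-sha for Phase 1 and
# g2-esp-aes128-sha / g2-esp-3des-sha for Phase 2 (ScreenOS documentation).
SCREENOS_P1_SETS = {
    "standard": {("group2", "aes-128-cbc", "sha1"), ("group2", "3des-cbc", "sha1")},
}
SCREENOS_P2_SETS = {
    "standard": {("group2", "aes-128-cbc", "hmac-sha1-96"),
                 ("group2", "3des-cbc", "hmac-sha1-96")},
}

SRX_PATTERNS = [
    (r"set interfaces st0 unit \d+ family inet address (\S+)", "tunnel_ip"),
    (r"set security ike proposal \S+ (\S+) (\S+)", "p1"),
    (r"set security ike policy \S+ mode (\S+)", "mode"),
    (r'set security ike policy \S+ pre-shared-key ascii-text "?([^"\s]+)"?', "psk"),
    (r"set security ike gateway \S+ address (\S+)", "peer"),
    (r"set security ipsec proposal \S+ (\S+) (\S+)", "p2"),
    (r"set security ipsec policy \S+ perfect-forward-secrecy keys (\S+)", "pfs"),
]


def parse_srx(text):
    """Flatten the Junos 'set' commands into a dict: proposal attributes become
    p1_<attr> / p2_<attr>, the rest keep the key named in SRX_PATTERNS."""
    cfg = {}
    for line in text.splitlines():
        for pattern, key in SRX_PATTERNS:
            m = re.match(pattern, line.strip())
            if not m:
                continue
            if key in ("p1", "p2"):
                cfg[f"{key}_{m.group(1)}"] = m.group(2)
            else:
                cfg[key] = m.group(1)
    return cfg


def parse_screenos(text):
    """Pull tunnel IP, peer, IKE mode, PSK and both sec-level names out of the
    ScreenOS 'set interface tunnel', 'set ike gateway' and 'set vpn' commands."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"set interface tunnel\.\d+ ip (\S+)", line)
        if m:
            cfg["tunnel_ip"] = m.group(1)
        m = re.match(r"set ike gateway \S+ address (\S+) (\S+) outgoing-interface \S+ "
                     r"preshare (\S+) sec-level (\S+)", line)
        if m:
            cfg.update(peer=m.group(1), mode=m.group(2).lower(),
                       psk=m.group(3), p1_level=m.group(4))
        m = re.match(r"set vpn \S+ gateway \S+ .*sec-level (\S+)", line)
        if m:
            cfg["p2_level"] = m.group(1)
    return cfg


def check_interop(srx, ssg):
    """Return the list of mismatches between the two sides; an empty list means
    the Phase 1 / Phase 2 parameters, PSK and tunnel subnet line up."""
    findings = []
    if srx.get("psk") != ssg.get("psk"):
        findings.append("pre-shared keys differ")
    if srx.get("p1_authentication-method") != "pre-shared-keys":
        findings.append("SRX Phase 1 proposal does not use pre-shared keys")
    if srx.get("mode") != ssg.get("mode"):
        findings.append(f"IKE mode differs: SRX {srx.get('mode')}, SSG {ssg.get('mode')}")
    p1 = (srx.get("p1_dh-group"), srx.get("p1_encryption-algorithm"),
          srx.get("p1_authentication-algorithm"))
    if p1 not in SCREENOS_P1_SETS.get(ssg.get("p1_level"), set()):
        findings.append(f"Phase 1 {p1} not in SSG sec-level {ssg.get('p1_level')}")
    p2 = (srx.get("pfs"), srx.get("p2_encryption-algorithm"),
          srx.get("p2_authentication-algorithm"))
    if srx.get("p2_protocol") != "esp" or p2 not in SCREENOS_P2_SETS.get(ssg.get("p2_level"), set()):
        findings.append(f"Phase 2 {p2} not in SSG sec-level {ssg.get('p2_level')}")
    # Route-based VPN: st0.0 and tunnel.1 must be distinct hosts in one subnet
    # for the static routes pointing at the tunnel interfaces to make sense.
    a = ipaddress.ip_interface(srx.get("tunnel_ip", "0.0.0.0/32"))
    b = ipaddress.ip_interface(ssg.get("tunnel_ip", "0.0.0.0/32"))
    if a.network != b.network or a.ip == b.ip:
        findings.append(f"tunnel addresses {a} and {b} are not distinct hosts of one subnet")
    return findings


if __name__ == "__main__":
    for f in check_interop(parse_srx(SRX_CONFIG), parse_screenos(SSG_CONFIG)) or ["OK"]:
        print(f)
```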

 

root@srxC-1# run show security ike security-associations
node0:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
7440602 UP     e3f142e66ad6aeb1  f751a20000e06b21  Main           94.225.239.70

{primary:node0}[edit]
root@srxC-1# run show security ipsec security-associations
node0:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  131073 ESP:aes-cbc-128/sha1 a5bf0e96 3579/ unlim - root 500 94.225.239.70

{primary:node0}[edit]
root@srxC-1#

ping test

root@srxC-1# run ping 10.11.11.11 interface st0.0
PING 10.11.11.11 (10.11.11.11): 56 data bytes
^C
--- 10.11.11.11 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

{primary:node0}[edit]
root@srxC-1# run ping 10.11.11.11 interface st0.0 source 10.11.11.10
PING 10.11.11.11 (10.11.11.11): 56 data bytes
^C
--- 10.11.11.11 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

{primary:node0}[edit]
root@srxC-1# run ping 10.11.11.11 interface st0.0 source 10.128.100.1
PING 10.11.11.11 (10.11.11.11): 56 data bytes
^C
--- 10.11.11.11 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

{primary:node0}[edit]
root@srxC-1# run ping 192.168.12.10 interface st0.0 source 10.128.100.1
PING 192.168.12.10 (192.168.12.10): 56 data bytes
64 bytes from 192.168.12.10: icmp_seq=0 ttl=63 time=15.091 ms
64 bytes from 192.168.12.10: icmp_seq=1 ttl=63 time=10.259 ms
^C
--- 192.168.12.10 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.259/12.675/15.091/2.416 ms

{primary:node0}[edit]
root@srxC-1#

Check Phase 1 & Phase 2 details, clear ipsec associations.


 

root@srxC-1> show security ike security-associations detail
node0:
--------------------------------------------------------------------------
IKE peer 94.225.239.70, Index 7440602, Gateway Name: IKE-GW-OLDNET
  Role: Responder, State: UP
  Initiator cookie: e3f142e66ad6aeb1, Responder cookie: f751a20000e06b21
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 94.225.233.18:500, Remote: 94.225.239.70:500
  Lifetime: Expires in 19479 seconds
  Peer ike-id: 94.225.239.70
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 3560
   Output bytes  :                 3492
   Input  packets:                   17
   Output packets:                   19
  Flags: IKE SA is created
  IPSec security associations: 7 created, 3 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 94.225.233.18:500, Remote: 94.225.239.70:500
    Local identity: 94.225.233.18
    Remote identity: 94.225.239.70
    Flags: IKE SA is created


{primary:node0}
root@srxC-1> show security ipsec security-associations detail
node0:
--------------------------------------------------------------------------
  ID: 131073 Virtual-system: root, VPN Name: IKE-VPN-OLDNET
  Local Gateway: 94.225.233.18, Remote Gateway: 94.225.239.70
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 7, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Last Tunnel Down Reason: Cleared via CLI
    Direction: inbound, SPI: 4d5289ca, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3507 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2928 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a5bf0e9c, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3507 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2928 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64


{primary:node0}
root@srxC-1> clear security ipsec security-associations

 

References


Netscreen Rollback

Example: Configure a route based VPN

Netscreen Config before Ipsec tunnel configuration on command line


Get Zone


 

ssg5-fw-> get zone
Total 14 zones created in vsys Root - 8 are policy configurable.
Total policy configurable zones for Root is 8.
------------------------------------------------------------------------
  ID Name                             Type    Attr    VR          Default-IF   VSYS
   0 Null                             Null    Shared untrust-vr   serial0/0    Root
   1 Untrust                          Sec(L3) Shared trust-vr     ethernet0/0  Root
   2 Trust                            Sec(L3)        trust-vr     bgroup0      Root
   3 DMZ                              Sec(L3)        trust-vr     ethernet0/1  Root
   4 Self                             Func           trust-vr     self         Root
   5 MGT                              Func           trust-vr     null         Root
   6 HA                               Func           trust-vr     null         Root
  10 Global                           Sec(L3)        trust-vr     null         Root
  11 V1-Untrust                       Sec(L2) Shared trust-vr     v1-untrust   Root
  12 V1-Trust                         Sec(L2) Shared trust-vr     v1-trust     Root
  13 V1-DMZ                           Sec(L2) Shared trust-vr     v1-dmz       Root
  14 VLAN                             Func    Shared trust-vr     vlan1        Root
  15 V1-Null                          Sec(L2) Shared trust-vr     l2v          Root
  16 Untrust-Tun                      Tun            trust-vr     hidden.1     Root
------------------------------------------------------------------------

 

Get Interface


 

ssg5-fw-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
serial0/0      0.0.0.0/0                         Null        N/A               -   D   -
eth0/0         94.225.239.70/20                  Untrust     0023.9c3f.9e00    -   U   -
eth0/1         0.0.0.0/0                         DMZ         0023.9c3f.9e05    -   D   -
eth0/5         172.20.66.2/30                    Trust       0023.9c3f.9e09    -   D   -
eth0/6         172.20.77.2/30                    Trust       0023.9c3f.9e0a    -   D   -
bgroup0        192.168.12.1/24                   Trust       0023.9c3f.9e0b    -   U   -
  eth0/2       N/A                               N/A         N/A               -   U   -
  eth0/3       N/A                               N/A         N/A               -   U   -
  eth0/4       N/A                               N/A         N/A               -   D   -
bgroup1        0.0.0.0/0                         Null        0023.9c3f.9e0c    -   D   -
bgroup2        0.0.0.0/0                         Null        0023.9c3f.9e0d    -   D   -
bgroup3        0.0.0.0/0                         Null        0023.9c3f.9e0e    -   D   -
loopback.1     192.168.2.1/32                    Trust       N/A               -   U   -
loopback.2     192.168.2.2/32                    Trust       N/A               -   U   -
vlan1          0.0.0.0/0                         VLAN        0023.9c3f.9e0f    1   D   -
null           0.0.0.0/0                         Null        N/A               -   U   -

 

Get flow


 

ssg5-fw-> get flow
flow action flag: 0055
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets is not set
flow change tcp mss option for outbound vpn packets = 1350
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Log auth dropped packet disabled
Allow dns reply pkt without matched request : NO
Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : NO
Check TCP SYN bit before create session : NO
Check TCP SYN bit before create session for tunneled packets : YES
Enable the strict SYN check: NO
Allow naked tcp reset pass through firewall: NO
Use Hub-and-Spoke policies for Untrust MIP traffic that loops on same interface
Check  unknown mac flooding : YES
Skip sequence number check in stateful inspection : YES
Drop embedded ICMP : NO
ICMP path mtu discovery : NO
ICMP time exceeded : NO
TCP RST invalidates session immediately : NO
Force packet fragment reassembly : NO
flow log info: 0.0.0.0/0->0.0.0.0/0,0
flow initial session timeout: 20 seconds
flow session cleanup time: 2 seconds
early ageout setting:
	high watermark = 100 (8064 sessions)
	low watermark  = 100 (8064 sessions)
	early ageout   = 2
	RST seq. chk OFF
MAC cache for management traffic: OFF
Fix tunnel outgoing interface: OFF
session timeout on route change is not set
reverse route setting:
	clear-text or first packet going into tunnel: prefer reverse route (default)
	first packet from tunnel: always reverse route (default)
Close session when receive ICMP error packet: YES
Passing through only one ICMP error packet: NO
Flow caches route and arp: YES, miss rate 27%
flow tcp session notification tuning value is 65536

 

Get Address book


 

ssg5-fw->  get address
Total 20 addresses and 0 user groups in security zone address books of vsys "Root".

addr zone name Trust
Trust Addresses:
Name                 Address/Mask                    Flag  Comments
192.168.10.8/32      192.168.10.8/255.255.255.255    0200
192.168.12.10/32     192.168.12.10/255.255.255.255   0200
Any                  0.0.0.0/0.0.0.0                 0202  All Addr
Dial-Up VPN          255.255.255.255/255.255.255.255 0202  Dial-Up VPN Addr

addr zone name Untrust
Untrust Addresses:
Name                 Address/Mask                    Flag  Comments
8.8.8.8/32           8.8.8.8/255.255.255.255         0201
Any                  0.0.0.0/0.0.0.0                 0202  All Addr
Dial-Up VPN          255.255.255.255/255.255.255.255 0202  Dial-Up VPN Addr

addr zone name Global
Global Addresses:
Name                 Address/Mask                    Flag  Comments
Any                  0.0.0.0/0.0.0.0                 0202  All Addr
DIP(ethernet0/0)     94.225.239.70/255.255.255.255   0210  ethernet0/0
VIP(ethernet0/0)     94.225.239.70/255.255.255.255   0210

addr zone name V1-Null
V1-Null Addresses:
Name                 Address/Mask                    Flag  Comments
Any                  0.0.0.0/0.0.0.0                 0202  All Addr
Dial-Up VPN          255.255.255.255/255.255.255.255 0202  Dial-Up VPN Addr

addr zone name V1-Trust
V1-Trust Addresses:
Name                 Address/Mask                    Flag  Comments
Any                  0.0.0.0/0.0.0.0                 0202  All Addr
Dial-Up VPN          255.255.255.255/255.255.255.255 0202  Dial-Up VPN Addr

addr zone name V1-Untrust
V1-Untrust Addresses:
Name                 Address/Mask                    Flag  Comments
Any                  0.0.0.0/0.0.0.0                 0202  All Addr
Dial-Up VPN          255.255.255.255/255.255.255.255 0202  Dial-Up VPN Addr

addr zone name DMZ
DMZ Addresses:
Name                 Address/Mask                    Flag  Comments
Any                  0.0.0.0/0.0.0.0                 0202  All Addr
Dial-Up VPN          255.255.255.255/255.255.255.255 0202  Dial-Up VPN Addr

addr zone name V1-DMZ
V1-DMZ Addresses:
Name                 Address/Mask                    Flag  Comments
Any                  0.0.0.0/0.0.0.0                 0202  All Addr
Dial-Up VPN          255.255.255.255/255.255.255.255 0202  Dial-Up VPN Addr

 

Get ike


 

 

ssg5-fw-> get ike ?
accept-all-proposal  Show IKE proposal acceptance policy
ca-and-type          Supported CA(s) and cert type(s)
cert                 Currently Supported Certificates
conn-entry           Show conn entry table
cookies              Show cookie table
gateway              Show IKE Gateway table
heartbeat            get IKE heartbeat protocol parameters
id-mode              Show id Info
ikeid-enumeration    Show info of anti IKE ID emueration attack
ikev2                Show IKE v2 info
initial-contact      Send initial contact
initiator-set-commit set commit bit when initiate
member-sa-hold-time  get hold time for dialup group member sa
p1-max-dialgrp-sessions get allowed concurrent p1 negotiation for dialup group
p1-proposal          Show IKE Phase 1 Proposal
p1-sec-level         Show IKE predefined Phase 1 Proposal sets
p2-proposal          Show IKE Phase 2 Proposal
p2-sec-level         Show IKE predefined Phase 2 Proposal sets
policy-checking      Show peer policy checking status
respond-bad-spi      Respond to Bad Spi
responder-set-commit set commit bit when respond
soft-lifetime-buffer IPsec soft lifetime buffer
ssg5-fw-> get ike gateway
 Id  Name            Gateway Address Gateway ID      Mode Proposals
---- --------------- --------------- --------------- ---- ---------
  Total Gateways: 0 (0 including dynamic peers)
user with ASN1_DN type ID sort list:

 

 

Get VPN


 

 

ssg5-fw-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
  Total Auto VPN: 0
  Total Pure Transport Mode IPSEC VPN: 0

Name       Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID
---------- --------------- --------------- -------- -------- ---------------- ------- ----------
Total Manual VPN 0
ssg5-fw-> get pol
policy               show policy
ssg5-fw-> get policy
Total regular policies 5, Default deny, Software based policy search, new policy enabled.
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
     3 Untrust  Untrust  Any          VIP(etherne~ HTTPS                Permit enabled ---XXX
     2 Trust    Untrust  192.168.12.~ 8.8.8.8/32   DNS                  Permit enabled ----XX
     1 Trust    Untrust  Any          Any          ANY                  Permit enabled ---XXX
     4 Trust    Trust    Any          Any          ANY                  Permit enabled ---XXX
     5 Untrust  Trust    Any          VIP(etherne~ HTTPS                Permit enabled ---XXX

 

get route


 

 

ssg5-fw-> get route


IPv4 Dest-Routes for  (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route


IPv4 Dest-Routes for  (15 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*       245          0.0.0.0/0         eth0/0    94.225.224.1   C    0      1     Root
*         2   94.225.239.70/32         eth0/0         0.0.0.0   H    0      0     Root
*        15      172.21.0.0/24        bgroup0    192.168.12.7   S   20      1     Root
*         8    192.168.12.1/32        bgroup0         0.0.0.0   H    0      0     Root
*        10     192.168.2.2/32     loopback.2         0.0.0.0   C    0      0     Root
*         9     192.168.2.1/32     loopback.1         0.0.0.0   C    0      0     Root
*        14     10.128.10.0/24        bgroup0    192.168.12.7  SP   20      1     Root
*         7    192.168.12.0/24        bgroup0         0.0.0.0   C    0      0     Root
*        12    192.168.10.0/24        bgroup0    192.168.12.7  SP   20      1     Root
*         1    94.225.224.0/20         eth0/0         0.0.0.0   C    0      0     Root
*        11      172.16.0.0/12        bgroup0    192.168.12.7  SP   20      1     Root
          5     172.20.77.0/30         eth0/6         0.0.0.0   C    0      0     Root
          6     172.20.77.2/32         eth0/6         0.0.0.0   H    0      0     Root
          4     172.20.66.2/32         eth0/5         0.0.0.0   H    0      0     Root
          3     172.20.66.0/30         eth0/5         0.0.0.0   C    0      0     Root

 

 

Before the Ipsec tunnel configuration


 

ssg5-fw-> get config
Total Config size 7528:
unset key protection enable
set clock ntp
set clock timezone 0
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
set protocol ospf
set enable
set advertise-def-route metric 251 metric-type 1
exit
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nADTAPn"
set admin user "netadmin1" password "nIRG97n" privilege "all"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/5" zone "Trust"
set interface "ethernet0/6" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface "loopback.1" zone "Trust"
set interface "loopback.2" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
unset interface vlan1 ip
set interface ethernet0/0 ip 94.225.239.70/20
set interface ethernet0/0 route
set interface ethernet0/5 ip 172.20.66.2/30
set interface ethernet0/5 route
set interface ethernet0/6 ip 172.20.77.2/30
set interface ethernet0/6 route
set interface bgroup0 ip 192.168.12.1/24
set interface bgroup0 nat
set interface loopback.1 ip 192.168.2.1/32
set interface loopback.1 nat
set interface loopback.2 ip 192.168.2.2/32
set interface loopback.2 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/5 ip manageable
set interface ethernet0/6 ip manageable
set interface bgroup0 ip manageable
set interface loopback.1 ip manageable
set interface loopback.2 ip manageable
unset interface ethernet0/5 manage ssh
unset interface ethernet0/5 manage snmp
unset interface ethernet0/5 manage ssl
unset interface ethernet0/6 manage telnet
unset interface ethernet0/6 manage snmp
unset interface ethernet0/6 manage ssl
set interface bgroup0 manage mtrace
set interface ethernet0/0 vip interface-ip 443 "HTTPS" 192.168.12.8
set interface ethernet0/0 dhcp client enable
set interface ethernet0/0 dip interface-ip incoming
set interface bgroup0 dip 4 192.168.12.250 192.168.12.254
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain telenet.be
set hostname ssg5-fw
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 192.168.12.10 src-interface bgroup0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "192.168.10.8/32" 192.168.10.8 255.255.255.255
set address "Trust" "192.168.12.10/32" 192.168.12.10 255.255.255.255
set address "Untrust" "8.8.8.8/32" 8.8.8.8 255.255.255.255
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 3 name "SSL VPN" from "Untrust" to "Untrust"  "Any" "VIP(ethernet0/0)" "HTTPS" permit log count
set policy id 3
exit
set policy id 2 name "NO DNS LOG to google" from "Trust" to "Untrust"  "192.168.12.10/32" "8.8.8.8/32" "DNS" permit count
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log count
set policy id 1
exit
set policy id 4 name "trust2trust" from "Trust" to "Trust"  "Any" "Any" "ANY" permit log count
set policy id 4
exit
set policy id 5 name "NAT TO SSL" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "HTTPS" nat dst ip 192.168.12.8 permit log count
set policy id 5
exit
set syslog config "192.168.12.229"
set syslog config "192.168.12.229" facilities local0 local0
set syslog config "192.168.12.229" log traffic
set syslog src-interface bgroup0
set syslog enable
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
unset ssl enable
set ssl port 4433
set ntp server "1.be.pool.ntp.org"
set snmp community "public" Read-Only Trap-on traffic version any
set snmp host "public" 172.16.2.2/32 src-interface bgroup0  trap v2
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0162062009000098"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set access-list 1
set access-list 1 permit ip 192.168.10.0/24 2
set access-list 3
set access-list 3 permit ip 0.0.0.0/0 1
set route-map name "REDIS-TR-ROUTE" permit 1
set match ip 1
exit
set route-map name "REDIS-DEFAULT" permit 2
set match ip 3
exit
unset add-default-route
set route 172.16.0.0/12 interface bgroup0 gateway 192.168.12.7 permanent
set route 192.168.10.0/24 interface bgroup0 gateway 192.168.12.7 permanent
set route 10.128.10.0/24 interface bgroup0 gateway 192.168.12.7 permanent
set route 172.21.0.0/24 gateway 172.20.77.1
set protocol ospf
set redistribute route-map "REDIS-DEFAULT" protocol static
exit
exit
set interface bgroup0 protocol ospf area 0.0.0.0
set interface bgroup0 protocol ospf enable
set interface bgroup0 protocol ospf cost 1
set interface ethernet0/5 protocol ospf area 0.0.0.0
set interface ethernet0/5 protocol ospf enable
set interface ethernet0/5 protocol ospf cost 1
set interface ethernet0/6 protocol ospf area 0.0.0.0
set interface ethernet0/6 protocol ospf enable
set interface ethernet0/6 protocol ospf cost 1
set interface loopback.1 protocol ospf area 0.0.0.0
set interface loopback.1 protocol ospf enable
set interface loopback.1 protocol ospf cost 1
set interface loopback.2 protocol ospf area 0.0.0.0
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
ssg5-fw->
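
Added example, not part of the SSG5 dump above or of ScreenOS itself: a Python pass over a few of the `set` lines above that flags what a reviewer would question in a firewall config of this shape. It parses the `set policy id` lines into zones, addresses, service and action and reports the Any/Any/ANY permit policies (ids 1 and 4), the permit policy without `log` (id 2, named "NO DNS LOG to google" on purpose, so the finding is a prompt to confirm that), the default SNMP community `public` accepted with `version any` (SNMPv1 as well as v2c), and the enabled telnet client. The sample lines are copied from the dump; the rule names and the `Finding` type are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: ScreenOS "set" lines copied from the SSG5 dump above, so
# the checks run on the real shape of the syntax.
SAMPLE_CONFIG = """\
set policy id 3 name "SSL VPN" from "Untrust" to "Untrust"  "Any" "VIP(ethernet0/0)" "HTTPS" permit log count
set policy id 2 name "NO DNS LOG to google" from "Trust" to "Untrust"  "192.168.12.10/32" "8.8.8.8/32" "DNS" permit count
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log count
set policy id 4 name "trust2trust" from "Trust" to "Trust"  "Any" "Any" "ANY" permit log count
set policy id 5 name "NAT TO SSL" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "HTTPS" nat dst ip 192.168.12.8 permit log count
set ssh version v2
set ssh enable
set telnet client enable
unset ssl enable
set snmp community "public" Read-Only Trap-on traffic version any
set snmp host "public" 172.16.2.2/32 src-interface bgroup0  trap v2
set ntp server "1.be.pool.ntp.org"
"""

# One "set policy id N ..." line: optional name, the two zones, then source,
# destination and service in quotes. Everything after the service (nat, permit,
# log, count) is kept in "rest" for the action checks.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)(?: name "(?P<name>[^"]*)")?'
    r' from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)"\s+'
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)"(?P<rest>.*)$'
)


@dataclass(frozen=True)
class Finding:
    rule: str   # rule names are this example's own labels, not ScreenOS terms
    line: str


def check_policy(line, p):
    """Findings for one parsed policy (p is POLICY_RE's groupdict)."""
    actions = p["rest"].split()
    out = []
    if "permit" in actions and (p["src"], p["dst"], p["svc"]) == ("Any", "Any", "ANY"):
        out.append(Finding("any-any-permit", line))
    if "permit" in actions and "log" not in actions:
        out.append(Finding("permit-without-log", line))
    return out


def audit(config):
    """Return the list of Findings for a ScreenOS config given as text."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            findings.extend(check_policy(line, m.groupdict()))
            continue
        if line.startswith('set snmp community "public"'):
            findings.append(Finding("snmp-default-community", line))
        if line.startswith("set snmp community") and line.endswith("version any"):
            # "version any" accepts SNMPv1 as well as v2c for this community
            findings.append(Finding("snmp-v1-accepted", line))
        if line == "set telnet client enable":
            findings.append(Finding("telnet-client-enabled", line))
    return findings


def summary(config):
    """Rule name -> number of lines that triggered it."""
    return Counter(f.rule for f in audit(config))


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.rule:24} {f.line}")
```

Run it as a script to print the findings, or pass a full `get config` dump to `audit()`; lines that are not policy, SNMP or telnet statements are ignored, and the `set policy id N` / `exit` pairs that follow each policy in the dump do not match the policy pattern and are skipped.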

EDU-JUN-JTNOC-12.B: LAB 4 : Monitoring Hardware and Environmental Conditions

Step 1.6 chassis routing engine

root@srxC-1> show chassis routing-engine
node0:
--------------------------------------------------------------------------
Routing Engine status:
    Temperature                 47 degrees C / 116 degrees F
    Total memory              1024 MB Max   676 MB used ( 66 percent)
      Control plane memory     544 MB Max   424 MB used ( 78 percent)
      Data plane memory        480 MB Max   254 MB used ( 53 percent)
    CPU utilization:
      User                       6 percent
      Background                 0 percent
      Kernel                     8 percent
      Interrupt                  0 percent
      Idle                      86 percent
    Model                          RE-SRX220H
    Serial ID                      AAEX6001
    Start time                     2017-06-01 20:50:18 CEST
    Uptime                         1 day, 22 hours, 12 minutes, 32 seconds
    Last reboot reason             0x200:normal shutdown
    Load averages:                 1 minute   5 minute  15 minute
                                       0.03       0.11       0.09

node1:
--------------------------------------------------------------------------
Routing Engine status:
    Temperature                 44 degrees C / 111 degrees F
    Total memory              1024 MB Max   604 MB used ( 59 percent)
      Control plane memory     544 MB Max   354 MB used ( 65 percent)
      Data plane memory        480 MB Max   254 MB used ( 53 percent)
    CPU utilization:
      User                       3 percent
      Background                 0 percent
      Kernel                     5 percent
      Interrupt                  0 percent
      Idle                      92 percent
    Model                          RE-SRX220H
    Serial ID                      AAEY8619
    Start time                     2017-06-01 22:43:31 CEST
    Uptime                         1 day, 22 hours, 12 minutes, 1 second
    Last reboot reason             0x200:normal shutdown
    Load averages:                 1 minute   5 minute  15 minute
                                       0.14       0.10       0.04

{primary:node0}
root@srxC-1>

Step 1.7 show system storage

root@srxC-1> show system storage node 0
node0:
--------------------------------------------------------------------------
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/ad0s1a             293M       148M       122M       55%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/md0                 20M       978K        17M        5%  /junos
/cf/packages            293M       148M       122M       55%  /junos/cf/packages
devfs                   1.0K       1.0K         0B      100%  /junos/cf/dev
/cf/usr                 293M       148M       122M       55%  /junos/cf/usr
/cf/boot                293M       148M       122M       55%  /junos/cf/boot
/dev/md1                412M       412M         0B      100%  /junos
/cf                      20M       978K        17M        5%  /junos/cf
devfs                   1.0K       1.0K         0B      100%  /junos/dev/
/cf/packages            293M       148M       122M       55%  /junos/cf/packages1
/cf/boot                293M       148M       122M       55%  /junos/cf/boot
/cf/usr                 293M       148M       122M       55%  /junos/cf/usr1
procfs                  4.0K       4.0K         0B      100%  /proc
/dev/bo0s3e              24M        20K        22M        0%  /config
/dev/bo0s3f             343M       6.3M       310M        2%  /cf/var
/dev/md2                168M        19M       136M       12%  /mfs
/cf/var/jail            343M       6.3M       310M        2%  /jail/var
/cf/var/log             343M       6.3M       310M        2%  /jail/var/log
devfs                   1.0K       1.0K         0B      100%  /jail/dev
/dev/md3                 39M       4.0K        36M        0%  /mfs/var/run/utm
/dev/md4                1.8M       4.0K       1.7M        0%  /jail/mfs

node 1

root@srxC-1> show system storage node 1
node1:
--------------------------------------------------------------------------
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/ad0s1a             595M       148M       399M       27%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/md0                 20M       976K        17M        5%  /junos
/cf/packages            595M       148M       399M       27%  /junos/cf/packages
devfs                   1.0K       1.0K         0B      100%  /junos/cf/dev
/cf/usr                 595M       148M       399M       27%  /junos/cf/usr
/cf/boot                595M       148M       399M       27%  /junos/cf/boot
/dev/md1                412M       412M         0B      100%  /junos
/cf                      20M       976K        17M        5%  /junos/cf
devfs                   1.0K       1.0K         0B      100%  /junos/dev/
/cf/packages            595M       148M       399M       27%  /junos/cf/packages1
/cf/boot                595M       148M       399M       27%  /junos/cf/boot
/cf/usr                 595M       148M       399M       27%  /junos/cf/usr1
procfs                  4.0K       4.0K         0B      100%  /proc
/dev/bo0s3e              47M        20K        43M        0%  /config
/dev/bo0s3f             594M       6.3M       540M        1%  /cf/var
/dev/md2                168M        28M       126M       18%  /mfs
/cf/var/jail            594M       6.3M       540M        1%  /jail/var
/cf/var/log             594M       6.3M       540M        1%  /jail/var/log
devfs                   1.0K       1.0K         0B      100%  /jail/dev
/dev/md3                 39M       4.0K        36M        0%  /mfs/var/run/utm
/dev/md4                1.8M       4.0K       1.7M        0%  /jail/mfs

{primary:node0}
root@srxC-1>

Step 1.9

root@srxC-1% dd if=/dev/md0 of=/dev/null bs=1m
20+0 records in
20+0 records out
20971520 bytes transferred in 0.119340 secs (175729261 bytes/sec)
root@srxC-1%

Part 2: Viewing Boot and System Logs

Step 2.1

root@srxC-1> request system reboot in 20
Reboot the system in 20? [yes,no] (no) yes

Shutdown at Sat Jun  3 19:28:59 2017.
[pid 7832]

{primary:node0}
root@srxC-1>
*** System shutdown message from root@srxC-1 ***

System going down at 19:28

Step 2.2

root@srxC-1> clear system reboot
reboot requested by root at Sat Jun  3 19:28:59 2017
[process id 7832]
Terminating...

{primary:node0}
root@srxC-1>

Step 2.4 show system boot-messages

root@srxC-1> show system boot-messages | no-more
node0:
--------------------------------------------------------------------------
kld_map_v: 0x8ff80000, kld_map_p: 0x0
Copyright (c) 1996-2016, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
JUNOS 12.1X46-D65.4 #0: 2016-12-30 01:34:30 UTC
    builder@quoarth.juniper.net:/volume/build/junos/12.1/service/12.1X46-D65.4/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
JUNOS 12.1X46-D65.4 #0: 2016-12-30 01:34:30 UTC
    builder@quoarth.juniper.net:/volume/build/junos/12.1/service/12.1X46-D65.4/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
real memory  = 1073741824 (1024MB)
avail memory = 509661184 (486MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
Security policy loaded: JUNOS MAC/pcap (mac_pcap)
Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
netisr_init: !debug_mpsafenet, forcing maxthreads from 2 to 1
cpu0 on motherboard
: CAVIUM's OCTEON 5020 CPU Rev. 0.1 with no FPU implemented
        L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.
        L2 Cache: Size 128kb, 8 way
obio0 on motherboard
uart0:  on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
dwc0:  on obio0
usb0:  on dwc0
usb0: USB revision 2.0
uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2
uhub1: single transaction translator
uhub1: 3 ports with 2 removable, self powered
cpld0 on obio0
pcib0:  on obio0
Disabling Octeon big bar support
PCI Status: PCI 32-bit: 0xc041b
pcib0: Initialized controller
pci0:  on pcib0
pci0:  at device 1.0 (no driver attached)
atapci0:  port 0x8-0xb,0x10-0x17,0x18-0x1b,0x20-0x2f mem 0x8020000-0x80200ff irq 0 at device 2.0 on pci0
ata2:  on atapci0
ata3:  on atapci0
gblmem0 on obio0
octpkt0:  on obio0
cfi0: <AMD/Fujitsu - 8MB> on obio0
Timecounter "mips" frequency 700000000 Hz quality 0
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
ad0: Device does not support APM
ad0: 1006MB  at ata2-master WDMA2
Trying to mount root from ufs:/dev/ad0s1a

node1:
--------------------------------------------------------------------------
kld_map_v: 0x8ff80000, kld_map_p: 0x0
Copyright (c) 1996-2016, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
JUNOS 12.1X46-D65.4 #0: 2016-12-30 01:34:30 UTC
    builder@quoarth.juniper.net:/volume/build/junos/12.1/service/12.1X46-D65.4/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
JUNOS 12.1X46-D65.4 #0: 2016-12-30 01:34:30 UTC
    builder@quoarth.juniper.net:/volume/build/junos/12.1/service/12.1X46-D65.4/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
real memory  = 1073741824 (1024MB)
avail memory = 509661184 (486MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
Security policy loaded: JUNOS MAC/pcap (mac_pcap)
Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
netisr_init: !debug_mpsafenet, forcing maxthreads from 2 to 1
cpu0 on motherboard
: CAVIUM's OCTEON 5020 CPU Rev. 0.1 with no FPU implemented
        L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.
        L2 Cache: Size 128kb, 8 way
obio0 on motherboard
uart0:  on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
dwc0:  on obio0
usb0:  on dwc0
usb0: USB revision 2.0
uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2
uhub1: single transaction translator
uhub1: 3 ports with 2 removable, self powered
cpld0 on obio0
pcib0:  on obio0
Disabling Octeon big bar support
PCI Status: PCI 32-bit: 0xc041b
pcib0: Initialized controller
pci0:  on pcib0
pci0:  at device 1.0 (no driver attached)
atapci0:  port 0x8-0xb,0x10-0x17,0x18-0x1b,0x20-0x2f mem 0x8020000-0x80200ff irq 0 at device 2.0 on pci0
ata2:  on atapci0
ata3:  on atapci0
gblmem0 on obio0
octpkt0:  on obio0
cfi0: <AMD/Fujitsu - 8MB> on obio0
Timecounter "mips" frequency 700000000 Hz quality 0
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
ad0: Device does not support APM
ad0: 1923MB  at ata2-master UDMA100
Trying to mount root from ufs:/dev/ad0s1a
ad0: WARNING - WRITE_DMA ABORT error (retrying request) LBA=9087
ad0: WARNING - WRITE_DMA ABORT error (retrying request) LBA=9087
ad0: WARNING - WRITE_DMA ABORT error (retrying request) LBA=9087
ad0: WARNING - WRITE_DMA UDMA ICRC error(falling back to PIO mode) LBA=9087

Step 2.5

root@srxC-1> show system uptime
node0:
--------------------------------------------------------------------------
Current time: 2017-06-03 19:11:10 CEST
System booted: 2017-06-01 20:50:27 CEST (1d 22:20 ago)
Protocols started: 2017-06-01 20:53:26 CEST (1d 22:17 ago)
Last configured: 2017-06-03 18:58:30 CEST (00:12:40 ago) by root
 7:11PM  up 1 day, 22:21, 2 users, load averages: 0.13, 0.11, 0.08

node1:
--------------------------------------------------------------------------
Current time: 2017-06-03 21:03:44 CEST
System booted: 2017-06-01 22:43:31 CEST (1d 22:20 ago)
Last configured: 2017-06-03 20:50:51 CEST (00:12:53 ago) by root
 9:03PM  up 1 day, 22:20, 0 users, load averages: 0.00, 0.03, 0.02

{primary:node0}
root@srxC-1>

Step 2.6

root@srxC-1> show log messages | match "Jun  1" | last
Jun  1 19:58:19  srxC-1 init: hostname-caching-process (PID 0) started
Jun  1 19:58:19  srxC-1 init: security-intelligence (PID 2588) started
Jun  1 19:58:19  srxC-1 init: can not access /usr/sbin/ipmid: No such file or directory
Jun  1 19:58:19  srxC-1 init: ipmi (PID 0) started
Jun  1 19:58:19  srxC-1 init: security-intelligence (PID 2588) exited with status=0 Normal Exit
Jun  1 19:58:19  srxC-1 init: security-intelligence (PID 2590) started
Jun  1 19:58:20  srxC-1 init: remote-operations (PID 2585) terminated by signal number 1!
Jun  1 19:58:20  srxC-1 init: remote-operations (PID 2591) started
Jun  1 19:58:21  srxC-1 init: l2cpd-service (PID 2586) exited with status=0 Normal Exit
Jun  1 19:58:21  srxC-1 init: l2cpd-service (PID 2592) started
Jun  1 19:58:25  srxC-1 init: security-intelligence (PID 2590) exited with status=0 Normal Exit
Jun  1 19:58:25  srxC-1 init: security-intelligence (PID 2595) started
Jun  1 19:58:27  srxC-1 init: l2cpd-service (PID 2592) exited with status=0 Normal Exit
Jun  1 19:58:27  srxC-1 init: l2cpd-service (PID 2596) started
Jun  1 19:58:30  srxC-1 init: security-intelligence (PID 2595) exited with status=0 Normal Exit
Jun  1 19:58:30  srxC-1 init: security-intelligence (PID 2598) started
Jun  1 19:58:32  srxC-1 init: l2cpd-service (PID 2596) exited with status=0 Normal Exit
Jun  1 19:58:32  srxC-1 init: l2cpd-service (PID 2600) started
Jun  1 19:58:35  srxC-1 init: security-intelligence (PID 2598) exited with status=0 Normal Exit
Jun  1 19:58:35  srxC-1 init: security-intelligence is thrashing, not restarted
Jun  1 19:58:38  srxC-1 init: l2cpd-service (PID 2600) exited with status=0 Normal Exit
Jun  1 19:58:38  srxC-1 init: l2cpd-service is thrashing, not restarted
Jun  1 20:31:04  srxC-1 init: ntp (PID 3627) started
Jun  1 20:31:04  srxC-1 init: l2cpd-service (PID 3628) started
Jun  1 22:31:04  srxC-1 init: can not access /usr/sbin/hostname-cached: No such file or directory
Jun  1 22:31:04  srxC-1 init: hostname-caching-process (PID 0) started
Jun  1 22:31:04  srxC-1 init: security-intelligence (PID 3630) started
Jun  1 22:31:04  srxC-1 init: can not access /usr/sbin/ipmid: No such file or directory
Jun  1 22:31:04  srxC-1 init: ipmi (PID 0) started
Jun  1 22:31:05  srxC-1 init: security-intelligence (PID 3630) exited with status=0 Normal Exit
Jun  1 22:31:05  srxC-1 init: security-intelligence (PID 3632) started
Jun  1 22:31:07  srxC-1 init: l2cpd-service (PID 3628) exited with status=0 Normal Exit
Jun  1 22:31:07  srxC-1 init: l2cpd-service (PID 3634) started
Jun  1 22:31:10  srxC-1 init: security-intelligence (PID 3632) exited with status=0 Normal Exit
Jun  1 22:31:10  srxC-1 init: security-intelligence (PID 3637) started
Jun  1 22:31:12  srxC-1 init: l2cpd-service (PID 3634) exited with status=0 Normal Exit
Jun  1 22:31:12  srxC-1 init: l2cpd-service (PID 3638) started
Jun  1 22:31:15  srxC-1 init: security-intelligence (PID 3637) exited with status=0 Normal Exit
Jun  1 22:31:15  srxC-1 init: security-intelligence (PID 3641) started
Jun  1 22:31:18  srxC-1 init: l2cpd-service (PID 3638) exited with status=0 Normal Exit
Jun  1 22:31:18  srxC-1 init: l2cpd-service (PID 3642) started
Jun  1 22:31:20  srxC-1 init: security-intelligence (PID 3641) exited with status=0 Normal Exit
Jun  1 22:31:20  srxC-1 init: security-intelligence is thrashing, not restarted
Jun  1 22:31:23  srxC-1 init: l2cpd-service (PID 3642) exited with status=0 Normal Exit
Jun  1 22:31:23  srxC-1 init: l2cpd-service is thrashing, not restarted

Step 2.7

root@srxC-1> show log messages | match "Jun  1" | match reboot
Jun  1 18:49:19   shutdown: reboot by root:

Part 3: Monitoring the Chassis and Environment

Step 3.1 chassis temperature thresholds

root@srxC-1> show chassis temperature-thresholds
node0:
--------------------------------------------------------------------------
                           Fan speed      Yellow alarm      Red alarm      Fire Shutdown
                          (degrees C)      (degrees C)     (degrees C)      (degrees C)
Item                     Normal  High   Normal  Bad fan   Normal  Bad fan     Normal
Chassis default              48    54       65       55       75       65       90
Routing Engine               48    54       65       55       75       65       90

node1:
--------------------------------------------------------------------------
                           Fan speed      Yellow alarm      Red alarm      Fire Shutdown
                          (degrees C)      (degrees C)     (degrees C)      (degrees C)
Item                     Normal  High   Normal  Bad fan   Normal  Bad fan     Normal
Chassis default              48    54       65       55       75       65       90
Routing Engine               48    54       65       55       75       65       90

{primary:node0}
root@srxC-1>

Step 3.2 environment

root@srxC-1> show chassis environment
node0:
--------------------------------------------------------------------------
Class Item                           Status     Measurement
Temp  Routing Engine                 OK         47 degrees C / 116 degrees F
      Routing Engine CPU             Absent
Fans  SRX220 Chassis fan 0           OK         Spinning at normal speed
      SRX220 Chassis fan 1           OK         Spinning at normal speed
Power Power Supply 0                 OK

node1:
--------------------------------------------------------------------------
Class Item                           Status     Measurement
Temp  Routing Engine                 OK         44 degrees C / 111 degrees F
      Routing Engine CPU             Absent
Fans  SRX220 Chassis fan 0           OK         Spinning at normal speed
      SRX220 Chassis fan 1           OK         Spinning at normal speed
Power Power Supply 0                 OK

{primary:node0}

Step 3.3 chassis alarms

root@srxC-1> show chassis alarms
node0:
--------------------------------------------------------------------------
No alarms currently active

node1:
--------------------------------------------------------------------------
No alarms currently active

{primary:node0}
root@srxC-1>
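
Step 1.6 gave the routing-engine temperature and memory figures, Step 3.1 the thresholds the chassis applies to them, and Step 3.2 the fan state that decides which threshold column counts. As an added example, not part of the lab or of Junos, the Python below parses the two outputs copied from above and reports where each node sits: 47 and 44 degrees C against the 54 (fan high), 65 (yellow), 75 (red) and 90 (fire shutdown) columns, or the 55/65 bad-fan columns when `fans_ok=False`. The 80 percent control-plane memory limit is an arbitrary local baseline for the example, not a Junos threshold, and the `fan-high` label is the example's own.

```python
import re

# Constructed sample: the two routing-engine blocks from "show chassis
# routing-engine" (Step 1.6) and the threshold table from
# "show chassis temperature-thresholds" (Step 3.1), copied from the output above.
RE_STATUS_SAMPLE = """\
node0:
--------------------------------------------------------------------------
Routing Engine status:
    Temperature                 47 degrees C / 116 degrees F
    Total memory              1024 MB Max   676 MB used ( 66 percent)
      Control plane memory     544 MB Max   424 MB used ( 78 percent)
      Data plane memory        480 MB Max   254 MB used ( 53 percent)
    CPU utilization:
      Idle                      86 percent

node1:
--------------------------------------------------------------------------
Routing Engine status:
    Temperature                 44 degrees C / 111 degrees F
    Total memory              1024 MB Max   604 MB used ( 59 percent)
      Control plane memory     544 MB Max   354 MB used ( 65 percent)
      Data plane memory        480 MB Max   254 MB used ( 53 percent)
    CPU utilization:
      Idle                      92 percent
"""

THRESHOLDS_SAMPLE = """\
Item                     Normal  High   Normal  Bad fan   Normal  Bad fan     Normal
Chassis default              48    54       65       55       75       65       90
Routing Engine               48    54       65       55       75       65       90
"""

FIELDS = {
    "temp_c": re.compile(r"^\s*Temperature\s+(\d+) degrees C"),
    "mem_pct": re.compile(r"^\s*Total memory.*\(\s*(\d+) percent\)"),
    "ctrl_mem_pct": re.compile(r"^\s*Control plane memory.*\(\s*(\d+) percent\)"),
    "data_mem_pct": re.compile(r"^\s*Data plane memory.*\(\s*(\d+) percent\)"),
    "idle_pct": re.compile(r"^\s*Idle\s+(\d+) percent"),
}

# Column order of the threshold table: fan speed (normal, high), yellow alarm
# (normal, bad fan), red alarm (normal, bad fan), fire shutdown.
THRESHOLD_COLUMNS = ("fan_normal", "fan_high", "yellow", "yellow_bad_fan",
                     "red", "red_bad_fan", "fire_shutdown")


def parse_routing_engine(text):
    """{'node0': {'temp_c': 47, ...}, 'node1': {...}} from the per-node output."""
    nodes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(node\d+):", line)
        if m:
            current = m.group(1)
            nodes[current] = {}
            continue
        if current is None:
            continue
        for key, pat in FIELDS.items():
            m = pat.match(line)
            if m:
                nodes[current][key] = int(m.group(1))
    return nodes


def parse_thresholds(text, item="Routing Engine"):
    """Threshold row for one item of the table, keyed by THRESHOLD_COLUMNS."""
    row = re.compile(rf"^{re.escape(item)}\s+((?:\d+\s+){{6}}\d+)\s*$")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            return dict(zip(THRESHOLD_COLUMNS, map(int, m.group(1).split())))
    raise ValueError(f"no threshold row for {item!r}")


def classify_temperature(temp_c, th, fans_ok=True):
    """Alarm state at temp_c; the bad-fan columns apply when fans_ok is False."""
    yellow = th["yellow"] if fans_ok else th["yellow_bad_fan"]
    red = th["red"] if fans_ok else th["red_bad_fan"]
    if temp_c >= th["fire_shutdown"]:
        return "fire-shutdown"
    if temp_c >= red:
        return "red"
    if temp_c >= yellow:
        return "yellow"
    if temp_c >= th["fan_high"]:
        return "fan-high"   # fans go to high speed, no alarm yet (label is this example's own)
    return "ok"


def baseline_report(status_text, thresholds_text, fans_ok=True, mem_limit_pct=80):
    """Per-node report; mem_limit_pct is an arbitrary local limit, not a Junos threshold."""
    th = parse_thresholds(thresholds_text)
    report = {}
    for node, f in parse_routing_engine(status_text).items():
        report[node] = {
            **f,
            "temperature": classify_temperature(f["temp_c"], th, fans_ok),
            "control_plane_memory": "over-limit" if f["ctrl_mem_pct"] > mem_limit_pct else "ok",
        }
    return report


if __name__ == "__main__":
    for node, r in baseline_report(RE_STATUS_SAMPLE, THRESHOLDS_SAMPLE).items():
        print(node, r)
```

With the figures above both nodes come out `ok` on temperature and memory; lowering `mem_limit_pct` to 75 flags node0's 78 percent control-plane usage, which is the kind of knob a baseline exercise is meant to settle on.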

EDU-JUN-JTNOC-12.B: LAB 3: Using Monitoring Tools and Establishing a Baseline

Step 1.5

root@srxC-1> show interfaces terse ge* | except down
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   aenet    --> reth1.0
ge-0/0/3                up    up
ge-0/0/3.100            up    up   aenet    --> reth0.100
ge-0/0/3.101            up    up   aenet    --> reth0.101
ge-0/0/3.102            up    up   aenet    --> reth0.102
ge-0/0/3.103            up    up   aenet    --> reth0.103
ge-0/0/3.104            up    up   aenet    --> reth0.104
ge-0/0/3.32767          up    up   aenet    --> reth0.32767
ge-0/0/4                up    up
ge-0/0/4.100            up    up   aenet    --> reth0.100
ge-0/0/4.101            up    up   aenet    --> reth0.101
ge-0/0/4.102            up    up   aenet    --> reth0.102
ge-0/0/4.103            up    up   aenet    --> reth0.103
ge-0/0/4.104            up    up   aenet    --> reth0.104
ge-0/0/4.32767          up    up   aenet    --> reth0.32767
ge-0/0/5                up    up
ge-0/0/5.0              up    up   aenet    --> fab0.0
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-3/0/5                up    up
ge-3/0/5.0              up    up   aenet    --> fab1.0
ge-3/0/6                up    up
ge-3/0/7                up    up
root@srxC-1> show interfaces terse ret* | match inet | except down
reth0.100               up    up   inet     10.128.100.1/24
reth0.101               up    up   inet     10.128.101.1/24
reth0.102               up    up   inet     10.128.102.1/24
reth0.104               up    up   inet     94.225.233.18/20
reth1.0                 up    up   inet     10.128.10.137/24

Step 1.6

root@srxC-1> show chassis craft-interface node 0
node0:
--------------------------------------------------------------------------
Front Panel System Indicator:
Routing Engine   0
-----------------------------
OK               *

Front Panel Alarm Indicator:
----------------------------
RED            .
ORANGE         *

Front Panel HA Indicator:
-------------------------
RED            .
ORANGE         .
GREEN          *

Front Panel PS Indicator:
PS             0
-------------------------
RED            .
GREEN          *

{primary:node0}
root@srxC-1>

node 1

root@srxC-1> show chassis craft-interface node 1
node1:
--------------------------------------------------------------------------
Front Panel System Indicator:
Routing Engine   0
-----------------------------
OK               *

Front Panel Alarm Indicator:
----------------------------
RED            .
ORANGE         *

Front Panel HA Indicator:
-------------------------
RED            .
ORANGE         .
GREEN          *

Front Panel PS Indicator:
PS             0
-------------------------
RED            .
GREEN          *

{primary:node0}
root@srxC-1>

Step 1.7 show pfe statistics error

root@srxC-1> show pfe statistics error
================ cluster1.node0 ================


{primary:node0}
root@srxC-1>

Step 1.8 show log messages match error

root@srxC-1> show log messages | match error
May 30 20:59:15   login[1485]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user rooot

{primary:node0}
root@srxC-1>
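
The `show log messages | match ...` steps (2.6 and 2.7 of Lab 4, and 1.8 here) pull lines out by keyword and leave the reading to the operator. As an added example that is not part of the lab or of Junos, the Python below splits a `messages` line into timestamp, host, process, PID and message and classifies it with a few rules: the `LOGIN_PAM_AUTHENTICATION_ERROR` failed login for user `rooot`, the two daemons that `init` gave up restarting (`is thrashing, not restarted`), the `shutdown: reboot by root` record, and the missing `/usr/sbin/ipmid` binary. The sample lines are copied from the output above plus one harmless `started` line as a negative case; the rule names and severities are this example's own labels.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the "show log messages" output in the
# steps above, plus one harmless "started" line as a negative case.
SAMPLE_MESSAGES = """\
Jun  1 19:58:19  srxC-1 init: can not access /usr/sbin/ipmid: No such file or directory
Jun  1 19:58:35  srxC-1 init: security-intelligence is thrashing, not restarted
Jun  1 19:58:38  srxC-1 init: l2cpd-service is thrashing, not restarted
Jun  1 20:31:04  srxC-1 init: ntp (PID 3627) started
Jun  1 18:49:19   shutdown: reboot by root:
May 30 20:59:15   login[1485]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user rooot
"""

# "Mon DD HH:MM:SS  [host] proc[pid]: message". The host is absent on some of
# the lines above (shutdown, login), so it is optional, and it may not contain
# ':' or '[' so that "login[1485]:" is read as the process, not the host.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?:(?P<host>[^\s:\[]+) )?(?P<proc>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Classification rules: (rule name, regex on the message, severity). Names and
# severities are this example's own, not Junos facilities or severities.
RULES = [
    ("auth-failure",
     re.compile(r"LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user (?P<user>\S+)"), "high"),
    ("daemon-thrashing",
     re.compile(r"^(?P<daemon>\S+) is thrashing, not restarted$"), "medium"),
    ("reboot",
     re.compile(r"^reboot by (?P<user>[^\s:]+)"), "info"),
    ("missing-binary",
     re.compile(r"^can not access (?P<path>\S+): No such file or directory"), "low"),
]


def parse_line(line):
    """Fields of one messages line, or None if it is not in the expected shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(text):
    """One event dict per line that matches a rule; unmatched lines are skipped."""
    events = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for rule, pat, severity in RULES:
            m = pat.search(rec["msg"])
            if m:
                events.append({
                    "rule": rule,
                    "severity": severity,
                    "proc": rec["proc"],
                    "time": f'{rec["mon"]} {rec["day"]} {rec["time"]}',
                    **m.groupdict(),
                })
                break   # first matching rule wins
    return events


def failed_logins_by_user(events):
    """Counter of failed-login usernames, the input to a brute-force threshold."""
    return Counter(e["user"] for e in events if e["rule"] == "auth-failure")


if __name__ == "__main__":
    for e in classify(SAMPLE_MESSAGES):
        print(e)
```

`failed_logins_by_user()` gives the per-user count you would compare against a threshold; with the single `rooot` event in this output it only proves the path, which is the point of taking a baseline before the counts mean anything.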

Step 1.9 show chassis hardware

root@srxC-1> show chassis hardware | no-more
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AQ2812AA0002      SRX220H
Routing Engine   REV 21   750-031175   AAEX6001          RE-SRX220H
FPC 0                                                    FPC
  PIC 0                                                  8x GE Base PIC
Power Supply 0

node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AQ3312AA0160      SRX220H
Routing Engine   REV 21   750-031175   AAEY8619          RE-SRX220H
FPC 0                                                    FPC
  PIC 0                                                  8x GE Base PIC
Power Supply 0

{primary:node0}
root@srxC-1>

Step 1.10 show chassis fpc detail

root@srxC-1> show chassis fpc detail
node0:
--------------------------------------------------------------------------
Slot 0 information:
  State                               Online
  Total CPU DRAM                      ---- CPU less FPC ----
  Start time                          2017-06-01 20:53:49 CEST
  Uptime                              1 day, 21 hours, 52 minutes, 7 seconds

node1:
--------------------------------------------------------------------------
Slot 0 information:
  State                               Online
  Total CPU DRAM                      ---- CPU less FPC ----
  Start time                          2017-06-01 22:49:58 CEST
  Uptime                              1 day, 21 hours, 48 minutes, 40 seconds

{primary:node0}
root@srxC-1>

Step 1.11

root@srxC-1> show chassis tfeb
error: command is not valid on the srx220h

Part 2: Establishing a Baseline

Step 2.1

root@srxC-1> show configuration | no-more
## Last commit: 2017-06-03 15:12:13 CEST by root
version 12.1X46-D65.4;
groups {
    node0 {
        system {
            host-name srxC-1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.210.14.135/27;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name srxC-2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.210.14.136/27;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    time-zone Europe/Brussels;
    root-authentication {
        encrypted-password "$1$nExECCUH$4rWgERhjpKiRnCRWdw9Xf1"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        dhcp-local-server {
            group POOL_LAB {
                interface reth0.101;
            }
            group POOL_TEST {
                interface reth0.100;
            }
            group POOL_PROD {
                interface reth0.102;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        boot-server 193.104.237.238;
    }
}
chassis {
    cluster {
        reth-count 2;
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 2 {
            node 1 priority 200;
            node 0 priority 100;
            preempt;
            interface-monitor {
                ge-3/0/3 weight 255;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-3/0/0 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-3/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-3/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/5;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-3/0/5;
            }
        }
    }
    reth0 {
        description "RETH1 new LAN TEST LAB PROD";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
            }
        }
        unit 100 {
            description "100 TEST Interface";
            vlan-id 100;
            family inet {
                address 10.128.100.1/24;
            }
        }
        unit 101 {
            description "101 LAB Interface";
            vlan-id 101;
            family inet {
                address 10.128.101.1/24;
            }
        }
        unit 102 {
            description "102 PROD Interface";
            vlan-id 102;
            family inet {
                address 10.128.102.1/24;
            }
        }
        unit 103 {
            description "103 DMZ Interface";
            vlan-id 103;
        }
        unit 104 {
            description "104 Internet Interface";
            vlan-id 104;
            family inet {
                dhcp-client {
                    retransmission-attempt 6;
                    retransmission-interval 5;
                    update-server;
                }
            }
        }
    }
    reth1 {
        description "Interface towards OLDNET trough OLDTEST";
        redundant-ether-options {
            redundancy-group 2;
        }
        unit 0 {
            family inet {
                dhcp-client {
                    retransmission-attempt 6;
                    retransmission-interval 5;
                    update-server;
                }
            }
        }
    }
}
routing-options {
    static {
        route 192.168.10.0/24 next-hop 10.128.10.2;
    }
}
protocols {
    stp;
}
security {
    nat {
        source {
            rule-set SRC_NAT_TEST_RULESET_1 {
                from zone TEST_ZONE;
                to zone UNTRUST;
                rule RULE_TEST_1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set SRC_NAT_LAB_RULESET_1 {
                from zone LAB_ZONE;
                to zone UNTRUST;
                rule RULE_LAB_1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set SRC_NAT_TO_OLDNET {
                from zone [ LAB_ZONE PROD_ZONE TEST_ZONE ];
                to zone OLDNET;
                rule FROM_NEW_TO_OLD {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone UNTRUST {
            description "UNTRUST towards Inet";
            interfaces {
                reth0.104 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone TEST_ZONE {
            description "Zone TEST";
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                reth0.100 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone LAB_ZONE {
            description "Zone LAB";
            interfaces {
                reth0.101 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone PROD_ZONE {
            description "Zone PROD";
            interfaces {
                reth0.102 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone DMZ_ZONE {
            description "Zone DMZ";
            interfaces {
                reth0.103;
            }
        }
        security-zone OLDNET {
            description "OLDNET towards all the rest of the LAN";
            interfaces {
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            traceroute;
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
access {
    address-assignment {
        pool POOL_TEST {
            family inet {
                network 10.128.100.0/24;
                range POOL_TEST_RANGE {
                    low 10.128.100.100;
                    high 10.128.100.250;
                }
                dhcp-attributes {
                    maximum-lease-time 2419200;
                    router {
                        10.128.100.1;
                    }
                }
            }
        }
        pool POOL_LAB {
            family inet {
                network 10.128.101.0/24;
                range POOL_LAB_RANGE {
                    low 10.128.101.100;
                    high 10.128.101.250;
                }
                dhcp-attributes {
                    maximum-lease-time 2419200;
                    router {
                        10.128.101.1;
                    }
                }
            }
        }
        pool POOL_PROD {
            family inet {
                network 10.128.102.0/24;
                range POOL_PROD_RANGE {
                    low 10.128.102.100;
                    high 10.128.102.250;
                }
                dhcp-attributes {
                    maximum-lease-time 2419200;
                    router {
                        10.128.102.1;
                    }
                }
            }
        }
    }
}
services {
    rpm {
        probe INTERNET-CHECKS {
            test ICMP-TEST-TO-GOOGLE {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-interval 15;
                source-address 94.225.233.18;
                hardware-timestamp;
            }
        }
        probe STORE-PROBE {
            test GOOGLE {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 15;
                test-interval 10;
                source-address 94.225.233.18;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                hardware-timestamp;
                one-way-hardware-timestamp;
            }
        }
    }
}

{primary:node0}
root@srxC-1>

Step 2.2 ntp

{primary:node0}[edit]
root@srxC-1# edit system ntp

{primary:node0}[edit system ntp]
root@srxC-1# set server 3.be.pool.ntp.org

{primary:node0}[edit system ntp]
root@srxC-1# set server 1.europe.pool.ntp.org

{primary:node0}[edit system ntp]
root@srxC-1# set server 3.europe.pool.ntp.org

Step 2.3

set system time-zone Europe/Brussels

Step 2.4

root@srxC-1# run set date ntp
node0:
--------------------------------------------------------------------------
 3 Jun 18:53:42 ntpdate[7455]: step time server 84.199.86.248 offset 0.002248 sec

node1:
--------------------------------------------------------------------------
 3 Jun 20:46:19 ntpdate[9407]: no server suitable for synchronization found

{primary:node0}[edit]
root@srxC-1#

Step 2.5

root@srxC-1# run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 84-199-86-248.i .STEP.          16 -  342   64    0    0.000    0.000 4000.00
 host189-248-2-8 .STEP.          16 -  213   64    0    0.000    0.000 4000.00
 bb8.dousse.eu   .STEP.          16 - 1707   64    0    0.000    0.000 4000.00

{primary:node0}[edit]
root@srxC-1#

Step 2.6

root@srxC-1# run show system uptime
node0:
--------------------------------------------------------------------------
Current time: 2017-06-03 18:54:49 CEST
System booted: 2017-06-01 20:50:27 CEST (1d 22:04 ago)
Protocols started: 2017-06-01 20:53:26 CEST (1d 22:01 ago)
Last configured: 2017-06-03 18:52:22 CEST (00:02:27 ago) by root
 6:54PM  up 1 day, 22:04, 3 users, load averages: 0.13, 0.10, 0.08

node1:
--------------------------------------------------------------------------
Current time: 2017-06-03 20:47:22 CEST
System booted: 2017-06-01 22:43:31 CEST (1d 22:03 ago)
Last configured: 2017-06-03 20:44:46 CEST (00:02:36 ago) by root
 8:47PM  up 1 day, 22:04, 0 users, load averages: 0.02, 0.07, 0.02

{primary:node0}[edit]
root@srxC-1#

Step 2.7 set up syslog

{primary:node0}[edit system syslog]
root@srxC-1# set host 10.128.100.100 any any

{primary:node0}[edit system syslog]
root@srxC-1# commit and-quit
error: can only commit from top of private configuration

{primary:node0}[edit system syslog]
root@srxC-1# top

{primary:node0}[edit]
root@srxC-1# commit and-quit
node0:

Step 2.8 monitor traffic

root@srxC-1> monitor traffic interface reth0.100
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on reth0.100, capture size 96 bytes

Reverse lookup for 10.128.100.1 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

18:59:20.547958 Out IP truncated-ip - 86 bytes missing! 10.128.100.1.syslog > 10.128.100.100.syslog: SYSLOG daemon.info, length: 108
18:59:20.549493 Out IP truncated-ip - 71 bytes missing! 10.128.100.1.syslog > 10.128.100.100.syslog: SYSLOG daemon.info, length: 93
18:59:20.551002 Out IP truncated-ip - 49 bytes missing! 10.128.100.1.syslog > 10.128.100.100.syslog: SYSLOG daemon.debug, length: 71
18:59:35.043775  In arp who-has 10.128.100.1 (00:10:db:ff:10:00) tell 10.128.100.100

References

[SRX] Why secondary node of SRX cluster is not synchronizing with NTP server

Initiating a Chassis Cluster Manual Redundancy Group Failover

Appendix 1: NTP sync on passive member


For some reason the time was not synchronized between the cluster members; it seems a failover needs to be triggered in order to initialize NTP on the passive node.

root@srxC-1% cli
{primary:node0}

root@srxC-1> show system uptime
node0:
--------------------------------------------------------------------------
Current time: 2017-06-04 09:42:51 CEST
System booted: 2017-06-01 20:50:27 CEST (2d 12:52 ago)
Protocols started: 2017-06-01 20:53:26 CEST (2d 12:49 ago)
Last configured: 2017-06-04 07:20:24 CEST (02:22:27 ago) by root
 9:42AM  up 2 days, 12:52, 3 users, load averages: 0.11, 0.12, 0.11

node1:
--------------------------------------------------------------------------
Current time: 2017-06-04 11:35:24 CEST
System booted: 2017-06-01 22:43:31 CEST (2d 12:51 ago)
Last configured: 2017-06-04 09:12:51 CEST (02:22:33 ago) by root
11:35AM  up 2 days, 12:52, 0 users, load averages: 0.03, 0.04, 0.00

{primary:node0}
root@srxC-1> show chassis cluster status redundancy-group 0
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  1        primary        no      no       None
node1  1        secondary      no      no       None

{primary:node0}
root@srxC-1> request chassis cluster failover redundancy-group 0 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 0

{primary:node0}
root@srxC-1> packet_write_wait: Connection to 10.128.10.137: Broken pipe
qazwsxs-MBP:~ qazwsxedcrfv$ ssh root@10.128.10.137
Password:
--- JUNOS 12.1X46-D65.4 built 2016-12-30 01:34:30 UTC
root@srxC-2% cli
{primary:node1}
root@srxC-2>

root@srxC-2% cli
{primary:node1}
root@srxC-2> show system uptime
node0:
--------------------------------------------------------------------------
Current time: 2017-06-04 09:45:23 CEST
System booted: 2017-06-01 20:50:27 CEST (2d 12:54 ago)
Last configured: 2017-06-04 07:20:24 CEST (02:24:59 ago) by root
 9:45AM  up 2 days, 12:55, 3 users, load averages: 1.01, 0.68, 0.34

node1:
--------------------------------------------------------------------------
Current time: 2017-06-04 09:45:23 CEST
System booted: 2017-06-01 20:50:59 CEST (2d 12:54 ago)
Protocols started: 2017-06-04 09:43:54 CEST (00:01:29 ago)
Last configured: 2017-06-04 09:12:51 CEST (00:32:32 ago) by root
 9:45AM  up 2 days, 12:54, 1 user, load averages: 5.60, 2.95, 1.21

{primary:node1}
root@srxC-2>

Fail back

root@srxC-2> request chassis cluster failover redundancy-group 0 node 0
node0:
--------------------------------------------------------------------------
Redundancy-group 0 is in manual failover mode already.
Please reset it before requesting a failover.

{primary:node1}
root@srxC-2> request chassis cluster failover reset redundancy-group 0
node0:
--------------------------------------------------------------------------
No reset required for redundancy group 0.

node1:
--------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 0

{primary:node1}
root@srxC-2> request chassis cluster failover redundancy-group 0 node 0
node0:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 0

EDU-JUN-JTNOC-12.B: LAB 2: IDENTIFYING HARDWARE COMPONENTS

Part 2: Verifying Initial Device Configuration

Step 2.1 Show interfaces

root@srxC-1> show interfaces terse | no-more
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   aenet    --> reth1.0
gr-0/0/0                up    up
ip-0/0/0                up    up
ge-0/0/1                up    down
ge-0/0/2                up    down
ge-0/0/3                up    up
ge-0/0/3.100            up    up   aenet    --> reth0.100
ge-0/0/3.101            up    up   aenet    --> reth0.101
ge-0/0/3.102            up    up   aenet    --> reth0.102
ge-0/0/3.103            up    up   aenet    --> reth0.103
ge-0/0/3.104            up    up   aenet    --> reth0.104
ge-0/0/3.32767          up    up   aenet    --> reth0.32767
ge-0/0/4                up    up
ge-0/0/4.100            up    up   aenet    --> reth0.100
ge-0/0/4.101            up    up   aenet    --> reth0.101
ge-0/0/4.102            up    up   aenet    --> reth0.102
ge-0/0/4.103            up    up   aenet    --> reth0.103
ge-0/0/4.104            up    up   aenet    --> reth0.104
ge-0/0/4.32767          up    up   aenet    --> reth0.32767
ge-0/0/5                up    up
ge-0/0/5.0              up    up   aenet    --> fab0.0
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-3/0/0                up    down
ge-3/0/0.0              up    down aenet    --> reth1.0
ge-3/0/1                up    down
ge-3/0/2                up    down
ge-3/0/3                up    down
ge-3/0/3.100            up    down aenet    --> reth0.100
ge-3/0/3.101            up    down aenet    --> reth0.101
ge-3/0/3.102            up    down aenet    --> reth0.102
ge-3/0/3.103            up    down aenet    --> reth0.103
ge-3/0/3.104            up    down aenet    --> reth0.104
ge-3/0/3.32767          up    down aenet    --> reth0.32767
ge-3/0/4                up    down
ge-3/0/4.100            up    down aenet    --> reth0.100
ge-3/0/4.101            up    down aenet    --> reth0.101
ge-3/0/4.102            up    down aenet    --> reth0.102
ge-3/0/4.103            up    down aenet    --> reth0.103
ge-3/0/4.104            up    down aenet    --> reth0.104
ge-3/0/4.32767          up    down aenet    --> reth0.32767
ge-3/0/5                up    up
ge-3/0/5.0              up    up   aenet    --> fab1.0
ge-3/0/6                up    up
ge-3/0/7                up    up
fab0                    up    up
fab0.0                  up    up   inet     30.17.0.200/24
fab1                    up    up
fab1.0                  up    up   inet     30.18.0.200/24
fxp0                    up    up
fxp0.0                  up    up   inet     10.210.14.135/27
fxp1                    up    up
fxp1.0                  up    up   inet     129.16.0.1/2
                                   tnp      0x1100001
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1100001
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
reth0                   up    up
reth0.100               up    up   inet     10.128.100.1/24
reth0.101               up    up   inet     10.128.101.1/24
reth0.102               up    up   inet     10.128.102.1/24
reth0.103               up    up
reth0.104               up    up   inet     94.225.233.18/20
reth0.32767             up    up
reth1                   up    up
reth1.0                 up    up   inet     10.128.10.137/24
st0                     up    up
swfab0                  up    down
swfab1                  up    down
tap                     up    up
vlan                    up    up

{primary:node0}
root@srxC-1>

Step 2.2 ping the routers attached

root@srxC-1> ping 10.128.10.2 count 5
PING 10.128.10.2 (10.128.10.2): 56 data bytes
64 bytes from 10.128.10.2: icmp_seq=0 ttl=64 time=12.836 ms
64 bytes from 10.128.10.2: icmp_seq=1 ttl=64 time=4.882 ms
64 bytes from 10.128.10.2: icmp_seq=2 ttl=64 time=4.706 ms
64 bytes from 10.128.10.2: icmp_seq=3 ttl=64 time=4.738 ms
64 bytes from 10.128.10.2: icmp_seq=4 ttl=64 time=5.593 ms

--- 10.128.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.706/6.551/12.836/3.159 ms

{primary:node0}
root@srxC-1>

Step 2.3 ping a remote address

root@srxC-1> ping 192.168.12.10 count 5
PING 192.168.12.10 (192.168.12.10): 56 data bytes
92 bytes from my.firewall (10.128.10.2): Redirect Host(New addr: 10.128.10.7)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 4401   0 0000  3f  01 55ed 10.128.10.137  192.168.12.10

64 bytes from 192.168.12.10: icmp_seq=0 ttl=62 time=20.837 ms
92 bytes from my.firewall (10.128.10.2): Redirect Host(New addr: 10.128.10.7)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 440a   0 0000  3f  01 55e4 10.128.10.137  192.168.12.10

64 bytes from 192.168.12.10: icmp_seq=1 ttl=62 time=16.050 ms
92 bytes from my.firewall (10.128.10.2): Redirect Host(New addr: 10.128.10.7)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 441c   0 0000  3f  01 55d2 10.128.10.137  192.168.12.10

64 bytes from 192.168.12.10: icmp_seq=2 ttl=62 time=12.645 ms
92 bytes from my.firewall (10.128.10.2): Redirect Host(New addr: 10.128.10.7)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 4425   0 0000  3f  01 55c9 10.128.10.137  192.168.12.10

64 bytes from 192.168.12.10: icmp_seq=3 ttl=62 time=12.569 ms
92 bytes from my.firewall (10.128.10.2): Redirect Host(New addr: 10.128.10.7)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 442b   0 0000  3f  01 55c3 10.128.10.137  192.168.12.10

64 bytes from 192.168.12.10: icmp_seq=4 ttl=62 time=12.391 ms

--- 192.168.12.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 12.391/14.898/20.837/3.268 ms

{primary:node0}
root@srxC-1>

Part 3: Identifying Hardware and Key Components

Step 3.1 show chassis hardware

root@srxC-1> show chassis hardware | no-more
node0:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AQ2812AA0002      SRX220H
Routing Engine   REV 21   750-031175   AAEX6001          RE-SRX220H
FPC 0                                                    FPC
  PIC 0                                                  8x GE Base PIC
Power Supply 0

node1:
--------------------------------------------------------------------------
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AQ3312AA0160      SRX220H
Routing Engine   REV 21   750-031175   AAEY8619          RE-SRX220H
FPC 0                                                    FPC
  PIC 0                                                  8x GE Base PIC
Power Supply 0

{primary:node0}
root@srxC-1>

Juniper Networks Learning Paths

Junos Security Learning Path

Junos Security

Advanced Junos Security

Junos Support

Junos Troubleshooting on the NOC (JUN-JTNOC_12.b)

Advanced Junos Enterprise Security Troubleshooting (AJEST)

Junos Enterprise Switching

Junos Intermediate Routing

Advanced Junos Enterprise Switching Troubleshooting

upgrading srx220h

root> show system storage               
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/ad0s2a             295M       146M       125M       54%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/md0                 20M       1.0M        17M        6%  /junos
/cf/packages            295M       146M       125M       54%  /junos/cf/packages
devfs                   1.0K       1.0K         0B      100%  /junos/cf/dev
/cf/usr                 295M       146M       125M       54%  /junos/cf/usr
/cf/boot                295M       146M       125M       54%  /junos/cf/boot
/dev/md1                405M       405M         0B      100%  /junos
/cf                      20M       1.0M        17M        6%  /junos/cf
devfs                   1.0K       1.0K         0B      100%  /junos/dev/
/cf/packages            295M       146M       125M       54%  /junos/cf/packages1
/cf/boot                295M       146M       125M       54%  /junos/cf/boot
/cf/usr                 295M       146M       125M       54%  /junos/cf/usr
procfs                  4.0K       4.0K         0B      100%  /proc
/dev/bo0s3e              24M        26K        22M        0%  /config
/dev/bo0s3f             344M        13M       303M        4%  /cf/var
/dev/md2                168M        19M       135M       12%  /mfs
/cf/var/jail            344M        13M       303M        4%  /jail/var
/cf/var/log             344M        13M       303M        4%  /jail/var/log
devfs                   1.0K       1.0K         0B      100%  /jail/dev
/dev/md3                 39M       4.0K        36M        0%  /mfs/var/run/utm
/dev/md4                1.8M       4.0K       1.7M        0%  /jail/mfs

 

SRX recommended software for srx220

root# run show chassis hardware           
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AQ2812AA0002      SRX220H
Routing Engine   REV 21   750-031175   AAEX6001          RE-SRX220H
FPC 0                                                    FPC
  PIC 0                                                  8x GE Base PIC
Power Supply 0  


1

root> request system storage cleanup 

List of files to delete:

         Size Date         Name
  1344B May 29 20:11 /cf/var/crash/flowd_octeon_hm.log..0
   122B Sep 17  2013 /cf/var/crash/flowd_octeon_hm.log..1
  1344B Mar 12 16:57 /cf/var/crash/flowd_octeon_hm.log..2
  1344B Apr  7 15:04 /cf/var/crash/flowd_octeon_hm.log..3
  1344B Apr  7 22:22 /cf/var/crash/flowd_octeon_hm.log..4
   129B Mar 12 10:10 /cf/var/crash/flowd_octeon_hm.log.addelh-berlar-fw-01.0
   129B Mar 12 12:41 /cf/var/crash/flowd_octeon_hm.log.addelh-berlar-fw-01.1
   129B Mar 12 00:43 /cf/var/crash/flowd_octeon_hm.log.addelh-berlar-fw-01.2
   129B Mar 12 08:53 /cf/var/crash/flowd_octeon_hm.log.addelh-berlar-fw-01.3
   129B Mar 12 09:59 /cf/var/crash/flowd_octeon_hm.log.addelh-berlar-fw-01.4
  1344B Mar 12 17:15 /cf/var/crash/flowd_octeon_hm.log.srx-C2.0
  1344B Mar 18 11:51 /cf/var/crash/flowd_octeon_hm.log.srx-CL.0
Delete these files ? [yes,no] (no) yes 

2

root> request system configuration rescue save 

3


4

root> show chassis cluster status 
error: Chassis cluster is not enabled.

from reddit

Hi,
Check out the cluster upgrade docs here: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17235 but basically you need to upgrade both of them together. You can't have a single node in a cluster running different software versions.
To answer your question: If you start an upgrade your current device is NOT affected in any way. It only becomes active after a reboot. You can patch both nodes without impacting traffic.
My standard things to do are
1. Check available disk space and free up any un-needed logs - request system storage cleanup
2. Update my rescue config - request system configuration rescue save
3. Copy the current running partition over the backup partition - request system snapshot slice alternate or you can save a copy of your whole partition to a usb with request system snapshot media usb
4. Check your cluster is working fine with no errors before you start - show chassis cluster status
5. Make sure you are either present with the devices or have a working console cable, check you can access both nodes beforehand
6. Read the release notes and make sure they aren't deprecating or changing any commands/config you currently use. (Nothing worse than rebooting your cluster and it not starting because of some issues with your config)
7. Always always patch using the validate command which should check your current config against the new patch to stop issues like point 6. I believe this is the default if you don't specify no-validate. It will however take 10-15 minutes to do this!
8. I patch all nodes and then run a request system reboot node 1 in 1 for the secondary and a request system reboot immediately after for the primary. This is purely because I like node0 being the primary :)
9. Make sure you test this on your current config on a test device if possible.
10. Make sure you allocate enough time for your maintenance window. Validating will make it take a bit longer. You might need time to fix any issues after (rare but a possibility). If my downtime window is arranged for 10pm I would typically patch both nodes prior to this point as the new software doesn't take effect until the node is rebooted. However some people might not like that approach as you're doing stuff to live devices prior to your change windows etc.
Unfortunately I don't know of any way to have 0 downtime with a HA cluster. There might be something on Juniper's site I guess but from what I recall there isn't a way of doing it!

 

References


upgrading srx550

Jtac recommended software versions

EDU-JUN-AJSEC-12.B: LAB 2 : IMPLEMENTING LAYER 2 SECURITY

Configuring Transparent Mode

STEP 2.1


root> configure 
Entering configuration mode
root# delete security 
root# delete routing-options

STEP 2.2


root# delete firewall 
root# delete vlans 
root# delete interfaces

STEP 2.3


set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 1 (700?)

Alternative working

set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 100

STEP 2.4

set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/2 unit 0 family bridge vlan-id-list 1

Alternative working

set interfaces ge-0/0/2 unit 0 family bridge interface-mode access
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 100

STEP 2.5

set security zones security-zone UNTRUST-L2 interfaces ge-0/0/1.0

STEP 2.6

set security zones security-zone TRUST-L2 interfaces ge-0/0/2.0

STEP 2.7

set security policies from-zone TRUST-L2 to-zone UNTRUST-L2 policy ALLOW match source-address any
set security policies from-zone TRUST-L2 to-zone UNTRUST-L2 policy ALLOW match destination-address any
set security policies from-zone TRUST-L2 to-zone UNTRUST-L2 policy ALLOW match application any
set security policies from-zone TRUST-L2 to-zone UNTRUST-L2 policy ALLOW then permit

(TEST, this is not included)
set security policies from-zone UNTRUST-L2 to-zone TRUST-L2 policy ALLOW match source-address any
set security policies from-zone UNTRUST-L2 to-zone TRUST-L2 policy ALLOW match destination-address any
set security policies from-zone UNTRUST-L2 to-zone TRUST-L2 policy ALLOW match application any
set security policies from-zone UNTRUST-L2 to-zone TRUST-L2 policy ALLOW then permit

STEP 2.8

set routing-instances GIG-Switch instance-type virtual-switch
set routing-instances GIG-Switch interface ge-0/0/1.0
set routing-instances GIG-Switch interface ge-0/0/2.0

STEP 2.9

set routing-instances GIG-Switch bridge-domains BRIDGE1 domain-type bridge
set routing-instances GIG-Switch bridge-domains BRIDGE1 vlan-id 100
show

STEP 2.10

root@juniper# commit check 
warning: Interfaces are changed from route mode to transparent mode. Please reboot the device or all nodes in the HA cluster!
configuration check succeeds

[edit]
root@juniper# commit 
warning: Interfaces are changed from route mode to transparent mode. Please reboot the device or all nodes in the HA cluster!
commit complete

[edit]
root@juniper# commit 

reboot


root@juniper# run request system reboot 
Reboot the system ? [yes,no] (no) yes 

SNMP, Netflow, and Syslog from SRX to PRTG

Intro

Here are some configuration examples for SNMP, NetFlow and syslog between SRX and PRTG.

PRTG Sensor Configuration for snmp

PRTG Sensor Configuration for snmp trap receiver

On the local probe, create a new sensor.

As an example, here is a trap received regarding a manual failover.

PRTG Sensor Configuration for Jflows v5

On the local probe, create a sensor for Jflows v5.

Configure the settings as displayed below.

After configuring the device to send the flows, the information will be displayed as below.

PRTG sensor configuration for syslog

Snmp configuration on SRX

Configure the SNMP community on the SRX.

set snmp name srxC-00
set snmp location "Net Runner Lab STOCKEL"
set snmp contact "rafael.torrales@gmail.com"
set snmp community public authorization read-only
set snmp community public clients 10.128.0.0/16
set snmp trap-options source-address 10.128.100.1

When host-inbound-traffic system services are enabled both on a security zone and on a specific interface in that zone, the interface-level configuration takes precedence for that interface, as in this example.

set security zones security-zone TEST_ZONE description "Zone TEST"
set security zones security-zone TEST_ZONE host-inbound-traffic system-services ping
set security zones security-zone TEST_ZONE host-inbound-traffic system-services traceroute
set security zones security-zone TEST_ZONE host-inbound-traffic system-services snmp
set security zones security-zone TEST_ZONE interfaces reth0.100 host-inbound-traffic system-services dhcp
set security zones security-zone TEST_ZONE interfaces reth0.100 host-inbound-traffic system-services ping
set security zones security-zone TEST_ZONE interfaces reth0.100 host-inbound-traffic system-services snmp
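
As an added example (not from the original post), the following Python script encodes that precedence rule and computes, from the `set` form of the zone configuration, which services each interface really accepts; the interface reth0.105 in the sample is hypothetical, placed in the zone without an interface-level block to show inheritance.

```python
"""Effective host-inbound services per SRX interface.

Added example, not from the original post. It encodes the precedence rule
stated above: an interface with its own host-inbound-traffic block uses only
that list and ignores the zone-level list (Junos behaviour as described;
confirm on your release). Input is the `set` form of the zone configuration.
"""
import re

ZONE_SVC = re.compile(
    r"^set security zones security-zone (\S+) "
    r"host-inbound-traffic system-services (\S+)$")
IFC_SVC = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+) "
    r"host-inbound-traffic system-services (\S+)$")
IFC_ONLY = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")


def parse_zones(config_text):
    """Return {zone: {"services": set, "interfaces": {ifc: set}}}.

    An interface whose own set is empty has no interface-level block and
    therefore inherits the zone-level services.
    """
    zones = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        for regex in (IFC_SVC, IFC_ONLY, ZONE_SVC):
            match = regex.match(line)
            if not match:
                continue
            zone = zones.setdefault(match.group(1),
                                    {"services": set(), "interfaces": {}})
            if regex is ZONE_SVC:
                zone["services"].add(match.group(2))
            else:
                own = zone["interfaces"].setdefault(match.group(2), set())
                if regex is IFC_SVC:
                    own.add(match.group(3))
            break
    return zones


def effective_services(zones):
    """Map each interface to (zone, frozenset of services it really accepts)."""
    effective = {}
    for zone_name, zone in zones.items():
        for ifc, own in zone["interfaces"].items():
            # Interface-level list wins outright; otherwise inherit the zone's.
            effective[ifc] = (zone_name, frozenset(own or zone["services"]))
    return effective


def interfaces_exposing(effective, service):
    """List interfaces that accept `service`, for reviewing management exposure."""
    return sorted(ifc for ifc, (_, svcs) in effective.items() if service in svcs)


# Constructed sample: the TEST_ZONE lines above plus a hypothetical reth0.105
# placed in the zone without an interface-level block.
SAMPLE_CONFIG = """
set security zones security-zone TEST_ZONE description "Zone TEST"
set security zones security-zone TEST_ZONE host-inbound-traffic system-services ping
set security zones security-zone TEST_ZONE host-inbound-traffic system-services traceroute
set security zones security-zone TEST_ZONE host-inbound-traffic system-services snmp
set security zones security-zone TEST_ZONE interfaces reth0.100 host-inbound-traffic system-services dhcp
set security zones security-zone TEST_ZONE interfaces reth0.100 host-inbound-traffic system-services ping
set security zones security-zone TEST_ZONE interfaces reth0.100 host-inbound-traffic system-services snmp
set security zones security-zone TEST_ZONE interfaces reth0.105
"""

if __name__ == "__main__":
    result = effective_services(parse_zones(SAMPLE_CONFIG))
    for ifc, (zone, svcs) in sorted(result.items()):
        print(f"{ifc} ({zone}): {', '.join(sorted(svcs))}")
    print("snmp reachable on:", interfaces_exposing(result, "snmp"))
```

Note that reth0.100 ends up without traceroute even though the zone allows it, while the inherited interface gets the full zone list.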

Configure SNMP traps on the SRX

set snmp trap-group TRAPS-TO-PRTG version v2 targets 10.128.100.100
set snmp trap-group TRAPS-TO-PRTG categories ?
set snmp trap-group TRAPS-TO-PRTG categories chassis
set snmp trap-group TRAPS-TO-PRTG categories chassis-cluster
set snmp trap-group TRAPS-TO-PRTG categories configuration
set snmp trap-group TRAPS-TO-PRTG categories link
set snmp trap-group TRAPS-TO-PRTG categories remote-operations
set snmp trap-group TRAPS-TO-PRTG categories routing
set snmp trap-group TRAPS-TO-PRTG categories services
set snmp trap-group TRAPS-TO-PRTG categories startup
set snmp trap-options source-address 10.128.100.1

Snmp statistics

root@srxC-1# run show snmp statistics 
SNMP statistics:
  Input:
    Packets: 8395, Bad versions: 0, Bad community names: 0,
    Bad community uses: 0, ASN parse errors: 0,
    Too bigs: 0, No such names: 0, Bad values: 0,
    Read onlys: 0, General errors: 0,
    Total request varbinds: 29358, Total set varbinds: 0,
    Get requests: 7566, Get nexts: 829, Set requests: 0,
    Get responses: 0, Traps: 0,
    Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
    Throttle drops: 0, Duplicate request drops: 0
  V3 Input:
    Unknown security models: 0, Invalid messages: 0
    Unknown pdu handlers: 0, Unavailable contexts: 0
    Unknown contexts: 0, Unsupported security levels: 0
    Not in time windows: 0, Unknown user names: 0
    Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
  Output:
    Packets: 8395, Too bigs: 0, No such names: 0,
    Bad values: 0, General errors: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 8395, Traps: 0

Configure Netflows on SRX

Set up interfaces for sending netflow data on SRX

set interfaces reth0 unit 100 family inet sampling input
set interfaces reth0 unit 100 family inet sampling output
set interfaces reth0 unit 101 family inet sampling input
set interfaces reth0 unit 101 family inet sampling output
set interfaces reth0 unit 102 family inet sampling input
set interfaces reth0 unit 102 family inet sampling output
set interfaces reth0 unit 104 family inet sampling input
set interfaces reth0 unit 104 family inet sampling output

finding OID
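
The walk of jnxIpSecFlowMonMIB in this section lists IKE and IPsec tunnel objects keyed by an instance index. As an added example (not part of the original post), the parser below reads that output, decodes the index (assumed to be remote gateway address type, address length, address octets, then tunnel index) and flags the per-tunnel integrity counters that should stay at zero; the second peer 198.51.100.7 in the sample is constructed.

```python
"""Parse `show snmp mib walk jnxIpSecFlowMonMIB` output and flag IPsec
integrity counters that should stay at zero.

Added example, not code from the original post. Assumed row format:
`<object>.<addrType>.<addrLen>.<addr octets>.<tunnelIndex>[.<saIndex>] = <value>`
with the remote gateway address in the index, so `.1.4.94.225.239.70.7440602`
means IPv4 peer 94.225.239.70, tunnel index 7440602.
"""
import ipaddress
from collections import defaultdict

# Per-tunnel counters whose growth points at replayed, tampered or wrongly
# keyed traffic, or at a peer that stopped answering dead-peer detection.
INTEGRITY_COUNTERS = (
    "jnxIpSecTunMonReplayDropPkts",
    "jnxIpSecTunMonAhAuthFails",
    "jnxIpSecTunMonEspAuthFails",
    "jnxIpSecTunMonDecryptFails",
    "jnxIpSecTunMonBadHeaders",
    "jnxIpSecTunMonBadTrailers",
    "jnxIkeTunMonDPDDownCount",
)


def parse_index(suffix):
    """Decode an instance suffix into (remote_gateway, tunnel_index)."""
    parts = suffix.split(".")
    addr_type, addr_len = int(parts[0]), int(parts[1])
    octets = bytes(int(p) for p in parts[2:2 + addr_len])
    if addr_type == 1 and addr_len == 4:
        gateway = str(ipaddress.IPv4Address(octets))
    elif addr_type == 2 and addr_len == 16:
        gateway = str(ipaddress.IPv6Address(octets))
    else:  # unknown address family: keep the raw sub-identifiers
        gateway = ".".join(parts[2:2 + addr_len])
    return gateway, ".".join(parts[2 + addr_len:])


def parse_walk(text):
    """Group walk rows as {(remote_gateway, tunnel_index): {object: value}}."""
    tunnels = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        name_part, sep, value = line.partition(" = ")
        if "." not in name_part:
            continue  # prompt line, blank line or other non-row text
        obj, _, suffix = name_part.partition(".")
        try:
            gateway, index = parse_index(suffix)
        except (ValueError, IndexError):
            continue  # not an instance row
        # A row without " = " (e.g. an empty certificate name) stores "".
        tunnels[(gateway, index)][obj] = value if sep else ""
    return dict(tunnels)


def find_anomalies(tunnels):
    """Return (gateway, index, counter, value) for every non-zero counter."""
    findings = []
    for (gateway, index), objs in sorted(tunnels.items()):
        for counter in INTEGRITY_COUNTERS:
            value = objs.get(counter, "")
            if value.isdigit() and int(value) > 0:
                findings.append((gateway, index, counter, int(value)))
    return findings


# Constructed sample modelled on the rows in this walk: the tunnel to
# 94.225.239.70 is clean, the second peer 198.51.100.7 (documentation
# range, made up here) shows replay drops and ESP authentication failures.
SAMPLE_WALK = """\
root@srxC-1> show snmp mib walk jnxIpSecFlowMonMIB
jnxIkeTunMonLocalGwAddr.1.4.94.225.239.70.7440602 = 94.225.233.18
jnxIkeTunMonLocalCertName.1.4.94.225.239.70.7440602
jnxIkeTunMonRemoteIdValue.1.4.94.225.239.70.7440602 = 94.225.239.70
jnxIkeTunMonDPDDownCount.1.4.94.225.239.70.7440602 = 0
jnxIpSecTunMonLocalGwAddr.1.4.94.225.239.70.131073 = 94.225.233.18
jnxIpSecTunMonLocalProxyId.1.4.94.225.239.70.131073 = ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
jnxIpSecTunMonInDecryptedPkts.1.4.94.225.239.70.131073 = 1179
jnxIpSecTunMonReplayDropPkts.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonEspAuthFails.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonDecryptFails.1.4.94.225.239.70.131073 = 0
jnxIpSecSaMonInSpi.1.4.94.225.239.70.131073.1 = 1918750565
jnxIpSecTunMonLocalGwAddr.1.4.198.51.100.7.131074 = 94.225.233.18
jnxIpSecTunMonInDecryptedPkts.1.4.198.51.100.7.131074 = 40
jnxIpSecTunMonReplayDropPkts.1.4.198.51.100.7.131074 = 12
jnxIpSecTunMonEspAuthFails.1.4.198.51.100.7.131074 = 3
jnxIpSecTunMonDecryptFails.1.4.198.51.100.7.131074 = 0
"""

if __name__ == "__main__":
    for gateway, index, counter, value in find_anomalies(parse_walk(SAMPLE_WALK)):
        print(f"peer {gateway} tunnel {index}: {counter} = {value}")
```

Polling these objects at the trap-group interval and alerting on any increase gives the PRTG side a tunnel-integrity signal that the byte and packet counters alone do not provide.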


root@srxC-1> show snmp mib walk jnxIpSecFlowMonMIB
jnxIkeTunMonLocalGwAddr.1.4.94.225.239.70.7440602 = 94.225.233.18
jnxIkeTunMonLocalGwAddrType.1.4.94.225.239.70.7440602 = 1
jnxIkeTunMonState.1.4.94.225.239.70.7440602 = 1
jnxIkeTunMonInitiatorCookie.1.4.94.225.239.70.7440602 = e3f142e66ad6aeb1
jnxIkeTunMonResponderCookie.1.4.94.225.239.70.7440602 = f751a20000e06b21
jnxIkeTunMonLocalRole.1.4.94.225.239.70.7440602 = 2
jnxIkeTunMonLocalIdType.1.4.94.225.239.70.7440602 = 1
jnxIkeTunMonLocalIdValue.1.4.94.225.239.70.7440602 = 94.225.233.18
jnxIkeTunMonLocalCertName.1.4.94.225.239.70.7440602
jnxIkeTunMonRemoteIdType.1.4.94.225.239.70.7440602 = 1
jnxIkeTunMonRemoteIdValue.1.4.94.225.239.70.7440602 = 94.225.239.70
jnxIkeTunMonNegoMode.1.4.94.225.239.70.7440602 = 1
jnxIkeTunMonEncryptAlgo.1.4.94.225.239.70.7440602 = 4
jnxIkeTunMonHashAlgo.1.4.94.225.239.70.7440602 = 2
jnxIkeTunMonAuthMethod.1.4.94.225.239.70.7440602 = 1
jnxIkeTunMonLifeTime.1.4.94.225.239.70.7440602 = 18259
jnxIkeTunMonActiveTime.1.4.94.225.239.70.7440602 = 1054100
jnxIkeTunMonInOctets.1.4.94.225.239.70.7440602 = 4016
jnxIkeTunMonInPkts.1.4.94.225.239.70.7440602 = 19
jnxIkeTunMonOutOctets.1.4.94.225.239.70.7440602 = 3900
jnxIkeTunMonOutPkts.1.4.94.225.239.70.7440602 = 21
jnxIkeTunMonXAuthUserId.1.4.94.225.239.70.7440602 = not available
jnxIkeTunMonDPDDownCount.1.4.94.225.239.70.7440602 = 0
jnxIpSecTunMonLocalGwAddrType.1.4.94.225.239.70.131073 = 1
jnxIpSecTunMonLocalGwAddr.1.4.94.225.239.70.131073 = 94.225.233.18
jnxIpSecTunMonLocalProxyId.1.4.94.225.239.70.131073 = ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
jnxIpSecTunMonRemoteProxyId.1.4.94.225.239.70.131073 = ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
jnxIpSecTunMonKeyType.1.4.94.225.239.70.131073 = 1
jnxIpSecTunMonRemotePeerType.1.4.94.225.239.70.131073 = 1
jnxIpSecTunMonOutEncryptedBytes.1.4.94.225.239.70.131073 = 185688
jnxIpSecTunMonOutEncryptedPkts.1.4.94.225.239.70.131073 = 1557
jnxIpSecTunMonInDecryptedBytes.1.4.94.225.239.70.131073 = 57116
jnxIpSecTunMonInDecryptedPkts.1.4.94.225.239.70.131073 = 1179
jnxIpSecTunMonAHInBytes.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonAHInPkts.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonAHOutBytes.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonAHOutPkts.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonReplayDropPkts.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonAhAuthFails.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonEspAuthFails.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonDecryptFails.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonBadHeaders.1.4.94.225.239.70.131073 = 0
jnxIpSecTunMonBadTrailers.1.4.94.225.239.70.131073 = 0
jnxIpSecSaMonProtocol.1.4.94.225.239.70.131073.1 = 2
jnxIpSecSaMonInSpi.1.4.94.225.239.70.131073.1 = 1918750565
jnxIpSecSaMonOutSpi.1.4.94.225.239.70.131073.1 = 2780761757
jnxIpSecSaMonType.1.4.94.225.239.70.131073.1 = 2
jnxIpSecSaMonEncapMode.1.4.94.225.239.70.131073.1 = 1
jnxIpSecSaMonLifeSize.1.4.94.225.239.70.131073.1 = 0
jnxIpSecSaMonLifeTime.1.4.94.225.239.70.131073.1 = 3600
jnxIpSecSaMonActiveTime.1.4.94.225.239.70.131073.1 = 121000
jnxIpSecSaMonLifeTimeThreshold.1.4.94.225.239.70.131073.1 = 3037
jnxIpSecSaMonEncryptAlgo.1.4.94.225.239.70.131073.1 = 3
jnxIpSecSaMonAuthAlgo.1.4.94.225.239.70.131073.1 = 1
jnxIpSecSaMonState.1.4.94.225.239.70.131073.1 = 1

{primary:node0}
root@srxC-1> show snmp mib walk jnxIpSecSaMonState
jnxIpSecSaMonState.1.4.94.225.239.70.131073.1 = 1

{primary:node0}
root@srxC-1> show snmp mib walk jnxIpSecSaMonState | display xml

    
        
            jnxIpSecSaMonState.1.4.94.225.239.70.131073.1
            
                jnxIpSecTunMonRemoteGwAddrType
                1
            
            
                jnxIpSecTunMonRemoteGwAddr
                5e e1 ef 46  
            
            
                jnxIpSecTunMonIndex
                131073
            
            
                jnxIpSecSaMonIndex
                1
            
            number
            1
            1.3.6.1.4.1.2636.3.52.1.2.3.1.14.1.4.94.225.239.70.131073.1
        
    
    
        {primary:node0}
    


{primary:node0}
root@srxC-1> show snmp mib walk jnxIpSecSaMonState | display xml | match oid
            1.3.6.1.4.1.2636.3.52.1.2.3.1.14.1.4.94.225.239.70.131073.1

{primary:node0}
root@srxC-1>
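The walk and the XML output above show how the instance index of jnxIpSecSaMonState is built: remote gateway address type, address length, the four address octets, the tunnel index (131073) and the SA index (1). The helper below, added here as an example and not part of the original post, decodes such an instance OID, builds the OID for a known peer so a poller can GET it directly instead of walking the whole table, and converts the hex-octet form of jnxIpSecTunMonRemoteGwAddr ("5e e1 ef 46") printed in the XML output. Treating 1 as the only healthy jnxIpSecSaMonState value is an assumption based on the value observed above for the established SA.

```python
"""Work with the jnxIpSecSaMonState instance OID found above.

Added example, not part of the original post. The instance index is
  <remote gw address type>.<address length>.<4 address octets>.<tunnel index>.<SA index>
as shown by the "| display xml" output of the walk.
"""
from dataclasses import dataclass
from typing import Optional

# Base OID for jnxIpSecSaMonState, as printed by "| display xml | match oid" above.
JNX_IPSEC_SA_MON_STATE = "1.3.6.1.4.1.2636.3.52.1.2.3.1.14"
# Value reported above for the established SA; assumed to be the only healthy state.
SA_STATE_ACTIVE = 1


@dataclass(frozen=True)
class SaInstance:
    remote_gw_addr_type: int   # jnxIpSecTunMonRemoteGwAddrType, 1 = IPv4
    remote_gw_addr: str        # dotted IPv4 address of the peer
    tunnel_index: int          # jnxIpSecTunMonIndex, e.g. 131073
    sa_index: int              # jnxIpSecSaMonIndex, 1 for the first SA


def parse_sa_instance(oid: str, base: str = JNX_IPSEC_SA_MON_STATE) -> SaInstance:
    """Split an instance OID under `base` into its index components."""
    prefix = base + "."
    if not oid.startswith(prefix):
        raise ValueError(f"{oid} is not an instance of {base}")
    parts = [int(p) for p in oid[len(prefix):].split(".")]
    if len(parts) < 2:
        raise ValueError("index too short to hold address type and length")
    addr_type, addr_len = parts[0], parts[1]
    if addr_type != 1 or addr_len != 4:
        raise ValueError("only IPv4 (type 1, length 4) remote gateways are handled here")
    octets, rest = parts[2:2 + addr_len], parts[2 + addr_len:]
    if len(rest) != 2:
        raise ValueError("expected exactly <tunnel index>.<SA index> after the address")
    return SaInstance(addr_type, ".".join(map(str, octets)), rest[0], rest[1])


def sa_state_oid(remote_gw: str, tunnel_index: int, sa_index: int = 1,
                 base: str = JNX_IPSEC_SA_MON_STATE) -> str:
    """Build the instance OID for one peer's SA so it can be fetched with a single GET."""
    octets = remote_gw.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {remote_gw!r}")
    return ".".join([base, "1", "4", *octets, str(tunnel_index), str(sa_index)])


def hex_octets_to_ipv4(hex_value: str) -> str:
    """The XML output prints jnxIpSecTunMonRemoteGwAddr as hex octets, e.g. "5e e1 ef 46"."""
    octets = bytes.fromhex(hex_value.replace(" ", ""))
    if len(octets) != 4:
        raise ValueError("expected four octets")
    return ".".join(str(b) for b in octets)


def sa_is_healthy(value: Optional[int]) -> bool:
    """A missing instance (the GET returns nothing once the SA is gone) or any
    value other than the observed active state should raise an alarm."""
    return value == SA_STATE_ACTIVE


if __name__ == "__main__":
    oid = sa_state_oid("94.225.239.70", 131073)
    print(oid)
    print(parse_sa_instance(oid))
    print(hex_octets_to_ipv4("5e e1 ef 46"))
```

The OID returned by sa_state_oid is the one to hand to a poller; with net-snmp that is "snmpget -v2c -c COMMUNITY SRX-ADDRESS OID" (community and address are placeholders for your own values).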

Send NetFlow version 5 from the SRX

set forwarding-options sampling input rate 100
set forwarding-options sampling input run-length 0
set forwarding-options sampling family inet output flow-server 10.128.100.100 port 2055
set forwarding-options sampling family inet output flow-server 10.128.100.100 version 5
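With "sampling input rate 100" the SRX samples one packet in a hundred, so the packet and byte counters in each exported record are sampled values and the collector on 10.128.100.100 has to scale them by the interval carried in the v5 header, or every bandwidth graph is off by a factor of 100. The parser below is an added example, not code from the post or from Juniper: it decodes the NetFlow v5 header and records as they arrive on UDP port 2055, rejects truncated datagrams, and reports both the raw and the scaled counters. The datagram it parses is constructed by build_v5_sample, a test fixture, and the flows in it are made up; the sampling mode bits set in that fixture are an assumed value.

```python
"""Decode NetFlow v5 export datagrams and scale counters by the sampling interval.

Added example, not part of the original post. The sample datagram is constructed.
"""
import struct
from typing import Dict, List

# NetFlow v5 wire layout, network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes


def _ipv4_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ipv4_bytes(addr: str) -> bytes:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return bytes(octets)


def parse_v5(datagram: bytes) -> Dict:
    """Decode one v5 datagram; counters are returned both raw and scaled 1:N."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, sequence,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    # The 16-bit field holds a 2-bit sampling mode and a 14-bit interval (1:N).
    mode, interval = sampling >> 14, sampling & 0x3FFF
    scale = interval or 1
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header announces more records than present")

    records: List[Dict] = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _snmp_in, _snmp_out, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, offset)
        records.append({
            "src": _ipv4_str(src), "dst": _ipv4_str(dst),
            "proto": proto, "sport": sport, "dport": dport, "tcp_flags": tcp_flags,
            "pkts_sampled": pkts, "octets_sampled": octets,
            "pkts_est": pkts * scale, "octets_est": octets * scale,
        })
    return {"sequence": sequence, "sampling_mode": mode,
            "sampling_interval": interval, "records": records}


def build_v5_sample(flows: List[Dict], sampling_interval: int = 100, sequence: int = 1) -> bytes:
    """Pack a constructed v5 datagram so parse_v5 can be exercised offline.

    Test fixture only, not what the SRX emits: uptime and timestamps are zero
    and the sampling mode bits are set to 1 (an assumed value).
    """
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0,
                            (1 << 14) | (sampling_interval & 0x3FFF))
    body = b"".join(
        V5_RECORD.pack(_ipv4_bytes(f["src"]), _ipv4_bytes(f["dst"]), _ipv4_bytes("0.0.0.0"),
                       0, 0, f["pkts"], f["octets"], 0, 0,
                       f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
                       0, 0, 24, 24, 0)
        for f in flows)
    return header + body


def bytes_per_destination(parsed: Dict) -> Dict[str, int]:
    """Estimated octets per destination, the first thing a bandwidth view needs."""
    totals: Dict[str, int] = {}
    for r in parsed["records"]:
        totals[r["dst"]] = totals.get(r["dst"], 0) + r["octets_est"]
    return totals


if __name__ == "__main__":
    # Constructed flows: an HTTPS session and a DNS query crossing the sampled reth0 units.
    sample = build_v5_sample([
        {"src": "10.128.100.5", "dst": "172.16.1.20", "pkts": 3, "octets": 4500,
         "sport": 51234, "dport": 443, "proto": 6, "tcp_flags": 0x18},
        {"src": "10.128.100.5", "dst": "172.16.1.53", "pkts": 1, "octets": 80,
         "sport": 40000, "dport": 53, "proto": 17},
    ])
    parsed = parse_v5(sample)
    for rec in parsed["records"]:
        print(rec)
    print(bytes_per_destination(parsed))
```

Keeping the sampled values next to the estimates matters when a flow record is later used as evidence: the estimate is what goes on the graph, the raw count is what the device actually saw.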

Version 9 (this time it didn't work)

set services flow-monitoring version9 template IPV4-FLOW-MON ipv4-template
set forwarding-options sampling input rate 100
set forwarding-options sampling input run-length 0
set forwarding-options sampling family inet output flow-server 10.128.100.100 port 2222
set forwarding-options sampling family inet output flow-server 10.128.100.100 version9 template IPV4-FLOW-MON
set forwarding-options sampling family inet output inline-jflow source-address 10.128.100.1

SRX syslog

This syslog configuration stores the VPN daemon (kmd) messages in the file vpn-syslog: the file receives daemon-facility messages of any severity, and the match statement keeps only the lines containing kmd. Everything is also forwarded to the syslog host 10.128.100.100.


set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 10.128.100.100 any any
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system syslog file vpn-syslog daemon any
set system syslog file vpn-syslog match kmd

Clear the syslog file

root@srxC-1# run clear log vpn-syslog

To see the events logged when a VPN goes down and is re-established, clear the IPsec security associations and read the log again, as shown below.

root@srxC-1# run show log vpn-syslog
Jun 4 22:02:39 srxC-1 clear-log[12314]: logfile cleared

{primary:node0}[edit]
root@srxC-1# run show security ipsec security-associations
node0:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  131073 ESP:aes-cbc-128/sha1 a5bf0e9f 3035/ unlim - root 500 94.225.239.70

{primary:node0}[edit]
root@srxC-1# run clear security ipsec security-associations

{primary:node0}[edit]
root@srxC-1# run show log vpn-syslog
Jun 4 22:02:39 srxC-1 clear-log[12314]: logfile cleared
Jun  4 22:04:43  srxC-1 kmd[9847]: KMD_VPN_DOWN_ALARM_USER: VPN IKE-VPN-OLDNET from 94.225.239.70 is down. Local-ip: 94.225.233.18, gateway name: IKE-GW-OLDNET, vpn name: IKE-VPN-OLDNET, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.11.11.11, Local IKE-ID: 94.225.233.18, Remote IKE-ID: 94.225.239.70, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

{primary:node0}[edit]
root@srxC-1# run ping 192.168.12.10 interface st0.0 source 10.128.100.1
PING 192.168.12.10 (192.168.12.10): 56 data bytes
64 bytes from 192.168.12.10: icmp_seq=1 ttl=63 time=10.468 ms
64 bytes from 192.168.12.10: icmp_seq=2 ttl=63 time=12.977 ms
^C
--- 192.168.12.10 ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max/stddev = 10.468/11.723/12.977/1.254 ms

{primary:node0}[edit]
root@srxC-1# run show log vpn-syslog
Jun 4 22:02:39 srxC-1 clear-log[12314]: logfile cleared
Jun  4 22:04:43  srxC-1 kmd[9847]: KMD_VPN_DOWN_ALARM_USER: VPN IKE-VPN-OLDNET from 94.225.239.70 is down. Local-ip: 94.225.233.18, gateway name: IKE-GW-OLDNET, vpn name: IKE-VPN-OLDNET, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.11.11.11, Local IKE-ID: 94.225.233.18, Remote IKE-ID: 94.225.239.70, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Jun  4 22:05:00  srxC-1 kmd[9847]: KMD_PM_SA_ESTABLISHED: Local gateway: 94.225.233.18, Remote gateway: 94.225.239.70, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x92a5a74d, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Jun  4 22:05:00  srxC-1 kmd[9847]: KMD_PM_SA_ESTABLISHED: Local gateway: 94.225.233.18, Remote gateway: 94.225.239.70, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xa5bf0ea0, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Jun  4 22:05:00  srxC-1 kmd[9847]: KMD_VPN_UP_ALARM_USER: VPN IKE-VPN-OLDNET from 94.225.239.70 is up. Local-ip: 94.225.233.18, gateway name: IKE-GW-OLDNET, vpn name: IKE-VPN-OLDNET, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.11.11.11, Local IKE-ID: 94.225.233.18, Remote IKE-ID: 94.225.239.70, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
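The three kmd message types above (KMD_VPN_DOWN_ALARM_USER, KMD_PM_SA_ESTABLISHED, KMD_VPN_UP_ALARM_USER) are what a monitoring rule on the syslog host would key on. The tracker below is an added example, not code from the post: it parses those lines, keeps the current up/down state and the inbound/outbound SPIs per VPN, and lists VPNs that have gone down more often than a threshold, which is the usual sign of a flapping tunnel. The sample log is copied from the "show log vpn-syslog" output above; the threshold and the regular expressions are my own.

```python
"""Track IPsec tunnel state from the kmd messages collected in vpn-syslog.

Added example, not part of the original post. SAMPLE_LOG is copied from the
"show log vpn-syslog" output above.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Jun 4 22:02:39 srxC-1 clear-log[12314]: logfile cleared
Jun  4 22:04:43  srxC-1 kmd[9847]: KMD_VPN_DOWN_ALARM_USER: VPN IKE-VPN-OLDNET from 94.225.239.70 is down. Local-ip: 94.225.233.18, gateway name: IKE-GW-OLDNET, vpn name: IKE-VPN-OLDNET, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.11.11.11, Local IKE-ID: 94.225.233.18, Remote IKE-ID: 94.225.239.70, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Jun  4 22:05:00  srxC-1 kmd[9847]: KMD_PM_SA_ESTABLISHED: Local gateway: 94.225.233.18, Remote gateway: 94.225.239.70, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x92a5a74d, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Jun  4 22:05:00  srxC-1 kmd[9847]: KMD_PM_SA_ESTABLISHED: Local gateway: 94.225.233.18, Remote gateway: 94.225.239.70, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xa5bf0ea0, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Jun  4 22:05:00  srxC-1 kmd[9847]: KMD_VPN_UP_ALARM_USER: VPN IKE-VPN-OLDNET from 94.225.239.70 is up. Local-ip: 94.225.233.18, gateway name: IKE-GW-OLDNET, vpn name: IKE-VPN-OLDNET, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.11.11.11, Local IKE-ID: 94.225.233.18, Remote IKE-ID: 94.225.239.70, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
"""

# Syslog prefix: "Mon  D HH:MM:SS  host kmd[pid]: "
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<host>\S+) kmd\[\d+\]: "
ALARM_RE = re.compile(
    _PREFIX + r"KMD_VPN_(?P<state>UP|DOWN)_ALARM_USER: VPN (?P<vpn>\S+) from (?P<peer>\S+) "
              r"is (?:up|down)\..*?tunnel-id: (?P<tid>\d+)")
SA_RE = re.compile(
    _PREFIX + r"KMD_PM_SA_ESTABLISHED: .*?Remote gateway: (?P<peer>[^,]+),.*?"
              r"Direction: (?P<direction>inbound|outbound), SPI: (?P<spi>0x[0-9a-fA-F]+)")


class TunnelTracker:
    """Per-VPN state fed one syslog line at a time."""

    def __init__(self) -> None:
        self.state: Dict[str, str] = {}                                  # vpn -> "up" | "down"
        self.events: Dict[str, List[Tuple[str, str]]] = defaultdict(list)  # vpn -> [(ts, state)]
        self.spis: Dict[str, Dict[str, str]] = defaultdict(dict)         # peer -> direction -> SPI

    def feed(self, line: str) -> Optional[str]:
        """Return the event recognised in `line` ("up", "down" or "sa"), else None."""
        m = ALARM_RE.match(line)
        if m:
            new_state = m["state"].lower()
            self.state[m["vpn"]] = new_state
            self.events[m["vpn"]].append((m["ts"], new_state))
            return new_state
        m = SA_RE.match(line)
        if m:
            # A rekey replaces the SPI; keeping the latest one lets you match
            # it against "show security ipsec security-associations".
            self.spis[m["peer"]][m["direction"]] = m["spi"]
            return "sa"
        return None

    def down_count(self, vpn: str) -> int:
        return sum(1 for _, s in self.events.get(vpn, []) if s == "down")

    def flapping(self, threshold: int) -> List[str]:
        """VPNs that went down at least `threshold` times in the lines seen so far."""
        return sorted(v for v in list(self.events) if self.down_count(v) >= threshold)


def replay(log: str) -> TunnelTracker:
    tracker = TunnelTracker()
    for line in log.splitlines():
        tracker.feed(line)
    return tracker


if __name__ == "__main__":
    t = replay(SAMPLE_LOG)
    print(t.state, dict(t.spis))
    print("flapping:", t.flapping(2))
```

Run over a full day of vpn-syslog, flapping(threshold) with a low threshold is a cheap way to spot a peer that keeps dropping the SA, and the recorded timestamps tell you whether the drops line up with the lifetime in the "show security ipsec security-associations" output.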

References

Configuring snmp agent

SNMP traps

SNMP statistics

YouTube: Bandwidth Monitoring with flows

SRX Getting started configuring Jflow

[Junos] How to find the SNMP OID which corresponds to the SNMP object name

TU ru ru ru rUUUUUUU