Another useful SRX command for looking at IPSec tunnels

12 08 2015

This is a new one on me – obviously I’ve not been paying much attention since it has been around since 10.2!

On 12.1X45-D15.5 the counters for packets/bytes all show zero, but at least you can see that your tunnel is up and what the various parameters in use are…  See below: Read the rest of this entry »





Useful SRX debugging blog

12 08 2015

Just came across a useful debugging guide for site-to-site IPSec VPNs on Juniper SRX. It is a bit confusing because in steps 2 and 3, where it says [LOCAL PEER IP] it should actually say [REMOTE PEER IP].   But otherwise, this is a very useful set of instructions. Read the rest of this entry »





A nice SRX command I’ve never come across before

11 08 2015

Not sure why this command has to be so obscure, but I stumbled on this while writing a training course tonight – quite a nice way to see if packets are hitting your policies:

imtech@srx220-1-POD3> show security policies hit-count 
Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       VR3a             VR3b              P1             0            
 2       VR3a             untrust           3to1VPN        8320         
 3       VR3a             untrust           P1             3249         
 4       VR3b             VR3a              P1             0            
 5       VR3b             untrust           P1             0            
 6       untrust          junos-host        P1             8            
 7       untrust          VR3a              1to3           5523         
 8       untrust          VR3a              P1             5            
 9       untrust          VR3b              permit-to-3b   0            
 10      untrust          VR3b              DEFAULT-DENY   16