Another useful SRX command for looking at IPSec tunnels

12 08 2015

This is a new one on me – obviously I’ve not been paying much attention since it has been around since 10.2!

On 12.1X45-D15.5 the counters for packets/bytes all show zero, but at least you can see that your tunnel is up and what the various parameters in use are…

Useful SRX debugging blog

12 08 2015

Just came across a useful debugging guide for site-to-site IPSec VPNs on Juniper SRX. It is a bit confusing because in steps 2 and 3, where it says [LOCAL PEER IP] it should actually say [REMOTE PEER IP]. But otherwise, this is a very useful set of instructions.

A nice SRX command I’ve never come across before

11 08 2015

Not sure why this command has to be so obscure, but I stumbled on this while writing a training course tonight – quite a nice way to see if packets are hitting your policies:

imtech@srx220-1-POD3> show security policies hit-count
Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       VR3a             VR3b              P1             0
 2       VR3a             untrust           3to1VPN        8320
 3       VR3a             untrust           P1             3249
 4       VR3b             VR3a              P1             0
 5       VR3b             untrust           P1             0
 6       untrust          junos-host        P1             8
 7       untrust          VR3a              1to3           5523
 8       untrust          VR3a              P1             5
 9       untrust          VR3b              permit-to-3b   0
 10      untrust          VR3b              DEFAULT-DENY   16

VIRL versus Junosphere

9 06 2015

I’ve been using Junosphere a lot recently, and it’s a great tool – quick and easy creation of topologies without the need to go to a physical lab to try things out. Takes the guesswork out of a lot of things, which is a real bonus. There are obviously a few things you can’t do in a virtual environment that would be possible in a real one (e.g. QoS, MTU greater than 2000 bytes, MS-MIC in an MX), but it caters for 80% of what you need.

I always thought that it put Juniper leagues ahead of Cisco because you can buy credits to use the system right on the front page. Cisco were late to the party with something called VIRL – Virtual Internet Routing Lab. They were late, but rumour had it that a lot of developers moved from Juniper to Cisco to bring VIRL about. However, Junosphere always had the edge for the networking student (as we all remain, whether we are JNCIE or not) because of its accessibility – with VIRL you had to be a Cisco customer and gain access through your account manager. I’ll stick with GNS3, thanks!

That appears to have changed now, and you can get access to VIRL ‘personal edition’ for $199 per year. Now we’re talking. Since it runs on OpenStack, you can run up other third-party VMs alongside NX-OS, IOS and IOS-XE. Network Inferno has a nice guide on integrating Juniper’s vSRX (formerly Firefly) into VIRL, which looks pretty comprehensive, although I’ve not tried it yet.

I think I need to get a copy of this – the only problem is that it needs me to get a new quad-core laptop with the virtualization extensions enabled in the BIOS to replace my cranky old Lenovo. Ho hum!

SRX – “VPN monitoring” causes IPSec to bounce

7 04 2014

Just making a note here because this will probably trip me up again in the future: I have a customer with a VPN running from an SRX650 on 11.4R9.4 to a variety of other devices. One of these is some kind of Huawei device, and the other a Vyatta router. I’ve no idea what versions or models these are because they’re not under the customer’s control.

Junos SRX web filtering and Websense

26 04 2010

Ah – another bug-ette, unfortunately. It seems that if you are using a Websense server for your URL filtering, and the Websense server goes away for a while (e.g. while it reboots), the SRX doesn’t bother re-connecting.

There’s a timeout you can set, which I’ve not tried yet, but JTAC has verified that the disconnect happens within a few minutes.

What’s disappointing about this is that there’s no way in Junos to specify a secondary server – you can’t do it in the feature-profile or with a second policy. So in a way, the timeout doesn’t make any sense: there’s no second option to fall back on.

The disconnect is going to be fixed in 10.1R2, and the fix might be available via a special engineering build if you press hard enough. I plan to log the ‘backup server’ idea as a feature request.

Unified Threat Management (UTM) on Junos is BAD

25 03 2010

I probably shouldn’t say this, but UTM on Junos with their new SRX devices… (ahem)… is not very good. Juniper support is excellent, and the base features of the device are good, but there are a few caveats:

1. Don’t do too much logging
2. Especially, don’t log too much to the device’s filesystem
3. Don’t implement large whitelists/blacklists (particularly with wildcard filtering on URLs)

Juniper’s support on this product is (as usual) excellent, and far surpasses any other manufacturer’s level of help. However, there are some bits of code in this box that haven’t undergone the level of testing you might expect.

Junos 10.0R3 is therefore what we should all be waiting for – available in April. It includes almost 300 fixes (just fixes – no new features), and they have re-worked how they do QA on the entire product line.

If you’re struggling with an SRX right now, I’d be really interested to hear from you. In the meantime, let’s hope that 10.0R3 is going to alleviate some of our pain…