SRX Services Gateway
Contributor
cksoo
Posts: 10
Registered: ‎10-10-2010
0

Interface ge-0/0/0 always hang every 2 hours

Hi ,

I just deployed a unit of SRX 210mh to replace my SSG 5. I only use it as a firewall and IPsec VPN, without UTM enabled.

However, my untrust interface, ge-0/0/0, always hangs every 2 hours without any notice. I have tried to disable and enable the interface, however the interface is still unable to communicate.

This problem only happens on interface ge-0/0/0; my trust interface fe-0/0/7 did not have any problem, and I am able to log in to the SRX from trust interface fe-0/0/0 when ge-0/0/0 is hung.

Has anyone experienced this problem before? If yes, can you please share your solution with me.

Below is my SRX configuration file.



## Last changed: 2012-04-22 02:14:04 UTC
version 10.0R1.8;
system {
    host-name NTTSRX_01;
    root-authentication {
        encrypted-password "$1$Howgch2Q$o4zYknFYpITtrN2mb5xbu1";
    }
    name-server {
        203.115.225.9;
        203.115.225.24;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 fe-0/0/2.0 ge-0/0/0.0 ];
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    interface-range interfaces-trust {
        member fe-0/0/6;
        member fe-0/0/7;
        member fe-0/0/3;
        member ge-0/0/1;
        member fe-0/0/5;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/0 {
        enable;
        speed 100m;
        mtu 1500;
        link-mode full-duplex;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family inet {
                s /25;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                address /24;
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family inet {
                address 29;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.11.11.1/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop ;
        route 192.168.111.0/24 next-hop st0.0;
    }
}
security {
    ike {
        proposal ike-proposal {
            authentication-method pre-shared-keys;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy {
            mode main;
            proposals ike-proposal;
            pre-shared-key ascii-text "$9$nxeB9pOEcrML7k.fQ39u0";
        }
        gateway ike-gateway {
            ike-policy ike-policy;
            address 203.115.248.34;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 3;
            threshold 3;
        }
        proposal ipsec-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ipsec-policy {
            proposals ipsec-proposal;
        }
        vpn ipsec-gateway {
            bind-interface st0.0;
            vpn-monitor;
            ike {
                gateway ike-gateway;
                ipsec-policy ipsec-policy;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            address-persistent;
            rule-set rs1 {
                from zone trust;
                to zone untrust;
                rule r1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set RS2 {
                from interface fe-0/0/4.0;
                to interface ge-0/0/0.0;
                rule r2 {
                    match {
                        source-address 192.168.1.16/32;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address local-net 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                fe-0/0/2.0;
                fe-0/0/3.0;
            }
        }
        security-zone untrust {
            address-book {
                address remote-net 192.168.111.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                    ike;
                    https;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/0.0;
            }
        }
        security-zone DMZ {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                fe-0/0/4.0;
                fe-0/0/5.0;
            }
        }
        security-zone vpn {
            address-book {
                address remote-net 192.168.111.0/24;
            }
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            inactive: policy any-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone DMZ {
            policy Untrust2DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy VPN_CBJ_UBN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy VPN_UBN_CBJ {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    alg {
        dns disable;
        ftp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
Super Contributor
AdamLin
Posts: 167
Registered: ‎08-02-2010
0

Re: Interface ge-0/0/0 always hang every 2 hours

Hello,

I'd start with upgrading to 10.4 or higher; 10.0R1 is not really a stable release.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476
If that doesn't solve it, I'd remove all "optional" options on the interface, and check logs.
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Contributor
cksoo
Posts: 10
Registered: ‎10-10-2010
0

Re: Interface ge-0/0/0 always hang every 2 hours

Hi Adam, thanks for the reply. I just upgraded from version 10.0 to 11.4 and am now monitoring the interface. Besides that, may I know how you check the logs, as I found that SRX logging is really poor and I do not have a syslog server. Can you please advise?
Super Contributor
AdamLin
Posts: 167
Registered: ‎08-02-2010
0

Re: Interface ge-0/0/0 always hang every 2 hours


Hi, the SRX logging is actually quite powerful, under system syslog you can use "file" instead of "host" to write logs to a file, just like "messages" which should be there by default, although it's normally not logging a whole lot to save the RE.
You can increase the verbosity under the file stanza.
You could also configure traceoptions for the interfaces.

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
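The two pieces of advice above, a more verbose local log file and interface traceoptions, as an added configuration example that is not from the original posts (file names and severities are chosen here; the poster's existing messages file only logs "any critical"):

```junos
system {
    syslog {
        /* raise the existing messages file from critical to notice
           so link up/down and daemon events are actually written */
        file messages {
            any notice;
            authorization info;
        }
        /* separate file for interface and kernel events, kept small */
        file interface-events {
            daemon info;
            kernel info;
            archive size 1m files 3;
        }
    }
}
interfaces {
    /* global trace file for the interface daemon (dcd) */
    traceoptions {
        file dcd.log size 1m files 3;
        flag all;
    }
    /* per-interface tracing limited to the interface that stalls */
    ge-0/0/0 {
        traceoptions {
            flag all;
        }
    }
}
```

After commit, "show log messages | match ge-0/0/0", "show log dcd.log" and "show interfaces ge-0/0/0 extensive" (last flapped time, input/output error counters) are the places to look the next time the interface stops passing traffic; remove the traceoptions once the problem is understood, since "flag all" is chatty on a small RE.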
Contributor
cksoo
Posts: 10
Registered: ‎10-10-2010
0

Re: Interface ge-0/0/0 always hang every 2 hours

Hi All, problem solved after upgrading Junos from version 10.0R1 to version 11.4. Thanks for the advice given.