SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX doesn't pass HTTP traffic.

    Posted 07-12-2015 22:38

    Hi All,

    So I've connected my SRX 100B to the Internet using PPPoE.

    This is how my setup looks: Internet > SRX > LAN.

    From the SRX and the LAN I'm able to ping the Internet. However, when I try to browse, it fails.

    In fact, when I try from Chrome, as I type into the address bar I see suggestions pop up; however, when I try to connect to a site, it doesn't work.

    I saw similar questions in the forum, but the solutions didn't work.

    Please let me know if I'm missing something.

    Here's the relevant config:

    shyam@SRX# run show configuration
    ## Last commit: 2015-07-12 11:34:59 UTC by shyam
    version 10.4R4.5;
    system {
        host-name SRX;
        root-authentication {
            encrypted-password "$1$nLZR1jQE$uu.VTm59yiZtsw9XPaGIs/"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
            4.2.2.2;
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 172.16.1.1/24;
                }
            }
        }
        pp0 {
            description "Connection to Internet";
            unit 0 {
                ppp-options {
                    pap {
                        default-password "$9AuO/9lF9ABIEcreEh"; ## SECRET-DATA
                        local-name "abc@xyz.com";
                        local-password "$9$PfFAtp1RrevWX7vM"; ## SECRET-DATA
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface fe-0/0/0.0;
                    idle-timeout 0;
                    auto-reconnect 5;
                    client;
                }
                family inet {
                    mtu 1492;
                    negotiate-address;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.0;
        }
    }
    security {
        nat {
            source {
                rule-set NAT-ALL {
                    from zone trust;
                    to zone untrust;
                    rule 1 {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/1.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ping;
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                all;
                            }
                        }
                    }
                    pp0.0;
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy ALLOW-WEB {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-http junos-https ];
                    }
                    then {
                        permit {
                            firewall-authentication {
                                web-authentication {
                                    client-match shyam;
                                }
                            }
                        }
                    }
                }
                policy ALLOW-INTERNET {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        flow {
            tcp-session {
                no-syn-check;
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
        }
    }
    
    [edit]
    shyam@SRX#

    There's a modem between the Internet and the SRX, which is placed in bridged mode. However, I don't think this could be causing any issue since ping works well.

    Please suggest; thank you in advance.



  • 2.  RE: SRX doesn't pass HTTP traffic.

    Posted 07-12-2015 23:07

    When you say HTTP is not working, is everything else working, like ping to 4.2.2.2 from the SRX and LAN?

    Also, can you try telnet to 4.2.2.2 on port 80?



  • 3.  RE: SRX doesn't pass HTTP traffic.
    Best Answer

    Posted 07-12-2015 23:11

    Hello,

    Can you check the same by removing the firewall authentication and see if the web page is loading? Also, I cannot see the "access" configuration for that user.



  • 4.  RE: SRX doesn't pass HTTP traffic.

    Posted 07-12-2015 23:16

    Hello,

    For example:

    set access profile Shyam client Shyam firewall-user password <pwd>
    set access firewall-authentication web-authentication default-profile Shyam
    set access firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"


  • 5.  RE: SRX doesn't pass HTTP traffic.

    Posted 07-14-2015 00:59

    @Suraj: Thanks for trying to help out.

    @Sam: Two things here:

    1. HTTP traffic is passing after removing firewall authentication and the policy associated with it.

    However, my Internet connection is pretty slow when it passes through the SRX. Also, some websites like speedtest.net don't open at all. When I remove the SRX from the topology, the connection is fast like it should be.

    Do I need to change some TCP settings, or is it something else?

    2. Why does HTTP not work with firewall authentication turned on? Is it because the security policy that authenticates is above the policy that allows normal traffic?

    Regards.



  • 6.  RE: SRX doesn't pass HTTP traffic.

    Posted 07-14-2015 02:01

    Hello,

    1. HTTP traffic is passing after removing firewall authentication and the policy associated with it.

    However, my Internet connection is pretty slow when it passes through the SRX. Also, some websites like speedtest.net don't open at all. When I remove the SRX from the topology, the connection is fast like it should be.

    Do I need to change some TCP settings, or is it something else?

    > Can you try to configure the following and see if that makes any difference:

    #set security flow tcp-mss all-tcp mss 1300

    2. Why does HTTP not work with firewall authentication turned on? Is it because the security policy that authenticates is above the policy that allows normal traffic?

    > It looks like the web authentication is not getting authenticated properly. Also, have you tried configuring the access configuration that I shared and testing this again?

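    Putting Sam's two suggestions together (the access profile from reply 4 and the TCP MSS clamp from reply 6) with the policy that refers to them, as an added worked example; this is not part of the thread and not Juniper's own example. The background to question 2 in reply 5: SRX security policies are evaluated top-down and the first match wins, so HTTP from the LAN hit ALLOW-WEB before it could reach ALLOW-INTERNET, and a permit with web-authentication only passes traffic from a source address the SRX has already seen log in at its web-authentication address; with no access profile behind `client-match shyam`, that login could never succeed, so HTTP was dropped while ping simply fell through to ALLOW-INTERNET. The profile name WEB-USERS, the password placeholder and the choice to run the login page on the existing LAN address 172.16.1.1 are assumptions; the interface, zone, user and policy names come from the posted config, and the MSS value is the 1400 the ISP specified later in the thread. Comment lines are explanatory only and are not Junos syntax.

```junos
# --- Access profile the web-authentication policy needs (missing from the posted config).
#     Profile name WEB-USERS and the password are placeholders (assumption).
set access profile WEB-USERS client shyam firewall-user password "<replace-me>"
set access firewall-authentication web-authentication default-profile WEB-USERS
set access firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"

# --- Login page on the LAN-side address the user must browse to before ALLOW-WEB passes
#     anything (assumption: reusing the existing fe-0/0/1.0 address).
set interfaces fe-0/0/1 unit 0 family inet address 172.16.1.1/24 web-authentication http
set system services web-management http interface fe-0/0/1.0

# --- Policy order matters: ALLOW-WEB is evaluated before ALLOW-INTERNET, so keep its
#     application list narrow and leave the unauthenticated catch-all below it.
set security policies from-zone trust to-zone untrust policy ALLOW-WEB match source-address any
set security policies from-zone trust to-zone untrust policy ALLOW-WEB match destination-address any
set security policies from-zone trust to-zone untrust policy ALLOW-WEB match application [ junos-http junos-https ]
set security policies from-zone trust to-zone untrust policy ALLOW-WEB then permit firewall-authentication web-authentication client-match shyam

# --- pp0.0 carries mtu 1492 (PPPoE overhead); clamp the TCP MSS so LAN hosts never send
#     segments that would need fragmentation. 1400 is the ISP-specified value from this
#     thread; 1452 (1492 minus 20-byte IPv4 and 20-byte TCP headers) is the largest that fits.
set security flow tcp-mss all-tcp mss 1400

# --- Operational checks after commit ("run" lets you issue them from configuration mode,
#     as in the original "run show configuration"):
#     largest unfragmented ICMP payload the path carries (1464 = 1492 minus 20-byte IP
#     and 8-byte ICMP headers); a failure here points at the MTU/MSS problem, not policy
run ping 4.2.2.2 size 1464 do-not-fragment count 3
#     confirm the user shows as authenticated before expecting ALLOW-WEB to pass traffic
run show security firewall-authentication users
#     see which policy the LAN's HTTP sessions actually land on
run show security flow session destination-port 80
```

    Separately, the posted untrust zone allows every host-inbound system service on fe-0/0/0.0 and pp0.0 and sets `tcp-session no-syn-check`; neither is needed for either problem in this thread, and a production configuration would restrict untrust host-inbound services to the minimum and leave SYN checking on.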


  • 7.  RE: SRX doesn't pass HTTP traffic.

    Posted 07-15-2015 00:06

    Thanks, Sam.

    I realized that the MSS value specified by my ISP is 1400; after setting this, things work fine.

    Thank you again.

    I still need to try the web authentication configuration one more time; will update soon.



  • 8.  RE: SRX doesn't pass HTTP traffic.

    Posted 07-15-2015 00:12

    Hello,

    Thanks for the update. Glad that it helped. Please let us know if you have any concerns regarding Web authentication.