SRX Services Gateway
Showing results for 
Search instead for 
Do you mean 
Reply
Contributor
Posts: 82
Registered: ‎07-10-2010
0 Kudos

SRX210 running 10.4 dynamic vpn license

Hi,

 

Just tested the new dynamic vpn wizard with local assigned ip address on 10.4r1.  It is working great.   Now the alarm led is turnning amber.  I believe it has to do with missing dynamic vpn license,

 

root@SRX210> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           1            0           1    invalid
  ax411-wlan-ap                         0            2           0    permanent

Licenses installed: none

root@SRX210>

 

Ain't the SRX1xx, 2xx come with 2 dynamic vpn license as default?  Did I miss something?

 

Thanks,

 

rotearc

Trusted Contributor
Posts: 123
Registered: ‎11-27-2010
0 Kudos

Re: SRX210 running 10.4 dynamic vpn license

Dear rotearc,

 

2 Licenses are included

 

Note: If more than two simultaneous user connections are required, a dynamic VPN license must be installed

 

Source: LINK

Trusted Contributor
Posts: 236
Registered: ‎06-11-2010
0 Kudos

Re: SRX210 running 10.4 dynamic vpn license

It would be nice if the alarm LED didn't turn on for the default two Dynamic VPN connections though.

 

mawr

Contributor
Posts: 82
Registered: ‎07-10-2010
0 Kudos

Re: SRX210 running 10.4 dynamic vpn license

 

show system license on your SRX, do you see any dynamic vpn license listed?  I don't see any on mine.  The "2 users" licenses are missing since 10.2 and above.
rotearc

NULL wrote:

Dear rotearc,

 

2 Licenses are included

 

Note: If more than two simultaneous user connections are required, a dynamic VPN license must be installed

 

Source: LINK


 

Contributor
Posts: 82
Registered: ‎07-10-2010
0 Kudos

Re: SRX210 running 10.4 dynamic vpn license

 

I don't think Juniper fixed the "2 users free/demo" dynamic vpn license on 10.4 yet..

mawr wrote:

It would be nice if the alarm LED didn't turn on for the default two Dynamic VPN connections though.

 

mawr


 

Contributor
Posts: 82
Registered: ‎12-11-2009
0 Kudos

Re: SRX210 running 10.4 dynamic vpn license

 


rotearc wrote:

 

show system license on your SRX, do you see any dynamic vpn license listed?  I don't see any on mine.  The "2 users" licenses are missing since 10.2 and above.
rotearc

NULL wrote:

Dear rotearc,

 

2 Licenses are included

 

Note: If more than two simultaneous user connections are required, a dynamic VPN license must be installed

 

Source: LINK


 


That should be the 'normal' behavior that the free dynamic vpn license is not listed anymore.

 

Contributor
Posts: 82
Registered: ‎07-10-2010
0 Kudos

Re: SRX210 running 10.4 dynamic vpn license

 

Gosi,
If that is the case, why is the alarmd is complaining and filling up the message log file with these,
Dec 12 15:54:17  SRX210 alarmd[1082]: LICENSE_EXPIRED: License for feature dynamic-vpn(55) expired
Dec 12 15:55:17  SRX210 alarmd[1082]: LICENSE_EXPIRED: License for feature dynamic-vpn(55) expired
Dec 12 15:56:17  SRX210 alarmd[1082]: LICENSE_EXPIRED: License for feature dynamic-vpn(55) expired
Dec 12 16:07:17  SRX210 last message repeated 11 times
Dec 12 16:17:17  SRX210 last message repeated 10 times

gosi wrote:

 


That should be the 'normal' behavior that the free dynamic vpn license is not listed anymore.

 


 

Contributor
Posts: 82
Registered: ‎12-11-2009
0 Kudos

Re: SRX210 running 10.4 dynamic vpn license

Hi rotearc,

 

that is a good question! Please open a ticket on JTAC and ask them if this is a bug. I'm interested on this answer too!

Contributor
Posts: 226
Registered: ‎08-07-2010
0 Kudos

Re: SRX210 running 10.4 dynamic VPN license

[ Edited ]

I have same problem in junos 10.4.

I think there is not feature for free license for dynamic VPN for ever for two users am using the dynamic VPN smoothly from about one months, but today I get same problem unexpectedly. I can't solve the problem so I Downgraded the OS 10.4 to 10.0 hoping that will resolve the problem.

 

If license need for free two user, how to get the license for dynamic VPN. I get to study there is change in 10.4 for dynamic VPN, may this cause the occuring the problem

Super Contributor
Posts: 313
Registered: ‎09-30-2009
0 Kudos

Re: SRX210 running 10.4 dynamic VPN license

There is most def a license for two users by default.

 

However, I have seen PULSE, specifically 1.3 not clean-up ike / ipsec SAs very well so they might be hung.

 

Check by issuing "show security ike security-association"

 

If they are hung, clear by...

 

admin@SRX240A_0011_Mark_Cole> clear security dynamic-vpn user <username> ike-id <ike-id>

 

And yes, the license doesn't show anymore with "show system license".

Contributor
Posts: 226
Registered: ‎08-07-2010
0 Kudos

Re: SRX210 running 10.4 dynamic VPN license

Hi Cole,

 

The commands, clear security dynamic-vpn user <username> ike-id <ike-id>,  you posted is not supported in srx.

 

root@abo> show security dynamic-vpn users gs
                                                                         ^
syntax error, expecting <command>.
root@abo> show security dynamic-vpn users gs

 

I think you are worong

Super Contributor
Posts: 313
Registered: ‎09-30-2009
0 Kudos

Re: SRX210 running 10.4 dynamic VPN license

[ Edited ]

EDIT, late night, even earlier morning...

 

remove the "s" from users.

 

admin@labgw-fw> show security dynamic-vpn users
User: mcole , Number of connections: 1
    Remote IP: 76.7.X.X
    IPSEC VPN: wizard_dyn_vpn
    IKE gateway: gw_wizard_dyn_vpn
    IKE ID   : mcolesrxlab
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED


admin@labgw-fw> clear security dynamic-vpn user mcole ike-id mcolesrxlab
Connection entry for user mcole has been cleared

admin@labgw-fw>

Contributor
Posts: 226
Registered: ‎08-07-2010
0 Kudos

Re: SRX210 running 10.4 dynamic VPN license

Hi cobe,

 

root@abo> show security dynamic-VPN users
User: ghanshyam , Number of connections: 1
    Remote IP: 202.x.x.x
    IPSEC VPN: dynamic-VPN-dilip
    IKE gateway: dyn-gw-test
    IKE ID   : ghanshyam
    IKE Lifetime: 3600
    IPSEC Lifetime: 28800
    Status: CONNECTED

 

But the command, clear security dynamic-VPN ..........., doesn't work.

it look as when I entered

root@abo> clear security dynamic-VPN
                                                          ^
syntax error, expecting <command>.
root@abo> clear security dynamic-VPN

 

If u able to enter this command, why don't I  enter ?and like to post, I can't omit from 's' from 'users' without it shows as above.Just check this command once  again to conform

Super Contributor
Posts: 313
Registered: ‎09-30-2009
0 Kudos

Re: SRX210 running 10.4 dynamic VPN license

It's case sens...  don't caps.  VPN.  just vpn.  dynamic-vpn.

Contributor
Posts: 226
Registered: ‎08-07-2010
0 Kudos

Re: SRX210 running 10.4 dynamic VPN license

Again I am getting the same error

 

root@abo# run clear security dynamic-vpn
                                                     ^
syntax error, expecting <command>.
root@abo# run clear security dynamic-vpn

Highlighted
Super Contributor
Posts: 313
Registered: ‎09-30-2009
0 Kudos

Re: SRX210 running 10.4 dynamic VPN license

Did you down-grade?

 

Platform, version?

Contributor
Posts: 25
Registered: ‎02-03-2011
0 Kudos

Re: SRX210 running 10.4 dynamic VPN license

Just wanted to confirm that the clear command works for me running 10.4R2.7 on a SRX100

 

 

clear security dynamic-vpn user *username* ike-id *ike-id*

 

 

I found that if you just close access manager without disconnecting the license assignment seems to hang for a bit.  I've not tested for how long it hangs yet.  Could be a nasty issue if you have say a 25 user dynamic vpn license, and users are fond of just "x"ing out of access manager or just shutting down their PCs.

 

if I figure out why they hang or for how long I will post the results.