SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-24-2015 12:52

    It's for a totally segmented VLAN with just one host. I don't see why it's so high. Is there any way to check any logs/debug to see what all the rejects are coming from?



  • 2.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-24-2015 14:22
    Hi,

    Input packet rejects—Number of packets that the filter rejected because of either the source MAC address or the destination MAC address.

    You need to check your filter configuration.

    You can also check this out by:

    - show security flow session
    - use traceoptions
    - use tcpdump
    - sample / packet capture filter


  • 3.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-25-2015 00:28

    How do I sample/capture all packets on an interface?



  • 4.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400



  • 5.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-25-2015 10:47

    It turned out to be this protocol: https://wiki.wireshark.org/Loop that was enabled on the port 



  • 6.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-25-2015 13:02
    Hi,

    Did you solve it by turning off the BPDUs on the interface?


  • 7.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-26-2015 06:33
    It was not BPDU, it was this protocol: https://supportforums.cisco.com/discussion/11252611/loop-protocol

    Never heard of it before.
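
An added example, not part of the original thread: a Python sketch that takes raw Ethernet frames from a capture on the port and counts, per sender, the ones not addressed to the receiving interface, labelling Loop (EtherType 0x9000) frames. It assumes such frames are what the MAC-based reject counter described above is counting; the MAC addresses and sample frames are constructed.

```python
import struct
from collections import Counter

ETHERTYPE_LOOP = 0x9000   # Ethernet Configuration Testing Protocol ("Loop")
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame):
    """Return (dst, src, ethertype) of an Ethernet II frame, skipping one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack("!H", frame[16:18])
    return dst, src, ethertype

def is_for_us(dst, local_mac):
    """True for unicast to our MAC or any group (multicast/broadcast) address."""
    return dst == local_mac or bool(dst[0] & 0x01)

def foreign_frames(frames, local_mac):
    """Count frames not addressed to local_mac, keyed by (source MAC, label)."""
    counts = Counter()
    for frame in frames:
        dst, src, ethertype = parse_header(frame)
        if is_for_us(dst, local_mac):
            continue
        label = f"0x{ethertype:04x}"
        if ethertype == ETHERTYPE_LOOP:
            # Keepalive form: the sender addresses the frame to its own MAC.
            label = "loop-keepalive" if dst == src else "loop"
        counts[(fmt_mac(src), label)] += 1
    return counts

# Constructed sample data (not from the thread): MACs and payloads are made up.
SRX_MAC = bytes.fromhex("02005e000001")
SWITCH_MAC = bytes.fromhex("02005e0000aa")
KEEPALIVE = SWITCH_MAC + SWITCH_MAC + struct.pack("!H", ETHERTYPE_LOOP) + bytes(46)
ARP_BCAST = b"\xff" * 6 + SWITCH_MAC + struct.pack("!H", 0x0806) + bytes(46)
TO_SRX = SRX_MAC + SWITCH_MAC + struct.pack("!H", 0x0800) + bytes(46)
SAMPLE = [KEEPALIVE] * 6 + [ARP_BCAST, TO_SRX]

if __name__ == "__main__":
    for (src, label), n in foreign_frames(SAMPLE, SRX_MAC).most_common():
        print(f"{n:4d}  {src}  {label}")
```

A single sender whose count grows in step with the interface counter points at the device to reconfigure.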


  • 8.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-26-2015 09:38

    Oh, I see, you need to configure the no-keepalive.

     
    [edit interfaces interface-name]
    no-keepalives;


  • 9.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-26-2015 10:16

    It was plugged into a Cisco switch. We disabled it on that port, then the counter stopped. I guess you mean that we should disable it on the other end, right (the Cisco in this case)?

    Because I can't find any way to set this on the interface on the SRX. I can only find documents for no-keepalive regarding Frame Relay and GRE.



  • 10.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-26-2015 10:53
    Hi,

    Do you mean how to disable no-keepalives on Juniper SRX?

    http://www.juniper.net/documentation/en_US/junos12.3/topics/task/configuration/interfaces-configuring-keepalives.html

    But if you disable it on the Cisco side, then it's OK 🙂


  • 11.  RE: Very high number of "Input packet rejects" on a interface (increasing) on a 1400

    Posted 11-26-2015 10:59

    No, what I meant was to ask whether you meant to disable it on the firewall or the Cisco side. Since it's the Cisco device that is sending out the packet, I assumed that you meant on the switch (that command doesn't seem to exist on the SRX). Also, as I wrote, according to the document it seems to be more for:

     

    "By default, physical interfaces configured with Cisco HDLC or PPP encapsulation send keepalive packets at 10-second intervals. The Frame Relay term for keepalives is LMI packets; the Junos OS supports both ANSI T1.617 Annex D LMIs and ITU Q933 Annex A LMIs. On ATM networks, OAM cells perform the same function. You configure OAM cells at the logical interface level; for more information"

     

    I don't even know what some of this stuff is, except that it has nothing to do with my environment/configuration 😛