SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

srx340 as a switch and gateway router

  • 1.  srx340 as a switch and gateway router

    Posted 05-11-2016 09:55

    Hello all,

    I've just got my hands on a brand new shiny SRX340. All it's good for at the moment is a foot rest though, because I can't seem to be able to put basic configuration on it.

    I have a load of 240s, which I use for VPN access from remote sites. One port is routed for internet access and the rest are switchports, which use a VLAN interface for routing.

    I tried copying the config from a 240 to a 340 and the first thing I get in my VLAN config is:

    error: l3-interface: 'vlan.123': Only IRB interface is supported, e.g. irb.10

    Fine, I'll use an IRB interface:

    # set security zones security-zone TRUST interfaces irb.123

    error: interface-unit: 'irb.123': This interface cannot be configured in a zone
    error: statement creation failed: irb.123

    Fine, I'll create a new zone with all the physical switchports defined and permit the new zone outbound.

    'policy TRUST-UNTRUST'
    from-zone (TRUST) and to-zone (UNTRUST) must be both L2 or L3 zones.
    error: configuration check-out failed

    I'm not a firewall admin by any means, so maybe I'm missing something very obvious, but it doesn't look as if these things want to be gateway devices anymore?!

     



  • 2.  RE: srx340 as a switch and gateway router

     
    Posted 05-11-2016 23:12

    Hello

     

    Can you tell me which JUNOS version is running on SRX340?

     

    Regards,

     

    Rushi



  • 3.  RE: srx340 as a switch and gateway router

    Posted 05-12-2016 01:51

    Hi Rushi,

     

    It's running 15.1X49-D35.



  • 4.  RE: srx340 as a switch and gateway router
    Best Answer

     
    Posted 05-12-2016 01:56

    Hello,

     

    In 15.1X49-D35, Ethernet Switching feature is not supported on SRX300, SRX320, SRX340 & SRX345 devices.

     

    http://www.juniper.net/techpubs/en_US/junos15.1x49-d35/information-products/topic-collections/release-notes/15.1x49-d35/junos-release-notes-15.1X49.pdf

     

    Regards,

     

    Rushi



  • 5.  RE: srx340 as a switch and gateway router

    Posted 05-12-2016 03:42

    @rtilak wrote:

    Hello,

     

    In 15.1X49-D35, Ethernet Switching feature is not supported on SRX300, SRX320, SRX340 & SRX345 devices.

     

    http://www.juniper.net/techpubs/en_US/junos15.1x49-d35/information-products/topic-collections/release-notes/15.1x49-d35/junos-release-notes-15.1X49.pdf

     

    Regards,

     

    Rushi


    Thanks Rushi,

    This is a pity. I quite liked the "all in one" capability of the 240. Looks like I will have to go 110 and a switch. I don't believe the SRX240H2 is end of sale yet though, but it will be soon I'd imagine.



  • 6.  RE: srx340 as a switch and gateway router

    Posted 05-12-2016 04:49

    Hi,

     

    You will still be able to use it as the SRX240H2 (which is EoL; you can buy it from distributor stock as long as it lasts).

     

    15.1X49-D40 re-adds support for Ethernet switching:

    http://www.juniper.net/techpubs/en_US/junos15.1x49-d40/information-products/topic-collections/release-notes/15.1x49-d40/junos-release-notes-15.1X49-D40.pdf page 10:

     

    —Starting with Junos OS Release 15.1X49-D40, the enhanced Layer 2 transparent bridge mode and switching mode features are supported on SRX300, SRX320, SRX340, SRX345, and SRX550 devices.

     

     

    -- 

    Best regards,

     

    Jonas Hauge



  • 7.  RE: srx340 as a switch and gateway router

    Posted 05-13-2016 08:07

    To the point about SRX240H2 availability. As of 1st May the SRX100, 210, 220, 240H2, 650 all went end of sale.

    Starting release for the new SRX3xx and 1500 devices is 15.1...

    Deprecation of features that were available in the now end-of-sale boxes without some kind of a way forward... don't know quite what to tell you here. Begin the conversation with your SE, maybe there is something "on the roadmap".



  • 8.  RE: srx340 as a switch and gateway router

    Posted 05-15-2016 03:39

    The SRX110 and SRX220H2 did not go EoL - but I agree, there are too many features missing without a reasonable alternative (no dynamic VPN, no NAT or VPN termination on IRB interfaces - and the worst one: no built-in DHCP server if you use IRBs!).

     

    Ref: http://www.juniper.net/techpubs/en_US/junos15.1x49-d45/information-products/topic-collections/release-notes/15.1x49-d45/topic-102705.html#cbbu-rn-junos-srx-j-out-issues

     

    The software features are IMHO not ready for full-scale production. I have stated this to the SEs and AMs multiple times but no useful feedback from the SRX/Security business unit.

     

    -- 

    Best regards,

     

    Jonas Hauge



  • 9.  RE: srx340 as a switch and gateway router

    Posted 02-21-2017 05:30

    Hi,

     

    I have 2x SRX240H2 available which have been running as a cluster in my cloud setup for about 4 years.

    Both have been running fine without any issues ...



  • 10.  RE: srx340 as a switch and gateway router

    Posted 05-12-2016 02:14

    I've just read this:

     

    https://www.juniper.net/techpubs/en_US/junos15.1x49/topics/concept/security-layer2-bridging-transparent-mode-overview.html

     

    From the looks of things, I may be right about the new SRXs, in that they don't really work as an L3 switch anymore?! Please tell me I'm wrong. We won't buy these.



  • 11.  RE: srx340 as a switch and gateway router

    Posted 05-15-2016 15:24
    Actually you are right, I was a little hasty. The others are End of Sale however.


  • 12.  RE: srx340 as a switch and gateway router

    Posted 05-16-2016 07:43

    I too have been unable to get this type of basic service working on an SRX345 running Junos 15.1X49-D45. I tried the following configuration:

     

    system {
        services {
            ssh;
            web-management {
                http;
            }
        }
    }
    interfaces {
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members TestVlan2;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members TestVlan3;
                    }
                }
            }
        }
        irb {
            unit 2 {
                family inet {
                    address 192.168.1.1/27;
                }
            }
            unit 3 {
                family inet {
                    address 192.168.2.1/27;
                }
            }
        }
    }
    security {
        policies {
            from-zone TestZone2 to-zone TestZone3 {
                policy TestZone2-TestZone3 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone TestZone3 to-zone TestZone2 {
                policy TestZone3-TestZone2 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone TestZone2 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.2;
                }
            }
            security-zone TestZone3 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.3;
                }
            }
        }
    }
    vlans {
        TestVlan2 {
            vlan-id 2;
            l3-interface irb.2;
        }
        TestVlan3 {
            vlan-id 3;
            l3-interface irb.3;
        }
    }

     

    My computer that is plugged into port ge-0/0/4 with IP Address 192.168.1.2/27 with a gateway of 192.168.1.1 is not able to even ping the 192.168.1.1 address on the router.

    This type of basic functionality worked perfectly fine on the SRX240 (with "vlan" instead of "irb").



  • 13.  RE: srx340 as a switch and gateway router

    Posted 05-17-2016 00:28

    I tested a similar configuration on an SRX340 last night running the same software version and I cannot get it to work either. ARP request/response works but no other traffic is showing up on the irb.

     

    I will investigate this further but let us know if you figure out that we're doing something wrong 🙂



  • 14.  RE: srx340 as a switch and gateway router

    Posted 05-17-2016 06:24

    did you guys do:

     

    set protocols l2-learning global-mode switch

     

    ?



  • 15.  RE: srx340 as a switch and gateway router

    Posted 05-17-2016 08:03

    I tried "set protocols l2-learning global-mode switch" and that worked. However, when I then configured the irb interfaces to use VRRP, the same issue occurred. I am not able to ping the virtual address of 192.168.1.1 from a computer connected to port ge-0/0/4 with an IP Address of 192.168.1.2/27 and a gateway of 192.168.1.1.

     

    Here's the configuration I tried:

    system {
        services {
            ssh;
            web-management {
                http;
            }
        }
    }
    interfaces {
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members TestVlan2;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members TestVlan3;
                    }
                }
            }
        }
        irb {
            unit 2 {
                family inet {
                    address 192.168.1.3/27 {
                        vrrp-group 2 {
                            virtual-address 192.168.1.1;
                            priority 110;
                            accept-data;
                        }
                    }
                }
            }
            unit 3 {
                family inet {
                    address 192.168.2.3/27 {
                        vrrp-group 3 {
                            virtual-address 192.168.2.1;
                            priority 110;
                            accept-data;
                        }
                    }
                }
            }
        }
    }
    security {
        policies {
            from-zone TestZone2 to-zone TestZone3 {
                policy TestZone2-TestZone3 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone TestZone3 to-zone TestZone2 {
                policy TestZone3-TestZone2 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone TestZone2 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.2;
                }
            }
            security-zone TestZone3 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.3;
                }
            }
        }
    }
    vlans {
        TestVlan2 {
            vlan-id 2;
            l3-interface irb.2;
        }
        TestVlan3 {
            vlan-id 3;
            l3-interface irb.3;
        }
    }
    protocols {
        l2-learning {
            global-mode switch;
        }
    }




  • 16.  RE: srx340 as a switch and gateway router

    Posted 07-11-2016 22:14

    I have had a similar experience getting my SRX345 (15.1X49-D45) up and running. I have one port configured as a trunk that is a member of all VLANs, which connects to a switch. All working after adding the l2-learning protocol; however, after adding the VRRP groups under the IRBs it all breaks - I can't ping the virtual address of each VRRP group.

     

    Did you manage to find a resolution or workaround?

     

    Cheers,

    Martin



  • 17.  RE: srx340 as a switch and gateway router

    Posted 07-12-2016 04:53

    I have not managed to get a resolution to this issue. I have spoken with a Juniper rep and they are aware of the issue. It seems with every new build of 15.1X49, they are including more and more functionality. Hopefully one of the upcoming builds will address this particular issue.



  • 18.  RE: srx340 as a switch and gateway router

    Posted 07-12-2016 15:56

    Hi,

     

    Hmm, very frustrating. Have you tried configuring an 802.1Q trunk and scrapping the IRB setup? I believe I may have had that working briefly even with VRRP. I cannot remember why I changed the config.

     

    Cheers.

     



  • 19.  RE: srx340 as a switch and gateway router

    Posted 07-15-2016 09:35

    It looks like many of the irb issue(s) have been addressed now in 15.1X49-D50, or at least have PRs logged against them in the release notes. I have a working irb now post-upgrade on an SRX320.

     

    https://www.juniper.net/techpubs/en_US/junos15.1x49-d50/information-products/topic-collections/release-notes/15.1x49-d50/junos-release-notes-15.1X49-D50.pdf

     

    It's probably worth noting as well the default mode for the 3xx devices is transparent-bridge, so to use your irb interface, you'll need to set this to global-mode switching, and reboot the unit.

     

    http://www.juniper.net/techpubs/en_US/junos15.1x49-d40/topics/reference/configuration-statement/protocols-edit-global-mode.html

     



  • 20.  RE: srx340 as a switch and gateway router

    Posted 08-27-2016 10:47

    Doesn't need IRB config:

     

    The following partial config works:

     

    ge-0/0/1 {
        vlan-tagging;
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            vlan-id 1;
            family inet {
                address 10.100.2.1/24;
            }
        }
        unit 3 {
            description "3 Subnet Interface";
            vlan-id 3;
            family inet {
                address 10.100.3.1/24;
            }
        }
        unit 4 {
            description "Subnet 4 Interface";
            vlan-id 4;
            family inet {
                address 10.100.4.1/24;
            }
        }
        unit 7 {
            description "Subnet 7 Interface";
            vlan-id 7;
            family inet {
                address 10.100.7.1/24;
            }
        }
    }

     

    Just put the units in the correct zone.

    Then the switch port must be configured correctly as a trunk and ....must be all tagged
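    The tagged-subinterface approach above, carried through to the parts the post leaves implicit, as an added example that is not from the original post or from Juniper: set-style commands that put two of the post's ge-0/0/1 units into L3 security zones (so no IRB and no l2-learning mode change is involved), limit host-inbound traffic and inter-VLAN policy instead of "system-services all" and "permit-all", and the matching ELS trunk on the downstream switch. Zone names, policy names, the switch port ge-0/0/0 and the VLAN names are assumptions; units, VLAN IDs and addresses are the post's own.

```text
# --- SRX side: tagged L3 subinterfaces (values from the post) ---
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3 description "3 Subnet Interface"
set interfaces ge-0/0/1 unit 3 vlan-id 3
set interfaces ge-0/0/1 unit 3 family inet address 10.100.3.1/24
set interfaces ge-0/0/1 unit 4 description "Subnet 4 Interface"
set interfaces ge-0/0/1 unit 4 vlan-id 4
set interfaces ge-0/0/1 unit 4 family inet address 10.100.4.1/24

# Each unit is a routed interface, so it belongs in an L3 zone (assumed zone names)
set security zones security-zone SUBNET3 interfaces ge-0/0/1.3
set security zones security-zone SUBNET4 interfaces ge-0/0/1.4

# Per-interface host-inbound services, only what hosts need to reach the gateway itself
set security zones security-zone SUBNET3 interfaces ge-0/0/1.3 host-inbound-traffic system-services ping
set security zones security-zone SUBNET4 interfaces ge-0/0/1.4 host-inbound-traffic system-services ping

# Explicit, logged inter-VLAN policy; everything not listed is denied (assumed policy name)
set security policies from-zone SUBNET3 to-zone SUBNET4 policy S3-TO-S4 match source-address any
set security policies from-zone SUBNET3 to-zone SUBNET4 policy S3-TO-S4 match destination-address any
set security policies from-zone SUBNET3 to-zone SUBNET4 policy S3-TO-S4 match application any
set security policies from-zone SUBNET3 to-zone SUBNET4 policy S3-TO-S4 then permit
set security policies from-zone SUBNET3 to-zone SUBNET4 policy S3-TO-S4 then log session-init
set security policies default-policy deny-all

# --- Downstream switch side (ELS syntax; ge-0/0/0 facing the SRX is an assumption) ---
set vlans SUBNET3 vlan-id 3
set vlans SUBNET4 vlan-id 4
# Uplink to the SRX carries every VLAN tagged, matching the vlan-tagging units above
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ SUBNET3 SUBNET4 ]
# Example user port in VLAN 3
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members SUBNET3
```

    The lines starting with # are explanatory and are not part of what gets loaded; on both boxes, run the set commands in configuration mode and confirm with "commit check" before "commit".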



  • 21.  RE: srx340 as a switch and gateway router

    Posted 01-26-2017 11:51

    I have been experiencing similar issues using a config I copied and modified from an SRX210 (I made the interfaces match up) for an SRX345. The 345 is running 15.1X49-D75.5.

    All we are trying to do is use the 345 to support users using DHCP. The input is a router and the users will plug into the firewall.

    As of now I am able to reach the firewall but I cannot get the user ports to connect.

    The VLAN appears to only want an irb, as I have learned from reading this thread. I used the set protocols l2-learning global-mode switch command and lost remote connectivity, so I changed the firewall back to transparent to get remote connectivity restored.

    I'm no admin, so I'm baffled here.

    Any advice would be great.



  • 22.  RE: srx340 as a switch and gateway router

    Posted 01-29-2017 10:55

    There was a major change in how layer 2 services are configured in Junos for the SRX.  You can try first to run your SRX configuration through the ELS translator to get the "Enhanced Layer 2 Services" version of your configuration.

     

    https://www.juniper.net/customers/support/configtools/elstranslator/

     

    The main documentation for ELS is here.

     

    https://www.juniper.net/techpubs/en_US/junos12.3/information-products/topic-collections/ex9200/software-all/getting-started-els.pdf



  • 23.  RE: srx340 as a switch and gateway router

    Posted 07-19-2016 06:50

    Not to mention remote access VPNs also aren't supported yet; just had this issue last night and confirmed with JTAC.



  • 24.  RE: srx340 as a switch and gateway router

    Posted 07-21-2016 06:51

    Guys,

     

    I've run into the same issue with PulseSecure and dynamic VPN after changing SRX240 to SRX345. I found NCP Secure Client - Juniper Edition is able to establish VPN connections with new SRX345.

     

    Has anybody tried that software?



  • 25.  RE: srx340 as a switch and gateway router

    Posted 07-21-2016 08:28

    Dynamic VPN should be reintroduced in 15.1X49-D60, which is expected to be released in September.

     

    A major error that they removed this functionality in the first place.