SRX Services Gateway

SRX210 running 10.4 dynamic vpn license

12-09-2010 08:08 PM

Hi,

 

Just tested the new dynamic vpn wizard with locally assigned IP addresses on 10.4r1. It is working great. Now the alarm LED is turning amber. I believe it has to do with a missing dynamic vpn license.

 

root@SRX210> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           1            0           1    invalid
  ax411-wlan-ap                         0            2           0    permanent

Licenses installed: none

root@SRX210>

 

Don't the SRX1xx and 2xx come with 2 dynamic vpn licenses by default? Did I miss something?

 

Thanks,

 

rotearc

16 REPLIES
Re: SRX210 running 10.4 dynamic vpn license

12-11-2010 09:36 AM

Dear rotearc,

 

2 Licenses are included

 

Note: If more than two simultaneous user connections are required, a dynamic VPN license must be installed

 

Source: LINK

Re: SRX210 running 10.4 dynamic vpn license

12-11-2010 09:49 AM

It would be nice if the alarm LED didn't turn on for the default two Dynamic VPN connections though.

 

mawr

Re: SRX210 running 10.4 dynamic vpn license

12-11-2010 10:45 AM

 

show system license on your SRX, do you see any dynamic vpn license listed?  I don't see any on mine.  The "2 users" licenses are missing since 10.2 and above.
rotearc

NULL wrote:

Dear rotearc,

 

2 Licenses are included

 

Note: If more than two simultaneous user connections are required, a dynamic VPN license must be installed

 

Source: LINK


 

Re: SRX210 running 10.4 dynamic vpn license

12-11-2010 10:46 AM

 

I don't think Juniper fixed the "2 users free/demo" dynamic vpn license on 10.4 yet..

mawr wrote:

It would be nice if the alarm LED didn't turn on for the default two Dynamic VPN connections though.

 

mawr


 

Re: SRX210 running 10.4 dynamic vpn license

12-12-2010 01:06 AM

 


rotearc wrote:

 

show system license on your SRX, do you see any dynamic vpn license listed?  I don't see any on mine.  The "2 users" licenses are missing since 10.2 and above.
rotearc

NULL wrote:

Dear rotearc,

 

2 Licenses are included

 

Note: If more than two simultaneous user connections are required, a dynamic VPN license must be installed

 

Source: LINK


 


That should be the 'normal' behavior that the free dynamic vpn license is not listed anymore.

 

Re: SRX210 running 10.4 dynamic vpn license

12-12-2010 04:30 PM

 

Gosi,
If that is the case, why is alarmd complaining and filling up the message log file with these:
Dec 12 15:54:17  SRX210 alarmd[1082]: LICENSE_EXPIRED: License for feature dynamic-vpn(55) expired
Dec 12 15:55:17  SRX210 alarmd[1082]: LICENSE_EXPIRED: License for feature dynamic-vpn(55) expired
Dec 12 15:56:17  SRX210 alarmd[1082]: LICENSE_EXPIRED: License for feature dynamic-vpn(55) expired
Dec 12 16:07:17  SRX210 last message repeated 11 times
Dec 12 16:17:17  SRX210 last message repeated 10 times

gosi wrote:

 


That should be the 'normal' behavior that the free dynamic vpn license is not listed anymore.

 


 

Re: SRX210 running 10.4 dynamic vpn license

12-22-2010 11:50 AM

Hi rotearc,

 

That is a good question! Please open a ticket with JTAC and ask them if this is a bug. I'm interested in this answer too!

Re: SRX210 running 10.4 dynamic VPN license

[ Edited ]
01-24-2011 11:41 PM

I have the same problem in Junos 10.4.

I think there is no feature for a permanent free dynamic VPN license for two users. I had been using the dynamic VPN smoothly for about one month, but today I got the same problem unexpectedly. I couldn't solve the problem, so I downgraded the OS from 10.4 to 10.0, hoping that will resolve the problem.

If a license is needed for the two free users, how do I get the license for dynamic VPN? I have read that there is a change in 10.4 for dynamic VPN; this may be causing the problem.

Re: SRX210 running 10.4 dynamic VPN license

01-25-2011 09:36 AM

There is most def a license for two users by default.

 

However, I have seen PULSE, specifically 1.3 not clean-up ike / ipsec SAs very well so they might be hung.

 

Check by issuing "show security ike security-association"

 

If they are hung, clear by...

 

admin@SRX240A_0011_Mark_Cole> clear security dynamic-vpn user <username> ike-id <ike-id>

 

And yes, the license doesn't show anymore with "show system license".

Re: SRX210 running 10.4 dynamic VPN license

01-26-2011 01:36 AM

Hi Cole,

 

The command you posted, clear security dynamic-vpn user <username> ike-id <ike-id>, is not supported on the SRX.

 

root@abo> show security dynamic-vpn users gs
                                                                         ^
syntax error, expecting <command>.
root@abo> show security dynamic-vpn users gs

 

I think you are wrong.

Re: SRX210 running 10.4 dynamic VPN license

[ Edited ]
01-26-2011 06:22 AM

EDIT, late night, even earlier morning...

 

remove the "s" from users.

 

admin@labgw-fw> show security dynamic-vpn users
User: mcole , Number of connections: 1
    Remote IP: 76.7.X.X
    IPSEC VPN: wizard_dyn_vpn
    IKE gateway: gw_wizard_dyn_vpn
    IKE ID   : mcolesrxlab
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED


admin@labgw-fw> clear security dynamic-vpn user mcole ike-id mcolesrxlab
Connection entry for user mcole has been cleared

admin@labgw-fw>

Re: SRX210 running 10.4 dynamic VPN license

01-26-2011 08:59 PM

Hi Cole,

 

root@abo> show security dynamic-VPN users
User: ghanshyam , Number of connections: 1
    Remote IP: 202.x.x.x
    IPSEC VPN: dynamic-VPN-dilip
    IKE gateway: dyn-gw-test
    IKE ID   : ghanshyam
    IKE Lifetime: 3600
    IPSEC Lifetime: 28800
    Status: CONNECTED

 

But the command, clear security dynamic-VPN ..........., doesn't work.

It looks like this when I enter it:

root@abo> clear security dynamic-VPN
                                                          ^
syntax error, expecting <command>.
root@abo> clear security dynamic-VPN

 

If you are able to enter this command, why can't I? And as posted, I can't omit the 's' from 'users' without it showing as above. Just check this command once again to confirm.

Re: SRX210 running 10.4 dynamic VPN license

01-27-2011 07:42 AM

It's case sens...  don't caps.  VPN.  just vpn.  dynamic-vpn.

Re: SRX210 running 10.4 dynamic VPN license

01-27-2011 09:03 PM

Again I am getting the same error

 

root@abo# run clear security dynamic-vpn
                                                     ^
syntax error, expecting <command>.
root@abo# run clear security dynamic-vpn

Re: SRX210 running 10.4 dynamic VPN license

01-28-2011 04:51 AM

Did you down-grade?

 

Platform, version?

Re: SRX210 running 10.4 dynamic VPN license

03-02-2011 12:06 AM

Just wanted to confirm that the clear command works for me running 10.4R2.7 on a SRX100

 

 

clear security dynamic-vpn user *username* ike-id *ike-id*

 

 

I found that if you just close Access Manager without disconnecting, the license assignment seems to hang for a bit. I've not tested for how long it hangs yet. Could be a nasty issue if you have, say, a 25-user dynamic vpn license, and users are fond of just "x"ing out of Access Manager or just shutting down their PCs.

 

If I figure out why they hang or for how long, I will post the results.
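
Added example (not part of any post in this thread, and not Juniper code): a small Python parser for saved `show security dynamic-vpn users` output that counts connected sessions against the licensed number and lists the `clear security dynamic-vpn user ... ike-id ...` command for each session as a candidate for review. The sample text, the function names and the assumption that several users appear as consecutive `User:` blocks are illustrative.

```python
import re

# Constructed sample in the layout of the "show security dynamic-vpn users"
# output posted in this thread; user names, IKE IDs and addresses are made up.
_BLOCK = """User: {user} , Number of connections: 1
    Remote IP: {ip}
    IPSEC VPN: wizard_dyn_vpn
    IKE gateway: gw_wizard_dyn_vpn
    IKE ID   : {ike_id}
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED
"""
SAMPLE = "".join(
    _BLOCK.format(user=u, ip=ip, ike_id=i)
    for u, ip, i in [("alice", "192.0.2.10", "alicelab"),
                     ("bob", "198.51.100.7", "boblab"),
                     ("carol", "203.0.113.25", "carollab")]
)

USER_RE = re.compile(r"^User:\s*(\S+)\s*,\s*Number of connections:\s*(\d+)")
FIELD_RE = re.compile(r"^\s+([^:]+?)\s*:\s*(.*?)\s*$")


def parse_users(text):
    """Return one dict per 'User:' block, with its indented fields."""
    sessions = []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            sessions.append({"User": m.group(1), "Connections": int(m.group(2))})
        elif sessions and (m := FIELD_RE.match(line)):
            sessions[-1][m.group(1)] = m.group(2)
    return sessions


def license_report(sessions, licensed=2):
    """Compare connected sessions with the licensed count (2 included by default)."""
    connected = [s for s in sessions if s.get("Status") == "CONNECTED"]
    in_use = sum(s["Connections"] for s in connected)
    # Candidates only: confirm a session is really stale before clearing it.
    cmds = [f"clear security dynamic-vpn user {s['User']} ike-id {s['IKE ID']}"
            for s in connected if "IKE ID" in s]
    return {"in_use": in_use, "over": max(0, in_use - licensed), "clear_cmds": cmds}


if __name__ == "__main__":
    print(license_report(parse_users(SAMPLE)))
```

Pass the installed license count as `licensed`; the default of 2 is the included allowance mentioned in the thread.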