SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Upgrading to 10.3 - What a joke

    Posted 08-18-2010 12:13

    Hi All,

     

    What a pain in the *** this is.  So far I have tried to do this about 6 times; each time the install barfs while validating the config, and each time I remove the part of code it complains about.  At first it was all UTM stuff, so I took all that out because I can always re-add it.

     

    Now it seems to complain about my policies.  Here is what it is complaining about:

     

    [edit security policies from-zone trust to-zone untrust policy HACK-FTP match application]
      'any'
        application or application-set must be defined
    [edit security policies from-zone trust to-zone untrust policy trust-to-untrust match application]
      'any'
        application or application-set must be defined
    [edit security policies from-zone DMZ to-zone trust policy DMZ-Basic match application]
      'any'
        application or application-set must be defined

     

    As you can see, apparently SRX 10.3 does not support the ANY command for policies?? This is a joke or a bug because I refuse to believe you can use the term any.  I am aware that I can do a no-validate, but I'm just a little worried that it will strip all this stuff from my config upon reboot.

     

    Thanks for any help someone can provide.

     

    Magraw
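
Added example, not part of the original post and not Juniper code: a small parser for the validation output quoted above that turns it into a per-zone-pair list of flagged policies, so the same policies can be confirmed present after an upgrade run with no-validate. The function names are hypothetical, the sample text is constructed from the post, and policy and zone names are assumed to be unquoted and free of spaces.

```python
import re

# Constructed sample: the validation output quoted in the post above.
SAMPLE = """\
[edit security policies from-zone trust to-zone untrust policy HACK-FTP match application]
  'any'
    application or application-set must be defined
[edit security policies from-zone trust to-zone untrust policy trust-to-untrust match application]
  'any'
    application or application-set must be defined
[edit security policies from-zone DMZ to-zone trust policy DMZ-Basic match application]
  'any'
    application or application-set must be defined
"""

# Assumption: names contain no spaces, so \S+ is enough for each field.
HEADER = re.compile(
    r"^\[edit security policies from-zone (\S+) to-zone (\S+) "
    r"policy (\S+) match (\S+)\]$"
)

def parse_validation_errors(text):
    """Return one dict per error block: hierarchy fields, quoted value, message."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = dict(zip(("from_zone", "to_zone", "policy", "field"), m.groups()))
            current.update(value=None, message=None)
            findings.append(current)
        elif current is None:
            continue  # text before the first hierarchy header is ignored
        elif current["value"] is None and line.startswith("'") and line.endswith("'"):
            current["value"] = line[1:-1]
        elif current["message"] is None:
            current["message"] = line
    return findings

def policies_to_recheck(findings):
    """Group flagged policy names by (from_zone, to_zone) pair."""
    grouped = {}
    for f in findings:
        grouped.setdefault((f["from_zone"], f["to_zone"]), []).append(f["policy"])
    return grouped

if __name__ == "__main__":
    for (src, dst), names in policies_to_recheck(parse_validation_errors(SAMPLE)).items():
        print(f"{src} -> {dst}: {', '.join(names)}")
```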

     



  • 2.  RE: Upgrading to 10.3 - What a joke

    Posted 08-18-2010 12:39

    This sounds like an issue that should be brought up with J-Tac.



  • 3.  RE: Upgrading to 10.3 - What a joke

    Posted 08-18-2010 20:35

    I've been able to create a policy using "any" on 10.3 without any trouble (on an SRX240).

    Something might be amiss with your config. Can you post your policy config to the forum?



  • 4.  RE: Upgrading to 10.3 - What a joke
    Best Answer

    Posted 08-19-2010 04:23

    Hi all,

     

    Thanks for the suggestions, but I ended up calling JTAC.  The solution is *Quote*  "Oh....ya just ignore that, it doesn't work properly", so essentially they recommended to do any and all upgrades with the no-validate option.  This begs the question: why does it even exist?

     

    P.S.  10.3 does not solve the Ethernet switching/cluster config crash problem but does add great GUI enhancements.

     

    Thanks!

     

     



  • 5.  RE: Upgrading to 10.3 - What a joke

    Posted 08-19-2010 12:37

    This also happens sometimes when upgrading to 10.2R2.



  • 6.  RE: Upgrading to 10.3 - What a joke

    Posted 12-21-2010 11:46

    You have to make sure that the configuration already includes the default application set. You can view them with:

     

    show configuration groups junos-defaults applications  /// this group contains "any" as one of its elements

     

    If you can still see them configured in operational mode, then you can still commit them into the config. It is possible that you have deleted all the groups in the [edit groups] section, and thus the predefined group was wiped out.

    You need to roll back to the default configuration and make sure to import the config successfully. I have faced the same issue: I was deleting everything under [edit groups] and the same errors started to come up, because the default application set does not appear by default under [groups].

    It worked for me. Hope that helps.

     



  • 7.  RE: Upgrading to 10.3 - What a joke

    Posted 12-23-2010 02:38

     


    @Magraw wrote:

     

        Thanks for the suggestions, but I ended up calling JTAC.  The solution is *Quote*  "Oh....ya just ignore that, it doesn't work properly", so essentially they recommended to do any and all upgrades with the no-validate option.  This begs the question: why does it even exist?

     


    Yes, I was particularly nonplussed with that response when I opened a ticket a few months back. After ranting on Twitter after accepting that the ticket be closed, someone told me that JTAC have a fixed release, it's just not public. I've not verified, since 10.3 is unacceptable to us for other reasons.

     



  • 8.  RE: Upgrading to 10.3 - What a joke

    Posted 04-03-2011 21:39

    I just went through this exact issue. Wish I'd checked here first, could have saved myself a few hours  {sigh} .....