SRX

I am somewhat familiar with Juniper ScreenOS, but not with JunOS or SRX devices, so please go easy on me! We have recently acquired some SRX320 firewalls running 17.4. I am comfortable entering commands via the CLI, but ideally I need support configuring via (the truly awful) J-Web, specifically a VDSL module in ADSL mode. I have tried following a number of Juniper KB articles and have contacted JTAC, but neither have been fruitful, I simply can't get a connection to the ISP. This type of straightforward requirement was relatively simple for me in the ScreenOS GUI, but I am finding J-Web difficult to navigate.

 

I have tried:-

https://www.juniper.net/documentation/en_US/junos/topics/example/adsl-pim-security-interface-configu...

https://www.juniper.net/documentation/en_US/junos/topics/example/vdsl2-interface-in-adsl-mode-securi...

https://kb.juniper.net/InfoCenter/index?page=content&id=KB25400 

 

I realise this is all a bit vague, but I need to start the ball rolling somehow. Any thoughts or suggestions would be greatly appreciated.

If you have already applied the config from CLI/J-web and finding issues in getting the link up, please use “monitor traffic interface at-x/x/x no-resolve” to understand that the negotiation with ISP/Peer. “show interface at-x/x/x extensive” can also give some details on this issue.

Here's the relevant ScreenOS config that I'd like to convert/translate into JunOS speak:-

 

set interface adsl1/0 phy operating-mode auto
set interface "adsl1/0" pvc 0 38 mux vc protocol bridged qos ubr zone "Untrust"
set interface adsl1/0 ip 8x.7x.5x.8x/32
set interface adsl1/0 route
set interface adsl1/0 ip manageable
set interface adsl1/0 manage ping

set pppoa name "TestLine" username "user@zen" password "Wjb5y/6iNQIzcas71ACA4c5KUxnwN5nsDg=="
set pppoa name "TestLine" interface adsl1/0
set pppoa name "TestLine" ppp lcp-echo-retries 10
set pppoa name "TestLine" ppp lcp-echo-timeout 180

I don't have a box or line to test but I think this is what you need.  

Obviously set your passwords accordingly.

 

set interfaces at-1/0/0 sl1-options operating-mode auto
set interfaces at-1/0/0 unit 0 pop-options pap access-profile TestLine
set interfaces at-1/0/0 unit 0 pop-options pap local-name user@zen
set interfaces at-1/0/0 unit 0 pop-options pap local-password ****
set interfaces at-1/0/0 unit 0 pop-options pap passive
set access profile testline client user@zen pap-password ******
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping

 

 

Hey Steve, thank you! When I commit your instructions I receive the following error:-

 

[edit security zones security-zone untrust]
'interfaces fe-0/0/0.0'
Interface fe-0/0/0.0 must be configured under interfaces
error: configuration check-out failed

 

What do I need to do to correct this?

looks like you have copied configuration from a SRX100/200 platform as SRX320 doesn't have any 100 Mbps (fe-) interfaces.

 

'delete security zones security-zone untrust interface fe-0/0/0.0' should make it possible for you to commit the configuration.

Thank you Jonas. Should I replace the deleted line(s) with anything? If not, should Steve's resulting suggestion now look like this?

 

set interfaces at-1/0/0 sl1-options operating-mode auto
set interfaces at-1/0/0 unit 0 pop-options pap access-profile TestLine
set interfaces at-1/0/0 unit 0 pop-options pap local-name user@zen
set interfaces at-1/0/0 unit 0 pop-options pap local-password ****
set interfaces at-1/0/0 unit 0 pop-options pap passive
set access profile testline client user@zen pap-password ******

That particular line can certainly be deleted.

 

But as Jonas noted, there are no fe interfaces on the SRX300 series all are ge interfaces.  So if you have any configuration setup using fe- you need to remove these and configure using the corresponding ge- port for that configuraiton overall.

 

Ok, so the corresponding LAN interface in this situation is ge-0/0/1, so the relevant lines in your config should now read:-

 

set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

 

I have found that despite entering the config. supplied in your original post, that I still need to go into J-Web to the at interface and change the interface type to ADSL from VDSL, what is the command to achieve this please?

---

set interfaces at-1/0/0 sl1-options operating-mode auto
set interfaces at-1/0/0 unit 0 pop-options pap access-profile TestLine

---

 

Regarding the above text in red, these don't seem to be valid, please can someone confirm what they should be?

 

I tried changing pop-options to ppp-options, but I receive the following error: "PPP options only valid on atm-ppp, atm-mlppp, and frame-relay-ppp encapsulations or for PPPoE and Dialer ifls"

I don't use the web gui much from the cli you would remove the interface

delete interfaces fe-0/0/0

 

Is this an ADSL or VDSL line?

The example I have was from setting up ADSL.  If yours is VDSL then this is the correct example.

https://www.juniper.net/documentation/en_US/junos/topics/example/vdsl2-pim-security-interface-property-configuring.html

 

Thank you Steve.

 

It's an ADSL connection.

 

Is anyone able to correct the items in red please? I receive syntax errors when I try to enter these lines.

 

set interfaces at-1/0/0 sl1-options operating-mode auto
set interfaces at-1/0/0 unit 0 pop-options pap access-profile TestLine

I apologize.  My config sample was from a SRX220 using this mini pim

https://www.juniper.net/us/en/local/pdf/datasheets/1000311-en.pdf

 

After looking more closely the DSL process and card are different on the SRX300 series using this card.

https://www.juniper.net/documentation/en_US/release-independent/junos/topics/concept/mpim-vdsl2-srx300-series-srx550-m-overview.html

 

And I see in the documentation that at interfaces are no longer supported.  

 

Looking again at your ScreenOS working example this is PAP with PPOA or PPOE.  For the SRX300 these are on the same page here.

 

PPPOA example

https://www.juniper.net/documentation/en_US/junos/topics/example/adsl-pim-security-interface-configuring.html#jd0e170

 

PPPOE example

https://www.juniper.net/documentation/en_US/junos/topics/example/adsl-pim-security-interface-configuring.html#jd0e1251

 

 

Hey Steve. Thank you for getting back to me on this. I have been trawling the Juniper KB and have already tried everything I could find including the PPOA example link you posted, but still no joy. I also found and tried this article https://kb.juniper.net/InfoCenter/index?page=content&id=KB25400, and the set of customised commands I ended up with are as follows:-

 

set interfaces at-1/0/0 description ADSL
set interfaces at-1/0/0 unit 0 description PPPoA
set interfaces at-1/0/0 dsl-options operating-mode auto
set interfaces at-1/0/0 encapsulation atm-pvc atm-options vpi 0
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-vc-mux vci 0.38
set interfaces at-1/0/0 unit 0 ppp-options chap access-profile ADSL client zen@zen
set access profile ADSL client zen@zen chap-secret 1234567
set interfaces at-1/0/0 unit 0 ppp-options chap passive
set interfaces at-1/0/0 unit 0 ppp-options pap default-password 1234567
set interfaces at-1/0/0 unit 0 ppp-options pap local-name zen@zen
set interfaces at-1/0/0 unit 0 ppp-options pap local-password 1234567
set interfaces at-1/0/0 unit 0 ppp-options pap passive
set interfaces at-1/0/0 unit 0 family inet address 8x.7x.x9.x1/32
set routing-options static route 0.0.0.0/0 next-hop at-1/0/0.0
set security zones security-zone Internet interfaces at-1/0/0.0 host-inbound-traffic system-services all
set security zones security-zone Internet interfaces at-1/0/0.0 host-inbound-traffic protocols all

 

This is a known good working connection i.e. as soon as I take the modem cable and plug it into an SSG5 it works. I have triple checked my username and password for typos and checked the exact detailed ISP requirements. I note on the SSG5 the Authentication type is set to Auto; in the above config. there's reference to both PAP and CHAP. The ISP says it doesn't matter which is used, but if one needs to be specified then I was instructed to use CHAP.

P.s. it's worth mentioning that on the MPIM there is a solid green SYNC LED and intermittent activity on the Rx/Tx LED.

When I try to ping an external IP address from the console I receive the following error message: "no route to host". Does this help get me closer to a resolution?

Are you able to ping the dsl inteface:

 

set interfaces at-1/0/0 unit 0 family inet address 8x.7x.x9.x1/32

 

IS this route active in the table

show route
set routing-options static route 0.0.0.0/0 next-hop at-1/0/0.0

 

 

 

---

wrote:

Are you able to ping the dsl inteface:

 

set interfaces at-1/0/0 unit 0 family inet address 8x.7x.x9.x1/32 - I am not able to ping the external IP address, is that what you mean?

 

IS this route active in the table

show route
set routing-options static route 0.0.0.0/0 next-hop at-1/0/0.0 - No, it does not appear.

---

 

Here are some results:-

 

show route

8x.7x.x9.x1/32 *[Local/0] 00:00:02  Reject

 

show interfaces at-1/0/0 terse

Interface Admin Link Proto Local Remote
at-1/0/0 up up
at-1/0/0.0 up down inet 8x.7x.x9.x1 --> 0/0
at-1/0/0.32767 up up

 

Trying to sort through the options here, but this is the fundamental problem.  The static sub interface on the dSL is up/down

at-1/0/0.0 up down inet 8x.7x.x9.x1 --> 0/0

 

Since this is down your public address is in reject instead of active

and your default route will not install because the interface is down.

 

I cannot see the error with the configuration causing the connection negociation to fail.

Can you try enabling trace options on the at interface and see what logging we get for the connection?

 

set interface at-1/0/0 traceoptions file dsl.log

set interface at-1/0/0 traceoptions flag all

 

Then show the results using:

show log dsl.log

 

Hi Steve and anyone else who might be interested. I have finally cracked this, here's the config. that worked for my Zen Internet (UK) ADSL connection:-

 

set interfaces at-1/0/0 dsl-options operating-mode auto
set interfaces at-1/0/0 encapsulation atm-pvc atm-options vpi 0
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-vc-mux vci 0.38
set interfaces at-1/0/0 unit 0 ppp-options chap local-name zen@zen
set interfaces at-1/0/0 unit 0 ppp-options chap default-chap-secret 12345678 
set interfaces at-1/0/0 unit 0 ppp-options chap passive
set interfaces at-1/0/0 unit 0 family inet address 8x.7x.x9.x1/32
set routing-options static route 0.0.0.0/0 next-hop at-1/0/0.0

Glad you have it working.  Thanks for posting the configuration.

Thank you for all of your invaluable help Steve, I really appreciate it.

Are you assigned a static ip address on this service?  I had been assuming it was dhcp but noticed this in your SSG config

 

set interface adsl1/0 ip 8x.7x.5x.8x/32
set interface adsl1/0 route

You may need to set the family inet on the interface directly

Route/nat mode does not apply to the SRX

 

I also notice this is a /32 so I'm not sure how your outbound static default route will work in this setup.  I've not seen that before.

 

These we converted to host inbound services.
set interface adsl1/0 ip manageable
set interface adsl1/0 manage ping

 

---

wrote:

Are you assigned a static ip address on this service?  I had been assuming it was dhcp but noticed this in your SSG config   - It is static

 

You may need to set the family inet on the interface directly - What do I need to do to achieve this?

Route/nat mode does not apply to the SRX - I don't understand the implications of this, I'm sorry.

 

I also notice this is a /32 so I'm not sure how your outbound static default route will work in this setup.  I've not seen that before. - Ok, we only have a single ISP assigned IP, so not sure how I could tweak this.