SRX

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  Moving from SRX210 to SRX220

    Posted 08-04-2016 11:25

    I have had a SRX210 up and running in production for a few years now. Works great, been able to get it to everything I could want dual ISP routing, vpns, vlans, etc.  I picked up a SRZX220 because the fe ports on the 210 started giving me issues as my traffic grew. Both the 210 and 220 have 12.1X46-D40.2 installed. I took the config on the 210 and basically just replace fe with ge and renumber the ports. Plugged it in and worked like a like charm for the network on site.

     

    The dynamic vpn on the other hand is giving me problems. Pulse attempts to connect, it asks user to accept the certificate, fails and starts trying to connect again. It will sit in that loop forever if you let it. I never even asks for a username or password. First thing I tried was deleting out the old connection from Pulse. Next I double checked the config, ike and https are setup for the inferface. The correct external interface is set. I walked though this [SRX] Pulse client not able to connect to SRX due to configuration issues to make sure I wasn't missing something easy.  No luck there so I decide to delete the dynamic vpn and run the wizard though the web interface. I run the wizard setup a everything, but I still get the same results in Pulse. 

     

    The Pulse debuglog.log didn't seem every helpful when I took a look. I pulled up the KMD log from the SRX220 and it shows a "KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received" from a few days ago but nothing recent.



  • 2.  RE: Moving from SRX210 to SRX220
    Best Answer

    Posted 08-05-2016 02:28

    Hi,

     

    you have possibly hit this bug: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1135780

     

    I had the same on a SRX240 with 12.1X46-D40 and JTAC asked me to upgrade to D45 or above. This made dynamic VPN working again.

     

    Please try this a revert with the result.


    #SRX
    #dynamicVPN


  • 3.  RE: Moving from SRX210 to SRX220

    Posted 08-05-2016 05:15

    Hi,

     

    Jonas is correct. Dynamic VPN does not work on D40 due to the bug.

     

    Upgrading would resolve the issue for you.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 4.  RE: Moving from SRX210 to SRX220

    Posted 08-05-2016 11:26

    Thanks for the responses i will try upgrading and see it helps! This whole thing was making me feel very stupid.



  • 5.  RE: Moving from SRX210 to SRX220

    Posted 08-08-2016 19:56

    That fixed everything. Thanks so much.