SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Odd behavior - SRX 345 add static routes and two users, j-web stops responding and VPN fails

    Posted 12-29-2021 05:40
    I realize right up front that I don't have quite all the information you would normally expect, so I am not looking for an answer, more of a "have you seen this behavior before" or "is there something more I need to do when I do this" kind of response.  I am a netadmin, but most of my previous experience has been with Cisco ASA firewalls and VPNs.

    First, we have an SRX 345 with a software release in the 20 series.  I can't get an exact version as it's the holidays and I am the only one here at the moment.  I also don't currently have any access to the device as we are in a config change freeze window due to some project deadlines, and especially after our issues configuring the device yesterday.  I am a net admin and this contract is my first experience with a JunOS based device; thank goodness I am not primary admin for this.  I will update the software release later after someone gets back in the new year if it's still needed.

    So, the SRX is running as a firewall, VPN gateway and of course as a router; it's a small deployment.  VPN was working, as well as routing.  After adding 3 routes and two user accounts (admins, so I could assist with administration of the machine), I did a commit confirmed, tested the routes that I added and then finished the commit.  After about 10 minutes the J-Web stopped responding when leadership logged out of the interface and tried to log in again.  When trying to log in remotely through the VPN it would no longer connect.

    I was able to SSH into the device (on the newly added route) with my new username and roll back the changes, but even after the rollback and commit, the J-Web was not responding and the VPN was still not functioning.  It wasn't until I power cycled the firewall that I was able to get things functioning again, sans new routes and users.

    My question is this:  was there any other action you would normally take after adding a route?  I wouldn't think that I would need to, but every platform has its idiosyncrasies, although I have to say I do love the commit and commit confirmed aspects of JunOS administration.  Same with the rollback command.

    If anyone can help a new guy out I'd appreciate it; this is my first experience with JunOS admin, and while it was stressful, I learn more every day.  Thanks!

    ------------------------------
    DENNIS ASTON
    ------------------------------


  • 2.  RE: Odd behavior - SRX 345 add static routes and two users, j-web stops responding and VPN fails

    Posted 12-29-2021 05:51
    Did the routing change move any connection path from one zone to a different zone?

    Security zones are assigned to interfaces.
    Policy is written from zone to zone.
    If the route causes the zone to change, then the applicable policy would need to be in place on the new path.

    Any existing connections would be in the session table and still allowed. I think the timeout for the current session would be 30 minutes.  But new attempts would require a policy to be created in addition to the route if the traffic is not covered by an existing policy.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
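    As an added illustration of the zone/policy point made above (this is example code written for this page, not something from the thread or from Juniper): a small Python model of how an SRX decides whether to forward a packet. The topology, interface names, zone names and addresses are constructed; the routing table is a longest-prefix match, each egress interface belongs to one zone, policy is looked up from-zone to to-zone, and flows already in the session table keep passing. Adding a more specific static route moves the path to an interface in a different zone, so new attempts to the same destination are dropped until a matching policy exists, while the existing session survives.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed interface -> security zone assignments (hypothetical topology).
INTERFACE_ZONES = {
    "ge-0/0/0.0": "untrust",
    "ge-0/0/1.0": "trust",
    "ge-0/0/2.0": "dmz",
}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    egress: str  # egress interface name


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str


@dataclass
class Srx:
    routes: list = field(default_factory=list)
    policies: set = field(default_factory=set)
    sessions: set = field(default_factory=set)  # established (src, dst) flows

    def lookup(self, dst: str):
        """Longest-prefix match over the static routes, like the forwarding table."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def egress_zone(self, dst: str):
        """The to-zone is whatever zone the chosen egress interface sits in."""
        r = self.lookup(dst)
        return INTERFACE_ZONES[r.egress] if r else None

    def allows(self, src_zone: str, src: str, dst: str):
        """Return (permitted, reason) for a packet from src_zone to dst."""
        if (src, dst) in self.sessions:
            return True, "existing session in session table"
        to_zone = self.egress_zone(dst)
        if to_zone is None:
            return False, "no route"
        if Policy(src_zone, to_zone) in self.policies:
            self.sessions.add((src, dst))  # first packet of a permitted flow creates a session
            return True, f"policy {src_zone}->{to_zone}"
        return False, f"no policy {src_zone}->{to_zone}"


def scenario():
    """Walk through the 'route change moves traffic to another zone' failure and its fix."""
    fw = Srx(
        routes=[Route(ipaddress.ip_network("0.0.0.0/0"), "ge-0/0/0.0")],  # default via untrust
        policies={Policy("trust", "untrust")},
    )
    client, other_client, server = "10.0.1.10", "10.0.1.11", "203.0.113.25"

    before = fw.allows("trust", client, server)  # default route -> untrust, permitted

    # Admin commits a more specific static route; the new path leaves via the dmz interface.
    fw.routes.append(Route(ipaddress.ip_network("203.0.113.0/24"), "ge-0/0/2.0"))

    existing = fw.allows("trust", client, server)       # still in the session table
    new_flow = fw.allows("trust", other_client, server)  # new attempt: trust->dmz, no policy

    # The fix alongside the route: a policy for the new zone pair.
    fw.policies.add(Policy("trust", "dmz"))
    fixed = fw.allows("trust", other_client, server)

    return {"before": before, "existing": existing, "new_flow": new_flow, "fixed": fixed}


if __name__ == "__main__":
    for step, (ok, why) in scenario().items():
        print(f"{step:9s} {'permit' if ok else 'drop  '}  {why}")
```

    The practical takeaway the model shows: after a route change on an SRX, check which interface (and therefore which zone) the new path uses, and confirm a from-zone/to-zone policy covers the traffic that will now take it; the fact that already-established sessions keep working can hide the gap for a while.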



  • 3.  RE: Odd behavior - SRX 345 add static routes and two users, j-web stops responding and VPN fails

    Posted 12-30-2021 05:45
    And thanks for your reply, Steve.  Going to get with the current firewall admin after the new year and have them do a little cross training for the new guy (me) so I don't fubar this again!
    Happy new years!

    ------------------------------
    DENNIS ASTON
    ------------------------------



  • 4.  RE: Odd behavior - SRX 345 add static routes and two users, j-web stops responding and VPN fails

    Posted 12-30-2021 05:52
    Juniper Education does have some free online self-paced training you can access.  These first two would be related to your situation.

    General networking introduction
    https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=769

    Security material organized for the associate certification
    https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=12052

    Free learning home page with other resources
    https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=11478

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------