Oh, yeah, didn't think about that. The IP Spoofing screen also uses the routing table to make its decisions. If it fits your network, you should also be able to avoid triggering the screen by having both ISP interfaces in the same zone, rather than disabling ...
Took a closer look at the SPAN. I saw ICMP responses. And... these logs being spammed over and over again.
USER.ERR: Jul 7 15:52:45 LabBR RT_IDS: RT_SCREEN_IP: IP spoofing! source: 8.8.8.8, destination: 10.255.250.13, protocol-id: 1, zone name: ...
Thanks for that bit of info! That command does return a list of next-hop gateway IPs (the private ones) and the corresponding certificate, which is useful for correlating the private IPs with the hostname in the cert's CN. I just wish it would show ...
JunOS has show security ipsec next-hop-tunnels which should be similar-ish, I think ...
------------------------------
Nikolay Semov
------------------------------
That is an excellent question. I haven't been able to find any ADVPN-specific commands yet which could shed light on it. For example, Cisco has "show nhrp" and "show ip nhrp"
------------------------------
ae_zero
------------------------------
Check the VLAN tagged/untagged assignments on the port:
show ethernet-switching interface ge-0/0/1
If you see VLAN 1 (LAN) listed as both untagged and tagged on the port, remove LAN from unit 0 vlan members, so that only the untagged version remains ...
Interesting. As far as ADVPN is concerned, the two suggesters don't know about each other ... I wonder what would happen if a spoke receives a competing (or perhaps a duplicate) suggestion for a spoke-to-spoke connection. ------------------------------ ...