Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  ATP 'AAMWD' and ' SecIntel' errors

    Posted 07-22-2023 06:00

    I have the following 2 alarms on all of my SRX devices. They persist after reboots. I have checked the DNS configuration and resolution. I am based in the UK, so connect to the European servers, which do not appear to be reachable via ping, but I guess this might not be unusual. This has been ongoing for a number of months now. Is anyone else experiencing this issue or indeed resolved it?

    2 alarms currently active
    Description
    AAMWD control channel down, it will impact AAMW functionality
    SecIntel channel down, it will impact SecIntel functionality



  • 2.  RE: ATP 'AAMWD' and ' SecIntel' errors

     
    Posted 07-24-2023 07:10

    Any chance your SRX is behind another FW or did you apply any strict firewall filter that might affect the outgoing system connections?

    Please run the request services advanced-anti-malware diagnostics pre-detection detail srxapi.eu-west-1.sky.junipersecurity.net command and share the output.



    ------------------------------
    M Gi
    ------------------------------



  • 3.  RE: ATP 'AAMWD' and ' SecIntel' errors

    Posted 07-24-2023 11:14

    Hi M Gi, thank you for getting back to me.

    None of the affected devices are behind another firewall.

    No firewall filters have been changed or added.

    The output is as follows:-

    3> request services advanced-anti-malware diagnostics pre-detection detail srxapi.eu-west-1.sky.junipersecurity.net 
        [INFO]    Try to get IP address for hostname srxapi.eu-west-1.sky.junipersecurity.net
    ping: cannot resolve srxapi.eu-west-1.sky.junipersecurity.net: Host name lookup failure
    DNS check                                            : [Failure]
    Error: DNS lookup failure is detected, please check your DNS configuration

    As mentioned, DNS has been checked and verified.




  • 4.  RE: ATP 'AAMWD' and ' SecIntel' errors

     
    Posted 07-24-2023 12:05

    Hi EMTSU, no problem.

    According to the test, this really looks like a DNS issue. What's the show host srxapi.eu-west-1.sky.junipersecurity.net output?



    ------------------------------
    M Gi
    ------------------------------



  • 5.  RE: ATP 'AAMWD' and ' SecIntel' errors

    Posted 07-24-2023 12:33

    I appreciate that, but I find it hard to believe given the number of different DNS providers we use. I can't even ping the address from my home.

    The name, however, resolves to 34.249.176.154

    The output is:

    > show host srxapi.eu-west-1.sky.junipersecurity.net 
    ;; connection timed out; no servers could be reached




  • 6.  RE: ATP 'AAMWD' and ' SecIntel' errors

     
    Posted 07-24-2023 12:44

    That's definitely a DNS issue. I would recommend checking SRX DNS servers under system name-server.

    The IPs are not pingable but port 443 is open.

    root@srx> show host srxapi.eu-west-1.sky.junipersecurity.net
    srxapi.eu-west-1.sky.junipersecurity.net has address 52.17.56.65
    srxapi.eu-west-1.sky.junipersecurity.net has address 34.249.176.154

    root@srx> telnet 52.17.56.65 port 443
    Trying 52.17.56.65...
    Connected to ec2-52-17-56-65.eu-west-1.compute.amazonaws.com.
    Escape character is '^]'.
    ^]
    telnet> quit
    Connection closed.

    root@srx> telnet 34.249.176.154 port 443
    Trying 34.249.176.154...
    Connected to ec2-34-249-176-154.eu-west-1.compute.amazonaws.com.
    Escape character is '^]'.
    ^]
    telnet> quit
    Connection closed.

    Anyway, I have to wrap it up for today. As I said, I would double-check the SRX DNS configuration, and possibly also the firewall filter config.



    ------------------------------
    M Gi
    ------------------------------



  • 7.  RE: ATP 'AAMWD' and ' SecIntel' errors

    Posted 07-24-2023 12:54

    Ok. I think my concern is that nothing has changed, in terms of the config (e.g. DNS / firewall filter) on these devices, so everything was ok and now it's not.

    The config is as follows:-

        name-server {
            8.8.8.8;
            208.67.222.222;
            1.1.1.1;
        }

    Here are my Telnet outputs:-

    > telnet 52.17.56.65 port 443 
    Trying 52.17.56.65...
    telnet: connect to address 52.17.56.65: Operation timed out
    telnet: Unable to connect to remote host

    > telnet 34.249.176.154 port 443 
    Trying 34.249.176.154...
    telnet: connect to address 34.249.176.154: Operation timed out
    telnet: Unable to connect to remote host

    Thank you for sticking with me on this :)


  • 8.  RE: ATP 'AAMWD' and ' SecIntel' errors

     
    Posted 07-25-2023 03:21

    That's your problem then.

    You have to figure out if that's an issue on the box (routing, junos-host, fw filters, etc.) or somewhere upstream. Fingers crossed.



    ------------------------------
    M Gi
    ------------------------------



  • 9.  RE: ATP 'AAMWD' and ' SecIntel' errors

    Posted 07-25-2023 11:13

    The 'issue' has been found, well, partly at least. During a recent project to set up loopback addresses on all devices, 'default-address-selection' was enabled. This 'caused' the issue. This has now been resolved. On some devices, however, the 'AAMWD control channel down, it will impact AAMW functionality' alarm remains with the following error 'Connection status: Request client certificate failed'.

    Thank you for your time and assistance M Gi.




  • 10.  RE: ATP 'AAMWD' and ' SecIntel' errors

    Posted 08-08-2023 08:59

    Hi EMTSU

    Which version are you running? We have the same error in version JUNOS 21.2R3-S2.9 a couple of times a day. It was fixed in the latest recommended version, but that version has a memory leak causing the network to go down, so we had to roll back.

    Aug  8 02:04:37.590  xxx alarmd[2148]: Alarm set: IPFD id=-1677721599, color=RED, class=CHASSIS, reason=SecIntel channel down, it will impact SecIntel functionality
    Aug  8 02:10:08.520  xxx alarmd[2148]: Alarm cleared: IPFD id=-1677721599, color=RED, class=CHASSIS, reason=SecIntel channel down, it will impact SecIntel functionality
    Aug  8 05:16:09.092  xxx alarmd[2148]: Alarm set: IPFD id=-1677721599, color=RED, class=CHASSIS, reason=SecIntel channel down, it will impact SecIntel functionality
    Aug  8 05:21:11.841  xxx alarmd[2148]: Alarm cleared: IPFD id=-1677721599, color=RED, class=CHASSIS, reason=SecIntel channel down, it will impact SecIntel functionality
    Aug  8 09:53:18.680  xxx alarmd[2148]: Alarm set: AAMWD id=-1694498815, color=RED, class=CHASSIS, reason=AAMWD control channel down, it will impact AAMW functionality
    Aug  8 09:53:18.706  xxx alarmd[2148]: Alarm set: AAMWD id=-1694498813, color=RED, class=CHASSIS, reason=SMS control channel down, it will impact SMS functionality
    Aug  8 09:59:29.923  xxx alarmd[2148]: Alarm cleared: AAMWD id=-1694498815, color=RED, class=CHASSIS, reason=AAMWD control channel down, it will impact AAMW functionality
    Aug  8 09:59:29.929  xxx alarmd[2148]: Alarm cleared: AAMWD id=-1694498813, color=RED, class=CHASSIS, reason=SMS control channel down, it will impact SMS functionality
    Aug  8 10:54:54.129  xxx alarmd[2148]: Alarm set: IPFD id=-1677721599, color=RED, class=CHASSIS, reason=SecIntel channel down, it will impact SecIntel functionality
    Aug  8 11:00:00.014  xxx alarmd[2148]: Alarm cleared: IPFD id=-1677721599, color=RED, class=CHASSIS, reason=SecIntel channel down, it will impact SecIntel functionality
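
Added example, not part of the original post and not Juniper code: a small parser that pairs the `Alarm set` / `Alarm cleared` lines in the alarmd format quoted above and reports how long each channel was down, including alarms that never cleared. The hostname `fw1`, the year, and the function names are assumptions; the sample lines are constructed in the same format.

```python
import re
from datetime import datetime

# Constructed sample in the alarmd syslog format shown in the post (host "fw1" is made up).
SAMPLE = """\
Aug  8 02:04:37.590  fw1 alarmd[2148]: Alarm set: IPFD id=-1677721599, color=RED, class=CHASSIS, reason=SecIntel channel down, it will impact SecIntel functionality
Aug  8 02:10:08.520  fw1 alarmd[2148]: Alarm cleared: IPFD id=-1677721599, color=RED, class=CHASSIS, reason=SecIntel channel down, it will impact SecIntel functionality
Aug  8 09:53:18.680  fw1 alarmd[2148]: Alarm set: AAMWD id=-1694498815, color=RED, class=CHASSIS, reason=AAMWD control channel down, it will impact AAMW functionality
Aug  8 09:59:29.923  fw1 alarmd[2148]: Alarm cleared: AAMWD id=-1694498815, color=RED, class=CHASSIS, reason=AAMWD control channel down, it will impact AAMW functionality
Aug  8 10:54:54.129  fw1 alarmd[2148]: Alarm set: IPFD id=-1677721599, color=RED, class=CHASSIS, reason=SecIntel channel down, it will impact SecIntel functionality
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+(?P<host>\S+)\s+alarmd\[\d+\]:\s+"
    r"Alarm (?P<action>set|cleared): (?P<src>\w+) id=(?P<id>-?\d+),.*?reason=(?P<reason>.*)$"
)

def parse_ts(ts, year=2023):
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S.%f")

def outage_windows(text, year=2023):
    """Pair set/cleared events per (host, source, id); open alarms get end=None."""
    open_alarms, windows = {}, []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an alarmd set/cleared line
        key = (m["host"], m["src"], m["id"])
        when = parse_ts(m["ts"], year)
        if m["action"] == "set":
            open_alarms.setdefault(key, (when, m["reason"]))  # keep the earliest set
        elif key in open_alarms:
            start, reason = open_alarms.pop(key)
            windows.append({"host": key[0], "source": key[1], "reason": reason, "start": start,
                            "end": when, "seconds": round((when - start).total_seconds(), 3)})
    for key, (start, reason) in open_alarms.items():  # set but never cleared in this log
        windows.append({"host": key[0], "source": key[1], "reason": reason,
                        "start": start, "end": None, "seconds": None})
    return windows

def downtime_by_source(windows):
    """Total closed-window downtime in seconds per alarm source (IPFD, AAMWD, ...)."""
    totals = {}
    for w in windows:
        if w["seconds"] is not None:
            totals[w["source"]] = round(totals.get(w["source"], 0.0) + w["seconds"], 3)
    return totals

if __name__ == "__main__":
    for w in outage_windows(SAMPLE):
        print(w["host"], w["source"], w["start"], "->", w["end"] or "STILL DOWN", w["seconds"])
```

Windows with no end are the ones to chase first, since the alarm text itself says the feature is impacted while the channel is down.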




  • 11.  RE: ATP 'AAMWD' and ' SecIntel' errors

    Posted 10-02-2023 11:13

    It was the recommended release at the time, which has changed recently. Another step, which cleared the remaining alarms, was a simple reboot - not an uncommon requirement with SRX devices, unfortunately.