SRX

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  error: 'interface' is not a valid interface-range or alias name

    Posted 01-30-2020 11:05

    Hello Juniper Gurus,

     

    Currently, I am trying to connect SRX 320 (Spoke)  to SRX 345 ( Hub), The spoke is already configured but in the Hub when I committed, it showed this message.      error: 'interface' is not a valid interface-range or alias name 

     

    On the other hand, if I can get any VPN configuration template for SRX from you, I will be thankful.  

     

    I found this link but it is not clear.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB32015&cat=EX_SERIES&actp=LIST&showDraft=false

     

    I am sending the configuration of the Hub

     

    set system authentication-order password
    set system root-authentication encrypted-password "xxxxxx"
    set system services web-management http interface fxp0.0
    set system syslog file messages any any

    set system processes dhcp-service traceoptions file dhcp.log
    set system processes dhcp-service traceoptions flag all
    set system ntp server x.x.x.x
    set services flow-monitoring version9 template ipv4-test ipv4-template

    set security ike traceoptions file ike.log
    set security ike traceoptions flag all
    deactivate security ike traceoptions
    set security ike proposal ike-prop authentication-method pre-shared-keys
    set security ike proposal ike-prop dh-group group2
    set security ike proposal ike-prop authentication-algorithm sha1
    set security ike proposal ike-prop encryption-algorithm aes-256-cbc
    set security ike proposal ike-prop lifetime-seconds 3600

    set security ike policy ike-pol mode aggressive
    set security ike policy ike-pol proposals ike-prop
    set security ike policy ike-pol pre-shared-key ascii-text "XXXXXXX"

    set security ike gateway ike-gw ike-policy ike-pol
    set security ike gateway ike-gw address x.x.x.x
    set security ike gateway ike-gw local-identity hostname srx345-spoke-2
    set security ike gateway ike-gw external-interface ge-0/0/0.0

    set security ipsec proposal juniper_profile_1 protocol esp
    set security ipsec proposal juniper_profile_1 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal juniper_profile_1 encryption-algorithm aes-256-cbc
    set security ipsec proposal juniper_profile_1 lifetime-seconds 3600

    set security ipsec policy juniper_profile_1 perfect-forward-secrecy keys group2
    set security ipsec policy juniper_profile_1 proposals juniper_profile_1

    set security ipsec vpn ipsec-vpn-s2 bind-interface st0.0
    set security ipsec vpn ipsec-vpn-s2 ike gateway ike-gw
    set security ipsec vpn ipsec-vpn-s2 ike ipsec-policy juniper_profile_1
    set security ipsec vpn ipsec-vpn-s2 establish-tunnels immediately
    set security flow tcp-mss ipsec-vpn mss 1350


    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface


    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone trust to-zone vpn policy default-permit match source-address any
    set security policies from-zone trust to-zone vpn policy default-permit match destination-address any
    set security policies from-zone trust to-zone vpn policy default-permit match application any
    set security policies from-zone trust to-zone vpn policy default-permit then permit
    set security policies from-zone vpn to-zone trust policy default-permit match source-address any
    set security policies from-zone vpn to-zone trust policy default-permit match destination-address any
    set security policies from-zone vpn to-zone trust policy default-permit match application any
    set security policies from-zone vpn to-zone trust policy default-permit then permit


    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust host-inbound-traffic system-services dhcp
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust host-inbound-traffic system-services snmp
    set security zones security-zone untrust host-inbound-traffic system-services snmp-trap

    set security zones security-zone untrust interfaces ge-0/0/0.0

    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces lo0.0
    set security zones security-zone trust interfaces irb.10

    set security zones security-zone vpn host-inbound-traffic system-services all
    set security zones security-zone vpn host-inbound-traffic protocols all
    set security zones security-zone vpn interfaces st0.0

    set security zones security-zone test host-inbound-traffic system-services all
    set security zones security-zone test host-inbound-traffic protocols all
    set security zones security-zone test interfaces ge-0/0/7.0

    set interfaces ge-0/0/0 description "outside connection"
    set interfaces ge-0/0/0 speed 100m
    deactivate interfaces ge-0/0/0 speed
    set interfaces ge-0/0/0 ether-options no-auto-negotiation
    set interfaces ge-0/0/0 ether-options link-mode full-duplex
    deactivate interfaces ge-0/0/0 ether-options
    set interfaces ge-0/0/0 unit 0 family inet dhcp-client vendor-id Juniper-srx345
    set interfaces ge-0/0/1 unit 0 description "to host-3"
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/2 unit 0 description "to host-3"
    set interfaces ge-0/0/2 unit 0 family inet dhcp-client
    set interfaces ge-0/0/3 unit 0 description "to host-3"
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/4 unit 0 description "to host-3"
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/5 unit 0 description "to host-3"
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/6 unit 0 description "to host-3"
    set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/7 disable
    set interfaces ge-0/0/7 unit 0 description "to host-3"
    set interfaces ge-0/0/7 unit 0 family inet dhcp-client
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members VLAN10
    deactivate interfaces ge-0/0/7 unit 0 family ethernet-switching
    set interfaces ge-0/0/8 unit 0 description "to host-3"
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/9 unit 0 description "to host-3"
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/10 unit 0 description "to host-3"
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/11 unit 0 description "to host-3"
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/12 unit 0 description "to host-3"
    set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/13 unit 0 description "to host-3"
    set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/14 unit 0 description "to host-3"
    set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces ge-0/0/15 unit 0 description "to host-3"
    set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members VLAN10
    set interfaces fxp0 unit 0 family inet address x.x.x.x/25

    set interfaces irb unit 10 family inet address x.x.x.x/27
    set interfaces lo0 unit 0 family inet address x.x.x.x/32
    set interfaces st0 unit 0 family inet mtu 1400
    set interfaces st0 unit 0 family inet address x.x.x.x/24
    set routing-options static route x.x.0.0/16 next-hop x.x.x.x
    set routing-options static route x.x.0.0/16 next-hop x.x.x.x
    set routing-options static route x.x.x.x/24 next-hop 10.1.10.1
    set routing-options static route x.x.x.x/32 next-hop 10.1.10.1
    set routing-options router-id x.x.x.x

    set protocols ospf area 0.0.0.3 interface st0.0 interface-type p2p
    set protocols ospf area 0.0.0.3 interface st0.0 hello-interval 20
    set protocols ospf area 0.0.0.3 interface st0.0 dead-interval 300
    set protocols ospf area 0.0.0.3 interface st0.0 neighbor x.x.x.x
    set protocols ospf area 0.0.0.3 interface lo0.0 passive
    set protocols ospf area 0.0.0.3 interface irb.10 passive
    set routing-instances test instance-type virtual-router
    set routing-instances test interface ge-0/0/7.0

    set vlans VLAN10 vlan-id 10
    set vlans VLAN10 l3-interface irb.10
    =========================================

     

    Lab@SRX345-HUB# commit
    error: 'interface' is not a valid interface-range or alias name

     

     



  • 2.  RE: error: 'interface' is not a valid interface-range or alias name
    Best Answer

    Posted 01-30-2020 13:28

    Hi John,

     

    I looked at the configuration and cannot find any errors. I tried putting in random passwords and IP addresses in the set commands and did commit check on a device... and it validates.

     

     

    Did you do a "delete" from the top of the configuration before loading in the set commands listed? the set commands will only merge into already existing config.

     

    You should do something like this to ensure you are not merging existing configuration into your new one:

     

    user@srx340> configure
    Entering configuration mode
    
    [edit]
    user@srx340r# delete
    This will delete the entire configuration
    Delete everything under this level? [yes,no] (no) yes
    
    
    [edit]
    user@srx340# load set terminal
    [Type ^D at a new line to end input]
    <paste in all set commands here and hit ctrl + d afterwards>
    load complete
    
    [edit]
    
    user@srx340# commit check
    configuration check succeeds
    
    [edit]
    user@srx340# 

    Alternately - if you have the configuration in {} style, you can do a "load override" from the top of configuration mode and then just paste configuration into your device.



  • 3.  RE: error: 'interface' is not a valid interface-range or alias name

    Posted 01-31-2020 11:24

    Hello,  

     

    Thanks for your response, about your question really I don't remember, it is probably because I have been setting and deleting different command lines. I will be trying your configuration advice also I am going to use the SRX VPN configurator.

     

    Thanks for your help. 



  • 4.  RE: error: 'interface' is not a valid interface-range or alias name

    Posted 01-30-2020 13:30

    And regarding VPN configuration, you can create your own template via the SRX VPN configurator: https://support.juniper.net/support/tools/vpnconfig/ 🙂