SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Getting error while configuring Traffic selector

    Posted 03-11-2023 07:41

    Hi guys, I am adding one server IP address to an already existing route-based VPN config. Please help on this: how to push my configuration to the 1500 SRX firewall.

    Below is the configuration.

    This is the existing configuration:

     show configuration | display set | match 10.231.157.
    set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-11 remote-ip 10.231.157.181/32
    set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-12 remote-ip 10.231.157.186/32
    set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-13 remote-ip 10.231.157.188/32
    set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-14 remote-ip 10.231.157.189/32
    set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-15 remote-ip 10.231.157.190/32
    set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-16 remote-ip 10.231.157.191/32
    set security address-book global address TFSV-11 10.231.157.181/32
    set security address-book global address TFSV-12 10.231.157.186/32
    set security address-book global address TFSV-13 10.231.157.188/32
    set security address-book global address TFSV-14 10.231.157.189/32
    set security address-book global address TFSV-15 10.231.157.190/32
    set security address-book global address TFSV-16 10.231.157.191/32
    set firewall family inet filter ISP term VPN_Traffic from destination-address 10.231.157.181/32
    set firewall family inet filter ISP term VPN_Traffic from destination-address 10.231.157.186/32
    set firewall family inet filter ISP term VPN_Traffic from destination-address 10.231.157.188/32
    set firewall family inet filter ISP term VPN_Traffic from destination-address 10.231.157.189/32
    set firewall family inet filter ISP term VPN_Traffic from destination-address 10.231.157.190/32
    set firewall family inet filter ISP term VPN_Traffic from destination-address 10.231.157.191/32
    set routing-options static route 10.231.157.181/32 next-hop st0.21
    set routing-options static route 10.231.157.186/32 next-hop st0.21
    set routing-options static route 10.231.157.188/32 next-hop st0.21
    set routing-options static route 10.231.157.189/32 next-hop st0.21
    set routing-options static route 10.231.157.190/32 next-hop st0.21
    set routing-options static route 10.231.157.191/32 next-hop st0.21

    ======================

    I am adding one TS to the above, as below:

    set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-17 remote-ip 10.231.157.192/32
    set security address-book global address TFSV-17 10.231.157.192/32
    set routing-options static route 10.231.157.192/32 next-hop st0.21

    set firewall family inet filter ISP term VPN_Traffic from destination-address 10.231.157.192/32

    =========

    But I am getting the below error in production. Please help: what am I missing?

    {primary:node0}[edit]
    root@XIUS-PRIMARY# set security address-book global address TFSV-17 10.231.157.192/32

    {primary:node0}[edit]
    root@XIUS-PRIMARY# set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-17 remote-ip 10.231.157.192/32

    {primary:node0}[edit]
    root@XIUS-PRIMARY# set firewall family inet filter ISP term VPN_Traffic from destination-address 10.231.157.192/32

    {primary:node0}[edit]
    root@XIUS-PRIMARY# set routing-options static route 10.231.157.192/32 next-hop st0.21

    {primary:node0}[edit]
    root@XIUS-PRIMARY#

    {primary:node0}[edit]
    root@XIUS-PRIMARY#

    {primary:node0}[edit]
    root@XIUS-PRIMARY# show | compare
    [edit security ipsec vpn TFSV-P2-vpn]
          traffic-selector ts-TFSV-16 { ... }
    +     traffic-selector ts-TFSV-17 {
    +         remote-ip 10.231.157.192/32;
    +         ## Warning: missing mandatory statement(s): 'local-ip'
    +     }
    [edit security address-book global]
         address OCMP-192.168.149.102 { ... }
    +    address TFSV-17 10.231.157.192/32;
    [edit firewall family inet filter ISP term VPN_Traffic from destination-address]
             10.27.1.232/29 { ... }
    +        10.231.157.192/32;
    [edit routing-options static]
         route 10.231.157.191/32 { ... }
    +    route 10.231.157.192/32 next-hop st0.21;

    {primary:node0}[edit]
    root@XIUS-PRIMARY# commit check
    [edit security ipsec vpn TFSV-P2-vpn]
      'traffic-selector ts-TFSV-17'
        Missing mandatory statement: 'local-ip'
    error: configuration check-out failed: (missing mandatory statements)

    Please, can anyone help with how to configure this on the device?

    Thanks

    Rakesh



    ------------------------------
    Rakesh A
    ------------------------------


  • 2.  RE: Getting error while configuring Traffic selector

     
    Posted 03-11-2023 09:49

    Hello Rakesh,

    Looks like you have configured only the remote IP in the traffic selector.

    Please configure a local-ip as well.

    Local IP: the IP or subnet which would receive or send traffic on your end.

    Regards,



    ------------------------------
    Brijil R
    ------------------------------
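
An added example, not part of the thread and not Juniper tooling: a small Python check that reads candidate configuration in `display set` form and reports any traffic selector lacking `local-ip` or `remote-ip`, the condition `commit check` rejected above. The `192.0.2.0/24` local prefix is a constructed placeholder, since the thread does not show the real local-ip, and treating `remote-ip` as mandatory too is an assumption beyond what the error output shows.

```python
import ipaddress
import re
from collections import defaultdict

# Matches: set security ipsec vpn <vpn> traffic-selector <ts> local-ip|remote-ip <prefix>
TS_LINE = re.compile(
    r"^set security ipsec vpn (\S+) traffic-selector (\S+) (local-ip|remote-ip) (\S+)$"
)
# local-ip is mandatory per the commit check output; remote-ip is assumed to be as well.
MANDATORY = ("local-ip", "remote-ip")


def check_traffic_selectors(set_config: str) -> list[str]:
    """Return one finding per traffic-selector problem found in display-set text."""
    selectors = defaultdict(dict)  # (vpn, ts) -> {statement: prefix}
    findings = []
    for raw in set_config.splitlines():
        m = TS_LINE.match(raw.strip())
        if not m:
            continue  # not a traffic-selector statement
        vpn, ts, stmt, prefix = m.groups()
        try:
            ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            findings.append(f"{vpn}/{ts}: invalid {stmt} '{prefix}'")
        selectors[(vpn, ts)][stmt] = prefix
    for (vpn, ts), stmts in selectors.items():
        for stmt in MANDATORY:
            if stmt not in stmts:
                findings.append(f"{vpn}/{ts}: missing mandatory statement '{stmt}'")
    return findings


# Constructed sample: ts-TFSV-16 is complete (placeholder local prefix);
# ts-TFSV-17 reproduces the remote-ip-only selector from the thread.
SAMPLE = """\
set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-16 local-ip 192.0.2.0/24
set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-16 remote-ip 10.231.157.191/32
set security ipsec vpn TFSV-P2-vpn traffic-selector ts-TFSV-17 remote-ip 10.231.157.192/32
set routing-options static route 10.231.157.192/32 next-hop st0.21
"""

if __name__ == "__main__":
    for finding in check_traffic_selectors(SAMPLE):
        print(finding)
```

Running it over the staged `set` lines before pasting them into a production session surfaces the missing statement without touching the device.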