CONNECTION_CHASSISD_FAIL The alarm process (alarmd) was unable to connect to the chassis process (chassisd). The problem related to this syslog message is described in the following sections: The CONNECTION_CHASSISD_FAIL is logged every 30 failed attempts by the alarm process to connect to the chassis process. When a CONNECTION_CHASSISD_FAIL event occurs, a syslog …
Best Practices for SRX Software Upgrade
Junos software provides a "no-validate" option that lets the system administrator bypass the configuration compatibility check when upgrading the Junos software version, but this option should be avoided if possible. This article shows one instance of a risk with the "no-validate" option. As of 12.1X44-D10, High-End SRX Series …
SRX 5000 Series routing engine 1 upgrade procedure
On SRX systems, the routing engine (RE) at slot 1 (0 based), RE1, is needed for dual control link redundancy and runs in single user mode. The normal upgrade process is not applicable to it and is mostly not needed. However, there may be instances when the RE at slot 1 (called RE1 hereafter) needs to be upgraded. This article …
SSH to device does not work
This article describes the error seen when accessing the device through SSH and how to resolve the issue. Suppose one tries to SSH to one of the interface IP addresses of the SRX on which SSH is enabled. The SSH connection is not successful, and the error message below can be seen in the log messages: root@frsar01fwl02> show log messages | match "host key" …
Juniper Clustering: Policy out of sync
On a Juniper SRX in a cluster, after re-ordering some security policies on the primary device and committing them, no other changes can be made without the warning error: Policy is out of sync between RE and PFE cluster1.node1. Please resync before commit. error: configuration check-out failed. The out-of-sync condition can be due to: • A policy message from RE to PFE is …
SRX: ICMP redirect might not work for FTP traffic
On SRX100, SRX110, SRX210, and SRX220 devices with FTP ALG enabled, ICMP redirect might not work for FTP traffic. When FTP ALG is enabled on SRX100, SRX110, SRX210 and SRX220, ICMP redirect does not work. However, it only affects FTP traffic; ping and other traffic will work without any problem. Once a ping packet is through, the FTP connection will succeed. Without ping or …
Firewall filter counters are not incrementing when applied under input-list.
This article discusses the reason why firewall filter counters do not increment when applied under "input-list". Firewall filter counters are not incrementing for the second filter when applied under input-list. Filter configuration: set firewall filter test1 term ftp from destination-port ftp set firewall filter test1 term ftp then count counter1 set firewall filter test1 …
DHCP Option 81 on SRX Devices
This article discusses the support of DHCP Option 81 on SRX devices. The SRX is acting as a DHCP server. DHCP option 81, the "Client FQDN option", is being implemented on the SRX and clients. The intention is to make the SRX update the A and PTR records on the DNS server whenever a client gets a new IP or an IP gets renewed. The SRX leases out the IPs as expected. The A and PTR records …
SRX: How to check the session ager status?
The session ager is a mechanism on SRX devices that takes care of the continuous session age-out and cleanup process. This is done by running a timer on each SPU that uses ticks as a unit of time (provided by hardware). The goal of this article is to describe a way to check if the session ager tick counter is increasing on each SPU. In certain troubleshooting scenarios, where you …
E-mails are timed out when UTM is enabled
This article describes the issue of certain e-mails not going through the device and eventually being timed out, when UTM is enabled on SRX branch and J-series devices. Certain e-mails are not going through the device and are eventually timed out, when UTM is enabled on SRX branch and J-series devices. Currently, the UTM module on Branch SRX/J-series devices does not …