Re: help!! because There was a preexisting session from the same peer
I am getting the same error in a route-based SSG550 (hub) and SRX100H2 (spokes) VPN configuration. When I use the following commands on the SRX100: set security policies from-zone internet to-zone internet...
SSG5 firmware upgrading in a VRRP environment
Hey guys, I hope this message finds you well. I have a question (or more of a confirmation of my suspicions) regarding updating firmware in a VRRP environment. We have the following set-up: What I...
Re: Basic BGP Configuration
Ok, this is currently set for tomorrow. I just got the IP information from the ISP and from what I'm seeing they'd like SSG140(A) to use an IP of a /30 directly connected to their equipment and...
Re: SSG5 firmware upgrading in a VRRP environment
1: If you are updating the software key, then have a local TFTP server ready just in case it's needed, or you may delete the software key to bypass the software key check. 2: There is no such known...
Changing tunnel interface MTU on SSG5
Hi, I have two SSG5 firewalls running the latest firmware. Each firewall is connected to the internet. Behind the firewalls are two private networks A and B. I have an IPsec tunnel connecting A and B....
high cpu isg2000
Hello, been fighting high CPU on a Juniper ISG2000 firewall running 6.3.0r17b.0.
firewall(M)-> get performance cpu all detail
Average System Utilization: 76% (flow 85 task 85)
Last 60 seconds:59:...
Re: high cpu isg2000
Both flow and task CPU utilisation is high. If you are ok with sharing the logs, please sanitise and share them here.
Re: Changing tunnel interface MTU on SSG5
Hi Chris, You need to check the below information to see how traffic is getting allowed: 1: get interface <tunnel.x> 2: debug flow basic (make sure you have specific filters for IPs e.g. set...
Re: SSG5 firmware upgrading in a VRRP environment
Awesome. Thank you so much for your input. I highly appreciate it. Time to update!
Re: high cpu isg2000
Hi, thanks. Attached are the fprofile outputs. Let me know if anything stands out. Thanks.
Re: high cpu isg2000
1 ip 0x11 10.133.120.145 213.212.65.205 514 514 500514 12.05%
2 ip 0x01 216.203.2.133 60.9.185.16 11 0 468402 11.28%
1: Is there any specific reason why syslog is using source port 514 instead of...
Re: high cpu isg2000
Thanks for the reply. - I'm not sure.. we have a syslog server on the inside of our firewall and customers' firewalls are sending logs to it from untrust to trust. - Hmm, so the first address is our...
Re: SSG5 firmware upgrading in a VRRP environment
Our procedure is this: reboot slave first. Reboot master after slave has come back (these are important because SSGs are known to "brick" due to bad memory sticks -- easy fix, but if you are not onsite...
Re: high cpu isg2000
Hi, The syslog traffic may be legit or something that can be controlled in your network. But I am more interested in the second one - ICMP type-11 Code-0 traffic from 1 src to 1 destination, consuming...
Re: high cpu isg2000
Also, please collect fprofile another 3-4 times and share it here. Just to ensure we do not miss any other top-talker. Vector is not necessary, just fprofile will do. get performance cpu all...
help guys..!! (address: duplicate entry issue)
Hello all, I have a problem when configuring IPs on a policy. As you can see in the captured picture below, there are IPs which are the same. When I configured these, an "address:duplicate entry" message appeared..! so,...
Re: Basic BGP Configuration
You probably have this all worked out now. But the answer depends on how your cluster is set up. Normally in Active/Passive clusters there is just one address and one peer and the BGP session will...
Re: help guys..!! (address: duplicate entry issue)
Hi, Did you create another address entry while creating the security policy rather than selecting the previously configured address from the drop-down list? It should work, but remember to have more specific...
Re: help!! because There was a preexisting session from the same peer
I had to add the ike service at the interface level as well as the zone level: security-zone Internet host-inbound-traffic system-services ike; interfaces fe-0/0/0.0...
Upgrade Path
Dear All, Could someone suggest an upgrade path from 6.0.0r4.0 to 6.3.0r21. Please help on an urgent basis.