Unable to manage an SRX-100 when connecting thru Junos Pulse client (MAG-2600)

Janrik_
New Contributor

Hi

I have a lab environment with a SRX-100, SSG5, SSG-320M, several switches and a MAG-2600. I have an out-of-band management network at 192.168.100.0/24; every device is connected to the same Management-switch, and my computer is connected to that switch as well and has the IP address 192.168.100.100/24. I can manage every device from my computer when I'm connected thru the management-switch with my wired network card.

I recently added the MAG-2600 and started to set it up, and I can connect to the MAG-2600 from my computer using the Junos Pulse client (I get the IP address 192.168.100.80/24). Everything seems fine except that I can't manage or ping the SRX-100 device. The zone which the management interface is in allows connections from ANY network and application. I've even tried to change the management address on the SRX-100 to 192.168.100.13/24 without any result (I can manage the SRX-100 on that address when I'm connected directly to the Management switch).

Does anyone know where the problem might be?


Thanks in advance!





Rough topology
*****************************************************************

                    ________
                   |Computer| 192.168.100.100
                       |
              _________|_________
             |Management-Switch| 192.168.100.10
                       |
                       |--------|SRX-100|  192.168.100.1
                       |
                       |--------|SSG-320M| 192.168.100.2
                       |
                       |--------|SSG-5|    192.168.100.5
                       |
                       |--------|Switch|   192.168.100.8
                       |
                       |--------|Switch|   192.168.100.9
                       |
                       |--------|MAG-2600| 192.168.100.11
                                    |^|
                                    |^| (VPN-tunnel)
                                    |^|
                                 |Computer| 192.168.100.80

muttbarker_
Valued Contributor

Re: Unable to manage an SRX-100 when connecting thru Junos Pulse client (MAG-2600)

When you connect via the Pulse client can you do anything in regards to the SRX? I.e., does it respond to pings? Have you enabled logging on the policy (log on session init), which will show you if you are being denied? Can you share your SRX config?

When you try and connect to the SRX directly your traffic type is "self" versus "transit" so you can use the monitor command to see if traffic is coming into the SRX itself for that I/F. 

Just some random thoughts. 





Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
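An added example (not from either poster) of the two checks described in the reply above, applied to the addresses in this thread: session logging on the intra-zone policy, and watching the management interface for packets from the Pulse client. Interface, zone and policy names are taken from the posted config; the trace file name flow-pulse.log and the filter name PULSE are assumptions.

```junos
## Added example, not from the thread. Assumes the posted config:
## management interface vlan.0 in zone trust, policy ALLOW_ALL from-zone
## trust to-zone trust, Pulse client addressed as 192.168.100.80.

## 1. Log session setup/teardown on the intra-zone policy (configuration mode).
##    Security policies only evaluate transit traffic; packets addressed to
##    the SRX itself ("self" traffic, e.g. ping or SSH to vlan.0) are governed
##    by host-inbound-traffic, so a missing log entry here is itself a clue.
set security policies from-zone trust to-zone trust policy ALLOW_ALL then log session-init
set security policies from-zone trust to-zone trust policy ALLOW_ALL then log session-close
commit

## 2. Watch the management interface for packets from the client (operational
##    mode). monitor traffic shows packets to the SRX's own control plane,
##    which is exactly what a management ping or SSH is. If nothing appears,
##    the packets never reach the SRX and the problem is upstream (MAG or
##    switch), not an SRX policy.
monitor traffic interface vlan.0 no-resolve matching "host 192.168.100.80"

## 3. Confirm which services are permitted on vlan.0 (the posted config lists
##    ping, ssh, https among others) and look for any session from the client.
show security zones trust
show security flow session source-prefix 192.168.100.80/32

## 4. Flow trace limited to the client so the log stays readable
##    (file and filter names are assumptions).
set security flow traceoptions file flow-pulse.log size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter PULSE source-prefix 192.168.100.80/32
commit
show log flow-pulse.log | match "192.168.100.80"

## Remove the trace when finished; it costs CPU on a small SRX.
delete security flow traceoptions
commit
```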
Janrik_
New Contributor

Re: Unable to manage an SRX-100 when connecting thru Junos Pulse client (MAG-2600)

Thanks for the quick response. I can't ping the SRX when I go thru the MAG, only when I'm directly connected.

I haven't tried the logging yet, but if it is as you say that the traffic type is "transit" instead of "self" that can be an explanation.

Here is my configuration. The SRX is inside a working lab, so that's why there are so many subinterfaces, BGP etc.

## Last commit: 2013-09-20 17:27:40 UTC by Manager
version 12.1X45;
system {
    host-name SRX-650;
    root-authentication {
        encrypted-password "$1$1DHsDkZd$QYRc2HvOBGqWIs6ozBfox1"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        message "LAB";
        retry-options {
            tries-before-disconnect 3;
        }
        class super-user-local {
            idle-timeout 10;
            permissions all;
        }
        user Manager {
            full-name Manager;
            uid 101;
            class super-user-local;
            authentication {
                encrypted-password "$1$nyhhmF2L$KpuNP1J/3jg5KcOROeBS/."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
                interface [ vlan.0 lo0.0 ];
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    fe-0/0/0 {
        vlan-tagging;
        unit 2545 {
            vlan-id 2545;
            family inet {
                address 146.150.254.158/29;
            }
        }
    }
    fe-0/0/1 {
        description TO-SSG-320M;
        unit 0 {
            family inet {
                address 146.150.252.227/28;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        description ISP-1;
        vlan-tagging;
        unit 407 {
            description CUSTOMER-1;
            vlan-id 407;
            family inet {
                address 146.150.195.97/29;
            }
        }
        unit 612 {
            description CUSTOMER-2;
            vlan-id 612;
            family inet {
                address 146.150.195.137/29;
            }
        }
        unit 616 {
            description CUSTOMER-3;
            vlan-id 616;
            family inet {
                address 146.150.251.73/29;
            }
        }
        unit 661 {
            description CUSTOMER-4;
            vlan-id 661;
            family inet {
                address 146.150.60.185/29;
            }
        }
    }
    fe-0/0/5 {
        description ISP-2;
        vlan-tagging;
        unit 2023 {
            description CUSTOMER-1;
            vlan-id 2023;
            family inet {
                address 146.150.63.121/29;
            }
        }
        unit 2050 {
            description CUSTOMER-2;
            vlan-id 2050;
            family inet {
                address 146.150.253.177/29;
            }
        }
        unit 2057 {
            description CUSTOMER-3;
            vlan-id 2057;
            family inet {
                address 146.150.71.41/29;
            }
        }
        unit 2059 {
            description CUSTOMER-4;
            vlan-id 2059;
            family inet {
                address 146.150.60.121/29;
            }
        }
        unit 2090 {
            description CUSTOMER-5;
            vlan-id 2090;
            family inet {
                address 146.150.71.9/29;
            }
        }
        unit 2189 {
            description CUSTOMER-6;
            vlan-id 2189;
            family inet {
                address 146.150.60.137/29;
            }
        }
    }
    fe-0/0/6 {
        description ISP-3;
        vlan-tagging;
        unit 2808 {
            description CUSTOMER-1;
            vlan-id 2808;
            family inet {
                address 146.150.60.145/29;
            }
        }
    }
    fe-0/0/7 {
        description ISP-4;
        vlan-tagging;
        unit 696 {
            description CUSTOMER-1;
            vlan-id 696;
            family inet {
                address 146.150.253.113/29;
            }
        }
        unit 728 {
            description CUSTOMER-2;
            vlan-id 728;
            family inet {
                address 146.150.26.65/29;
            }
        }
        unit 4000 {
            description CUSTOMER-3;
            vlan-id 4000;
            family inet {
                address 146.150.253.193/29;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.100.254/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.100.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 10.200.116.0/24 next-hop 146.150.71.14;
        route 146.150.246.32/27 next-hop 146.150.251.78;
        route 10.200.254.0/24 next-hop 146.150.26.70;
        route 10.200.241.0/24 next-hop 146.150.60.190;
        route 146.150.3.224/27 next-hop 146.150.60.150;
        route 0.0.0.0/0 {
            next-hop 146.150.254.153;
            retain;
        }
        route 146.150.203.144/28 next-hop 146.150.195.142;
    }
    autonomous-system 64512;
}
protocols {
    bgp {
        group SPOKE {
            type external;
            export BARA-DEFAULT-ROUTE;
            neighbor 146.150.253.118 {
                metric-out 100;
                local-preference 200;
                local-address 146.150.253.113;
                peer-as 65006;
            }
            neighbor 146.150.195.102 {
                metric-out 100;
                local-address 146.150.195.97;
                peer-as 65023;
            }
            neighbor 146.150.71.46 {
                metric-out 200;
                local-address 146.150.71.41;
                peer-as 65023;
            }
            neighbor 146.150.253.182 {
                local-preference 100;
                local-address 146.150.253.177;
                peer-as 65006;
            }
            neighbor 146.150.253.198 {
                metric-out 100;
                local-preference 200;
                local-address 146.150.253.193;
                peer-as 65019;
            }
            neighbor 146.150.63.126 {
                metric-out 200;
                local-preference 100;
                local-address 146.150.63.121;
                peer-as 65019;
            }
        }
        group CORE {
            local-address 10.150.254.158;
        }
    }
    ospf {
        export STATIC-AND-DIRECT-TO-OSPF;
        area 0.0.0.0 {
            interface fe-0/0/6.0;
            interface fe-0/0/1.0 {
                priority 1;
            }
        }
    }
    stp;
}
policy-options {
    policy-statement ONLY-DEFAULT-ROUTE {
        term ALSO-OK {
            from interface lo0.0;
            then accept;
        }
        term OK {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term EJ-OK {
            then reject;
        }
    }
    policy-statement STATIC-AND-DIRECT-TO-OSPF {
        term MATCH-STATIC {
            from protocol static;
            then {
                metric 10;
                external {
                    type 1;
                }
                accept;
            }
        }
        term MATCH-DIRECT {
            from protocol direct;
            then {
                metric 10;
                external {
                    type 1;
                }
                accept;
            }
        }
        term MATCH-BGP {
            from protocol bgp;
            then {
                metric 10;
                external {
                    type 1;
                }
                accept;
            }
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy ALLOW_ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone DMZ {
            policy DHCPTEST {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone trust {
            policy ALLOW-MANAGEMENT {
                match {
                    source-address any;
                    destination-address 192.168.100.0/24;
                    application [ junos-https junos-ftp junos-icmp-all junos-ssh junos-tftp junos-telnet junos-syslog ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone DMZ {
            policy FROM_MANAGEMENT {
                match {
                    source-address 192.168.100.0/24;
                    destination-address any;
                    application [ junos-icmp-all junos-ftp junos-ssh junos-telnet junos-tftp junos-syslog ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address 192.168.100.0/24 192.168.100.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ssh;
                            dhcp;
                            https;
                            tftp;
                            snmp;
                            ftp;
                        }
                    }
                }
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
                fe-0/0/0.2545;
                lo0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
        security-zone DMZ {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                fe-0/0/4.407 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
                fe-0/0/5.2057 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
                fe-0/0/7.696 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
                fe-0/0/5.2090 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/5.2050 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
                fe-0/0/4.616 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/7.728 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/4.661 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/6.2808 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/5.2189 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/5.2059 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/4.612 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/7.4000 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
                fe-0/0/5.2023 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                        }
                        protocols {
                            bgp;
                            bfd;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}