I work for a small company and we just brought in a Juniper EX4200 switch so that we are able to test our SFP's and XFP's. I went through the EZSetup process however when I try to re-connect afterwards it just tells me that my subnet for the switch is different then the PC. I have tried assigning a static IP but that is not working for me either
View 8 Replies
Is a CA/CS required to deploy 802.1x? Google searches is confusing me with multiple answers. Im currently trying to test without a CA/CS and im having no luck.
Lab
2008 R2 DC
2008 R2 NPS
Juniper EX4200
User Win 7 PC
This is for a wired connection
I need to create a trunk between a Cisco 3560 and a Juniper EX4200I am perfectly happy with the the Cisco side and want to only allow 1 vlan across the trunk, which I was going to configure on the 3560 side. Any experience on trunking to a Juniper Ex4200.Looking at the Juniper side it looks like I just set the port as a L2 uplink.
View 3 Replies View RelatedI have a lot of problems with the connection between our Cisco 2950 and Juniper EX4200.We got two different types of connection, two swtiches with LAG (LACP) and three switches with standard Trunk (STP).
The Problem:If i connect a new switch to the EX4200, both LAG-interfaces goes down with the following message in the cisco-log:
%PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Gi0/1 in err-disable state
: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Gi0/2 in err-disable state
This does not always happen, maybe 20-40% of the times i connect a new swtich or move a switch from a port to another.This happens reglardless if i have the EX4500 connected or not.
Any known issues connecting an ASA to a Juniper switch?
We have a remote site where we have an ASA 5505 installed set up running EzVPN. We do not have not have control/access to the internet connection or the internal infrastructure. We basically have an office within their building. Our ASA has one of their external IP addresses and is connected to thier Juniper switch. Our pc's/printers are patched to another Juniper switch which is uplinked to our ASA. The issue we are having is that the connection is intermittently dropping where we cannot ping the pc's/printers at the remote site through the VPN tunnel but we are still able to ping the external IP address of our remote ASA. The strange thing is that we cannot manage the ASA via SSH or ASDM using the outside interface but can ping it when this occurs. For the most part the VPN tunnel does not drop when we check the sessions at the headend although it occasionally will.
We have a 3750 as core switch with critical oracle servers ( production & development ) connected to this. The goal is to have these servers behind a firewall, which is to be done by logically routing the traffic towards the device.Now, we need to connect the 3750 with two juniper srx firewall physically. The oracle server VLAN will be removed from 3750 and same layer 3 vlan will be created in the juniper firewall. How do i connect the 3750 to the two junipers. what configurations will be involved, on a logical basis.
View 11 Replies View RelatedWhat I am trying to do is I have one switch with say a 10.1.9.1 sub-net I need to have one of the ports to be trucked with two vlans one for DSL and the other for a local connection with the sub-net of 10.1.5.1 both of the sub-nets are configured in the core as 9 and 5 so I have port 0 set up as a trunk and it is set up as ge-0/0/0.0 vlan_5, vlan_192 on the 10.1.9.1 subnet switch. The DSL is working but the local is not pulling a 10.1.5.1 IP and has no connectivity. Everything looks as if it is configured correctly but still the DSl is working but not the Local connection.
View 2 Replies View RelatedThe ultimate setup thread mentioned only connecting routers together, and it would be cheaper (would it?) to get a new router and a switch instead of two routers of the same type.I admit I don't know much about networking. I tried Googling, but kept getting results about people asking what the difference between a switch and a router is, or how to set up two subnets on one router or switch.My current router is pretty old, its a V2 WRT54GS. I don't want to let it go but the lack of WiFi-n and Gigabit can get limiting, especially when sending large files across systems on a network or streaming video.However, I have another issue that wouldn't really be resolved by replacing it anyway, the fact that most if not all home routers have 4 Ethernet ports max. The amount of wired devices I use in the same area is increasing, and while I can switch some of them to wireless to make room for the wired-only ones, I would prefer not to. Some of these are multimedia or gaming devices and I would prefer the lower latency as well as higher LAN network speeds of Ethernet for them. I was told that I can connect a switch to my router and have everything act as if its on the same subnet.Will devices plugged directly into the router and those on the switch act as if they are on the same subnet and see each other without issue? Wouldn't this cut down on the speed of the devices if I have several plugged into the switch since they are sharing the single port the switch is plugged into the router with? Would it be better to get a switch with several gigabit ports and just plug everything into that for LAN speed? Its not like the WAN connection will come anywhere even close to 100Mbit, much less Gigabit, but would that still cause a bottleneck if several devices are trying to access the WAN over a switch that is plugged into a single port on the router, or no? Or would it be better to plug as many devices as I can into the router and the rest into the switch?
P.S. I use static IPs because I like to know which device has what IP to communicate with them directly if need be, and the WRT54GS has no way for my to reserve an IP based on port, MAC, or anything. Would that cause a problem? Is there any way to assign/reserve IPs on the newer routers (especially Linksys) with their stock firmware so I can switch to DHCP for guest devices?
Have our public IP address space masked on /24 at our Internet Router. The router portion of 3845 connects to Internet, while the internal switch connects to my internal network and seeds it with the public address space. The switch had a port configured no switchport (L3) with an ip address with /24 (ie 67.63.145.1 /24) this connects to internal IPS/IDS then to Firewall which NATs to internal, then packet shaper, web filter etc etc etc. I need to test my ISP speed so I need to "break in" to the link between the switch and the IPS/IDS. I figured I could configure another port on the switch on the 3845 but my problem is the port to my network is routed and is masked on entire /24. I tried to configure a port on VLAN 1 and give myself an available address in the L3 address space and this did not work (figured it would not but gave it a try)
Any way to get two ports configured to use the same subnet while one is a L3 routed port and the other is just part of that layer 3 routed network?
I decided to switch away from my DIR-655 wireless router due to multiple issues and go with an Untangle box. Everything appears to be set up great... except when it comes to my VPN connection to work via Juniper VPN Client v. 6.5.0.15507. For some reason, the VPN connection keeps dropping every 3-5 minutes and I have to wait for it to either reconnect, or sometimes the client completely stops and I have to restart it.
View 16 Replies View RelatedI have a ASA 5520 with a functional IPSEC VPN using the Cisco VPN client. This allows my remote users (Staff) using laptops to come in from anywhere on the Internet and tunnel in. Works great.Next, we need to stand up a VPN over a Juniper SSG5 so that when we have groups working outside of our network, they can tunnel back into our network. If they were going to be coming from a known, fixed IP, or even netblock, we'd probably use Route-based setup from a Juniper SSG5 into the ASA 5520. But they may very well be coming from any IP. I am thinking this leads us to Site-to-Site VPNs- it won't be Network Client access obviously, nor will it be Clientless (browser-based).
View 9 Replies View RelatedIs there any problems expected in working with core switch of Juniper EX8208 with access switches of Nortel Baystack5520 / 380 / 425 and 325? Whether the VLAN, Multicasting, streaming, STP, SNMP, etc will work without any issues?
View 2 Replies View RelatedI'm trying to enable LAG between WLC and a Juniper switch EX-4200 but it is not working.
In the lab i managed to enable LACP between Cisco 2960 and juniper EX-4200 and works with the atached configs that i found on juniper forum. Also LACP between Cisco 2960 and WLC works with te same config, but never between the WLC and Juniper. I've tried with passive mode and slow mode, always seems that juniper is not seeing the WLC BPDUs. I tried with WLC 4402 and 5508 both with 7.0 firmware.
I have set up an ACS 5.4 box and have some test devices connected to it.Cisco and Juniper, both working fine using TACACS I can connect to both using SSH or Telnet but my problem is the J-Web Juniper GUI I can access the J-web no problem with the root account. i can not seem to get it to work, no matter what I try. Here is my shell from the ACS box And the following Juniper configuration. I have tried binding the local-user-name attribute to both the remote and remoteadmin with no luck.
version 9.6R1.13;
system {
host-name Juniper-Firewall;
authentication-order [ tacplus password ];
root-authentication {
encrypted-password "$1$1tRuy9o2$LwSPxNwe4XGNMOMIMo1pd1"; ## SECRET-DATA
[code].....
Local LAN is connected with cisco 2800 router and SRX 210 Firewall, currently all LAN segment will go to my Data Center via ISP A and all internet traffic from LAN segment will go to internet via SRX firewall, there is no relation/connection between cisco router and SRX firewall. I have separate AS no. s for both the ISP
I am having attached scenario. based on current one I would like to do following.
1. I need to use PBR at LAN Switch ( its L3 Switch) such that in normal scenario - local VLAN traffic is equally distributed on both ISP.
2. dedicated internet traffic will flow through ISP B only and if WAN link of ISP B goes down, the internet traffic will pass through ISP A.
( in normal scenario, ISP A will utilized 100 % for LAN traffic to reach it to DC but once ISP B link goes down, the b/w of ISP A will be divided to route 50% traffic for LAN segment to DC and rest 50% traffic of LAN segment to internet)
Several of my older netscreen devices only support radius authentication and I'm having trouble migrating them from ACS 4.2 to ACS 5.1. When I try to authenticate, the authentication passes in ACS but it doesn't log you into the Netscreen (you see a auth failure in the Netscreen logs). I believe that the custom attributes are not being passed from ACS to the Netscreen. The custom attribute we are trying to pass is "NS-Admin-Privilege" with type integer and a value of 2. The netscreen is setup so that the user privledges are obtained from the ACS server.
Any setup where they are using Cisco radius authentication to authenticate Netscreen devices?
I have ASA 5510 with 8.4 connected to ISG 1000, when traffic is passing the VPN tunnel is working fine, when the traffic stops, ASA will drop the packet but the VPN tunnel on ISG still up .When new traffic started from ISG side, it will drop, as the tunnel is not up on ASA side.
View 2 Replies View RelatedI am trying to authenticate on Juniper NSM express using cisco ACS 5.2. The request is arriving at the cisco ACS but i am getting the following error.RADIUS requests can only be processed by Access Services that are of type Network Access.
View 4 Replies View RelatedIn the process of migrating from ACS 4.1 to ACS 5.3. Authentication works fine, but having issues with authorization on the Juniper WXC-3400 devices. In ACS 4.1 we were passing TACACS+Shell (exec) Custom attributes Privilege level=15, which allowed a user to login with read/write privileges. In ACS 5.3 tried setting the Shell Profiles common task to 15 for both Default and Maximum (one at a time, and together), as well as setting the Custom Attributes for priv-lvl=15 (with and without Common Tasks set).
A capture shows Auth Status: 0x11 (ERROR).
i changed from ACS 4 to ACS 5.2. Everything works fine but i have authentication failed in the Radius accouting reports every time when users connect through ASA or Juniper into our network. Juniper amd ASA only send accounting informations to ACS. The users are not configured on the ACS, authentication is done via external LDAP. So my question is why do o see authentication error on ACS because Juniper and ASA only send accounting packets ?
View 2 Replies View Relatedi am setting up a LAN to LAN VPN between Cisco ASA 5520 and Juniper device. its my first time i am setting this up. What will be the peer device of my device that i need to give to the other person.. is this the outside address of my device ?
Also with the setup i have made i am getting the follwong error msg:
IKE Peer: 81.45.22.222 Type : L2L Role : responder Rekey : no State : MM_WAIT_MSG5
also i was getting Type: user intead of l2l - what does htis mean as well
We have VTI tunnels between Cisco (3825 and 878) and Juniper (SRX3600).Sometimes tunnel is going down and I should manualy shutdown and no shutdown tunnel interface to bring it up.This is logs from Cisco:%%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid spi for destaddr=X.Y.100.200, prot=50, spi=0xc5d07a33(3318774323), srcaddr=X.Y.100.100 ,%%crypto-4-ikmp_no_sa: ike message from X.Y.100.100 has no sa and is not an initialization offer.
View 3 Replies View RelatedHaving an issue with authenticating Juniper J Series and SRX devices with ACS 5.1 The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase. There is nothing of interest in the ACS Logs (Even with the debugging levels turned right up) The same Access service is in use for both the CLI and GUI (JWEB).Using ACS 4.1, both CLI and JWEB authentication works.[URL]I'm thinking the issue is with ACS 5.0 / 5.1 and it maybe not liking the response from the Juniper (even though it should be the same mechanism)
View 6 Replies View RelatedWe have a VPN established between the above devices (I don't have more info on the Juniper as it's a client site) The Juniper initiates the VPN and all is well, tunnel is up all ok but approx every 45 minutes the VPN drops.
the tunnel parameters are set to keep it alive for 8 hours but that doesn't work.
I am using 6500 with VPN Accelerator on this device. I have a dozen other VPN connections GRE and IPSEC to routers and ASA and other Juniper Firewalls.
They all work perfectly.The error I get is map_db_find_best did not find matching map (Never seen this error be for) [code]I can't put the whole config for security reasons.
Is it possible to set up a vpn tunnel on a 1721 router that uses the following ios:
c1700-y7-mz.124-13b.bin
I thought I had read somewhere that tunnels were not supported on the 1700s but wanted to make sure. If they are I would like to know if they are supported in the above ios.
I need to configure a new RV042 behind a SSG5 firewall. All VPN connections is client to gateway.
Firstly, i tried doing a direct connection(bypassing the firewall), the quickVpn status says connect but I can't even ping the rv. I suspect is due to client own ip is 192.168.1.x and the gateway ip is also 192.168.1.10. How do I resolve this such that users can connect anywhere without having to worry about clash of ip?
VPN tunnel between ASA 5520 ver 8.0(4) and a remote Juniper firewall keep tearing down during Phase 1 rekeying. After the rekeying process fails, manually pinging one of the remote hosts that are proteced behind the Juniper firewall,initates the tunnel renegoation and rebuilds the tunnel successfully.
When the tunnel is down, sh crypto isakmp sa shows no active SA for the remote peer. That indicates the PHASE 1 negotation had indeed failed.When the tunnel is working, sh crypto isakmp sa indicates an IKE role of Responder - always.Clearly that also means Phase 1 negotation works only one way, i.e. negotation initated by the remote Juniper unit only.
Interestingly, the Syslog server logged the following SNMP trap messages at the time rekeying Phase1.Note, Line#2 and #7 and wrapped to the next line for easy of reading.
Line#1: IP = Remote-Peer-IP-#, Starting phase 1 rekey
Line#2: IP = Remote-Peer-IP-#, IKE Initiator: Rekeying Phase 1, Intf outside,
IKE Peer Remote-Peer-IP-# local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Line#3: IP = Remote-Peer-IP-#, constructing ISAKMP SA payload
[code]...
As I understand from the above syslog trap, the Responder ( the ASA unit this time) started Phase 1 rekey (Line #1). It prepare a message to be sent to IKE Initiator, that it is about to start rekeying Phase 1 (Line #2). Down on the next line, it indicated that the local Proxy, remote Proxy and Crypto map as N/A ( not avaiable).Why would the ASA unit send N/A message as shown in Line#2, is that normal?
I wants to inegrate Juniper netscreen firewall in Tacacs Cisco Acs 5.1.As I go through Juniper KB which mentioned that I need to enable Netscreen Service in Cisco ACS 5.1. how to enable Netscreen service in Cisco Acs 5.1 and how I got Further to integrate Juniper Netscreen Device in Cisco cs 5.1
View 2 Replies View RelatedI'm having an issue bringing a L2L tunnels up between my ASA 5510 and an ISPs Netscreens. I can establish the tunnels from my side by initiating traffic to the far end. The tunnels come up and stay up as long as there is traffic. Once the tunnels drop, they will not re-establish with inbound traffic. The only way to re-establish the tunnel is to send traffic outbound from our network. My ASAs are on ASA Version 7.0(8) in active/standby. [code]
View 2 Replies View RelatedI have configured ACS 5.1 and using Tacacs. I have two juniper SSG140 FW's in different subnet. Tacacs authentication is working on one SSG140 FW, but not on the other one. Tacacs configuration on both FW's are exactly the same. Both FW's have been added in the ACS server with the same shared secret key same profile etc. I don't even see the authentication requests from the FW. ACS can ping both FW's and vice versa. [code]
View 2 Replies View RelatedWe're attempting to SSH from a Cisco 2960S to an SRX240, and are having some issues. The error we're seeing on the switch is: ops-switch1#ssh -l root 10.10.10.1. Any way to work around this on either the server or client side?
View 1 Replies View RelatedI have internet on my computer at home and i have unpluged the computer and moved in to another room it is saying that i need to reconnect the internet.
View 1 Replies View Related
