Original Poster · 1 point · 17 days ago

Do you think that's mostly it? Is there anything I can do on my end?

Yes, you need to make traffic selectors on your Junos device to mimic the ACL they have applied on the ASA.

The ASA does not want to bring the tunnel up because it is not getting the correct proxy-ids from the SRX. So to appease it you can do traffic-selectors.

The traffic selector must match the ASA's access-list. Traffic-selectors can't supply application info (layer 4), so don't put ports in your access list. Keep the access-list applied to the ASA VPN config, layer 3 only.

I am not knowledgeable on ASAs, but if they require access-lists with layer 4 then your best bet is a GRE tunnel. Create proxy-IDs instead with the application of gre. Then route everything through the GRE tunnel.

2 points · 24 days ago

Yes. Isn't a 340 a bit overkill for only so few users?

Actually yeah, I think an srx300 would be more than enough.

  • 6* 1Gbps copper
  • 2*1Gbps SFP.
  • 16 Security Zones
  • 32 Virtual Routers
  • 256 IPSec Tunnels
  • 300 Mbps IPSEC
  • 1Gbps Stateful firewall
  • 1000 NAT Rules
  • 1000 Security Policies

I suppose if you think you are going to need an MPIM down the road an srx320 might come in useful. The only one I'd be interested in is the 4G/LTE MPIM. Also I think it comes in a PoE flavor.

That being said if they want to use the srx340 as a 16 port switch that does simplify things.

Original Poster · 1 point · 1 month ago

Thanks for the helpful answer, really do appreciate it.

The switches are indeed managed switches, they are these: NETGEAR-GS748T . As for the APs, I am using Ubiquitis. I was thinking of having them on a separate network/VLAN, but it isn't really necessary.

We will only have about 80 employees in the office, and they just need internet access really.

I currently have an internal to internet zone/policy applied with the ge-0/0/1 interface, with an IP of , ge-0/0/0 is for net access.

I just want 2 other interfaces on that same subnet, so that I can just plug the switches into them and get an IP from the DHCP server. The APs could be on the 4th with a different network, or the same.

Again, thanks for walking a noob through this!

1 point · 1 month ago · edited 1 month ago

These switches do RSTP. They also have no cli and a terribly buggy web interface that works on a mixture of chrome, firefox and ie 6 (keep that xp box handy) depending what you are doing... I would maybe accidentally make something happen to them... Drop them Fell down the stairs as you were carrying them up. Luckily you were alright (and are not going to sue) but the Netgears did not make it...

Seriously, if you have to use them I guess they will be good out of the box with a simple VLAN 1 config and RSTP 32K bpdu. I really hate them though. Good luck trying to troubleshoot a broadcast storm or loop with these things. I would uplink each one individually to your srx. Avoid connecting them to each other. Set your SRX's BPDU lower than 32K (28K at least).

But after you "set it" (however painful) you can "forget it". I have not touched my GS748P's since I set up all the vlans, trunks and RSTP. I think it does MSTI as well but I can't be sure, because I am never going to log into them again! I am going to replace mine with some used ex4200's.

These things have scarred me. But they also taught me some valuable lessons and helped me understand the importance of a good basic STP setup. I wish they could block bpdu on edge ports. I get though, to a beginner, these could seem more friendly as they have a web interface (but it's bad, trust me). Maybe there is a new firmware or they have new models, IDK. Could I even load it with a modern browser? Sorry, I guess this opened some old wounds. I can't wait to drop them fall down the stairs.

2 points · 1 month ago

Travelling right now but maybe look into gratuitous arp on your reth interfaces. I know nothing about the switches you are using and their cam/Mac address table life but this could mess things up on a failover. By setting up gratuitous arp you would be advertising the reth mac Addy's new location to the switches. If the switches are sending the traffic to the wrong port that would mess up forwarding traffic.

3 points · 1 month ago


I have seen this help before by increasing the garp for each redundancy group. I have had problems twice in the past with ISP's cisco switches. I think I raised the rg garp to 8 but I think in retrospect 16 is better.

Also reading your post again you should maybe not reboot to test failover but instead request chassis cluster failover then run a clear chassis cluster failover

3 points · 1 month ago · edited 1 month ago

Please run on master node but if it reports other node lost do this on both:

> show chassis cluster status    
> show chassis cluster interfaces
> show chassis cluster information

Run this one on both nodes:

> show log jsrpd

See what you get post back here or look through it.

As for your point with MAC addresses I am not sure what you mean. If you are concerned about the reth interface it is a calculated MAC based on the reth # and cluster ID. Have a look

I am sorry, I just skimmed through the post. But the commands above would be more useful for others to see what is going on, without actually knowing anything. A diagram might be helpful. Did the swapped out SRX ever work/transit traffic?

1 point · 1 month ago · edited 1 month ago

I want to basically clone the firmware/config of the unit I configured onto other units instead of doing the traditional setup of each unit through web gui/cli.

I can think of a different (I think better) way to do this:

Copy Junos and config to a FAT32 USB stick from a preferred manufacturer (Sandisk, Transcend, Unigen, Kingston, and Lexar are recommended by Juniper - I have had generic USB sticks cause me problems in the past).

Boot into the Loader> prompt by pressing Enter when prompted:

FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.8
(, Tue Feb 10 00:32:30 PST 2015)
Memory: 4096MB
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
[1]Booting from eUSB slice 3
|/-\can't load '/kernel'
|/-\can't load '/kernel.old'
Press Enter to stop auto bootsequencing and to enter loader prompt.

From the loader prompt install your Junos version:

Loader> install file:///junos-xxxxxx.tgz

Boot up, log in to the shell and mount the USB stick:

% ls /dev    
--->remove usb 
% ls /dev
--->what device is missing - now plugin usb again
% mkdir /tmp/usb
% mount -t msdos /dev/da1s1 /tmp/usb
% ls /tmp/usb

set root password:

% cli
> configure
# set system root plain-text-password
# commit

Load your config from usb:

# load override /tmp/usb/myconfig.conf
----> make any other necessary changes.
# commit

Check if both slices have junos version of choice:

> show system snapshot media internal

if not copy primary to backup

> request system snapshot slice alternate

Actually there is an autoinstall method I found. But haven't confirmed if you can add a rescue config to it as well. But yeah, what you suggested is good too but included an additional few steps.

I realized my problem was incompatible flash brand! :P

Yup flash brand is more important than you realize. I wish it wasn't. I have had a generic USB stick removal reboot an srx. Not Cool.. Let me know how you make out with the auto install sounds interesting...

I would only do this if I needed to simplify (or at least make simpler than other ways) my routing, e.g.:

  • I have multiple customers/environments and I do not want them to be able to route to each other.
  • I am trying to manipulate traffic flow so one routing instance prefers a different path to a subnet than another routing instance
  • If I run an HA pair I like to put a routing instance for all transit traffic and have fxp0 in the default instance
  • I am a poor student and I want to study routing protocols but can only afford 1 srx. We can make ospf, bgp, isis and other routing topologies and leverage the lt-0/0/0 interface.

So I need to renew my VMCA shortly as it will expire at the end of the month. It is an intermediate Sub CA of my Windows AD Enterprise CA. I noticed because I was unable to renew a few esxi servers that were also expiring at the end of the month.

So I started up the certificate-manager hoping to find a renew VMCA option, but this is what I was presented with:

# /usr/lib/vmware-vmca/bin/certificate-manager
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 6.0 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |                                                                     |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.

So I started by taking 2 snapshots of the vcsa. One with the vcsa powered on and the other with the vcsa powered off, just for good measure.

Looking at the above options #4 seems the most logical?

Anyone have some advice before I do anything(stupid)?


It shouldn’t trigger a failover. Replacing the ESXi certs should be nondisruptive for what it’s worth.

Glad you got it sorted, though.

Original Poster · 1 point · 2 months ago

I think the process caused the hypervisors to miss a heartbeat. Not sure why. So I was doing the renews consecutively pretty quickly, to members of the same cluster.

I used to script it and never had that problem. /shrug

Original Poster · 1 point · 2 months ago

/shrug don't know why then. It happened.

I am trying to create a module that uses an Office 365 PSSession. However I have issues sharing my PSSession with the module. I think I would have to set up a connection to the Office 365 PSSession through the module itself. Is there another way? Is there a better way?

I guess I could possibly not use a module. Either add these functions to my profile alternatively. But I like the idea of a module and was hoping to get this to work.

Appreciate any help

2 points · 2 months ago · edited 2 months ago

What are you trying to run from your module?

Where is your code example of what is failing for you?

Have you Dot-Sourced your module / imported your module to your local logon session for use in your normal session?

O365 will only run the Exchange cmdlets in E2K16 as that is what gets proxied to you when you do this connection.

If you are trying to do AAD stuff, then you need to also connect to AAD and have that module locally installed.

Start an O365 session: you are using your currently logged on user identity to the host you are on and then logging into an O365/AAD session using a specific O365/AAD session which is remote and not a login profile on your localhost.

Your personally installed modules and its functions / commands are / should be directly available to you in your local host logged on session, but anything you throw at O365/AAD must be using the O365/AAD cmdlets specifically. Not something that O365/AAD has no idea what it is.

Original Poster · 2 points · 2 months ago · edited 2 months ago

OK I think you misunderstood me. To be fair maybe I did not word clearly or It's hard to understand. Maybe not. Maybe there is a simple answer I am not seeing.

Imagine I have a module saved as AuditO365.PSM1 that uses the Office 365 command Search-UnifiedAuditLog:

function Search-UserAuditLog {
    param([Parameter(Mandatory)][string[]]$UserIds)

    # Search-UnifiedAuditLog only exists once the Office 365 PSSession has been imported.
    # (Piping Get-Command to Out-Null would make this test always false, so don't.)
    if (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue){
        # IPLIST.csv ships with the module and has an IPAddress column of known addresses
        $IPList=Import-Csv "$($MyInvocation.MyCommand.Module.ModuleBase)\IPLIST.csv"
        $UnifiedAuditLog=Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -UserIds $UserIds -ResultSize 5000 #-Operations PasswordLogonInitialAuthUsingPassword
        $AUDIT=$UnifiedAuditLog | %{$_.AuditData|ConvertFrom-Json}
        $Inspect=@()

        foreach ($rec in $AUDIT){
            # note: -match treats each IPAddress entry as a regex, not a literal address
            $found=$IPList|? {$rec.ClientIP -match $_.IPAddress}
            if (!$found){
                $geoip=Get-GeoIP $rec.ClientIP   # Get-GeoIP: helper defined elsewhere in the module
                $location="$($geoip.City) $($geoip.region_name) $($geoip.country_code)"

                $out=$rec
                $out| Add-Member -MemberType NoteProperty -Name Location -Value $location
                $out| Add-Member -MemberType NoteProperty -Name City -Value $geoip.City
                $out| Add-Member -MemberType NoteProperty -Name Region_Name -Value $geoip.region_name
                $out| Add-Member -MemberType NoteProperty -Name Country_Code -Value $geoip.country_code
                $recordtype=($UnifiedAuditLog| ? {$_.Identity -eq $rec.Id}).RecordType
                $out| Add-Member -MemberType NoteProperty -Name RecordTypeName -Value $recordtype
                $Inspect+=$out
            }
        }
        return $Inspect
    }else{ Write-Error "Please connect to Office 365 PSSession!"}
}

Export-ModuleMember Search-UserAuditLog

Now let's say that I load this module. Then I connect to office365 like so:

Import-Module AuditO365
$o365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $o365cred -Authentication Basic -AllowRedirection    
Import-PSSession $o365Session -AllowClobber -DisableNameChecking

ModuleType Version    Name                                ExportedCommands                                                                                                                                                      
---------- -------    ----                                ----------------                                                                                                                                                      
Script     1.0        tmp_bleepboop123.wut                {Add-AvailabilityAddressSpace, Add-DistributionGroupMember, Add-MailboxFolderPermission, Add-MailboxLocation...}   

I now have the ability to run Search-UnifiedAuditLog, Get-Mailbox or anything that is provided to me by the temporary module that gets installed when I create a PSSession to Office 365.

Here is my problem. My module AuditO365, which has been successfully loaded, is unable to access, use or run any of the commands provided by the pssession module: tmp_bleepboop123.wut. So instead it returns the Write-Error statement.

My question is how can I share my PSSession and all of its commands into my module so that my module can run the command Search-UnifiedAuditLog in this particular case.

I know I could establish a PSSession inside my module. I don't like that though. It's ugly. I know I could just save the code to my profile or a .ps1 file but I want to make a module so I can give/deploy it to other admins.


This is somewhat of a guess but I'd imagine you need to import the temporary module into your custom module. Without doing that your module has no knowledge of the commands from the temp module created by the session.

Alternatively, it looks like you could use the -Global parameter of Import-Module passing the Import-PSSession command to Import-Module to import the commands into the global session

Import-Module (Import-PSSession $o365Session) -Global
Original Poster · 1 point · 2 months ago

Thanks u/obsidianclock; the Import-Module (Import-PSSession $o365Session) -Global worked. I think coupled with the issue u/purplemonkeymad pointed to, that seems to have solved my issue!
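As an added example (my code, not the OP's AuditO365 module), here is a stand-alone PowerShell version of the same check that runs without an Office 365 session on constructed AuditData records. It compares ClientIP against the known-address list by exact address or CIDR rather than with -match, because -match treats each list entry as a regular expression, where a dot matches any character and the pattern need only be a substring, so an entry for 10.20.30.40 would also accept a sign-in from 110.20.30.40. The record fields, sample addresses and function names are assumptions for illustration.

```powershell
# Added example (not the OP's module): flag Office 365 sign-in records whose
# ClientIP is outside a list of known addresses. Runs without an O365 session;
# the JSON below is a constructed stand-in for Search-UnifiedAuditLog's AuditData.

function ConvertTo-IPv4Int {
    # Dotted-quad string -> integer, independent of host byte order.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: $Address" }
    [int64]$n = 0
    foreach ($b in $bytes) { $n = ($n * 256) + $b }
    return $n
}

function Test-IPInList {
    # Exact-address or CIDR comparison. Deliberately NOT -match: with -match the
    # list entries are regular expressions, '.' matches anything, and the entry
    # 10.20.30.40 also "matches" 110.20.30.40, hiding a sign-in it should flag.
    param([string]$IP, [string[]]$Known)
    foreach ($entry in $Known) {
        $network, $bits = $entry.Trim().Split('/')
        if (-not $bits) { if ($IP -eq $network) { return $true }; continue }
        $prefix = [int]$bits
        if ($prefix -lt 0 -or $prefix -gt 32) { continue }
        try { $ipInt = ConvertTo-IPv4Int $IP; $netInt = ConvertTo-IPv4Int $network } catch { continue }
        # mask has the top $prefix bits set; for /0 it is 0, so everything matches
        [int64]$mask = [math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix)
        if (($ipInt -band $mask) -eq ($netInt -band $mask)) { return $true }
    }
    return $false   # non-IPv4 values (e.g. IPv6) fall through here and get reported
}

function Find-UnknownSignIns {
    param([string[]]$AuditDataJson, [string[]]$KnownAddresses)
    $hits = @()
    foreach ($json in $AuditDataJson) {
        $rec = $json | ConvertFrom-Json
        if (-not $rec.ClientIP) { continue }
        # Some workloads append ":port" to ClientIP; keep only the IPv4 part.
        $ip = $rec.ClientIP
        if ($ip -match '^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$') { $ip = $Matches[1] }
        if (-not (Test-IPInList -IP $ip -Known $KnownAddresses)) {
            $hits += [pscustomobject]@{
                Time      = $rec.CreationTime
                UserId    = $rec.UserId
                Operation = $rec.Operation
                ClientIP  = $ip
                Result    = $rec.ResultStatus
            }
        }
    }
    return $hits
}

# Constructed sample input: three AuditData payloads and a known-address list.
$sampleAuditData = @(
    '{"CreationTime":"2018-05-01T08:12:33","UserId":"gilfoyle@piedpiper.example","Operation":"UserLoggedIn","ClientIP":"10.20.30.40","ResultStatus":"Succeeded"}',
    '{"CreationTime":"2018-05-01T09:01:10","UserId":"gilfoyle@piedpiper.example","Operation":"UserLoggedIn","ClientIP":"110.20.30.40","ResultStatus":"Succeeded"}',
    '{"CreationTime":"2018-05-01T23:40:02","UserId":"gilfoyle@piedpiper.example","Operation":"UserLoggedIn","ClientIP":"203.0.113.7:52100","ResultStatus":"Succeeded"}'
)
$knownAddresses = @('10.20.30.0/24', '198.51.100.5')

# Only the first record falls inside the known list; the other two are reported.
Find-UnknownSignIns -AuditDataJson $sampleAuditData -KnownAddresses $knownAddresses | Format-Table -AutoSize
```

Inside a module, swap the constructed array for `(Search-UnifiedAuditLog ...).AuditData` once the session has been imported with -Global as above; the list logic itself does not depend on the session.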

Well there is this

If you want to make your own this might be a helpful example.

2 points · 2 months ago · edited 2 months ago

Separate your AccountSkuId values with semicolons (;):


Bertram Gilfoyle,Bertram,Gilfoyle,,US,piedpiper:ENTERPRISEPACK;piedpiper:ATP_ENTERPRISE

Then run something like this:

$success=@();$failed=@();Import-Csv -Path "C:\My Documents\NewAccounts.csv" | ForEach-Object {New-MsolUser -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -UserPrincipalName $_.UserPrincipalName -UsageLocation $_.UsageLocation -LicenseAssignment ($_.AccountSkuId).Split(";") -ErrorAction SilentlyContinue; if (!$?){$failed+=$_}else{$success+=$_}}

Couple of things to note about what you posted. You need to use ForEach-Object or %.

foreach is used like this:

$users=import-csv c:\myfol\myfile.csv
foreach ($user in $users){
    # each CSV row is now $user; refer to its columns as $user.Attribute
}

You did $.Attribute in your foreach loop and it should be $_.Attribute.

I don't know if exporting your results to CSV would actually do anything because I am not sure if New-MsolUser actually returns an object. So instead I added if (!$?){} so that if it fails we add the user record to the $failed variable and if it succeeds we add it to the $success variable. You can Export-Csv those if you like.

Maybe start by pasting it in Powershell ISE script page. Step through your code.

Have not,

But I think separating both untrust interfaces into their own routing-instances is a good start.

Then maybe look at filter based forwarding all public IP traffic from your trust/private IP side out your 1000/1000.

You can still use single quotes you just have to wrap your variable in $()


New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery 'subject:$($subject)'
5 points · 5 months ago · edited 5 months ago

I think this won't work, as $($subject) will only work between "".

Generally you use $($var) because you can't get an object property in a string with double quotes. I will just show you in an example, it is easier:

$process=Get-Process notepad
$str1="1 - the process: $($process.Name) has ID: $($process.Id)"
write-host $str1
$str2= '2 - the process: ' + $process.Name + ' has ID: ' + $process.Id
write-host $str2

Try the following

$ContentMatchQuery1='subject:' + $subject
$ContentMatchQuery2="subject:$($subject)"   # subexpression form, needs double quotes
#verify strings look good
write-host $ContentMatchQuery1
write-host $ContentMatchQuery2
#3 different ways to skin this cat - I THINK - not confirmed
New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery $ContentMatchQuery1
New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery $ContentMatchQuery2
New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery "subject:$subject"

So the following way I believe would not work. This is because of the + operator:

New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery 'subject:' + $subject

But this might:

New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery $('subject:' + $subject)

This is probably confusing. PowerShell has many ways to manipulate strings and variables. But when you start mixing those different string and variable methods then things can break.

Anytime you replace a device and reuse the old device's IP address(es) you can run into ARP issues, since the adjacent devices will often continue to use their old, stale ARP entries for the new device, which won't work because the new device has a different MAC address. This is much more likely to be a problem "soon" after the device swap, since most devices will age out ARP entries after a while, but that often doesn't happen quickly enough to prevent connectivity problems during testing. For example, many Cisco devices have a 4 hour ARP timeout, which is quite a while, especially during a maintenance window. Clearing the ARP entries in the adjacent devices is usually sufficient, but sometimes it's easier to just reboot them.

1 point · 5 months ago · edited 5 months ago

Also push your MAC address out the connected ethernet switches with gratuitous arp:

set interfaces ge-0/0/x gratuitous-arp-reply

This will make the srx spew out it's own MAC address by asking for it's own IP address. The switches will see the traffic and learn. It's helped me on switches that I have no control over (usually ISP).

Original Poster · 1 point · 5 months ago

Very sorry for the confusion. I'm just looking for some help that's all.

I'm replacing my cisco ASA firewall with a Juniper SRX Firewall. Our ASA firewall is end of support in September. We were able to get a new firewall through e-rate. I had assistance from the company I purchased from on setting up the initial config on the SRX. When we cut over to the new firewall we weren't able to get out to the internet. The person that was helping me said there was something wrong with my network. And that's where my confusion lies. Nothing has changed as far as the network is concerned, so to me that makes me feel I'm missing something on my firewall config.


Be very careful not to have an asymmetric network. Your network diagram really is not that fleshed out.

SRXs do not like asymmetric networks and will drop the traffic (TCP) if they receive packets for which they detect asymmetry. UDP traffic generally works.

Learn how traffic is routed on your network. If there is asymmetry, clean it up/redesign. Because it is easier to do that than to work around the problem with NAT. Also more secure and elegant than turning off sequence checks and SYN checks for TCP.

Send traffic from your client to the internet, something you can narrow down (e.g. ping -t), then do:

> show security flow session source-prefix destination-prefix

Take note of the ingress interface displayed in the output, or whether it even sees the flow.

Then do:

> show route

Take note of the route and interface used.

If they are different then you have an asymmetric network.

But you still have not provided enough info:

  • traceroute or pathping
  • ipconfig of host showing subnet and default gw
  • the subnets that lie in between your client and the srx. Their subnets and masks.

Original Poster · 1 point · 5 months ago

Apparently it works now.... Not sure why! I did have to connect to Ge-0/0/1 in GNS3 for it to be Ge-0/0/0 in the vSRX. I'll adjust the settings appropriately.


Not sure why! I did have to connect to Ge-0/0/1 in GNS3 for it to be Ge-0/0/0 in the vSRX

Yeah I have heard of this. This is vSRX 17.x right? The interfaces do not get labelled correctly in GNS3.

David Bombal talks about that in his youtube video


I never got the GNS VM to work in my VM Workstation like my other VMs that I run.. the GNS VM always stated I need a VT supported chipset, which I do, or how else would I be running all my other VMs... perhaps a BIOS update but screw all that.

My laptop still has the old school GNS3 that can run everything I need to test layer 3 stuff out, plus when I want to lab up layer 2 or layer 3 switches with trunks I use Packet Tracer.


Don't know what you have tried. But you may need to enable it in your BIOS.

VT technology is enabled, it's the reason I bought this mobo and CPU so that I can run virtualization, I have about 10 VMs that I currently run with VM Workstation.. oh, I also went the simple route with just using VM Player just like the GNS documentation states, but at this point I don't want to attempt a BIOS update for the Intel CPU and have the whole rig go south for one VM.

1 point · 5 months ago · edited 5 months ago

The only thing I can think of, but you may have done already, is to enable the VT-X check box on the GNS3 VM's properties:

Anyway maybe you have tried this. Otherwise take a look.

Yeah, that's nonsense.

Look, TA has an impact on price if at least for the very reason that a portion of investors use TA to make their decisions.

And I'm not even a TA guy. I'm 95% FA, 5% TA. But goddamn are people quick to shoot down what they don't understand.


I am just picking this up... Not a FIN guy...

TA= Technical Analysis

So I figured FA = Feelings analysis??? but no FA = Fundamental Analysis.

I guess Feelings Analysis should really be Qualitative Analysis and when describing the crypto the word "holistic" should be used vigorously... Else its QA would be really really bad...

e.g. Ripple is a holistic solution for cross border payments, running on Google-juice, that empowers financial institutions to do stuff.

There better not be a Quantitative Analysis. I already claimed QA. They will have to just take QAA or something...

TIL: I guess I am a FA guy.

I'll just be leaving now...

Original Poster · 1 point · 5 months ago

This looks more like a router than a switch, is that correct?


SRX S=Security R=Routing X=Switching

JE gets you registered so you can download App-ID etc. You won't be able to do a

> request services application-identification download 

You should have received an email from your vendor with a code/serial and instructions on how to register if you have JE. Once that is done you can download App-ID. As well, you can pay for IDP/AV/UTM features. This is an added cost but as I understand requires the JE feature/hardware.

Try something like this?

gr-0/0/0 {
    unit 0 {
        tunnel {
            routing-instance {
                destination r1;
            }
        }
        family inet {
            mtu 1400;
        }
    }
}

I do this on my srx.. Not sure about EX

Does it work fine on the console? Is it still switching after 20 seconds?

You are just having management cli issues?

If you can find the old Juniper JNCIS-SEC study guides, they are a good starting point.

I have resorted to using the vsrx-12.1X47-D20.7. If your purpose is simple enough I would recommend this. The differences are not that great.

I believe the vSRX for 15.x requires lots of RAM and CPU (4GB, 2 vCPU, but check it out, I could be wrong). Make sure you give it enough when it's in a nested config. Even after that it was very unbearable to run (for me).

If you get it working though I'd love to hear about it!

Just had a co-worker say something so stupid he'll have to put it on his tombstone...."Test it live"


considering that we were stuck at .18 to .40 cents for the past year... well this is not bad. Until XRP starts moving trillions of dollars a day... Then maybe we can have something to talk about...

For now Ripple will keep doing what they are doing. In the mean time hodl...

I've not looked at the Junos Genius prep for JNCIA since the app was refreshed a few months ago, but when I used it last year to prep it was only beneficial for 20-25% of the test tops. Knowing how to subnet, basics of routing and hands on experience configuring EX series were of greater benefit.


I would add that policy-statements are another thing you should brush up on. There were a lot of questions with sample policies where you had to determine which routes would be accepted into the routing table.
Understanding the logic, match criteria, route filters etc...

Chapter five of the O'Reilly Junos Enterprise Routing book was good. Look at page 152: CTRL-F Longest match wins, but may not….

If you understand that example and don't get tripped up then you should be good going into the exam. At least for that topic.

