Michael McNamara

technology, networking, virtualization and IP telephony

DHCP/BOOTP Relay with Juniper SRX Gateways

by

I’ve recently started deploying the Juniper SRX series gateways, placing an SRX 210 at branch office locations with an SRX 650 at the main office locations. We utilize a central DHCP/DNS/IPAM solution so we prefer to relay all DHCP/BOOTP requests to one of our centralized DHCP/DNS servers as opposed to utilizing the DHCP server functionality built into the SRX itself.

I had to spend more than a few minutes trying to get the DHCP relay working on the SRX 210. The configuration was pretty straight forward, the trick in the end was the “vpn” statement (see below) that allows the DHCP/BOOTP packets to be relayed across a VPN tunnel. Please note that the DHCP server at 10.1.1.1 is accessible via the VPN tunnel.

forwarding-options {
 helpers {
  bootp {
   relay-agent-option;
   description "Branch DHCP Relay";
   server 10.1.1.1;
   maximum-hop-count 10;
   minimum-wait-time 1;
   vpn;
   interface {
    vlan.0;
   }
  }
 }
}

The next big step will be deploying OSPF between all the SRX gateways.

Cheers!

Juniper SRX JUNOS Software Upgrade 10.1R1.8

by

Juniper SRX650 ImageWe recently purchased two Juniper SRX 650s to replace our aging Nortel VPN Routers (formerly Contivity Extranet Switches). We finally have both gateways/routers/firewalls racked and connected to the network and we started working our way through the JUNOS configuration and command line interface. The SRX650 we received from our reseller came with 10.0R8 so we decided to upgrade them to 10.1R1.8 based on some feedback we had received from Juniper concerning the slow response from the Web GUI while evaluating the SRX platform a few months ago.

You can find the release notes for JUNOS 10.1 on the Juniper website.

We started by placing the software (junos-srxsme-10.1R1.8-domestic.tgz) on an internal web server (10.1.20.1).

The upgrade itself took at least 5 minutes and the reboot took at least another 5 minutes, you definitely need to be patient when upgrading the SRX. It took a really long time compared to anything else I’ve upgraded in the past.

root> request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot
/var/tmp/incoming-package.1145                        1500 kB 1500 kBps
Package contains junos-10.1R1.8.tgz ; renaming ...
NOTICE: Validating configuration against junos-10.1R1.8.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 631.0MB (1292236 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 157.75MB, 10096 blks, 20224 inodes.
super-block backups (for fsck -b #) at:
32, 323104, 646176, 969248
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 317928 free (24 frags, 39738 blocks, 0.0% fragmentation)
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0
Using junos-10.1R1.8-domestic from /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic
Copying package ...
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/etc/voip/musiconhold.conf: No such file or directory
Verified manifest signed by PackageProduction_10_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 84,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR IDL IDR Decode Error -1(Garbled Message)
Link Layer Discovery Protocol: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic' ...
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
JUNOS 10.1R1.8 will become active at next reboot
Saving package file in /var/sw/pkg/junos-10.1R1.8 ...
cp: /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic is a directory (not copied).
Saving state for rollback ...
Rebooting ...
shutdown: [pid 1888]
Shutdown NOW!

*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY

I hope to post some additional information as we move forward with the Juniper SRX platform.

Cheers!

Nortel VPN Client Release 10.04.016 for Windows 7

by

Nortel has released version 10.04.016 of their VPN client that now supports both 32-bit and 64-bit versions of Windows 7. This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  • Windows 7: Home Basic, Home Premium, Professional, Enterprise and Ultimate
  • Vista: Home Basic, Home Premium, Business, Enterprise, and Ultimate
  • XP: Home, Professional, and Tablet

There are quite a few resolved bugs in this release and quite a few known issues. I would advise everyone to read the release notes thoroughly before spending too much time troubleshooting.

You can find the actual NVC (Nortel VPN Client) on the Nortel/Avaya website and the release notes here.

Cheers!

Updated September 2, 2010
It would seem that this is a very popular post given the number of people searching for information regarding the Nortel VPN Client (NVC) and Microsoft Windows 7. I’ve uploaded the complete documentation archive containing the installation instructions and troubleshooting instructions. In addition if you are looking for the new NVC you can download it directly from Nortel here. While the client software isn’t “licensed” it is restricted by US export laws because of it’s 128-bit (and greater) encryption capabilities.
Updated Friday December 17, 2010

I’ve added links to the 32-bit and 64-bit clients in the comments below.

Updated Sunday April 10, 2011

I can no longer host the Avaya VPN client software do to the enormous bandwidth utilization on my host. In addition there are just too many people abusing my gesture. I had a single IP address from China download the client software so many times that it consumed 10GB of bandwidth.

Updated Saturday May 7, 2011

Avaya has released v10.04.109 of their VPN client software which is available in this post.

Juniper Secure Access SSL VPN Software 6.5R2 is a winner

by

Juniper Networks logoIf you’ve been following this blog you’ll know that we’ve had quite a few issues with our Juniper Secure Access SSL VPN appliances over the past two years.  Juniper was very slow to add WSAM support for Windows Vista 64-bit and by the time they started supporting Windows Vista, Windows 7 was released by Microsoft.

You might recall that I wrote about software release 6.5R2 back in December 2009, detailing our troubles with the 6.5R1 software release and our hope that Juniper could save the day.

Thankfully I’m hear to tell that software release 6.5R2 for the Juniper Secure Access SSL VPN appliances appears to be a winner!

About six days ago I upgraded a pair of SA4000s running 6.5R1 to 6.5R2. The primary goal was to resolve the compatibility issues that were introduced in 6.5R1 and finally provide support for both Windows Vista 64-bit and Windows 7 64-bit. The actually upgrade of the appliances was pretty straight forward and the initial testing didn’t reveal any issues. Unfortunately there’s no amount of testing can always predict how things will go when working with home personal computers and the myriad of software available. We waited nervously for the first few days… thankfully the calls never came. While we had one or two users that needed some hand holding during the software upgrade/installation process, the majority of our 800+ users didn’t seem to have any issues whatsoever.

Let me congratulate Juniper Networks on a job well done!

I’ve created discussion forum for anyone that would like to discuss the Juniper Secure Access SSL VPN appliances. If you have a question or would like to make a comment why not join the discussion?

Cheers!

Juniper SSL VPN Secure Access 6.5R2 Available – Windows 7

by

Juniper has released a new version of software for their SSL VPN (Secure Access) appliances. The new release, 6.5R2, hopefully corrects all the issues and heartache that 6.5R1 brought to Juniper’s customers. I won’t rehash the issues that we discovered in 6.5R1, if you haven’t heard about them you can go read the earlier posts on the subject;

I will be testing 6.5R2 on a spare SA4000 appliance (waiting for an evaluation license key from Juniper) and will share my results with everyone here.

You can find the release notes for 6.5R2 here.

Windows 7

When will Juniper Network’s SSL VPN (SA platform/IVE OS) support Microsoft’s Windows 7 OS as a supported client platform? You can refer to Juniper knowledge base article, KB13195.

Juniper states that “Microsoft Windows 7 is qualified” (not supported) on 6.5R2 and there should be no major issues aside from the know caveats/issues.

Known Issues/Caveats:

* All client components:

  1. 1. Unable to install (or) launch client component using IE8 (64 bit). This is expected as IE8 (64 bit) browser is not supported. Please use IE8 (32 bit) to avoid this issue. (470316)

* EndPoint Integrity:

  1. When using IE 8 on 64-bit Windows 7 the reason string is not available when a patch assessment policy fails. (485421)

* Secure Virtual Workspace (SVW):

  1. When opening a file with Windows Photo Viewer inside SVW, the file is shown on the real desktop rather than inside the SVW session. (447409)
  2. On Windows 7, saving a MS Office 2003 file inside SVW fails. (486104)
  3. On Windows 7, Control Panel is accessible inside SVW even if it is disabled under application to allow list. (486104)

* WSAM:

  1. If Kaspersky Anti-Virus Version 2009 (8.0.0.506) is installed on a Windows 7 (OR) Windows Vista computer, WSAM will not be able to intercept and secure traffic. This issue is not seen with older versions of Kaspersky Anti-Virus (434715).

Cheers!

Update: January 6, 2009

I should point out that I’ve discovered that JSAM will not launch properly with Windows 7 (64-bit) when running 6.5R1 software. I initially thought it might have something to-do with the 32-bit/64-bit versions of Internet Explorer or the 32-bit/64-bit versions of the Java Runtime Environment. I tested the same machine today with 6.5R2 and it worked fine using the 32-bit version of Internet Explorer. I didn’t try the 64-bit version of Internet Explorer. So it would appear the problem is resolved in 6.5R2 software, please see the forums for additional details.

Recent Posts

Categories

SUBSCRIBE BY EMAIL