exec nsrp vsd-group <group ID> mode master

Notes:

  • Performed on the standby/backup firewall

[ # ]

exec licese-key <key>
get license

Notes:

  • Refers to what follows "advanced=", no spaces or line breaks

[ # ]

get sys  !! Uptime
get perf session  !! Connection Count
get perf cpu detail
get perf cpu all detail  !! * means above threshold
get event level critical  !! View failovers or other critical evens
get counter statistics  !! CRC errors, etc

[ # ]

unset nsm enable
set nsm enable

[ # ]

!! Configure the Zone, Tunnel Interface, and Route
set zone "VPN" tcp-rst 
set zone "VPN" screen syn-flood queue-size 1024

set interface "tunnel.<#>" zone "VPN"
set interface tunnel.<#> ip unnumbered interface <External-Interface>

set route <Pool-Network>/<CIDR> interface tunnel.<#>

!! Configuring ACE/RSA Settings
set auth-server "<Ace-Name>" server-name "<Primary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" backup1 "<Secondary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" account-type xauth 
set auth-server "<Ace-Name>" timeout 0
set auth-server "<Ace-Name>" forced-timeout 2
set auth-server "<Ace-Name>" radius secret "<Ace-Password>" 

!! Configure the pool
set ippool "<VPN-Pool-Name>" <Pool-Start-IP> <Pool-End-IP>

!! Configuring User VPN Defaults
set xauth default ippool "<VPN-Pool-Name>"
set xauth default dns1 <Primary-DNS-Server>
set xauth default dns2 <Secondary-DNS-Server>
set xauth default wins1 <Primary-WINS-Server>
set xauth default wins2 <Secondary-WINS-Server>
set xauth default auth server "<Ace-Name>"

!! Configuring the Users And VPNs
set user "<username>" ike-id fqdn "<username>" share-limit 1            !! Share-limit for each user MUST be 1 if more than 1 user will be added to the group
set user "<username>" type ike xauth
unset user "<username>" type auth
set user "<username>" "enable"
set user-group "<Group-Name>" user "<username>"

set ike gateway "<Gateway-Name>" dialup "<User-Group>" Aggr outgoing-interface "<External-Interface>" preshare "<PSK>" proposal "pre-g2-3des-sha"
set ike gateway "<Gateway-Name>" nat-traversal udp-checksum
set ike gateway "<Gateway-Name>" nat-traversal keepalive-frequency 5
set ike gateway "<Gateway-Name>" xauth server "<Ace-Name>"

set vpn "<VPN-Name>" gateway "<Gateway-Name>" no-replay tunnel idletime 10 proposal "nopfs-esp-3des-sha" 
set vpn "<VPN-Name>" bind interface tunnel.<#>

!! Configure the policies to use Accept - Example Below
set address "VPN" "VPN-Pool" 10.100.100.0 255.255.255.0
set policy from "VPN" to "Trust" "VPN-Pool" "Any" "Any" Permit log

Notes:

  • This configuration would tunnel ALL traffic and not split-tunnel. Split tunneling will require multiple VPNs with proxy-ids

Documentation

[ # ]

set routing-options static route <ip/cidr> next-hop <gw>

[ # ]

get vpn
get ike cookies
get sa active
get event include vpn

SRC    DEST    PROXY ID (SRC/DEST)
Group  Group   0.0.0.0/0.0.0.0 > 0.0.0.0/0.0.0.0
Group  Subnet  0.0.0.0/0.0.0.0 > Subnet
Subnet Subnet  Subnet > Subnet

Notes:

  • Use subnets instead of groups to solve issues with proxy id / encryption domains. 1 rule per subnet pair

[ # ]

save software fom tftp <ip> <filename> to flash

[ # ]

set interface <interface> monitor track-ip ip
set interface <interface> monitor track-ip threshold 255
set interface <interface> monitor track-ip ip <IP-to-monitor> threshold 10
set interface <interface> monitor track-ip ip <IP-to-monitor> weight 255

Notes:

  • Interface will be brought down after 10 failed pings

[ # ]

Please note that this describes the process to upgrade an HA pair at JunOS code pre-11. Newer versions of the JunOS code allow for upgrading without corrupting the policy of the peer devices.

!! Note: interface names are the physical and not logical names
!! The following assumes node0 is master and node1 is backup
01.) download package to /var/tmp on both devices
02.) Disable node1\'s interfaces by running the following on node0. Commit will replicate to node1
  set interfaces ge-8/0/0 disable        [-- Should be node1's interfaces, NOT node0's
  set interfaces ge-8/0/1 disable
  set interfaces ge-8/0/2 disable
  set interfaces ge-8/0/3 disable
  set interfaces ge-8/0/4 disable
  set interfaces ge-8/0/5 disable
  set interfaces ge-8/0/6 disable
  set interfaces ge-8/0/7 disable
  set interfaces ge-8/0/8 disable
03.) Disable requiring three way handshake for session on node 0 (primary)
  set security flow tcp-session no-syn-check
  set security flow tcp-session no-sequence-check
04.) Save on node 0 (primary)
  commit
05.) Disconnect the fiber link (fab# interfaces) and the control interface cables
06.) Commit on both devices
07.) Upgrade node 1 (Backup)
  request system software add /var/tmp/junos-srx1k3k-10.4R3.4-domestic.tgz no-validate no-copy
  request system reboot
08.) Perform the following on node 1 (currently backup and now newly upgraded) to verify
  show version
  show chassis cluster status
  show chassis fpc pic-status
09.) After running "show chassis fpc pic-status," wait for the slots to come online, not Present before going to step 10
10.) Node 0 then Node 1, perform ALL the following commands
  delete interfaces ge-8/0/0 disable
  delete interfaces ge-8/0/1 disable
  delete interfaces ge-8/0/2 disable
  delete interfaces ge-8/0/3 disable
  delete interfaces ge-8/0/4 disable
  delete interfaces ge-8/0/5 disable
  delete interfaces ge-8/0/6 disable
  delete interfaces ge-8/0/7 disable
  delete interfaces ge-8/0/8 disable
  set interfaces ge-0/0/0 disable
  set interfaces ge-0/0/1 disable
  set interfaces ge-0/0/2 disable
  set interfaces ge-0/0/3 disable
  set interfaces ge-0/0/4 disable
  set interfaces ge-0/0/5 disable
  set interfaces ge-0/0/6 disable
  set interfaces ge-0/0/7 disable
  set interfaces ge-0/0/8 disable
11.) Save on both devices at same time  !! IMPORTANT TO BE DONE AT THE SAME TIME !!
  commit
12.) Verify that node1 has correctly taken over as master (if input increasing on monitor command, it has taken over)
  show security flow session summary
  run monitor interface traffic
13.) On node 0:
  request system software add /var/tmp/junos-srx1k3k-10.4R3.4-domestic.tgz no-validate no-copy
  request system reboot
14.) On node 0, after upgrade:
  show version
  show chassis cluster status
  show chassis fpc pic-status
15.) Wait for all interfaces to come "online" after "show chassis fpc pic-status" command
16.) Node 1 then Node 0 (this will failover so node0 is now master again)
  delete interfaces ge-0/0/0 disable
  delete interfaces ge-0/0/1 disable
  delete interfaces ge-0/0/2 disable
  delete interfaces ge-0/0/3 disable
  delete interfaces ge-0/0/4 disable
  delete interfaces ge-0/0/5 disable
  delete interfaces ge-0/0/6 disable
  delete interfaces ge-0/0/7 disable
  delete interfaces ge-0/0/8 disable
  set interfaces ge-8/0/0 disable
  set interfaces ge-8/0/1 disable
  set interfaces ge-8/0/2 disable
  set interfaces ge-8/0/3 disable
  set interfaces ge-8/0/4 disable
  set interfaces ge-8/0/5 disable
  set interfaces ge-8/0/6 disable
  set interfaces ge-8/0/7 disable
  set interfaces ge-8/0/8 disable
17.) Save on both devices at same time
  committ
18.) Reconnect control plane cable
19.) Veryify node0 is primary
  run show chassis cluster status
20.) Reboot Node1 and connect fab# interface cables between nodes while device is rebooting
21.) Verify node0 is still passing traffic
  run monitor interface traffic
22.) Wait for all interfaces to come "online"
  show chassis fpc pic-status
23.) Verify group 2 failover shows priority
24.) Re-enable interfaces on node1 and check for proper tcp sequence checks (run on node0, commit will replicate to node1)
  delete interfaces ge-8/0/0 disable
  delete interfaces ge-8/0/1 disable
  delete interfaces ge-8/0/2 disable
  delete interfaces ge-8/0/3 disable
  delete interfaces ge-8/0/4 disable
  delete interfaces ge-8/0/5 disable
  delete interfaces ge-8/0/6 disable
  delete interfaces ge-8/0/7 disable
  delete interfaces ge-8/0/8 disable

  delete security flow tcp-session no-syn-check
  delete security flow tcp-session no-sequence-check
25.) commit
26.) Verify failover group (group 0 and 1 should show primary or secondary and priorities)
  run show chassis cluster status
    26.a) If group 2 is not showing with priorities and status on node1 is "disabled", another reboot may be necessary. This is related to the fab# interfaces
    26.b) When node1 comes back online, verify fab interfaces are showing up and give a minute or 2 for "show chassis cluster status" to show priorities and status
    26.c) May take time due to sessions being synchronized
27.) Run on node0 to download and install IDP updates if needed. Status is for verifying progress of download or install
  run request security idp security-package download full-update
  run request security idp security-package download status

  run request security idp security-package install
  run request security idp security-package install status
28.) Verify versions match on both nodes and verify they are up to date
  run show security idp security-package-versionrun show
  run request security idp security-package download check-server
    28.a) Failover may be required to download IDP if no internet access on node0 (Per Juniper) or versions do not match

Notes:

  • If the firewalls can communicate during upgrade, the policies may become corrupted

[ # ]