(TIL) Today I Learned...

SimonV · September 11, 2015, 02:30:54 PM

How did you end up fixing it?

deanwebb · September 11, 2015, 03:01:36 PM

Since the Cisco default is to have a proxy ID for the range being matched for interesting traffic and the Juniper side had been set up with host-by-host proxy IDs, I put a range proxy ID on the Juniper and it all worked just fine.

Nerm · September 11, 2015, 03:26:52 PM

TIL what dean just posted lol.

Reggle · September 11, 2015, 03:50:10 PM

Quote from: deanwebb on September 11, 2015, 01:59:56 PM
TIL that Juniper and Cisco VPNs define proxy-ids differently.

TI also L that, among other things, proxy-ids have to match for a VPN to work.

They work differently for practically every vendor. Very annoying.

SimonV · September 11, 2015, 04:56:42 PM

Quote from: deanwebb on September 11, 2015, 03:01:36 PM
Since the Cisco default is to have a proxy ID for the range being matched for interesting traffic and the Juniper side had been set up with host-by-host proxy IDs, I put a range proxy ID on the Juniper and it all worked just fine.

It depends on the number of subnets you need to cover, but for SRX to ASA/CheckPoint/whatever I tend to go with policy-based by default and manually specify the proxy ID as configured in the security policy. If it's a simple one with just one subnet on each end, a route based usually works fine though, but I still put in manual ProxyIDS

However, SRX to SRX sets it to 0.0.0.0/0 which is odd again.

Code Select

root@Branch-vSRX-01> show security ipsec security-associations index 131074 | match Ident
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

When an IPsec request comes in and it's a different vendor:

Otanx · September 18, 2015, 04:46:40 PM

TIL... NX-OS does not have a reload in or reload at command. Don't f-up your config.

-Otanx

NetworkGroover · September 18, 2015, 05:22:03 PM

Quote from: Otanx on September 18, 2015, 04:46:40 PM
TIL... NX-OS does not have a reload in or reload at command. Don't f-up your config.

-Otanx

Wow really? This made me go look in a certain vendor config guide to verify it was there

SimonV · September 25, 2015, 09:37:26 AM

Easter egg on Junos

Quotesomeuser@somebox> show version and haiku
Hostname: somebox
Model: srx210he
JUNOS Software Release [12.1R4.7]

New router: 'Type-R.'
Chrome faceplate and neon lights!
Needs a big bat wing.

{primary:node0}
someuser@somebox> show version and haiku
Hostname: somebox
Model: srx210he
JUNOS Software Release [12.1R4.7]

IS-IS screams,
BGP peers are flapping:
I want my mommy!

{primary:node0}
someuser@somebox> show version and haiku
Hostname: somebox
Model: srx210he
JUNOS Software Release [12.1R4.7]

Blessed are the meek:
They shall inherit the earth.
Can I have the moon?

{primary:node0}
someuser@somebox> show version and haiku
Hostname: somebox
Model: srx210he
JUNOS Software Release [12.1R4.7]

Glorious morning
Well beyond what I deserve
Stretch myself and grow

{primary:node0}
someuser@somebox> show version and haiku
Hostname: somebox
Model: srx210he
JUNOS Software Release [12.1R4.7]

Holiday spirit
Christmas comes but once a year
Keep it shining bright

{primary:node0}
someuser@somebox> show version and haiku
Hostname: somebox
Model: srx210he
JUNOS Software Release [12.1R4.7]

Weeks of studying,
Days of lab exercises:
JNCIE.

{primary:node0}
someuser@somebox> show version and haiku
Hostname: somebox
Model: srx210he
JUNOS Software Release [12.1R4.7]

Juniper babies
The next generation starts
Gotta get more sleep

{primary:node0}
someuser@somebox> show version and haiku
Hostname: somebox
Model: srx210he
JUNOS Software Release [12.1R4.7]

An ache you can taste
Be sore as heck tomorrow
One more shot on goal

{primary:node0}
someuser@somebox> show version and haiku
Hostname: somebox
Model: srx210he
JUNOS Software Release [12.1R4.7]

Not just the blue sky
Nor the mountains, nor the sea
Lucky live N.C.

that1guy15 · September 25, 2015, 10:06:56 AM

Awesome!

The next time I get access to a Juniper box Im doing this!!

SimonV · September 25, 2015, 10:18:10 AM

Three more

Quote
My session is dead:
Forgot to commit confirm.
Where are my car keys?

TTL down one
the end nearer with each hop
little packet, poof.

'show version and blame'
Gave away too many names
Now you get haiku

deanwebb · September 25, 2015, 10:25:19 AM

Love the haikus.

TIL that WMI error 0x80041003 is a show-stopper for CounterACT NAC only if we don't deploy the client.

And we're deploying the client.

deanwebb · December 03, 2015, 04:38:27 PM

TIL that for an FTP operation to be successful, the FTP server needs to be running the FTP service.

Thing is, I'd been going around and around with a backup operator for the last few months on getting this backup job set up, but my device would never connect to the FTP server, at all.

And then the different guy I get from the backup group today to help out says, "Hmm... none of those servers you were working with are running FTP."

And then I was all like...

He got me an IP address of an actual FTP server and everything went like a champ.

NetworkGroover · December 03, 2015, 04:41:45 PM

Quote from: deanwebb on December 03, 2015, 04:38:27 PM
TIL that for an FTP operation to be successful, the FTP server needs to be running the FTP service.

Thing is, I'd been going around and around with a backup operator for the last few months on getting this backup job set up, but my device would never connect to the FTP server, at all.

And then the different guy I get from the backup group today to help out says, "Hmm... none of those servers you were working with are running FTP."

And then I was all like...

He got me an IP address of an actual FTP server and everything went like a champ.

Wow....

Nerm · December 04, 2015, 07:29:31 AM

calaesha · February 10, 2016, 08:57:57 AM

TIL the OP has left the building.

(TIL) Today I Learned...

calaesha