Failing to configure Junos on an SRX-240H

I’ve spent a large amount of time trying to configure a Juniper SRX-240H security appliance with no luck. For some reason a simple config change just won’t work.

Right now I’ve stopped looking at it & will come back to it later, but I’m writing this just in case someone else knows what’s causing it to fail.

If I reset it to the default configuration it comes up with the default network of 192.168.1.0/24 which indicates it’s working fine. I can test it by connecting a Raspberry Pi 400 to port ge-0/0/1 and it gets an IP (192.168.1.2) & I can connect to the web UI of the router (192.168.1.1).

However, I can’t use that IP range as it’s already in use here so I needed to reconfigure it to something more useful – for me 192.168.93.0/24.

Now this should have been a simple case of changing the IPs from 192.168.1 to 192.168.93 but when that is done none of the ports respond – the Pi just gets the usual 169.254 address as it’s not getting a DHCP response.

On the router I can see its MAC address being detected on the port so it’s trying, just not getting any response. If I reset the configuration back to what it was via the CLI it still doesn’t work… odd.

Right now the only way to get it back to working again is to reset the device back to the factory defaults – even if the configuration is byte-for-byte identical.

I’ve even tried resetting it back to factory defaults, exporting the config to a USB stick, editing the config locally & copying it back via USB to no avail. Once the changes are made I can only access it over the console serial port.

So, for now I’m putting this project back onto the back burner until I can find out what is going on, but in case someone can spot it, here’s the config I’m trying to use (with the password commented out for obvious reasons):

The changes made from factory defaults are:

  • Change 192.168.1.1 to 192.168.93.1
  • Change 192.168.1.1/24 to 192.168.93.1/24
  • Change the DHCP address range from 192.168.1.2 – 192.168.1.254 to 192.168.93.100 – 192.168.93.254
  • host-name, domain-name & root-authentication are set but those get preserved during the factory reset & don’t affect the issue

## Last changed: 2021-03-14 11:14:49 UTC
version 11.2R4.3;
system {
    host-name router;
    domain-name example.com;
    root-authentication {
        encrypted-password "encrypted-password"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.93.1;
            }
            pool 192.168.93.0/24 {
                address-range low 192.168.93.100 high 192.168.93.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
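
An added example, not the author's code: a small Python check that the DHCP router and pool in a Junos brace-style config sit on the same subnet as the vlan.0 address. In the listing above the DHCP statements use 192.168.93.x while vlan unit 0 reads 192.168.1.1/24. The function names and the reduced sample are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the DHCP and vlan.0 statements from the listing above,
# reduced to the lines that matter, with the address values as they appear there.
SAMPLE = """
system { services { dhcp {
    router { 192.168.93.1; }
    pool 192.168.93.0/24 { address-range low 192.168.93.100 high 192.168.93.254; }
} } }
interfaces { vlan { unit 0 { family inet { address 192.168.1.1/24; } } } }
"""

def leaves(text):
    """Yield (path, statement) for each leaf statement of a brace-style config."""
    stack, words = [], []
    text = re.sub(r"##[^\n]*", "", text)        # drop '## ...' annotations
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(" ".join(words))       # words so far name the block
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            yield " ".join(stack), " ".join(words)
            words = []
        else:
            words.append(tok)

def check_dhcp(text, l3="interfaces vlan unit 0 family inet"):
    """List mismatches between the DHCP server settings and the L3 interface."""
    items = list(leaves(text))
    addrs = [s.split()[1] for p, s in items if p == l3 and s.startswith("address ")]
    if not addrs:
        return [f"no address configured under {l3}"]
    iface, problems = ipaddress.ip_interface(addrs[0]), []
    for path, stmt in items:
        if path == "system services dhcp router" and ipaddress.ip_address(stmt) != iface.ip:
            problems.append(f"router {stmt} != interface address {iface.ip}")
        elif path.startswith("system services dhcp pool ") and stmt.startswith("address-range "):
            pool = ipaddress.ip_network(path.split()[-1])
            if pool != iface.network:
                problems.append(f"pool {pool} != interface network {iface.network}")
            for ip in stmt.split()[2::2]:       # the values after 'low' and 'high'
                if ipaddress.ip_address(ip) not in iface.network:
                    problems.append(f"range address {ip} outside {iface.network}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_dhcp(SAMPLE)) or "DHCP settings match vlan.0")
```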

Author: petermount1

Prolific Open Source developer who also works in the online gaming industry during the day. Develops in Java, Go, Python & any other language as necessary. Still develops on retro machines like BBC Micro & Amiga A1200

2 thoughts on “Failing to configure Junos on an SRX-240H”

  1. It’s been a while, but I remember something about rescue config. Pressing the reset button for less than 15 seconds loads a rescue configuration. You have to hold it for 15 seconds until the status light turns red. Press and release will also turn the status light red.
