PrepAway - Latest Free Exam Questions & Answers

Author: seenagape

What is causing this problem?

[edit]
user@SRX-1# show security ike traceoptions
file ike-trace;
flag all;

[edit]
user@SRX-1# show security ipsec traceoptions
flag all;

user@SRX-1> show log ike-trace
…
Jun 13 17:00:33 :500 (Responder) -> 192.168.1.11:500 { 15276b72 6656c3b6 - 4ea713e7 d2487276 [1] / 0x9828a32e } QM; Invalid protocol_id = 0
Jun 13 17:00:34 Received authenticated notification payload unknown from local:192.168.1.10 remote:192.168.1.11 IKEv1 for P1 SA 3075335
Jun 13 17:00:34 iked_pm_ike_spd_notify_received: Negotiation is already failed. Reason: TS unacceptable.
Jun 13 17:00:34 QM notification `(null)' (40001) (size 8 bytes) from 192.168.1.11 for protocol Reserved spi[0...3]=0f f0 ce d3
Jun 13 17:00:34 ike_st_i_private: Start
Jun 13 17:00:34 ike_st_o_qm_hash_2: Start
Jun 13 17:00:34 ike_st_o_qm_sa_values: Start
Jun 13 17:00:34 :500 (Responder) -> 192.168.1.11:500 { 15276b72 6656c3b6 - 4ea713e7 d2487276 [1] / 0x9828a32e } QM; Error = No proposal chosen (14)
Jun 13 17:00:34 ike_alloc_negotiation: Start, SA = { 15276b72 6656c3b6 - 4ea713e7 d2487276}
Jun 13 17:00:34 ike_encode_packet: Start, SA = { 0x15276b72 6656c3b6 - 4ea713e7 d2487276 } / 65407839, nego = 2
Jun 13 17:00:34 ike_send_packet: Start, send SA = { 15276b72 6656c3b6 - 4ea713e7 d2487276}, nego = 2, dst = 192.168.1.11:500, routing table id = 0
Jun 13 17:00:34 ike_delete_negotiation: Start, SA = { 15276b72 6656c3b6 - 4ea713e7 d2487276}, nego = 2
Jun 13 17:00:34 ike_free_negotiation_info: Start, nego = 2
Jun 13 17:00:34 ike_free_negotiation: Start, nego = 2
Jun 13 17:00:34 IPSec negotiation failed for SA-CFG Unknown for local:192.168.1.10, remote:192.168.1.11 IKEv1. status: TS unacceptable
Jun 13 17:00:34 P2 ed info: flags 0x0, P2 error: TS unacceptable
Jun 13 17:00:34 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 3075335

The IPsec tunnel is not establishing between SRX-1 and a remote device. Referring to the exhibit, what is causing this problem?

Which modification is needed under [edit security gateway Partner]?

Click the Exhibit button. You have created a new VPN tunnel to your partner’s site but IKE
Phase 1 is not coming up. You check the trace log and find the following log message: Jun
[IKED 2] iked_pm_id_validate id NOT matched. Considering the topology and the SRX
Series device’s configuration shown in the exhibit, which modification is needed under [edit
security gateway Partner]?

What is causing the problem?

user@host> show log ike-test
…
Jun 13 10:36:52 ike_st_i_cr: Start
Jun 13 10:36:52 ike_st_i_cert: Start
Jun 13 10:36:52 ike_st_i_private: Start
Jun 13 10:36:52 ike_st_o_id: Start
Jun 13 10:36:52 ike_st_o_hash: Start
Jun 13 10:36:52 ike_find_pre_shared_key: Find pre shared key key for 172.168.100.2:500, id = ipv4(udp:500,[0..3]=172.168.100.2) -> 192.168.101.2:500, id = No Id
Jun 13 10:36:52 ike_policy_reply_find_pre_shared_key: Start
Jun 13 10:36:52 ike_calc_mac: Start, initiator = true, local = true
Jun 13 10:36:52 ike_st_o_status_n: Start
Jun 13 10:36:52 ike_st_o_private: Start
Jun 13 10:36:52 ike_policy_reply_private_payload_out: Start
Jun 13 10:36:52 ike_st_o_encrypt: Marking encryption for packet
Jun 13 10:36:52 ike_encode_packet: Start, SA = { 0x86b8160b 93a10c7c - c6c3a771 f0475656 } / 00000000, nego = -1
Jun 13 10:36:52 ike_send_packet: Start, send SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}, nego = -1, src = 172.168.100.2:500, dst = 192.168.101.2:500, routing table id = 0
Jun 13 10:36:52 ike_get_s

What is causing the problem?

user@host> request services application-identification application copy junos:AIM-HTTP-API
error: Can not commit to junos configure DB.
----------------------------------------------------------------------
could not lock modified database mgd xcommit failed
Copy application junos:AIM-HTTP-API failed.

You want to make a custom copy of the junos:AIM-HTTP-API application signature. However, when you attempt to copy the application signature, you receive the error shown above. What is causing the problem?

Which action will resolve this problem?

Apr 27 19:11:09 company-fw init: low_mem_signal_processes: send signal 16 to routing
Apr 27 19:11:09 company-fw /kernel: KERNEL_MEMORY_CRITICAL: System low on free memory, notifying init (#4).
Apr 27 19:11:09 company-fw rpd[1268]: Processing low memory signal
Apr 27 19:11:09 company-fw init: low_mem_signal_processes: send signal 16 to idp-policy
Apr 27 19:11:09 company-fw idpd[1295]: Processing low memory signal
Apr 27 19:11:10 company-fw idpd[1987]: IDP_SECURITY_INSTALL_RESULT: security package install result Done;Install aborted due to system reaching low memory condition!)

You are troubleshooting a problem where the IDP signature database update on your Junos device has failed. Which action will resolve this problem?

Which parameter must be changed?

[edit security utm]
user@host# show
custom-objects {
    url-pattern {
        blocklist {
            value [ http://badsite.com http://blocksite.com ];
        }
        acceptlist {
            value http://juniper.net;
        }
    }
    custom-url-category {
        blacklist {
            value blocklist;
        }
        whitelist {
            value acceptlist;
        }
    }
}
feature-profile {
    web-filtering {
        url-whitelist whitelist;
        url-blacklist blacklist;
        type juniper-local;
        juniper-local {
            profile web-filter {
                custom-block-message "Site is not allowed";
                fallback-settings {
                    default log-and-permit;
                }
            }
        }
    }
}
utm-policy utm1 {
    web-filtering {
        http-profile web-filter;
    }
}

You set up Web filtering to allow employees to only access your internal website. You notice that employees are still able to reach websites outside of the blacklists. Which parameter must be changed?

What is causing this problem?

user@host> show configuration security utm
custom-objects {
    url-pattern {
        block-juniper {
            value *.spammer.com;
        }
    }
    custom-url-category {
        blacklist {
            value block-juniper;
        }
    }
}
feature-profile {
    anti-spam {
        address-blacklist block-juniper;
        sbl {
            profile myprofile {
                no-sbl-default-server;
                spam-action block;
            }
        }
    }
}
utm-policy wildcard-policy {
    anti-spam {
        smtp-profile myprofile;
    }
}

You added a blacklist to your antispam policy to block any e-mails from the spammer.com domain. However, your users are complaining that they are still receiving spam e-mails from that domain. You run the utm test-string test and confirm that the blacklist is not working. What is causing this problem?

What is causing the problem?

{hold:node0}
user@host1> show chassis cluster status
Cluster ID: 1
Node     Priority   Status   Preempt   Manual failover

Redundancy group: 0 , Failover count: 0
    node0   1       hold     no        no
    node1   0       lost     n/a       n/a

{hold:node0}
user@host1> show configuration | no-more
system {
    host-name host1;
    root-authentication {
        encrypted-password "$1$KI99zGk6$MbYFuBbpLffu9tn2.sI7l1"; ## SECRET-DATA
    }
    name-server {
        172.16.10.100;
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.210.14.131/26;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family inet {
                address 172.16.10.1/24;
            }
        }
    }
}
security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        functional-zone management {
            interfaces {
                ge-0/0/0.0;
            }
            host-inbound-traffic {
                system-services {
                    ssh;
                    telnet;
                    ping;
                    traceroute;
                    http;
                    snmp;
                }
            }
        }
        security-zone Trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/9.0;
            }
        }
        security-zone Untrust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/8.0;
            }
        }
    }
}

----------------

{hold:node1}
user@host2> show chassis cluster status
Cluster ID: 1
Node     Priority   Status   Preempt   Manual failover

Redundancy group: 0 , Failover count: 0
    node0   0       lost     n/a       n/a
    node1   1       hold     no        no

{hold:node1}
user@host2> show configuration | no-more
system {
    host-name host2;
    root-authentication {
        encrypted-password "$1$KI99zGk6$MbYFuBbpLffu9tn2.sI7l1"; ## SECRET-DATA
    }
    name-server {
        172.16.10.100;
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.210.14.132/26;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family inet {
                address 172.16.10.1/24;
            }
        }
    }
}
security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        functional-zone management {
            interfaces {
                ge-0/0/0.0;
            }
            host-inbound-traffic {
                system-services {
                    ssh;
                    telnet;
                    ping;
                    traceroute;
                    http;
                    snmp;
                }
            }
        }
        security-zone Trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/9.0;
            }
        }
        security-zone Untrust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/8.0;
            }
        }
    }
}

A user attempted to form a chassis cluster on an SRX240; however, the cluster did not form. While investigating the problem, you see the output shown above. What is causing the problem?

Which configuration would resolve this problem?

Click the Exhibit button. There is an existing chassis cluster connected to the corporate
network 192.168.1.0/24. You are asked to connect another department to this VLAN. To
achieve this, you add a new chassis cluster to the network. After connecting to the network,
the cluster experiences traffic problems. You have verified that the addresses and VLAN
IDs are configured correctly. Referring to the exhibit, which configuration would resolve this
problem?

