How to Juniper SRX static route failover

Under normal circumstances routing failover should be handled by dynamic routing protocols in the network, not on the endpoints. Sometimes, however, this situation cannot be avoided, and that is when the RPM feature on SRX boxes comes in handy.

In our environment it is useful for failover of static routing between the BA and KE sites. When the connection drops somewhere along the path while the interfaces on the endpoints stay up, we cannot use the qualified-next-hop functionality, because the original route remains in the routing table and the device knows nothing about the outage along the path. With RPM we set up link monitoring (ICMP) between the boxes, and when they are no longer able to communicate over the primary link, the static routes are switched to the backup link.

We configure the required static routes via the primary link.

#route 192.168.0.0/24 next-hop 192.168.254.9;
#route 192.168.201.0/24 next-hop 192.168.254.9;

We create an RPM probe that monitors the other side of the IPsec tunnel; when 3 pings fail within the configured time intervals, the test is evaluated as FAILED. In our case that takes 35s.

# run show configuration services rpm probe BA-KE-LINK 
test PRIMARY {
    target address 192.168.254.9;
    probe-count 3;
    probe-interval 5;
    test-interval 10;
    source-address 192.168.254.10;
    thresholds {
        successive-loss 3;
        total-loss 3;
    }
}

This state is monitored by the ip-monitoring service, which on a FAILED state adds the static routes via the backup link.

# run show configuration services ip-monitoring 
policy BA-KE-PRIMARY {
    match {
        rpm-probe BA-KE-LINK;
    }
    then {
        preferred-route {
            route 192.168.0.0/24 {
                next-hop 192.168.254.1;
            }
            route 192.168.201.0/24 {
                next-hop 192.168.254.1;
            }
        }
    }
}

And we can check the result:

# run show services ip-monitoring status 

Policy - BA-KE-PRIMARY (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status   
    ---------------------- --------------- ---------------- ---------
    BA-KE-LINK             PRIMARY         192.168.254.9    PASS     
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- ------------- 
    inet.0            192.168.0.0/24    192.168.254.1    NOT-APPLIED  
    inet.0            192.168.201.0/24  192.168.254.1    NOT-APPLIED  
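The status output above is what an operator would poll to learn that a failover has actually happened. The following script, an added example that is not part of the original notes, parses that output and produces alert lines whenever a policy is not in the PASS state or has backup routes APPLIED. SAMPLE_PASS is constructed from the output shown above; SAMPLE_FAIL is an assumed rendering of the same table after the probe fails (Status: FAIL, routes APPLIED).

```python
"""Parse 'show services ip-monitoring status' output from a Juniper SRX and
report whether a policy has switched its static routes to the backup next hop.

Added example, not from the original notes. SAMPLE_PASS is constructed from the
output shown in the post; SAMPLE_FAIL is an assumed rendering of the same table
after the RPM probe fails (Status: FAIL, routes APPLIED)."""
import re
from dataclasses import dataclass, field

POLICY_RE = re.compile(r"^Policy - (\S+) \(Status: (\w+)\)")
PROBE_RE = re.compile(r"^\s+(\S+)\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\w+)\s*$")
ROUTE_RE = re.compile(r"^\s+(\S+)\s+(\S+/\d+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s*$")
HEADER_PREFIXES = ("Probe name", "route-instance", "-")

SAMPLE_PASS = """\
Policy - BA-KE-PRIMARY (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    BA-KE-LINK             PRIMARY         192.168.254.9    PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            192.168.0.0/24    192.168.254.1    NOT-APPLIED
    inet.0            192.168.201.0/24  192.168.254.1    NOT-APPLIED
"""

# Assumed look of the same table once the probe has failed (constructed).
SAMPLE_FAIL = SAMPLE_PASS.replace("Status: PASS", "Status: FAIL") \
    .replace("192.168.254.9    PASS", "192.168.254.9    FAIL") \
    .replace("NOT-APPLIED", "APPLIED")


@dataclass
class PolicyStatus:
    name: str
    status: str
    probes: list = field(default_factory=list)  # (probe, test, address, status)
    routes: list = field(default_factory=list)  # (instance, prefix, next_hop, state)


def parse_ip_monitoring(text):
    """Return one PolicyStatus per 'Policy - ...' block in the CLI output."""
    policies, current, section = [], None, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = PolicyStatus(m.group(1), m.group(2))
            policies.append(current)
            section = None
            continue
        stripped = line.strip()
        if current is None or not stripped or stripped.startswith(HEADER_PREFIXES):
            continue  # skip column headers and separator lines
        if stripped == "RPM Probes:":
            section = "probes"
        elif stripped == "Route-Action:":
            section = "routes"
        elif section == "probes" and (m := PROBE_RE.match(line)):
            current.probes.append(m.groups())
        elif section == "routes" and (m := ROUTE_RE.match(line)):
            current.routes.append(m.groups())
    return policies


def applied_backup_routes(policy):
    """Routes that ip-monitoring has currently injected (state APPLIED)."""
    return [(prefix, nh) for _inst, prefix, nh, state in policy.routes if state == "APPLIED"]


def failover_alerts(text):
    """One alert line per policy that is not PASS or has backup routes applied,
    suitable for a poller to forward to a monitoring system."""
    alerts = []
    for p in parse_ip_monitoring(text):
        applied = applied_backup_routes(p)
        if p.status == "PASS" and not applied:
            continue
        failed = [f"{probe}/{test}->{addr}" for probe, test, addr, st in p.probes if st != "PASS"]
        routes = ", ".join(f"{prefix} via {nh}" for prefix, nh in applied) or "none"
        alerts.append(f"{p.name}: status {p.status}; failed probes {failed}; backup routes applied: {routes}")
    return alerts


if __name__ == "__main__":
    print("healthy:", failover_alerts(SAMPLE_PASS))
    for alert in failover_alerts(SAMPLE_FAIL):
        print(alert)
```

The parser keys on the column layout shown in the post; if a different Junos release changes the table, only the two row regexes need adjusting.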

Force JunOS to use ntp server

If we have a correctly configured NTP server and the correct time is still not set after the commit, we need to "force" the time to be set.

> show configuration system ntp 
server 192.168.1.86;
source-address 10.0.10.2;
> set date ntp all-members 192.168.1.86 
fpc0:
--------------------------------------------------------------------------
16 Nov 23:13:05 ntpdate[81186]: step time server 192.168.1.86 offset 0.000631 sec

How to replace node on SRX cluster [JunOS 12.1.x]

If you need to replace a node in an SRX chassis cluster because of a HW problem or, as happened to me, a corrupted configuration file, here is a guide on how to do it.

1. First we disconnect the node from the cluster. We power off the node.

>request system power-off

2. Disconnect the data-plane and control-plane cables. On the SRX240 model these are ports ge-0/0/1 and ge-0/0/2.
Power on the disconnected node and load the configuration file from the remaining running node. The configuration file can be taken from the system archive, or we can have it created on the remaining node.

#save juniper.conf 

The configuration file is saved in root's home directory. Copy the configuration file to your machine using scp.

3. Copy the configuration file to a USB stick with a FAT32 filesystem and insert it into the SRX. On the firewall enter the shell, mount the USB stick and copy the configuration file into the /var/tmp/ directory.

>start shell
%mkdir /var/tmp/usb/
%mount_msdosfs /dev/da1s1 /var/tmp/usb
%cp /var/tmp/usb/juniper.conf /var/tmp/

4. Once we have the configuration file on the device, delete the original configuration and load the saved config.

# delete
# load override /var/tmp/juniper.conf

5. Power off the node.

>request system power-off

6. Connect the control-plane and data-plane cables between the nodes and power on the node. After booting, the nodes should synchronize with each other and end up in the optimal state.

> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no  
    node1                   1           secondary      no       no  

Redundancy group: 1 , Failover count: 1
    node0                   100         primary        yes      no  
    node1                   1           secondary      yes      no  

Juniper SRX: Could not load host key: /etc/ssh/ssh_host_rsa_key

After upgrading a firewall cluster consisting of two SRX240s it was not possible to log in to the device over ssh.

$ ssh fwza
ssh: connect to host fwba port 22: Connection refused

After checking the logs it was clear that the device had no generated rsa/dsa key pair.

>show log messages
Jun 29 23:33:57  fwza sshd[4167]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Jun 29 23:33:57  fwza sshd[4167]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Jun 29 23:33:57  fwza sshd[4167]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jun 29 23:33:57  fwza sshd[4167]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jun 29 23:33:57  fwza sshd[4167]: Disabling protocol version 2. Could not load host key
Jun 29 23:33:57  fwza sshd[4167]: sshd: no hostkeys available -- exiting.

Following the documentation, I therefore tried to generate the key pair manually.

root@fwza% ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Saving key "/etc/ssh/ssh_host_dsa_key" failed: No such file or directory

The generation was unsuccessful, however, supposedly because the /etc/ssh/ directory does not exist. But when I check, the directory exists.

root@fwza% ls /etc/ssh 
/etc/ssh

On closer investigation of the cause, the /etc/ssh directory is of course a symlink, and the original /var/db/ssh directory it points to is not present on the system.
To fix the problem with the missing keys, first create the directory and then generate new keys.

root@fwza% mkdir /var/db/ssh
root@fwza% ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
root@fwza% ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

The keys are generated successfully and the device accepts connections over ssh.

$ ssh root@fwza
The authenticity of host '192.168.2.1 (192.168.2.1)' can't be established.
RSA key fingerprint is SHA256:dpNa/Xdz5KsCQQ+RsnutP6GxCWZzOdeer/S7wHQ9WBA.
RSA key fingerprint is MD5:1c:a2:31:d6:ed:ce:sf:e9:eb:ac:50:cf:40:4d:71:5b.
Are you sure you want to continue connecting (yes/no)? 

How to upgrade Juniper SRX cluster

1. Preparation

A. Check that the fw is not waiting for a configuration commit.

>show configuration | compare

B. All cards should be online.

>show chassis fpc pic-status

C. All LACP interfaces should be "collecting distributing".

>show lacp interface

D. Both the control-plane and the data-plane should be primary on one node (node0). Both nodes are online and neither has its priority set to 255.

>show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                   200         primary        no       no
    node1                   100         secondary      no       no

Redundancy group: 1 , Failover count: 0
    node0                   200         primary        no       no
    node1                   100         secondary      no       no

E. All interfaces should be up.

>show chassis cluster interfaces

F. The cluster has no errors.

>show chassis cluster information detail

G. The number of sessions should be the same on both nodes before and after the upgrade.

>show security flow session summary | match Unicast-sessions

H. Verify there is enough space to upload the image.

>show system storage

I. The snapshot on both nodes should be of the same version; if it is not, run "request system snapshot".

>show system snapshot

J. Verify there are no alarms on the fw.

>show chassis alarms

K. Check the versions on both nodes: THEY MUST BE THE SAME.

>show version

2. FW upgrade

A. Copy the image to the active node (node0) via scp.

B. Check the integrity of the image.

root@SRX% md5 junos-srx1k3k-11.4R12.4-domestic.tgz
MD5 (junos-srx1k3k-11.4R12.4-domestic.tgz) = c492a673c78ecefefc57712cce9e3de5
root@SRX3600L% cat junos-srx1k3k-11.4R12.4-domestic.tgz.sha
MD5: c492a673c78ecefefc57712cce9e3de5
SHA1: 0e52f99e3fa042dbf599864cb502577b692b3609

C. Create a backup config.

>request system configuration rescue save

D. RUN THE UPGRADE ITSELF

root@SRX> request system software in-service-upgrade /var/tmp/junos-srx1k3k-11.4R12.4-domestic.tgz reboot 

During the upgrade in the lab there was a 5s outage.
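The integrity check in step 2.B above compares digests by eye. The following script, an added example that is not part of the original notes or of any Juniper tooling, automates it: it parses the "MD5: ..." / "SHA1: ..." manifest format shown in the post (and a SHA256 line if one is present), computes every listed digest over the image in a single pass, and reports per-algorithm matches. The image bytes and manifest used here are constructed so that it runs offline; a one-byte tampered copy shows the mismatch case.

```python
"""Verify a downloaded Junos image against the checksum manifest (.sha file)
that ships alongside it, as in step 2.B of the upgrade procedure.

Added example, not from the original notes or from Juniper. The sample image
and manifest are constructed (the digests are those of the 3-byte string
"abc"); PAGE_MANIFEST is the manifest text exactly as printed in the post."""
import hashlib
import re
import tempfile

MANIFEST_LINE = re.compile(r"^\s*(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)\s*$")

# Constructed sample "image" and a manifest carrying its well-known digests.
SAMPLE_IMAGE = b"abc"
TAMPERED_IMAGE = b"abd"  # constructed failure case: one byte changed in transit
SAMPLE_MANIFEST = """\
MD5: 900150983cd24fb0d6963f7d28e17f72
SHA1: a9993e364706816aba3e25717850c26c9cd0d89d
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""
# Manifest as shown in the post for the 11.4R12.4 image.
PAGE_MANIFEST = """\
MD5: c492a673c78ecefefc57712cce9e3de5
SHA1: 0e52f99e3fa042dbf599864cb502577b692b3609
"""


def parse_manifest(text):
    """Return {algorithm: expected_hex} for every recognised manifest line."""
    expected = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line)
        if m:
            expected[m.group(1).lower()] = m.group(2).lower()
    return expected


def digest_file(path, algorithms):
    """Compute all requested digests in one pass; images are large, so read in chunks."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_image(image_path, manifest_text):
    """Return {algorithm: True/False} for each digest listed in the manifest.
    Raises ValueError if the manifest carries nothing we can check."""
    expected = parse_manifest(manifest_text)
    if not expected:
        raise ValueError("manifest contains no recognised checksum lines")
    actual = digest_file(image_path, expected.keys())
    return {alg: actual[alg] == expected[alg] for alg in expected}


def write_sample_image(data):
    """Write constructed image bytes to a temp file and return its path."""
    with tempfile.NamedTemporaryFile(suffix=".tgz", delete=False) as tmp:
        tmp.write(data)
        return tmp.name


if __name__ == "__main__":
    good = write_sample_image(SAMPLE_IMAGE)
    bad = write_sample_image(TAMPERED_IMAGE)
    print("intact image:  ", verify_image(good, SAMPLE_MANIFEST))
    print("tampered image:", verify_image(bad, SAMPLE_MANIFEST))
    print("manifest from the post:", parse_manifest(PAGE_MANIFEST))
```

For a real upgrade, point `verify_image` at the copied image in /var/tmp and at the contents of the accompanying .sha file; the upgrade should only proceed when every algorithm listed in the manifest reports True.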