Junos OS


Could not SSH to Junos J2320

  • 1.  Could not SSH to Junos J2320

    Posted 10-27-2011 08:13

    Hello!

     

    I would need someone's help regarding accessing my Juniper J2320 device running ver 9.3R4.4 through SSH.

     

    When I issue a telnet command to the correct IP address over port 22, it gets accepted, but when I try to access the device through the PuTTY client it fails.

     

    I have attached my config with this post. 

     

    I would appreciate any advice!

     

    Kind Regards,

     

    Jure

    Attachment(s): j2320_config.txt


  • 2.  RE: Could not SSH to Junos J2320

    Posted 10-27-2011 11:38

    I don't remember on which version flow mode is default, but I think it is in 9.3. So you need to configure security zones and host-inbound-traffic system-service or enable packet mode with set security forwarding-options family mpls mode packet-based. See also http://kb.juniper.net/InfoCenter/index?page=content&id=KB11963. This setting doesn't do anything with mpls btw, it just bypasses the flow module completely this way.



  • 3.  RE: Could not SSH to Junos J2320

    Posted 10-27-2011 13:43

    If you can handle an outage you can run:

    load override /etc/config/jsr-series-routermode-factory.conf

    then load your configuration back in. This command will erase your config, but as long as you place it back in before commit you should be okay.

    To get all of the set commands, enter edit, then do a show | display set, so you can have all of the set commands to restore your config after the load override command.

    Thanks



  • 4.  RE: Could not SSH to Junos J2320

    Posted 10-28-2011 01:39
    Dclarkjr1122,

    thank you for your reply. I must say I am not quite sure if I understood you correctly but if not mistaken, you want me to
    1. issue "load override /.../-factory.conf", and then
    2. issue "load override /config/junifer.conf.gz" and then
    3. commit ... right?

    Doing things in that order also did not allow me to SSH to the device.

    Regards,

    Jure


  • 5.  RE: Could not SSH to Junos J2320
    Best Answer

    Posted 10-28-2011 15:21

    A device in router/packet mode has something like this at the end of 'show configuration':

     

    security {
        zones {
            security-zone trust {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        any-service;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    all;
                }
            }
        }
        policies {
            default-policy {
                permit-all;
            }
        }
        alg {
            dns disable;
            ftp disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            real disable;
            rsh disable;
            rtsp disable;
            sccp disable;
            sip disable;
            sql disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        forwarding-options {
            family {
                inet6 {
                    mode packet-based;
                }
                iso {
                    mode packet-based;
                }
            }
        }
        flow {
            allow-dns-reply;
            tcp-session {
                no-syn-check;
                no-syn-check-in-tunnel;
                no-sequence-check;
            }
        }
    }

     

    A flow mode device will have a bunch of policies listed for denying traffic between zones.

     

    Flipping from flow mode to packet mode requires the following:

     

    • Backup your Junos configuration
    • Make sure you are at the top level of configuration mode
    • load override /etc/config/jsr-series-routermode-factory.conf
    • set system root-authentication plain-text-password
    • set system services ssh root-login allow
    • set system services ssh protocol-version v2
    • delete system autoinstallation
    • delete interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24 and replace with appropriate value
    • You can run 'load terminal merge' and paste in your Junos config here if you want; you will have to be careful to remove flow-related items from your config before doing this
    • commit
    • quit
    • request system reboot

    I have also seen a reference to the following in configuration mode (at the top of the tree) although I have not tried it myself:

     

    • delete security
    • set security forwarding-options family mpls mode packet-based
    • commit

     

     

     



  • 6.  RE: Could not SSH to Junos J2320

    Posted 10-28-2011 17:52

    Close but try this order:

    1) enter edit, do "show | display set" (copy this to notepad)

    2) enter load override /etc/config/jsr-series-routermode-factory.conf

    3) paste in output copied to notepad into the terminal

    4) commit

     

    Let me know if that helps

    Thanks

     

     



  • 7.  RE: Could not SSH to Junos J2320

    Posted 11-04-2011 03:22

    Dear Dclarkjr1122,

     

    I did what you had instructed me, but that did not help me.

     

    I am not sure what was wrong with my SSH access but it was not until I confirmed one more time interface ge-0/0/0 (not ge-0/0/0.0) under security zone settings and allowed SSH ver 1, that I managed to SSH successfully. 


    version 9.3R4.4;
    system {
        host-name cslab-j2320;
        domain-name cslab.hr;
        root-authentication {
            encrypted-password "$1$.urQQgr3$uMcCLbIOrpSpfMnP.k..Y/";
        }
        name-server {
            192.168.0.11;
        }
        login {
            user nsm_admin {
                uid 2003;
                class super-user;
                authentication {
                    ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuZ4oEW/5qOEvejpr9JNqNTUqkYGfUVnRHU/fRQF/VwwGw9FIcaQYAOTjaRTag4TOKllrrsyip7D+B+zpYBhUbrixXp59NYm119+11bKIR4RcDLBrspKMX3sGNFDYvej8i283uWewVJC7v+yIeVa82oNOnL+gTbtbBknaBmFZ4t38sHsWlPTUEd/xFhCdo2Lka/iRQ/4gicEpKCZmHb6GMsJdYrsx3nkKCN7ggjv1Ojq47/x+Mt+KcVlP7ZHtsaOuGHBUHhsfonoDFr/veLLwibTZP1uH2B6Yfiq54Jbd6ZhXmz0CPHO3dXi/hj3Qf+ZiXkTCGpcZbEj39KvkeLShpQ== nsm_admin@nsm";
                }
            }
            user web_admin {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "$1$IkzqoM2o$1zst3l8ksN2gNvI79wMSc.";
                }
            }
        }
        services {
            ftp {
                connection-limit 10;
                rate-limit 4;
            }
            ssh {
                root-login allow;
                protocol-version [ v2 v1 ];
                connection-limit 10;
                rate-limit 4;
            }
            telnet;
            netconf {
                ssh;
            }
            web-management {
                http;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.2.57/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.2.1;
        }
    }
    security {
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        telnet;
                        ssh;
                        http;
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
        }
    }

    #####

    UPDATE: I found out that my router does not support SSH ver 2 and it only works when I set ver1. (ver 9.3R4.4 world-wide download packet) 

     

    Just a question more - does Junos 9.3 support 3DES for SSH at all?!

     

    Regards,

     

    Jure
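The diagnosis in the post above (ssh must be listed under the zone's host-inbound-traffic system-services, telnet to port 22 alone proves nothing, and only v1 ended up working) can be checked mechanically against a 'show configuration' dump. The Python audit below is an added example, not code from the forum or from Juniper; it parses Junos curly-brace syntax into nested dicts and reports the SSH-related findings, and the embedded SAMPLE is a constructed, compacted version of the poster's config (the same checks apply to the packet-mode zone listing in reply 5).

```python
"""Audit a Junos 'show configuration' dump for the SSH items this thread turned on;
added example, not Juniper's or the forum's. SAMPLE is a constructed, abridged config."""
import re

SAMPLE = """\
system { services { telnet; ssh { root-login allow; protocol-version [ v2 v1 ]; } } }
security { zones { security-zone trust {
    host-inbound-traffic { system-services { telnet; ssh; ping; } }
    interfaces { ge-0/0/0.0;
    } } } }
"""

def parse(text):
    """Junos braces -> nested dicts; 'ssh;' -> {'ssh': None}, 'x y;' -> {'x': 'y'}."""
    stack, words = [{}], []                  # stack[-1] is the block being filled
    for tok in re.findall(r'\{|\}|;|\[[^\]]*\]|"[^"]*"|[^\s{};]+', text):
        if tok == '{':                       # block named by the words before it
            stack.append(stack[-1].setdefault(' '.join(words), {}))
            words = []
        elif tok == '}':                     # a stray closing brace is tolerated
            if len(stack) > 1:
                stack.pop()
        elif tok == ';':                     # leaf: first word is the key
            if words:
                stack[-1][words[0]] = ' '.join(words[1:]) or None
            words = []
        else:
            words.append(tok)
    return stack[0]

def sub(node, *path):                        # descend; {} when a step is missing or a leaf
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else {}

def audit(cfg):
    """Findings to clear before relying on SSH to manage the box."""
    findings = []
    ssh = sub(cfg, 'system', 'services', 'ssh')
    if 'v1' in re.findall(r'v\d+', ssh.get('protocol-version') or ''):
        findings.append('ssh protocol-version allows v1; prefer v2 only')
    if ssh.get('root-login') == 'allow':
        findings.append('ssh root-login allow; prefer deny')
    for name, zone in sub(cfg, 'security', 'zones').items():
        svcs = sub(zone, 'host-inbound-traffic', 'system-services')
        if not {'ssh', 'any-service'} & set(svcs):   # flow mode drops SSH here
            findings.append(f'{name}: ssh missing from host-inbound-traffic for {list(sub(zone, "interfaces"))}')
        findings += [f'{name}: cleartext {s} admitted' for s in ('telnet', 'http') if s in svcs]
    return findings
```

Running audit(parse(SAMPLE)) reports the v1 protocol version, root-login allow and the cleartext telnet service, and stays silent on SSH reachability because ssh is present in the zone's system-services.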



  • 8.  RE: Could not SSH to Junos J2320

    Posted 11-04-2011 03:51

    DES or 3DES depends on the version you install. There's the domestic (to US/Canada) or the export (worldwide on download page) version. On the export version only ssh v1 and DES is implemented due to regulations. When you're outside US/Canada you might need to fill in an encryption agreement to use the domestic version.

     

    Domestic shows domestic in the image name, WW will show export.



  • 9.  RE: Could not SSH to Junos J2320

    Posted 11-04-2011 04:51

    Screenie,

     

    could you help me more with this please?! It is very important to me to have SSH ver2 because I am testing NSM software with Juniper appliances and SSH ver2 must be used according to the NSM Admin Guide.

     

    I have a link to 9.3 Junos software here and would like to ask you which package I should install?

     

    Currently on-box I have ver 9.3R4.4 running from this World Wide package:

     

    J-series Junos with Enhanced Services Install Package
    Advance BGP and JFlow require a license key to enable the features.

     

    Regards,

     

    Jure




  • 10.  RE: Could not SSH to Junos J2320

    Posted 11-04-2011 04:56
    The link you gave is to the domestic package, so the right one I believe. Just download the package for j-series there.


  • 11.  RE: Could not SSH to Junos J2320

    Posted 11-06-2011 10:16

    Dear Jure,

     

    I don't have much knowledge about your application issue.

     

    I do have a suggestion: please check the firewall filter applied on the Routing Engine. Sometimes we block SSH ports or apply a prefix-list with the SSH port, with the result that specific SSH packets are dropped by the RE.

     

     

    regards

    Gaurav Jhawar



  • 12.  RE: Could not SSH to Junos J2320

    Posted 10-28-2011 01:31
    Screenie,

    thank you for reply. However, setting everything according to that KB did not help. I still cannot SSH to the device.

    " root@cslab-j2320% telnet 192.168.2.57 22
    Trying 192.168.2.57...
    Connected to 192.168.2.57.
    Escape character is '^]'.
    Connection closed by foreign host. "

    Do you think there is something to be done with SSH keys or certificates?