Visitor
jsimundic@cs.hr
Posts: 5
Registered: ‎10-25-2011
Accepted Solution

Could not SSH to Junos J2320

Hello!

 

I would need someone's help regarding accessing my Juniper J2320 device running ver 9.3R4.4 through SSH.

 

When I issue the telnet command to the correct IP address over port 22, it gets accepted, but when I try to access the device through the PuTTY client it fails.

 

I have attached my config with this post. 

 

I would appreciate any advice!

 

Kind Regards,

 

Jure

Distinguished Expert
Screenie
Posts: 1,085
Registered: ‎01-10-2008

Re: Could not SSH to Junos J2320

I don't remember in which version flow mode is the default, but I think it is in 9.3. So you need to configure security zones and host-inbound-traffic system-services, or enable packet mode with set security forwarding-options family mpls mode packet-based. See also http://kb.juniper.net/InfoCenter/index?page=content&id=KB11963. This setting doesn't do anything with MPLS btw, it just bypasses the flow module completely this way.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
dclarkjr1122
Posts: 27
Registered: ‎11-24-2009

Re: Could not SSH to Junos J2320

If you can handle an outage you can run:

load override /etc/config/jsr-series-routermode-factory.conf

then load your configuration back in. This command will erase your config, but as long as you place it back in before commit you should be okay.

To get all of the set commands, enter edit, then do a show | display set, so you can have all of the set commands to restore your config after the load override command.

Thanks

Visitor
jsimundic@cs.hr
Posts: 5
Registered: ‎10-25-2011

Re: Could not SSH to Junos J2320

Screenie,

thank you for your reply. However, setting everything according to that KB did not help. I still cannot SSH to the device.

" root@cslab-j2320% telnet 192.168.2.57 22
Trying 192.168.2.57...
Connected to 192.168.2.57.
Escape character is '^]'.
Connection closed by foreign host. "

Do you think there is something to be done with SSH keys or certificates?
Visitor
jsimundic@cs.hr
Posts: 5
Registered: ‎10-25-2011

Re: Could not SSH to Junos J2320

Dclarkjr1122,

thank you for your reply. I must say I am not quite sure if I understood you correctly, but if I am not mistaken, you want me to
1. issue "load override /.../-factory.conf", and then
2. issue "load override /config/juniper.conf.gz" and then
3. commit ... right?

Doing things in that order also did not allow me to SSH to the device.

Regards,

Jure
Recognized Expert
NateK
Posts: 234
Registered: ‎02-03-2009

Re: Could not SSH to Junos J2320

A device in router/packet mode has something like this at the end of 'show configuration':

 

security {
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
    flow {
        allow-dns-reply;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
}

 

A flow mode device will have a bunch of policies listed for denying traffic between zones.

 

To flip from flow mode to packet mode requires the following:

 

  • Back up your Junos configuration
  • Make sure you are at the top level of configuration mode
  • load override /etc/config/jsr-series-routermode-factory.conf
  • set system root-authentication plain-text-password
  • set system services ssh root-login allow
  • set system services ssh protocol-version v2
  • delete system autoinstallation
  • delete interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24 and replace with appropriate value
  • You can run 'load terminal merge' and paste in your Junos config here if you want; you will have to be careful to remove flow-related items from your config before doing this
  • commit
  • quit
  • request system reboot

I have also seen a reference to the following in configuration mode (at the top of the tree) although I have not tried it myself:

 

  • delete security
  • set security forwarding-options family mpls mode packet-based
  • commit
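
The checks discussed in the replies above (is sshd configured, is the box in packet mode, is the interface in a zone whose host-inbound-traffic admits ssh), run over `show | display set` output. This is an added example, not part of any post in the thread; the function name, result labels and sample lines are constructed, and it assumes interface-level host-inbound-traffic overrides the zone-level setting.

```python
from collections import defaultdict

ALLOW = {"ssh", "all", "any-service"}  # system-services values that admit SSH

# Constructed sample in 'display set' form, using the zone and interface names from the thread.
SAMPLE = [
    "set system services ssh protocol-version v2",
    "set security zones security-zone trust host-inbound-traffic system-services ssh",
    "set security zones security-zone trust interfaces ge-0/0/0.0",
]

def ssh_findings(set_lines, ifl="ge-0/0/0.0"):
    """Explain whether a 'display set' dump lets SSH reach the box via logical interface ifl."""
    sshd = packet = False
    zone_of, zone_svc, if_svc = {}, defaultdict(set), defaultdict(set)
    for raw in set_lines:
        t = raw.split()
        if t[:4] == ["set", "system", "services", "ssh"]:
            sshd = True
        elif t == "set security forwarding-options family mpls mode packet-based".split():
            packet = True  # per the thread: bypasses the flow module entirely
        elif t[:4] == ["set", "security", "zones", "security-zone"] and len(t) > 5:
            zone, rest = t[4], t[5:]
            bucket = zone_svc[zone]
            if rest[0] == "interfaces" and len(rest) > 1:
                zone_of[rest[1]] = zone            # interface (or "all") bound to zone
                bucket, rest = if_svc[rest[1]], rest[2:]
            if rest[:2] == ["host-inbound-traffic", "system-services"] and len(rest) > 2:
                bucket.add(rest[2])
    out = [] if sshd else ["sshd-not-configured"]
    if packet:
        return out + ["packet-mode"]
    zone = zone_of.get(ifl) or zone_of.get("all")
    if zone is None:
        return out + ["interface-not-in-zone"]
    # Assumption: a non-empty interface-level list replaces the zone-level list.
    services = if_svc.get(ifl) or zone_svc.get(zone, set())
    return out + ["ssh-allowed" if services & ALLOW else "ssh-blocked-by-zone"]

if __name__ == "__main__":
    print(ssh_findings(SAMPLE))
```

A result of `ssh-allowed` means the zone configuration is not what is blocking the session, so the next place to look is the SSH service itself.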

 

 

 

Contributor
dclarkjr1122
Posts: 27
Registered: ‎11-24-2009

Re: Could not SSH to Junos J2320

Close but try this order:

1) enter edit, do "show | display set" (copy this to notepad)

2) enter load override /etc/config/jsr-series-routermode-factory.conf

3) paste in output copied to notepad into the terminal

4) commit

 

Let me know if that helps

Thanks

 

 

Visitor
jsimundic@cs.hr
Posts: 5
Registered: ‎10-25-2011

Re: Could not SSH to Junos J2320


Dear Dclarkjr1122,

 

I did what you had instructed me, but that did not help me.

 

I am not sure what was wrong with my SSH access but it was not until I confirmed one more time interface ge-0/0/0 (not ge-0/0/0.0) under security zone settings and allowed SSH ver 1, that I managed to SSH successfully. 


version 9.3R4.4;
system {
    host-name cslab-j2320;
    domain-name cslab.hr;
    root-authentication {
        encrypted-password "$1$.urQQgr3$uMcCLbIOrpSpfMnP.k..Y/";
    }
    name-server {
        192.168.0.11;
    }
    login {
        user nsm_admin {
            uid 2003;
            class super-user;
            authentication {
                ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuZ4oEW/5qOEvejpr9JNqNTUqkYGfUVnRHU/fRQF/VwwGw9FIcaQYAOTjaRTag4TOKllrrsyip7D+B+zpYBhUbrixXp59NYm119+11bKIR4RcDLBrspKMX3sGNFDYvej8i283uWewVJC7v+yIeVa82oNOnL+gTbtbBknaBmFZ4t38sHsWlPTUEd/xFhCdo2Lka/iRQ/4gicEpKCZmHb6GMsJdYrsx3nkKCN7ggjv1Ojq47/x+Mt+KcVlP7ZHtsaOuGHBUHhsfonoDFr/veLLwibTZP1uH2B6Yfiq54Jbd6ZhXmz0CPHO3dXi/hj3Qf+ZiXkTCGpcZbEj39KvkeLShpQ== nsm_admin@nsm";
            }
        }
        user web_admin {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$IkzqoM2o$1zst3l8ksN2gNvI79wMSc.";
            }
        }
    }
    services {
        ftp {
            connection-limit 10;
            rate-limit 4;
        }
        ssh {
            root-login allow;
            protocol-version [ v2 v1 ];
            connection-limit 10;
            rate-limit 4;
        }
        telnet;
        netconf {
            ssh;
        }
        web-management {
            http;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.2.57/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.2.1;
    }
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    telnet;
                    ssh;
                    http;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}

#####

UPDATE: I found out that my router does not support SSH ver 2 and it only works when I set ver1. (ver 9.3R4.4 world-wide download packet) 

 

Just one more question - does Junos 9.3 support 3DES for SSH at all?!

 

Regards,

 

Jure
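
A telnet to port 22 only shows that TCP connects; the protocol versions a server offers are announced in its SSH identification line (RFC 4253: `SSH-1.99-...` means both SSH-1 and SSH-2, `SSH-2.0-...` means SSH-2 only, `SSH-1.x-...` means SSH-1 only). The sketch below reads and classifies that line; it is an added example, not part of the original post, and the function names, result labels and sample banners are constructed.

```python
import socket

HINTS = {  # wording is this example's own
    "no-banner": "TCP opens but no SSH identification arrives: look at the server side",
    "not-ssh": "something other than an SSH server answered on this port",
    "v1-only": "server speaks SSH-1 only: a client restricted to SSH-2 cannot connect",
    "v1-and-v2": "server accepts both SSH-1 and SSH-2 clients",
    "v2-only": "server speaks SSH-2 only",
    "unknown": "unrecognised protocol version in the identification line",
}

def classify_banner(data: bytes) -> str:
    """Classify the bytes a server sent first; lines before 'SSH-' are allowed by RFC 4253."""
    if not data:
        return "no-banner"
    for line in data.splitlines():
        if line.startswith(b"SSH-"):
            parts = line.decode("ascii", "replace").split("-", 2)
            proto = parts[1] if len(parts) > 1 else ""
            fallback = "v1-only" if proto.startswith("1.") else "unknown"
            return {"1.99": "v1-and-v2", "2.0": "v2-only"}.get(proto, fallback)
    return "not-ssh"

def probe(host, port=22, timeout=5.0):
    """Connect, read the identification line, return (state, hint)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)
    data = b""
    with sock:
        try:
            while len(data) < 4096:
                chunk = sock.recv(256)
                if not chunk:
                    break                      # peer closed the connection
                data += chunk
                if data.endswith(b"\n") and classify_banner(data) != "not-ssh":
                    break                      # complete identification line seen
        except OSError:
            pass                               # timeout or reset: classify what arrived
    state = classify_banner(data)
    return state, HINTS[state]

if __name__ == "__main__":
    for sample in (b"SSH-1.5-1.2.27\n", b"SSH-1.99-OpenSSH_4.4\r\n", b""):  # constructed
        print(sample, "->", classify_banner(sample))
```

Run `probe("<device address>")` from the management host before changing client settings: `v1-only` points at the server's protocol-version configuration or image, while `no-banner` matches a session that connects and is then closed without any output.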

Distinguished Expert
Screenie
Posts: 1,085
Registered: ‎01-10-2008

Re: Could not SSH to Junos J2320

DES or 3DES depends on the version you install. There's the domestic (to US/Canada) or the export (worldwide on download page) version. On the export version only SSH v1 and DES is implemented due to regulations... When you're outside US/Canada you might need to fill in an encryption agreement to use the domestic version.

 

Domestic shows domestic in the image name, WW will show export.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

Visitor
jsimundic@cs.hr
Posts: 5
Registered: ‎10-25-2011

Re: Could not SSH to Junos J2320

Screenie,

 

could you help me more with this please?! It is very important to me to have SSH ver2 because I am testing NSM software with Juniper appliances and SSHver2 must be used according to NSM Admin Guide.

 

I have a link to 9.3 Junos software here and would like to ask you which packet I should install?

 

Currently on-box I have ver 9.3R4.4 running from this World Wide package:

 

J-series Junos with Enhanced Services Install Package
Advance BGP and JFlow require a license key to enable the features.

 

Regards,

 

Jure

