Visitor
Markus_Z
Posts: 6
Registered: ‎09-02-2008

XML Import/Export flawed? (trying to export from a standalone SA to a virtual system)


Hello community,

 

First, a little background info: a few weeks ago our company decided to transition our primary SSL VPN installation to new hardware, where it should from now on run not as a standalone unit but as a virtual system (built-in virtual systems) on shared hardware.

 

Naturally, the first thing we tried when migrating our existing configuration was to do an XML export on our existing SA (authentication servers, realms, roles, profiles and policies only), then created a new vsys on the new SA, did the preliminary setup and then tried to import the XML file.

 

We had our fair share of 'challenges' while doing so. First, there were several XML elements in that file that were refused by the replacement SA, resulting in import errors: 'Network Connect' and 'Mail-Proxy', to name a few. Juniper support suggested removing these elements, which we did, as luckily they were not needed anyway.

 

So when trying to import that file now, we ran into this issue: the import failed with an 'internal error'. Inspecting the device's event log, it seems that the import crashed an internal process ('Critical  ERR24632: Program impexpserver recently failed. Program terminated with signal 25, File size limit exceeded.'). I've checked with Juniper support, but haven't heard from them yet.

 

The XML file we tried to import was 16 MB in size, so we tried to split that file up, first importing only the authentication servers and roles, second only the profiles and policies. The import went well and there was no error, but it resulted in some profiles not having their roles properly associated, while others have...

 

Both SAs had the same firmware version running (7.1R6). Has anyone tried this before and run into the same issues? What size was the largest you could import in one go?

 

Additionally, while messing with XML in general, I've found that if you validate an unmodified XML export file with the supplied schema file, which you can also download off the SA, there are plenty of errors, even starting at the very beginning on the first line (libxml 2.7.3):

 

DOMDocument::schemaValidate() generated errors!

Error 1866: Element '{http://xml.juniper.net/ive-sa/7.1R6}configuration', attribute 'iveData': The attribute 'iveData' is not allowed. in ive-export.xml on line 1
Error 1866: Element '{http://xml.juniper.net/ive-sa/7.1R6}configuration', attribute 'saData': The attribute 'saData' is not allowed. in ive-export.xml on line 1
Error 1841: Element '{http://xml.juniper.net/ive-sa/7.1R6}netbios': Character content is not allowed, because the content type is empty. in ive-export.xml on line 15138
Error 1841: Element '{http://xml.juniper.net/ive-sa/7.1R6}netbios': Character content is not allowed, because the content type is empty. in ive-export.xml on line 16725
Error 1841: Element '{http://xml.juniper.net/ive-sa/7.1R6}netbios': Character content is not allowed, because the content type is empty. in ive-export.xml on line 30843
Error 1841: Element '{http://xml.juniper.net/ive-sa/7.1R6}netbios': Character content is not allowed, because the content type is empty. in ive-export.xml on line 33013
Error 1841: Element '{http://xml.juniper.net/ive-sa/7.1R6}netbios': Character content is not allowed, because the content type is empty. in ive-export.xml on line 37442
Error 1841: Element '{http://xml.juniper.net/ive-sa/7.1R6}netbios': Character content is not allowed, because the content type is empty. in ive-export.xml on line 40170

...

Error 1871: Element '{http://xml.juniper.net/ive-sa/7.1R6}configuration': Missing child element(s). Expected is one of ( {http://xml.juniper.net/ive-sa/7.1R6}system, {http://xml.juniper.net/ive-sa/7.1R6}administrators, {http://xml.juniper.net/ive-sa/7.1R6}logical-systems ). in ive-export.xml on line 1

 

 

I wonder if anyone else dug deep into XML configuration importing/exporting and would like to share their experience with me, as our deadline draws near and I wasn't able to get it running as of yet.

 

br

Markus
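
Added example, not part of the original post: a small triage script for a flood of schema errors like the ones quoted above, grouping them by error code, element and attribute so the distinct problems stand out. The sample lines are copied from the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Shape of a libxml2 schema-error line as printed in the post above.
LINE_RE = re.compile(
    r"^Error (?P<code>\d+): Element '\{(?P<ns>[^}]*)\}(?P<elem>[^']+)'"
    r"(?:, attribute '(?P<attr>[^']+)')?: (?P<msg>.*)"
    r" in (?P<file>\S+) on line (?P<line>\d+)$"
)

# Subset of the lines quoted in the post; {NS} stands in for the namespace.
_EMPTY = "Character content is not allowed, because the content type is empty."
SAMPLE = "\n".join([
    "Error 1866: Element '{NS}configuration', attribute 'iveData': The attribute 'iveData' is not allowed. in ive-export.xml on line 1",
    "Error 1866: Element '{NS}configuration', attribute 'saData': The attribute 'saData' is not allowed. in ive-export.xml on line 1",
    "Error 1841: Element '{NS}netbios': " + _EMPTY + " in ive-export.xml on line 15138",
    "Error 1841: Element '{NS}netbios': " + _EMPTY + " in ive-export.xml on line 16725",
    "Error 1841: Element '{NS}netbios': " + _EMPTY + " in ive-export.xml on line 30843",
    "...",
    "Error 1871: Element '{NS}configuration': Missing child element(s). Expected is one of ( {NS}system, {NS}administrators, {NS}logical-systems ). in ive-export.xml on line 1",
]).replace("{NS}", "{http://xml.juniper.net/ive-sa/7.1R6}")

def parse_errors(text):
    """Return (records, unparsed); unparsed keeps lines the regex rejects."""
    records, unparsed = [], []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            unparsed.append(raw)  # never drop unknown lines silently
            continue
        rec = m.groupdict()
        rec["code"], rec["line"] = int(rec["code"]), int(rec["line"])
        records.append(rec)
    return records, unparsed

def summarize(records):
    """Group by (code, element, attribute): (key, count, first, last line)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["code"], r["elem"], r["attr"])].append(r["line"])
    rows = [(k, len(v), min(v), max(v)) for k, v in groups.items()]
    return sorted(rows, key=lambda g: (-g[1], g[0][0], g[0][2] or ""))

if __name__ == "__main__":
    recs, skipped = parse_errors(SAMPLE)
    for (code, elem, attr), n, first, last in summarize(recs):
        print(f"{n:4d}x  error {code}  <{elem}> attr={attr}  lines {first}..{last}")
    print(f"{len(skipped)} line(s) not recognised")
```
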

Contributor
Ray
Posts: 75
Registered: ‎11-12-2007

Re: XML Import/Export flawed? (trying to export from a standalone SA to a virtual system)

I'm not sure what the XML export is for. When we've replaced hardware we were told we did not need it and we didn't. We just imported the Users and System and everything came back.

 

Ray

Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007

Re: XML Import/Export flawed? (trying to export from a standalone SA to a virtual system)

If you are moving a config, don't use XML; it won't move it all (resource profiles, network connect settings, mail proxy settings, certificates, and others as outlined in the release notes & admin guide).

Were you able to successfully move the config with the binary cfg files?