Junos

Can't SSH to my JuniperSRX320.

03-12-2020 02:05 AM

Hi everyone,

So first of all, I am very new to Juniper... So sorry if this is a rather dumb question. But I am just kind of stuck here.

The case: I have a Juniper SRX320. I reset it to default settings, created a new admin user and set up a password for it.

I connect to the device over a serial cable btw. 

I got a few questions:

1. All ethernet leds are solid green even though there are no cables plugged in, is this normal behaviour for a juniper device?

2. I set up the IP 192.168.2.1/24 on ge-0/0/0 and on my laptop I have 192.168.2.2/24 configured. However, I can't ping from either the laptop or the firewall to each other: "No route to host". When I open Wireshark on my laptop not even a single packet is transmitted over my ethernet interface... Windows actually says no cable attached! I tried the same cable in a different switch and everything works just fine. My question here: could someone point me in the right direction on how to basically set it up so I can just connect to ge-0/0/0 over SSH instead of a serial cable?

3. Is it normal that it takes like 2-5 minutes whenever I commit a change?

My current config:

## Last changed: 2020-03-11 16:28:23 UTC
version 15.1X49-D140.2;
system {
    autoinstallation {
        traceoptions {
            level verbose;
            flag {
                all;
            }
        }
        interfaces {
            ge-0/0/0 {
                bootp;
            }
            ge-0/0/7 {
                bootp;
            }
        }
    }
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        user blabla {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password ""; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        netconf {
            ssh;
        }
        dhcp-local-server {
            group jdhcp-group {
                interface irb.0;
            }
        }
        web-management {
            http {
                interface ge-0/0/0.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    phone-home {
        server https://redirect.juniper.net;
        rfc-compliant;
    }
}
security {
    log {
        mode stream;
        report;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            https;
                            ssh;
                            http;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                dl0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet;
        }
    }
    cl-1/0/0 {
        dialer-options {
            pool 1 priority 100;
        }
    }
    dl0 {
        unit 0 {
            family inet {
                negotiate-address;
            }
            family inet6 {
                negotiate-address;
            }
            dialer-options {
                pool 1;
                always-on;
                dial-string 1234;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
access {
    address-assignment {
        pool junosDHCPPool {
            family inet {
                network 192.168.1.0/24;
                range junosRange {
                    low 192.168.1.2;
                    high 192.168.1.254;
                }
                dhcp-attributes {
                    router {
                        192.168.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}
9 replies

Re: Can't SSH to my JuniperSRX320.

03-12-2020 02:23 AM

Hi Kasperb,

I hope you are doing great!


1. All ethernet leds are solid green even though there are no cables plugged in, is this normal behaviour for a juniper device?

That is not normal.

Can you please configure the following command?

set security forwarding-options family mpls mode packet-based

After you commit this you will need to reboot the box. Once it comes up, try to SSH again. If you are able to SSH, then I would say that there is a problem with the trusted zone configuration; please make sure that the interface where the laptop is connected is in a trusted zone. From your configuration I noticed that ge-0/0/0 is not in a trusted zone.

On this KB you will find everything you need to know regarding security zones and how to configure them:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16556&actp=METADATA

If you need anything else, please let me know!

If this solves your problem, please mark this post as "Accepted Solution". Pura vida 😄

Warm regards,

Pablo Restrepo -

Re: Can't SSH to my JuniperSRX320.

03-12-2020 02:32 AM

Hi Pablo,

Thanks for your quick response!

When I try to run the command you provided, I get the following error message:

commit
[edit security forwarding-options family mpls mode]
  'mode packet-based'
    MPLS mode packet-based not allowed when [security policies] are configured.
error: commit failed: (statements constraint check failed)

Should ge-0/0/0 normally be in a trusted zone? If so, I'll try and configure that.

Re: Can't SSH to my JuniperSRX320.

03-12-2020 02:34 AM

Also, another issue: when I run

run show interfaces terse

Interface               Admin Link Proto    Local                 Remote
dl0                     up    up
dl0.0                   up    up   inet
                                   inet6
fxp2                    up    down
fxp2.0                  up    down tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
irb.0                   up    down inet     192.168.1.1/24
jsrv                    up    up
jsrv.1                  up    up   inet     128.0.0.127/2
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

I don't see my ge-0/0/0 interface?

Re: Can't SSH to my JuniperSRX320.

03-12-2020 03:05 AM

Looks like the FPC is not online for some reason. Please provide the output of the commands mentioned below:

show version

show system uptime

show chassis alarm

show system core-dump

show chassis fpc pic-status

show chassis fpc detail

show chassis routing-engine

show system process summary

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: Can't SSH to my JuniperSRX320.

03-12-2020 05:31 AM

Hello,

Output of the commands:

show version

Model: srx320
Junos: 15.1X49-D140.2
JUNOS Software Release [15.1X49-D140.2]

show system uptime

Current time: 2020-03-12 12:30:07 UTC
Time Source:  LOCAL CLOCK
System booted: 2020-03-12 09:56:14 UTC (02:33:53 ago)
Protocols started: 2020-03-12 09:56:14 UTC (02:33:53 ago)
Last configured: 2020-03-12 09:49:30 UTC (02:40:37 ago) by wifinity
12:30PM  up 2:34, 1 user, load averages: 7.94, 8.65, 9.02

show chassis alarm

No alarms currently active

show system core-dump

/var/crash/*core*: No such file or directory
-rw-rw----  1 root  wheel   22757805 Nov 9  04:15 /var/tmp/flowd_octeon_hm.core-tarball.1.tgz
-rw-rw----  1 root  wheel   52216659 Nov 9  04:21 /var/tmp/flowd_octeon_hm.core-tarball.2.tgz
-rw-rw----  1 root  wheel   13441449 Nov 9  04:23 /var/tmp/flowd_octeon_hm.core-tarball.3.tgz
-rw-rw----  1 root  wheel   16612688 Mar 12 12:30 /var/tmp/flowd_octeon_hm.core-tarball.4.tgz
-rw-rw----  1 root  wheel   54575394 Nov 9  04:11 /var/tmp/flowd_octeon_hm.core.0.gz
-rw-rw----  1 root  wheel   54575088 Nov 9  05:48 /var/tmp/flowd_octeon_hm.core.1.gz
-rw-rw----  1 root  wheel   54579041 Nov 21 11:57 /var/tmp/flowd_octeon_hm.core.2.gz
-rw-rw----  1 root  wheel   13467658 Nov 21 13:48 /var/tmp/flowd_octeon_hm.core.3.gz
-rw-rw----  1 root  wheel   29097994 Mar 12 12:30 /var/tmp/flowd_octeon_hm.core.4.gz
/var/tmp/pics/*core*: No such file or directory
/var/crash/kernel.*: No such file or directory
/var/jails/rest-api/tmp/*core*: No such file or directory
/tftpboot/corefiles/*core*: No such file or directory
total files: 9

show chassis fpc pic-status

Slot 0   Present      FPC

show chassis fpc detail

Slot 0 information:
  State                               Present
  Total CPU DRAM                      ---- CPU less FPC ----

show chassis routing-engine

Routing Engine status:
    Temperature                 34 degrees C / 93 degrees F
    CPU temperature             55 degrees C / 131 degrees F
    Total memory              4096 MB Max   778 MB used ( 19 percent)
      Control plane memory    2624 MB Max   787 MB used ( 30 percent)
      Data plane memory       1472 MB Max     0 MB used (  0 percent)
    5 sec CPU utilization:
      User                       5 percent
      Background                 0 percent
      Kernel                    83 percent
      Interrupt                  0 percent
      Idle                      12 percent
    Model                          RE-SRX320
    Serial ID                      CW2716AF0335
    Start time                     2020-03-12 09:56:14 UTC
    Uptime                         2 hours, 35 minutes, 42 seconds
    Last reboot reason             0x200:normal shutdown
    Load averages:                 1 minute   5 minute  15 minute
                                       9.47       9.06       9.14

show system process summary

show system processes summary
last pid:  7994;  load averages: 11.69,  9.61,  9.33  up 0+02:36:37    12:32:21
169 processes: 17 running, 138 sleeping, 2 stopped, 12 waiting

Mem: 358M Active, 233M Inact, 1562M Wired, 349M Cache, 112M Buf, 1476M Free
Swap:


  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
   20 root        1 171   52     0K    16K CPU1   1 155:27 93.21% idle: cpu1
 7892 root        3 139    0  1557M   483M RUN    0   0:28 83.45% flowd_octeon_hm
Re: Can't SSH to my JuniperSRX320.

03-12-2020 11:49 AM

Hello Kasperb,

There are definitely no dumb questions here man, don't be hard on yourself 🙂

For your questions and latest findings (hope it helps):

1. All ethernet leds are solid green even though there are no cables plugged in, is this normal behaviour for a juniper device?

Not normal, they should light up only with cables connected. You may like to test the latest recommended release, Junos 18.2R3-S2, if you can. If not, try loading up the default configuration.

The SSH connectivity problem is indeed related to the fact that ge-0/0/0 is not showing up, hence the connection will not be successful.

What is the operational status of ge-0/0/0? You must ensure ge-0/0/0 is up and operational. If you keep having issues with the ports, something may be wrong with the chassis; I would start by setting up the default configuration and starting from scratch.

> show interfaces extensive ge-0/0/0

You can set the SRX to packet mode, which is going to remove the flow-based features and leave the SRX as a simple router, as Pablo88020 mentioned, but you will need to remove the configuration of zones and other firewall-related configuration or you won't be able to commit the changes. This can be a nice test: check if the interfaces appear after the required reboot.

3. Is it normal that it takes like 2-5 minutes whenever I commit a change?

In my experience, the SRX firewalls take a lot of time committing changes in flow-based mode, so no worries; 5 minutes may be the worst-case delay for a commit on an SRX for me. If you are curious why the commit takes that much time, use the detail option when committing:

# commit | display detail

To load factory settings use the following process:

  1. Type the load factory-default command:
root@host# load factory-default
  2. Use the set system root-authentication plain-text-password command to set a new root password for the device:
root@host# set system root-authentication plain-text-password
  3. Type the root password and retype it to confirm it:
New password:
Retype new password:

Caution: Prior to committing the changes, if an IP address is not assigned for the "ge-0/0/0" interface, create a local user account and type the routing information, either via the CLI configuration or DHCP. The SRX device will no longer be remotely accessible.

To manage the SRX device, you must connect a PC or laptop to the physical console or attach the PC or laptop to a subnet that is directly connected to the ge-0/0/0 interface, which is assigned an IP address of "192.168.2.1."

  4. Use the commit and-quit command to commit the configuration and exit configuration mode, if the configuration contains no errors and the commit is successful:
root@host# commit and-quit

I hope I helped you.

Cheers,

Benjamin

Re: Can't SSH to my JuniperSRX320.

03-12-2020 09:06 PM

Thanks for the outputs. The FPC (PFE) is not online because of the flowd core dump. You may remove all the configuration except root authentication and check the status of the FPC and flowd core. The FPC status should be online and no new core should be created. If not, you may need to contact JTAC for further assistance.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
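The diagnosis above boils down to three things to check in the CLI output already quoted in this thread: no ge- interfaces in "show interfaces terse", the FPC reported as Present rather than Online in "show chassis fpc pic-status", and a fresh flowd core in "show system core-dump". This added example (not Juniper tooling, and not from anyone in this thread) parses captured text of those three commands and reports those symptoms; the samples are constructed, abridged from the outputs posted above, and the capture date is an assumption taken from the thread.

```python
import re
from datetime import date

# Constructed samples, abridged from the CLI output quoted in this thread.
TERSE = """\
Interface               Admin Link Proto    Local                 Remote
dl0                     up    up
irb.0                   up    down inet     192.168.1.1/24
lo0                     up    up
"""
PIC_STATUS = "Slot 0   Present      FPC\n"
CORE_DUMP = """\
/var/crash/*core*: No such file or directory
-rw-rw----  1 root  wheel   54575394 Nov 9  04:11 /var/tmp/flowd_octeon_hm.core.0.gz
-rw-rw----  1 root  wheel   29097994 Mar 12 12:30 /var/tmp/flowd_octeon_hm.core.4.gz
total files: 2
"""
SAMPLE_DATE = date(2020, 3, 12)  # assumed capture day, per the post dates above

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# ls-style line: perms links user group size Mon D HH:MM path (flowd paths only)
CORE_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+(\w{3})\s+(\d+)\s+\S+\s+(\S*flowd\S*)$", re.M)

def physical_ge_interfaces(terse):
    """Physical ge-x/y/z names (no .unit suffix) listed by 'show interfaces terse'."""
    return [m.group(1) for m in re.finditer(r"^(ge-\d+/\d+/\d+)\s", terse, re.M)]

def fpc_states(pic_status):
    """Map FPC slot -> state word from 'show chassis fpc pic-status' (Online is healthy)."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^Slot (\d+)\s+(\S+)", pic_status, re.M)}

def flowd_cores(core_dump, today):
    """(date, path) per flowd core; the listing has no year, so a future month/day means last year."""
    cores = []
    for m in CORE_RE.finditer(core_dump):
        d = date(today.year, MONTHS[m.group(1)], int(m.group(2)))
        if d > today:
            d = d.replace(year=today.year - 1)
        cores.append((d, m.group(3)))
    return cores

def findings(terse, pic_status, core_dump, today):
    """Return the symptoms from this thread that the captured output exhibits."""
    found = []
    if not physical_ge_interfaces(terse):
        found.append("no ge- interfaces listed: the PFE is not bringing up the ports")
    for slot, state in fpc_states(pic_status).items():
        if state != "Online":
            found.append(f"FPC slot {slot} is {state}, expected Online")
    fresh = [p for d, p in flowd_cores(core_dump, today) if (today - d).days <= 1]
    if fresh:
        found.append("flowd core written in the last day: " + ", ".join(fresh))
    return found
```

Running `findings(TERSE, PIC_STATUS, CORE_DUMP, SAMPLE_DATE)` on the embedded samples returns all three warnings; on a healthy box (ge- ports listed, slot Online, no recent core) it returns an empty list.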
Re: Can't SSH to my JuniperSRX320.

03-13-2020 02:58 AM

Hi Benjamin,

Thanks for the extensive answer! I actually just performed a factory-default and after that the ethernet port LEDs were green. So I guess there is something wrong with the FW itself.

I'll try and upgrade to a new version of Junos and come back to you!

Re: Can't SSH to my JuniperSRX320.

03-25-2020 02:33 PM

I had the same issue with a bunch of SRX300 where all the LEDs are green even though nothing is connected to them. I usually reboot the SRX to recover.

If all the LEDs are green, none of the ge- interfaces show up using "show interfaces terse".