Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.

Junos Space Security Director Sync Error

  • 1.  Junos Space Security Director Sync Error

    Posted 04-08-2020 02:41

    Hello,

    Synchronizing with the SRX results in the following errors:

     

    Error while reading config from device: Device
    Operational RPC Command Results
    Unable to establish connection with the device (Device Id: device_id). because all channels&n

     

    Does anyone know what it could be?



  • 2.  RE: Junos Space Security Director Sync Error

    Posted 04-08-2020 03:09

    Hello,

     

    As per the error it looks like Space SD is unable to establish connectivity with the Device/SRX.

    It is not able to fetch the RPC from the device; it seems like the NETCONF channel is broken.

     

    Have you recently modified the USER credentials on DEVICE with which you are managing it from Space /SD?

     

    Please test the following:

    • Is the device showing connection status as UP or DOWN in the Device Management page?
    • What is the Configuration Status: InSync, Out Of Sync, or Sync Failed?

     

    Better to log a JTAC case to assist you in this regard.

     



  • 4.  RE: Junos Space Security Director Sync Error

    Posted 04-08-2020 03:18

    Device is displayed as up

    Configuration Status: Out Of Sync

     



  • 5.  RE: Junos Space Security Director Sync Error

    Posted 04-08-2020 03:31
    If the Device is UP then SSH connectivity between Space and Device is working fine.


    Error : Unable to establish connection with the device (Device Id: device_id). because all channels&n
    If Resync is not working with the error "because all channels (NETCONF) are busy", then it looks like the device is not letting Space establish a NETCONF channel to do the RPC polling to bring the device in sync.

    This happens when all the default 32 channels given in the SRX are busy and the existing sessions are not closed.

    I suggest logging an SRX ticket as well as a Space ticket for this issue.
    In SRX as well, this was a software version bug. Better to involve TAC to investigate the logs and apply the workaround.

    From the Space end, there is a related PR for this issue (confidential PR), which states to disable SD Device Monitoring and then restart the JBoss service. But better not to do it without JTAC assistance.


  • 6.  RE: Junos Space Security Director Sync Error

    Posted 04-08-2020 03:52

    I can reach the SRX via SSH from the Space CLI without problems.



  • 8.  RE: Junos Space Security Director Sync Error

    Posted 04-08-2020 04:04

    Hi,

     

    Space doesn’t do simple ssh to connect to Device.

    It does ssh over netconf channel.

     

    Test with the following, and run the RPC command below from the Space CLI:

     

    ssh <Device-Username>@<Device-IP> -s netconf

     

    <rpc><get-interface-information/></rpc><rpc><close-session/></rpc>

     

    eg.:

    [root@space-005056a9fa63 ~]# ssh labroot@10.2.3.4 -s netconf
    Password:
    <!-- No zombies were killed during the creation of this user interface -->
    <!-- user root, class super-user -->
    <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <capabilities>
        <capability>urn:ietf:params:netconf:base:1.0</capability>
        <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
        <capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</capability>
        <capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
        <capability>urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
        <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
        <capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
        <capability>http://xml.juniper.net/netconf/junos/1.0</capability>
        <capability>http://xml.juniper.net/dmi/system/1.0</capability>
      </capabilities>
      <session-id>259</session-id>
    </hello>
    ]]>]]>
    <rpc><get-interface-information/></rpc><rpc><close-session/></rpc>

     

    ## This command will fetch the RPC output for Interface info from Device.

     

    If this works then please engage Space JTAC to manually bring the device down from Database and allow the Netconf channel to reestablish between Space and the Device.
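
The manual test in this post, as an added example that is not part of the original thread: Python code that splits a captured `ssh ... -s netconf` session on the `]]>]]>` marker, reads the session-id and capabilities from the device's `<hello>`, and builds the client side with every message framed. The sample transcript, the client `<hello>`, the `message-id` values and all function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
JUNOS_CAP = "http://xml.juniper.net/netconf/junos/1.0"
EOM = "]]>]]>"  # end-of-message marker seen after </hello> in the transcript
# Constructed sample: shortened device output modelled on the transcript above.
SAMPLE = f"""<!-- user labroot, class super-user -->
<hello xmlns="{NS}">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>{JUNOS_CAP}</capability>
  </capabilities>
  <session-id>259</session-id>
</hello>
{EOM}
<rpc-reply xmlns="{NS}" message-id="1"><interface-information/></rpc-reply>
{EOM}
"""

def split_messages(stream):  # complete messages only; trailing text is partial
    return [p.strip() for p in stream.split(EOM)[:-1] if p.strip()]

def parse_hello(message):
    """Extract (session_id, capabilities) from the device's <hello>."""
    root = ET.fromstring(message)
    if root.tag != f"{{{NS}}}hello":
        raise ValueError("first message is not a NETCONF <hello>")
    caps = [c.text.strip() for c in root.iter(f"{{{NS}}}capability") if c.text]
    return int(root.findtext(f"{{{NS}}}session-id")), caps

def client_messages():
    """Client <hello> plus the two RPCs from the post, each framed with EOM."""
    base = "<capability>urn:ietf:params:netconf:base:1.0</capability>"
    msgs = [f'<hello xmlns="{NS}"><capabilities>{base}</capabilities></hello>',
            '<rpc message-id="1"><get-interface-information/></rpc>',
            '<rpc message-id="2"><close-session/></rpc>']
    return "".join(m + "\n" + EOM + "\n" for m in msgs)

def summarize(stream):
    """Health summary of a captured session: did the channel really open?"""
    msgs = split_messages(stream)
    if not msgs:
        raise ValueError("no complete NETCONF message received")
    session_id, caps = parse_hello(msgs[0])
    replies = [ET.fromstring(m) for m in msgs[1:]]
    errors = sum(1 for r in replies if r.find(f"{{{NS}}}rpc-error") is not None)
    return {"session_id": session_id, "junos": JUNOS_CAP in caps,
            "replies": len(replies), "rpc_errors": errors}

print(summarize(SAMPLE))
```

A capture that ends before the first `]]>]]>` raises `ValueError`, which separates "SSH login worked" from "a NETCONF channel was actually granted".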

     



  • 9.  RE: Junos Space Security Director Sync Error

     
    Posted 04-08-2020 04:32

    Hi,

     

    It seems you are getting the "all channels are busy" error during sync; this is because all the channels are already occupied and no new channel is available to get the configuration.

    On the SRX CLI, please check:

     

    show configuration system services ssh 

     

    It should have:

    set system services ssh max-sessions-per-connection 32

     

    -PL



  • 10.  RE: Junos Space Security Director Sync Error

     
    Posted 04-08-2020 04:34

    And this is mostly an SRX code issue where the SRX is not able to close the connection/channels.

    I think it is fixed in 15.1X49-D200.

    Please raise a case with SRX JTAC and confirm.

     

    -PL



  • 11.  RE: Junos Space Security Director Sync Error

    Posted 04-08-2020 23:48

    Hello,
    I restarted the management server and it's working again.



  • 12.  RE: Junos Space Security Director Sync Error

     
    Posted 04-08-2020 23:55
    Glad to know that the issue is resolved now, but it may come again if you were getting “all channels are busy”.
    I think after rebooting the management box (Junos Space), some of the channels used by JSpace were closed, and that’s why it is not showing that issue now.

    Thank you.

    Regards,
    PL


  • 13.  RE: Junos Space Security Director Sync Error

    Posted 04-08-2020 23:58
    It's good to know that, but I will recommend getting this checked by the SRX TAC. The issue may re-occur as well.