Management

Security director no longer communicating with SRX

‎06-06-2019 02:30 PM
Hi,

Got an unusual problem with security director; been using it for a few months now and it’s great. However, today I decided to tweak a rule on the SRX directly and the director lost sync with the device.

So I logged into Security Director and pushed out the policy and it wouldn’t complete ... I tried to resynchronize with the device - wouldn’t work.

So I deleted the device from Security Director to try and re-add it to Security Director - it won’t see the device.

I SSH onto Security Director and try to ping the device ... won’t reply - but I open an SSH session to the SRX directly and look at the security flow session - it shows the connection ... a rule that allows it also, but a ping won’t work. Security Director to my other devices works fine.

It is almost like Security Director still has it in its database but it has been deleted in the front end, so the connection is corrupted? Is there any way to troubleshoot this?

I know 100% that Security Director and the SRX were working fine and now they won’t communicate ... I can see the communications flowing between them, but whatever I do now, Security Director is not happy. The rules are still in place and the rule I added directly was unrelated to the zones in question.

Thanks

Re: Security director no longer communicating with SRX

‎06-08-2019 12:49 AM
Little update to this - still not working

I have restarted all the services in Junos Space and rebooted the whole appliance.

I have rebooted the SRX involved.

I have opened the firewall rules to allow anything to these devices.

I SSH onto Junos Space - ping the SRX (times out) ... at the same time I am running show security session on the SRX and can see this traffic coming in / out to form a TCP connection. It’s like the SRX is happy with the traffic but Junos Space is not happy with the reply?

Any ideas?

Re: Security director no longer communicating with SRX

‎06-08-2019 12:50 AM
When I run device discovery in Security Director, I take off ping and SNMP as they just fail.

Then when I run it, it says device discovered successfully ... pauses to test SSH and says connection failed - device might not be reachable.

But on the SRX in question I can see that traffic being allowed into the device.

Re: Security director no longer communicating with SRX

‎06-08-2019 02:28 AM

I SSH onto Junos Space - ping the SRX (times out) ... at the same time I am running show security session on the SRX and can see this traffic coming in / out to form a TCP connection. It’s like the SRX is happy with the traffic but Junos Space is not happy with the reply?


Based on this the issue is likely some configuration on the SRX itself.

How are you looking at the access on the SRX side?

What is the security zone and the host inbound traffic settings for that zone?

Do you have any junos-host zone policies on the SRX?

Are there any firewall filters applied on the SRX?


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Security director no longer communicating with SRX

‎06-08-2019 05:49 AM
Thanks - just to be clear, this was being managed just fine with Security Director.

Then I added a zone to new interfaces on the device with a permit any any and then tried to resynchronise it with Security Director.

So essentially I have logged onto the SRX directly, made some changes and then tried to get Security Director to see these new changes, and it’s crashed out.

I’ve since undone those changes and Security Director still won’t manage the device.

Re: Security director no longer communicating with SRX

‎06-08-2019 03:20 PM
Just been on with TAC support - this one is really strange.

Installed a new Junos Space and still not working, so it must be something wrong with communications to the SRX.

Can see from show commands on the SRX that it gets the traffic and responds.

From the SRX I can ping the Junos Space default gateway but not the appliance itself.

Rules are in place to allow all of this, but I just can’t get Junos Space to see this traffic.

Any help appreciated.

Re: Security director no longer communicating with SRX

‎06-08-2019 09:48 PM
Try stopping iptables on Junos Space: service iptables stop
Can you ping the SRX from Space?
Check if the SRX has an outbound-ssh command in it.


Regards,
PL
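Before stopping iptables outright, a defender would usually want to see which host-firewall rule on the Space appliance is eating the SRX's replies. The script below is an added example, not from this thread or from Juniper: it parses `iptables -L INPUT -n -v` output and reports DROP/REJECT rules (and the chain's default policy) whose counters are ticking for a given SRX address. The iptables output and the address 192.0.2.10 are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n -v` on a Junos Space appliance.
# 192.0.2.10 stands in for the SRX management address (hypothetical).
SAMPLE='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842   61K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   57  3420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  316   25K DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0'

# blocking_rules <srx_ip>: reads iptables -L -n -v output on stdin and prints
# every DROP/REJECT rule whose source column covers the SRX (exact host or
# 0.0.0.0/0), together with its packet counter. A non-zero counter on such a
# rule is the signal that the SRX's replies are being discarded locally.
blocking_rules() {
    awk -v ip="$1" '
        NR > 2 && ($3 == "DROP" || $3 == "REJECT") &&
        ($8 == ip || $8 == "0.0.0.0/0") { print $3, "src=" $8, "pkts=" $1 }
    '
}

# chain_policy: prints the chain default policy and how many packets fell
# through to it (from the "Chain INPUT (policy DROP N packets ...)" header).
# A DROP policy with a rising count means traffic no explicit rule matched,
# e.g. ICMP echo replies, is being dropped silently.
chain_policy() {
    awk 'NR == 1 { print $4, $5 }'
}

# Stand-alone run against the constructed sample. On a live appliance you
# would pipe the real output instead:
#   iptables -L INPUT -n -v | blocking_rules <srx-ip>
printf '%s\n' "$SAMPLE" | blocking_rules 192.0.2.10
printf 'INPUT default policy and unmatched packets: %s\n' \
    "$(printf '%s\n' "$SAMPLE" | chain_policy)"
```

Once the offending rule is identified, the lasting fix is to correct that rule (or the Space firewall configuration that generates it) rather than leaving the host firewall stopped.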

Re: Security director no longer communicating with SRX

‎06-09-2019 03:42 AM
So weird - started and stopped iptables and no problems now.

Thanks

Re: Security director no longer communicating with SRX

‎06-09-2019 04:01 AM
So iptables solved the issue?

Regards,
Pravin

Re: Security director no longer communicating with SRX

‎06-09-2019 04:13 AM
So I wonder why the reboot did not clear this originally then.
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home