
SRX220's - OSPF interrupted during configuration commit

‎04-07-2016 11:18 AM

We are deploying several hundred SRX220's (v12.1X46-D40.2) out across our enterprise campus which all come back to our central datacenter via VPN. We run OSPF out over the VPN link and basically everything is great. However, we discovered that when committing changes on the 220's it momentarily breaks our OSPF adjacency. So pinging the firewall during a commit yields this:

 

Reply from 172.28.19.51: bytes=32 time=17ms TTL=61
Reply from 172.28.19.51: bytes=32 time=16ms TTL=61
Reply from 172.28.19.51: bytes=32 time=16ms TTL=61
Request timed out.
Reply from 172.28.19.51: bytes=32 time=18ms TTL=61
Request timed out.
Reply from 172.28.19.51: bytes=32 time=17ms TTL=61
Reply from 172.28.19.51: bytes=32 time=18ms TTL=61
Reply from 172.28.19.51: bytes=32 time=17ms TTL=61
Request timed out.
Reply from 172.28.19.51: bytes=32 time=17ms TTL=61
Reply from 172.28.19.51: bytes=32 time=16ms TTL=61
Reply from 172.28.19.51: bytes=32 time=16ms TTL=61
Reply from 172.28.19.51: bytes=32 time=18ms TTL=61
Request timed out.
Request timed out.
Request timed out.
Reply from 172.28.19.51: bytes=32 time=18ms TTL=61
Request timed out.
Reply from 172.28.19.51: bytes=32 time=17ms TTL=61
Reply from 172.28.19.51: bytes=32 time=17ms TTL=61
Reply from 172.28.19.51: bytes=32 time=18ms TTL=61

 

Is this expected? Is there a way to work around it or avoid it altogether?


Re: SRX220's - OSPF interrupted during configuration commit

‎04-08-2016 07:02 AM

Hello,

It looks like You are using very short OSPF timers.

And please post Your sanitized config.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: SRX220's - OSPF interrupted during configuration commit

‎04-08-2016 11:16 AM

For brevity I snipped a bunch of inconsequential stuff out.  Here is the config. Really we are just using defaults for OSPF.

 

netadmin5@1951-BB-Lab> show configuration | no-more    
## Last commit: 2016-04-08 10:42:50 PDT by netadmin1
version 12.1X46-D40.2;
groups {
    default-deny-ping-template {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy allow-icmp {
                        match {
                            source-address any;
                            destination-address any;
                            application junos-icmp-ping;
                        }
                        then {
                            permit;
                        }
                    }
                    policy default-deny {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
apply-groups default-deny-ping-template;
system {
    host-name 1951-BB-Lab;
    domain-name savers.com;
    time-zone America/Los_Angeles;
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    name-server {
        192.0.6.47;
        192.168.32.128;
    }
    tacplus-server {
        10.29.100.3 {
            secret ""; ## SECRET-DATA
            source-address 10.209.51.1;
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    10.29.100.3 {
                        secret ""; ## SECRET-DATA
                        source-address 10.209.51.1;
                    }
                }
            }
        }
    }
    login {
        class Administrator {
            idle-timeout 60;
            permissions all;
        }
        class Config-Reader {
            idle-timeout 5;
            permissions [ view view-configuration ];
        }
        class Operator {
            idle-timeout 5;
            permissions view;
        }
        user remote {
            full-name "Default remote user template";
            uid 100;
            class Operator;
        }
        user remote-extended-ro {
            full-name "Remote users that are read-only but have full view of configuration minus secrets.";
            uid 120;
            class Config-Reader;
        }
        user remote-su {
            full-name "Remote users with super-user privileges";
            uid 110;
            class Administrator;
        }
    }
    services {
        ssh {
            protocol-version v2;
        }
        netconf {
            ssh;
        }
        dhcp {
            pool 10.209.51.0/24 {
                address-range low 10.209.51.200 high 10.209.51.254;
                domain-name savers.com;
                name-server {
                    192.0.6.47;
                    192.168.32.128;
                }
                router {
                    10.209.51.1;
                }
                propagate-settings reth1.200;
            }
            pool 10.229.51.0/24 {
                address-range low 10.229.51.200 high 10.229.51.254;
                name-server {
                    208.67.222.222;
                    8.8.8.8;
                }
                router {
                    10.229.51.1;
                }
                propagate-settings reth1.210;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        host 10.29.100.5 {
            any any;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file denylog {
            any any;
            match default-deny;
        }
        source-address 10.209.51.1;
    }
    max-configurations-on-flash 45;
    max-configuration-rollbacks 45;
    commit synchronize;
    ntp {
        server 192.0.6.47;
        source-address 10.209.51.1;
    }
}
chassis {
    cluster {
        control-link-recovery;
        reth-count 4;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 51;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 55;
                ge-0/0/4 weight 200;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Retail Redundant Link";
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/1 {
        disable;
    }
    ge-0/0/2 {
        disable;
    }
    ge-0/0/3 {
        description "BB/DSL Redundant Link";
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-0/0/4 {
        description "Cradlepoint Redundant Link";
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-3/0/0 {
        description "Retail Redundant Link";
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-3/0/1 {
        disable;
    }
    ge-3/0/2 {
        disable;
    }
    ge-3/0/3 {
        description "BB/DSL Redundant Link";
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-3/0/4 {
        description "Cradlepoint Redundant Link";
        gigether-options {
            redundant-parent reth3;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/5;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-3/0/5;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.28.19.51/32;
            }
        }
    }
    reth1 {
        description "Trunked Interface";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 200 {
            description "Store VLAN 200";
            vlan-id 200;
            family inet {
                address 10.209.51.1/24;
            }
        }
        unit 210 {

            vlan-id 210;
            family inet {
                address 10.229.51.1/24;
            }
        }
    }
    reth2 {

    }
    reth3 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description "Cellular Carrier";
            family inet {
                dhcp;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 172.20.128.10/17;
            }
        }
    }
}
snmp {
	*snip*
}
routing-options {
    graceful-restart;
    static {
        route 0.0.0.0/0 next-hop 192.132.61.121;
    }
    autonomous-system 65001;
}
protocols {
    ospf {
        export Export-OSPF;
        area 0.0.0.0 {
            interface st0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
}
policy-options {
    policy-statement Export-OSPF {
        term ignore {
            from {
                route-filter 192.132.61.120/30 orlonger;
                route-filter 172.20.128.0/17 orlonger;
            }
            then reject;
        }
        term default {
            from protocol direct;
            then accept;
        }
    }
}
security {
		*snip*
    nat {
        source {
            rule-set Outbound {
                from zone Retail;
                to zone Public;
                rule default {
                    match {
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
		*snip*
    }
}

Re: SRX220's - OSPF interrupted during configuration commit

‎04-08-2016 01:32 PM

Hello,

Thanks for posting the config. Is it an SRX220H or SRX220H2?

Thx

Alex

 


Re: SRX220's - OSPF interrupted during configuration commit

‎04-08-2016 02:54 PM

SRX220H2
