SRX Services Gateway

Access denied to do any changes in the firewall.

‎06-10-2020 10:03 AM

The SRX 1500 firewall is not accessible through SSH for any changes, and I also cannot perform any changes through the GUI. The error message is "access denied". I could log in using the root account in the GUI but still can't make any changes, not even reboot the firewall.

 

Network connectivity and traffic are working fine. Kindly help by providing a suggestion. The firewall is a standalone firewall.

4 REPLIES

Re: Access denied to do any changes in the firewall.

‎06-10-2020 10:48 AM

Hi Rakesh,

 

Was there any recent upgrade/change performed on the device?

I found an old discussion about a specific instance; please check whether the conditions apply to you:

https://forums.juniper.net/t5/SRX-Services-Gateway/No-ssh-root-access-after-upgrading-to-JunOs-17-3R...

Hope this helps :)

Please mark "Accepted Solution" if this helps you solve your query.

Kudos are always appreciated


Re: Access denied to do any changes in the firewall.

‎06-10-2020 10:49 AM

Hello Rakesh,

Good day!

Can you please check the following when you log in to the device using the root user:

1. Check the configuration of the login class. Do you have all the necessary privileges configured?
2. Are you using TACACS authentication or only local authentication?
3. Try to re-configure the login class and user credentials on the device and see if you can connect.

Please check the document below for the configuration statements and how to configure access privileges.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-login-class.html

 

This looks like a privilege issue. Also, check the logs to see if you are seeing any issues/errors.

If the logs indicate a missing "empty" directory, create that directory from the shell prompt and try again.

If it still does not work, new SSH host keys might need to be generated. Regenerate the RSA and DSA keys for SSH with the following commands:

> start shell user root
% ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

You will see this message:

Generating public/private dsa key pair.
/etc/ssh/ssh_host_dsa_key already exists.
Overwrite (y/n)? y          <<< answer y to overwrite

% ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y          <<< answer y to overwrite


Regards,
Vishaal

Accept as Solution = cool! (Helps fellow community members with a similar query be redirected here instead of reposting again)
Accept as Solution + Kudo = You are a Star!
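As an added illustration of the privilege check in points 1 and 3 above (this is example configuration written for this page, not something posted in the thread), the following Junos snippet defines a local login class with the permissions needed to enter configuration mode, change system services and commit, and assigns a dedicated non-root user to it. The class name `fw-admin`, the user name `fwadmin`, the uid and the password hash are placeholders chosen here; `root-login deny` is the hardened end state a defender wants once that user is confirmed working, not the recovery step the thread discusses:

```junos
/* Added example, not from the thread: local login class plus a dedicated
   admin user.  Names, uid and the password hash are placeholders. */
system {
    login {
        class fw-admin {
            /* admin-control: change system services such as ssh
               configure + control: enter configuration mode and commit
               maintenance: start a local shell (needed for mkdir / ssh-keygen steps) */
            permissions [ admin-control configure control maintenance security-control system-control view view-configuration ];
        }
        user fwadmin {
            uid 2001;                /* placeholder uid */
            class fw-admin;
            authentication {
                encrypted-password "$PLACEHOLDER-HASH$"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            /* once fwadmin is verified to work, keep root off SSH */
            root-login deny;
            protocol-version v2;
        }
    }
}
```

Load it with `load merge` in configuration mode and `commit`, then log in as the new user and run `show cli authorization` to see the class and effective permissions Junos actually granted; if the login is still rejected, `show log messages | match "sshd|login"` shows the reason, which is where a missing `/var/empty` or a bad host key would also appear.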

Re: Access denied to do any changes in the firewall.

‎06-10-2020 06:15 PM

Hi rakesh_gupta,

Greetings,

I understand that SSH is being denied and the GUI also doesn't seem to work.

Try power-cycling/rebooting the SRX 1500 device again, get access to the GUI/CLI, and then you will have to enable the following:

    set system services ssh root-login allow

You need the admin-control privilege to add this config, so check whether any other user with that privilege or higher can do it, apart from the root user.

 

Hope this helps.

Please mark "Accept as solution" if this answers your query.

Kudos are appreciated too!

Regards,

Sharat Ainapur


Re: Access denied to do any changes in the firewall.

‎06-10-2020 11:27 PM

Hello Rakesh,

Greetings!

I understand that you are not able to access the device via SSH and the GUI also doesn't work.

  • Can you check telnet access to the management interface?
  • Can you check if you have source NAT enabled on the SRX device?

Step 1:

Follow the KB below, which explains why SSH/Telnet does not work on an external interface when source NAT is enabled:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28124&cat=SRX_220&actp=LIST

If you are using source NAT, can you check SSH after configuring the source NAT "off" knob?

security {
    nat {
        source {
            rule-set R1 {
                from zone trust;
                to zone untrust;
                rule r1 {
                    match {
                        destination-address 100.1.1.1/32;
                    }
                    then {
                        source-nat {
                            off;          <<< Use this knob
                        }
                    }
                }
            }
        }
    }
}

 

If the above doesn't work, try to follow the steps below:

Step 2:

The following are some possible troubleshooting steps:

  1. Make sure that SSH or Telnet is configured on the SRX. If not, configure it using the following commands in configuration mode and commit:

     # set system services ssh
     # set system services telnet

  2. Check the log messages for the following error: "empty directory missing in /var".

     If you see this message, create a directory named "empty" using the following commands:

     > start shell user root
     Password: ---enter root password---
     % cd /var
     % mkdir empty

  3. Try again. If it still does not work, new SSH host keys might need to be generated. Regenerate the RSA and DSA keys for SSH with the following commands:

     > start shell user root
     % ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

     You will see this message:

     Generating public/private dsa key pair.
     /etc/ssh/ssh_host_dsa_key already exists.
     Overwrite (y/n)? y          <<< answer y to overwrite

     % ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
     Generating public/private rsa key pair.
     /etc/ssh/ssh_host_rsa_key already exists.
     Overwrite (y/n)? y          <<< answer y to overwrite

If the above doesn't work, try step 3.

 

Step 3:

Try to manually power-cycle the device after taking it out of production.

If none of the 3 steps work, we can investigate further.

 

I hope this helps. Please mark this post "Accept as solution" if this answers your query.

Kudos are always appreciated!

Best Regards,

Lingabasappa H