Month: December 2015

dst-port error in NSM

Nils Magnus EliassenLeave a comment

I got a new error while updating a SRX650 from the Juniper Network and Security Manager. The error started after I upgraded the SRX650 to 12.1X47-D30. The error I got is shown below:

Error Code: 

Error Text:
   Update fails UpdateDevice Results
sanityCheckCmd Success.
lock Success.
GenerateEditConfig Failed .
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X47/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <rpc-error>
      <error-severity>error</error-severity>
      <error-info>
         <bad-element>dst-port</bad-element>
      </error-info>
      <error-message>syntax error</error-message>
   </rpc-error>
   <rpc-error>
      <error-severity>error</error-severity>
      <error-info>
         <bad-element>dst-port</bad-element>
      </error-info>
      <error-message>syntax error</error-message>
   </rpc-error>
</rpc-reply>


unlock  Success .


Error Details:
   

Logs:
<configuration>
  <version>12.1X47-D25.4</version>
  <system>
    <host-name>casur-srx650-cluster</host-name>
  </system>
  <security>
    <nat>
      <destination>
        <rule-set>
          <name>ca-camera</name>
          <rule>
            <name>camera-01-8200</name>
            <dest-nat-rule-match>
              <destination-port operation="delete">
                <name>8200</name>
              </destination-port>
              <destination-port operation="create">
                <dst-port>8200</dst-port>
              </destination-port>
            </dest-nat-rule-match>
          </rule>
        </rule-set>
      </destination>
    </nat>
  </security>
</configuration>

It’s saying that the destination nat section has problems setting the dst-port. For some reason it was deleting the value and creating it with a new command (dst-port).

I then checked the supported Junos versions on the NSM and I discovered that the last supported version was 12.1X47-D25. Did the downgrade and updated the OS in the NSM. Still the same error as before.

Spoke to JTAC and they informed me that this error was known and that it would help downgrading to D15. This was due to a changed command in Junos. I downgraded to D15 but still the same issue. Researched a bit myself and discovered that it was introduced between X46 and X47.

Earlier it had not been possible to downgrade the versions in NSM. But for some reason I was able to do it now. First from D30 to D25, and after that from X47D15 to X46D40. When I reached  X46D40 I was able to run the update and everything was working.

Advertisement

1121 not registering to WLC

Nils Magnus EliassenLeave a comment

I was converting AP’s from Autonomous to Lightweight AP’s yesterday when I ran into issues with a couple of old 1121G. I only saw the AP register to the controller for 3-4 seconds before it disconnected. While pinging the AP it responded for 1 minute before it did go into a reboot.

I then logged into the WLC to do a debug. I used the following debug command:

(Cisco Controller) >debug capwap errors enable

The output from this repeated itself every time the AP was up and running.

Dec 03 11:26:02.616: 00:1e:4a:a8:b1:88 Join Priority Processing status = 0, Incoming Ap's Priority 0, MaxLrads = 100,joined Aps =1
*spamApTask0: Dec 03 11:26:12.645: Could not find BoardDataPayload
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Refusing image download to AP 00:1e:4a:a8:b1:88 - unable to open image file /bsn/ap//c1100
 Error:No such file or directory(2)
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Number of open file descriptors for spam process is: 97
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Decoding of Image Data failed from AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:20.733: Unable to find deleted AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:20.733: 00:1e:4a:a8:b1:88 Join Priority Processing status = 0, Incoming Ap's Priority 0, MaxLrads = 100,joined Aps =1
*spamReceiveTask: Dec 03 11:26:32.658: b4:b6:76:c3:56:db Unable to get RadId. Sending of PMK cache entry to all APs in flexconnect group failed :: bssid 00:00:00:00:00:00

Security processing of Image Data failed for AP was a message in the output that I thought was strange and also other references to the image. I then checked the Cisco Wireless Controller Compability Matrix, to my dissapointment the AP was no longer supported. It ended up with a long and slow process of having one of the local guys in Chile downgrading from Controllerbased AP to a Standalone….