Bandwidth limiter in Junos

Today I had to limit an internet connection at one of the sites of the company I work for. The internet connection is mainly used for guest access and backup, since the main traffic travels over an MPLS connection. The same internet connection was going to be used for a VPN tunnel towards a supplier that has a VPN device behind my SRX240. Since this location is in the middle of nowhere, it's limited to a 1 Mbps SDSL connection. The issue is that there is no bandwidth left for the external VPN when guest users are using the connection.

I have added the main information regarding the configuration below:
Guest subnet: 192.168.200.0/26
Guest interface: vlan.20

The first step is to define the policer. Since I want to keep some bandwidth for the VPN, I limit the 1 Mbps to 800 kbps. As you can see from the text below, the abbreviation for kbps is k. You can specify a value in bits per second either as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). You can also specify a value in cells per second by entering a decimal number followed by the abbreviation c; values expressed in cells per second are converted to bits per second using the formula 1 cps = 384 bps. The value can be any positive integer. In this example it's set to 800k.

set firewall policer policer-800k if-exceeding bandwidth-limit 800k
set firewall policer policer-800k if-exceeding burst-size-limit 625k
set firewall policer policer-800k then discard

The next part is to set up the filter itself. Here I want to configure the same speed limit for both upstream and downstream traffic. You can create different limits for the two directions if you want to, but in this example I use the same speed both ways. At the end of the filter I have an accept-all term to let the remaining traffic through the interface. I did not need that in this example, but I like to make sure I don't block anything that I shouldn't.

set firewall filter meeting-limit term from-meeting from source-address 192.168.200.0/26
set firewall filter meeting-limit term from-meeting then policer policer-800k
set firewall filter meeting-limit term from-meeting then accept
set firewall filter meeting-limit term to-meeting from destination-address 192.168.200.0/26
set firewall filter meeting-limit term to-meeting then policer policer-800k
set firewall filter meeting-limit term to-meeting then accept
set firewall filter meeting-limit term accept then accept

Finally we have to apply the filter to an interface, both inbound and outbound. The best practice is to only do this on the inbound side so you don't process traffic that you are going to discard anyway. In my case I had some issues with that. If I had filtered the traffic from the internet towards the 192.168.200.0/26 network on the outside, I wouldn't have filtered anything. The reason is that the traffic I would see there carries the NAT'ed address, so the destination address would be my public IP. When I filter the outbound traffic on the VLAN interface, after it has come back through NAT, it has the correct IP and I can filter it.

set interfaces vlan unit 20 description meetingroom
set interfaces vlan unit 20 family inet filter input meeting-limit
set interfaces vlan unit 20 family inet filter output meeting-limit
set interfaces vlan unit 20 family inet address 192.168.200.1/26
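As an added example (not from the original post, and not Juniper's code), here is a small Python script that generates the three steps above as set commands. It parses bandwidth values the way the post describes them (k/m/g suffixes, and c for cells per second at 384 bps per cell), refuses a policer rate above the link rate (such a policer would never discard anything), and reports how much of the link is left for the VPN. The function names, the guest-limit filter and term names, and the 1 Mbps link rate are this example's own assumptions.

```python
"""Generate the Junos policer/filter/interface 'set' commands from the steps
in the post. Added example, not code from the post or from Juniper."""
import re

SUFFIX_BPS = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
BPS_PER_CELL = 384  # 1 cps = 384 bps, as stated in the post


def parse_bandwidth(value):
    """Bits per second for a Junos bandwidth value such as '800k', '1m',
    '1500000' or '2c'. Anything else raises ValueError."""
    m = re.fullmatch(r"(\d+)([kmgc]?)", value.strip().lower())
    if not m:
        raise ValueError(f"invalid Junos bandwidth value: {value!r}")
    number, suffix = int(m.group(1)), m.group(2)
    if number <= 0:
        raise ValueError("bandwidth must be a positive integer")
    if suffix == "c":
        return number * BPS_PER_CELL
    return number * SUFFIX_BPS[suffix]


def exceeds_link(policer_limit, link_bps):
    """True when the policer rate is above the physical link rate."""
    return parse_bandwidth(policer_limit) > link_bps


def headroom_bps(policer_limit, link_bps):
    """Bandwidth left over for other traffic (the VPN in the post)."""
    return link_bps - parse_bandwidth(policer_limit)


def limiter_config(subnet, vlan_unit, policer_limit, burst, link_bps,
                   filter_name="guest-limit"):
    """Return the 'set' commands for a policer, a two-direction filter that
    sends traffic to and from `subnet` through it, and the VLAN interface
    that applies the filter both inbound and outbound (as the post does,
    because the return traffic only carries the inside address after NAT)."""
    if exceeds_link(policer_limit, link_bps):
        raise ValueError(
            f"policer {policer_limit} exceeds the {link_bps} bps link; it would never discard")
    policer = f"policer-{policer_limit}"
    term = f"set firewall filter {filter_name} term"
    return [
        f"set firewall policer {policer} if-exceeding bandwidth-limit {policer_limit}",
        f"set firewall policer {policer} if-exceeding burst-size-limit {burst}",
        f"set firewall policer {policer} then discard",
        f"{term} from-guest from source-address {subnet}",
        f"{term} from-guest then policer {policer}",
        f"{term} from-guest then accept",
        f"{term} to-guest from destination-address {subnet}",
        f"{term} to-guest then policer {policer}",
        f"{term} to-guest then accept",
        f"{term} accept then accept",
        f"set interfaces vlan unit {vlan_unit} family inet filter input {filter_name}",
        f"set interfaces vlan unit {vlan_unit} family inet filter output {filter_name}",
    ]


if __name__ == "__main__":
    # Constructed values matching the post: 1 Mbps SDSL, 800k policer, guest VLAN 20.
    for line in limiter_config("192.168.200.0/26", 20, "800k", "625k", 1_000_000):
        print(line)
    print(f"# left for the VPN: {headroom_bps('800k', 1_000_000)} bps")
```

The burst-size-limit is passed through untouched because it is a byte count, not a rate; the only value the script checks is the bandwidth-limit against the link.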

The configuration should in the end look something like this:

firewall {
    policer policer-800k {
        if-exceeding {
            bandwidth-limit 800k;
            burst-size-limit 625k;
        }
        then discard;
    }
    filter meeting-limit {
        term from-meeting {
            from {
                source-address {
                    192.168.200.0/26;
                }
            }
            then {
                policer policer-800k;
                accept;
            }
        }
        term to-meeting {
            from {
                destination-address {
                    192.168.200.0/26;
                }
            }
            then {
                policer policer-800k;
                accept;
            }
        }
        term accept {
            then accept;
        }
    }
}

interfaces {
    vlan {
        unit 20 {
            description meetingroom;
            family inet {
                filter {
                    input meeting-limit;
                    output meeting-limit;
                }
                address 192.168.200.1/26;
            }
        }
    }
}

As a reference I used KB28161


dst-port error in NSM

I got a new error while updating an SRX650 from Juniper Network and Security Manager (NSM). The error started after I upgraded the SRX650 to 12.1X47-D30. The error I got is shown below:

Error Code: 

Error Text:
   Update fails UpdateDevice Results
sanityCheckCmd Success.
lock Success.
GenerateEditConfig Failed .
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X47/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <rpc-error>
      <error-severity>error</error-severity>
      <error-info>
         <bad-element>dst-port</bad-element>
      </error-info>
      <error-message>syntax error</error-message>
   </rpc-error>
   <rpc-error>
      <error-severity>error</error-severity>
      <error-info>
         <bad-element>dst-port</bad-element>
      </error-info>
      <error-message>syntax error</error-message>
   </rpc-error>
</rpc-reply>


unlock  Success .


Error Details:
   

Logs:
<configuration>
  <version>12.1X47-D25.4</version>
  <system>
    <host-name>casur-srx650-cluster</host-name>
  </system>
  <security>
    <nat>
      <destination>
        <rule-set>
          <name>ca-camera</name>
          <rule>
            <name>camera-01-8200</name>
            <dest-nat-rule-match>
              <destination-port operation="delete">
                <name>8200</name>
              </destination-port>
              <destination-port operation="create">
                <dst-port>8200</dst-port>
              </destination-port>
            </dest-nat-rule-match>
          </rule>
        </rule-set>
      </destination>
    </nat>
  </security>
</configuration>

It's saying that the destination NAT section has problems setting the dst-port. For some reason it was deleting the value and creating it again with a new element (dst-port).
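As an added example (not from the original post, and not NSM's or Juniper's code), here is a Python script that does the triage above automatically: it lists every rpc-error in the NETCONF reply and ties the rejected bad-element back to the operation in the generated edit-config that introduced it. The sample reply and edit-config are trimmed copies of the ones quoted in the post; the function names are this example's own.

```python
"""Triage a NETCONF <rpc-reply> against the <edit-config> that produced it.
Added example, not code from the post, NSM or Juniper."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Trimmed copy of the reply quoted in the post.
SAMPLE_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
           xmlns:junos="http://xml.juniper.net/junos/12.1X47/junos">
   <rpc-error>
      <error-severity>error</error-severity>
      <error-info><bad-element>dst-port</bad-element></error-info>
      <error-message>syntax error</error-message>
   </rpc-error>
   <rpc-error>
      <error-severity>error</error-severity>
      <error-info><bad-element>dst-port</bad-element></error-info>
      <error-message>syntax error</error-message>
   </rpc-error>
</rpc-reply>"""

# Trimmed copy of the edit-config NSM logged in the post.
SAMPLE_EDIT_CONFIG = """<configuration>
  <security><nat><destination><rule-set><name>ca-camera</name>
    <rule><name>camera-01-8200</name>
      <dest-nat-rule-match>
        <destination-port operation="delete"><name>8200</name></destination-port>
        <destination-port operation="create"><dst-port>8200</dst-port></destination-port>
      </dest-nat-rule-match>
    </rule>
  </rule-set></destination></nat></security>
</configuration>"""


def rpc_errors(reply_xml):
    """One dict per <rpc-error>: severity, rejected element and message."""
    # Parse as bytes so the encoding declaration in the prolog stays valid.
    root = ET.fromstring(reply_xml.encode("utf-8"))
    found = []
    for err in root.findall(f"{{{NC}}}rpc-error"):
        def text(tag):
            el = err.find(f".//{{{NC}}}{tag}")
            return el.text.strip() if el is not None and el.text else None
        found.append({"severity": text("error-severity"),
                      "bad_element": text("bad-element"),
                      "message": text("error-message")})
    return found


def config_operations(config_xml):
    """Every element carrying a NETCONF operation attribute, as
    (operation, element tag, first child tag, first child text)."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    ops = []
    for el in root.iter():
        op = el.get("operation")
        if op is None:
            continue
        child = next(iter(el), None)
        ops.append((op, el.tag,
                    child.tag if child is not None else None,
                    child.text.strip() if child is not None and child.text else None))
    return ops


def blame(reply_xml, config_xml):
    """Operations whose child element the device reported as a bad-element."""
    bad = {e["bad_element"] for e in rpc_errors(reply_xml)}
    return [op for op in config_operations(config_xml) if op[2] in bad]


if __name__ == "__main__":
    for e in rpc_errors(SAMPLE_REPLY):
        print(e)
    for op in blame(SAMPLE_REPLY, SAMPLE_EDIT_CONFIG):
        print("rejected:", op)
```

Run against the post's reply, blame() points at the create operation that wraps dst-port rather than the delete that used name, which is exactly the version mismatch the rest of the post chases down.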

I then checked the supported Junos versions in NSM and discovered that the latest supported version was 12.1X47-D25. I did the downgrade and updated the OS version in NSM. Still the same error as before.

I spoke to JTAC, and they informed me that this error was known and that downgrading to D15 would help, since a command had changed in Junos. I downgraded to D15 but still had the same issue. I researched a bit myself and discovered that the change was introduced between 12.1X46 and 12.1X47.

Earlier it had not been possible to downgrade versions in NSM, but for some reason I was able to do it now: first from D30 to D25, and after that from 12.1X47-D15 to 12.1X46-D40. When I reached 12.1X46-D40 I was able to run the update and everything worked.

1121 not registering to WLC

I was converting APs from autonomous to lightweight mode yesterday when I ran into issues with a couple of old 1121G units. I only saw the AP register to the controller for 3-4 seconds before it disconnected. While pinging the AP, it responded for about a minute before it went into a reboot.

I then logged into the WLC to do a debug. I used the following debug command:

(Cisco Controller) >debug capwap errors enable

This output repeated itself every time the AP came up:

Dec 03 11:26:02.616: 00:1e:4a:a8:b1:88 Join Priority Processing status = 0, Incoming Ap's Priority 0, MaxLrads = 100,joined Aps =1
*spamApTask0: Dec 03 11:26:12.645: Could not find BoardDataPayload
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Refusing image download to AP 00:1e:4a:a8:b1:88 - unable to open image file /bsn/ap//c1100
 Error:No such file or directory(2)
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Number of open file descriptors for spam process is: 97
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Decoding of Image Data failed from AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:20.733: Unable to find deleted AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:20.733: 00:1e:4a:a8:b1:88 Join Priority Processing status = 0, Incoming Ap's Priority 0, MaxLrads = 100,joined Aps =1
*spamReceiveTask: Dec 03 11:26:32.658: b4:b6:76:c3:56:db Unable to get RadId. Sending of PMK cache entry to all APs in flexconnect group failed :: bssid 00:00:00:00:00:00

"Security processing of Image Data failed for AP" was a message in the output that I thought was strange, along with the other references to the image. I then checked the Cisco Wireless Controller Compatibility Matrix and, to my disappointment, the AP was no longer supported. It ended up being a long and slow process of having one of the local guys in Chile convert the AP from controller-based back to standalone...
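As an added example (not from the original post, and not Cisco's code), here is a Python script that summarises "debug capwap errors enable" output per AP so that the one line that explains the join loop, the missing image file, is not buried under the decrypt errors that follow it. The sample lines are a trimmed copy of the debug output above; the category names and the likely_cause() texts are this example's own.

```python
"""Group WLC capwap debug lines per AP and flag the root-cause signature.
Added example, not code from the post or from Cisco."""
import re
from collections import Counter, defaultdict

# Trimmed copy of the debug output quoted in the post (key material left out).
SAMPLE_DEBUG = """\
Dec 03 11:26:02.616: 00:1e:4a:a8:b1:88 Join Priority Processing status = 0, Incoming Ap's Priority 0, MaxLrads = 100,joined Aps =1
*spamApTask0: Dec 03 11:26:12.645: Could not find BoardDataPayload
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Refusing image download to AP 00:1e:4a:a8:b1:88 - unable to open image file /bsn/ap//c1100
 Error:No such file or directory(2)
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Number of open file descriptors for spam process is: 97
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Decoding of Image Data failed from AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:20.733: Unable to find deleted AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:20.733: 00:1e:4a:a8:b1:88 Join Priority Processing status = 0, Incoming Ap's Priority 0, MaxLrads = 100,joined Aps =1
*spamReceiveTask: Dec 03 11:26:32.658: b4:b6:76:c3:56:db Unable to get RadId. Sending of PMK cache entry to all APs in flexconnect group failed :: bssid 00:00:00:00:00:00
"""

LINE_RE = re.compile(
    r"^(?:\*(?P<task>\w+): )?"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

# Ordered substring signatures; first match wins.
SIGNATURES = [
    ("missing-image", "unable to open image file"),
    ("image-decode-failed", "Decoding of Image Data failed"),
    ("decrypt-failed", "Error decrypting packet"),
    ("decrypt-failed", "Decryption of message from AP failed"),
    ("image-security-failed", "Security processing of Image Data failed"),
    ("join-request", "Join Priority Processing"),
]

CAUSE_NO_IMAGE = "controller has no image for this AP model; check the AP/WLC compatibility matrix"
CAUSE_DECRYPT_ONLY = "decrypt failures without a missing-image error; image is not the cause"
CAUSE_UNKNOWN = "no known signature seen"


def parse_debug(text):
    """Split debug output into events; indented lines continue the previous one."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and events:
            events[-1]["msg"] += " " + raw.strip()
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        mac = MAC_RE.search(m.group("msg"))
        events.append({"task": m.group("task"), "ts": m.group("ts"),
                       "mac": mac.group(0) if mac else None, "msg": m.group("msg")})
    return events


def classify(msg):
    for name, needle in SIGNATURES:
        if needle in msg:
            return name
    return "other"


def triage(text):
    """Per-AP counts of each message category; lines without a MAC are skipped."""
    per_ap = defaultdict(Counter)
    for ev in parse_debug(text):
        if ev["mac"]:
            per_ap[ev["mac"]][classify(ev["msg"])] += 1
    return {mac: dict(c) for mac, c in per_ap.items()}


def likely_cause(counts):
    if counts.get("missing-image"):
        return CAUSE_NO_IMAGE
    if counts.get("decrypt-failed"):
        return CAUSE_DECRYPT_ONLY
    return CAUSE_UNKNOWN


if __name__ == "__main__":
    for mac, counts in triage(SAMPLE_DEBUG).items():
        print(mac, counts, "->", likely_cause(counts))
```

The missing-image signature is checked before the decrypt ones on purpose: in the post's output the decrypt and "Security processing" errors are the consequence of the refused image download, not separate faults.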

Could not connect to node1 : No route to host

Today I had some issues while working on an SRX650. We had to replace the Services and Routing Engine a few days ago. When I was supposed to get the cluster back online, I got the following error message when trying to run a few commands on the device:

Could not connect to node1 : No route to host

I got this error when typing show interface ge-0/0/2. I had also entered the command on node1, so I felt it was a bit strange that node1 could not connect to node1.

The firewall was also reporting that it was in hold mode:

{hold:node1}

So it was not showing as secondary or primary. It kept this status the whole time and didn't try to move to any other state while the issue was occurring.

The reason for my issues was that I had not deleted all the default config from the new Services and Routing Engine card that we got. My config was not correct for all the cluster ports, since some of the ports in the cluster are dedicated to cluster services (on the SRX650 it is ge-0/0/0 (fxp0) and ge-0/0/0 (control plane)). These ports must not be configured as network ports, and that was the reason for my issues. When I deleted the config and set a default root authentication password, everything connected. When I did a commit from the primary node, the config was correct on both devices and everything connected successfully.

While searching the internet I read that some people also forgot to set the reth-count and got the same error. The command to set the number of reth interfaces is:

set chassis cluster reth-count 4

A great source for more information is the following chapter of the book “Juniper SRX Series” written by Brad Woodberg and Rob Cameron.

http://chimera.labs.oreilly.com/books/1234000001633/ch07.html#activating_juniper_services_redundancy

Problems with HP Port Replicator 3005pr

I had some issues with the screens and USB devices after upgrading from Windows 8 to Windows 10 the other day. Only one screen was working, and none of the USB devices were working.

When trying to update the driver for the HP Port Replicator 3005pr I got the following error message: “A previous uninstall of HP Port Replicator Software is not yet complete. Please reboot your computer and run this installer again to installation.”

I tried several solutions, but none of the ones I found on the internet helped me. Most people's problems were solved with compatibility mode, but for some reason that was not good enough for me. After some troubleshooting I discovered that it failed during the update of the DisplayLink software. I then downloaded the DisplayLink software manually and tried to run the setup. I got a message saying that the installation had failed (I don't have a screenshot or the exact wording).

Only after a complete uninstall of the DisplayLink software was I able to install the port replicator driver. The uninstall tool can be found here. It is named “DisplayLink Installation Cleaner” and opens a command window where you press Enter to remove the old software.

Let people without Dropbox upload files

Let people without Dropbox upload files to you

Go to https://dropbox.com and log in. Then click on «File requests».

Press «Request files».

Enter a description for the request. This will be shown on the upload page. Then press «Change folder» so the files are uploaded to the correct folder. The folder name and location will not be shown to the person uploading the files.

Browse to the correct folder and select the folder you want the files to be stored in.

You can now see that the folder name has changed. Press «Next» to continue.

On the next page you will get the link that you can send to the person who needs to upload files to you. There is also an option to let Dropbox send the link for you.

After this you are done. Now you just have to wait for the files to be uploaded.

The following is what needs to be done by the uploader.

The person uploading the files will get an e-mail like this. They should press «Upload files» to upload the files to your Dropbox.

When «Upload files» is pressed, a browser should open and you should see the following page. Press «Choose files» to continue.

Then you can select one or more files to upload. To select more than one file, keep Control (CTRL) pressed while selecting files.

The uploader should now see a list of files that are ready for upload. They can also press «Add another file» to add more files to the same upload, and enter their name and e-mail address so that it's possible to see who uploaded what. The files are uploaded when pressing «Upload».

When that is completed, the upload is finished and the files are in your Dropbox.