junos – Networks and rants

Secondary node locked when commiting

April 10, 2016April 10, 2016 Nils Magnus EliassenLeave a comment

The other day I got a problem with one of my SRX clusters when I was running a commit. The commit was not able to complete and I got the following error:

{primary:node0}[edit]
srx1400# commit
node1:
error: configuration database modified
node0:
error: remote lock-configuration failed on node1

The reason for this error is some uncommited configuration on the secondary node. Earlier the same day I changed the primary for redundancy-group 0 and I guess that I didn’t commit all the config on node1 before changing to node0.

To solve this I had to go into the secondary node (node1) and rollback the uncommitted configuration. Normally you can use OOB to connect to the secondary node but I dont have it at this location. So I have to connect to the secondary node trough the primary node. This is done with the following command on branch devices (SRX650 and below): request routing-engine login node 1
On High end devices like the one I’m working on (SRX1400 and above) you use: rlogin -T node1

{secondary:node1}% rlogin -T node1
root@srx1400>
--- JUNOS 11.4R9.4 built 2013-08-22 06:24:21 UTC
{secondary:node1}
root@srx1400> configure
warning: Clustering enabled; using private edit
error: shared configuration database modified

Please temporarily use 'configure shared' to commit
outstanding changes in the shared database, exit,
and return to configuration mode using 'configure'

As you can see from the error I have to use configure shared to be able to edit the configuration.

root@srx1400> configure shared
Entering configuration mode
The configuration has been changed but not committed

Before entering the rollback command you can check the uncommitted configuration by running show | compare. This will display all the uncommited configuration

{secondary:node1}[edit]
root@srx1400# show | compare
[edit access profile unos clientjunos]
- pap-password "$9$2V4GDikP5T3fTrvLXwsz36C0B"; ## SECRET-DATA
+ pap-password "$9$jhHP5QF/CA09AxdsYGUp0BRyl"; ## SECRET-DATA

Now you can rollback the uncommited config, check that there is any uncommited config left and exit the configuration mode.

{secondary:node1}[edit]
root@rx1400# rollback
load complete

{secondary:node1}[edit]
root@srx1400# show | compare

{secondary:node1}[edit]
root@srx1400# exit
Exiting configuration mode

{secondary:node1}
root@srx1400>

Now you can close the session and try to commit the configuration from the primary node again. It worked for me! 🙂

As a note I also know that alot of people has had a success of using just the command commit synchronize force on the primary node but it does not work for everyone.

Bandwidth limiter in Junos

January 7, 2016January 8, 2016 Nils Magnus EliassenLeave a comment

Today I had to limit a internet connection on one of the sites for the company I work for. The internet connection is mainly used for guest access and backup since the main traffic travels over a MPLS connection. The same internet connection was going to be used for a VPN tunell towards a supplier that has a VPN device behind my SRX240. Since this location is in the middle of nowhere it’s limited to 1 Mbps SDSL connection. The issue then is that there is no bandwidth left for the external VPN on the connection when guest users are using the connection.

I have added the main information regarding the configuration below:
Guest subnet: 192.168.200.0/26
Guest interface: vlan.20

The first step is to define the policer. Since I want to keep some bandwidth for the VPN I limit the 1 mbps to 800 kbps. As you can see from the text below there is an abbreviation for kbps that is k. You can specify a value in bits per second either as a complete decimal number or as a decimal number followed by the abbreviation k (1000),m (1,000,000), or g (1,000,000,000). You can also specify a value in cells per second by entering a decimal number followed by the abbreviation c; values expressed in cells per second are converted to bits per second using the formula 1 cps = 384 bps. The value can be any positive integer. In this example its set to 800 k.

set firewall policer policer-800k if-exceeding bandwidth-limit 800k
set firewall policer policer-800k if-exceeding burst-size-limit 625k
set firewall policer policer-800k then discard

The next part is to set the filter itself. Here I wan’t to configure the same speed limit both for up and down traffic. You can create diffrent limits for the different directions if you want to but in this example I have the same speed both ways. In the end of the filter I have a accept all to let the remaining traffic go trough the interface. I did not need to do that in this example but I like to make sure I don’t block anything that I shouldnt.

set firewall filter meeting-limit term from-meeting from source-address 192.168.200.0/26
set firewall filter meeting-limit term from-meeting then policer policer-800k
set firewall filter meeting-limit term from-meeting then accept
set firewall filter meeting-limit term to-meeting from destination-address 192.168.200.0/26
set firewall filter meeting-limit term to-meeting then policer policer-800k
set firewall filter meeting-limit term to-meeting then accept
set firewall filter meeting-limit term accept then accept

In the end we have to apply the filter to an interface as both inbound and outbound. The best practice is to only do this on the inbound side so you don’t process the traffic that you are discarding. In my case I had some issues with that. If I had filtered the traffic from the internet towards 192.168.200.0/26 network I wouldnt filter anything. The reason for this is that the traffic I would see is the NAT’ed address on the internet. So the destination adress would be my public IP. When I filter the outbound traffic on the port after it has returned trough NAT it get’s the correct IP and I can filter the traffic.

set interfaces vlan unit 20 description meetingroom
set interfaces vlan unit 20 family inet filter input meeting-limit
set interfaces vlan unit 20 family inet filter output meeting-limit
set interfaces vlan unit 20 family inet address 192.168.200.1/26

The configuration should in the end look something like this:

firewall {
	policer policer-800k {
		if-exceeding {
			bandwidth-limit 800k;
			burst-size-limit 625k;
		}
		then discard;
	}
}
filter meeting-limit {
    term from-meeting {
        from {
            source-address {
                192.168.200.0/26;
            }
        }
        then {
            policer policer-800k;
            accept;
        }
    }
    term to-meeting {
        from {
            destination-address {
                192.168.200.0/26;
            }
        }
        then {
            policer policer-800k;
            accept;
        }
    }
    term accept {
        then accept;
    }
}

interfaces{
	vlan {
		unit 20 {
			description meetingroom;
			family inet {
				filter {
					input meeting-limit;
					output meeting-limit;
				}
				address 192.168.200.1/26;
			}
		}
	}
}

As a reference I used KB28161

Could not connect to node1 : No route to host

November 25, 2015December 9, 2015 Nils Magnus EliassenLeave a comment

Today I had some issues when working on a SRX650. We had to replace the Services and Routing Engine a few days ago. When I was supposed to get the cluster back online I got the following error message when trying to run a few of the commands on the device:

Could not connect to node1 : No route to host

I got this error when typing show interface ge-0/0/2. I also entered the command on the node1 so I felt it was a bit strange that node1 could not connect to node1.

The firewall was also saying that it was in a hold mode

{hold:node1}

So it was not showing as secondary or primary. It was keeping this status all the time and didn’t try to go to any other modes while the issue was occuring.

The reason for my issues was that I had not deleted all the default config from the new Service and Routing engine card that we got. My config was not correct for all the cluster ports since some of the ports in the cluster is dedicated to cluster services (on the SRX650 it is ge-0/0/0 (fxp0) and ge-0/0/0 (control plane)). These ports are not to be configured as network ports and that is the reason for my issues. When I deleted the config and set a default root authentication password everything was connected. When I did a commit from the primary node the config was correct on both devices and everything connected succesfully.

During my search on the internet I read that some people also forgot to set the reth-count and got the same error. The command to set the number of reth interfaces is:

set chassis cluster reth-count 4

A great source for more information is the following chapter of the book “Juniper SRX Series” written by Brad Woodberg and Rob Cameron.

http://chimera.labs.oreilly.com/books/1234000001633/ch07.html#activating_juniper_services_redundancy