12.b
Lab Guide
Juniper Networks
Worldwide Education Services
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Contents
Lab 1: Troubleshooting Security Zones and Policies ........................ 1-1
Part 1: Accessing Your Device and Verifying the Connectivity .............. 1-2
Part 2: Troubleshooting Zones ............................................. 1-7
Part 3: Troubleshooting Security Policies ................................. 1-11
Part 4: Troubleshooting Security Policies for Host Traffic ................ 1-16
This one-day course is designed to provide students with information about troubleshooting IPsec,
security zones and policies, other security features, and chassis clustering. Students will gain
experience in monitoring and troubleshooting these topics through demonstration as well as
hands-on labs. The course exposes students to common troubleshooting commands and tools
used to troubleshoot various intermediate to advanced issues.
This course uses Juniper Networks SRX Series Services Gateways for the hands-on component, but
the lab environment does not preclude the course from being applicable to other Juniper hardware
platforms running the Junos OS. This course is based on Junos OS Release 12.1R5.5.
Objectives
After successfully completing this course, you should be able to:
Troubleshoot security zones.
Troubleshoot security policies.
Troubleshoot IPsec virtual private network (VPN) problems.
Troubleshoot Internet Key Exchange (IKE) phase 1 issues.
Troubleshoot IKE phase 2 issues.
Verify and troubleshoot AppSecure.
Monitor and troubleshoot intrusion prevention systems (IPS).
Verify and troubleshoot UTM.
Verify, monitor, and troubleshoot chassis clustering issues.
Troubleshoot different chassis clustering modes.
List the general chassis components.
Identify different methods for troubleshooting major chassis components.
Troubleshoot redundant Routing Engine and Control Board communication.
Intended Audience
The primary audience for this course is the following:
Individuals responsible for configuring and monitoring devices running the Junos OS.
Course Level
Advanced Junos Enterprise Security Troubleshooting is an advanced-level course.
Prerequisites
The following courses are the prerequisites for this course:
Junos Troubleshooting in the NOC (JTNOC);
Advanced Junos Security (AJSEC);
Junos Intrusion Prevention Systems (JIPS); and
Junos Unified Threat Management (JUTM).
Day 1
Chapter 1: Course Introduction
Chapter 2: Troubleshooting Security Zones and Policies
Troubleshooting Security Zones and Policies Lab
Chapter 3: Troubleshooting IPsec
Troubleshooting IPsec Lab
Chapter 4: Troubleshooting Security Features
Troubleshooting Security Features Lab
Chapter 5: Troubleshooting Chassis Clusters
Troubleshooting Chassis Clustering Lab
Appendix A: SRX Hardware Troubleshooting
Franklin Gothic: Normal text. Most of what you read in the Lab Guide and Student Guide.
CLI Input: Text that you must enter. Example: lab@San_Jose> show route
GUI Input: Text that you must enter. Example: Select File > Save, and type config.ini in the Filename field.
CLI Undefined: Text where the variable's value is the user's discretion, or text where the variable's value as shown in the lab guide might differ from the value the user must input according to the lab topology. Examples: Type set policy policy-name. ping 10.0.x.y
GUI Undefined: Text where the variable's value is the user's discretion or might differ from the value shown in the lab guide. Example: Select File > Save, and type filename in the Filename field.
Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:
Go to http://www.juniper.net/techpubs/.
Locate the specific software or hardware release and title you need, and choose the
format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or
account representative.
Overview
In this lab, you will troubleshoot security zones and policies. You will use Junos OS CLI
commands and analyze trace log files to find the causes of the detected problems.
Next, you will define and apply the solution for each issue.
By completing this lab, you will perform the following tasks:
Troubleshoot security zones.
Troubleshoot security policies.
Perform configuration corrections.
In this lab part, you become familiar with the access details used to access the lab
equipment. Once you are familiar with the access details, you will use the CLI to log
in to your designated station. Next, you will load the starting configuration for the
lab. Then, you will verify the connectivity between your assigned virtual routers and
your device.
Note
Depending on the class, the lab equipment
used might be remote from your physical
location. The instructor will inform you as to
the nature of your access and will provide
you the details needed to access your
assigned device.
Step 1.1
Ensure that you know to which device you are assigned. Check with your instructor if
necessary. Consult the Management Network Diagram to determine the
management address of your student device.
Step 1.2
Access the command-line interface (CLI) at your station using either the console,
Telnet, or SSH as directed by your instructor.
Step 1.3
Log in as user lab with the password lab123. Enter configuration mode and load
the lab1-start.config file from the /var/home/lab/ajest/ directory. Commit the
configuration when complete.
srxC-1 (ttyp0)
login: lab
Password:
[edit]
lab@srxC-1# load override ajest/lab1-start.config
load complete
lab@srxC-1>
Step 1.4
Check the status of your configured Gigabit Ethernet and loopback interfaces using
the show interfaces terse | match "ge|lo" command.
lab@srxC-1> show interfaces terse | match "ge|lo"
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.210.14.135/27
ge-0/0/1 up up
ge-0/0/2 up up
ge-0/0/3 up up
Step 1.5
Open a separate Telnet session to the virtual router attached to your team device.
Note
Log in to the virtual router using the login information shown in the following table:
login: username
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
cl@vr-device>
Step 1.6
From the Telnet session established with the virtual router, verify reachability from
virtual routers assigned to you to their respective interface on your device using the
ping command. Be sure to source your ping from the correct virtual-router routing
instance.
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
In this lab part, you will troubleshoot problems related to security zones and the
assignment of interfaces to security zones. You will first experience the problem, then
use CLI tools to find its cause, and finally define and apply the solution to resolve
the problem.
Step 2.1
Test the connectivity from your Juniper virtual router to your SRX's loopback address.
cl@vr-device> ping local-loopback routing-instance local-Juniper-VR count 3
PING 192.168.1.1 (192.168.1.1): 56 data bytes
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
Step 2.2
View the forwarding decision on your Juniper virtual router to the SRX's loopback.
cl@vr-device> show route local-loopback table local-Juniper-VR.inet.0
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
Step 2.3
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, check the zone assignment of the loopback interface
lo0.0 and whether ping is allowed in the zone's host-inbound-traffic.
lab@srxC-1> show interfaces lo0.0 | find Security
Security: Zone: Null
Protocol inet, MTU: Unlimited
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Default Is-Primary
Local: 192.168.1.1
Step 2.4
Enter configuration mode and assign the lo0.0 interface to either the Juniper-SV or
Juniper-WF zone. Check that the zone's host-inbound-traffic allows ping. Commit the
configuration changes and exit to operational mode.
lab@srxC-1> configure
Entering configuration mode
[edit]
lab@srxC-1# set security zones security-zone Juniper-local interfaces lo0.0
[edit]
lab@srxC-1# show security zones security-zone Juniper-local
address-book {
    address vr105 172.20.105.0/24;
}
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    ge-0/0/4.105;
    lo0.0;
}
[edit]
lab@srxC-1# commit and-quit
commit complete
lab@srxC-1>
Step 2.5
Review the lo0.0 interface zone assignment and the allowed services and protocols in
host-inbound-traffic.
lab@srxC-1> show interfaces lo0.0 | find Security
Security: Zone: Juniper-SV
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim
rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet
traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
Protocol inet, MTU: Unlimited
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Default Is-Primary
Local: 192.168.1.1
Step 2.6
Return to the Telnet session established with the virtual router.
From your assigned virtual router, verify your changes. Test the reachability from the
affected virtual router to the SRX's loopback address using the ping command. Be
sure to source your ping from the correct virtual-router routing instance.
cl@vr-device> ping local-loopback routing-instance local-Juniper-VR count 3
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=4.005 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=3.622 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=3.622 ms
In this lab part, you will troubleshoot problems related to security policies. You will
first experience the problem, then use CLI tools to find its cause, and finally define
and apply the solution to resolve the problem.
Step 3.1
From the Telnet session established with the virtual router, verify the reachability from
your Juniper virtual router to the Internet host using telnet.
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
Note
If the session does not establish after
couple of seconds use Ctrl+C key
combination to break the attempt.
Step 3.3
View in detail the existing policies in the context from-zone Juniper-local
to-zone untrust.
lab@srxC-1> show security policies from-zone Juniper-local to-zone untrust detail
Policy: internet-Juniper-SV, action-type: permit, State: enabled, Index: 15, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: Juniper-SV, To zone: untrust
  Source addresses:
    vr105: 172.20.105.0/24
  Destination addresses:
    internet-host: 172.31.16.1/32
  Application: any
Step 3.4
Modify the address entry in the address book of the untrust zone so that it matches
only the Internet host. Commit the change and exit to operational mode.
lab@srxC-1> configure
Entering configuration mode
[edit]
lab@srxC-1# edit security zones security-zone untrust
    protocols {
        all;
    }
}
interfaces {
    ge-0/0/3.0;
}
lab@srxC-1>
Step 3.5
Return to the Telnet session established with the virtual router.
From your assigned virtual router, test the telnet from your Juniper virtual router to
the Internet host again.
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
Note
The Internet host is another virtual router
instance on the same device as all the
other virtual routers. For telnet use same
credentials as you use for the virtual router.
vr-device (ttyp1)
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
cl@vr-device>
Step 3.6
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, examine the session table for telnet sessions to the
Internet host.
lab@srxC-1> show security flow session destination-port 23 destination-prefix 172.31.15.1
Session ID: 44472, Policy name: internet-Juniper-SV/15, Timeout: 1780, Valid
  In: 172.20.105.10/56728 --> 172.31.15.1/23;tcp, If: ge-0/0/4.105, Pkts: 9, Bytes: 619
  Out: 172.31.15.1/23 --> 172.20.105.10/56728;tcp, If: ge-0/0/3.0, Pkts: 8, Bytes: 589
Total sessions: 1
lab@srxC-1>
Step 3.7
Return to the Telnet session established with the virtual router.
From your assigned virtual router, exit from the established telnet session to the
Internet host.
cl@vr-device>
In this lab part, you will troubleshoot problems related to traffic destined for the SRX
device itself. You will first experience the problem, then use CLI tools to find its
cause, and finally define and apply the solution to resolve the problem.
Step 4.1
From the Telnet session established with the virtual router, try to open a telnet session
from the Juniper virtual router to the SRX interface in the ACME-local zone.
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
Note
If the session does not establish after
couple of seconds use Ctrl+C key
combination to break the attempt.
Step 4.2
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, determine which security policy handles the telnet
connection from your Juniper virtual router to the SRX interface in the ACME-local
zone. Use the show security match-policies command with the zones from the lab
diagram, and enter any arbitrary value for the source-port from the range
<1024-65000>.
Step 4.3
Verify if telnet is allowed on the SRX interface in the ACME-local zone.
lab@srxC-1> show interfaces ge-0/0/4.ACME-unit extensive | find Security
Security: Zone: ACME-SV
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim
rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet
traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
Flow Statistics :
Flow Input statistics :
  Self packets : 3519
Step 4.4
Enter configuration mode and enable traceoptions for packet flow processing. Define
flow-log as the file name and specify a packet filter so that only packets destined to
the interface in the ACME-local zone are traced. Commit your configuration and exit
to operational mode when complete.
lab@srxC-1> configure
Entering configuration mode
[edit]
lab@srxC-1# set security flow traceoptions file flow-log
[edit]
lab@srxC-1# set security flow traceoptions flag basic-datapath
[edit]
lab@srxC-1# set security flow traceoptions packet-filter F1 destination-prefix local-ACME-address/32
[edit]
lab@srxC-1# show security flow
traceoptions {
    file flow-log;
    flag basic-datapath;
    packet-filter F1 {
        destination-prefix 172.20.205.1/32;
    }
}
[edit]
lab@srxC-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxC-1>
Step 4.5
Return to the Telnet session established with the virtual router.
From your assigned virtual router, try the telnet connection from your Juniper virtual
router to the SRX interface in the ACME-local zone again.
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
Note
If the session does not establish after
couple of seconds use Ctrl+C key
combination to break the attempt.
Step 4.6
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, examine the flow-log trace file.
Note
For the sake of clarity and time, the
interesting lines are bolded in the output.
Step 4.7
View in detail the security policies in the from-zone ACME-local to-zone
junos-host context.
lab@srxC-1> show security policies from-zone ACME-local to-zone junos-host detail
Policy: drop-telnet, action-type: deny, State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: ACME-SV, To zone: junos-host
  Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: junos-telnet
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [23-23]
  Per policy TCP Options: SYN check: No, SEQ check: No
Step 4.8
Enter configuration mode and delete the security policy in the from-zone
ACME-local to-zone junos-host context. Commit the configuration and exit to
operational mode when complete.
lab@srxC-1> configure
Entering configuration mode
[edit]
lab@srxC-1# edit security policies
lab@srxC-1>
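The checks that Parts 2, 3 and 4 of this lab perform by hand (ingress interface zone, host-inbound-traffic, then the security policy lookup, including the from-zone X to-zone junos-host context), modelled as an added Python example that is not part of the lab guide or of Junos. It parses the `show interfaces ... | find Security` and `show security policies ... detail` output formats shown above, using constructed samples built from the lab's own addresses, and returns where a flow is dropped; the samples, and the assumption that self traffic is permitted when no junos-host policy matches, are the only things not taken from the lab.

```python
"""Model of the checks this lab performs by hand: is the ingress interface in a zone,
does that zone's host-inbound-traffic allow the service, and which security policy
(transit zone pair, or from-zone X to-zone junos-host) matches the flow first.
The samples below are constructed, abridged from the CLI output formats in the lab."""
import ipaddress
import re
from dataclasses import dataclass, field

LO0_NO_ZONE = "Security: Zone: Null\nProtocol inet, MTU: Unlimited\n"
GE_ACME = """\
Security: Zone: ACME-SV
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh
telnet
traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
Flow Statistics :
"""
JUNOS_HOST_POLICIES = """\
Policy: drop-telnet, action-type: deny, State: enabled, Index: 5, Scope Policy: 0
  From zone: ACME-SV, To zone: junos-host
  Source addresses:
    any-ipv4: 0.0.0.0/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
  Application: junos-telnet
   IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
    Destination port range: [23-23]
"""
UNTRUST_POLICIES = """\
Policy: internet-Juniper-SV, action-type: permit, State: enabled, Index: 15, Scope Policy: 0
  From zone: Juniper-SV, To zone: untrust
  Source addresses:
    vr105: 172.20.105.0/24
  Destination addresses:
    internet-host: 172.31.16.1/32
  Application: any
"""

@dataclass
class Policy:
    name: str
    action: str
    src: list = field(default_factory=list)   # ip_network prefixes
    dst: list = field(default_factory=list)
    apps: list = field(default_factory=list)  # (proto, low port, high port); empty = any

    def matches(self, src_ip, dst_ip, proto, dport):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        in_any = lambda ip, nets: any(ip in n for n in nets if n.version == ip.version)
        return in_any(s, self.src) and in_any(d, self.dst) and (
            not self.apps or any(p == proto and lo <= dport <= hi for p, lo, hi in self.apps))

def parse_interface_security(text):
    """(zone, allowed services) from `show interfaces <ifl> | find Security`."""
    zone, allowed, in_list = None, set(), False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Security: Zone:"):
            zone = line.split(":")[-1].strip()
        elif line.startswith("Allowed host-inbound traffic"):
            allowed.update(line.split(":", 1)[1].split())
            in_list = True                 # the service list wraps onto later lines
        elif in_list and line[:1].islower():
            allowed.update(line.split())
        else:
            in_list = False
    return zone, allowed

def parse_policies(text):
    """Policy records from `show security policies ... detail`, in lookup order."""
    policies, addrs, proto = [], None, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Policy: (\S+), action-type: (\w+)", line)
        if m:
            policies.append(Policy(m.group(1), m.group(2)))
        elif line.endswith("addresses:"):
            addrs = policies[-1].src if line.startswith("Source") else policies[-1].dst
        elif re.fullmatch(r"\S+: \S+/\d+", line):
            addrs.append(ipaddress.ip_network(line.split(": ")[1]))
        elif line.startswith("IP protocol:"):
            proto = line.split(",")[0].split(": ")[1]
        elif line.startswith("Destination port range:"):
            lo, hi = map(int, re.findall(r"\d+", line))
            policies[-1].apps.append((proto, lo, hi))
    return policies

def first_match(policy_output, src_ip, dst_ip, proto, dport):
    """First matching policy, or None (for transit traffic: the default deny)."""
    return next((p for p in parse_policies(policy_output)
                 if p.matches(src_ip, dst_ip, proto, dport)), None)

def self_traffic_decision(iface_output, junos_host_output, src_ip, dst_ip, service, proto, dport):
    """Why traffic addressed to the SRX itself is dropped, or 'permit', checked in lab order."""
    zone, allowed = parse_interface_security(iface_output)
    if zone in (None, "Null"):
        return "drop: ingress interface is not in a security zone"
    if service not in allowed and "all" not in allowed:
        return f"drop: {service} not allowed by host-inbound-traffic in zone {zone}"
    pol = first_match(junos_host_output, src_ip, dst_ip, proto, dport)
    if pol is not None and pol.action != "permit":
        return f"drop: policy {pol.name} ({pol.action})"
    return "permit"   # assumed: with no matching junos-host policy, host-inbound-traffic decides
```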
Step 4.9
Return to the Telnet session established with the virtual router.
From your assigned virtual router, try the telnet connection from your Juniper virtual
router to the SRX interface in the ACME-local zone again.
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
Note
If the session does not establish after
couple of seconds use Ctrl+C key
combination to break the attempt.
Note
Use credentials for accessing your SRX
device.
srxC-1 (ttyp0)
login: lab
Password:
cl@vr-device>
Step 4.11
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, log out using the exit command.
lab@srxC-1> exit
srxC-1 (ttyu0)
login:
[Lab 1 network diagram (text recovered from the image): Management Addressing table listing srxA-1, srxA-2, srxB-1, srxB-2, srxC-1, srxC-2, srxD-1, srxD-2, vr-device, Server, Gateway and Term Server; VLAN Assignments table: hostname srxC-1 uses VLAN-IDs 105 and 205, srxC-2 uses VLAN-IDs 106 and 206; tagged ge-0/0/4 subinterfaces (see VLAN Assignments table) in the Juniper-SV, Juniper-WF and ACME-WF zones, with 172.20.1xx.0/24 and 172.20.2xx.0/24 subnets (virtual routers at .10, SRX at .1); Internet host 172.31.15.1.]
Overview
In this lab, you will troubleshoot IPsec. You will use Junos OS CLI commands and analyze
trace log files to find the causes of the detected problems. Next, you will define and
apply the solution for each issue.
By completing this lab you will perform the following tasks:
Troubleshoot IKE phase 1.
Troubleshoot IKE phase 2.
Troubleshoot route-based IPsec VPNs.
Perform configuration corrections.
In this lab part, you become familiar with the access details used to access the lab
equipment. Once you are familiar with the access details, you will use the CLI to log
in to your designated station. Next, you will load the starting configuration for the
lab.
Note
Step 1.1
Ensure that you know to which device you are assigned. Check with your instructor if
necessary. Consult the Management Network Diagram to determine the
management address of your student device.
Step 1.2
Access the command-line interface (CLI) at your station using either the console,
Telnet, or SSH as directed by your instructor.
login: lab
Password:
[edit]
lab@srxC-1# load override ajest/lab2-start.config
load complete
lab@srxC-1>
Step 1.4
From operational mode, check the status of your configured Gigabit Ethernet,
loopback and tunnel interfaces using the show interfaces terse
| match "ge|lo|st0" command.
lab@srxC-1> show interfaces terse | match "ge|st0|lo0"
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.210.14.135/27
ge-0/0/1 up up
ge-0/0/2 up up
ge-0/0/3 up up
www.juniper.net Troubleshooting IPsec • Lab 2-3
Advanced Junos Enterprise Security Troubleshooting
In this lab part, you will examine the existing IPsec configuration on your SRX device
and troubleshoot problems related to IPsec VPNs. You will first experience the problem,
then use CLI tools to find its cause, and finally define and apply the solution to
resolve the problem.
Step 2.1
Examine the existing IPsec - IKE phase 1 configuration on your SRX.
lab@srxC-1> show configuration security ike
policy policy-1 {
    mode main;
    proposal-set basic;
    pre-shared-key ascii-text "$9$0VD91EyM87s2alK2aZU.m01R"; ## SECRET-DATA
}
policy policy-2 {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$0VD91EyM87s2alK2aZU.m01R"; ## SECRET-DATA
}
Step 2.2
Examine the existing IPsec - IKE phase 2 configuration on your SRX.
lab@srxC-1> show configuration security ipsec
policy policy-sec {
    proposal-set standard;
}
vpn srxC-1-to-spoke-1 {
    bind-interface st0.0;
    ike {
        gateway spoke-1;
        ipsec-policy policy-sec;
    }
    establish-tunnels immediately;
}
vpn srxC-1-to-spoke-2 {
    bind-interface st0.0;
    ike {
        gateway spoke-2;
        ipsec-policy policy-sec;
    }
    establish-tunnels immediately;
}
Step 2.3
Restart the IPsec key management daemon. (Note: You would not typically need to
do this but we need to restart this process because of the way this troubleshooting
lab is built.)
lab@srxC-1> restart ipsec-key-management
IPSec Key Management daemon started, pid 3285
lab@srxC-1>
Step 2.4
Check if any IKE phase 1 and IKE phase 2 SAs are present on the device.
lab@srxC-1> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
243597 UP 308f83af84c1127d a774d1633604c29e Main 192.168.30.4
Step 2.5
Verify that the routing information to reach both spokes' loopback addresses is correct
on your SRX. For the topology, refer to the lab diagram.
lab@srxC-1> show route spoke-1-lo0-address
Step 2.6
Verify the reachability to both spokes' loopback addresses using the ping utility.
Use the IP address of the "external-interface" from the IKE phase 1 configuration as
the source address for the ping.
lab@srxC-1> ping spoke-1-lo0-address source local-lo0.0-address count 3
PING 192.168.30.3 (192.168.30.3): 56 data bytes
64 bytes from 192.168.30.3: icmp_seq=0 ttl=63 time=2.250 ms
64 bytes from 192.168.30.3: icmp_seq=1 ttl=63 time=1.816 ms
64 bytes from 192.168.30.3: icmp_seq=2 ttl=63 time=1.900 ms
Step 2.7
Enter configuration mode and enable traceoptions for IKE phase 1 and IKE phase 2.
For the traceoptions configuration, define flag all and use the default trace file
/var/log/kmd. Before committing the configuration, clear the /var/log/kmd
file for easier examination. Commit the configuration changes and exit to
operational mode when complete.
lab@srxC-1> configure
Entering configuration mode
[edit]
lab@srxC-1# edit security
[edit security]
lab@srxC-1# set ike traceoptions flag all
[edit security]
lab@srxC-1# show ike traceoptions
flag all;
[edit security]
lab@srxC-1# set ipsec traceoptions flag all
[edit security]
lab@srxC-1# show ipsec traceoptions
flag all;
[edit security]
lab@srxC-1# run clear log kmd
[edit security]
lab@srxC-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxC-1>
Step 2.8
Review the /var/log/kmd file.
Note
For the sake of clarity and time, the
interesting lines are bolded in the output.
Step 2.9
Enter configuration mode and change the proposal-set for spoke-1's IKE phase 1
policy to standard. Commit the configuration changes and exit to operational mode when
complete.
lab@srxC-1> configure
Entering configuration mode
[edit]
lab@srxC-1# edit security ike
lab@srxC-1>
Step 2.10
Verify the status of IKE phase 1 and IKE phase 2 SAs on your SRX.
lab@srxC-1> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
243606 UP 76fc7377169db6a4 57fa23262fdb5db5 Main 192.168.30.3
243597 UP 308f83af84c1127d a774d1633604c29e Main 192.168.30.4
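An added Python example, not part of the lab guide or of Junos, that models the IKE phase 1 failure this part diagnoses: proposal negotiation between the hub's predefined proposal set and the spoke's, plus a check of the `show security ike security-associations` output against the configured gateways. The spoke-side proposal sets are assumed, and the contents of the predefined sets follow the Junos documentation for basic, compatible and standard; verify both against your lab.

```python
"""IKE phase 1 proposal negotiation and SA check for the hub-and-spoke setup in this
part. The hub offers spoke-1 the 'basic' set while that spoke (assumed) expects
'standard', so no proposal is common and the SA never comes up. Proposal-set contents
follow the Junos predefined sets as documented (assumption: verify on your release)."""

# Predefined IKE proposal sets as (authentication, DH group, encryption, hash).
PROPOSAL_SETS = {
    "basic": [("pre-shared-keys", "group1", "des-cbc", "sha1"),
              ("pre-shared-keys", "group1", "des-cbc", "md5")],
    "compatible": [("pre-shared-keys", "group2", "3des-cbc", "sha1"),
                   ("pre-shared-keys", "group2", "3des-cbc", "md5"),
                   ("pre-shared-keys", "group2", "des-cbc", "sha1"),
                   ("pre-shared-keys", "group2", "des-cbc", "md5")],
    "standard": [("pre-shared-keys", "group2", "3des-cbc", "sha1"),
                 ("pre-shared-keys", "group2", "aes-128-cbc", "sha1")],
}

# Hub side, from `show configuration security ike` in Step 2.1:
# gateway -> (remote address, proposal-set of the policy used for it).
HUB_GATEWAYS = {"spoke-1": ("192.168.30.3", "basic"), "spoke-2": ("192.168.30.4", "standard")}
# Spoke side: assumed, since the spokes' configuration is not shown in the lab.
SPOKE_SETS = {"192.168.30.3": "standard", "192.168.30.4": "standard"}

# Constructed from the Step 2.4 output: only the spoke-2 SA is up.
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
243597  UP     308f83af84c1127d  a774d1633604c29e  Main  192.168.30.4
"""


def negotiate(initiator_set, responder_set):
    """First initiator proposal the responder also accepts, or None (phase 1 fails)."""
    accepted = set(PROPOSAL_SETS[responder_set])
    return next((p for p in PROPOSAL_SETS[initiator_set] if p in accepted), None)


def parse_ike_sas(text):
    """{remote address: state} from `show security ike security-associations`."""
    sas = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].isdigit():   # skip the header line
            sas[fields[-1]] = fields[1]
    return sas


def diagnose(sa_output, gateways, spoke_sets):
    """Per gateway: 'up', or the first reason this part's checks would surface."""
    sas = parse_ike_sas(sa_output)
    report = {}
    for name, (addr, local_set) in gateways.items():
        if sas.get(addr) == "UP":
            report[name] = "up"
        elif negotiate(local_set, spoke_sets[addr]) is None:
            report[name] = f"no common proposal: hub {local_set} vs spoke {spoke_sets[addr]}"
        else:
            report[name] = "proposals agree; check reachability, pre-shared key and IKE ID"
    return report
```

Besides the mismatch itself, the sets show why the fix in Step 2.9 moves spoke-1 to standard rather than the hub to basic: basic only offers DES, MD5 and DH group 1.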
In this lab part, you will troubleshoot connectivity problems through IPsec VPNs. You
first experience the problem then use CLI tools to find the problem cause and finally
you define the solution and resolve the problem.
Step 3.1
Verify the reachability to the spoke-1 and spoke-2 host IP addresses. For the spokes'
host IP addressing details, consult the lab diagrams.
lab@srxC-1> ping spoke-1-address count 3
PING 192.171.30.3 (192.171.30.3): 56 data bytes
Step 3.2
Test the forwarding decision on your SRX for the spoke-1 and spoke-2 IP addresses.
lab@srxC-1> show route spoke-1-address
Step 3.3
Create a static route so that spoke-2 traffic uses the IPsec VPN tunnel. Use the spoke-2
st0.0 address as the next hop. Commit the change and exit to operational mode
when complete.
lab@srxC-1> configure
Entering configuration mode
[edit]
lab@srxC-1# edit routing-options static
lab@srxC-1>
Step 3.4
Test the forwarding to spoke-2 after the change.
lab@srxC-1> show route spoke-2-address
Step 3.5
Check the connectivity to spoke-2
lab@srxC-1> ping spoke-2-address count 3
PING 192.171.30.4 (192.171.30.4): 56 data bytes
Step 3.6
View the next-hop tunnel binding table.
lab@srxC-1> show security ipsec next-hop-tunnels
Next-hop gateway interface IPSec VPN name Flag
10.10.30.3 st0.0 srxC-1-to-spoke-1 Auto
10.10.30.4 st0.0 srxC-1-to-spoke-2 Auto
Step 3.7
Examine the tunnel interface st0.0 statistics to see whether any traffic is going into the
tunnel.
lab@srxC-1> show interfaces st0.0 statistics
Logical interface st0.0 (Index 70) (SNMP ifIndex 596)
Flags: No-Multicast SNMP-Traps Encapsulation: Secure-Tunnel
Input packets : 0
Output packets: 9
Security: Zone: Null
Protocol inet, MTU: 9192
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.10.30/24, Local: 10.10.30.1
Step 3.8
Enter configuration mode and assign the st0.0 interface to the vpn zone.
Commit the change and exit to operational mode when complete.
lab@srxC-1> configure
Entering configuration mode
[edit]
lab@srxC-1# edit security zones
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
}
security-zone Juniper-SV {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/4.105;
    }
}
security-zone ACME-SV {
    host-inbound-traffic {
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/4.205;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/3.0;
        lo0.0;
    }
}
security-zone vpn {
    interfaces {
        st0.0;
    }
}
lab@srxC-1>
Step 3.9
Verify that the tunnel interface st0.0 is assigned to the correct zone.
lab@srxC-1> show interfaces st0.0 statistics
Logical interface st0.0 (Index 70) (SNMP ifIndex 596)
Flags: No-Multicast SNMP-Traps Encapsulation: Secure-Tunnel
Input packets : 0
Output packets: 9
Security: Zone: vpn
Protocol inet, MTU: 9192
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.10.30/24, Local: 10.10.30.1
Step 3.10
Test the reachability to spoke-1 and spoke-2 IP addresses again.
lab@srxC-1> ping spoke-1-address count 3
PING 192.171.30.3 (192.171.30.3): 56 data bytes
64 bytes from 192.171.30.3: icmp_seq=0 ttl=64 time=2.723 ms
64 bytes from 192.171.30.3: icmp_seq=1 ttl=64 time=2.325 ms
64 bytes from 192.171.30.3: icmp_seq=2 ttl=64 time=2.611 ms
Step 3.11
Examine the tunnel interface st0.0 again.
lab@srxC-1> show interfaces st0.0 statistics
Logical interface st0.0 (Index 70) (SNMP ifIndex 596)
Flags: No-Multicast SNMP-Traps Encapsulation: Secure-Tunnel
Input packets : 6
Output packets: 15
Security: Zone: vpn
Protocol inet, MTU: 9192
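The three forwarding checks this part walks through (`show route`, the next-hop tunnel binding table, and the zone of st0.0) combined in an added Python example that is not part of the lab guide or of Junos. The route, tunnel and zone tables are constructed from the addresses in the lab output, and the default-route next hop is an assumed value.

```python
"""Forwarding checks for the route-based VPN in this part: longest-prefix route lookup,
next-hop tunnel binding on st0.0, and the zone of the egress interface.
The tables are constructed from the lab output; the default-route next hop is assumed."""
import ipaddress

# As the SRX stood at Step 3.2: spoke-1 is routed into the tunnel, spoke-2 is not.
ROUTES = {                      # prefix -> (next hop, egress interface)
    "0.0.0.0/0": ("10.210.14.129", "ge-0/0/0.0"),      # assumed default route
    "10.10.30.0/24": (None, "st0.0"),                   # st0.0 directly connected
    "192.171.30.3/32": ("10.10.30.3", "st0.0"),         # spoke-1 host via tunnel
}
# `show security ipsec next-hop-tunnels` (Step 3.6)
NEXT_HOP_TUNNELS = {"10.10.30.3": "srxC-1-to-spoke-1", "10.10.30.4": "srxC-1-to-spoke-2"}
# `show interfaces st0.0` showed "Security: Zone: Null" (Step 3.7)
INTERFACE_ZONES = {"ge-0/0/0.0": "untrust", "st0.0": "Null"}


def lookup_route(routes, dst):
    """Longest-prefix match: (network, next hop, interface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, (nh, ifl) in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifl)
    return best


def forward(dst, routes=ROUTES, nht=NEXT_HOP_TUNNELS, zones=INTERFACE_ZONES):
    """How the SRX forwards a packet to dst, or the first reason it is dropped,
    in the order this part checks: route, tunnel binding, then interface zone."""
    hit = lookup_route(routes, dst)
    if hit is None:
        return f"drop: no route to {dst}"
    net, nh, ifl = hit
    zone = zones.get(ifl, "Null")
    if ifl.startswith("st0"):
        # For a directly connected st0.0 destination the next hop is the destination itself.
        vpn = nht.get(nh or dst)
        if vpn is None:
            return f"drop: next hop {nh or dst} on {ifl} has no tunnel binding"
        if zone == "Null":
            return f"drop: {ifl} is not assigned to a security zone"
        return f"tunnel {vpn}"
    return f"interface {ifl} zone {zone}"
```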
Step 3.12
Log out using the exit command.
lab@srxC-1> exit
srxC-1 (ttyu0)
login:
[Lab 2 network diagram (text recovered from the image): Management Addressing table listing srxA-1, srxA-2, srxB-1, srxB-2, srxC-1, srxC-2, srxD-1, srxD-2, Server, Gateway and Term Server (Note: Your instructor will provide address and access information). Tunnel and loopback addressing: srxA-1 st0 10.10.10.1/24, lo0 192.168.10.1; srxA-2 st0 10.10.10.2/24, lo0 192.168.10.2; Spoke2A-2 st0 10.10.10.7/24, lo0 192.168.10.7; srxC-1 st0 10.10.30.1/24, lo0 192.168.30.1; srxD-1 st0 10.10.40.1/24, lo0 192.168.40.1; srxD-2 st0 10.10.40.2/24, lo0 192.168.40.2; Spoke2D-1 st0 10.10.40.4/24, lo0 192.168.40.4.]
Overview
In this lab, you will troubleshoot security features: AppSecure and UTM. You will use
Junos OS CLI commands and analyze log files to determine the reason for the
behavior you experience.
By completing this lab, you will perform the following tasks:
Troubleshoot UTM.
Troubleshoot AppSecure features.
In this lab part, you become familiar with the access details used to access the lab
equipment. Once you are familiar with the access details, you will use the CLI to log
in to your designated station. Next, you will load the starting configuration for Lab 5.
Then, you will verify the connectivity between your assigned virtual routers and your
device.
Note
Depending on the class, the lab equipment
used might be remote from your physical
location. The instructor will inform you as to
the nature of your access and will provide
you the details needed to access your
assigned device.
Step 1.1
Ensure that you know to which device you are assigned. Check with your instructor if
necessary. Consult the Management Network Diagram to determine the
management address of your student device.
Step 1.2
Access the command-line interface (CLI) at your station using either the console,
Telnet, or SSH as directed by your instructor.
Step 1.3
Log in as user lab with the password lab123. Enter configuration mode and load
the lab3-start.config file from the /var/home/lab/ajest/ directory. Commit the
configuration when complete.
srxC-1 (ttyp0)
login: lab
Password:
[edit]
lab@srxC-1# load override ajest/lab3-start.config
load complete
lab@srxC-1>
Step 1.4
From operational mode, check the status of your configured Gigabit Ethernet and
loopback interfaces using the show interfaces terse | match "ge|lo"
command.
lab@srxC-1> show interfaces terse | match "ge|lo0"
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.210.14.135/27
ge-0/0/1 up up
ge-0/0/2 up up
ge-0/0/3 up up
Step 1.5
Open a separate Telnet session to the virtual router attached to your team device.
Note
This lab step requires you to open a
separate Telnet session to the virtual router
to emulate an external host. Keep the
current Telnet session established with
your assigned SRX device open to monitor
results. The virtual router is a J Series
Services Router configured as several
logical devices. Refer to the Management
Network Diagram for the IP address of the
vr-device.
Log in to the virtual router using the login information shown in the following table:
login: username
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
cl@vr-device>
Step 1.6
From the Telnet session established with the virtual router, verify reachability from
virtual routers assigned to you to their respective interface on your device using the
ping command. Be sure to source your ping from the correct virtual-router routing
instance.
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
In this lab part, you will examine and troubleshoot UTM to determine the reason for the
observed traffic processing behavior.
Step 2.1
Establish an ftp connection from your Juniper virtual router to your SRX's interface in
the ACME zone. Use the same credentials as for logging in to your SRX device.
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
Step 2.2
Try to download the lab1-start.config file from the ajest folder.
ftp> get ajest/lab1-start.config
local: ajest/lab1-start.config remote: ajest/lab1-start.config
200 PORT command successful.
550 172.20.205.1:21->172.20.105.10:56091 Requested action not taken and the
request is dropped for Content Filtering file extension block list.
ftp>
Step 2.3
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, find the session in the session table for your ftp
connection.
lab@srxC-1> show security flow session destination-port 21
Session ID: 1516, Policy name: app-service-policy/9, Timeout: 1702, Valid
Resource information : FTP ALG, 1, 0
In: 172.20.105.10/56091 --> 172.20.205.1/21;tcp, If: ge-0/0/4.105, Pkts: 36,
Bytes: 1694
Out: 172.20.205.1/21 --> 172.20.105.10/56091;tcp, If: .local..0, Pkts: 18,
Bytes: 1233
Total sessions: 1
Step 2.4
Display the details about your ftp session. Use the session ID from the previous step and
execute the show security flow session session-identifier
session-id command.
lab@srxC-1> show security flow session session-identifier session-id
Session ID: 1516, Status: Normal
Flag: 0x500042
Policy name: app-service-policy/9
Source NAT pool: Null, Application: junos-ftp/1
Dynamic application: junos:FTP,
Application firewall rule-set: Allowed-services, Rule: ftp
Maximum timeout: 1800, Current timeout: 1684
Session State: Valid
Start time: 10066, Duration: 187
Client: FTP ALG, Group: 1, Resource: 0
In: 172.20.105.10/56091 --> 172.20.205.1/21;tcp,
Interface: ge-0/0/4.105,
Session token: 0x9, Flag: 0x2621
Route: 0xa0010, Gateway: 172.20.105.10, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 36, Bytes: 1694
Out: 172.20.205.1/21 --> 172.20.105.10/56091;tcp,
Interface: .local..0,
Session token: 0x2, Flag: 0x2630
Route: 0xfffb0006, Gateway: 172.20.205.1, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 18, Bytes: 1233
Total sessions: 1
Step 2.5
session-init;
session-close;
Step 2.7
Check the referenced UTM policy configuration.
lab@srxC-1> show configuration security utm utm-policy UTM-check
content-filtering {
ftp {
upload-profile denied-content;
download-profile denied-content;
Step 2.8
Examine the content filtering feature profile from the previous step.
lab@srxC-1> show configuration security utm feature-profile content-filtering
profile denied-content
block-extension Deny-extensions;
Step 2.9
Examine the referenced custom object from the previous step.
lab@srxC-1> show configuration security utm custom-objects filename-extension
Deny-extensions {
value config;
Step 2.11
View the UTM content filtering statistics using the show security utm
content-filtering statistics command.
lab@srxC-1> show security utm content-filtering statistics
Content-filtering-statistic: Blocked
Base on command list: 0
Base on mime list: 0
Base on extension list: 1
ActiveX plugin: 0
Java applet: 0
EXE files: 0
ZIP files: 0
HTTP cookie: 0
Step 2.12
Return to the Telnet session established with the virtual router.
From your assigned virtual router, close the ftp connection.
ftp> bye
221 Goodbye.
cl@vr-device>
Step 2.13
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, view the last 10 lines of the RT-FLOW log file.
Note
The RT-FLOW log file is a custom file
receiving messages generated from the
data plane, such as security policy logging.
In this lab part, you will examine and troubleshoot application identification and
application firewall to determine the reason for the observed traffic processing behavior.
Step 3.1
Return to the Telnet session established with the virtual router.
From your assigned virtual router, establish an ssh connection from your Juniper
virtual router to your SRX's interface in the ACME zone. Use the same credentials as
for logging in to your SRX device.
Note
Step 3.2
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, find the session for your ssh connection.
lab@srxC-1> show security flow session destination-port 22
Session ID: 1683, Policy name: app-service-policy/9, Timeout: 1792, Valid
In: 172.20.105.10/50554 --> 172.20.205.1/22;tcp, If: ge-0/0/4.105, Pkts: 10,
Bytes: 2001
Out: 172.20.205.1/22 --> 172.20.105.10/50554;tcp, If: .local..0, Pkts: 9,
Bytes: 2005
Total sessions: 1
Step 3.3
Display the details about your ssh session. Use the session ID from the previous step
and execute the show security flow session session-identifier
session-id command.
lab@srxC-1> show security flow session session-identifier session-id
Session ID: 1683, Status: Normal
Flag: 0x500040
Policy name: app-service-policy/9
Source NAT pool: Null, Application: junos-ssh/22
Dynamic application: junos:SSH,
Application firewall rule-set: Allowed-services, Rule: ssh
Maximum timeout: 1800, Current timeout: 1744
Session State: Valid
Start time: 10954, Duration: 56
In: 172.20.105.10/50554 --> 172.20.205.1/22;tcp,
Interface: ge-0/0/4.105,
Session token: 0x9, Flag: 0x621
Route: 0xa0010, Gateway: 172.20.105.10, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 10, Bytes: 2001
Out: 172.20.205.1/22 --> 172.20.105.10/50554;tcp,
Interface: .local..0,
Session token: 0x2, Flag: 0x630
Route: 0xfffb0006, Gateway: 172.20.205.1, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 9, Bytes: 2005
Total sessions: 1
Step 3.4
Return to the Telnet session established with the virtual router.
From your assigned virtual router, execute the show system uptime and show system
users commands and then close the ssh connection.
lab@srxC-1> show system uptime
Current: time: 2013-04-06 00:32:00 UTC
System booted: 2013-04-05 21:28:31 UTC (03:03:29 ago)
Protocols started: 2013-04-05 21:30:56 UTC (03:01:04 ago)
Last configured: 2013-04-06 00:27:18 UTC (00:04:42 ago) by lab
12:32AM up 3:03, 4 users, load averages: 0.16, 0.16, 0.15
lab@srxC-1> exit
Connection to 172.20.205.1 closed.
Step 3.5
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, view the last 10 lines of the RT-FLOW log file.
lab@srxC-1> show log RT-FLOW | last 10
Apr 6 00:31:38 srxC-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN:
172.20.105.10/52965->172.20.205.1/22 junos-ssh 172.20.105.10/
52965->172.20.205.1/22 None None 6 app-service-policy Juniper-SV ACME-SV
1663 14(2353) 13(2293) 8 SSH UNKNOWN N/A(N/A) ge-0/0/4.105 No
Step 3.6
View the application system cache (ASC) using the show services
application-identification application-system-cache command.
lab@srxC-1> show services application-identification application-system-cache
Application System Cache Configurations:
application-cache: on
nested-application-cache: on
cache-unknown-result: on
cache-entry-timeout: 3600 seconds
pic: 0/0
Logical system name: 0
IP address: 172.20.205.1 Port: 22 Protocol: TCP
Application: SSH Encrypted: No
Step 3.7
Return to the Telnet session established with the virtual router.
From your assigned virtual router, establish a telnet connection from your Juniper
virtual router to your SRX's interface in the ACME zone. Use the same credentials as
for logging in to your SRX device.
Note
Keep in mind that when working with
virtual routers and routing instances,
command syntax is different. If needed,
please reference the detailed lab guide for
sample command syntax for the individual
verification tasks performed within this lab.
srxC-1 (ttyp2)
login: lab
Password:
Step 3.8
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, find the session for your telnet connection.
lab@srxC-1> show security flow session destination-port 23 destination-prefix
local-ACME-address
Session ID: 1746, Policy name: app-service-policy/9, Timeout: 1774, Valid
In: 172.20.105.10/50447 --> 172.20.205.1/23;tcp, If: ge-0/0/4.105, Pkts: 30,
Bytes: 1724
Out: 172.20.205.1/23 --> 172.20.105.10/50447;tcp, If: .local..0, Pkts: 23,
Bytes: 1446
Total sessions: 1
Step 3.9
Display the details about your telnet session. Use the session ID from the previous step
and execute the show security flow session session-identifier
session-id command.
lab@srxC-1> show security flow session session-identifier session-id
Session ID: 1746, Status: Normal
Flag: 0x500042
Policy name: app-service-policy/9
Source NAT pool: Null, Application: junos-telnet/10
Dynamic application: PENDING,
Application firewall rule-set: Allowed-services, Rule: PENDING
Maximum timeout: 1800, Current timeout: 1764
Session State: Valid
Start time: 11228, Duration: 40
In: 172.20.105.10/50447 --> 172.20.205.1/23;tcp,
Interface: ge-0/0/4.105,
Session token: 0x9, Flag: 0x2621
Route: 0xa0010, Gateway: 172.20.105.10, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 30, Bytes: 1724
Out: 172.20.205.1/23 --> 172.20.105.10/50447;tcp,
Interface: .local..0,
Session token: 0x2, Flag: 0x2630
Route: 0xfffb0006, Gateway: 172.20.205.1, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 23, Bytes: 1446
Total sessions: 1
Step 3.10
View the application firewall statistics using the show security application-firewall
rule-set all command.
lab@srxC-1> show security application-firewall rule-set all
Rule-set: Allowed-services
Rule: ftp
Dynamic Applications: junos:FTP
Action:permit
Number of sessions matched: 1
Rule: ssh
Dynamic Applications: junos:SSH
Action:permit
Number of sessions matched: 1
Default rule:deny
Number of sessions matched: 0
Number of sessions with appid pending: 1
Step 3.11
Return to the Telnet session established with the virtual router.
From your assigned virtual router, execute the show system uptime and show system
users commands and then close the telnet connection.
lab@srxC-1> show system uptime
Current time: 2013-04-06 00:39:07 UTC
System booted: 2013-04-05 21:28:31 UTC (03:10:36 ago)
Protocols started: 2013-04-05 21:30:56 UTC (03:08:11 ago)
Last configured: 2013-04-06 00:27:18 UTC (00:11:49 ago) by lab
12:39AM up 3:11, 5 users, load averages: 0.11, 0.12, 0.12
lab@srxC-1> show
Step 3.12
Terminate the stuck telnet session by hitting the CTRL+] key combination and
entering the quit command.
telnet> quit
Connection closed.
cl@vr-device>
Step 3.13
Return to the Telnet session established with your assigned SRX device.
From your assigned SRX device, view the application firewall statistics using the
show security application-firewall rule-set all command again.
lab@srxC-1> show security application-firewall rule-set all
Rule-set: Allowed-services
Rule: ftp
Dynamic Applications: junos:FTP
Action:permit
Number of sessions matched: 1
Rule: ssh
Dynamic Applications: junos:SSH
Action:permit
Number of sessions matched: 1
Default rule:deny
Number of sessions matched: 1
Number of sessions with appid pending: 0
Step 3.14
View the last 15 lines of the RT-FLOW log file.
lab@srxC-1> show log RT-FLOW | last 15
Apr 6 00:38:04 srxC-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created
172.20.105.10/50447->172.20.205.1/23 junos-telnet 172.20.105.10/
50447->172.20.205.1/23 None None 6 app-service-policy Juniper-SV ACME-SV
1746 N/A(N/A) ge-0/0/4.105
Apr 6 00:39:04 srxC-1 RT_FLOW: APPTRACK_SESSION_VOL_UPDATE: AppTrack volume
update: 172.20.105.10/50447->172.20.205.1/23 junos-telnet TELNET UNKNOWN
172.20.105.10/50447->172.20.205.1/23 None None 6 app-service-policy
Juniper-SV ACME-SV 1746 31(1777) 23(1446) 60 N/A N/A N/A
Apr 6 00:39:28 srxC-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied
172.20.105.10/50447->172.20.205.1/23 junos-telnet 6(0) app-service-policy
Juniper-SV ACME-SV UNKNOWN UNKNOWN N/A(N/A) ge-0/0/4.105 No
Apr 6 00:39:28 srxC-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed
application failure or action: 172.20.105.10/50447->172.20.205.1/23
junos-telnet 172.20.105.10/50447->172.20.205.1/23 None None 6
app-service-policy Juniper-SV ACME-SV 1746 55(3042) 38(2546) 84 UNKNOWN
UNKNOWN N/A(N/A) ge-0/0/4.105 No
Apr 6 00:39:28 srxC-1 RT_FLOW: APPTRACK_SESSION_CLOSE: AppTrack session closed
application failure or action: 172.20.105.10/50447->172.20.205.1/23
junos-telnet TELNET UNKNOWN 172.20.105.10/50447->172.20.205.1/23 None None 6
app-service-policy Juniper-SV ACME-SV 1746 55(3042) 38(2546) 84 N/A N/A N/A
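As an added example (not part of the lab guide), the following Python parses RT-FLOW entries of the kind shown in Steps 3.5 and 3.14, re-joins records that a pager wrapped across lines, and pulls out the sessions the application firewall closed so that a long log can be checked without reading it line by line. The sample log is constructed from the entries on this page; the field order used by the regular expressions is taken from those entries and is an assumption for other event types.

```python
import re
from collections import Counter

# Constructed sample modelled on the RT-FLOW entries shown in Steps 3.5 and 3.14
# (not a live capture). The last record is wrapped over two lines on purpose,
# the way a pager wraps long entries, to exercise the unwrap step.
SAMPLE_LOG = """\
Apr  6 00:31:38 srxC-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 172.20.105.10/52965->172.20.205.1/22 junos-ssh 172.20.105.10/52965->172.20.205.1/22 None None 6 app-service-policy Juniper-SV ACME-SV 1663 14(2353) 13(2293) 8 SSH UNKNOWN N/A(N/A) ge-0/0/4.105 No
Apr  6 00:38:04 srxC-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.20.105.10/50447->172.20.205.1/23 junos-telnet 172.20.105.10/50447->172.20.205.1/23 None None 6 app-service-policy Juniper-SV ACME-SV 1746 N/A(N/A) ge-0/0/4.105
Apr  6 00:39:04 srxC-1 RT_FLOW: APPTRACK_SESSION_VOL_UPDATE: AppTrack volume update: 172.20.105.10/50447->172.20.205.1/23 junos-telnet TELNET UNKNOWN 172.20.105.10/50447->172.20.205.1/23 None None 6 app-service-policy Juniper-SV ACME-SV 1746 31(1777) 23(1446) 60 N/A N/A N/A
Apr  6 00:39:28 srxC-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 172.20.105.10/50447->172.20.205.1/23 junos-telnet 6(0) app-service-policy Juniper-SV ACME-SV UNKNOWN UNKNOWN N/A(N/A) ge-0/0/4.105 No
Apr  6 00:39:28 srxC-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed application failure or action: 172.20.105.10/50447->172.20.205.1/23
    junos-telnet 172.20.105.10/50447->172.20.205.1/23 None None 6 app-service-policy Juniper-SV ACME-SV 1746 55(3042) 38(2546) 84 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/4.105 No
"""

# A record starts with a syslog timestamp such as "Apr  6 00:39:28 ".
TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")

# Field order follows the entries on the page: source->dest, service, NAT source->dest,
# NAT rule names, protocol, policy, from-zone, to-zone, session id, packets(bytes) in,
# packets(bytes) out, elapsed time, dynamic application, nested application.
CLOSE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>[^:]+): "
    r"(?P<src>\S+)->(?P<dst>\S+) (?P<service>\S+) \S+->\S+ \S+ \S+ \d+ "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<sid>\d+) "
    r"\S+ \S+ \d+ (?P<app>\S+) (?P<nested>\S+)"
)
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied (?P<src>\S+)->(?P<dst>\S+) (?P<service>\S+) "
    r"\S+ (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<app>\S+) (?P<nested>\S+)"
)

# Close reason the lab shows when the application firewall acts on a session.
APPFW_REASON = "application failure or action"


def unwrap(text):
    """Re-join records that were wrapped onto several lines.

    Any line without a leading timestamp is a continuation of the previous
    record (assumes the wrap happened at a field boundary).
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TS_RE.match(line):
            records.append(line.rstrip())
        elif records:
            records[-1] += " " + line.strip()
    return records


def parse_event(record):
    """Return a dict for a SESSION_CLOSE or SESSION_DENY record, else None."""
    m = CLOSE_RE.search(record)
    if m:
        return {"event": "close", **m.groupdict()}
    m = DENY_RE.search(record)
    if m:
        return {"event": "deny", "reason": "session denied", **m.groupdict()}
    return None


def appfw_denials(text):
    """Sessions closed by the application firewall. In the lab the dynamic
    application stays UNKNOWN on these, i.e. no rule matched and the
    rule-set's default deny applied."""
    return [ev for ev in map(parse_event, unwrap(text))
            if ev and ev["event"] == "close" and ev["reason"] == APPFW_REASON]


def close_reasons(text):
    """Count close reasons; a jump in application-firewall closes is the
    quickest way to spot a missing rule in a long RT-FLOW file."""
    return Counter(ev["reason"] for ev in map(parse_event, unwrap(text))
                   if ev and ev["event"] == "close")


if __name__ == "__main__":
    for ev in appfw_denials(SAMPLE_LOG):
        print(f"session {ev['sid']}: {ev['src']} -> {ev['dst']} ({ev['service']}) "
              f"dropped by {ev['policy']}, dynamic app {ev['app']}")
    print(dict(close_reasons(SAMPLE_LOG)))
```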
Step 3.15
Log out of your assigned device using the exit command.
lab@srxC-1> exit
srxC-1 (ttyu0)
login:
[Management Network Diagram and Lab 3 network diagram: figures not reproduced in this text.
Recoverable labels: Hostname / VLAN-ID table: srxA-1 101, 201; srxA-2 102, 202; srxC-1 105, 205;
srxC-2 106, 206. Zones Juniper-WF and ACME-WF on ge-0/0/4 (tagged interface, see VLAN Assignments
table); Host 172.31.15.1; lo0: 192.168.2.1. Note: Your instructor will provide address and access
information.]
Overview
In this lab, you will troubleshoot chassis clustering. You will work with the remote team in
your pod to combine your assigned devices into a single chassis cluster. You will use
Junos OS CLI commands and analyze trace log files to find the causes of the
detected problems. Next, you will define the solution for the issues and apply it.
By completing this lab, you will perform the following tasks:
Build the chassis cluster.
Troubleshoot the chassis cluster using Junos CLI commands and trace files.
Perform configuration corrections.
Monitor and verify the chassis cluster status.
In this lab part, you become familiar with the access details used to access the lab
equipment. Once you are familiar with the access details, you will use the CLI to log
in to your designated station. Next, you will load the starting configuration for the
lab. Then, you will verify the connectivity between your assigned virtual routers and
your device.
Note
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the Management Network Diagram to
determine the management address of your student device.
Step 1.2
Access the command-line interface (CLI) at your station using the console, so that you
maintain connectivity even while the device reboots.
Step 1.3
Log in as user lab with the password lab123. Enter configuration mode and load
the lab4-start.config from the /var/home/lab/ajest/ directory. Commit the
configuration when complete.
srxC-1 (ttyp0)
login: lab
Password:
[edit]
lab@srxC-1# load override ajest/lab4-start.config
load complete
lab@srxC-1>
In this lab part, you enable and troubleshoot high availability chassis clustering. You
will work with the remote team in your assigned pod to make some configuration
adjustments and then join your assigned devices into a single virtual device using
chassis clustering. You will troubleshoot problems related to chassis clustering. You
first experience the problem, then use CLI tools to find the problem cause, and finally
you define the solution and resolve the problem.
Note
Step 2.1
Clear the jsrpd log file to simplify the troubleshooting process later in the lab.
lab@srxC-1> clear log jsrpd
Step 2.2
Initiate the chassis cluster pairing by issuing the command set chassis cluster
cluster-id 1 node node-id reboot, where node-id is 0 for SRX1 and
node-id is 1 for SRX2.
lab@srxC-1> set chassis cluster cluster-id 1 node node-id reboot
Successfully enabled chassis cluster. Going to reboot now
lab@srxC-1>
*** FINAL System shutdown message from root@srxC-1 ***
Step 2.3
Log in to the device once it has rebooted. Use the username and password provided
by your instructor.
login: lab
Password:
Step 2.4
Check the chassis cluster status using the show chassis cluster status
command.
{hold:node0}
lab@srxC-1> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover
{hold:node0}
lab@srxC-1>
Step 2.5
View the chassis cluster statistics using the show chassis cluster
statistics and show chassis cluster control-plane statistics
commands.
{hold:node0}
lab@srxC-1> show chassis cluster statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 0
Heartbeat packets received: 0
Heartbeat packet errors: 0
Fabric link statistics:
Child link 0
Probes sent: 0
Probes received: 0
Child link 1
Probes sent: 0
Probes received: 0
error: usp_ipc_client_open: failed to connect to the server after 1 retries
{hold:node0}
lab@srxC-1> show chassis cluster control-plane statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 0
Heartbeat packets received: 0
Heartbeat packet errors: 0
Fabric link statistics:
Child link 0
Probes sent: 0
Probes received: 0
Child link 1
Probes sent: 0
Probes received: 0
{hold:node0}
lab@srxC-1>
Step 2.6
Check the chassis cluster interfaces using the show chassis cluster
interfaces command.
{hold:node0}
lab@srxC-1> show chassis cluster interfaces
Control link status: Down
Control interfaces:
Index Interface Status
0 fxp1 Down
Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0
fab0
{hold:node0}
lab@srxC-1>
Step 2.7
Check all the fxp interfaces status.
{hold:node0}
lab@srxC-1> show interfaces terse | match fxp
fxp0 up up
fxp1 up up
fxp2 up up
{hold:node0}
lab@srxC-1>
Step 2.8
View chassis cluster details using the show chassis cluster information
command.
{hold:node0}
lab@srxC-1> show chassis cluster information detail
error: Could not connect to node0 : No route to host
Step 2.9
Examine the jsrpd log file.
{hold:node0}
lab@srxC-1> show log jsrpd
Apr 5 18:08:35 successfully set default traceoptions cfg
Apr 5 18:08:37 JSRPD release 12.1R5.5 built by builder on 2013-01-17 07:43:20
UTC starting, pid 1041
Apr 5 18:08:37 node id node0, cluster-id 1 in kernel
Apr 5 18:08:37 Unable to read data link status blob No such file or directory
Apr 5 18:08:37 printing fpc_num 0
Apr 5 18:08:37 printing fpc_num 1
Apr 5 18:08:37 Interface fxp1 is down. devflags: 0x3, ifdm_flags: 0x8
Apr 5 18:08:45 Flowd Up handler called. Ignoring event because RG0 is not yet
initialized
Apr 5 18:08:45 printing fpc_num 0
Apr 5 18:08:45 jsrpd_ifd_msg_handler: Interface fxp0 is up
Apr 5 18:08:45 Error getting IFF for fxp0 inreface
Apr 5 18:09:07 Control ifl -1 is still not valid, restarting hold timer for rg
0
Step 2.10
Check if any configuration is present for the ge-0/0/0 or ge-0/0/1 interfaces.
{hold:node0}
lab@srxC-1> show configuration interfaces ge-0/0/0
description "MGMT Interface - DO NOT DELETE";
unit 0 {
family inet {
address 10.210.14.135/27;
}
}
{hold:node0}
lab@srxC-1> show configuration interfaces ge-0/0/1
{hold:node0}
lab@srxC-1>
Step 2.11
Remove the ge-0/0/0 configuration. Commit and exit to the operational mode when
complete.
{hold:node0}
lab@srxC-1> configure
warning: Clustering enabled; using private edit
error: shared configuration database modified
{hold:node0} [edit]
lab@srxC-1# delete interfaces ge-0/0/0
{hold:node0} [edit]
lab@srxC-1# commit and-quit
[edit security zones functional-zone management]
'interfaces ge-0/0/0.0'
Interface ge-0/0/0.0 must be configured under interfaces
error: configuration check-out failed
{hold:node0} [edit]
lab@srxC-1# delete security zones functional-zone management interfaces ge-0/0/
0.0
{hold:node0} [edit]
lab@srxC-1# commit and-quit
node0:
{hold:node0}
lab@srxC-1>
Step 2.12
Reboot the node.
{primary:node0}
lab@srxC-1> request system reboot
Reboot the system ? [yes, no] (no) yes
Shutdown NOW!
[pid 1681]
{primary:node0}
lab@srxC-1>
*** FINAL System shutdown message from lab@srxC-1 ***
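The three checks in this lab part (control link state from show chassis cluster interfaces, the jsrpd log, and leftover configuration on ge-0/0/0 and ge-0/0/1) can be combined into one script, so that a node stuck in the hold state is diagnosed the same way each time. This is an added example, not lab or Juniper code; the sample outputs are constructed from the ones shown above, and the finding text about removing the configuration only restates what Steps 2.11 and 2.12 do.

```python
import re

# Constructed samples reproducing the output shown in Lab 4 Part 2 (Steps 2.6,
# 2.9 and 2.10), not captured from a live device.
CLUSTER_INTERFACES = """\
Control link status: Down

Control interfaces:
    Index   Interface   Status
    0       fxp1        Down

Fabric interfaces:
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0
    fab0
"""

JSRPD_LOG = """\
Apr  5 18:08:35 successfully set default traceoptions cfg
Apr  5 18:08:37 node id node0, cluster-id 1 in kernel
Apr  5 18:08:37 Interface fxp1 is down. devflags: 0x3, ifdm_flags: 0x8
Apr  5 18:08:45 Flowd Up handler called. Ignoring event because RG0 is not yet initialized
Apr  5 18:09:07 Control ifl -1 is still not valid, restarting hold timer for rg 0
"""

# "show configuration interfaces ge-0/0/0" from Step 2.10; ge-0/0/1 returned nothing.
INTERFACE_CONFIG = {
    "ge-0/0/0": 'description "MGMT Interface - DO NOT DELETE";\n'
                "unit 0 {\n    family inet {\n        address 10.210.14.135/27;\n    }\n}\n",
    "ge-0/0/1": "",
}


def control_link_state(cluster_if_output):
    """Parse 'show chassis cluster interfaces': returns the control link status
    and a map of control interface name -> status."""
    status, ifaces, in_control = None, {}, False
    for line in cluster_if_output.splitlines():
        m = re.match(r"\s*Control link status:\s*(\S+)", line)
        if m:
            status = m.group(1)
        elif line.startswith("Control interfaces:"):
            in_control = True
        elif line and not line[0].isspace():
            in_control = False          # next section, e.g. "Fabric interfaces:"
        elif in_control:
            m = re.match(r"\s*\d+\s+(\S+)\s+(\S+)", line)   # "0  fxp1  Down"
            if m:
                ifaces[m.group(1)] = m.group(2)
    return status, ifaces


def jsrpd_findings(log):
    """Pull the jsrpd messages that explain a node stuck in the hold state."""
    findings = []
    for line in log.splitlines():
        m = re.search(r"Interface (fxp\d) is down", line)
        if m:
            findings.append(f"jsrpd: control interface {m.group(1)} reported down")
        if "Control ifl -1 is still not valid" in line:
            findings.append("jsrpd: no valid control ifl, hold timer keeps restarting")
    return findings


def diagnose(cluster_if_output, log, interface_config):
    """Combine the three checks the lab walks through and return the findings."""
    findings = []
    status, ifaces = control_link_state(cluster_if_output)
    if status == "Down":
        down = [name for name, st in ifaces.items() if st == "Down"] or ["none listed"]
        findings.append(f"control link Down; control interfaces down: {', '.join(down)}")
    findings.extend(jsrpd_findings(log))
    for name, cfg in interface_config.items():
        if cfg.strip():
            findings.append(f"{name} still carries configuration; the lab deletes it "
                            "(and its zone binding) before rebooting the node")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CLUSTER_INTERFACES, JSRPD_LOG, INTERFACE_CONFIG):
        print("-", finding)
```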
In this lab part, you will monitor the chassis cluster status using the CLI tools.
Note
Throughout this lab, you work as a team
with all the members in your assigned lab
pod. Because a chassis cluster combines
two physical devices into one logical device,
it is important to follow the steps in order
and in tandem as a team. Perform the next
several steps on the SRX1 and SRX2
devices.
Step 3.1
Log in to your assigned device once it has rebooted.
Boot media /dev/da0 does not have dual root support
Fri Apr 5 18:29:28 UTC 2013
srxC-1 (ttyu0)
login: lab
Password:
Step 3.3
View the chassis cluster status.
{primary:node0}
lab@srxC-1> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover
{primary:node0}
lab@srxC-1>
{primary:node0}
lab@srxC-1>
Step 3.5
Check the fabric interfaces status using the show interfaces terse |
match fab command.
{primary:node0}
lab@srxC-1> show interfaces terse | match fab
fab0 up down
fab0.0 up down inet 30.17.0.200/24
fab1 up down
fab1.0 up down inet 30.18.0.200/24
swfab0 up down
swfab1 up down
Step 3.6
Check the cluster interfaces status using the show chassis cluster
interfaces command.
{primary:node0}
lab@srxC-1> show chassis cluster interfaces
Control link status: Up
Control interfaces:
Index Interface Status
0 fxp1 Up
Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0
fab0
fab1
fab1
Note
Perform the next step ONLY on the SRX1
device.
Step 3.7
Enter configuration mode and load the lab6-p3s8.config from the /var/
home/lab/ajest/ directory. Commit the configuration when complete.
{primary:node0}
lab@srxC-1> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode
{primary:node0} [edit]
lab@srxC-1# load override ajest/lab6-p3s8.config
load complete
{primary:node0} [edit]
lab@srxC-1# commit and-quit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
Exiting configuration mode
{primary:node0}
lab@srxC-1>
Step 3.8
View the control and fabric interfaces status using the show interfaces terse
| match "fxp|fab" command.
{primary:node0}
lab@srxC-1> show interfaces terse | match "fxp|fab"
ge-0/0/2.0 up up aenet --> fab0.0
ge-5/0/2.0 up up aenet --> fab1.0
fab0 up up
fab0.0 up up inet 30.17.0.200/24
fab1 up up
fab1.0 up up inet 30.18.0.200/24
fxp0 up up
fxp0.0 up up inet 10.210.34.135/26
fxp1 up up
fxp1.0 up up inet 129.16.0.1/2
fxp2 up up
fxp2.0 up up tnp 0x1100001
swfab0 up down
swfab1 up down
Step 3.9
Display the cluster status using the show chassis cluster status
command.
{primary:node0}
lab@srxC-1>
Step 3.10
View the chassis cluster interfaces using the show chassis cluster
interfaces command.
{primary:node0}
lab@srxC-1> show chassis cluster interfaces
Control link status: Up
Control interfaces:
Index Interface Status
0 fxp1 Up
Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth1 Up 2
Interface Monitoring:
Interface Weight Status Redundancy-group
ge-5/0/3 255 Up 2
{primary:node0}
lab@srxC-1>
Step 3.11
Display detailed information using the show chassis cluster information
command.
{primary:node0}
lab@srxC-1> show chassis cluster information
node0:
Redundancy mode:
Configured mode: active-active
Operational mode: active-active
node1:
Redundancy mode:
Configured mode: active-active
Operational mode: active-active
{primary:node0}
lab@srxC-1>
In this lab part, you break down the chassis cluster implementation. You will then
load the Lab 1 starting configuration on each node.
Step 4.1
Issue the set chassis cluster disable reboot command.
{primary:node0}
lab@srxC-1> set chassis cluster disable reboot
Successfully disabled chassis cluster. Going to reboot now{primary:node0}
lab@srxC-1>
*** FINAL System shutdown message from root@srxC-1 ***
System going down IMMEDIATELY
Step 4.2
Once your device reboots, log in with the credentials provided by your instructor. Enter
configuration mode and load the lab1-start.config from the /var/home/
lab/ajest/ directory. Commit the configuration and return to operational mode
when complete.
Boot media /dev/da0 does not have dual root support
Fri Apr 5 21:30:39 UTC 2013
Amnesiac (ttyu0)
login: lab
Password:
[edit]
lab# load override ajest/lab1-start.config
load complete
[edit]
lab# commit and-quit
commit complete
Exiting configuration mode
lab@srxC-1>
Step 4.3
Log out of your assigned device using the exit command.
lab@srxC-1> exit
srxC-1 (ttyu0)
login:
[Management Network Diagram and Lab 4 chassis cluster network diagram: figures not reproduced in
this text. Recoverable labels: Untrust Zone, Cluster-ID 1, control link fxp1, virtual routers vr222
and vr232. Note: Your instructor will provide address and access information.]