Memorise

Juniper Hardware LED check

{primary:node1}
enroute@SRX> show chassis craft-interface

node0:

Front Panel System Indicator:

Routing Engine 0

OK *

Front Panel Alarm Indicator:

RED *
ORANGE .

Front Panel HA Indicator:

RED .
ORANGE .
GREEN *

Front Panel PS Indicator:

PS 0

RED .
GREEN *

node1:

Front Panel System Indicator:

Routing Engine 0

OK *

Front Panel Alarm Indicator:

RED .
ORANGE .

Front Panel HA Indicator:

RED .
ORANGE .
GREEN *

Front Panel PS Indicator:

PS 0

RED .
GREEN *

{primary:node1}
enroute@SRX> show chassis cluster information | match "Current LED color"
Current LED color: Green
Current LED color: Green
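The craft-interface output above is easy to misread when a cluster has many panels, so here is a small parser that turns it into a per-node map of lit LEDs and lists every RED or ORANGE indicator that is on. This is an added example, not code from the original notes; the sample text is a constructed copy of the command output format shown above (with node0's alarm LED lit, as in the capture), and the suggested follow-up command `show chassis alarms` is a standard Junos command, not something the notes mention.

```python
"""Parse 'show chassis craft-interface' output from an SRX cluster and report
lit indicators. Added example, not from the original notes; SAMPLE below is a
constructed copy of the command's output format."""
import re

# Constructed sample: node0 has the red alarm LED lit, node1 is clean.
SAMPLE = """\
node0:

Front Panel System Indicator:

Routing Engine 0

OK *

Front Panel Alarm Indicator:

RED *
ORANGE .

Front Panel HA Indicator:

RED .
ORANGE .
GREEN *

Front Panel PS Indicator:

PS 0

RED .
GREEN *

node1:

Front Panel System Indicator:

Routing Engine 0

OK *

Front Panel Alarm Indicator:

RED .
ORANGE .

Front Panel HA Indicator:

RED .
ORANGE .
GREEN *

Front Panel PS Indicator:

PS 0

RED .
GREEN *
"""

NODE_RE = re.compile(r"^(node\d+):$")
PANEL_RE = re.compile(r"^Front Panel (\w+) Indicator:$")
LED_RE = re.compile(r"^([A-Z]+)\s+([*.])$")   # '*' = lit, '.' = off


def parse_craft_interface(text):
    """Return {node: {panel: {led_colour: lit(bool)}}}."""
    result = {}
    node = panel = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            result[node] = {}
            continue
        m = PANEL_RE.match(line)
        if m and node is not None:
            panel = m.group(1)
            result[node][panel] = {}
            continue
        m = LED_RE.match(line)
        if m and node is not None and panel is not None:
            result[node][panel][m.group(1)] = m.group(2) == "*"
    return result


def alarm_findings(parsed):
    """List (node, panel, led) for every lit RED or ORANGE LED; each one is
    worth a 'show chassis alarms' follow-up on that node."""
    findings = []
    for node, panels in parsed.items():
        for panel, leds in panels.items():
            for led, lit in leds.items():
                if lit and led in ("RED", "ORANGE"):
                    findings.append((node, panel, led))
    return findings


if __name__ == "__main__":
    for node, panel, led in alarm_findings(parse_craft_interface(SAMPLE)):
        print(f"{node}: {panel} indicator {led} is lit")
```

Run it against a pasted capture (replace SAMPLE) and it prints one line per lit alarm; an empty result means no red or orange indicator is on either node.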


JunOS: Cleanup Storage Space

Sometimes you will want to install a switch or router update, and you will find that there is not enough space:

root@Switch01> request system software add /var/tmp/ex-2300-18.3R1.9.tgz reboot
ERROR: estimate of space required: 115 Mbytes, available: 89 Mbytes

One option is to request a ‘cleanup’. The dry-run option below lists the files that are candidates to be removed. If you’re happy with the list, run the command again without ‘dry-run’ to do the actual cleanup.

root@Switch01> request system storage cleanup dry-run
fpc0:
--------------------------------------------------------------------------

List of files to delete:

         Size Date         Name
     6B Jan  1 13:07 /var/jail/tmp/alarmd.ts
  7416B Jan  1 14:01 /var/log/interactive-commands.0.gz
  25.1K Jan  1 14:01 /var/log/messages.0.gz
    27B Jan  1 10:03 /var/log/wtmp.0.gz
    27B Jan  1 10:06 /var/log/wtmp.1.gz
    45B Jan  1 10:05 /var/preserve/jdhcp_client_data
    45B Jan  1 10:05 /var/preserve/jdhcp_client_data_bkp
    50B Jan  1 10:36 /var/tmp/bcast.bdisp.log
    73B Jan  1 10:36 /var/tmp/bcast.disp.log
    57B Jan  1 10:36 /var/tmp/bcast.rstdisp.log
    64B Jan  1 10:36 /var/tmp/bcast.undisp.log
 321.4M Jan  1 13:44 /var/tmp/ex-2300-18.3R1.9.tgz
  4740B Jan  1 10:04 /var/tmp/ex_autod_config
  3701B Jan  1 10:03 /var/tmp/ex_autod_rollback_cfg
6298.8K Jan  1 13:44 /var/tmp/jweb-ex-app-x86-32-18.3A1.tgz
    57B Jan  1 10:03 /var/tmp/krt_rpf_filter.txt
    72B Jan  1 13:53 /var/tmp/package.log
    42B Jan  1 10:05 /var/tmp/pfe_debug_commands
     0B Jan  1 10:06 /var/tmp/pkg_cleanup.log.err
     0B Jan  1 10:03 /var/tmp/rtsdb/if-rtsdb
     0B Jan  1 10:04 /var/tmp/stable

WARNING: This cleanup cleans out the /var/tmp directory, which may contain the image that you’re trying to install.
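Because the dry-run list can include the very image you are about to install (as it does above, where ex-2300-18.3R1.9.tgz is among the candidates), it is worth checking the listing before running the real cleanup. The following is an added example, not part of the original notes: it parses the dry-run listing, totals the space that would be freed and reports whether a given install path would be deleted. The listing is a constructed sample in the format shown above, and the install image path passed in is an assumption.

```python
"""Check a 'request system storage cleanup dry-run' listing before running the
real cleanup. Added example, not from the original notes; SAMPLE_LISTING is a
constructed sample in the format the command prints."""
import re

SAMPLE_LISTING = """\
fpc0:
--------------------------------------------------------------------------

List of files to delete:

         Size Date         Name
     6B Jan  1 13:07 /var/jail/tmp/alarmd.ts
  7416B Jan  1 14:01 /var/log/interactive-commands.0.gz
  25.1K Jan  1 14:01 /var/log/messages.0.gz
 321.4M Jan  1 13:44 /var/tmp/ex-2300-18.3R1.9.tgz
6298.8K Jan  1 13:44 /var/tmp/jweb-ex-app-x86-32-18.3A1.tgz
     0B Jan  1 10:04 /var/tmp/stable
"""

# size, unit, month, day, time, path
ENTRY_RE = re.compile(r"^\s*([\d.]+)([BKMG])\s+\w{3}\s+\d+\s+\d\d:\d\d\s+(\S+)$")
UNIT = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_cleanup_listing(text):
    """Return [(path, size_in_bytes)] for each file line in the listing;
    headings and separator lines do not match ENTRY_RE and are skipped."""
    files = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size = float(m.group(1)) * UNIT[m.group(2)]
            files.append((m.group(3), int(size)))
    return files


def check_cleanup(text, install_image):
    """Summarise what the cleanup would do: bytes freed, paths removed, and
    whether install_image (an assumed path) is among the victims."""
    files = parse_cleanup_listing(text)
    paths = [p for p, _ in files]
    return {
        "total_bytes": sum(s for _, s in files),
        "paths": paths,
        "deletes_install_image": install_image in paths,
    }


if __name__ == "__main__":
    report = check_cleanup(SAMPLE_LISTING, "/var/tmp/ex-2300-18.3R1.9.tgz")
    print(f"cleanup would free about {report['total_bytes'] // (1024 * 1024)} MB "
          f"across {len(report['paths'])} files")
    if report["deletes_install_image"]:
        print("WARNING: the install image is on the delete list; "
              "re-copy it to /var/tmp after the cleanup")
```

If the image is on the list, the practical order is: run the cleanup, then copy the image back to /var/tmp, then run the `request system software add` again.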

Cleaning up Packages

Sometimes a regular cleanup will not free up enough space, especially after the system has been updated.

In this case, we can look at cleaning up unused packages:

User@Switch01> start shell user root
root@Switch01:RE:0% pkg setop rm previous
root@Switch01:RE:0% pkg delete old

If you run df -h before and after these commands, you can see how much was cleaned up.

Further Cleanup

There may be packages installed that you don’t need. For example, you may not need jweb and phone-home. If you don’t need these, you can uninstall them:

request system software delete jweb-ex
request system software delete jweb-ex-app
request system software delete jphone-home

If you still don’t have enough space, it’s time to look for bigger files:

User@Switch01> start shell user root
root@Switch01:RE:0% find / -size +100000
/var/rundb/render.db
/packages/db/junos-runtime-arm-32-20180920.185504_builder_junos_183_r1/contents/contents.izo
/packages/mnt/jpfe-EX34XX32-cc3f6403/usr/sbin/fxpc

In the case above, we found three large files. If you know what you’re doing, you can delete some of these files.

If you’re not sure, contact J-TAC for assistance.

root@AWABA-NET-SW-AM01:RE:0% cli
User@Switch01> file delete /packages/db/junos-runtime-arm-32-20180920.185504_builder_junos_183_r1/contents/contents.izo

How to delete Service in Windows Server 2012

Syntax


sc [<ServerName>] delete [<ServiceName>]

Parameters

Parameter      Description
<ServerName>   Specifies the name of the remote server on which the service is located. The name must use the Universal Naming Convention (UNC) format (for example, \\myserver). To run SC.exe locally, omit this parameter.
<ServiceName>  Specifies the service name returned by the getkeyname operation.
?              Displays help at the command prompt.

Remarks

Use Add or Remove Programs on Control Panel to delete DHCP, DNS, or any other built-in operating system services. Note that Add or Remove Programs will not only remove the registry subkey for the service, but it will also uninstall the service and delete any shortcuts to it.

Examples

To delete the service subkey NewServ from the registry on the local computer, type:

sc delete newserv

Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742045(v=ws.11)


Troubleshooting a Site to Site VPN on a SRX

1. Confirm Configuration

First of all, check the VPN configuration. This is also useful if and when you need to confirm the Phase 1 and Phase 2 parameters with the remote end.

admin@srx> show configuration security ike
admin@srx> show configuration security ipsec


2. Confirm Phase 1

To confirm the successful completion of Phase 1 run the following command. If Phase 1 fails to complete revisit your Phase 1 parameters using the commands shown in Section 1.

admin@srx> show security ike security-associations
node1:
--------------------------------------------------------------------------
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
6950    [LOCAL PEER IP]  UP     33204fba87663d94  70acacd5f938f89b  Main

3. Confirm Phase 2

To confirm the successful completion of Phase 2, run the following command. If Phase 2 fails to complete, revisit your Phase 2 parameters using the commands shown in Section 1.

admin@srx> show security ipsec security-associations
node1:
--------------------------------------------------------------------------
Total active tunnels: 2
ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
<131073 [LOCAL PEER IP] 500   ESP:aes-128/sha1 4fb2c1cc 2041/ unlim  -   root
>131073 [LOCAL PEER IP] 500   ESP:aes-128/sha1 3e576ead 2041/ unlim  -   root

If Phase 2 has completed, you can confirm further details on each of the SAs (Security Associations) by using the SA index.

admin@srx> show security ipsec security-associations index 131073
node1:
--------------------------------------------------------------------------
Virtual-system: root
Local Gateway: [REMOTE PEER IP], Remote Gateway: [LOCAL PEER IP]
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
DF-bit: clear
Direction: inbound, SPI: 4fb2c1cc, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 2028 seconds
Lifesize Remaining:  Unlimited
Soft lifetime: Expires in 1448 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: 3e576ead, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 2028 seconds
Lifesize Remaining:  Unlimited
Soft lifetime: Expires in 1448 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64

4. IPSEC Statistics

To confirm statistics based on the Phase 2 SA run the following command. The output will contain a number of counters. The most interesting of these (for troubleshooting purposes) are the Encrypted and Decrypted counters.

admin@srx> show security ipsec statistics index 131073
node1:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes:        133593600
Decrypted bytes:       1128704777
Encrypted packets:         923864
Decrypted packets:        1438716
AH Statistics:
Input bytes:                    0
Output bytes:                   0
Input packets:                  0
Output packets:                 0
Errors:
AH authentication failures: 0, Replay errors: 1021
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
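Reading the counters by eye works for one SA, but the same output has a few lines that deserve an automatic check: encrypted versus decrypted packet counts (one direction at zero points at routing or policy on one side), and the Errors block (authentication or decryption failures suggest a proposal or key mismatch, and replay errors mean ESP packets arriving outside the anti-replay window, usually reordering on the path). The following is an added example, not code from the original notes: it parses the statistics output shown above (the sample is a constructed copy of that capture, which does contain 1021 replay errors) and returns a list of findings.

```python
"""Parse 'show security ipsec statistics index <n>' output and flag the
counters that matter when a tunnel is up but traffic misbehaves. Added example,
not from the original notes; SAMPLE_STATS is a constructed copy of the format."""
import re

SAMPLE_STATS = """\
node1:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes:        133593600
Decrypted bytes:       1128704777
Encrypted packets:         923864
Decrypted packets:        1438716
AH Statistics:
Input bytes:                    0
Output bytes:                   0
Input packets:                  0
Output packets:                 0
Errors:
AH authentication failures: 0, Replay errors: 1021
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""

# 'name: value' pairs; a line may carry several, separated by commas
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")


def parse_ipsec_statistics(text):
    """Return {counter_name: int} for every counter in the output."""
    counters = {}
    for line in text.splitlines():
        if not line.strip() or line.rstrip().endswith(":"):
            continue  # 'node1:', 'ESP Statistics:', 'Errors:' carry no value
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def assess_tunnel(counters):
    """Return human-readable findings for a Phase 2 SA; empty list = clean."""
    findings = []
    enc = counters.get("Encrypted packets", 0)
    dec = counters.get("Decrypted packets", 0)
    if enc == 0 and dec == 0:
        findings.append("no ESP traffic in either direction: check routing and policy")
    elif enc == 0:
        findings.append("nothing encrypted: local traffic is not being steered into the tunnel")
    elif dec == 0:
        findings.append("nothing decrypted: peer is not sending, or its packets are dropped")
    for name in ("ESP authentication failures", "ESP decryption failures",
                 "Bad headers", "Bad trailers"):
        if counters.get(name, 0):
            findings.append(f"{name}: {counters[name]} (proposal or key mismatch)")
    replay = counters.get("Replay errors", 0)
    if replay:
        findings.append(f"Replay errors: {replay} (ESP arriving outside the "
                        "anti-replay window, typically reordering on the path)")
    return findings


if __name__ == "__main__":
    for finding in assess_tunnel(parse_ipsec_statistics(SAMPLE_STATS)):
        print(finding)
```

Run the statistics command twice a few seconds apart and diff the parsed dicts: a growing "Encrypted packets" count with a flat "Decrypted packets" count is the clearest sign that the far end is not returning traffic.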

5. Perform Debug (Traffic)

If Phase 1 and Phase 2 are both establishing but traffic is still not passing the VPN tunnel, a packet-filter traffic debug of the tunnel will provide further granularity into each of the steps the packet takes.

admin@srx> configure
admin@srx# edit security flow traceoptions

[edit security flow traceoptions]
admin@srx# set file vpn-debug
admin@srx# set flag basic-datapath
admin@srx# set flag packet-drops
admin@srx# set level 15

admin@srx# set packet-filter filter1 source-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter1 destination-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter1 protocol esp
admin@srx# set packet-filter filter2 destination-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter2 source-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter2 protocol esp

admin@srx# set packet-filter filter3 destination-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter3 destination-port ssh
admin@srx# set packet-filter filter3 protocol tcp
admin@srx# set packet-filter filter4 source-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter4 destination-port ssh
admin@srx# set packet-filter filter4 protocol tcp

admin@srx# run show log vpn-debug

6. Perform Debug (Crypto)

To debug the crypto engine the following commands are run.

admin@srx> configure
admin@srx# edit security ike traceoptions

[edit security ike traceoptions]
admin@srx# set file vpn-debug-ike
admin@srx# set flag all
admin@srx# set level 15
admin@srx# top

[edit]
admin@srx# edit security ipsec traceoptions

[edit security ipsec traceoptions]
admin@srx# set file vpn-debug-ipsec
admin@srx# set flag all
admin@srx# set level 15

admin@srx# run show log vpn-debug-ike
admin@srx# run show log vpn-debug-ipsec

7. Additional

A useful tip when viewing the debug logs is to tail the file via the shell whilst also removing the empty lines. This a) makes it easier to view and b) also (as long as your SSH client buffer is configured correctly) allows you to go back over previous output should the debug log reach its maximum size.

root@srx100> start shell
root@srx100% tail -f /var/log/[logfile] | grep -Evi ^$


Force Active Directory replication on a domain controller

To force Active Directory replication run the command ‘repadmin /syncall /AeD’ on the domain controller.  Run this command on the domain controller in which you wish to update the Active Directory database.  For example, if DC2 is out of Sync, run the command on DC2.

A = All Partitions
e = Enterprise (Cross Site)
D = Identify servers by distinguished name in messages.

By default, this does a pull replication – which is how AD works by default.  If you want to do a push replication use the following command:

repadmin /syncall /APeD

P = Push

You want to do a push replication if you make changes on a DC and you want to replicate those changes to all other DCs. For example, if you make a change on DC1 and you want all other DCs to get that change instantly, run repadmin /syncall /APeD on DC1.

For all repadmin syntax please see:

http://technet.microsoft.com/en-us/library/cc736571(v=ws.10).aspx


Juniper SRX – Configuring BT FTTP PPPoE

This configuration is set up on Juniper SRX 340 running JUNOS 20.2R1.10

Note: The username is the same for everyone: btbusinesshub@business.btclick.com
The password can be anything.
Authentication method: CHAP.
Outside/untrust interface: ge-0/0/7.0.


set interfaces ge-0/0/7 unit 0 encapsulation ppp-over-ether

-- Optional --
set security zones security-zone Internet interfaces pp0.0 host-inbound-traffic system-services ping
set security zones security-zone Internet interfaces pp0.0 host-inbound-traffic system-services ssh
set interfaces pp0 traceoptions flag all
set interfaces pp0 unit 0 bandwidth 900m
-- Optional --
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$kmPTn/A"
set interfaces pp0 unit 0 ppp-options chap local-name "btbusinesshub@business.btclick.com"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/7.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 no-keepalives
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address

Troubleshooting

show ppp statistics
show pppoe statistics

show interfaces pp0
Check for
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
CHAP state: Success
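The three "Check for" lines above are the whole health test for the session, so they are worth automating when the PPPoE link flaps at odd hours. The following is an added example, not code from the original notes: it pulls the LCP, per-family NCP and CHAP states out of `show interfaces pp0` output and reports which ones differ from the healthy values listed above. Both sample outputs are constructed (one healthy, one where CHAP never succeeded); only the three state lines are taken from the notes, and the surrounding interface header line is an assumption about the output's shape.

```python
"""Check LCP/NCP/CHAP states from 'show interfaces pp0' against the expected
values for a working BT FTTP session. Added example, not from the original
notes; HEALTHY and CHAP_FAILED are constructed samples."""
import re

HEALTHY = """\
Logical interface pp0.0
    LCP state: Opened
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Success
"""

# Constructed failure case: LCP came up but CHAP never succeeded, so inet NCP
# was never negotiated and the interface has no address.
CHAP_FAILED = """\
Logical interface pp0.0
    LCP state: Opened
    NCP state: inet: Not-configured, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Closed
"""

# The states a working session shows (from the troubleshooting notes above).
EXPECTED = {"LCP": "Opened", "NCP inet": "Opened", "CHAP": "Success"}


def parse_pp0_states(text):
    """Extract LCP, per-family NCP and CHAP states into a flat dict such as
    {'LCP': 'Opened', 'NCP inet': 'Opened', 'NCP inet6': 'Not-configured', ...}."""
    states = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(LCP|CHAP) state:\s*(\S+)$", line)
        if m:
            states[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^NCP state:\s*(.*)$", line)
        if m:
            for family, state in re.findall(r"(\w+):\s*([\w-]+)", m.group(1)):
                states[f"NCP {family}"] = state
    return states


def pppoe_problems(text):
    """Return {name: (expected, actual)} for each state that differs from
    EXPECTED; an empty dict means the session looks healthy."""
    states = parse_pp0_states(text)
    return {name: (want, states.get(name, "missing"))
            for name, want in EXPECTED.items() if states.get(name) != want}


if __name__ == "__main__":
    for name, (want, got) in pppoe_problems(CHAP_FAILED).items():
        print(f"{name}: expected {want}, got {got}")
```

Feed it the real output and a CHAP mismatch shows up as both "CHAP" and "NCP inet" being wrong, which points straight at the credentials or the authentication method rather than at the cabling.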

Cabling guide:

Plug the RJ45 cable direct from the Openreach socket to ge-0/0/7


Juniper SRX certificate ‘aamw-srx-cert’: certificate does not exist

error: certificate 'aamw-srx-cert': certificate does not exist.
error: trusted-ca ‘aamw-cloud-ca’ does not exist!
error: trusted-ca ‘aamw-secintel-ca’ does not exist!

Error:

{primary:node0}[edit]
root# commit and-quit
[edit security pki]
‘ca-profile aamw-secintel-ca’
Missing mandatory statement: ‘ca-identity’
[edit security pki]
‘ca-profile aamw-cloud-ca’
Missing mandatory statement: ‘ca-identity’
error: commit failed: (missing mandatory statements)

FIX:

{primary:node0}[edit]
root# delete security pki

{primary:node0}[edit]
root# commit and-quit
warning: You have changed enhanced services mode.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
node0:
commit complete
Exiting configuration mode

Once the node has joined the cluster, sync it with the working SRX; that will update all the certificates.

Location of Certificates

The certificates/key-pairs used for IKE negotiations are stored in following locations,

/var/db/certs/common/key-pair
/var/db/certs/common/local
/var/db/certs/common/certification-authority

If the cert is missing, use WinSCP to copy the /var/db/certs folder.


Aruba Resetting Admin Password

Resetting Admin Password

This section describes how to reset the password for the default administrator user account (admin) on the managed device. Use this procedure if the administrator user account password is lost or forgotten.

1. Connect a local console to the serial port on the managed device.

2. From the console, log in to the managed device as a password recovery user. For information, read Password Recovery user.

3. Enter configuration mode by typing in configure terminal.

4. To reset the administrator user account password, use the mgmt-user admin root command.

5. Enter a new password for this account and retype the same to confirm.

6. Exit from the configuration mode and the user mode.

If you have defined a management user password policy, make sure that the new password conforms to this policy. For details, see Implementing Specific Management Password Policy.

The following is an example of how to reset the admin password as the default password recovery user. If you have configured an alternate password recovery user, use its credentials to log in to the controller. The commands shown after each prompt are what you enter:

User: password

Password: forgetme!

(host) #configure terminal

Enter Configuration commands, one per line. End with CNTL/Z

(host) (config) #mgmt-user admin root

Password:********

Re-Type password:********

(host) (config) #exit

(host) #exit

Password Recovery user

A password recovery user is a management user with root rights that is used to reset the admin password in the event of a lost or forgotten password. Starting with ArubaOS 8.4.0.0, a configurable alternate password recovery user can be created in addition to the default password recovery feature.

Password recovery access using either the default password recovery user or the alternate password recovery user is allowed only through the serial console of a controller.
Password recovery users can be configured only through SSH sessions and serial console sessions with a controller and not through the WebUI.
Aruba recommends enabling the default password recovery user before generating and sharing the tech-support logs or configuration files with customer support.
It is recommended that either the default password recovery user is disabled or the alternate password recovery user is configured when setting up the network. This is to ensure that there are no vulnerabilities.

Default password recovery user

In the event of a lost or forgotten password, the administrator can log in to the controller and reset the admin password as the default password recovery user using the username password and the password forgetme!. The default password recovery user is defined and enabled by default. Disabling the default password recovery user is recommended if the network uses a TACACS server to authenticate its management users.

To disable the default password recovery user, execute the following command in the configuration mode:

(host) (config) #password-recovery-disable

To enable the default password recovery user, execute the following command in the configuration mode:

(host) (config) #no password-recovery-disable

Alternate password recovery user

Starting with ArubaOS 8.4.0.0, an alternate password recovery user with a username and password can be created to reset the admin password. The alternate user’s username can be 16 characters long and the password can be 32 characters long. Configuring the alternate password recovery user automatically disables the default password recovery user. Configuring the alternate password recovery user is highly recommended if the network is managed locally.

The alternate password recovery user will not be shown in the management user section of the WebUI. This user role cannot be configured through the WebUI.

To configure the alternate password recovery user, execute the following command in the configuration mode:

(host) (config) #password-recovery-user <username>

Password:******

Re-Type password:******

To disable the alternate password recovery user, execute the following command in the configuration mode:

(host) (config) #no password-recovery-user

The following is an example to configure the alternate password recovery user:

(host) #configure terminal

Enter Configuration commands, one per line. End with CNTL/Z

(host) (config) #password-recovery-user recadmin

Password:******

Re-Type password:******

(host) (config) #exit

Use the show mgmt-user command to view the configured management users and the status of the default password recovery user.

The following is an example of the show mgmt-user command with the default password recovery user enabled.

(host) #show mgmt-user

Default password recovery user: Enabled

Management User Table
---------------------
USER   PASSWD  ROLE   STATUS
----   ------  ----   ------
admin  *****   root   ACTIVE

The following is an example of the show mgmt-user command when the alternate password recovery user is configured.

(host) #show mgmt-user

Default password recovery user: Disabled

Management User Table
---------------------
USER      PASSWD  ROLE   STATUS
----      ------  ----   ------
admin     *****   root   ACTIVE
recadmin  *****   passR  ACTIVE

source: https://www.arubanetworks.com/techdocs/ArubaOS_83_Web_Help/Content/ArubaFrameStyles/Management_Utilities/enab_radsec_reset_admin_enabl_pwd.htm