DataPlumber

Author Archives: DataPlumber

Atom editor – high CPU usage

Just downloaded Atom – a ‘hackable’ editor that has a really slick user interface on the Mac. It’s a really nice application, but weighs in at 200MB!

I was doing some work on a few router config files – about 2MB each file – when I noticed the fan spin up on the computer.  Looking at the process list, ‘Atom Helper’ and Apple’s spell-check processes were both running very high.  There’s not much point in having spell-check on a router config I guess, so I disabled it – problem fixed…


Another useful SRX command for looking at IPSec tunnels

This is a new one on me – obviously I’ve not been paying much attention since it has been around since 10.2!

On 12.1X45-D15.5 the counters for packets/bytes all show zero, but at least you can see that your tunnel is up and what the various parameters in use are…  See below:

imtech@srx650-1-POD1> show security flow session tunnel extensive 
Session ID: 38046, Status: Normal
Flag: 0x10000
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN, 
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 105905, Duration: 52592
 In: 10.1.0.9/49698 --> 10.1.0.1/27622;esp, 
 Interface: ge-2/0/13.0, 
 Session token: 0xa, Flag: 0x100621
 Route: 0x110010, Gateway: 10.1.0.2, Tunnel: 0
 Port sequence: 0, FIN sequence: 0, 
 FIN state: 0, 
 Pkts: 0, Bytes: 0

Session ID: 38047, Status: Normal
Flag: 0x10000
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN, 
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 105905, Duration: 52592
 In: 10.1.0.9/0 --> 10.1.0.1/0;esp, 
 Interface: ge-2/0/13.0, 
 Session token: 0xa, Flag: 0x621
 Route: 0x110010, Gateway: 10.1.0.2, Tunnel: 0
 Port sequence: 0, FIN sequence: 0, 
 FIN state: 0, 
 Pkts: 0, Bytes: 0
Total sessions: 2

Useful SRX debugging blog

Just came across a useful debugging guide for site-to-site IPSec VPNs on Juniper SRX. It is a bit confusing because in steps 2 and 3, where it says [LOCAL PEER IP] it should actually say [REMOTE PEER IP].   But otherwise, this is a very useful set of instructions.

It doesn’t mention that you should observe the lifetime of the IKE and IPSec security associations, and also keep an eye on the SA index or ID.  If the index number keeps changing, it means your tunnel is going down and coming back up all the time.   If the lifetime regularly starts again at the maximum value and does not count down to zero steadily, this indicates the same thing.

Particularly interesting is the way the author splits out the sections on troubleshooting the packet flow within the VPN, versus the packet flow of the VPN crypto itself.  I’ve not used packet-filters in flow debug before, so will definitely be trying that out.

Link to SRX debug article at fir3net.com
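The lifetime and SA-index heuristic described above lends itself to a script that polls the SA table and flags early renegotiations. The Python below is an added example; it is not code from the original post or from the fir3net guide. The sample polls are constructed to follow the general column layout of `show security ipsec security-associations` (SA index, algorithm, SPI, `Life:sec/kb`, monitor, logical system, port, gateway), with made-up SPIs and lifetimes and a 192.0.2.1 gateway; the 3600-second lifetime is an assumption. An SA is counted as "replaced" when its index or SPI changes or its lifetime jumps upward, and the replacement is only reported when the old SA still had more than half its lifetime left, so the single rekey that normally happens near expiry is not mistaken for a flap.

```python
import re
from typing import Dict, List, Tuple

SAKey = Tuple[str, str]  # (direction: '<' inbound / '>' outbound, gateway address)

# One SA line in the Junos layout, e.g.
#   <131073 ESP:aes-cbc-128/sha1 a1b2c3d4 3300/ unlim - root 500 192.0.2.1
SA_LINE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-fA-F]+)\s+"
    r"(?P<life>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+(?P<port>\d+)\s+(?P<gw>\S+)"
)

MAX_LIFE = 3600  # configured IPsec SA lifetime in seconds (assumption for the sample)


def make_poll(entries):
    """Build one constructed poll of the command output (test data, not a real capture)."""
    header = ("  Total active tunnels: 1\n"
              "  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway\n")
    rows = "".join(
        f"  {d}131073 ESP:aes-cbc-128/sha1 {spi} {life}/ unlim - root 500 192.0.2.1\n"
        for d, spi, life in entries)
    return header + rows


# Five polls a minute apart. Polls 3 and 5 show a fresh SPI with the lifetime back near
# MAX_LIFE although the previous SA still had over 3000 s left: the tunnel is flapping.
FLAPPING_POLLS = [
    make_poll([("<", "a1b2c3d4", 3300), (">", "e5f6a7b8", 3300)]),
    make_poll([("<", "a1b2c3d4", 3240), (">", "e5f6a7b8", 3240)]),
    make_poll([("<", "0c0ffee1", 3570), (">", "0badf00d", 3570)]),
    make_poll([("<", "0c0ffee1", 3510), (">", "0badf00d", 3510)]),
    make_poll([("<", "deadbeef", 3585), (">", "feedface", 3585)]),
]

# A healthy tunnel: the lifetime counts down and the only rekey happens close to expiry.
HEALTHY_POLLS = [
    make_poll([("<", "a1b2c3d4", 180), (">", "e5f6a7b8", 180)]),
    make_poll([("<", "a1b2c3d4", 120), (">", "e5f6a7b8", 120)]),
    make_poll([("<", "11111111", 3590), (">", "22222222", 3590)]),
    make_poll([("<", "11111111", 3530), (">", "22222222", 3530)]),
]


def parse_sas(output: str) -> Dict[SAKey, dict]:
    """Map (direction, gateway) to the SA index, SPI and remaining lifetime."""
    sas: Dict[SAKey, dict] = {}
    for line in output.splitlines():
        m = SA_LINE.match(line)
        if m:
            sas[(m["dir"], m["gw"])] = {
                "id": int(m["id"]), "spi": m["spi"].lower(), "life": int(m["life"]),
            }
    return sas


def early_renegotiations(polls: List[str], max_life: int,
                         early_fraction: float = 0.5) -> Dict[SAKey, List[int]]:
    """For each SA, the poll indices at which it was replaced while the previous SA
    still had more than early_fraction of its lifetime left."""
    early: Dict[SAKey, List[int]] = {}
    prev = None
    for n, text in enumerate(polls):
        cur = parse_sas(text)
        if prev is not None:
            for key, sa in cur.items():
                old = prev.get(key)
                if old is None:
                    continue  # SA not seen in the previous poll; nothing to compare
                replaced = (sa["id"] != old["id"] or sa["spi"] != old["spi"]
                            or sa["life"] > old["life"])
                if replaced and old["life"] > max_life * early_fraction:
                    early.setdefault(key, []).append(n)
        prev = cur
    return early


def is_flapping(early: Dict[SAKey, List[int]], min_events: int = 2) -> bool:
    """Two or more early renegotiations of the same SA is the 'keeps changing' pattern."""
    return any(len(v) >= min_events for v in early.values())


if __name__ == "__main__":
    for label, polls in (("flapping", FLAPPING_POLLS), ("healthy", HEALTHY_POLLS)):
        early = early_renegotiations(polls, MAX_LIFE)
        print(f"{label}: early renegotiations={early} flapping={is_flapping(early)}")
```

In practice the polls would come from the CLI or NETCONF every minute or so; the threshold fraction should be set below the point at which your rekey timer fires, otherwise a normal rekey is reported as a flap.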



A nice SRX command I’ve never come across before

Not sure why this command has to be so obscure, but I stumbled on this while writing a training course tonight – quite a nice way to see if packets are hitting your policies:

imtech@srx220-1-POD3> show security policies hit-count 
Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       VR3a             VR3b              P1             0            
 2       VR3a             untrust           3to1VPN        8320         
 3       VR3a             untrust           P1             3249         
 4       VR3b             VR3a              P1             0            
 5       VR3b             untrust           P1             0            
 6       untrust          junos-host        P1             8            
 7       untrust          VR3a              1to3           5523         
 8       untrust          VR3a              P1             5            
 9       untrust          VR3b              permit-to-3b   0            
 10      untrust          VR3b              DEFAULT-DENY   16
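The hit-count table is easy to turn into a policy-hygiene report. The Python below is an added example, not code from the original post: it parses the output shown above (the sample is the post's own table), lists policies that have never matched anything, totals hits per zone pair, and pulls out deny policies that are actually dropping traffic. The deny-policy check simply matches "deny" in the policy name, which is an assumption about naming rather than anything the device reports.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Pattern, Tuple


class PolicyHit(NamedTuple):
    index: int
    from_zone: str
    to_zone: str
    name: str
    hits: int


# Output of "show security policies hit-count" as shown in the post above.
SAMPLE_OUTPUT = """\
Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       VR3a             VR3b              P1             0
 2       VR3a             untrust           3to1VPN        8320
 3       VR3a             untrust           P1             3249
 4       VR3b             VR3a              P1             0
 5       VR3b             untrust           P1             0
 6       untrust          junos-host        P1             8
 7       untrust          VR3a              1to3           5523
 8       untrust          VR3a              P1             5
 9       untrust          VR3b              permit-to-3b   0
 10      untrust          VR3b              DEFAULT-DENY   16
"""

# One data row: index, from-zone, to-zone, policy name, hit count. The header row
# does not match because its first column is not numeric.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

DENY_NAME: Pattern[str] = re.compile(r"deny", re.IGNORECASE)  # naming convention (assumption)


def parse_hit_counts(output: str) -> List[PolicyHit]:
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            idx, frm, to, name, hits = m.groups()
            rows.append(PolicyHit(int(idx), frm, to, name, int(hits)))
    return rows


def unused_policies(rows: List[PolicyHit]) -> List[PolicyHit]:
    """Policies with no hits since the counters were last reset: cleanup candidates."""
    return [r for r in rows if r.hits == 0]


def hits_by_zone_pair(rows: List[PolicyHit]) -> Dict[Tuple[str, str], int]:
    """Total hits per (from-zone, to-zone); the same policy name can appear in several pairs."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in rows:
        totals[(r.from_zone, r.to_zone)] += r.hits
    return dict(totals)


def deny_policies_with_hits(rows: List[PolicyHit],
                            pattern: Pattern[str] = DENY_NAME) -> List[PolicyHit]:
    """Deny policies that are matching traffic, which is worth a look in the logs."""
    return [r for r in rows if r.hits > 0 and pattern.search(r.name)]


if __name__ == "__main__":
    rows = parse_hit_counts(SAMPLE_OUTPUT)
    print("unused:", [(r.from_zone, r.to_zone, r.name) for r in unused_policies(rows)])
    print("per zone pair:", hits_by_zone_pair(rows))
    print("deny hits:", [(r.from_zone, r.to_zone, r.name, r.hits)
                         for r in deny_policies_with_hits(rows)])
```

A zero only means "no match since the counter was last reset", so check how long the counters have been accumulating before removing a policy on the strength of this report.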

Wireshark 1.12.6 on Yosemite (OS X 10.10.4)

To run Wireshark on OS X you have to install X11 for some reason, and Apple has apparently stopped developing this.  It is now a separate thing called XQuartz.

It seems that at some point, either some files moved or a symlink got deleted, so Wireshark won’t start.  When you click it, the top menu says “Wireshark” but the user interface never appears.

To get Wireshark running do the following:

Download XQuartz 2.2.7 and install it on your OS X 10.10.4 system.

Open a terminal window and enter this command to re-make the symbolic link:

sudo ln -s /opt/X11 /usr/X11

(you will need to be an admin user of the system and put in your password at this point).

Now install Wireshark and you should be good to go.


Junosphere – inaccessible VMXes

Update:  The problem described in this article was logged with JTAC.  It took a while but eventually they informed me they had resolved an issue with provisioning VMX in the Junosphere system.  I have tried it since and the issue does appear to have gone away.  However I am leaving this post up in case it has simply become more intermittent.   Please let me know if you experience a situation like what is described below.

I usually use the ‘experimental’ VMX in my Junosphere topologies because I don’t like the VJX all that much.  The VJX has security code in it, so it’s not quite like an MX really.   Also I’ve seen oddities where it came up in flow mode with a default firewall policy of denying everything, and I was never able to work out why.

So instead I use the VMX for everything – which is better these days because it doesn’t use two VM units for the data and control planes like it used to.  Why VMX is still ‘experimental’ after so long is a mystery to me.

However one thing just keeps cropping up with this that is just a bit annoying.   Every so often I start a topology I know was working, but one or more routers aren’t accessible for some reason.  The problem is usually caused by the way Junosphere has put the management address onto the VM. To get access to the VM you instead need to telnet to it via the console server at 10.233.255.254 using a specific port number.

The fxp0 IP address should be created in the Continue reading

Junos Space backup location

Just a note for future reference:

Space’s local database backups are kept in /var/cache/jboss/backups  (Platform version 13.1R1)

You can retrieve these using WinSCP in SFTP mode.   For some reason there’s a shell error when using SCP. This appears to have started happening since the bash shell vuln was discovered – although I’ve never applied Juniper’s bash patch to the system.   Upgraded WinSCP to the latest, but no luck.


VIRL versus Junosphere

I’ve been using Junosphere a lot recently, and it’s a great tool – quick and easy creation of topologies without the need to go to a physical lab to try things out. Takes the guesswork out of a lot of things, which is a real bonus. There are obviously a few things you can’t do in a virtual environment that would be possible in a real one (e.g. QoS, MTU greater than 2000 bytes, MS-MIC in an MX), but it caters for 80% of what you need.

I always thought that it put Juniper leagues ahead of Cisco because you can buy credits to use the system right on the front page. Cisco were late to the party with something called VIRL – Virtual Internet Routing Lab.  They were late, but rumour had it that a lot of developers moved from Juniper to Cisco to bring VIRL about.  However Junosphere always had the edge for the networking student (as we all remain, whether we are JNCIE or not) because of its accessibility – with VIRL you had to be a Cisco customer and gain access through your account manager.  I’ll stick with GNS3 thanks!

That appears Continue reading

First steps with Python and Junos

I’m just spending the day trying to get my head around some very basic automation, so I thought I would install Python 2.7 and work through some of the tutorials on the Techwiki to see how I get on.

The tutorial I’m following is called Python for Non-Programmers and offers an easy way in for people like me.  Of course as with a lot of open-source stuff, you don’t just download Python and get started – there are various dependencies, and dependencies with dependencies that you need to install first.  If at the end of all that you’ve not forgotten what your name is or why you were doing all these shenanigans in the first place you can count yourself as winning.

Installation on a Windows machine is documented nicely here, but there are a few things which are out of date.

One part where it tells you to run an executable to install ‘lxml’, but there isn’t one when you click the link provided.  So instead you need to install it with a program called pip, which can be found in C:\Python27\Scripts by default.  pip is not in the PATH environment variable by default Continue reading

What’s the difference between MTP and MPO connectors for 100G?

Cabling up a 100G link for a customer test we discovered we needed to buy a couple of 100G cables.  The interfaces involved were multimode, and use parallel optical paths – i.e. 10 parallel fibres each carrying 10Gbps within a single cable.

It turns out the world of such cables is a bit confusing in its terminology.  Some people call these cables MTP, and others call them MPO.   After a bit of digging, it turns out that they’re basically the same, but MTP is a brand name for a connector that complies with the MPO standard.  The brand is owned by a company called US Conec.    Confusion over…

There’s quite a nice photo close-up of this connector type available on Completeconnect’s website – here.   You can see the parallel fibres in the end of the interface.  The cable has 24 fibres in, but only 20 are used – 10 in each direction giving full duplex connectivity at 100Gbps.

The male-ness and female-ness of these types of connector is quite difficult to determine.  If you see a pair of pins protruding from the connector at either end of the two rows of fibres, Continue reading

MX with enhanced SCB2 – cards not coming online

We just installed an MX in the lab for a customer type-approval test (TAT) and none of the cards came online. 

The output of “show chassis hardware” showed that there were FPCs installed, but not the MICs that were in them:

[email protected]> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN1249BDBAFA      MX960
Midplane         REV 04   750-047849   ACRD2400          Enhanced MX960 Backplane
FPM Board        REV 03   710-014974   CADE9287          Front Panel Display
PDM              Rev 03   740-013110   QCS181650BM       Power Distribution Module
PEM 0            Rev 11   740-027760   QCS1806N0MP       PS 4.1kW; 200-240V AC in
PEM 1            Rev 11   740-027760   QCS1806N0SK       PS 4.1kW; 200-240V AC in
PEM 2            Rev 11   740-027760   QCS1806N07S       PS 4.1kW; 200-240V AC in
PEM 3            Rev 11   740-027760   QCS1812N02D       PS 4.1kW; 200-240V AC in
Routing Engine 0 REV 01   740-051822   9013061577        RE-S-1800x4
Routing Engine 1 REV 01   740-051822   9013056762        RE-S-1800x4
CB 0             REV 01   750-055976   CACX9090          Enhanced MX SCB 2
CB 1             REV 01   750-055976   CACZ4497          Enhanced MX SCB 2
CB 2             REV 01   750-055976   CADA1721          Enhanced MX SCB 2
FPC 0            REV 05   750-044444   CAAM5562          MPCE Type 2 3D P
  CPU
FPC 1            REV 35   750-028467   CAAP9738          MPC 3D 16x  Continue reading
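The symptom above (FPCs listed, but no MICs or PICs under them) can be checked from the inventory text itself, which is handy when you are comparing several chassis or polling after a reboot. The Python below is an added example, not code from the original post: it groups `show chassis hardware` lines by indentation under each FPC and reports FPCs that have no MIC or PIC children. The inventory sample is constructed; the part numbers that also appear in the post's output are reused, while the other part and serial numbers are obvious placeholders. Fixed-port MPCs show PICs without MICs, so the check treats an FPC as empty only when it has neither.

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory in the "show chassis hardware" layout. FPC 0 shows only its
# CPU (the situation described in the post); FPC 1 is a healthy card with two MICs.
SAMPLE_INVENTORY = """\
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                SN-CHASSIS        MX960
Midplane         REV 04   750-047849   SN-MIDPLANE       Enhanced MX960 Backplane
Routing Engine 0 REV 01   740-051822   SN-RE0            RE-S-1800x4
CB 0             REV 01   750-055976   SN-CB0            Enhanced MX SCB 2
FPC 0            REV 05   750-044444   SN-FPC0           MPCE Type 2 3D P
  CPU            REV 06   711-PLACEHLD SN-FPC0-CPU       MPCE PMB 2G
FPC 1            REV 10   750-PLACEHLD SN-FPC1           MPC Type 2 3D
  CPU            REV 06   711-PLACEHLD SN-FPC1-CPU       MPC PMB 2G
  MIC 0          REV 24   750-PLACEHLD SN-FPC1-MIC0      3D 20x 1GE(LAN) SFP
    PIC 0                 BUILTIN      BUILTIN           10x 1GE(LAN) SFP
    PIC 1                 BUILTIN      BUILTIN           10x 1GE(LAN) SFP
  MIC 1          REV 10   750-PLACEHLD SN-FPC1-MIC1      3D 2x 10GE XFP
    PIC 2                 BUILTIN      BUILTIN           2x 10GE XFP
"""

# Leading spaces give the nesting depth; the item kind is the first word, optionally
# followed by a slot number ("FPC 0", "MIC 1", "CPU").
ITEM = re.compile(r"^(?P<indent> *)(?P<kind>[A-Za-z]+)(?: (?P<num>\d+))?")


def parse_fpcs(output: str) -> Dict[int, dict]:
    """Return {fpc_number: {description, children, mics, pics}} built from the inventory."""
    fpcs: Dict[int, dict] = {}
    current = None
    for line in output.splitlines():
        m = ITEM.match(line)
        if not m:
            continue
        depth = len(m["indent"])
        fields = re.split(r"\s{2,}", line.strip())
        desc = fields[-1] if len(fields) > 1 else ""
        label = m["kind"] + (f" {m['num']}" if m["num"] else "")
        if depth == 0:
            if m["kind"] == "FPC":
                current = int(m["num"])
                fpcs[current] = {"description": desc, "children": [], "mics": [], "pics": []}
            else:
                current = None  # any other top-level item ends the current FPC block
        elif current is not None:
            fpcs[current]["children"].append(label)
            if m["kind"] == "MIC":
                fpcs[current]["mics"].append((label, desc))
            elif m["kind"] == "PIC":
                fpcs[current]["pics"].append((label, desc))
    return fpcs


def fpcs_without_mics_or_pics(fpcs: Dict[int, dict]) -> List[int]:
    """FPCs that are present but expose no MIC and no PIC: the cards that never came online."""
    return sorted(n for n, f in fpcs.items() if not f["mics"] and not f["pics"])


if __name__ == "__main__":
    inventory = parse_fpcs(SAMPLE_INVENTORY)
    for n, f in inventory.items():
        print(f"FPC {n} ({f['description']}): children={f['children']}")
    print("FPCs with nothing under them:", fpcs_without_mics_or_pics(inventory))
```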

Remote port-mirroring in Junos

Information on remote port mirroring on Junos routers doesn’t seem to be very easy to come by for some reason – there is quite a lot of information about doing this on EX switches (a bit like RSPAN in Cisco’s IOS), which wasn’t what I needed.  Various other sources of information (such as Cluepon) say this can be done using a GRE tunnel, but that the capturing device needs to be a server that terminates the GRE tunnel – which all seemed a bit complicated.

I needed to remotely mirror a port on an MX to a second MX where a Windows-based Wireshark was connected, so getting GRE working to a Windows host sounded like a non-starter.

So I had to work it out myself – and hopefully this write-up will prove useful to someone else in the future.

An additional requirement for the customer was that the captured interface should be in a VRF, so the test-bed I set up below has production traffic flowing through a VRF, and the mirrored traffic in a GRE tunnel which is running in the global routing table.

Here’s the write-up I did for the customer:


Remote port-mirroring using GRE Continue reading

Disabling Vodafone autoprovisioning on Snom 821

I bought a nearly new Snom IP phone on eBay, but it was getting autoprovisioned as a Vodafone device.   I wanted to use it as a SIP phone on another provider’s network, so needed to get rid of this.

I’ll try to write down the steps I followed, but I tried quite a few things so there may be inaccuracies.

Basically this phone tries three ways to autoprovision itself:

1. Redirection – it goes to a host run by Snom, is redirected to a Vodafone host and autoprovisions from there.

2. PnP – I think this is where it multicasts for a configuration server.

3. DHCP – where it receives details of the configuration server from DHCP options it receives with its IP address.

Redirection is the first one it tries by default, so you need to stop this happening. Snom say on their forums that they can’t do this for Vodafone devices, which must be a legal thing between them and Vodafone, because they are able to do it for Snom phones that are auto-provisioned on other providers.  In the latter case a simple request on the forums with the phone’s MAC address appears to be sufficient.

Continue reading