Author Archives: DataPlumber
Just downloaded Atom, a ‘hackable’ editor with a really slick user interface on the Mac. It’s a really nice application, but it weighs in at 200MB!
I was doing some work on a few router config files – about 2MB each file – when I noticed the fan spin up on the computer. Looking at the process list, ‘Atom Helper’ and Apple’s spell-check processes were both running very high. There’s not much point in having spell-check on a router config I guess, so I disabled it – problem fixed…
This is a new one on me – obviously I’ve not been paying much attention, since it has been around since Junos 10.2!
On 12.1X45-D15.5 the counters for packets/bytes all show zero, but at least you can see that your tunnel is up and what the various parameters in use are… See below:
imtech@srx650-1-POD1> show security flow session tunnel extensive
Session ID: 38046, Status: Normal
Flag: 0x10000
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 105905, Duration: 52592
   In: 10.1.0.9/49698 --> 10.1.0.1/27622;esp, Interface: ge-2/0/13.0, Session token: 0xa, Flag: 0x100621
   Route: 0x110010, Gateway: 10.1.0.2, Tunnel: 0
   Port sequence: 0, FIN sequence: 0, FIN state: 0,
   Pkts: 0, Bytes: 0

Session ID: 38047, Status: Normal
Flag: 0x10000
Policy name: N/A
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Maximum timeout: N/A, Current timeout: N/A
Session State: Valid
Start time: 105905, Duration: 52592
   In: 10.1.0.9/0 --> 10.1.0.1/0;esp, Interface: ge-2/0/13.0, Session token: 0xa, Flag: 0x621
   Route: 0x110010, Gateway: 10.1.0.2, Tunnel: 0
   Port sequence: 0, FIN sequence: 0, FIN state: 0,
   Pkts: 0, Bytes: 0
Total sessions: 2
Just came across a useful debugging guide for site-to-site IPSec VPNs on Juniper SRX. It is a bit confusing because in steps 2 and 3, where it says [LOCAL PEER IP] it should actually say [REMOTE PEER IP]. But otherwise, this is a very useful set of instructions.
It doesn’t mention that you should observe the lifetime of the IKE and IPsec security associations (show security ike security-associations and show security ipsec security-associations), and also keep an eye on the SA index or ID. If the index number keeps changing, your tunnel is going down and coming back up all the time. If the lifetime regularly jumps back to the maximum value rather than counting down steadily towards zero, that indicates the same thing. Bear in mind that a normal rekey also resets the lifetime and can hand out a new index, but it happens shortly before the old SA expires; a reset with most of the lifetime still remaining is the sign to look for.
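A small way to automate that check, as an added example rather than anything from the post or the fir3net article: it takes a series of polled readings of the SA index and remaining lifetime (collecting them from the CLI at a fixed interval is left to you) and flags index changes or lifetime resets that happen well before the SA was due to expire. The sample series, the 300-second poll interval and the 3600-second lifetime are all constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SaSample:
    """One poll of an IKE or IPsec SA, taken at a fixed interval (constructed input)."""
    t: int          # seconds since monitoring started
    index: int      # SA index / ID as shown by the SRX
    lifetime: int   # remaining lifetime in seconds from the same output


def find_flaps(samples: List[SaSample], max_lifetime: int,
               rekey_margin: float = 0.1) -> List[Tuple[int, str]]:
    """Return (time, reason) for every transition that looks like a flap.

    Flags the two signs described in the post: the index changing between
    polls, or the lifetime jumping back up instead of counting down.  A
    transition is ignored when the previous sample was already within
    `rekey_margin` of expiry, because a scheduled rekey is expected to
    hand out a fresh index and a full lifetime at that point.
    """
    events: List[Tuple[int, str]] = []
    for prev, cur in zip(samples, samples[1:]):
        if prev.lifetime <= max_lifetime * rekey_margin:
            continue  # inside the normal rekey window, not a flap
        if cur.index != prev.index:
            events.append((cur.t, f"index {prev.index} -> {cur.index} "
                                  f"with {prev.lifetime}s of lifetime left"))
        elif cur.lifetime > prev.lifetime:
            events.append((cur.t, f"lifetime jumped {prev.lifetime}s -> "
                                  f"{cur.lifetime}s on the same index"))
    return events


def is_flapping(samples: List[SaSample], max_lifetime: int,
                min_events: int = 2) -> bool:
    """True once at least `min_events` suspicious transitions have been seen."""
    return len(find_flaps(samples, max_lifetime)) >= min_events


# Constructed samples: polled every 300s against a 3600s SA lifetime.
# HEALTHY counts down and only gets a new index near expiry (a rekey);
# FLAPPING gets a new index and a full lifetime every other poll.
HEALTHY = [SaSample(0, 1, 3600), SaSample(300, 1, 3300), SaSample(600, 1, 3000),
           SaSample(3300, 1, 300), SaSample(3600, 2, 3600), SaSample(3900, 2, 3300)]
FLAPPING = [SaSample(0, 7, 3600), SaSample(300, 7, 3300), SaSample(600, 9, 3600),
            SaSample(900, 9, 3300), SaSample(1200, 11, 3600)]

if __name__ == "__main__":
    for name, series in (("healthy", HEALTHY), ("flapping", FLAPPING)):
        print(name, is_flapping(series, 3600), find_flaps(series, 3600))
```

The rekey margin is the only tunable: set it to roughly the fraction of the lifetime at which your peers start rekeying, otherwise every scheduled rekey will be reported as a flap.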
Particularly interesting is the way the author splits out the sections on troubleshooting the packet flow within the VPN, versus the packet flow of the VPN crypto itself. I’ve not used packet-filters in flow debug before, so will definitely be trying that out.
Link to SRX debug article at fir3net.com
Not sure why this command has to be so obscure, but I stumbled on this while writing a training course tonight – quite a nice way to see if packets are hitting your policies:
imtech@srx220-1-POD3> show security policies hit-count
Logical system: root-logical-system
  Index   From zone   To zone      Name           Policy count
  1       VR3a        VR3b         P1             0
  2       VR3a        untrust      3to1VPN        8320
  3       VR3a        untrust      P1             3249
  4       VR3b        VR3a         P1             0
  5       VR3b        untrust      P1             0
  6       untrust     junos-host   P1             8
  7       untrust     VR3a         1to3           5523
  8       untrust     VR3a         P1             5
  9       untrust     VR3b         permit-to-3b   0
  10      untrust     VR3b         DEFAULT-DENY   16
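As an added example (not from the post), here is a parser for that output that turns it into something you can act on: the policies that have never been hit, and the hits per policy between two snapshots, since the counters only grow until they are cleared or the box reboots. The snapshot text is constructed from the values shown above, and the second snapshot built in demo_delta is invented to show what a cleared counter looks like.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of 'show security policies hit-count'
# on the SRX220 in the post (same values as the output above).
HIT_COUNT_OUTPUT = """\
imtech@srx220-1-POD3> show security policies hit-count
Logical system: root-logical-system
  Index   From zone   To zone      Name           Policy count
  1       VR3a        VR3b         P1             0
  2       VR3a        untrust      3to1VPN        8320
  3       VR3a        untrust      P1             3249
  4       VR3b        VR3a         P1             0
  5       VR3b        untrust      P1             0
  6       untrust     junos-host   P1             8
  7       untrust     VR3a         1to3           5523
  8       untrust     VR3a         P1             5
  9       untrust     VR3b         permit-to-3b   0
  10      untrust     VR3b         DEFAULT-DENY   16
"""

# index, from-zone, to-zone, policy name, count.  Zone and policy names
# cannot contain whitespace, so one token each is safe; the prompt and
# header lines do not start with a number and are skipped.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

Key = Tuple[str, str, str]  # (from zone, to zone, policy name)


def parse_hit_counts(text: str) -> Dict[Key, int]:
    """Map (from, to, name) -> hit count.  The same policy name can exist
    in several zone pairs (P1 above), so the zones are part of the key."""
    counts: Dict[Key, int] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, src, dst, name, count = m.groups()
            counts[(src, dst, name)] = int(count)
    return counts


def unused_policies(counts: Dict[Key, int]) -> List[Key]:
    """Policies with zero hits: candidates for cleanup.  This output does
    not show the action, so check 'show security policies' before you
    delete anything; a zero-hit deny rule is doing exactly its job."""
    return sorted(k for k, v in counts.items() if v == 0)


def hits_between(before: Dict[Key, int], after: Dict[Key, int]) -> Dict[Key, int]:
    """Hits per policy between two snapshots.  A count that went down means
    the counter was cleared in between, so the 'after' value is reported
    as-is rather than producing a negative number."""
    delta: Dict[Key, int] = {}
    for key, now in after.items():
        then = before.get(key, 0)
        hit = now - then if now >= then else now
        if hit > 0:
            delta[key] = hit
    return delta


def demo_delta() -> Dict[Key, int]:
    """Constructed second snapshot: the VPN policy and DEFAULT-DENY were hit
    again, and the junos-host counter was cleared in between."""
    before = parse_hit_counts(HIT_COUNT_OUTPUT)
    after = dict(before)
    after[("VR3a", "untrust", "3to1VPN")] += 80
    after[("untrust", "VR3b", "DEFAULT-DENY")] += 4
    after[("untrust", "junos-host", "P1")] = 3  # lower than before: a reset
    return hits_between(before, after)


if __name__ == "__main__":
    counts = parse_hit_counts(HIT_COUNT_OUTPUT)
    print("never hit:", unused_policies(counts))
    print("hits since last snapshot:", demo_delta())
```

Taking a snapshot before and after a test and diffing them is the quickest way to answer "did my traffic hit the policy I expected, or fall through to DEFAULT-DENY?" without clearing the counters on a production box.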
To run Wireshark on OS X you have to install X11 (the GTK-based Wireshark user interface needs it), and Apple has stopped shipping and developing it. It is now a separate project called XQuartz.
It seems that at some point, either some files moved or a symlink got deleted, so Wireshark won’t start. When you click it, the top menu says “Wireshark” but the user interface never appears.
To get Wireshark running do the following:
Download XQuartz 2.2.7 and install it on your OS X 10.10.4 system.
Open a terminal window and check that /usr/X11 does not already exist (if it is still there as a directory, ln -s will create the link inside it rather than replacing it). Then enter this command to re-make the symbolic link:
sudo ln -s /opt/X11 /usr/X11
(you will need to be an admin user of the system and put in your password at this point).
Now install Wireshark and you should be good to go.
Update: The problem described in this article was logged with JTAC. It took a while but eventually they informed me they had resolved an issue with provisioning VMX in the Junosphere system. I have tried it since and the issue does appear to have gone away. However I am leaving this post up in case it has simply become more intermittent. Please let me know if you experience a situation like what is described below.
I usually use the ‘experimental’ VMX in my Junosphere topologies because I don’t like the VJX all that much. The VJX has security code in it, so it’s not quite like an MX really. Also I’ve seen oddities where it came up in flow mode with a default firewall policy of denying everything, and I was never able to work out why.
So instead I use the VMX for everything – which is better these days because it doesn’t use two VM units for the data and control planes like it used to. Why VMX is still ‘experimental’ after so long is a mystery to me.
However one thing just keeps cropping up with this that is just a bit annoying. Every so often I start a topology I know was working, but one or more routers aren’t accessible for some reason. The problem is usually caused by the way Junosphere has put the management address onto the VM. To get access to the VM you instead need to telnet to it via the console server at 10.233.255.254 using a specific port number
The fxp0 IP address should be created in the Continue reading
Just a note for future reference:
Space’s local database backups are kept in /var/cache/jboss/backups (Platform version 13.1R1)
You can retrieve these using WinSCP in SFTP mode. For some reason there’s a shell error when using SCP. This appears to have started happening since the bash shell vulnerability (Shellshock) was discovered, although I’ve never applied Juniper’s bash patch to the system. Upgrading WinSCP to the latest version didn’t help.
I’ve been using Junosphere a lot recently, and it’s a great tool – quick and easy creation of topologies without the need to go to a physical lab to try things out. Takes the guesswork out of a lot of things, which is a real bonus. There are obviously a few things you can’t do in a virtual environment that would be possible in a real one (e.g. QoS, MTU greater than 2000 bytes, MS-MIC in an MX), but it caters for 80% of what you need.
I always thought that it put Juniper leagues ahead of Cisco because you can buy credits to use the system right on the front page. Cisco were late to the party with something called VIRL – Virtual Internet Routing Lab. They were late, but rumour had it that a lot of developers moved from Juniper to Cisco to bring VIRL about. However Junosphere always had the edge for the networking student (as we all remain, whether we are JNCIE or not) because of its accessibility – with VIRL you had to be a Cisco customer and gain access through your account manager. I’ll stick with GNS3 thanks!
That appears Continue reading
I’m just spending the day trying to get my head around some very basic automation, so I thought I would install Python 2.7 and work through some of the tutorials on the Techwiki to see how I get on.
The tutorial I’m following is called Python for Non-Programmers and offers an easy way in for people like me. Of course as with a lot of open-source stuff, you don’t just download Python and get started – there are various dependencies, and dependencies with dependencies that you need to install first. If at the end of all that you’ve not forgotten what your name is or why you were doing all this shenanigans in the first place you can count yourself as winning.
Installation on a Windows machine is documented nicely here, but there are a few things which are out of date.
One part tells you to run an executable to install ‘lxml’, but there isn’t one when you click the link provided. So instead you need to install it with a program called pip, which can be found in C:\Python27\Scripts by default. pip is not in the PATH environment variable by default Continue reading
Cabling up a 100G link for a customer test, we discovered we needed to buy a couple of 100G cables. The interfaces involved were multimode and use parallel optical paths – i.e. 10 parallel fibres in each direction, each carrying 10Gbps, within a single cable.
It turns out the world of such cables is a bit confusing in its terminology. Some people call these cables MTP, and others call them MPO. After a bit of digging, it turns out that they’re basically the same, but MTP is a brand name for a connector that complies with the MPO standard. The brand is owned by a company called US Conec. Confusion over…
There’s quite a nice photo close-up of this connector type available on Completeconnect’s website – here. You can see the parallel fibres in the end of the interface. The cable has 24 fibres in, but only 20 are used – 10 in each direction giving full duplex connectivity at 100Gbps.
The male-ness and female-ness of these types of connector is quite difficult to determine. If you see a pair of pins protruding from the connector at either end of the two rows of fibres, Continue reading
We just installed an MX in the lab for a customer type-approval test (TAT) and none of the cards came online.
The output of “show chassis hardware” showed that there were FPCs installed, but not the MICs that were in them:
[email protected]> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                JN1249BDBAFA   MX960
Midplane         REV 04   750-047849   ACRD2400       Enhanced MX960 Backplane
FPM Board        REV 03   710-014974   CADE9287       Front Panel Display
PDM              Rev 03   740-013110   QCS181650BM    Power Distribution Module
PEM 0            Rev 11   740-027760   QCS1806N0MP    PS 4.1kW; 200-240V AC in
PEM 1            Rev 11   740-027760   QCS1806N0SK    PS 4.1kW; 200-240V AC in
PEM 2            Rev 11   740-027760   QCS1806N07S    PS 4.1kW; 200-240V AC in
PEM 3            Rev 11   740-027760   QCS1812N02D    PS 4.1kW; 200-240V AC in
Routing Engine 0 REV 01   740-051822   9013061577     RE-S-1800x4
Routing Engine 1 REV 01   740-051822   9013056762     RE-S-1800x4
CB 0             REV 01   750-055976   CACX9090       Enhanced MX SCB 2
CB 1             REV 01   750-055976   CACZ4497       Enhanced MX SCB 2
CB 2             REV 01   750-055976   CADA1721       Enhanced MX SCB 2
FPC 0            REV 05   750-044444   CAAM5562       MPCE Type 2 3D P
  CPU
FPC 1            REV 35   750-028467   CAAP9738       MPC 3D 16x Continue reading
Information on remote port mirroring on Junos routers doesn’t seem to be very easy to come by for some reason – there is quite a lot of information about doing this on EX switches (a bit like RSPAN in Cisco’s IOS), which wasn’t what I needed. Various other sources of information (such as Cluepon) say this can be done using a GRE tunnel, but that the capturing device needs to be a server that terminates the GRE tunnel – which all seemed a bit complicated.
I needed to remotely mirror a port on an MX to a second MX where a windows-based Wireshark was connected, so getting GRE working to a Windows host sounded like a non starter.
So I had to work it out myself – and hopefully this write-up will prove useful to someone else in the future.
An additional requirement for the customer was that the captured interface should be in a VRF, so the test-bed I set up below has production traffic flowing through a VRF, and the mirrored traffic in a GRE tunnel which is running in the global routing table.
Here’s the write-up I did for the customer:
I bought a nearly new Snom IP phone on eBay, but it was getting autoprovisioned as a Vodafone device. I wanted to use it as a SIP phone on another provider’s network, so needed to get rid of this.
I’ll try to write down the steps I followed, but I tried quite a few things so there may be inaccuracies.
Basically this phone tries three ways to autoprovision itself:
1. Redirection – it goes to a host run by Snom, is redirected to a Vodafone host and autoprovisions from there.
2. PnP – I think this is where it multicasts for a configuration server.
3. DHCP – where it receives details of the configuration server from DHCP options it receives along with its IP address.
Redirection is the first one it tries by default, so you need to stop this happening. Snom say on their forums that they can’t do this for Vodafone devices, which must be a legal thing between them and Vodafone, because they are able to do it for Snom phones that are auto-provisioned on other providers. In the latter case a simple request on the forums with the phone’s MAC address appears to be sufficient.