I still have an issue on one SRX that simply will not accept SSH connectivity. It is configured exactly the same as the other SRX, which does allow SSH connectivity. As this equipment is going into the Data Centres next week it is critical that I get this working before then, or we will only have console access, which is not part of the remit as it will be a single point of failure.
MX240s - SSH perfectly
SRX1500 01 - SSH perfectly
SRX1500 02 - SSH not working
I have configured the following:
set system services ssh root-login deny
set system services ssh connection-limit 3
The VR that the connection comes in on is an "any any any permit" policy as per below:
set security policies from-zone Customer-Network to-zone Customer-Network policy customer match source-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy customer match destination-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy customer match application any
set security policies from-zone Customer-Network to-zone Customer-Network policy customer then permit
Does anyone have any help they could offer please?
I am assuming you're running a cluster and you are configuring out-of-band management (fxp0)?
If so, there are a number of reasons this will happen, for example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17161&actp=METADATA
If you search and browse the Juniper articles you will probably find your problem, but a simple workaround will be to login to either node from the other:
lab@host> request routing-engine login node 1
Thank you for the response.
No, we are not utilising a cluster for a specific reason that I cannot give. But that reason overrides the need for a cluster. FXP0 not being utilised.
The direction of the SSH connectivity request is as follows:
Laptop --> SRX01 --> core01 --> Core02 --> SRX02 (customer VR)
As mentioned, if I could SSH to any of the other devices I would know the answer, but I can SSH to everything except SRX02.
As an add on, here is the configuration for the security zone:
set security zones security-zone Customer-Network host-inbound-traffic system-services all
set security zones security-zone Customer-Network host-inbound-traffic protocols all
set security zones security-zone Customer-Network interfaces ae2.0
Even from the CLI of the other devices I get the "ssh_exchange_identification: Connection closed by remote host" error.
If this is a certificate issue, I don't know where to find the certificate file to delete and renew.
I think I have found a way around this, or at least to test, but when I login to the shell as root and try to make a directory under /etc I get the following error:
mkdir: test1: Read-only file system
Why, if I am logged into the shell as root, is it read only?
It looks like you do not have a certificate.
> start shell user root
% ssh-keygen rsa -f /etc/ssh/ssh_host_rsa_key
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Unfortunately I get "Too many arguments" with this command.
Reboot no success either.
Okay, I tried a different command, which the SRX accepted:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
However, I got the following message and I am not a Linux expert:
Saving key "/etc/ssh/ssh_host_rsa_key" failed: Too many levels of symbolic links
I've found the issue:
ssh -> /var/db/ssh
It's constantly pointing to itself within /etc
ssh -> /cf/etc/ssh
Yes, it is a link.
Solved it (well, I've solved this issue, I have yet to see if my resolution has affected anything else). For anyone else having the same issue:
I couldn't use "unlink" because the command did not exist, so that only left me one option within the /dev/db directory and that was as follows:
> start shell user root
% cd /cf/etc/ssh
% ssh-keygen -t rsa -f ssh_host_rsa_key
Now I can SSH to the SRX.
Thank you all for pointing me in the right direction.
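As an added example (not from the thread, not Juniper's own tooling), here is a small POSIX shell check for the failure mode described above: it follows a symlink chain with a hop limit so a link that ends up pointing back at itself is reported as a loop instead of "Too many levels of symbolic links", and then confirms the RSA host key sshd needs is actually present. All paths are constructed under mktemp directories; nothing touches /etc.

```shell
#!/bin/sh
# Added example: diagnose an sshd host key directory behind a symlink chain.
# A chain that loops makes every open under it fail, sshd then has no host key
# to load, and clients see "ssh_exchange_identification: Connection closed by remote host".

# resolve_dir PATH [MAXHOPS]: follow symlinks by hand with a hop limit.
# Prints the final path, or "LOOP" when the limit is exhausted.
resolve_dir() {
    p=$1; hops=${2:-8}
    while [ -L "$p" ]; do
        if [ "$hops" -eq 0 ]; then echo "LOOP"; return 0; fi
        hops=$((hops - 1))
        t=$(readlink "$p")
        case "$t" in
            /*) p=$t ;;                      # absolute target
            *)  p=$(dirname "$p")/$t ;;      # relative to the link's own directory
        esac
    done
    echo "$p"
}

# diagnose_ssh_dir DIR: prints LOOP, MISSING-KEY or OK for the RSA host key.
diagnose_ssh_dir() {
    d=$(resolve_dir "$1")
    if [ "$d" = "LOOP" ]; then echo "LOOP"; return 0; fi
    if [ -s "$d/ssh_host_rsa_key" ]; then echo "OK"; else echo "MISSING-KEY"; fi
}

# Constructed case 1: a loop like the thread's, cf/etc/ssh -> var/db/ssh -> cf/etc/ssh
bad=$(mktemp -d)
mkdir -p "$bad/cf/etc" "$bad/var/db"
ln -s "$bad/var/db/ssh" "$bad/cf/etc/ssh"
ln -s "$bad/cf/etc/ssh" "$bad/var/db/ssh"

# Constructed case 2: a healthy link with a dummy host key file behind it
good=$(mktemp -d)
mkdir -p "$good/cf/etc/ssh"
ln -s "$good/cf/etc/ssh" "$good/etc_ssh"
echo "dummy key material, constructed for the demo" > "$good/cf/etc/ssh/ssh_host_rsa_key"

diagnose_ssh_dir "$bad/cf/etc/ssh"   # LOOP
diagnose_ssh_dir "$good/etc_ssh"     # OK
```

On a real box you would point diagnose_ssh_dir at /etc/ssh from the root shell; a LOOP result means regenerating the key will fail until the link is fixed, exactly as seen in the thread.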
As per the error message, it looks like there is a filesystem issue. Please try to reboot and then try again.