SSH Issue on SRX1500

  • 1.  SSH Issue on SRX1500

     
    Posted 04-18-2018 02:54

    Hi all,

     

    I still have an issue on one SRX that simply will not accept SSH connectivity. It is configured exactly the same as the other SRX that does allow SSH connectivity. As this equipment is going into the Data Centres next week, it is critical that I get this working before then or we will only have console access, which is not part of the remit as it will be a single point of failure.....

     

    MX240s - SSH perfectly

    SRX1500 01 - SSH perfectly

    SRX1500 02 - SSH not working

     

    I have configured the following:

     

    set system services ssh root-login deny
    set system services ssh connection-limit 3

     

    The VR that the connection comes in on is an "any any any permit" policy as per below:

    set security policies from-zone Customer-Network to-zone Customer-Network policy customer match source-address any
    set security policies from-zone Customer-Network to-zone Customer-Network policy customer match destination-address any
    set security policies from-zone Customer-Network to-zone Customer-Network policy customer match application any
    set security policies from-zone Customer-Network to-zone Customer-Network policy customer then permit

     

    Does anyone have any help they could offer please?



  • 2.  RE: SSH Issue on SRX1500

     
    Posted 04-18-2018 03:11

    I am assuming you're running a cluster and you are configuring out-of-band management (fxp0)?

     

    If so, there are a number of reasons this will happen, for example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17161&actp=METADATA

     

    If you search and browse the Juniper articles you will probably find your problem, but a simple workaround will be to log in to either node from the other:

     

    {primary:node0}

    lab@host> request routing-engine login node 1



  • 3.  RE: SSH Issue on SRX1500

     
    Posted 04-18-2018 03:41

    Hi Dawid,

     

    Thank you for the response.

     

    No, we are not utilising a cluster for a specific reason that I cannot give. But that reason overrides the need for a cluster. FXP0 not being utilised.

     

    The direction of the SSH connectivity request is as follows:

     

    Laptop --> SRX01 --> core01 --> Core02 --> SRX02 (customer VR)

     

    As mentioned, if I could SSH to any of the other devices I would know the answer, but I can SSH to everything except SRX02.

     

    As an add on, here is the configuration for the security zone:

    set security zones security-zone Customer-Network host-inbound-traffic system-services all
    set security zones security-zone Customer-Network host-inbound-traffic protocols all
    set security zones security-zone Customer-Network interfaces ae2.0


    Even from the CLI of the other devices I get the "ssh_exchange_identification: Connection closed by remote host" error....

     

    If this is a certificate issue, I don't know where to find the certificate file to delete and renew.



  • 4.  RE: SSH Issue on SRX1500

     
    Posted 04-18-2018 04:02

    I think I have found a way around this, or at least to test, but when I log in to the shell as root and try and make a directory under /etc I get the following error:

     

    mkdir: test1: Read-only file system

     

    Why, if I am logged into the shell as root, is it read only?



  • 5.  RE: SSH Issue on SRX1500

    Posted 04-18-2018 04:36

    It looks like you do not have a certificate.

    To generate:

     

    >start shell user root
    % ssh-keygen rsa -f /etc/ssh/ssh_host_rsa_key

     

    Regards

    Leon Smirnov

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 6.  RE: SSH Issue on SRX1500

     
    Posted 04-18-2018 05:13

    >start shell user root
    % ssh-keygen rsa -f /etc/ssh/ssh_host_rsa_key

     

    Unfortunately I get "Too many arguments" with this command.

     

    Reboot no success either.



  • 7.  RE: SSH Issue on SRX1500

     
    Posted 04-18-2018 05:25

    Okay, I tried a different command, which the SRX accepted:

     

    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

     

    However, I got the following message and I am not a Linux expert:

    Saving key "/etc/ssh/ssh_host_rsa_key" failed: Too many levels of symbolic links

     



  • 8.  RE: SSH Issue on SRX1500

     
    Posted 04-18-2018 05:32

    I've found the issue......

    ssh -> /var/db/ssh

     

    It's constantly pointing to itself within /etc

    /cf/etc

    ssh -> /cf/etc/ssh

     

     



  • 9.  RE: SSH Issue on SRX1500

    Posted 04-18-2018 05:39

    Yes, it is a link

    Leon



  • 10.  RE: SSH Issue on SRX1500

     
    Posted 04-18-2018 05:43

    Solved it (well, I've solved this with the issue, I have yet to see if my resolution has affected anything else)...... For anyone else having the same issue:

     

    I couldn't use "unlink" because the command did not exist so that only left me one option within the /dev/db directory and that was as follows:

     

    rm ssh

    mkdir ssh

    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

     

    Now I can SSH to the SRX.

     

    Thank you all for pointing me in the right direction.
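
A check for the condition diagnosed in posts 8 and 10, as an added example that is not part of the original thread: it walks the `ssh` symlink chain one hop at a time, reports whether it ends in a real directory, dangles, or loops, and then looks for a non-empty host key. The function names and the temporary fixture tree are assumptions constructed for illustration, and the dangling-link case goes slightly beyond what the thread hit.

```shell
#!/bin/sh
# Classify where a symlink chain ends: "ok <path>", "dangling <path>" or "loop <path>".
classify_link() {
    path=$1; hops=0; seen="|"
    while [ -L "$path" ]; do
        case "$seen" in *"|$path|"*) echo "loop $path"; return 2 ;; esac
        seen="$seen$path|"; hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then echo "loop $path"; return 2; fi
        target=$(readlink "$path")
        case "$target" in
            /*) path=$target ;;                      # absolute target
            *)  path=$(dirname "$path")/$target ;;   # relative to the link's directory
        esac
    done
    if [ -e "$path" ]; then echo "ok $path"; return 0; fi
    echo "dangling $path"; return 1
}

# Report whether the key directory resolves and holds a non-empty host key.
check_sshd_keydir() {
    result=$(classify_link "$1") || { echo "$result"; return 1; }
    dir=${result#ok }
    for key in "$dir"/ssh_host_*_key; do
        if [ -s "$key" ]; then echo "ok $key"; return 0; fi
    done
    echo "nokeys $dir"; return 1
}

# Constructed fixture mirroring the thread: etc/ssh -> cf/etc/ssh -> itself.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/cf/etc"
    ln -s "$root/cf/etc/ssh" "$root/cf/etc/ssh"
    ln -s "$root/cf/etc/ssh" "$root/etc/ssh"
    echo "$root"
}

fx=$(build_fixture)
check_sshd_keydir "$fx/etc/ssh" || true          # reports the self-referential link
rm "$fx/cf/etc/ssh" && mkdir "$fx/cf/etc/ssh"    # same repair as in the thread
check_sshd_keydir "$fx/etc/ssh" || true          # directory is real, but no host key yet
rm -rf "$fx"
```

On a real device the argument would be the actual key directory link (for example `/etc/ssh`); the check only reads the filesystem and changes nothing.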

     



  • 11.  RE: SSH Issue on SRX1500
    Best Answer

    Posted 04-18-2018 05:38

    Try this

    > start shell user root

    % cd /cf/etc/ssh

    % ssh-keygen -t rsa -f  ssh_host_rsa_key

     

    Regards

    Leon Smirnov

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 12.  RE: SSH Issue on SRX1500

    Posted 04-18-2018 04:40

    Hi,

    As per the error message, it looks like there is a filesystem issue. Please try to reboot and then try.