SRX




  • 1.  SRX345 21.4R1.12

    Posted 01-25-2022 09:50

    Hello community

    I would like to query some data from a SRX345 via REST API, but can't get it to run and am getting desperate. I tried all possible variations under system services rest (also https).

    # show system services rest | display set
    set system services rest http port 3080
    set system services rest http addresses 10.109.255.1
    set system services rest control allowed-sources 10.130.161.197
    set system services rest control allowed-sources 10.130.60.89
    set system services rest control connection-limit 16
    set system services rest enable-explorer
    # run show system processes | grep light
     2019  ??  S      0:00.47 /usr/sbin/web-api -D -f /var/etc/lighttpd.conf
    87985  ??  S      0:00.15 /usr/sbin/lighttpd -D -f /var/etc/lighttpd.conf -m /u
    % netstat -an | grep 3080
    tcp6       0      0  *.3080                                        *.*                                           LISTEN
    tcp4       0      0  *.3080                                        *.*                                           LISTEN

    This is the only thing that confuses me a bit, because web-api is not enabled, only rest-api.

    % cd /var/chroot/rest-api/
    % pwd
    /web-api

    From the machine itself, the API is working; from a directly connected host: timeout.

    % curl 10.109.255.1:3080
    <!--
    - $Id$
    -
    - Copyright (c) 2014, Juniper Networks, Inc.
    - All rights reserved.
    -->
    <!DOCTYPE html>
    <html>
        <head>
            <title>REST-API explorer</title>

    # show security zones security-zone MPLS host-inbound-traffic | display set
    set security zones security-zone MPLS host-inbound-traffic system-services all
    set security zones security-zone MPLS host-inbound-traffic protocols all
    # show security zones security-zone MPLS interfaces | display set
    set security zones security-zone MPLS interfaces lo0.0
    set security zones security-zone MPLS interfaces ae0.882
    # show security policies from-zone MPLS to-zone MPLS | display set
    set security policies from-zone MPLS to-zone MPLS policy allow-all match source-address any
    set security policies from-zone MPLS to-zone MPLS policy allow-all match destination-address any
    set security policies from-zone MPLS to-zone MPLS policy allow-all match application any
    set security policies from-zone MPLS to-zone MPLS policy allow-all then permit

    # show interfaces lo0 | display set
    set interfaces lo0 unit 0 family inet address 10.109.255.1/32 primary
    set interfaces lo0 unit 0 family inet address 10.109.255.1/32 preferred
    set interfaces lo0 unit 0 family inet address 10.109.248.1/32
    # show interfaces ae0 unit 882 | display set
    set interfaces ae0 unit 882 vlan-id 882
    set interfaces ae0 unit 882 family inet mtu 1500
    set interfaces ae0 unit 882 family inet address 10.250.0.49/29
    set interfaces ae0 unit 882 family mpls mtu 9000
    set interfaces ae0 unit 882 family mpls filter input packet-mode-mpls


    I can reach the machine via SSH and J-Web, but not the API....
    Policy is permit-all for testing purposes, no filters on the interface.

    I used "Example: Configuring the REST API | Junos OS | Juniper Networks" as a guide.

    Thank you very much in advance for any tips.

    Many greetings from Germany,
    Dennis



    ------------------------------
    DENNIS BOEHM
    ------------------------------


  • 2.  RE: SRX345 21.4R1.12

    Posted 01-25-2022 13:20
    Hello again

    Figured it out.

    rest-api is not a defined system service under host-inbound-traffic system-services.
    I needed to change from all to any-service.

    Any ideas why?

    I could not find a note in the guide linked above or in Security Zones | Juniper Networks.

    Have a great day
    Dennis

    ------------------------------
    DENNIS BOEHM
    ------------------------------
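The check that resolved post 2 is easy to get wrong again on the next box, so here is a small audit script that automates it. This is an added example, not code from the thread or from Juniper: it parses a Junos "display set" dump, finds the interface that carries each REST listen address, looks up that interface's security zone, and reports whether the zone's host-inbound-traffic system-services is any-service. Following the poster's observation on 21.4R1.12, "all" is flagged as insufficient ("all-only") and only "any-service" counts as "ok". The sample configuration inside the script is constructed from the lines quoted in the thread, with the broken and the corrected zone setting side by side; the function names are my own.

```python
"""Audit a Junos 'display set' config for REST API host-inbound reachability.

Added example, not from the thread. Rule applied, per the poster's finding:
'host-inbound-traffic system-services all' did NOT admit REST API traffic,
'any-service' did, so only 'any-service' is treated as sufficient here.
"""
import ipaddress
import re

# Constructed sample modelled on the poster's config (not a real device dump).
SAMPLE_BROKEN = """\
set system services rest http port 3080
set system services rest http addresses 10.109.255.1
set security zones security-zone MPLS host-inbound-traffic system-services all
set security zones security-zone MPLS host-inbound-traffic protocols all
set security zones security-zone MPLS interfaces lo0.0
set security zones security-zone MPLS interfaces ae0.882
set interfaces lo0 unit 0 family inet address 10.109.255.1/32 primary
set interfaces lo0 unit 0 family inet address 10.109.248.1/32
set interfaces ae0 unit 882 family inet address 10.250.0.49/29
"""

# The fix the poster reported: all -> any-service on the zone holding lo0.0.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "host-inbound-traffic system-services all",
    "host-inbound-traffic system-services any-service",
)

REST_ADDR_RE = re.compile(r"^set system services rest https? addresses (\S+)$")
IFACE_ADDR_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet address (\S+)(?: .*)?$")
ZONE_IFACE_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)$")
ZONE_SVC_RE = re.compile(
    r"^set security zones security-zone (\S+) "
    r"host-inbound-traffic system-services (\S+)$")


def parse_config(text):
    """Return (rest_addrs, iface_by_addr, zone_by_iface, services_by_zone)."""
    rest_addrs, iface_by_addr, zone_by_iface, services_by_zone = [], {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := REST_ADDR_RE.match(line):
            rest_addrs.append(m.group(1))
        elif m := IFACE_ADDR_RE.match(line):
            ifname, unit, cidr = m.groups()
            # 'primary' / 'preferred' suffixes are ignored by the regex tail.
            ip = str(ipaddress.ip_interface(cidr).ip)
            iface_by_addr[ip] = f"{ifname}.{unit}"
        elif m := ZONE_IFACE_RE.match(line):
            iface, zone = m.group(2), m.group(1)
            zone_by_iface[iface] = zone
        elif m := ZONE_SVC_RE.match(line):
            zone, svc = m.groups()
            services_by_zone.setdefault(zone, set()).add(svc)
    return rest_addrs, iface_by_addr, zone_by_iface, services_by_zone


def audit_rest_inbound(text):
    """Return {listen_address: verdict} for every configured REST listen address.

    'ok'           zone admits any-service
    'all-only'     zone only has 'all' (insufficient per the thread's finding)
    'blocked'      zone lists neither
    'no-zone'      owning interface is not in any security zone
    'no-interface' address is not configured on any interface
    """
    rest_addrs, iface_by_addr, zone_by_iface, services_by_zone = parse_config(text)
    result = {}
    for addr in rest_addrs:
        iface = iface_by_addr.get(addr)
        if iface is None:
            result[addr] = "no-interface"
            continue
        zone = zone_by_iface.get(iface)
        if zone is None:
            result[addr] = "no-zone"
            continue
        svcs = services_by_zone.get(zone, set())
        if "any-service" in svcs:
            result[addr] = "ok"
        elif "all" in svcs:
            result[addr] = "all-only"
        else:
            result[addr] = "blocked"
    return result


if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit_rest_inbound(cfg))
```

Feed it the output of "show configuration | display set" from the device. Note the trade-off the fix implies: any-service opens every host service on that zone, not just REST, so keep the "rest control allowed-sources" list from post 1 in place and consider an input firewall filter on lo0 to limit who can reach the REST port.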



  • 3.  RE: SRX345 21.4R1.12

    Posted 01-25-2022 13:53
    ...

    Receiving 500s now...


    I tried to follow PR1426588 - Juniper Networks PR Search,
    but no success...

    Monitoring via SSH commands for now... dirty, but I've lost hours debugging the API now...

    Best regards,
    Dennis

    ------------------------------
    DENNIS BOEHM
    ------------------------------



  • 4.  RE: SRX345 21.4R1.12

     
    Posted 01-26-2022 05:33
    Hi Dennis,
    That PR was fixed well before your 21.4R1, so it shouldn't be relevant here anymore.
    Anything from 'show system core-dumps'?
    Regards
    Ulf


  • 5.  RE: SRX345 21.4R1.12

    Posted 01-26-2022 17:45
    Hi Ulf,

    thank you for your reply.

    Yes, there are two core dumps, but they are old.

    Regards,
    Dennis

    ------------------------------
    DENNIS BOEHM
    ------------------------------



  • 6.  RE: SRX345 21.4R1.12

     
    Posted 01-28-2022 09:31
    Hi Dennis,

    OK, no recent core dumps is good and bad news: good because nothing is failing that badly, bad because a core would be a valuable piece of evidence Juniper support could have worked on. Anyway, I think I've found that at least one other person/party has also encountered such an issue and/or engineers are already working on this. I'll try to confirm and then get back to you.

    Regards

    Ulf


  • 7.  RE: SRX345 21.4R1.12

    Posted 01-31-2022 05:31
    I have found the same issue with syslog messages too. If lo0 is in a zone and the interface connecting to the syslog server does not have system services any on that security zone, our Graylog servers won't see the traffic. The inter-zone policy is just any. The same sort of thing was working in earlier releases. I haven't bothered reporting the issue, as I don't have the time to send 50 emails and 20 lots of traces and wait 12 months for a fix, so for now I have found a workaround.



    ------------------------------
    Steven Waite
    ------------------------------