Routing

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Can't connect via ssh to a MX104 router

    Posted 07-23-2021 06:40
    Hello,

    I'm still trying to configurate a MX-104 router in a lab for my company.

    The router is now pingable from the management network, everything seems ok, even on the physical side (fxp0 interface...etc).

    We are trying to set the ssh so that we will be able to connect remotely to the device, not only through the console port.

    Here is the issue: the ssh configuration seems to be ok, no error during the commit, but we can't connect to the device.

    We get the message when we try to connect via putty to the device:

    Remote side unexpectedly closed network connection

    On the MX104 we can find the following log messages:

    CORE-MX-104-LAB inetd[1825]: cannot execute /usr/sbin/sshd: Authentication error
    CORE-MX-104-LAB /kernel: veriexec: no fingerprint for file='/usr/sbin/sshd' fsid=66 fileid=24698 gen=1661856401 uid=0 pid=1825


    We tried to launched the "sshd" in shell mode, but we get the error:

    /usr/sbin/sshd : Authentication error


    We think it's a version issue or a lack of a the "JUNOS Crypto Software Suite" which is not present in the version of our OS.

    Could it be the reason why we can't connect via ssh to the device? or could it be something else?

    And if it's the case, is there a solution to fix that problem apart from having the JUNOS Crypto Software Suite?

    Thank you in advance for your help!



  • 2.  RE: Can't connect via ssh to a MX104 router

    Posted 07-23-2021 10:11
    Edited by ankurv 07-23-2021 10:13
    Hi

    This could be due to file system corruption , so best option will be re image this box with formatting flash. Here you can find the Techpub articles how to perform a recovery installation:

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/recovery-using-emergency-boot.html 

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB27369

     

    You will need the "Install Media" file from the Juniper site, do not use the "Install Package" file for this.



    ------------------------------
    ANKUR
    ------------------------------



  • 3.  RE: Can't connect via ssh to a MX104 router

    Posted 07-23-2021 10:39
    Thanks for you response.

    We already try to recreate a a bootable disk, but we don't have the image, and we don't have have enough 'rights' to install package from the juniper site...

    So we can't create an image.


  • 4.  RE: Can't connect via ssh to a MX104 router

    Posted 07-23-2021 11:14
    If you have console access to the MX  check whether veriexec is enforced by running the following commands from the Junos OS CLI shell

    >Start  shell
    % sysctl security.mac.veriexec.state
    security.mac.veriexec.state: loaded active enforce
    %

    If veriexec is enforced, the output is security.mac.veriexec.state: loaded active enforce. If veriexec is not enforced, the output is security.mac.veriexec.state: loaded active.

    For Junos OS Release 20.3R1 and later, use request system software add /var/tmp/xxx.tgz no-copy no-validate command to install Junos OS with fingerprints normally.  For Junos OS Releases prior to 20.3R1, if the veriexec-capable loader is in use and the target Junos OS image for previous releases are not supported by the veriexec-capable loader, then use the request system software add /var/tmp/xxx.tgz no-copy no-validate command to automatically downgrade to the old loader from the veriexec-capable loader. The veriexec-capable loader is not supported for Junos OS Releases prior to 20.3R1.

    Your best bet is to downgrade or upgrade your MX to fix the fingerprint on the veriexec.



    ------------------------------
    ANKUR
    ------------------------------



  • 5.  RE: Can't connect via ssh to a MX104 router

    Posted 07-24-2021 10:47
    I think your Junos image do not contain ssh application. you probably need to reinstall Junos image which contain ssh application. you can use telnet instead of ssh in your mx104


  • 6.  RE: Can't connect via ssh to a MX104 router

    Posted 08-02-2021 05:24
    Hello,

    We upgraded the equipment and the ssh is now working!

    Thank you for your help!


  • 7.  RE: Can't connect via ssh to a MX104 router

    Posted 07-24-2021 11:23
    The versions of Junos without ssh and crypto installed generally show the word limited in the version name.

    Can you confirm the system services ssh configuration matches your working devices.

    Also confirm there is no protect-re firewall filter applied that might be blocking ssh

    And check the message log after ssh attempts to see what is there.
    show log messages

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------