Junos OS


  • 1.  SRX350 chassis cluster - commit doesn't finish

    Posted 11 days ago
    Hello,

    I was trying to set up LDAP authentication on Junos, but there's a part of the configuration that I'm unable to commit. Strange thing, because there's no syntax error, but the commit just doesn't end, even after 30 minutes or so. Do you have any idea how to verify this issue?

    root@SRX1# show | compare
    [edit system]
    + authentication-order [ password ldaps ];


  • 2.  RE: SRX350 chassis cluster - commit doesn't finish

     
    Posted 11 days ago
    Could you share your whole auth configuration under
    system ldap-server
    system authentication-order

    or compare the complete configuration with the example here
    https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-ldaps-authentication.html#d124e102

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 11 days ago
    Thanks for your reply. I think there must be an error in the LDAP config, like Junos is unable to connect to the LDAP server and I have to debug it somehow, but I didn't think it would cause problems with the commit.

    Here's my configuration (authentication-order is empty, because the commit didn't end):

    root@SRX1# show system ldap-server 
    address X.X.X.X;
    port 636;
    base ou=Users,dc=XX,dc=XX;
    binddn YYY;
    bindpw XXX;
    ldaps-cert google-ldap-cert-key;
    
    {primary:node0}[edit]
    root@SRX1# show system authentication-order 
    
    {primary:node0}[edit]



  • 4.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 10 days ago
    Any idea?


  • 5.  RE: SRX350 chassis cluster - commit doesn't finish

     
    Posted 8 days ago
    Checking this config against the samples, it does look complete.

    Do you get a meaningful error if you try to check the commit instead of starting it?
    commit check

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 6.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 8 days ago
    I tried "commit check" with the same result. I also tried "commit | display detail" and saw the following output:

    root@SRX1# commit | display detail 
    node0: 
    2022-08-05 13:57:19.50467 CEST: Obtaining lock for commit
    2022-08-05 13:57:19.65923 CEST: merging latest committed configuration
    2022-08-05 13:57:19.69824 CEST: Using fast-diff method to generate diff
    2022-08-05 13:57:21.663784 CEST: UI extensions feature is not configured
    2022-08-05 13:57:21.669778 CEST: Started running translation script
    2022-08-05 13:57:21.671852 CEST: Finished running translation script
    2022-08-05 13:57:21.672574 CEST: start loading commit script changes
    2022-08-05 13:57:21.672846 CEST: no commit script changes
    2022-08-05 13:57:21.675192 CEST: no transient commit script changes
    2022-08-05 13:57:21.675446 CEST: finished loading commit script changes
    2022-08-05 13:57:21.675618 CEST: No translation output from the scripts
    2022-08-05 13:57:21.683728 CEST: building groups inheritance path proportional in candidate db
    2022-08-05 13:57:21.687644 CEST: finished groups inheritance path
    2022-08-05 13:57:21.687853 CEST: copying juniper.db to juniper.data+
    2022-08-05 13:57:21.755440 CEST: finished copying juniper.db to juniper.data+
    2022-08-05 13:57:21.759050 CEST: exporting juniper.conf
    2022-08-05 13:57:21.867682 CEST: expanding interface-ranges
    2022-08-05 13:57:21.871216 CEST: finished expanding interface-ranges
    2022-08-05 13:57:21.874113 CEST: setup foreign files
    2022-08-05 13:57:21.897187 CEST: propagating foreign files
    2022-08-05 13:57:26.710966 CEST: constraints passed in mustd - not checking constraints in propagation
    
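A small parser for the commit trace format shown above, added here as an example and not part of the thread: it takes `commit | display detail` lines (an abridged copy of the ones posted, embedded as constructed sample input), reports how long each stage took before the next line appeared, and names the last stage reached, which on a hung commit is the phase that never completed.

```python
import re
from datetime import datetime

# Constructed sample: an abridged copy of the `commit | display detail` trace pasted in the thread.
SAMPLE_TRACE = """\
2022-08-05 13:57:19.50467 CEST: Obtaining lock for commit
2022-08-05 13:57:19.65923 CEST: merging latest committed configuration
2022-08-05 13:57:21.663784 CEST: UI extensions feature is not configured
2022-08-05 13:57:21.874113 CEST: setup foreign files
2022-08-05 13:57:21.897187 CEST: propagating foreign files
2022-08-05 13:57:26.710966 CEST: constraints passed in mustd - not checking constraints in propagation
"""

# One trace line: "<date> <time> <tz>: <message>"; the time zone token is matched but not parsed.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6}) \S+: (.*)$")


def parse_trace(text):
    """Return [(timestamp, message), ...]; lines that are not trace lines (e.g. 'node0:') are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2)))
    return events


def stage_durations(events):
    """Seconds spent in each stage, measured until the next trace line was emitted."""
    return [(msg, (events[i + 1][0] - ts).total_seconds())
            for i, (ts, msg) in enumerate(events[:-1])]


def slowest_stage(events):
    """The stage that took longest to hand over to the next one."""
    return max(stage_durations(events), key=lambda d: d[1])


def last_stage(events):
    """The final message emitted; on a commit that never returns, this is the stage it was stuck in."""
    return events[-1][1] if events else None


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    for msg, secs in stage_durations(ev):
        print(f"{secs:8.3f}s  {msg}")
    print("slowest:", slowest_stage(ev))
    print("stalled after:", last_stage(ev))
```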



  • 7.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 7 days ago
    Do you have any loopback filters applied and is the LDAP server reachable from inet.0?

    What model and version? Also, have you verified the PKI parameters and cert chain per the docs mentioned above?

    ------------------------------
    David Divins
    ------------------------------



  • 8.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 7 days ago
    The LDAP server is reachable from Junos:

    root@SRX1# run telnet Y.Y.Y.Y port 636 source X.X.X.X inet   
    Trying Y.Y.Y.Y...
    Connected to Y.Y.Y.Y.
    Escape character is '^]'.


    There's one filter on the loopback:

    root@SRX1# show interfaces lo0 
    unit 0 {
        family inet {
            filter {
                input filter_bgp179;
            }
    
    
    root@SRX1# show firewall family inet filter filter_bgp179 
    term 1 {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                plist_bgp179 except;
            }
            destination-port bgp;
        }
        then {
            reject;
        }
    }
    term 2 {
        then accept;
    }
    



    The model and version:

    I have two SRX 340s running Junos 20.2R3-S2.5, working in a chassis cluster. Regarding PKI parameters, I think they're required only if the SRX works as an LDAP server and needs its own private CA to authenticate clients. In my case the SRX is an LDAP client and I had to import the client cert and key from an external CA.