Junos OS

 View Only
last person joined: 12 hours ago 

Ask questions and share experiences about Junos OS.
Expand all | Collapse all

SRX350 chassis cluster - commit doesn't finish

  • 1.  SRX350 chassis cluster - commit doesn't finish

    Posted 08-04-2022 08:58
    Hello,

    I was trying to set up a ldap authentication to junos, but there's a part of configuration that I'm unable to commit. Strange thing, because there's no syntax error, but commit just doesn't end up, even after 30 minutes or so. Do you have any idea how to verify this issue?

    root@SRX1# show | compare
    [edit system]
    + authentication-order [ password ldaps ];


  • 2.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-04-2022 09:00
    Could you share you whole auth configuration under
    system ldap-server
    system authentication-order

    or compare the complete configuration with the example here
    https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-ldaps-authentication.html#d124e102

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-04-2022 13:43
    Thanks for your reply. I think there must be an error in ldap config, like junos is unable to connect to LDAP server and I have to debug it somehow, but didn't think  it'll make problems with commit.  

    Here's my configuration (authentication-order is empty, because commit didn't end):

    root@SRX1# show system ldap-server 
    address X.X.X.X;
    port 636;
    base ou=Users,dc=XX,dc=XX;
    binddn YYY;
    bindpw XXX;
    ldaps-cert google-ldap-cert-key;
    
    {primary:node0}[edit]
    root@SRX1# show system authentication-order 
    
    {primary:node0}[edit]
    ​



  • 4.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-06-2022 05:36
    Any idea?


  • 5.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-07-2022 13:29
    Edited by spuluka 08-07-2022 13:29
    Checking this config against the samples it does look complete.

    Do you get a meaningful error if you try to check the commit instead of starting it
    commit check

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 6.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-08-2022 04:01
    I tried "commit check" with the same result. I also tried " commit | display detail" and saw the following output:

    root@SRX1# commit | display detail 
    node0: 
    2022-08-05 13:57:19.50467 CEST: Obtaining lock for commit
    2022-08-05 13:57:19.65923 CEST: merging latest committed configuration
    2022-08-05 13:57:19.69824 CEST: Using fast-diff method to generate diff
    2022-08-05 13:57:21.663784 CEST: UI extensions feature is not configured
    2022-08-05 13:57:21.669778 CEST: Started running translation script
    2022-08-05 13:57:21.671852 CEST: Finished running translation script
    2022-08-05 13:57:21.672574 CEST: start loading commit script changes
    2022-08-05 13:57:21.672846 CEST: no commit script changes
    2022-08-05 13:57:21.675192 CEST: no transient commit script changes
    2022-08-05 13:57:21.675446 CEST: finished loading commit script changes
    2022-08-05 13:57:21.675618 CEST: No translation output from the scripts
    2022-08-05 13:57:21.683728 CEST: building groups inheritance path proportional in candidate db
    2022-08-05 13:57:21.687644 CEST: finished groups inheritance path
    2022-08-05 13:57:21.687853 CEST: copying juniper.db to juniper.data+
    2022-08-05 13:57:21.755440 CEST: finished copying juniper.db to juniper.data+
    2022-08-05 13:57:21.759050 CEST: exporting juniper.conf
    2022-08-05 13:57:21.867682 CEST: expanding interface-ranges
    2022-08-05 13:57:21.871216 CEST: finished expanding interface-ranges
    2022-08-05 13:57:21.874113 CEST: setup foreign files
    2022-08-05 13:57:21.897187 CEST: propagating foreign files
    2022-08-05 13:57:26.710966 CEST: constraints passed in mustd - not checking constraints in propagation
    



  • 7.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-08-2022 11:47
    Edited by David Divins 08-08-2022 11:50
    Do you have any loopback filters applied and is the LDAP server reachable from inet.0?

    What model and version? Also, have you verified the PKI parameters and cert chain per the docs mentioned above?

    ------------------------------
    David Divins
    ------------------------------



  • 8.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-08-2022 14:07
    LDAP server is reachable from junos:

    root@SRX1# run telnet Y.Y.Y.Y port 636 source X.X.X.X inet   
    Trying Y.Y.Y.Y...
    Connected to Y.Y.Y.Y.
    Escape character is '^]'.
    ​


    There's one filter on the loopback:

    root@SRX1# show interfaces lo0 
    unit 0 {
        family inet {
            filter {
                input filter_bgp179;
            }
    
    
    root@SRX1# show firewall family inet filter filter_bgp179 
    term 1 {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                plist_bgp179 except;
            }
            destination-port bgp;
        }
        then {
            reject;
        }
    }
    term 2 {
        then accept;
    }
    



    The model and version:

    I have two SRX 340, Junos: 20.2R3-S2.5, working in a chassis cluster. Regarding PKI parameters - I think it's required only if SRX works as a ldap server and needs own private CA to authenticate clients. In my case SRX is ldap client and I had to import client cert and key from external CA. 

     




  • 9.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-17-2022 05:56
    Today I received an answer from JTAC. It's strange for me, because there's official documentation about LDAPS.

    "
    Thank you for your patience on this case. What I did next:

    ++Upgrade cluster to 20.4R3-S3 and noticed that I did not even have the option for authentication order ldaps
    ++Downgraded cluster to 19.4R3 and noticed again the same, I am not getting an option for authentication order lapds, only password radius and tacplus

    So, it seems that only 20.2 allows the ldaps option, but does not commit it successfully. Then I checked internally and this feature is not supported, which makes sense since I am not even getting the option on other releases. The developers likely forgot to change the code for 20.2 accordingly to have the option removed.
    "


  • 10.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-17-2022 06:00
    Thanks for the update, strange that official docs are up but the feature is not active.  I wonder if it is active on platforms other than the SRX.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 11.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-17-2022 06:37
    Hi,


    Which model SRX that u use? SRX350 not exists.

    Thanks


  • 12.  RE: SRX350 chassis cluster - commit doesn't finish

    Posted 08-17-2022 06:52
    SRX340, my mistake.