Thanks for the update; strange that the official docs are up but the feature is not active. I wonder if it is active on platforms other than the SRX.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------
Original Message:
Sent: 08-17-2022 05:13
From: Unknown User
Subject: SRX350 chassis cluster - commit doesn't finish
Today I received an answer from JTAC. It's strange to me, because there's official documentation about LDAPS.
"
Thank you for your patience on this case. What I did next:
++Upgraded cluster to 20.4R3-S3 and noticed that I did not even have the option for authentication order ldaps
++Downgraded cluster to 19.4R3 and noticed again the same: I am not getting an option for authentication order ldaps, only password, radius and tacplus
So, it seems that only 20.2 allows the ldaps option, but does not commit it successfully. Then I checked internally and this feature is not supported, which makes sense since I am not even getting the option on other releases. The developers likely forgot to change the code for 20.2 accordingly to have the option removed.
"
Original Message:
Sent: 08-08-2022 14:06
From: Unknown User
Subject: SRX350 chassis cluster - commit doesn't finish
The LDAP server is reachable from Junos:
root@SRX1# run telnet Y.Y.Y.Y port 636 source X.X.X.X inet
Trying Y.Y.Y.Y...
Connected to Y.Y.Y.Y.
Escape character is '^]'.
There's one filter on the loopback:
root@SRX1# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input filter_bgp179;
        }
    }
}
root@SRX1# show firewall family inet filter filter_bgp179
term 1 {
    from {
        source-address {
            0.0.0.0/0;
        }
        source-prefix-list {
            plist_bgp179 except;
        }
        destination-port bgp;
    }
    then {
        reject;
    }
}
term 2 {
    then accept;
}
The model and version:
I have two SRX 340, Junos 20.2R3-S2.5, working in a chassis cluster. Regarding PKI parameters, I think they're required only if the SRX works as an LDAP server and needs its own private CA to authenticate clients. In my case the SRX is an LDAP client and I had to import the client cert and key from an external CA.
Original Message:
Sent: 08-08-2022 11:46
From: David Divins
Subject: SRX350 chassis cluster - commit doesn't finish
Do you have any loopback filters applied and is the LDAP server reachable from inet.0?
What model and version? Also, have you verified the PKI parameters and cert chain per the docs mentioned above?
------------------------------
David Divins
Original Message:
Sent: 08-08-2022 04:00
From: Unknown User
Subject: SRX350 chassis cluster - commit doesn't finish
I tried "commit check" with the same result. I also tried "commit | display detail" and saw the following output:
root@SRX1# commit | display detail
node0:
2022-08-05 13:57:19.50467 CEST: Obtaining lock for commit
2022-08-05 13:57:19.65923 CEST: merging latest committed configuration
2022-08-05 13:57:19.69824 CEST: Using fast-diff method to generate diff
2022-08-05 13:57:21.663784 CEST: UI extensions feature is not configured
2022-08-05 13:57:21.669778 CEST: Started running translation script
2022-08-05 13:57:21.671852 CEST: Finished running translation script
2022-08-05 13:57:21.672574 CEST: start loading commit script changes
2022-08-05 13:57:21.672846 CEST: no commit script changes
2022-08-05 13:57:21.675192 CEST: no transient commit script changes
2022-08-05 13:57:21.675446 CEST: finished loading commit script changes
2022-08-05 13:57:21.675618 CEST: No translation output from the scripts
2022-08-05 13:57:21.683728 CEST: building groups inheritance path proportional in candidate db
2022-08-05 13:57:21.687644 CEST: finished groups inheritance path
2022-08-05 13:57:21.687853 CEST: copying juniper.db to juniper.data+
2022-08-05 13:57:21.755440 CEST: finished copying juniper.db to juniper.data+
2022-08-05 13:57:21.759050 CEST: exporting juniper.conf
2022-08-05 13:57:21.867682 CEST: expanding interface-ranges
2022-08-05 13:57:21.871216 CEST: finished expanding interface-ranges
2022-08-05 13:57:21.874113 CEST: setup foreign files
2022-08-05 13:57:21.897187 CEST: propagating foreign files
2022-08-05 13:57:26.710966 CEST: constraints passed in mustd - not checking constraints in propagation
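As an added example (not from this thread or from Juniper), a small Python parser for the "commit | display detail" output above that measures how long the commit spent between consecutive stages, so the stage it stalls in can be named when reporting the case. The sample lines are a subset of the timestamps posted above, embedded as constructed input.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the stages from the commit detail output
# posted in this thread (timestamps copied as posted).
SAMPLE_LOG = """\
root@SRX1# commit | display detail
node0:
2022-08-05 13:57:19.50467 CEST: Obtaining lock for commit
2022-08-05 13:57:19.65923 CEST: merging latest committed configuration
2022-08-05 13:57:19.69824 CEST: Using fast-diff method to generate diff
2022-08-05 13:57:21.663784 CEST: UI extensions feature is not configured
2022-08-05 13:57:21.874113 CEST: setup foreign files
2022-08-05 13:57:21.897187 CEST: propagating foreign files
2022-08-05 13:57:26.710966 CEST: constraints passed in mustd - not checking constraints in propagation
"""

# "<date> <time>.<fraction> <tz>: <message>"; the fraction has a variable width
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(\d+) \S+: (.*)$")


def parse_stages(text):
    """Return (timestamp, message) tuples; prompt and 'node0:' lines are skipped."""
    stages = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        base, frac, msg = m.groups()
        # normalise the fraction to exactly six digits for %f
        ts = datetime.strptime(f"{base}.{frac.ljust(6, '0')[:6]}", "%Y-%m-%d %H:%M:%S.%f")
        stages.append((ts, msg))
    return stages


def stage_durations(stages):
    """Seconds elapsed from each stage until the next one was logged."""
    return [(stages[i][1], (stages[i + 1][0] - stages[i][0]).total_seconds())
            for i in range(len(stages) - 1)]


def slowest_stage(text):
    """Name the stage with the largest gap after it, and the last stage ever logged."""
    stages = parse_stages(text)
    msg, secs = max(stage_durations(stages), key=lambda d: d[1])
    return {"slowest": msg, "seconds": round(secs, 3), "last_seen": stages[-1][1]}


if __name__ == "__main__":
    for msg, secs in stage_durations(parse_stages(SAMPLE_LOG)):
        print(f"{secs:8.3f}s  {msg}")
    print(slowest_stage(SAMPLE_LOG))
```

On the posted output the largest gap sits after "propagating foreign files", and "constraints passed in mustd" is the last line the commit ever reached before hanging.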
Original Message:
Sent: 08-07-2022 13:29
From: STEVE PULUKA
Subject: SRX350 chassis cluster - commit doesn't finish
Checking this config against the samples, it does look complete.
Do you get a meaningful error if you try to check the commit instead of starting it?
commit check
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 08-04-2022 09:18
From: Unknown User
Subject: SRX350 chassis cluster - commit doesn't finish
Thanks for your reply. I think there must be an error in the LDAP config, e.g. Junos is unable to connect to the LDAP server and I have to debug it somehow, but I didn't think it would cause problems with the commit.
Here's my configuration (authentication-order is empty because the commit didn't finish):
root@SRX1# show system ldap-server
address X.X.X.X;
port 636;
base ou=Users,dc=XX,dc=XX;
binddn YYY;
bindpw XXX;
ldaps-cert google-ldap-cert-key;

{primary:node0}[edit]
root@SRX1# show system authentication-order

{primary:node0}[edit]
Original Message:
Sent: 08-04-2022 08:58
From: STEVE PULUKA
Subject: SRX350 chassis cluster - commit doesn't finish
Could you share your whole auth configuration under
system ldap-server
system authentication-order
or compare the complete configuration with the example here
https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-ldaps-authentication.html#d124e102
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 08-03-2022 15:29
From: Unknown User
Subject: SRX350 chassis cluster - commit doesn't finish
Hello,
I was trying to set up LDAP authentication on Junos, but there's a part of the configuration that I'm unable to commit. It's strange, because there's no syntax error, but the commit just never finishes, even after 30 minutes or so. Do you have any idea how to verify this issue?
root@SRX1# show | compare
[edit system]
+ authentication-order [ password ldaps ];