Wednesday, March 22, 2017

Juniper JUNOS Commands (Tips and Tricks)

Juniper Networks has a Day One book, 'Junos Tips, Techniques, and Templates 2011', in its Junos Fundamentals Series. To record some of my own tips, I have put them together in this post. Let me know if you have more to share.

1. Find large files

find . -type f -size +10000 -exec ls -lh {} \; 


root@FW% find . -type f -size +10000 -exec ls -lh {} \;
-rw-r--r--  1 930  929   134M Jan  5 17:34 ./cf/packages/junos-11.4R6.6-domestic
-rw-r--r--  1 root  wheel   139M Sep  8  2011 ./cf/var/log/junos-srxsme-11.2R2.4-domestic.tgz
-rw-r-----  1 root  wheel   4.9M Feb 11 17:12 ./cf/var/db/idpd/db/secdb_02.db
-rw-r-----  1 root  wheel   6.7M Feb 11 17:13 ./cf/var/db/idpd/db/secdb_03.db
-rw-r-----  1 root  wheel    64M Feb 11 17:13 ./cf/var/db/idpd/db/secdb_06.db
-rwxr-xr-x  1 admin  20    24M May 23 08:38 ./cf/var/db/idpd/nsm-download/SignatureUpdate.xml
-r-xr-xr-x  1 root  wheel   5.2M Jan  5 17:33 ./jail/html/dynamic-vpn/client/jam/InstallerComponentSRX.exe
-rw-r--r--  1 root  wheel   139M Sep  8  2011 ./jail/var/log/junos-srxsme-11.2R2.4-domestic.tgz
-rw-r-----  1 root  config    14M Feb  8 22:16 ./mfs/var/run/db/schema.db
-rw-r-----  1 root  wheel    10M Feb  8 22:19 ./mfs/var/sdb/log.0000000001
-r--r--r--  1 root  wheel   6.5M Jan  5 13:59 ./usr/lib/dd/libjkernel-dd.so
-r-xr-xr-x  1 root  wheel    13M Jan  5 15:39 ./usr/sbin/authd
-r-xr-xr-x  1 root  wheel   6.0M Jan  5 16:51 ./usr/sbin/chassisd
-r-xr-xr-x  1 root  wheel    27M Jan  5 13:05 ./usr/sbin/flowd_octeon
-r-xr-xr-x  1 root  wheel    34M Jan  5 13:05 ./usr/sbin/flowd_octeon_hm
-r-xr-xr-x  1 root  wheel   5.5M Jan  5 16:51 ./usr/sbin/kmd
-r-xr-xr-x  1 root  wheel    13M Jan  5 16:24 ./usr/sbin/rpd

% find / -size +100000 | xargs ls -lhS
find: /mfs/var/spool/opielocks: Permission denied
-rw-r--r--  1 930   929     142M Aug 28  2014 /cf/packages/junos-12.1X44-D40.2-domestic
-rw-r-----  1 root  wheel    84M Feb 23 21:31 /cf/var/db/idpd/db/secdb_06.db


2. Connecting to the secondary node from the primary node on an SRX cluster
On branch SRX devices, this can be done with the following command:
{primary:node0}
lab@host-A> request routing-engine login node 1

--- JUNOS 10.1R3.7 built 2010-011-10 04:15:10 UTC
{secondary:node1}
lab@host-B>


On high-end SRX devices, you need to drop to the shell and run the following command:

root@host-A% rlogin -T node1

3. Juniper system software in-service-upgrade (maintenance) for a lower-downtime upgrade

JUNOS> request system software in-service-upgrade /var/tmp/junos-srxsme-12.1X44-D35.5-domestic.tgz no-sync no-validate 
ISSU: Validating package
WARNING: in-service-upgrade shall reboot both the nodes
         in your cluster. Please ignore any subsequent
         reboot request message
ISSU: start downloading software package on secondary node
Pushing bundle to node1
Formatting alternate root (/dev/da0s1a)...
/dev/da0s1a: 297.9MB (610028 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 74.47MB, 4766 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
 32, 152544, 305056, 457568
Installing package '/altroot/cf/packages/install-tmp/junos-12.1X44-D35.5-domestic' ...
Verified junos-boot-srxsme-12.1X44-D35.5.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D35.5-domestic signed by PackageProduction_12_1_0
JUNOS 12.1X44-D35.5 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
Saving state for rollback ...
ISSU: finished upgrading on secondary node node1
ISSU: start upgrading software package on primary node
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 297.9MB (610044 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 74.47MB, 4766 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
 32, 152544, 305056, 457568
Installing package '/altroot/cf/packages/install-tmp/junos-12.1X44-D35.5-domestic' ...
Verified junos-boot-srxsme-12.1X44-D35.5.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D35.5-domestic signed by PackageProduction_12_1_0
JUNOS 12.1X44-D35.5 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
Saving state for rollback ...
ISSU: failover all redundancy-groups 1...n to primary node
Successfully reset all redundancy-groups priority back to configured ones.
Redundancy-groups-0 will not be reset and the primaryship remains unchanged.
Successfully reset all redundancy-groups priority back to configured ones.
Redundancy-groups-0 will not be reset and the primaryship remains unchanged.
Initiated manual failover for all redundancy-groups to node0
Redundancy-groups-0 will not failover and the primaryship remains unchanged.
ISSU: rebooting Secondary Node
Shutdown NOW!
[pid 69249]



4. Copy files between two Cluster Members

root@fw-2> file copy /var/tmp/junos10.3.tgz node0:/var/tmp/junos10.3.tgz

or use the fxp0.0 interface IP address to transfer the file:


root@fw-2> file copy /var/tmp/junos10.3.tgz 10.2.8.4:/var/tmp/junos10.3.tgz


5. Juniper Web Tool: SRX HA Configuration Generator


6. Monitor commands to run a flow trace without a commit

monitor security flow filter incoming-filter protocol icmp destination-prefix 1.1.1.1
monitor security flow filter outgoing-filter protocol icmp source-prefix 1.1.1.1
monitor security flow file logflow.log
show monitor security flow
show log logflow.log
monitor security flow stop
clear monitor security flow filter incoming-filter
clear monitor security flow filter outgoing-filter

7. Delete the whole configuration

  • Delete
root@fw-1# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes
root@fw-1# set system root-authentication plain-text-password
New password:
Retype new password:

  • request services fips zeroize
  • request system zeroize
  • load factory-default
  • zeroize 

root@fw-1# request system zeroize


8. Load the Commands/Configuration through the CLI

{primary:node0}[edit]
root@fw-1# load set terminal
[Type ^D at a new line to end input]
load complete

{primary:node0}[edit]
root@fw-1# 

{primary:node0}[edit security zones]
root@fw-1# load merge relative terminal 

[Type ^D at a new line to end input]

security-zone C-Clients {
        tcp-rst;
        address-book {
            address n-10.9.20.0 10.9.20.0/24;
        }
        interfaces {
            reth1.0;
        }

    }
load complete


{primary:node0}[edit security zones]

9. Troubleshoot traffic flowing through SRX


root@fw-srx1> show configuration security flow | display set
set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter f0 source-prefix 10.9.20.14/32
set security flow traceoptions packet-filter f0 destination-prefix 10.9.1.5/32
commit and quit


10. Disable Juniper SRX Clustering

{primary:node1}
user@host> set chassis cluster disable reboot
Successfully disabled chassis cluster. Going to reboot now.


11. Commands to collect logs for JTAC

  • request support information | save /var/log/rsi.node0.txt
  • file archive compress source /var/log/* destination /var/tmp/varlog.node0

12. Install a new software package

root@fw-2> request system software add /var/tmp/junos-srxsme-12.1X44-D40.2-domestic.tgz no-validate no-copy partition
Checking for free space on /var/tmp/install
Copying package /var/tmp/junos-srxsme-12.1X44-D40.2-domestic.tgz to /var/tmp/install
Checking for basic sanity of copied package
WARNING: Installation with partition option will take several minutes to complete
WARNING: Please do not power-cycle the system till the installation is over
WARNING: A reboot is required to install the software
WARNING:     Use the 'request system reboot' command immediately

{secondary:node1}
root@fw-2> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 2098]


Note: The partition option was added to this command in Junos OS Release 10.1. It is optional; when given, the media is formatted and re-partitioned before installation.


13. Packet Captures on Juniper SRX

Juniper SRX packet captures
1. Configure the forwarding options and limits
configure shared

set forwarding-options packet-capture file filename JTAC.pcap files 10 size 10000

set forwarding-options packet-capture maximum-capture-size 1500



2. Create your filter

set firewall filter PCAP term capture from source-address 192.168.1.1/32
set firewall filter PCAP term capture from destination-address 10.15.61.45/32
set firewall filter PCAP term capture from protocol tcp
set firewall filter PCAP term capture from destination-port 443
set firewall filter PCAP term capture then accept
set firewall filter PCAP term allow-all-else then accept


3. Define the interface(s) that will capture the traffic
set interfaces ge-0/0/3 unit 0 family inet filter input PCAP
commit and-quit
(The filter is applied as an input filter, so it captures packets received on the interface; PCAP is the name of the firewall filter.)

4. Read the tcpdump file from the shell
start shell                                
cd /var/tmp
tcpdump -r pcap.ge-0.0.3


5. Cleanup
cli
configure
delete interfaces ge-0/0/3 unit 0 family inet filter input PCAP    (stops the capture)
delete firewall filter PCAP                                   (removes the filter)
delete forwarding-options packet-capture
commit and-quit


% rm /var/tmp/pcap.ge-0.0.3
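Before pasting a capture filter like the one above through `load set terminal`, it is worth linting it. The added Python example below (not code from this post) checks that every address prefix parses and that the filter's last term is a catch-all accept, because Junos applies an implicit discard after the last term and a capture filter without one would drop every other packet on the interface. The sample set lines are constructed from the recipe above with the final term left out and a malformed prefix.

```python
import ipaddress
import re

# Constructed sample: the capture recipe above with the final catch-all term
# left out and a malformed source prefix (a dot where the slash should be).
SAMPLE_SET_LINES = """
set firewall filter PCAP term capture from source-address 192.168.1.1.32
set firewall filter PCAP term capture from destination-address 10.15.61.45/32
set firewall filter PCAP term capture from protocol tcp
set firewall filter PCAP term capture from destination-port 443
set firewall filter PCAP term capture then accept
""".strip().splitlines()

TERM_RE = re.compile(
    r"^set firewall filter (?P<filter>\S+) term (?P<term>\S+) "
    r"(?P<clause>from|then) (?P<key>\S+)(?: (?P<value>.+))?$"
)
ADDRESS_KEYS = {"source-address", "destination-address", "address"}


def parse_filter(lines):
    """Group set lines into {filter: [(term, clause, key, value), ...]},
    keeping term order, which is the order Junos evaluates terms in."""
    filters = {}
    for line in lines:
        m = TERM_RE.match(line.strip())
        if m:
            entry = (m["term"], m["clause"], m["key"], m["value"])
            filters.setdefault(m["filter"], []).append(entry)
    return filters


def lint_capture_filter(lines):
    """Return findings; an empty list means the filter is safe to apply."""
    findings = []
    for name, entries in parse_filter(lines).items():
        terms = []  # unique term names in configuration order
        for term, clause, key, value in entries:
            if term not in terms:
                terms.append(term)
            if clause == "from" and key in ADDRESS_KEYS:
                try:
                    ipaddress.ip_network(value, strict=False)
                except ValueError:
                    findings.append(f"{name}/{term}: invalid prefix {value!r}")
        # Junos ends every filter with an implicit discard, so the last term
        # must match everything and accept, or the interface drops all other
        # traffic as soon as the filter is applied.
        last = terms[-1]
        last_has_from = any(t == last and c == "from" for t, c, _, _ in entries)
        last_accepts = any(t == last and c == "then" and k == "accept"
                           for t, c, k, _ in entries)
        if last_has_from or not last_accepts:
            findings.append(f"{name}: last term {last!r} is not a catch-all accept")
    return findings
```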



14. Delete IDP database for System Software Upgrade

Some older SRX models do not have enough storage space to hold a new software release when other features, such as IDP, are enabled; the IDP database alone can easily take 180M of space on the system. Based on the information at http://jsrx.juniperwiki.com/index.php?title=IDP#Troubleshooting, to upgrade an SRX that lacks enough space, we can delete everything in the IDP database, then add the new image and reboot:



root@fw-m-test-1>  start shell 
root@fw-m-test-1% cd /var/db/idpd/db/
root@fw-m-test-1% rm -rfv *

root@fw-m-test-1% cli

{primary:node0}
root@fw-m-test-1> 

{primary:node0}
root@fw-m-test-1> request system storage cleanup 

List of files to delete:

         Size Date         Name
  4403B Mar 22 15:54 /cf/var/log/default-log-messages.0.gz
    66B Feb  2 21:31 /cf/var/log/idpd_err.20170202
    88B Mar 22 01:38 /cf/var/log/idpd_err.20170322
   152B Mar 22 15:54 /cf/var/log/interactive-commands.0.gz
  9712B Mar 22 15:54 /cf/var/log/messages.0.gz
  35.9K Mar 19 12:45 /cf/var/log/messages.1.gz
   146B Mar 22 15:54 /cf/var/log/traffic-create.0.gz
   144B Mar 22 15:54 /cf/var/log/traffic-deny.0.gz
   143B Mar 22 15:54 /cf/var/log/traffic-log.0.gz
  28.9K Mar 22 15:53 /cf/var/log/wtmp.0.gz
  34.1K Feb 24 20:32 /cf/var/log/wtmp.1.gz
    52B Jan 25 21:06 /cf/var/log/wtmp.2.gz
    60B Mar 15 00:32 /cf/var/tmp/policy_status
     0B Feb 13 21:17 /cf/var/tmp/spu_kmd_init
Delete these files ? [yes,no] (no) yes 


{primary:node0}
root@fw-m-test-1> show version 
node0:
--------------------------------------------------------------------------
Hostname: fw-m-test-1
Model: srx240h
JUNOS Software Release [12.1X44-D40.2]

node1:
--------------------------------------------------------------------------
Hostname: fw-m-test-2
Model: srx240h
JUNOS Software Release [12.1X44-D40.2]

{primary:node0}
root@fw-m-test-1> exit 

root@fw-m-test-1% du -sh /cf/var/db/
187M    /cf/var/db/
root@fw-m-test-1% du -sh /cf/var/db/idpd
167M    /cf/var/db/idpd


root@fw-m-test-1% cd /var/db/idpd/db/
root@fw-m-test-1% ls
__db.register   secdb_01.db     secdb_03.db     secdb_05.db     secdb_07.db     secdb_09.db     secdb_12.db     secdb_14.db     secdb_16.db     secdb_18.db
dfa_cache       secdb_02.db     secdb_04.db     secdb_06.db     secdb_08.db     secdb_10.db     secdb_13.db     secdb_15.db     secdb_17.db
root@fw-m-test-1% rm -rfv * 
__db.register
dfa_cache/rexp_grp_cache.db
dfa_cache/rexp_cache.db
dfa_cache/pcre_cache.db
dfa_cache
secdb_01.db
secdb_02.db
secdb_03.db
secdb_04.db
secdb_05.db
secdb_06.db
secdb_07.db
secdb_08.db
secdb_09.db
secdb_10.db
secdb_12.db
secdb_13.db
secdb_14.db
secdb_15.db
secdb_16.db
secdb_17.db
secdb_18.db
root@fw-m-test-1% cli
{primary:node0}
root@fw-m-test-1> show system storage 
node0:
--------------------------------------------------------------------------
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             293M       148M       121M       55%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/md0                390M       390M         0B      100%  /junos
/cf                     293M       148M       121M       55%  /junos/cf
devfs                   1.0K       1.0K         0B      100%  /junos/dev/
procfs                  4.0K       4.0K         0B      100%  /proc
/dev/bo0s3e              24M       194K        22M        1%  /config
/dev/bo0s3f             342M       167M       148M       53%  /cf/var
/dev/md1                168M        19M       135M       12%  /mfs
/cf/var/jail            342M       167M       148M       53%  /jail/var
/cf/var/log             342M       167M       148M       53%  /jail/var/log
devfs                   1.0K       1.0K         0B      100%  /jail/dev
/dev/md2                 39M       4.0K        36M        0%  /mfs/var/run/utm
/dev/md3                1.8M       4.0K       1.7M        0%  /jail/mfs

node1:
--------------------------------------------------------------------------
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             293M       148M       121M       55%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/md0                390M       390M         0B      100%  /junos
/cf                     293M       148M       121M       55%  /junos/cf
devfs                   1.0K       1.0K         0B      100%  /junos/dev/
procfs                  4.0K       4.0K         0B      100%  /proc
/dev/bo0s3e              24M       196K        22M        1%  /config
/dev/bo0s3f             342M       160M       156M       51%  /cf/var
/dev/md1                168M        19M       135M       12%  /mfs
/cf/var/jail            342M       160M       156M       51%  /jail/var
/cf/var/log             342M       160M       156M       51%  /jail/var/log
devfs                   1.0K       1.0K         0B      100%  /jail/dev
/dev/md2                 39M       4.0K        36M        0%  /mfs/var/run/utm
/dev/md3                1.8M       4.0K       1.7M        0%  /jail/mfs

{primary:node0}

root@fw-m-test-1> request system software add no-copy validate /var/tmp/junos-srxsme-12.1X46-D55.3-domestic.tgz 
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 298.0MB (610284 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 74.50MB, 4768 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
 32, 152608, 305184, 457760
Extracting /var/tmp/junos-srxsme-12.1X46-D55.3-domestic.tgz ...
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_12_1_0
Verified junos-12.1X44-D40.2-domestic signed by PackageProduction_12_1_0
Using junos-12.1X46-D55.3-domestic from /altroot/cf/packages/install-tmp/junos-12.1X46-D55.3-domestic
Copying package ...
Verified manifest signed by PackageProductionRSA_2016
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
Usage: license-check -f "<features>" -m -p -q -M -u -U -V
  -V verify if release based licenses are present
rtslib: WARNING version mismatch for msg notify msg: expected 0 got 98,a reboot or software upgrade may be required

rtslib: WARNING version mismatch for msg residx: expected 98 got 0,a reboot or software upgrade may be required

rtslib: WARNING version mismatch for msg unknown: expected 98 got 0,a reboot or software upgrade may be required

rtslib: WARNING version mismatch for msg notify msg: expected 0 got 98,a reboot or software upgrade may be required

rtslib: WARNING version mismatch for msg residx: expected 98 got 0,a reboot or software upgrade may be required

rtslib: WARNING version mismatch for msg unknown: expected 98 got 0,a reboot or software upgrade may be required

rtslib: WARNING version mismatch for msg notify msg: expected 0 got 98,a reboot or software upgrade may be required

rtslib: WARNING version mismatch for msg residx: expected 98 got 0,a reboot or software upgrade may be required

rtslib: WARNING version mismatch for msg unknown: expected 98 got 0,a reboot or software upgrade may be required


Unified access control daemon: [edit services unified-access-control]
Unified access control daemon:   'infranet-controller ic4500'
Unified access control daemon:     warning: We recommend that you configure the ca-profile to verify infranet controller's certificate in order to prevent a man-in-the-middle attack
Connectivity fault management process: rtslib: WARNING version mismatch for msg notify msg: expected 0 got 98,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg residx: expected 98 got 0,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg unknown: expected 98 got 0,a reboot or software upgrade may be required
Connectivity fault management process:
mgd: commit complete
Validation succeeded
Validating against /config/rescue.conf.gz
Unified access control daemon: [edit services unified-access-control]
Unified access control daemon:   'infranet-controller ic4500'
Unified access control daemon:     warning: We recommend that you configure the ca-profile to verify infranet controller's certificate in order to prevent a man-in-the-middle attack
Connectivity fault management process: rtslib: WARNING version mismatch for msg notify msg: expected 0 got 98,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg residx: expected 98 got 0,a reboot or software upgrade may be required
Connectivity fault management process:
Connectivity fault management process: rtslib: WARNING version mismatch for msg unknown: expected 98 got 0,a reboot or software upgrade may be required
Connectivity fault management process:
mgd: commit complete
Validation succeeded
rm: /cf/var/validate/chroot/mfs/var/etc/pam.conf: Operation not permitted
rm: /cf/var/validate/chroot/mfs/var/etc: Directory not empty
rm: /cf/var/validate/chroot/mfs/var: Directory not empty
rm: /cf/var/validate/chroot/mfs: Directory not empty
rm: /cf/var/validate/chroot: Directory not empty
Installing package '/altroot/cf/packages/install-tmp/junos-12.1X46-D55.3-domestic' ...
Verified junos-boot-srxsme-12.1X46-D55.3.tgz signed by PackageProductionRSA_2016
Verified junos-srxsme-12.1X46-D55.3-domestic signed by PackageProductionRSA_2016
JUNOS 12.1X46-D55.3 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete


{primary:node0}
root@fw-m-test-1> request system reboot 
Reboot the system ? [yes,no] (no) yes 

Shutdown NOW!
[pid 29172]

{primary:node0}
root@fw-m-test-1>                                                                                
*** FINAL System shutdown message from root@fw-m-test-1 ***               

System going down IMMEDIATELY                                                  
                                                                               
The semaphore timeout period has expired.

--- JUNOS 12.1X46-D55.3 built 2016-07-08 18:46:54 UTC
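As an added example (not code from this post), a pre-upgrade check for the storage problem this section describes: it parses `show system storage` output for each cluster node and lists the nodes whose free space on /cf/var would not fit the new image plus a margin. The sample output is a constructed, trimmed copy of the transcript above; the /cf/var mount and the 20% margin are assumptions, and the image size would normally be read from `file list /var/tmp detail`.

```python
import re

# Constructed sample, trimmed from a 'show system storage' transcript like the
# one above; the two nodes differ only in how full /cf/var is.
SAMPLE_STORAGE = """\
node0:
--------------------------------------------------------------------------
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             293M       148M       121M       55%  /
/dev/bo0s3f             342M       167M       148M       53%  /cf/var
/dev/md1                168M        19M       135M       12%  /mfs

node1:
--------------------------------------------------------------------------
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             293M       148M       121M       55%  /
/dev/bo0s3f             342M       160M       156M       51%  /cf/var
/dev/md1                168M        19M       135M       12%  /mfs
"""

UNITS = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def to_bytes(text):
    """Convert a Junos size such as '1.0K', '293M', '0B' or '4403B' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([BKMG])", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_storage(output):
    """Return {node: {mount point: available bytes}} from the command output."""
    result, node = {}, None
    for line in output.splitlines():
        if re.fullmatch(r"node\d+:", line.strip()):
            node = line.strip().rstrip(":")
            result[node] = {}
        elif node is not None and line.startswith("/"):
            fields = line.split()
            if len(fields) >= 6:  # Filesystem Size Used Avail Capacity Mount
                result[node][fields[5]] = to_bytes(fields[3])
    return result


def nodes_short_of_space(output, image_bytes, mount="/cf/var", margin_pct=20):
    """List nodes whose free space on `mount` is below the image size plus a
    margin (assumed 20%) for the package copy made under /var/tmp/install."""
    needed = image_bytes * (100 + margin_pct) // 100
    return [n for n, fs in parse_storage(output).items() if fs.get(mount, 0) < needed]
```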


References:

1. Day One: Junos Tips, Techniques, and Templates 2011 
2. Junos tips and tricks from My work help blog
