[j-nsp] STRM query
Dear Folks, Any one who can let me know a simple thing, I have done the initial configurations on STRM (2009.2) but I am unable to open it via Web UI through Eth0 as management Interface. Even I am unable to ping that device from my laptop. Is there any tricky thing in it? awaiting for urgent response. Thanks in adv regards, Muhammad Fahad Khan JNCIP - M/T # 834 IT Specialist Global Technology Services, IBM fa...@pk.ibm.com +92-301-8247638 Skype: fahad-ibm http://pk.linkedin.com/in/muhammadfahadkhan ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] STRM query
And further, I have no issues if ping does not work. The main problem is I am unable to access it via web UI regards, Muhammad Fahad Khan JNCIP - M/T # 834 IT Specialist Global Technology Services, IBM fa...@pk.ibm.com +92-301-8247638 Skype: fahad-ibm http://pk.linkedin.com/in/muhammadfahadkhan On Thu, Feb 17, 2011 at 4:52 PM, Fahad Khan fahad.k...@gmail.com wrote: what is the correct mode? I selected STRM Console Thanks for the quick reply regards, Muhammad Fahad Khan JNCIP - M/T # 834 IT Specialist Global Technology Services, IBM fa...@pk.ibm.com +92-301-8247638 Skype: fahad-ibm http://pk.linkedin.com/in/muhammadfahadkhan On Thu, Feb 17, 2011 at 4:50 PM, Rafal Grzeskowiak r...@man.koszalin.plwrote: Hi Fahad, In order to enable pings, you need to reconfigure iptables rules, according to the KB article: http://kb.juniper.net/InfoCenter/index?page=contentid=KB14001actp=searchsearchid=1278510708579 Are you sure that during installation process you selected the correct mode (i.e. not Qflow collector)? BR, Rafal Dear Folks, Any one who can let me know a simple thing, I have done the initial configurations on STRM (2009.2) but I am unable to open it via Web UI through Eth0 as management Interface. Even I am unable to ping that device from my laptop. Is there any tricky thing in it? awaiting for urgent response. Thanks in adv regards, Muhammad Fahad Khan JNCIP - M/T # 834 IT Specialist Global Technology Services, IBM fa...@pk.ibm.com +92-301-8247638 Skype: fahad-ibm http://pk.linkedin.com/in/muhammadfahadkhan ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] RE : SNMP if-mib stops responding
Hi, Thanks for the info, restarting the PFED did solve our issue. Regards, Ido. -Original Message- From: Tarique A. Nalkhande - BMC [mailto:t.nalkhande@mobily.com.sa] Sent: Tuesday, February 15, 2011 10:51 PM To: david@orange-ftgroup.com; Pekka Savola; Ido Szargel Cc: juniper-nsp@puck.nether.net Subject: RE: [j-nsp] RE : SNMP if-mib stops responding Hello, PR# NUMBER 566681 SEVERITYmajor CATEGORYsw STATE closed SYNOPSISshow interface statistics stuck, show pfe statistics traffic returns an error COMMITTED-IN RELEASE- ARRIVAL DATE2010-11-17 13:47:29 LAST MODIFIED 2011-01-27 13:51:26 CLOSE DATE 2010-12-21 10:31:39 RELEASE NOTEOn MX routers running Junos 10.2 and above, under certain conditions it is possible for command 'show interface statistics' to get stuck (i.e. not return anything and hung); 'show pfe statistics traffic' to return error: the mib-process subsystem is not responding to management requests and SNMP queries failing. If this issue is encountered, a restart of the pfed process recovers from the error. Restart PFED via root shell ps -A | grep pfed | egrep -v grep | awk '{print $1}' | xargs kill Only if running 10.2S4, where in pfed tracing got enabled by mistake, execute the below to disable pfed tracing. ps -A | grep pfed | egrep -v grep | awk '{print $1}' | xargs kill -INFO Note the kill -INFO results in a toggle action - if pfed tracing is OFF, it is truned ON and if it is enabled it is turned OFF. Thanks Regards Tarique Abbas Nalkhande -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of david@orange-ftgroup.com Sent: 15 February, 2011 10:40 PM To: Pekka Savola; Ido Szargel Cc: juniper-nsp@puck.nether.net Subject: [j-nsp] RE : SNMP if-mib stops responding Hi We encountered this issue in 10.2R3 (fixed in 10.2S6.3). Mib2d and PFED become stuck due to a bug (PR). You need to restart the pfed process (it manages PFE stats : no issue if you restart it). Kill, via the shell, the PFEd process (there is no restart via cli). it will restart then. Regards, David De : juniper-nsp-boun...@puck.nether.net [juniper-nsp-boun...@puck.nether.net] de la part de Pekka Savola [pek...@netcore.fi] Date d'envoi : mardi 15 février 2011 18:50 À : Ido Szargel Cc : juniper-nsp@puck.nether.net Objet : Re: [j-nsp] SNMP if-mib stops responding On Tue, 15 Feb 2011, Ido Szargel wrote: We have tried to restart both the mib-process and the snmp. Even with local snmpwalk we don't see any interfaces: In many cases like these, we've had to restart chassisd (chassis-control). This is service-impacting. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp IMPORTANT. Les informations contenues dans ce message électronique y compris les fichiers attachés sont strictement confidentielles et peuvent être protégées par la loi. Ce message électronique est destiné exclusivement au(x) destinataire(s) mentionné(s) ci-dessus. Si vous avez reçu ce message par erreur ou s'il ne vous est pas destiné, veuillez immédiatement le signaler à l'expéditeur et effacer ce message et tous les fichiers éventuellement attachés. Toute lecture, exploitation ou transmission des informations contenues dans ce message est interdite. Tout message électronique est susceptible d'altération. A ce titre, le Groupe France Télécom décline toute responsabilité notamment s'il a été altéré, déformé ou falsifié. De même, il appartient au destinataire de s'assurer de l'absence de tout virus. IMPORTANT.This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure of this message is prohibited. Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp --Disclaimer-- This email and any files transmitted with are classified as confidential unless otherwise specified. This e-mail is
Re: [j-nsp] RE : SNMP if-mib stops responding
Interesting. Were you doing VRRP on IRB, or just plain IRB? On Thu, Feb 17, 2011 at 03:37:27PM +0300, Ruslan Magomedov wrote: Hello, IRB interface stopped working at all on MX with Trio, at least in my environment, after upgrading from 10.2R3 to 10.4R2, fortunately that is not causing many problems for me Best regards, Ruslan -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Richard A Steenbergen Sent: Wednesday, February 16, 2011 8:17 PM To: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] RE : SNMP if-mib stops responding On Wed, Feb 16, 2011 at 08:51:01AM -0500, Chuck Anderson wrote: 10.4R2 is even better for MX Trio I'm told...I plan on upgrading to it soon. We were planning on going to 10.3R3, but it seems to be eternally delayed, and 10.3R2 definitely has some known nasty bugs. We haven't had a chance to do much testing on 10.4 w/Trio yet, so anything interesting that people encounter with it please share. :) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] SRX IPSEC VPN dynamic-to-static
Hi For what ever reason I can't find documentation on this anywhere. (I'm just hoping my google-foo is lacking and that it's not an unsupported feature) I have 2 x SRX-210's, one with a static public IP and another behind a dynamic ADSL account. I'm trying to get an IPSEC session established from the dynamic site to the static site. But I can't get a combination of config options to work. Does anyone know how to get this done or point me in the right direction? Kind Regards, Mauritz ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] RE : SNMP if-mib stops responding
Hi Chuck, No VRRP, we had just one IRB interface configured in one of few bridge-domains Bridge-domains are working fine itself magp...@rt.mr.msk show configuration bridge-domains domain-name domain-type bridge; vlan-id 13; interface xe-0/0/2.13; interface xe-11/2/1.13; inactive: interface ae3.13; interface ae5.13; routing-interface irb.13; magp...@rt.mr.msk show configuration interfaces irb unit 13 { family inet { rpf-check; mtu 1500; no-redirects; address 192.168.1.241/24; } } I just looked in logs one more time and noticed messages with something about rpf in it. Deactivating rpf-check resolved that issue eb 17 10:45:00.073 RT.MR.MSK fpc9 RT-HAL,rt_entry_add_msg_check,1120: unknown rpf lst id, proto ipv4, rtt index 8 prefixlen 32 prefix 192.168.1.250 nh 971 rpf 142 Feb 17 10:45:00.073 RT.MR.MSK fpc2 RT-HAL,rt_entry_add_msg_check,1120: unknown rpf lst id, proto ipv4, rtt index 8 prefixlen 32 prefix 192.168.1.250 nh 971 rpf 142 Feb 17 10:45:00.084 RT.MR.MSK fpc11 RT-HAL,rt_entry_add_msg_check,1120: unknown rpf lst id, proto ipv4, rtt index 8 prefixlen 32 prefix 192.168.1.250 nh 971 rpf 142 Feb 17 12:18:33.480 RT.MR.MSK fpc4 RT-HAL,rt_entry_add_msg_check,1120: unknown rpf lst id, proto ipv4, rtt index 8 prefixlen 32 prefix 192.168.1.0 nh 972 rpf 142 Feb 17 12:18:33.484 RT.MR.MSK fpc11 RT-HAL,rt_entry_add_msg_check,1120: unknown rpf lst id, proto ipv4, rtt index 8 prefixlen 32 prefix 192.168.1.0 nh 972 rpf 142 Feb 17 12:18:33.486 RT.MR.MSK fpc2 RT-HAL,rt_entry_add_msg_check,1120: unknown rpf lst id, proto ipv4, rtt index 8 prefixlen 32 prefix 192.168.1.0 nh 972 rpf 142 Feb 17 12:18:33.487 RT.MR.MSK fpc7 RT-HAL,rt_entry_add_msg_check,1120: unknown rpf lst id, proto ipv4, rtt index 8 prefixlen 32 prefix 192.168.1.0 nh 972 rpf 142 Feb 17 12:18:33.490 RT.MR.MSK fpc9 RT-HAL,rt_entry_add_msg_check,1120: unknown rpf lst id, proto ipv4, rtt index 8 prefixlen 32 prefix 192.168.1.0 nh 972 rpf 142 Feb 17 12:18:33.491 RT.MR.MSK fpc0 RT-HAL,rt_entry_add_msg_check,1120: unknown rpf lst id, proto ipv4, rtt index 8 prefixlen 32 prefix 192.168.1.0 nh 972 rp Best regards, Ruslan 2011/2/17 Chuck Anderson c...@wpi.edu: Interesting. Were you doing VRRP on IRB, or just plain IRB? On Thu, Feb 17, 2011 at 03:37:27PM +0300, Ruslan Magomedov wrote: Hello, IRB interface stopped working at all on MX with Trio, at least in my environment, after upgrading from 10.2R3 to 10.4R2, fortunately that is not causing many problems for me Best regards, Ruslan -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Richard A Steenbergen Sent: Wednesday, February 16, 2011 8:17 PM To: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] RE : SNMP if-mib stops responding On Wed, Feb 16, 2011 at 08:51:01AM -0500, Chuck Anderson wrote: 10.4R2 is even better for MX Trio I'm told...I plan on upgrading to it soon. We were planning on going to 10.3R3, but it seems to be eternally delayed, and 10.3R2 definitely has some known nasty bugs. We haven't had a chance to do much testing on 10.4 w/Trio yet, so anything interesting that people encounter with it please share. :) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Monitoring Connectivity Out Multiple Links
A number of people emailed me asking to let them know if I found a solution or made any progress on this. I've had some time to work on it and think I have the RPM stuff figured out. Now I just need to actually use what RPM tracks in some event-options to actually have the system respond autonomously. For more details and configuration code, see the my thread at the J-Net Forums, http://forums.juniper.net/t5/SRX-Services-Gateway/Dual-ISP-Failover-via-RPM/m-p/72700/highlight/false#M8459 On 1/24/2011 at 8:54 PM, Crist Clark crist.cl...@globalstar.com wrote: I've got a site with multiple Internet links. I want to continuously monitor Internet connectivity across all links although I only plan to use one at a time for production traffic. This is fail over only, not load balancing. Just routing by link up or down is not sufficient. All of the links terminate as Ethernet on the device, an SRX 240H, with switches between it and the CPE. I found the Real Time Monitoring (RPM) features in JUNOS, and it seemed perfect. I could set up a few ICMP pings and HTTP GETs to some reliable locations and then only fail over when the preferred ISP has more failures than the backup(s). But I'm having problems getting this to work. I thought I could set up a routing instance with the default route out each ISP then set up a RPM test associated with each routing instance, after all, the knobs seem to be in place to do this, but it does not work. From the research I've done, it seems that a forwarding routing instance won't actually affect the packets originating on the host itself? So what is the right way to do this? Am I on the right track? BTW, this is running 10.0, but upgrading is definitely an option. -- Crist Clark Network Security Specialist, Information Systems Globalstar 408 933 4387 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Matching multiple communities in a policy-statement
Hi all, I am trying to find a way to match 2 communities on a policy-statement (both of them must exist), any ideas on how to achieve that? I couldn't find any community-list or such configuration available, we are using MX routers. Thanks, Ido. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Matching multiple communities in a policy-statement
When you create a community with two values inside square brackets it's an and operation. When specify multiple community names in a policy it's an or operation. Regards Amos On Feb 17, 2011, at 10:31 PM, Ido Szargel wrote: Hi all, I am trying to find a way to match 2 communities on a policy-statement (both of them must exist), any ideas on how to achieve that? I couldn't find any community-list or such configuration available, we are using MX routers. Thanks, Ido. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] VPLS questions and also lt interface questions...
All: When you configure 'no-tunnel-services' under VPLS, does the router still steal bandwidth from the PFEs in various line cards to support VPLS? It seems to me it does. A show interface terse shows logical interfaces dedicated to VPLS. From the PFE shell, these are ifls created for VPLS lsis: ### ADPC2(TL-MX240-A vty)# show xeth-pic 0 PIC Information pic name : XETH(2/0) port count : 10 ifd count : 10 debug flags : 0x0 mac db instance id : 1 num of dest filters : 3 macdb isr invoke count : 1636 link isr invoke count : 21 periodic poll : TRUE mac poll : TRUE num vpls lsi ifls : 1 num mf entries : 0 separate l2-l3 scheduler : FALSE Not the num vpls lsi ifls. On a 40 port 10/100/1000 blade if we fully populate the 10 ports associated with this PFE, then adding VPLS ifls on top of that means we are effectively oversubscribing the PFE, correct? 2. In the MX solution guide there is an example where you can connect L2 instances with L3 instances using lt interfaces. You need to enable tunnel-services on the PIC to do this, and in that configuration you specify a bandwidth of 1G on the 40 port 10/100/1000 card. The documentation says this is a reservation. What does this mean? That traffic tied to tunnel services is guaranteed 1G of bandwidth on the PFE but can use more if available? Or does it mean tunnel-services traffic will be policed at 1G? 3. (a) If I use no-tunnel-services in VPLS and I also decided to connect an L2 instance to an L3 instance using an lt interface pair and (b) the VPLS lsi ifl happens to be on the same PFE as the lt interface pair, does that mean traffic could potentially hit the same PFE twice? Thanks! ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Third Edition of Minei Lucek MPLS-Enabled Applications
I see that there is now a new edition of Ina Minei's and Julian Lucek's _MPLS-Enabled Applications: Emerging Developments and New Technologies_ out now. http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470665459 I have read much of the second edition and it is probably the best one-stop text on MPLS protocols and theory that I have come across. I only wish there were JUNOS configuration and debugging cross-references to go along with it to make it more practical. Anyway, I was wondering if anyone on the list has read the new third edition yet. I'd be curious to know if it would worth getting over and above the second edition. Thanks. Clarke Morledge College of William and Mary Information Technology - Network Engineering Jones Hall (Room 18) Williamsburg VA 23187 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Third Edition of Minei Lucek MPLS-Enabled Applications
Here's a summary of what the preface says: -three new chapters (advanced topics in multicast in L3VPNs, advanced protection schemes for the LSP tail end, ovreview of MPLS-TP. - additional material added and updated throughout the book. Chapter 16 has new sections describing the seamless MPLS architecture. New material covering live-live and live-standby schemes for multicast resilience, point-to-multipoint pseudowires, pseudowire redundancy, and VPLS interprovider Option E. The book is now 593 pages. Aviva In message alpine.gso.2.00.1102171638500.19...@stat.wm.eduyou write: I see that there is now a new edition of Ina Minei's and Julian Lucek's _MPLS-Enabled Applications: Emerging Developments and New Technologies_ out now. http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Com munications/dp/0470665459 I have read much of the second edition and it is probably the best one-stop text on MPLS protocols and theory that I have come across. I only wish there were JUNOS configuration and debugging cross-references to go along with it to make it more practical. Anyway, I was wondering if anyone on the list has read the new third edition yet. I'd be curious to know if it would worth getting over and above the second edition. Thanks. Clarke Morledge College of William and Mary Information Technology - Network Engineering Jones Hall (Room 18) Williamsburg VA 23187 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] 100-GigE interoperability
Hello all, Anyone actually tried to connect a CRS-3 to a T1600 over 100-Gigabit Ethernet? I am not thinking of interface compatibility. Thanks, Mihai Dumitru ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp