Re: [j-nsp] internal traffic forwarding between instances
Hi! Seems to be working now. Thanks! I knew it was something small. Matthias Am 20.03.10 00:54, schrieb Stefan Fouant: What happens if you leak interface routes between instance1 and inet.0? Stefan Fouant --Original Message-- From: Matthias Gelbhardt Sender: juniper-nsp-boun...@puck.nether.net To: juniper-nsp@puck.nether.net ReplyTo: matth...@commy.de Subject: [j-nsp] internal traffic forwarding between instances Sent: Mar 19, 2010 5:08 PM Hi! I try to accomplish the following: I have two J-Series routers in chassis cluster mode. I have two reth-interfaces, reth1 and reth2. The interfaces are connected to a switch, so I have four cables to one VLAN. I have one routing-instace instance1, which is configured, together with inet.0 running OSPF. Behind the switch is a firewall, which is also running OSPF. I have configured rib-groups, so I have copied the routing tables from inet.0 to instance1.inet.0 and instance1.inet.0 to inet.0. I see all of the routes learned from OSPF. I have also copied a static default route into instance1. Now I am killing all connections but one, which is configured to the instance1. In the routing table I see, that all the routes are destined to reth2, which is in instance1. But there seems to be no traffic forwarding. Am I lacking something? Do I have to configure something else to enable that? I use instance-type virtual-router. The forwarding has to be made internal without a physical interface. Is that possible? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp Sent from my Verizon Wireless BlackBerry ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] internal traffic forwarding between instances
Hi! I try to accomplish the following: I have two J-Series routers in chassis cluster mode. I have two reth-interfaces, reth1 and reth2. The interfaces are connected to a switch, so I have four cables to one VLAN. I have one routing-instace instance1, which is configured, together with inet.0 running OSPF. Behind the switch is a firewall, which is also running OSPF. I have configured rib-groups, so I have copied the routing tables from inet.0 to instance1.inet.0 and instance1.inet.0 to inet.0. I see all of the routes learned from OSPF. I have also copied a static default route into instance1. Now I am killing all connections but one, which is configured to the instance1. In the routing table I see, that all the routes are destined to reth2, which is in instance1. But there seems to be no traffic forwarding. Am I lacking something? Do I have to configure something else to enable that? I use instance-type virtual-router. The forwarding has to be made internal without a physical interface. Is that possible? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] software version to use?
Hi! Interesting, they are recommend 9.6R1 für the J-series. Wouldn't that be stupid, as I think Mark is right. Are old versions not so stable on J-series? On the other hand, the routers should only do routing and BGP, nothing more, nothing less. Matthias Benny Sumitro schrieb: You can use this link. Login is required for the info though. https://www.juniper.net/customers/csc/software/junos_software_versions.jsp BR, Benny On Tue, Sep 15, 2009 at 9:29 PM, Matthias Gelbhardt <mailto:matth...@commy.de>> wrote: Hi! At the moment I am configuring a bunch of Js for a customer. What will be the best practice to choose which version of JUNOS you should use? Are you using no Release until it reaches R2 or something like that? Do you prefer the even ones? Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net <mailto:juniper-nsp@puck.nether.net> https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] software version to use?
Hi! At the moment I am configuring a bunch of Js for a customer. What will be the best practice to choose which version of JUNOS you should use? Are you using no Release until it reaches R2 or something like that? Do you prefer the even ones? Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] j-flow license problem
Hi! After some waiting we finaly received a j-flow license for a J-Series router. Today I wanted to generate a license-key but get the error "Authcode enables an already existing feature or multiple authcodes enable same feature". The J-Series is running 9.3 and has the j-flow feature not enables. Do I have to update every machine to enable the j-flow since it is a feature, which is build in in future releases? Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] optimized switchover
Hi! Nothing there: zones { security-zone trust { tcp-rst; host-inbound-traffic { system-services { ping; ssh; snmp; } protocols { bfd; bgp; } } interfaces { all; } } } Regards, Matthias Sean Clarke schrieb: Most daemons would restart. What is in your log message file ? Anything in /var/tmp or /var/crash directories ? I have this running here across 2 x M10's and I don't see an issue, so maybe firewall is causing it. How are you allowing BFD traffic into the ES box ? cheers On 9/8/09 1:27 PM, Matthias Gelbhardt wrote: Hi! We are using only iBGP between our routers on different locations. There is a working BGP and data-connection between the two systems. Perhaps I can somehow restart the BFD-daemon? Maybe it crashed? Matthias Sean Clarke schrieb: Are you not using an IGP ? Can you ping between the 2 routers ? On 9/8/09 1:07 PM, Matthias Gelbhardt wrote: Hi! I see now only outgoing BFD packets... Perhaps I should better think about using an IGP for the internal communication. Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] optimized switchover
Hi! We are using only iBGP between our routers on different locations. There is a working BGP and data-connection between the two systems. Perhaps I can somehow restart the BFD-daemon? Maybe it crashed? Matthias Sean Clarke schrieb: Are you not using an IGP ? Can you ping between the 2 routers ? On 9/8/09 1:07 PM, Matthias Gelbhardt wrote: Hi! I see now only outgoing BFD packets... Perhaps I should better think about using an IGP for the internal communication. Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] optimized switchover
Hi! I see now only outgoing BFD packets... Perhaps I should better think about using an IGP for the internal communication. Matthias Matthias Gelbhardt schrieb: Hi! I do not understand why, but I do not see packets on the other router. But there is no icmp either, when I ping the other side. The ES is on one router, but in routermode. But I have explicitly allowed BFD now. Strange, I do not understand, why the tcpdump is not working correctly. Matthias Nilesh Khambal schrieb: Hi Matthias, I am no expert on J-Seris, but looking at BFD state, I feel that there is an issue sending or receiving BFD packets on your Router B. AdminDown state here may mean that no packets were ever received from Router A. If you are running a Junos Enhanced Services version on these J-Series routers, can you check if any specific policy needs to be created to allow these BFD packets (UDP/3784)? Also, check if any firewall filters blocking BFD packets. Try to run tcpdump on both routers to see if BFD packets are being received or not. Thanks, Nilesh. On 9/8/09 1:40 AM, "Matthias Gelbhardt" wrote: Hi! No, actually they are directly connected, so I do not know, why there is a multihop output. Perhaps somehow he thinks to be not directly connected and that is the problem? Both routers are J6350. Regards, Matthias Nilesh Khambal schrieb: Hi Matthias, Are these peers established over a directly connected IPs or is this an indirect session? The session shows multihop on both routers from the show output provided below. What is the router platform on both sides? Thanks, Nilesh On 9/8/09 1:25 AM, "Matthias Gelbhardt" wrote: Hi! That is the doc I have used for configuring. Both routers are Juniper routers over a Laver 2 Link directly connected. One router is 9.3R2.8 The other 9.4R2.9. Regards, Matthias Nilesh Khambal schrieb: Hi Matthias, What JUNOS version are you running on this router? Is other end router also a Juniper router? Are both peers directly connected or is this a multihop session? Try this doc link see if it can help. http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-routing/i>>>> d -13279139.html#id-13279139 Thanks, Nilesh. On 9/8/09 12:53 AM, "Matthias Gelbhardt" wrote: Has no one an idea? It seems, that I am really stuck here. Do I have to activate something on the other side (hence the AdminDown status?) Regards, Matthias Matthias Gelbhardt schrieb: Hello David, great tip. Unfortunatly BFD for BGP - though detailed documented - has no examples flying around. Perhaps I am missing something here. I have two routers connected via iBGP. I have tried to make the configuration rather simple (only the important parts, BGP session is up and running): This is the same on both sides (change in the IP-addresses of course) protocols bgp { group internal { type internal; neighbor 91.190.xxx.xxx { local-address 91.190.xxx.xxx; bfd-liveness-detection { minimum-interval 1000; multiplier 3; } } } Router A: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Init 3.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Session down time 00:00:04 Local diagnostic CtlExpire, remote diagnostic None Remote state Down, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 1.000, min RX interval 1.000, multiplier 3 Local discriminator 1, remote discriminator 1 Echo mode disabled/inactive, no-absorb, no-refresh, update-adj Multi-hop, min-recv-TTL 0, route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps Router B: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Down 0.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Local diagnostic None, remote diagnostic None Remote state AdminDown, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 0.000, min RX interval 0.000, multiplier 0 Local discriminator 1, remote discriminator 0 Echo mode disabled/inactive, no-absorb, no-refresh Multi-hop route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 0.0 pps I see the diagnostic on router A but do not understand it. I
Re: [j-nsp] optimized switchover
Hi! I do not understand why, but I do not see packets on the other router. But there is no icmp either, when I ping the other side. The ES is on one router, but in routermode. But I have explicitly allowed BFD now. Strange, I do not understand, why the tcpdump is not working correctly. Matthias Nilesh Khambal schrieb: Hi Matthias, I am no expert on J-Seris, but looking at BFD state, I feel that there is an issue sending or receiving BFD packets on your Router B. AdminDown state here may mean that no packets were ever received from Router A. If you are running a Junos Enhanced Services version on these J-Series routers, can you check if any specific policy needs to be created to allow these BFD packets (UDP/3784)? Also, check if any firewall filters blocking BFD packets. Try to run tcpdump on both routers to see if BFD packets are being received or not. Thanks, Nilesh. On 9/8/09 1:40 AM, "Matthias Gelbhardt" wrote: Hi! No, actually they are directly connected, so I do not know, why there is a multihop output. Perhaps somehow he thinks to be not directly connected and that is the problem? Both routers are J6350. Regards, Matthias Nilesh Khambal schrieb: Hi Matthias, Are these peers established over a directly connected IPs or is this an indirect session? The session shows multihop on both routers from the show output provided below. What is the router platform on both sides? Thanks, Nilesh On 9/8/09 1:25 AM, "Matthias Gelbhardt" wrote: Hi! That is the doc I have used for configuring. Both routers are Juniper routers over a Laver 2 Link directly connected. One router is 9.3R2.8 The other 9.4R2.9. Regards, Matthias Nilesh Khambal schrieb: Hi Matthias, What JUNOS version are you running on this router? Is other end router also a Juniper router? Are both peers directly connected or is this a multihop session? Try this doc link see if it can help. http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-routing/i>>>> d -13279139.html#id-13279139 Thanks, Nilesh. On 9/8/09 12:53 AM, "Matthias Gelbhardt" wrote: Has no one an idea? It seems, that I am really stuck here. Do I have to activate something on the other side (hence the AdminDown status?) Regards, Matthias Matthias Gelbhardt schrieb: Hello David, great tip. Unfortunatly BFD for BGP - though detailed documented - has no examples flying around. Perhaps I am missing something here. I have two routers connected via iBGP. I have tried to make the configuration rather simple (only the important parts, BGP session is up and running): This is the same on both sides (change in the IP-addresses of course) protocols bgp { group internal { type internal; neighbor 91.190.xxx.xxx { local-address 91.190.xxx.xxx; bfd-liveness-detection { minimum-interval 1000; multiplier 3; } } } Router A: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Init 3.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Session down time 00:00:04 Local diagnostic CtlExpire, remote diagnostic None Remote state Down, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 1.000, min RX interval 1.000, multiplier 3 Local discriminator 1, remote discriminator 1 Echo mode disabled/inactive, no-absorb, no-refresh, update-adj Multi-hop, min-recv-TTL 0, route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps Router B: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Down 0.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Local diagnostic None, remote diagnostic None Remote state AdminDown, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 0.000, min RX interval 0.000, multiplier 0 Local discriminator 1, remote discriminator 0 Echo mode disabled/inactive, no-absorb, no-refresh Multi-hop route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 0.0 pps I see the diagnostic on router A but do not understand it. I thought the minimum-interval might be too low, so I set it up to a thousand. Regards, Matthias David Ball schrieb: There are likely several answers to that, all dependant on your topol
Re: [j-nsp] optimized switchover
Hi! No, actually they are directly connected, so I do not know, why there is a multihop output. Perhaps somehow he thinks to be not directly connected and that is the problem? Both routers are J6350. Regards, Matthias Nilesh Khambal schrieb: Hi Matthias, Are these peers established over a directly connected IPs or is this an indirect session? The session shows multihop on both routers from the show output provided below. What is the router platform on both sides? Thanks, Nilesh On 9/8/09 1:25 AM, "Matthias Gelbhardt" wrote: Hi! That is the doc I have used for configuring. Both routers are Juniper routers over a Laver 2 Link directly connected. One router is 9.3R2.8 The other 9.4R2.9. Regards, Matthias Nilesh Khambal schrieb: Hi Matthias, What JUNOS version are you running on this router? Is other end router also a Juniper router? Are both peers directly connected or is this a multihop session? Try this doc link see if it can help. http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-routing/id -13279139.html#id-13279139 Thanks, Nilesh. On 9/8/09 12:53 AM, "Matthias Gelbhardt" wrote: Has no one an idea? It seems, that I am really stuck here. Do I have to activate something on the other side (hence the AdminDown status?) Regards, Matthias Matthias Gelbhardt schrieb: Hello David, great tip. Unfortunatly BFD for BGP - though detailed documented - has no examples flying around. Perhaps I am missing something here. I have two routers connected via iBGP. I have tried to make the configuration rather simple (only the important parts, BGP session is up and running): This is the same on both sides (change in the IP-addresses of course) protocols bgp { group internal { type internal; neighbor 91.190.xxx.xxx { local-address 91.190.xxx.xxx; bfd-liveness-detection { minimum-interval 1000; multiplier 3; } } } Router A: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Init 3.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Session down time 00:00:04 Local diagnostic CtlExpire, remote diagnostic None Remote state Down, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 1.000, min RX interval 1.000, multiplier 3 Local discriminator 1, remote discriminator 1 Echo mode disabled/inactive, no-absorb, no-refresh, update-adj Multi-hop, min-recv-TTL 0, route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps Router B: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Down 0.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Local diagnostic None, remote diagnostic None Remote state AdminDown, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 0.000, min RX interval 0.000, multiplier 0 Local discriminator 1, remote discriminator 0 Echo mode disabled/inactive, no-absorb, no-refresh Multi-hop route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 0.0 pps I see the diagnostic on router A but do not understand it. I thought the minimum-interval might be too low, so I set it up to a thousand. Regards, Matthias David Ball schrieb: There are likely several answers to that, all dependant on your topology and protocol use. But, a good place to start would be BFD (bidirectional forwarding detection). Juniper has decent support for it working with other protocols (OSPF, ISIS, BGP, RIP), notifying them that something may be wrong, allowing them to then make a decision (support may differ from protocol to protocol). That may be a good start point. http://www.juniper.net/techpubs/software/junos/junos95/swconfig-routing/sw co nfig-routing-IX.html#B David B 2009/9/6 Matthias Gelbhardt : Hi! I wonder what the best practices for optimized switchovers would be? I mean fast comprehension of failed BGP connections? A fibre cut or something like that, how can I be sure, that my routers are detecting the failed session as soon as possible? What would be the best practices fpr that? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/
Re: [j-nsp] optimized switchover
Hi! That is the doc I have used for configuring. Both routers are Juniper routers over a Laver 2 Link directly connected. One router is 9.3R2.8 The other 9.4R2.9. Regards, Matthias Nilesh Khambal schrieb: Hi Matthias, What JUNOS version are you running on this router? Is other end router also a Juniper router? Are both peers directly connected or is this a multihop session? Try this doc link see if it can help. http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-routing/id -13279139.html#id-13279139 Thanks, Nilesh. On 9/8/09 12:53 AM, "Matthias Gelbhardt" wrote: Has no one an idea? It seems, that I am really stuck here. Do I have to activate something on the other side (hence the AdminDown status?) Regards, Matthias Matthias Gelbhardt schrieb: Hello David, great tip. Unfortunatly BFD for BGP - though detailed documented - has no examples flying around. Perhaps I am missing something here. I have two routers connected via iBGP. I have tried to make the configuration rather simple (only the important parts, BGP session is up and running): This is the same on both sides (change in the IP-addresses of course) protocols bgp { group internal { type internal; neighbor 91.190.xxx.xxx { local-address 91.190.xxx.xxx; bfd-liveness-detection { minimum-interval 1000; multiplier 3; } } } Router A: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Init 3.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Session down time 00:00:04 Local diagnostic CtlExpire, remote diagnostic None Remote state Down, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 1.000, min RX interval 1.000, multiplier 3 Local discriminator 1, remote discriminator 1 Echo mode disabled/inactive, no-absorb, no-refresh, update-adj Multi-hop, min-recv-TTL 0, route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps Router B: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Down 0.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Local diagnostic None, remote diagnostic None Remote state AdminDown, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 0.000, min RX interval 0.000, multiplier 0 Local discriminator 1, remote discriminator 0 Echo mode disabled/inactive, no-absorb, no-refresh Multi-hop route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 0.0 pps I see the diagnostic on router A but do not understand it. I thought the minimum-interval might be too low, so I set it up to a thousand. Regards, Matthias David Ball schrieb: There are likely several answers to that, all dependant on your topology and protocol use. But, a good place to start would be BFD (bidirectional forwarding detection). Juniper has decent support for it working with other protocols (OSPF, ISIS, BGP, RIP), notifying them that something may be wrong, allowing them to then make a decision (support may differ from protocol to protocol). That may be a good start point. http://www.juniper.net/techpubs/software/junos/junos95/swconfig-routing/swco nfig-routing-IX.html#B David B 2009/9/6 Matthias Gelbhardt : Hi! I wonder what the best practices for optimized switchovers would be? I mean fast comprehension of failed BGP connections? A fibre cut or something like that, how can I be sure, that my routers are detecting the failed session as soon as possible? What would be the best practices fpr that? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] optimized switchover
Has no one an idea? It seems, that I am really stuck here. Do I have to activate something on the other side (hence the AdminDown status?) Regards, Matthias Matthias Gelbhardt schrieb: Hello David, great tip. Unfortunatly BFD for BGP - though detailed documented - has no examples flying around. Perhaps I am missing something here. I have two routers connected via iBGP. I have tried to make the configuration rather simple (only the important parts, BGP session is up and running): This is the same on both sides (change in the IP-addresses of course) protocols bgp { group internal { type internal; neighbor 91.190.xxx.xxx { local-address 91.190.xxx.xxx; bfd-liveness-detection { minimum-interval 1000; multiplier 3; } } } Router A: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Init 3.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Session down time 00:00:04 Local diagnostic CtlExpire, remote diagnostic None Remote state Down, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 1.000, min RX interval 1.000, multiplier 3 Local discriminator 1, remote discriminator 1 Echo mode disabled/inactive, no-absorb, no-refresh, update-adj Multi-hop, min-recv-TTL 0, route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps Router B: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Down 0.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Local diagnostic None, remote diagnostic None Remote state AdminDown, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 0.000, min RX interval 0.000, multiplier 0 Local discriminator 1, remote discriminator 0 Echo mode disabled/inactive, no-absorb, no-refresh Multi-hop route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 0.0 pps I see the diagnostic on router A but do not understand it. I thought the minimum-interval might be too low, so I set it up to a thousand. Regards, Matthias David Ball schrieb: There are likely several answers to that, all dependant on your topology and protocol use. But, a good place to start would be BFD (bidirectional forwarding detection). Juniper has decent support for it working with other protocols (OSPF, ISIS, BGP, RIP), notifying them that something may be wrong, allowing them to then make a decision (support may differ from protocol to protocol). That may be a good start point. http://www.juniper.net/techpubs/software/junos/junos95/swconfig-routing/swconfig-routing-IX.html#B David B 2009/9/6 Matthias Gelbhardt : Hi! I wonder what the best practices for optimized switchovers would be? I mean fast comprehension of failed BGP connections? A fibre cut or something like that, how can I be sure, that my routers are detecting the failed session as soon as possible? What would be the best practices fpr that? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] optimized switchover
Hello David, great tip. Unfortunatly BFD for BGP - though detailed documented - has no examples flying around. Perhaps I am missing something here. I have two routers connected via iBGP. I have tried to make the configuration rather simple (only the important parts, BGP session is up and running): This is the same on both sides (change in the IP-addresses of course) protocols bgp { group internal { type internal; neighbor 91.190.xxx.xxx { local-address 91.190.xxx.xxx; bfd-liveness-detection { minimum-interval 1000; multiplier 3; } } } Router A: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Init 3.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Session down time 00:00:04 Local diagnostic CtlExpire, remote diagnostic None Remote state Down, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 1.000, min RX interval 1.000, multiplier 3 Local discriminator 1, remote discriminator 1 Echo mode disabled/inactive, no-absorb, no-refresh, update-adj Multi-hop, min-recv-TTL 0, route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps Router B: show bfd session extensive Detect Transmit Address State Interface Time Interval Multiplier 91.190.xxx.xxx Down 0.000 1.000 3 Client BGP, TX interval 1.000, RX interval 1.000 Local diagnostic None, remote diagnostic None Remote state AdminDown, version 1 Min async interval 1.000, min slow interval 1.000 Adaptive async TX interval 1.000, RX interval 1.000 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3 Remote min TX interval 0.000, min RX interval 0.000, multiplier 0 Local discriminator 1, remote discriminator 0 Echo mode disabled/inactive, no-absorb, no-refresh Multi-hop route table 0, local-address 91.190.xxx.xxx 1 sessions, 1 clients Cumulative transmit rate 1.0 pps, cumulative receive rate 0.0 pps I see the diagnostic on router A but do not understand it. I thought the minimum-interval might be too low, so I set it up to a thousand. Regards, Matthias David Ball schrieb: There are likely several answers to that, all dependant on your topology and protocol use. But, a good place to start would be BFD (bidirectional forwarding detection). Juniper has decent support for it working with other protocols (OSPF, ISIS, BGP, RIP), notifying them that something may be wrong, allowing them to then make a decision (support may differ from protocol to protocol). That may be a good start point. http://www.juniper.net/techpubs/software/junos/junos95/swconfig-routing/swconfig-routing-IX.html#B David B 2009/9/6 Matthias Gelbhardt : Hi! I wonder what the best practices for optimized switchovers would be? I mean fast comprehension of failed BGP connections? A fibre cut or something like that, how can I be sure, that my routers are detecting the failed session as soon as possible? What would be the best practices fpr that? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] optimized switchover
Hi! I wonder what the best practices for optimized switchovers would be? I mean fast comprehension of failed BGP connections? A fibre cut or something like that, how can I be sure, that my routers are detecting the failed session as soon as possible? What would be the best practices fpr that? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] which memory show commands are important?
Hi! Something that is bothering me for some time now. What do the several memory statistics say, i.e. which are important to see how my box does? Which values are important to look at? You can give the memory for show chassis routing-engine / show task memory / and on the shell top. On a box, right here, they all give vastly different values for the amount of used and free memory. Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] BGP session is not coming up
Hi! I get an error message: Jul 22 14:53:48.164226 BGP RECV Notification code 2 (Open Message Error) subcode 5 (authentication failure) And I think that explains itself. I have reconfigured the box so many times now, that I am certain, that the problem is not on our side. The MD5 key is the one, we have agreed upon. On the other side is a provider, so we are unable to get a hold on the remote side. Regards, Matthias Am 22.07.2009 um 09:32 schrieb Hendrik Kahmann: Hello Matthias, the log tells me, that there is a missing md5 key for this connection. In your config this part is "inactive". Maybe you should compare the eBGP-Config on both machines to check if md5 authentication is needed on one side. Why did you deactivate the authentication key in here? Did you specifiy your local AS in the config? Kind regards from Oldenburg, Hendrik -Ursprüngliche Nachricht- Von: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] Im Auftrag von Matthias Gelbhardt Gesendet: Mittwoch, 22. Juli 2009 08:56 An: juniper-nsp Betreff: [j-nsp] BGP session is not coming up Hi! We have a problem with a BGP session. The session is not coming up, and I dont know why. It is a eBGP session: Log: Jul 22 08:30:08 muenster /kernel: tcp_auth_ok: Packet from x.x.x.x: 179 missing MD5 digest tracelog: Jul 22 08:50:16.426122 bgp_connect_complete: error connecting to x.x.x.x (External AS x): Socket is not connected tcpdump; 08:49:07.632649 Out IP x.x.x.x.60582 > x.x.x.x.179: S 594093001:594093001(0) win 16384 config: group external { type external; neighbor xx { description uplink_; local-address xx; import import_bgp_; inactive: authentication-key "$9$u-xxx"; ## SECRET-DATA export [ export_prepend export_bgp_external ]; peer-as xx; } } Any ideas? Leaving the MD5 does not work, I even have restartet the routing process with no luck. Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] BGP session is not coming up
Hi! After deleting the local-address (and testing with multihop) I get Jul 22 09:13:41.322465 advertising receiving-speaker only capabilty to neighbor x.x.x.x (External AS xx) Jul 22 09:13:41.323342 bgp_send: sending 59 bytes to x.x.x.x (External AS xx) Jul 22 09:13:41.323954 Jul 22 09:13:41.323954 BGP SEND x.x.x.x+52277 -> x.x.x.x+179 Jul 22 09:13:41.325172 BGP SEND message type 1 (Open) length 59 Jul 22 09:13:41.327835 Jul 22 09:13:41.327835 BGP RECV x.x.x.x+179 -> x.x.x.x+52277 Jul 22 09:13:41.329110 BGP RECV message type 1 (Open) length 29 Jul 22 09:13:41.329866 Jul 22 09:13:41.329866 BGP RECV x.x.x.x+179 -> x.x.x.x+52277 Jul 22 09:13:41.331374 BGP RECV message type 3 (Notification) length 21 The strange thing: That has stopped working out of the blue. As this is a provider, we are unable to get the other side. Matthias Am 22.07.2009 um 09:04 schrieb Muhammad Aamir: Dear matthias, Have u tried this with "multihop", Because you have used local- address in your ebgp config. If local address is your loopback interface then you need to configure multihop. Also please share the remote end config as well if possible. Regards. Aamir On Wed, Jul 22, 2009 at 12:55 PM, Matthias Gelbhardt > wrote: Hi! We have a problem with a BGP session. The session is not coming up, and I dont know why. It is a eBGP session: Log: Jul 22 08:30:08 muenster /kernel: tcp_auth_ok: Packet from x.x.x.x: 179 missing MD5 digest tracelog: Jul 22 08:50:16.426122 bgp_connect_complete: error connecting to x.x.x.x (External AS x): Socket is not connected tcpdump; 08:49:07.632649 Out IP x.x.x.x.60582 > x.x.x.x.179: S 594093001:594093001(0) win 16384 0,nop,nop,timestamp[|tcp]> config: group external { type external; neighbor xx { description uplink_; local-address xx; import import_bgp_; inactive: authentication-key "$9$u-xxx"; ## SECRET-DATA export [ export_prepend export_bgp_external ]; peer-as xx; } } Any ideas? Leaving the MD5 does not work, I even have restartet the routing process with no luck. Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] BGP session is not coming up
Hi! We have a problem with a BGP session. The session is not coming up, and I dont know why. It is a eBGP session: Log: Jul 22 08:30:08 muenster /kernel: tcp_auth_ok: Packet from x.x.x.x: 179 missing MD5 digest tracelog: Jul 22 08:50:16.426122 bgp_connect_complete: error connecting to x.x.x.x (External AS x): Socket is not connected tcpdump; 08:49:07.632649 Out IP x.x.x.x.60582 > x.x.x.x.179: S 594093001:594093001(0) win 16384 0,nop,nop,timestamp[|tcp]> config: group external { type external; neighbor xx { description uplink_; local-address xx; import import_bgp_; inactive: authentication-key "$9$u-xxx"; ## SECRET-DATA export [ export_prepend export_bgp_external ]; peer-as xx; } } Any ideas? Leaving the MD5 does not work, I even have restartet the routing process with no luck. Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] compatible compact flash J6350
Hi! As the recommended compact flash cards are nearly impossible to get in Germany, I would like to know, if you have some other tips for compatible CF cards? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] braodcast domain between two ports
Hi! We would like to achieve the following. At the moment we get an uplink over one VLAN tagged port, where also other communication flows. We are now getting another uplink, which will be a point to point connection, which should be in the same VLAN as the first uplink as we need a broadcast domain to enable a fully meshed bgp network. At the moment the initial uplink goes through a switch, so it would be a solution to connect the second uplink to it. But then we have a single point of failure. I would like to have the second uplink connected to physical ports on our routers and let them switch in the same VLAN over two ports. How can I achieve that? Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] IPv6 best practice
Hi! Perhaps the great advantage we have, is that our network is rather small at the moment. So this might be the perfect time to start the use of IPv6 apart from starting to using it right from the beginning. In the meantime I have run a few tests, and it seems to be very easy to set up a parallel IPv6 network. Anyway, we are just starting to understand the concepts, so apologize for any "dumb questions" I have. But here is another one: I read about, that several tunnel techniques do not work in juniper. Is it today possible, to give a customer only IPv6 access (for example a FTTH link), to let him access the whole internet? Are there any conversions available on Juniper, that can do that? Maybe I first should get our prefix announced, before getting to the complex questions ;) Regards, Matthias Am 26.05.2009 um 07:17 schrieb Truman Boyes: Hi, Congrats! If you have MPLS in your backbone, you can continue to use IPv4 as the transport for your MPLS signaling. With this approach you can run 6VPE and build a VPN for your inet6 traffic. This is a common approach for "getting things going". All v6 stuff just rides across MPLS and your core doesn't know the difference. If you plan to carry inet6 routes in a non-ipvpn topology, you can get your core "dual stack"; if you run OSPFv2 today you will need to consider OSPFv3 or ISIS to carry IPv6 in your IGP. You can have all your ipv4 configuration coexist with ipv6. You can also use logical routers / virtual routers / etc, if you want separation at that level. Kind regards, Truman On 25/05/2009, at 10:32 PM, Matthias Gelbhardt wrote: Hi! Today we received our IPv6 prefix from RIPE. There are many projects in the pipeline, so we would like to enable our network with IPv6 and would like to start new projects with default deployment in IPv6. What would be the best practice to bring our backbone to IPv6? Would one use a virtual router for this? Or is it doable to configure IPv6 in parallel to my other configuration? Do I have special memory requirements for a virtual router, like a VM on VMware? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] IPv6 best practice
Hi! Today we received our IPv6 prefix from RIPE. There are many projects in the pipeline, so we would like to enable our network with IPv6 and would like to start new projects with default deployment in IPv6. What would be the best practice to bring our backbone to IPv6? Would one use a virtual router for this? Or is it doable to configure IPv6 in parallel to my other configuration? Do I have special memory requirements for a virtual router, like a VM on VMware? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DOS attack?
Hi! I may open a JTAC case, when I understand for which problem I should open one. The following has happened: The system (J6350) is running under 9.3R2.8, so we decided to update to 9.4R2.8. That was a desaster, and I hope you can help also in this matter. After upgrading the systems, both thought they are VRRP master. The problem is obvious, two sstems thinking to be the same appliance. Was there a change in VRRP configuration? Because this was not working, we made a rollback. Now we have the same memory problems again. Starting the shell, bam Low memory, show bgp summary, los memory. Each event has consequences: disabling a BGP session. The system has 1 GB of DRAM. What are the memory intensive processes? The BGP sessions? We have a J6350 at the AMS-IX where are a lot more BGP sessions. The VRRP processes? The rpd process has a significant higher memory consumption than on the AMS-IX router for example. Before opening a JTAC ticket, you may be saying "get 1 GB of memory, your problems will disappear". Regards, Matthias Am 17.05.2009 um 14:54 schrieb Richard A Steenbergen: On Sun, May 17, 2009 at 02:19:56AM -0700, Robert Raszuk wrote: Hi Matthias, I wonder now, which is the event, that triggered this behavious? The numer of ssh-logins at that time or this zbexpected EOF? I would with good deal of assurance conclude that the cause were ssh-login attack which apparently starved the poor box to it's memory limits. When even your kernel spins a panic message on the low of memory due to such attack control plane can exhibit quite unexpected behavior. In my opinion end-of-frame BGP message is just a consequence of this. The advice would be to: * open a case with jtac to find out why subsequent ssh-logins cause a memory leak * reduce to very max rate-limiting for the ssh logins It's probably more likely that the box was always getting floods of SSH connection attempts (because thats what happens to anything you leave on the Internet with port 22 open), and the low memory condition was coincidental or 99% caused by something else. The openssh people would be shitting bricks if there was actually a memory leak from multiple connection attempts. Filter thy lo0 (*), but my money is on a leak somewhere else (or someone running a 256mb RE :P). (*) I always found it weird that JUNOS lacks a software filter for access to things like SSH, like a line vty access-class on Crisco. Obviously a proper lo0 firewall filter is "better", but there have been a few occasions where this has been problematic over the years (logical-routers pre-firewall split where the integration with policy was tricky, EX for the first year of its life where lo0 filters didn't work, etc). Something as simple as a prefix-list dumping to hosts.allow would probably be sufficient. Also being able to change the listen port to something other than 22 might help the people who for whatever reason aren't able to do a strict IP based filter (simple option under system services ssh to pass to sshd). -- Richard A Steenbergenhttp://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] DOS attack?
Hi! Last night we had a mysterious behaviour on our router. On a BGP connection with Cogent we received an unexpected EOF. There were also a great number of SSH logins (we do not have FW rules in place, but we have a rate limit, Shortly after the router complained about low memory and a few BGP sessions drop down (oviosly the one, which are memory exhausting), I wonder now, which is the event, that triggered this behavious? The numer of ssh-logins at that time or this zbexpected EOF? The log of that time: May 17 04:29:24 emsdetten1 inetd[4291]: ssh from 82.165.235.170 exceeded counts/min (limit 10/min) May 17 04:29:25 emsdetten1 last message repeated 7 times May 17 04:29:36 emsdetten1 rpd[4303]: bgp_listen_accept: Connection attempt from unconfigured neighbor: 91.190.xxx.xxx+40432 May 17 04:29:52 emsdetten1 rpd[4303]: bgp_recv: peer 149.6.xxx.xxx (External AS 174): received unexpected EOF May 17 04:30:06 emsdetten1 rpd[4303]: bgp_listen_accept: Connection attempt from unconfigured neighbor: 91.190.xxx.xxx+43119 May 17 04:31:00 emsdetten1 /kernel: KERNEL_MEMORY_CRITICAL: System low on free memory, notifying init (#2). May 17 04:31:00 emsdetten1 cron[49326]: (root) CMD (adjkerntz -a) May 17 04:31:01 emsdetten1 rpd[4303]: Received low-memory signal: BGP Write active, 422 free pages May 17 04:31:01 emsdetten1 rpd[4303]: Processing low memory signal May 17 04:31:14 emsdetten1 rpd[4303]: bgp_listen_accept: Connection attempt from unconfigured neighbor: 193.108.xxx.xxx+52139 May 17 04:31:34 emsdetten1 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for 91.190.xxx.xxx from 00:00:1a:19:c1:0f to 00:00:1a: 19:c1:10 May 17 04:31:34 emsdetten1 sshd[49329]: Failed password for root from 82.165.235.170 port 56403 ssh2 May 17 04:31:34 emsdetten1 inetd[4291]: /usr/sbin/sshd[49329]: exited, status 255 May 17 04:31:35 emsdetten1 sshd[49331]: Failed password for root from 82.165.235.170 port 47707 ssh2 May 17 04:31:35 emsdetten1 inetd[4291]: /usr/sbin/sshd[49331]: exited, status 255 May 17 04:31:36 emsdetten1 sshd[49337]: Failed password for root from 82.165.235.170 port 57612 ssh2 May 17 04:31:36 emsdetten1 inetd[4291]: /usr/sbin/sshd[49337]: exited, status 255 May 17 04:31:36 emsdetten1 sshd[49339]: Failed password for root from 82.165.235.170 port 49046 ssh2 May 17 04:31:36 emsdetten1 rpd[4303]: bgp_listen_accept: Connection attempt from unconfigured neighbor: 91.190.xxx.xxx+47675 May 17 04:31:36 emsdetten1 inetd[4291]: /usr/sbin/sshd[49339]: exited, status 255 May 17 04:31:38 emsdetten1 sshd[49335]: Failed password for root from 82.165.235.170 port 38441 ssh2 May 17 04:31:38 emsdetten1 inetd[4291]: /usr/sbin/sshd[49335]: exited, status 255 May 17 04:31:39 emsdetten1 sshd[49330]: Failed password for root from 82.165.235.170 port 37700 ssh2 May 17 04:31:39 emsdetten1 inetd[4291]: /usr/sbin/sshd[49330]: exited, status 255 May 17 04:31:39 emsdetten1 sshd[49345]: Failed password for root from 82.165.235.170 port 40019 ssh2 May 17 04:31:39 emsdetten1 inetd[4291]: ssh from 82.165.235.170 exceeded counts/min (limit 10/min) May 17 04:31:40 emsdetten1 sshd[49343]: Failed password for root from 82.165.235.170 port 49411 ssh2 May 17 04:31:40 emsdetten1 inetd[4291]: /usr/sbin/sshd[49345]: exited, status 255 May 17 04:31:40 emsdetten1 inetd[4291]: ssh from 82.165.235.170 exceeded counts/min (limit 10/min) May 17 04:31:41 emsdetten1 sshd[49341]: Failed password for root from 82.165.235.170 port 57987 ssh2 May 17 04:31:41 emsdetten1 inetd[4291]: /usr/sbin/sshd[49341]: exited, status 255 May 17 04:31:41 emsdetten1 inetd[4291]: ssh from 82.165.235.170 exceeded counts/min (limit 10/min) May 17 04:31:41 emsdetten1 sshd[49347]: Failed password for root from 82.165.235.170 port 60041 ssh2 May 17 04:31:41 emsdetten1 inetd[4291]: /usr/sbin/sshd[49343]: exited, status 255 May 17 04:31:41 emsdetten1 inetd[4291]: /usr/sbin/sshd[49347]: exited, status 255 May 17 04:31:41 emsdetten1 inetd[4291]: ssh from 82.165.235.170 exceeded counts/min (limit 10/min) May 17 04:31:41 emsdetten1 last message repeated 6 times May 17 04:31:43 emsdetten1 rpd[4303]: bgp_listen_accept: Connection attempt from unconfigured neighbor: 193.108.xxx.xxx+49573 May 17 04:31:47 emsdetten1 inetd[4291]: ssh from 82.165.235.170 exceeded counts/min (limit 10/min) May 17 04:31:51 emsdetten1 sshd[49349]: Failed password for root from 218.26.118.106 port 49903 ssh2 May 17 04:31:52 emsdetten1 inetd[4291]: /usr/sbin/sshd[49349]: exited, status 255 May 17 04:31:52 emsdetten1 sshd[49351]: Failed password for root from 218.26.118.106 port 49931 ssh2 May 17 04:31:52 emsdetten1 inetd[4291]: /usr/sbin/sshd[49351]: exited, status 255 May 17 04:31:53 emsdetten1 inetd[4291]: ssh from 82.165.235.170 exceeded counts/min (limit 10/min) May 17 04:31:53 emsdetten1 last message repeated 2 times May 17 04:31:53 emsdetten1 rpd[4303]: Received low-memor
[j-nsp] M7i as LNS
Hi! At the moment I am trying to get a M7i as LNS working to terminate DSL lines. At the moment it seems, that the tunnel is trying to build, but could not be established, due to a dead tunnel 6 pic. I understand, that I have one of these, but do I have to switch it alive somehow? the logs: Apr 2 12:59:55 jnp_l2tp_fsm_tr_wait: New packet from 213.148.133.62:1701: 139 bytes Apr 2 12:59:55 jnp_l2tp_avp_decode_message_type: Message Type SCCRQ (1) Apr 2 12:59:55 jnp_l2tp_avp_decode_protocol_version: Protocol Version 1.0 Apr 2 12:59:55 jnp_l2tp_avp_decode_firmware_revision: Firmware Revision 0x1130 Apr 2 12:59:55 jnp_l2tp_avp_decode_host_name: Host Name: QSC_DLR2 Apr 2 12:59:55 jnp_l2tp_avp_decode_vendor_name: Vendor Name: Cisco Systems, Inc. Apr 2 12:59:55 jnp_l2tp_avp_decode_receive_window_size: Limiting receive window size to configured maximum: 32 vs requested 20050 Apr 2 12:59:55 jnp_l2tp_avp_decode_receive_window_size: Receive Window Size 32 Apr 2 12:59:55 jnp_l2tp_avp_decode_challenge: Challenge: Apr 2 12:59:55 : 13cd 6460 e212 e119 d19f ff42 c428 507e ..d`...B.(P~ Apr 2 12:59:55 jnp_l2tp_avp_decode_assigned_tunnel_id: Assigned Tunnel ID 15766 Apr 2 12:59:55 jnp_l2tp_avp_decode_framing_capabilities: Framing Capabilities 0x Apr 2 12:59:55 jnp_l2tp_avp_decode_bearer_capabilities: Bearer Capabilities 0x Apr 2 12:59:55 jnp_l2tp_decode_packet: Unrecognized AVP: vendor_id=9, attribute_type=110, reserved_set=0, mandatory=0 Apr 2 12:59:55 jnp_l2tp_tunnel_id_alloc: Allocated Tunnel ID 41230 Apr 2 12:59:55 Tnl 41230 L2TP: I tunnel from QSC_DLR2 213.148.133.62:1701 local x.x.x.x:1701 Apr 2 12:59:55 Tnl 41230 L2TP: tunnel_info max_sessions_per_tunnel = 0 local_chap = 0, lcp_renegotiaton = 0, auth_order LOCAL Apr 2 12:59:55 Tnl 41230 L2TP: I tunnel pic 6 not alive Apr 2 12:59:55 jnp_l2tp_fsm_cc_responder_reject_new: New control connection establishment rejected Apr 2 12:59:55 Tnl 41230 L2TP: Open failed Apr 2 12:59:55 Tnl 41230 L2TP: result 4 error 0) Apr 2 12:59:55 jnp_l2tp_tunnel_terminated: Cancel hello timer for 41230 Apr 2 12:59:55 jnp_l2tp_tunnel_terminated: cancel no session timer for 41230 Apr 2 12:59:55 jnp_l2tp_fsm_tr_wait: Freeing tunnel 41230 Apr 2 12:59:55 jnp_l2tp_fsm_tr_wait: Cancel all timers for 41230 Apr 2 12:59:59 jnp_l2tp_fsm_tr_wait: New packet from 213.148.133.62:1701: 66 bytes Apr 2 12:59:59 jnp_l2tp_avp_decode_message_type: Message Type StopCCN (4) Apr 2 12:59:59 jnp_l2tp_avp_decode_result_code: Result Code `General error - A generic vendor-specific error occurred in the LAC' (2 6) Apr 2 12:59:59 jnp_l2tp_avp_decode_result_code: Error Message: Too many retransmits Apr 2 12:59:59 jnp_l2tp_decode_packet: Unrecognized AVP: vendor_id=9, attribute_type=105, reserved_set=0, mandatory=0 Apr 2 12:59:59 jnp_l2tp_avp_decode_assigned_tunnel_id: Assigned Tunnel ID 15766 Apr 2 13:00:03 jnp_l2tp_fsm_tr_wait: New packet from 213.148.133.62:1701: 66 bytes Apr 2 13:00:03 jnp_l2tp_avp_decode_message_type: Message Type StopCCN (4) Apr 2 13:00:03 jnp_l2tp_avp_decode_result_code: Result Code `General error - A generic vendor-specific error occurred in the LAC' (2 6) Apr 2 13:00:03 jnp_l2tp_avp_decode_result_code: Error Message: Too many retransmits Apr 2 13:00:03 jnp_l2tp_decode_packet: Unrecognized AVP: vendor_id=9, attribute_type=105, reserved_set=0, mandatory=0 Apr 2 13:00:03 jnp_l2tp_avp_decode_assigned_tunnel_id: Assigned Tunnel ID 15766 the config: sp-1/2/0 { unit 0 { family inet; } unit 1 { dial-options { l2tp-interface-id lns; dedicated; } family inet; } unit 2 { dial-options { l2tp-interface-id lns; dedicated; } family inet; } } lo0 { unit 0 { family inet { address x.x.x.x; } } } ccess { profile lns_tunnel { authentication-order password; client QSC_DLR2 { l2tp { interface-id lns; ppp-authentication chap; shared-secret "xxx"; ## SECRET-DATA ppp-profile lns_user; } } } profile lns_user { client "gelbha...@dsl.dlrz.net" { # hier kann ich mich nicht entscheiden chap-secret "xx"; ## SECRET-DATA pap-password "xx"; ## SECRET-DATA ppp { idle-timeout 0; primary-dns x.x.x.x; framed-ip-address x.x.x.x; } } } } services { l2tp { tunnel-group lns { l2tp-access-profile lns_tunnel; ppp-access-profile lns_user; local-gateway { address x.x.x.x; # <- lo0 Adresse } service-interface sp-1/2/0; } } } ___
Re: [j-nsp] traffic accounting
Yes, minimum I need is source - target IP address and bytes. Regards, Matthias Am 10.03.2009 um 16:38 schrieb Patrik Olsson: Hello! When it comes to "real" flow data (v5 and v8), they will be free from JUNOS 9.5 for J series, i.e. you dont need a JFlow license. Other ways to get flowdata out of the box I dont know of. Just accounting data as packets and bytes etc passed on a logical interface is of course accessible via SNMP. But on your question it actually sounds like you are looking for "real" flowdata? Cheers Patrik Hi! I am looking for an accounting solution with several J-series. Is there any way to get flows out of the J to write them in a database or something without getting the accounting licence? Someone said to me, that the juniper has build in a similar solution as ciscos ( I remember from my former employee, that we got the accounting data out of the system every five minutes or so). Any ideas? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- //Patrik Webkom http://www.webkom.se +46 (0)709 35 22 99 +46 (0)8 559 26 488 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] traffic accounting
Hi! I am looking for an accounting solution with several J-series. Is there any way to get flows out of the J to write them in a database or something without getting the accounting licence? Someone said to me, that the juniper has build in a similar solution as ciscos ( I remember from my former employee, that we got the accounting data out of the system every five minutes or so). Any ideas? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Update failed on J-Series
Hi! But why. I just saw in the Release notes, that the minimum flash required is 256, maximum ist 512. Regards, Matthias Am 08.03.2009 um 20:40 schrieb Patrik Olsson: Then that is the problem. cheers patrik Matthias Gelbhardt wrote: Hi! Perhaps the problem? The disk is 256 MB Regards, Matthias Am 08.03.2009 um 13:11 schrieb Patrik Olsson: You need to make sure you have the new larger flash to go 9.X. Whats your flashdisk size? Cheers Patrik Matthias Gelbhardt wrote: Hi! Yesterday I tried to upgrade a J-Series from 8.5 to 9.3R2. Shortly after the reboot I got a segmentation fault, every time the forwarding daemon started. When I try to start the daemon manualy, the segmentation fault also occur. A rollback was successfully, to the system runs stable under 8.5 for now. The log: Mar 6 23:50:52 nordhorn2 /kernel: BAD_PAGE_FAULT: pid 4288 (fwdd), uid 0: pc 0x80c0af3 got a write fault at 0x0, x86 fault flags = 0x6 Mar 6 23:50:52 nordhorn2 /kernel: Trapframe Register Dump: Mar 6 23:50:52 nordhorn2 /kernel: eax: ecx: edx: ebx: 000c Mar 6 23:50:52 nordhorn2 /kernel: esp: 4b4b0670ebp: 4b4b0758esi: 4c67198cedi: 4c6bcfa8 Mar 6 23:50:52 nordhorn2 /kernel: eip: 080c0af3eflags: 00013206 Mar 6 23:50:52 nordhorn2 /kernel: cs: 0033ss: 003bds: 4b4b003bes: b003b Mar 6 23:50:52 nordhorn2 /kernel: fs: 4b4b003btrapno: 000cerr: 0006 Mar 6 23:50:52 nordhorn2 /kernel: Page table info for PC address 0x80c0af3: PDE = 0x30440067, PTE = 38491625 Mar 6 23:50:52 nordhorn2 /kernel: Dumping 16 bytes starting at PC address 0x80c0af3: Mar 6 23:50:52 nordhorn2 /kernel: 89 04 8a ff 45 a8 8b 5d 98 81 c6 b0 00 00 00 39 Mar 6 23:50:52 nordhorn2 fwdd[4288]: -- Mar 6 23:50:52 nordhorn2 fwdd[4288]: Segmentation Fault! Mar 6 23:50:52 nordhorn2 fwdd[4288]: Registers: Mar 6 23:50:52 nordhorn2 fwdd[4288]: eip: 0x080c0af3 eflags: 0x00013206trapno: 12 Mar 6 23:50:52 nordhorn2 fwdd[4288]: eax: 0xebx: 0x000cecx: 0xedx: 0x Mar 6 23:50:52 nordhorn2 fwdd[4288]: esi: 0x4c67198cedi: 0x4c6bcfa8esp: 0x4b4b0670ebp: 0x4b4b0758 Mar 6 23:50:52 nordhorn2 fwdd[4288]: cs: 0x0033 ds: 0x4b4b003b es: 0xb003b fs: 0x4b4b003b gs: 0x001b ss: 0x003b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Traceback: Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 0: sp = 0x4b4b0758, pc = 0x828d08b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 1: sp = 0x4b4b0838, pc = 0x828b502 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 2: sp = 0x4b4b08a8, pc = 0x82856ef Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 3: sp = 0x4b4b08e8, pc = 0x8266a07 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 4: sp = 0x4b4b0948, pc = 0x81e1532 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 5: sp = 0x4b4b0998, pc = 0x81e1d08 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 6: sp = 0x4b4b0a38, pc = 0x81df84a Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 7: sp = 0x4b4b0a78, pc = 0x81c615b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 8: sp = 0x4b4b0aa8, pc = 0x81c62a9 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 9: sp = 0x4b4b0ac8, pc = 0x81c313b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 10: sp = 0x4b4b0b08, pc = 0x81c3621 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 11: sp = 0x4b4b0b38, pc = 0x81c5340 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 12: sp = 0x4b4b0b68, pc = 0x804cb60 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 13: sp = 0x4b4b0b70, pc = 0x0 Mar 6 23:50:53 nordhorn2 pfed: SNMP_NS_LOG_INFO: NET-SNMP version 5.3.1 AgentX subagent connected Mar 6 23:50:59 nordhorn2 /kernel: pid 4288 (fwdd), uid 0: exited on signal 11 (core dumped) Mar 6 23:50:59 nordhorn2 /kernel: peer_inputs: soreceive() error 0 Mar 6 23:50:59 nordhorn2 /kernel: pfe_listener_disconnect: conn dropped: listener idx=0, tnpaddr=0x1, reason: socket error Mar 6 23:50:59 nordhorn2 /kernel: pfe_peer_update_mgmt_state: type 10, index 0, old state Online new state Closed mastership 1 Mar 6 23:50:59 nordhorn2 chassisd[4277]: CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 0 offline: Error Mar 6 23:50:59 nordhorn2 chassisd[4277]: CHASSISD_IFDEV_DETACH_FPC: ifdev_detach(0) This error is reproducable under 9.3R2. Finally the chassid is taking down the interfaces. Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- //Patrik Webkom http://www.webkom.se +46 (0)709 35 22 99 +46 (0)8 559 26 488 -- //Patrik Webkom http://www.webkom.se +46 (0)709 35 22 99 +46 (0)8 559 26 488 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Update failed on J-Series
Hi! Perhaps the problem? The disk is 256 MB Regards, Matthias Am 08.03.2009 um 13:11 schrieb Patrik Olsson: You need to make sure you have the new larger flash to go 9.X. Whats your flashdisk size? Cheers Patrik Matthias Gelbhardt wrote: Hi! Yesterday I tried to upgrade a J-Series from 8.5 to 9.3R2. Shortly after the reboot I got a segmentation fault, every time the forwarding daemon started. When I try to start the daemon manualy, the segmentation fault also occur. A rollback was successfully, to the system runs stable under 8.5 for now. The log: Mar 6 23:50:52 nordhorn2 /kernel: BAD_PAGE_FAULT: pid 4288 (fwdd), uid 0: pc 0x80c0af3 got a write fault at 0x0, x86 fault flags = 0x6 Mar 6 23:50:52 nordhorn2 /kernel: Trapframe Register Dump: Mar 6 23:50:52 nordhorn2 /kernel: eax: ecx: edx: ebx: 000c Mar 6 23:50:52 nordhorn2 /kernel: esp: 4b4b0670ebp: 4b4b0758esi: 4c67198cedi: 4c6bcfa8 Mar 6 23:50:52 nordhorn2 /kernel: eip: 080c0af3eflags: 00013206 Mar 6 23:50:52 nordhorn2 /kernel: cs: 0033ss: 003bds: 4b4b003bes: b003b Mar 6 23:50:52 nordhorn2 /kernel: fs: 4b4b003btrapno: 000cerr: 0006 Mar 6 23:50:52 nordhorn2 /kernel: Page table info for PC address 0x80c0af3: PDE = 0x30440067, PTE = 38491625 Mar 6 23:50:52 nordhorn2 /kernel: Dumping 16 bytes starting at PC address 0x80c0af3: Mar 6 23:50:52 nordhorn2 /kernel: 89 04 8a ff 45 a8 8b 5d 98 81 c6 b0 00 00 00 39 Mar 6 23:50:52 nordhorn2 fwdd[4288]: -- Mar 6 23:50:52 nordhorn2 fwdd[4288]: Segmentation Fault! Mar 6 23:50:52 nordhorn2 fwdd[4288]: Registers: Mar 6 23:50:52 nordhorn2 fwdd[4288]: eip: 0x080c0af3 eflags: 0x00013206trapno: 12 Mar 6 23:50:52 nordhorn2 fwdd[4288]: eax: 0xebx: 0x000cecx: 0xedx: 0x Mar 6 23:50:52 nordhorn2 fwdd[4288]: esi: 0x4c67198cedi: 0x4c6bcfa8esp: 0x4b4b0670ebp: 0x4b4b0758 Mar 6 23:50:52 nordhorn2 fwdd[4288]: cs: 0x0033 ds: 0x4b4b003b es: 0xb003b fs: 0x4b4b003b gs: 0x001b ss: 0x003b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Traceback: Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 0: sp = 0x4b4b0758, pc = 0x828d08b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 1: sp = 0x4b4b0838, pc = 0x828b502 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 2: sp = 0x4b4b08a8, pc = 0x82856ef Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 3: sp = 0x4b4b08e8, pc = 0x8266a07 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 4: sp = 0x4b4b0948, pc = 0x81e1532 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 5: sp = 0x4b4b0998, pc = 0x81e1d08 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 6: sp = 0x4b4b0a38, pc = 0x81df84a Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 7: sp = 0x4b4b0a78, pc = 0x81c615b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 8: sp = 0x4b4b0aa8, pc = 0x81c62a9 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 9: sp = 0x4b4b0ac8, pc = 0x81c313b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 10: sp = 0x4b4b0b08, pc = 0x81c3621 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 11: sp = 0x4b4b0b38, pc = 0x81c5340 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 12: sp = 0x4b4b0b68, pc = 0x804cb60 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 13: sp = 0x4b4b0b70, pc = 0x0 Mar 6 23:50:53 nordhorn2 pfed: SNMP_NS_LOG_INFO: NET-SNMP version 5.3.1 AgentX subagent connected Mar 6 23:50:59 nordhorn2 /kernel: pid 4288 (fwdd), uid 0: exited on signal 11 (core dumped) Mar 6 23:50:59 nordhorn2 /kernel: peer_inputs: soreceive() error 0 Mar 6 23:50:59 nordhorn2 /kernel: pfe_listener_disconnect: conn dropped: listener idx=0, tnpaddr=0x1, reason: socket error Mar 6 23:50:59 nordhorn2 /kernel: pfe_peer_update_mgmt_state: type 10, index 0, old state Online new state Closed mastership 1 Mar 6 23:50:59 nordhorn2 chassisd[4277]: CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 0 offline: Error Mar 6 23:50:59 nordhorn2 chassisd[4277]: CHASSISD_IFDEV_DETACH_FPC: ifdev_detach(0) This error is reproducable under 9.3R2. Finally the chassid is taking down the interfaces. Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- //Patrik Webkom http://www.webkom.se +46 (0)709 35 22 99 +46 (0)8 559 26 488 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] New flash card in M7i
Hi! So, i have tried it today. I failed. I had put in a formatted compact flash, and I think that that was my failure, as the boot sequence was stuck on the compact flash medium. So the compact flash must not be formatted, it has to be blank, i.e. no partitions on it? Regards, Matthias Am 03.03.2009 um 16:39 schrieb David Ball: Once installed, your router won't boot from it, since it's blank, so will boot from HD as normal. Then you should be able to issue 'request system snapshot partition' (ie. copy main contents of hard disk to flash drive). From that point on, the CF will be your primary boot medium. Any code upgrades from then on will occur on the CF card, so to back up that code and config in the future, you'd issue 'request system snapshot' to copy them to the HD, which is now your 'alternative' boot medium. David 2009/3/3 Matthias Gelbhardt : Hi! I would like to add a new 1 GB CF card in a M7i. I assume, there is none in that device at the moment: Filesystem Size Used Avail Capacity Mounted on /dev/ad1s1a 217M98M 102M 49% / devfs 1.0K 1.0K 0B 100% /dev devfs 1.0K 1.0K 0B 100% /dev/ /dev/md0 23M23M 0B 100% /packages/mnt/jbase /dev/md1 80M80M 0B 100% /packages/mnt/jkernel-8.5R3.4 /dev/md28.8M 8.8M 0B 100% /packages/mnt/jpfe-M7i-8.5R3.4 /dev/md33.5M 3.5M 0B 100% /packages/mnt/jdocs-8.5R3.4 /dev/md4 28M28M 0B 100% /packages/mnt/jroute-8.5R3.4 /dev/md58.8M 8.8M 0B 100% /packages/mnt/jcrypto-8.5R3.4 /dev/md6 37M37M 0B 100% /packages/mnt/jpfe-common-8.5R3.4 /dev/md7504M 8.0K 463M0% /tmp /dev/md8504M 470K 463M0% /mfs /dev/ad1s1e 24M20K22M0% /config procfs 4.0K 4.0K 0B 100% /proc /dev/ad1s1f 18G 542M16G3% /var So I need one to update to 9.3R2. Do I have to prepare the CF before injecting it into the router? Does it have to be formatted? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Update failed on J-Series
Hi! Yesterday I tried to upgrade a J-Series from 8.5 to 9.3R2. Shortly after the reboot I got a segmentation fault, every time the forwarding daemon started. When I try to start the daemon manualy, the segmentation fault also occur. A rollback was successfully, to the system runs stable under 8.5 for now. The log: Mar 6 23:50:52 nordhorn2 /kernel: BAD_PAGE_FAULT: pid 4288 (fwdd), uid 0: pc 0x80c0af3 got a write fault at 0x0, x86 fault flags = 0x6 Mar 6 23:50:52 nordhorn2 /kernel: Trapframe Register Dump: Mar 6 23:50:52 nordhorn2 /kernel: eax: ecx: edx: ebx: 000c Mar 6 23:50:52 nordhorn2 /kernel: esp: 4b4b0670 ebp: 4b4b0758 esi: 4c67198c edi: 4c6bcfa8 Mar 6 23:50:52 nordhorn2 /kernel: eip: 080c0af3 eflags: 00013206 Mar 6 23:50:52 nordhorn2 /kernel: cs: 0033 ss: 003b ds: 4b4b003b es: b003b Mar 6 23:50:52 nordhorn2 /kernel: fs: 4b4b003b trapno: 000c err: 0006 Mar 6 23:50:52 nordhorn2 /kernel: Page table info for PC address 0x80c0af3: PDE = 0x30440067, PTE = 38491625 Mar 6 23:50:52 nordhorn2 /kernel: Dumping 16 bytes starting at PC address 0x80c0af3: Mar 6 23:50:52 nordhorn2 /kernel: 89 04 8a ff 45 a8 8b 5d 98 81 c6 b0 00 00 00 39 Mar 6 23:50:52 nordhorn2 fwdd[4288]: -- Mar 6 23:50:52 nordhorn2 fwdd[4288]: Segmentation Fault! Mar 6 23:50:52 nordhorn2 fwdd[4288]: Registers: Mar 6 23:50:52 nordhorn2 fwdd[4288]: eip: 0x080c0af3 eflags: 0x00013206trapno: 12 Mar 6 23:50:52 nordhorn2 fwdd[4288]: eax: 0xebx: 0x000cecx: 0xedx: 0x Mar 6 23:50:52 nordhorn2 fwdd[4288]: esi: 0x4c67198cedi: 0x4c6bcfa8esp: 0x4b4b0670ebp: 0x4b4b0758 Mar 6 23:50:52 nordhorn2 fwdd[4288]: cs: 0x0033 ds: 0x4b4b003b es: 0xb003b fs: 0x4b4b003b gs: 0x001b ss: 0x003b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Traceback: Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 0: sp = 0x4b4b0758, pc = 0x828d08b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 1: sp = 0x4b4b0838, pc = 0x828b502 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 2: sp = 0x4b4b08a8, pc = 0x82856ef Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 3: sp = 0x4b4b08e8, pc = 0x8266a07 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 4: sp = 0x4b4b0948, pc = 0x81e1532 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 5: sp = 0x4b4b0998, pc = 0x81e1d08 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 6: sp = 0x4b4b0a38, pc = 0x81df84a Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 7: sp = 0x4b4b0a78, pc = 0x81c615b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 8: sp = 0x4b4b0aa8, pc = 0x81c62a9 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 9: sp = 0x4b4b0ac8, pc = 0x81c313b Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 10: sp = 0x4b4b0b08, pc = 0x81c3621 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 11: sp = 0x4b4b0b38, pc = 0x81c5340 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 12: sp = 0x4b4b0b68, pc = 0x804cb60 Mar 6 23:50:52 nordhorn2 fwdd[4288]: Frame 13: sp = 0x4b4b0b70, pc = 0x0 Mar 6 23:50:53 nordhorn2 pfed: SNMP_NS_LOG_INFO: NET-SNMP version 5.3.1 AgentX subagent connected Mar 6 23:50:59 nordhorn2 /kernel: pid 4288 (fwdd), uid 0: exited on signal 11 (core dumped) Mar 6 23:50:59 nordhorn2 /kernel: peer_inputs: soreceive() error 0 Mar 6 23:50:59 nordhorn2 /kernel: pfe_listener_disconnect: conn dropped: listener idx=0, tnpaddr=0x1, reason: socket error Mar 6 23:50:59 nordhorn2 /kernel: pfe_peer_update_mgmt_state: type 10, index 0, old state Online new state Closed mastership 1 Mar 6 23:50:59 nordhorn2 chassisd[4277]: CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 0 offline: Error Mar 6 23:50:59 nordhorn2 chassisd[4277]: CHASSISD_IFDEV_DETACH_FPC: ifdev_detach(0) This error is reproducable under 9.3R2. Finally the chassid is taking down the interfaces. Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Traffic Information
Hi! I think this is the right topic to ask this. I am on CeBIT tomorrow and I have the mission to get information about Flow accounting. So does anyone know of any companies I could pay a visit there? Have found Wildpackets for example. Any further tips? Regards, Matthias Am 04.03.2009 um 06:59 schrieb Stefan Fouant: On Tue, Mar 3, 2009 at 9:45 PM, Brendan Mannella wrote: Wondering what the best/preferred method of capturing network traffic for analysis is. Using a mirrored port or actually sending the flows directly to a collector. Looking for pros and cons of each approach. Also if you can give me some examples of whats used as a collector. I have been looking at ntop on the open source side and inmon traffic sentinel on the commercial side. The best/preferred method is to use both methods, if you can :) Sending flows directly to a collector definately has it's benefits - it usually scales a lot better and there are many tools out there that provide for excellent statistical analysis using sampling ratios as low as 1/100 or even 1/1000 - however unless your using some of the latest flow collection mechanisms, like Netflow v9 coupled with templates, most flow collection mechanisms are relegated to strictly Layer 3 and Layer 4 data. Often times this provides more than enough data, especially when dealing with your general run of the mill SYN/UDP/ICMP DoS flooding attacks. However, other times Layer 3/4 data just simply doesn't provide enough usable information for the network operator to properly understand what is happening on the network. This is where having a box running tcpdump sitting on a mirrored or span'd port comes in handy. Usually, most operators rely on their flow analysis tools to trigger some type of alert based on statistical analysis of baseline activity to inform them of an anomaly which requires more active investigation. From there, the network operator can run tcpdump or their tool of choice in order to more fully understand the nature of the traffic. The point is there are no golden arrows or singular technology which is going to provide you with what you need, and you are going to want to have a wide variety of tools in your arsenal. In terms of commercial applications for Netflow collection and analysis - if you're only dealing with a small number of flows, something like Netflow Analyzer by Manage Engine or even Orion from Solarwinds would probably do. If you are dealing with a large number of flows throughout your network and need intelligent functions like data de-duplication and factoring of things like the sampling ratio in use on your devices then opt for something like Peakflow X or SP from Arbor. Regards, -- Stefan Fouant Windows XP crashed. I am the Blue Screen of Death. No one hears your screams. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] New flash card in M7i
So what is the reason, that the flash card as primary boot device is now obligatory? Regards, Matthias Am 03.03.2009 um 16:39 schrieb David Ball: Once installed, your router won't boot from it, since it's blank, so will boot from HD as normal. Then you should be able to issue 'request system snapshot partition' (ie. copy main contents of hard disk to flash drive). From that point on, the CF will be your primary boot medium. Any code upgrades from then on will occur on the CF card, so to back up that code and config in the future, you'd issue 'request system snapshot' to copy them to the HD, which is now your 'alternative' boot medium. David 2009/3/3 Matthias Gelbhardt : Hi! I would like to add a new 1 GB CF card in a M7i. I assume, there is none in that device at the moment: Filesystem Size Used Avail Capacity Mounted on /dev/ad1s1a 217M98M 102M 49% / devfs 1.0K 1.0K 0B 100% /dev devfs 1.0K 1.0K 0B 100% /dev/ /dev/md0 23M23M 0B 100% /packages/mnt/jbase /dev/md1 80M80M 0B 100% /packages/mnt/jkernel-8.5R3.4 /dev/md28.8M 8.8M 0B 100% /packages/mnt/jpfe-M7i-8.5R3.4 /dev/md33.5M 3.5M 0B 100% /packages/mnt/jdocs-8.5R3.4 /dev/md4 28M28M 0B 100% /packages/mnt/jroute-8.5R3.4 /dev/md58.8M 8.8M 0B 100% /packages/mnt/jcrypto-8.5R3.4 /dev/md6 37M37M 0B 100% /packages/mnt/jpfe-common-8.5R3.4 /dev/md7504M 8.0K 463M0% /tmp /dev/md8504M 470K 463M0% /mfs /dev/ad1s1e 24M20K22M0% /config procfs 4.0K 4.0K 0B 100% /proc /dev/ad1s1f 18G 542M16G3% /var So I need one to update to 9.3R2. Do I have to prepare the CF before injecting it into the router? Does it have to be formatted? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] New flash card in M7i
Hi! I would like to add a new 1 GB CF card in a M7i. I assume, there is none in that device at the moment: Filesystem Size Used Avail Capacity Mounted on /dev/ad1s1a 217M98M 102M 49% / devfs 1.0K 1.0K 0B 100% /dev devfs 1.0K 1.0K 0B 100% /dev/ /dev/md0 23M23M 0B 100% / packages/mnt/jbase /dev/md1 80M80M 0B 100% / packages/mnt/jkernel-8.5R3.4 /dev/md28.8M 8.8M 0B 100% / packages/mnt/jpfe-M7i-8.5R3.4 /dev/md33.5M 3.5M 0B 100% / packages/mnt/jdocs-8.5R3.4 /dev/md4 28M28M 0B 100% / packages/mnt/jroute-8.5R3.4 /dev/md58.8M 8.8M 0B 100% / packages/mnt/jcrypto-8.5R3.4 /dev/md6 37M37M 0B 100% / packages/mnt/jpfe-common-8.5R3.4 /dev/md7504M 8.0K 463M0% /tmp /dev/md8504M 470K 463M0% /mfs /dev/ad1s1e 24M20K22M0% /config procfs 4.0K 4.0K 0B 100% /proc /dev/ad1s1f 18G 542M16G3% /var So I need one to update to 9.3R2. Do I have to prepare the CF before injecting it into the router? Does it have to be formatted? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] network engineering
Hi! To clarify my problem, I have found another example: www.snom.de Trace from our core: HOST: lyta.local Loss% Snt Last Avg Best Wrst StDev 1. 192.168.6.1 0.0%100.3 0.4 0.3 0.6 0.1 2. ge-00.cr1.ems.dlrz.net0.0%10 20.2 54.9 4.2 371.3 111.4 3. fe-00-508.ms.dlrz.net 0.0%102.2 2.0 1.8 2.6 0.2 4. ulm1ip1-s-5-6-0.versatel.de 0.0%10 29.4 17.3 2.2 89.1 28.1 5. 62.214.108.1410.0%10 155.7 42.5 1.8 155.7 61.7 6. 62.214.108.1530.0%103.7 3.8 3.3 4.3 0.3 7. 10g-8-1.dor002isp006.versate 0.0%103.4 3.7 3.2 4.6 0.5 8. 10g-7-1.fra020isp006.versate 0.0%107.8 9.3 7.5 19.7 3.7 9. ??? 100.0100.0 0.0 0.0 0.0 0.0 10. ??? 100.0100.0 0.0 0.0 0.0 0.0 11. ??? 100.0100.0 0.0 0.0 0.0 0.0 12. w08.rzone.de 0.0%10 13.2 13.1 12.3 13.8 0.4 From home-dsl: 1. ??? 100.0100.0 0.0 0.0 0.0 0.0 2. bsn2.mun.qsc.de 0.0%10 319.2 211.2 24.7 320.7 110.3 3. core1.mun.qsc.de 0.0%10 328.4 211.4 23.9 328.4 115.0 4. core4.dus.qsc.de 0.0%10 330.5 219.5 32.2 330.5 111.0 5. core1.dus.qsc.de 0.0%10 365.3 232.1 32.3 365.3 118.6 6. core1.fra.qsc.de 0.0%10 331.2 224.5 33.4 337.7 110.3 7. core2.fra.qsc.de 0.0%10 330.1 237.1 33.5 330.1 113.7 8. atuin.rzone.de0.0%10 324.7 247.3 33.6 324.7 86.4 9. 85.214.1.249 10.0%10 338.5 261.2 183.0 338.5 49.6 10. 81.169.146.6610.0%10 333.0 263.5 177.2 333.0 52.1 11. w08.rzone.de 10.0%10 319.1 255.5 165.3 338.9 60.2 And the trace, that lets me suspect, this has something to to with asymmetric routing: From Telecity 2 in Amsterdam, where the packets use a different carrier to be sent out: 1. ge-1-0.3406.core3.ams1.nl.in 0.0%101.1 1.7 0.7 3.1 0.8 2. tge-2-1.bbr1.fra3.de.inetbon 0.0%108.4 10.2 8.1 20.2 3.6 3. atuin.rzone.de0.0%109.1 9.6 9.1 11.3 0.9 4. 85.214.1.249 0.0%10 10.2 13.4 10.2 30.4 6.2 5. 81.169.146.70 0.0%10 10.2 10.8 10.1 11.2 0.5 6. w08.rzone.de 0.0%10 11.3 11.6 11.2 15.2 1.2 There seems to be a black hole on the way to the target, when I am tracing from the office... I never had experienced something like that on my home-dsl line or when using only one upstream. Regards, Matthias Am 28.02.2009 um 08:42 schrieb Richard A Steenbergen: On Sat, Feb 28, 2009 at 12:21:26AM +0100, Matthias Gelbhardt wrote: Hi! Sorry for bringing this up again, but something bothers me. On several targets the traceroute or mtr is not going through clean, whereas on my home dsl line it is. I thought about, that every target where we have asymmetric routing is behaving like this, but if you say, asymmetric routing is something completely normal, than the reason, why the mtr is not going through clean, has to be something different? In your first example (I don't see any other working vs non-working comparisons of the same path), the dropped hop is a RFC1918 address. In all likelihood someone has a packet filter blocking the RFC1918 sourced return packet from making it back to you, thus breaking your traceroute on this hop. This is a common side effect of uRPF loose filtering, which can also block public exchange points (which use IP blocks that are typically not found in the global routing table), but it could just be some paranoid person with an unnecessary hatred for RFC1918 packets. In practice it is typically a better idea to rate limit these packets rather than block them completely, so as not to disturb traceroute (and thus incite people to send a lot of annoying emails about it). -- Richard A Steenbergenhttp://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] network engineering
Hi! That seens to be not working (From datacenter, from home dsl that works)q: traceroute to amazon.de (87.238.81.130), 30 hops max, 40 byte packets 1 91.190.227.17 (91.190.227.17) 0.160 ms 0.279 ms * 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 www.amazon.de (87.238.81.130) 32.351 ms 32.317 ms 32.283 ms Regards, Matthias Am 28.02.2009 um 02:31 schrieb Ben Steele: Hi, re: www.stern.de It is a miracle your home DSL traceroute actually responds to all hops, the one you see that is timing out is an RFC1918 private address and will normally be filtered by your provider/yourself on your border links, this is intended behavior. re: amazon.de There is a hop before the actual amazon webserver that doesn't respond to icmp/udp traceroute and you are probably just finding different hop lengths from your 2 comparisons there, so still quite normal. What I recommend is you get a utility called tcptraceroute - this will allow you to perform the traceroute on a port you know is open (ie tcp 80) and you will get something like this: server ~ # tcptraceroute amazon.de 80 Selected device eth0, address x.x.x.x, port 58312 for outgoing packets Tracing the path to amazon.de (87.238.81.130) on TCP port 80 (http), 30 hops max Hops 1-6 removed... 7 ge-6-20.car3.SanJose1.Level3.net (4.71.112.85) 189.897 ms 189.846 ms 189.848 ms 8 vlan79.csw2.SanJose1.Level3.net (4.68.18.126) 229.882 ms 231.807 ms 234.861 ms 9 ae-74-74.ebr4.SanJose1.Level3.net (4.69.134.245) 189.781 ms 196.520 ms 198.752 ms 10 ae-2.ebr4.NewYork1.Level3.net (4.69.135.186) 259.765 ms 269.592 ms 257.743 ms 11 ae-64-64.csw1.NewYork1.Level3.net (4.69.134.114) 258.778 ms 268.645 ms 270.720 ms 12 ae-61-61.ebr1.NewYork1.Level3.net (4.69.134.65) 258.779 ms 258.460 ms 258.737 ms 13 ae-41-41.ebr2.London1.Level3.net (4.69.137.65) 337.749 ms 340.710 ms 328.349 ms 14 ae-1-100.ebr1.London1.Level3.net (4.69.132.117) 334.649 ms 340.685 ms 328.743 ms 15 ae-5-5.car1.Dublin1.Level3.net (4.69.136.89) 372.728 ms 372.684 ms 372.727 ms 16 213.242.106.86 372.749 ms 372.125 ms 371.732 ms 17 87.238.85.13 340.757 ms 342.057 ms 341.750 ms 18 www.amazon.de (87.238.81.130) [open] 339.757 ms 340.700 ms 341.700 ms Cheers, Ben On Sat, Feb 28, 2009 at 9:51 AM, Matthias Gelbhardt wrote: Hi! Sorry for bringing this up again, but something bothers me. On several targets the traceroute or mtr is not going through clean, whereas on my home dsl line it is. I thought about, that every target where we have asymmetric routing is behaving like this, but if you say, asymmetric routing is something completely normal, than the reason, why the mtr is not going through clean, has to be something different? For example a trace to www.stern.de (german newspaper) from our datacenter 1. 91.190.227.17 0.0% 50.3 0.6 0.2 1.9 0.7 2. ge-00.cr1.ems.dlrz.net0.0% 5 19.2 23.3 19.2 27.7 3.9 3. ge-00-508.tc2.ams.dlrz.net0.0% 54.6 4.8 4.5 5.5 0.4 4. dus002isp005.versatel.de 0.0% 56.5 6.5 6.2 7.1 0.4 5. 10g-9-3.dor002isp006.versate 0.0% 57.0 6.8 6.6 7.0 0.1 6. 10ge-9-4.dor002isp005.versat 0.0% 57.8 10.7 6.4 26.0 8.6 7. 10g-8-4.hhb002isp005.versate 0.0% 5 16.4 13.3 12.3 16.4 1.7 8. hhb2guj.versatel.de 0.0% 5 12.3 12.7 12.3 13.0 0.3 9. ??? 100.0 50.0 0.0 0.0 0.0 0.0 10. lb-guj-www-04-6.net-hh.guj.d 0.0% 5 12.2 13.0 12.2 13.9 0.6 11. www.stern.de 0.0% 5 12.6 13.0 12.6 13.5 0.4 and from my home dsl line 1. port-87-193-164-97.static.qs 0.0% 50.3 0.3 0.3 0.4 0.1 2. bsn2.mun.qsc.de 0.0% 5 24.5 25.1 24.5 26.6 0.8 3. core1.mun.qsc.de 0.0% 5 25.4 26.0 25.4 26.9 0.6 4. core4.dus.qsc.de 0.0% 5 29.6 29.5 28.6 30.3 0.6 5. core1.dus.qsc.de 0.0% 5 38.5 35.8 28.8 53.6 10.8 6. core2.dus.qsc.de 0.0% 5 31.0 29.2 28.1 31.0 1.2 7. peergw2-hansenet.dus.qsc.de 0.0% 5 29.0 29.1 28.6 30.4 0.7 8. ae0-101.cr02.dus.de.hansenet 0.0% 5 28.1 33.7 28.1 52.4 10.5 9. so-1-0-0-0.cr02.weham.de.han 0.0% 5 35.3 35.3 34.5 36.4 0.8 10. gi0-0-0.er03.asham.de.hansen 0.0% 5 34.6 34.8 33.6 37.7 1.7 11. 62.109.127.1290.0% 5 33.9 35.7 33.9 37.9 1.7 12. 10.200.100.18 0.0% 5 34.5 35.3 34.5 36.6 0.8 13. lb-guj-www-04-4.net-hh.guj.d 0.0% 5 41.5 36.8 35.2 41.5 2.7 14. www.stern.de 0.0% 5 35.4 35.0 34.5 35.4 0.4 Out of the datacenter, there is a hole at position 9. And that is something, we habe rather often: To amaz
Re: [j-nsp] network engineering
Hi! Sorry for bringing this up again, but something bothers me. On several targets the traceroute or mtr is not going through clean, whereas on my home dsl line it is. I thought about, that every target where we have asymmetric routing is behaving like this, but if you say, asymmetric routing is something completely normal, than the reason, why the mtr is not going through clean, has to be something different? For example a trace to www.stern.de (german newspaper) from our datacenter 1. 91.190.227.17 0.0% 50.3 0.6 0.2 1.9 0.7 2. ge-00.cr1.ems.dlrz.net0.0% 5 19.2 23.3 19.2 27.7 3.9 3. ge-00-508.tc2.ams.dlrz.net0.0% 54.6 4.8 4.5 5.5 0.4 4. dus002isp005.versatel.de 0.0% 56.5 6.5 6.2 7.1 0.4 5. 10g-9-3.dor002isp006.versate 0.0% 57.0 6.8 6.6 7.0 0.1 6. 10ge-9-4.dor002isp005.versat 0.0% 57.8 10.7 6.4 26.0 8.6 7. 10g-8-4.hhb002isp005.versate 0.0% 5 16.4 13.3 12.3 16.4 1.7 8. hhb2guj.versatel.de 0.0% 5 12.3 12.7 12.3 13.0 0.3 9. ??? 100.0 50.0 0.0 0.0 0.0 0.0 10. lb-guj-www-04-6.net-hh.guj.d 0.0% 5 12.2 13.0 12.2 13.9 0.6 11. www.stern.de 0.0% 5 12.6 13.0 12.6 13.5 0.4 and from my home dsl line 1. port-87-193-164-97.static.qs 0.0% 50.3 0.3 0.3 0.4 0.1 2. bsn2.mun.qsc.de 0.0% 5 24.5 25.1 24.5 26.6 0.8 3. core1.mun.qsc.de 0.0% 5 25.4 26.0 25.4 26.9 0.6 4. core4.dus.qsc.de 0.0% 5 29.6 29.5 28.6 30.3 0.6 5. core1.dus.qsc.de 0.0% 5 38.5 35.8 28.8 53.6 10.8 6. core2.dus.qsc.de 0.0% 5 31.0 29.2 28.1 31.0 1.2 7. peergw2-hansenet.dus.qsc.de 0.0% 5 29.0 29.1 28.6 30.4 0.7 8. ae0-101.cr02.dus.de.hansenet 0.0% 5 28.1 33.7 28.1 52.4 10.5 9. so-1-0-0-0.cr02.weham.de.han 0.0% 5 35.3 35.3 34.5 36.4 0.8 10. gi0-0-0.er03.asham.de.hansen 0.0% 5 34.6 34.8 33.6 37.7 1.7 11. 62.109.127.1290.0% 5 33.9 35.7 33.9 37.9 1.7 12. 10.200.100.18 0.0% 5 34.5 35.3 34.5 36.6 0.8 13. lb-guj-www-04-4.net-hh.guj.d 0.0% 5 41.5 36.8 35.2 41.5 2.7 14. www.stern.de 0.0% 5 35.4 35.0 34.5 35.4 0.4 Out of the datacenter, there is a hole at position 9. And that is something, we habe rather often: To amazon.de from datacenter: 1. 91.190.227.17 0.0% 50.3 0.7 0.3 1.9 0.7 2. ge-00.cr1.ems.dlrz.net0.0% 5 26.9 24.7 21.7 28.8 3.1 3. gi9-47.228.ccr01.dus01.atlas 0.0% 53.9 3.8 3.6 4.0 0.2 4. te7-2.mpd02.fra03.atlas.coge 0.0% 57.5 8.4 7.3 11.9 2.0 5. vl3491.mpd01.fra03.atlas.cog 0.0% 5 18.9 9.5 6.9 18.9 5.2 6. ??? 100.0 50.0 0.0 0.0 0.0 0.0 from dsl: 1. port-87-193-164-97.static.qs 0.0% 50.2 0.4 0.2 0.7 0.2 2. bsn2.mun.qsc.de 0.0% 5 25.6 31.9 24.9 55.0 13.0 3. core1.mun.qsc.de 0.0% 5 25.2 24.8 24.3 25.4 0.5 4. core4.dus.qsc.de 0.0% 5 29.7 31.9 29.5 41.0 5.1 5. core1.dus.qsc.de 0.0% 5 28.4 35.1 28.1 61.5 14.8 6. 212.162.17.1690.0% 5 30.3 28.9 27.9 30.3 0.9 7. ae-32-56.ebr2.Dusseldorf1.Le 0.0% 5 43.9 38.0 33.1 43.9 4.4 8. ae-42.ebr1.Amsterdam1.Level3 0.0% 5 44.8 39.4 32.7 44.8 5.1 9. ae-45-105.ebr2.Amsterdam1.Le 0.0% 5 36.7 36.4 32.2 45.4 5.4 10. ae-2.ebr2.London1.Level3.net 0.0% 5 40.2 43.7 39.7 50.0 4.9 11. ae-1-100.ebr1.London1.Level3 0.0% 5 51.6 49.6 43.1 58.2 6.1 12. ae-5-5.car1.Dublin1.Level3.n 0.0% 5 50.9 53.0 50.8 61.3 4.6 13. ??? 100.0 50.0 0.0 0.0 0.0 0.0 What is happening here? (The fact, that amazon is blocking packets is not the issue. It is, that I am lacking a network, that the packets are going through). At the moment we have 4 transits and a router facing the AMS-IX. At the moment, we have configured our routers rather open. So packets may received on one transit and are send out on another. Regards, Matthias Am 06.02.2009 um 11:29 schrieb Mark Tinka: On Friday 06 February 2009 05:09:30 pm Matthias Gelbhardt wrote: We have asymmetric routing in several cases. I would like to know, how you would deal against that? The moment you're multi-homed to the Internet, asymmetric routing is a fact of life; and it's not really a bad thing. How traffic leaves or enters a network is a function of best path dynamics vs. cost and bandwidth available
[j-nsp] network engineering
Hi! I have a little network engineering question and I would like to know the best practice for that. We have asymmetric routing in several cases. I would like to know, how you would deal against that? Is there a simple way to send the packets out of the same interface, they are received? But on the other hand, many packets are send out by us, and we do not know, where the other side is sending their packets into our network. Is there a way to get an information, on which interface, better on which BGP session the reverse path is coming in? Yes, there are traceroute sites and looking glasses, but not for every network we deal with. The way I see it, the only way is to get the information, on which interface the packets coming in (either by using a tool on the box or by asking the network operator itself) ans then setting a local prefernce to send the packet out of the same interface. Any better ideas? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Update on M7
Hi! I just saw, that my answer from a few days ago did not got to the list... That should clarify the firewall rules, I am talking about: Hi! I assume there hast to be a proven Juniper CF card and I am not been able to use one out of the free market? Maybe I see my problem here. We have a bunch of J6350s and I have upgraded them to 9.2 ES which seems to be not available for the M- Series. I think with ES I have this "forced" security section in the configuration, which has come to the configuration somewhere between 8.5 and 9.2. Regards, Matthias Am 22.01.2009 um 16:05 schrieb David Ball: 1GB of flash requirement is indeed just the Flash memory, so yes, you'd need to upgrade to a 1GB flash. You CAN still run 9.x with less than a gig of flash (discussed and provden previously on this list), but it's not recommended by Juniper, and could make it tough to upgrade code later. As for the firewall rules you alluded to, I'm not sure which ones you're talking about. I don't recall implementing anything special when we went to 9.x. David On 22/01/2009, Matthias Gelbhardt wrote: Hi there, we have a M7i with 756 MB Ram here. At the moment the router has Junos 8.5 on it, but we would like to update it to 9.2. But obviously I need to match some requirements. There is the Flash space which has to be 1 GB of space. Unfortunatly I do not have a compact flash space, but a hard disk. Is the 20 GB of hard disk space also meant by the 1 GB space requirement or do I have to plug in a 1 GB compact flash card? Then I have learnt, that somewhere between 8.5 and 9.2 some firewall rules are needed in the router. Until now I have upgraded the system and then put in the needed commands manually or have used the router config file which does some kind of factory reset. Is there a secure way to enable these rules and also keep the custom configuration, ie. updating the software and have the system configured as router from the firewall side? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Update on M7
Hi there, we have a M7i with 756 MB Ram here. At the moment the router has Junos 8.5 on it, but we would like to update it to 9.2. But obviously I need to match some requirements. There is the Flash space which has to be 1 GB of space. Unfortunatly I do not have a compact flash space, but a hard disk. Is the 20 GB of hard disk space also meant by the 1 GB space requirement or do I have to plug in a 1 GB compact flash card? Then I have learnt, that somewhere between 8.5 and 9.2 some firewall rules are needed in the router. Until now I have upgraded the system and then put in the needed commands manually or have used the router config file which does some kind of factory reset. Is there a secure way to enable these rules and also keep the custom configuration, ie. updating the software and have the system configured as router from the firewall side? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] VPDN equivalent on juniper
Hi! We would like to offer DSL lines to our customers and have a provider of these lines on hand. They use a VPDN over a L2TP tunnel for the DSL lines. I was searching which is the equivalent of VPDN on the juniper side, as there examples are all cisco examples. Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] security features on Junos-ES
Hi! At the moment I am configuring a J6350 for use on the AMS-IX. The router has 9.1 with Enhanced Services installed. I never came across firewall policies before, so I seem to have a bit of a trouble to configure that. I think it is a good idea to have some security to manage the ingoing packets. But should I use this on an internet exchange? Can I disable the whole security concept or just enable it for communication regarding the router (i.e. the ids-features) Ragards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DRAM for M7 / crash of M7
Hi! The reason I wrote is, that we have a M7 with 256 MB DRAM. Yesterday I configured three iBGP sessions and one eBGP session. In total I got around 60 routes from which 26 were active. The receiving and advertising process was finished also the best path determination. After a few minutes I checked back on the router which is located in a datacenter, but I got no reaction from it, also no ping or trace reaction. After a reboot in the morning, I was able to analyse the logs: Aug 25 18:05:56 muenster rpd[4195]: RPD_OS_MEMHIGH: Using 215998 KB of memory, 144 percent of available I think this clearly states, that the 256 MB of memory are not enough. So we are now trying to upgrade it. I am surprised, that 60 routes are obviously too much for this router. Will 786 MB do the trick also for a higher count of routes? Regards, Matthias Am 25.08.2008 um 22:06 schrieb John T. Yocum: Hi Matthias, JuniperClue has a list of modules that people have used, http://juniper.cluepon.net/index.php/Route_Engine_DRAM_Compatibility#RE-5.0_Generic_DRAM --John Matthias Gelbhardt wrote: Hello! What kind of RAM modules can I use for the M7? Do I have to use Juniper RAM or can I use alternate modules? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] DRAM for M7
Hello! What kind of RAM modules can I use for the M7? Do I have to use Juniper RAM or can I use alternate modules? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] bgp-reflextion license
Hello! I have the problem, that we will have 5 sites with eBGP by the end of the year. A fully meshed network will be possible, but perhaps it is now the best time to think about other solutions. Would a route server with quagga be the perfect solution? does anyhone has some experiences about that? Regards, Matthias Am 23.08.2008 um 17:34 schrieb xinyu zeng: Hi Matthias, The BGP RR feature on J series requires a JX-BGP-ADV-LTU license. If you didn't buy something, sure u can't ask support of it. Till now the license is still soft license, which means you can run it but there is warning message for it. No one can be sure when it will become a 'hard' license:) Regards, Zeng, Xinyu On Sat, Aug 23, 2008 at 4:15 AM, Matthias Gelbhardt <[EMAIL PROTECTED]> wrote: Hi! Today I configured the "cluster" statement to enable the route reflection feature of a J6350, as it would solve a problem I have. I would be able to make a full mesh and probably I will do so, but at the moment I am unable to make a direct connection between two sites. So I would like to let the router in the middle advertise the routes to the other site and vice versa. Anyway, the config states now: Warning: requires 'bgp-reflection' license which is a clear warning, that I have to enable this feature due to an additinal license. But obviously the feature worls. License usage: Licenses LicensesLicenses Feature name usedinstalled needed bgp-reflection 10 1 This states also, that I need a license. The question is now, is there a timebomb, that the feature will stop working? Will we lose any support from juniper? Why is this feature working, when I do not have a license code? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] bgp-reflextion license
Hi! Today I configured the "cluster" statement to enable the route reflection feature of a J6350, as it would solve a problem I have. I would be able to make a full mesh and probably I will do so, but at the moment I am unable to make a direct connection between two sites. So I would like to let the router in the middle advertise the routes to the other site and vice versa. Anyway, the config states now: Warning: requires 'bgp-reflection' license which is a clear warning, that I have to enable this feature due to an additinal license. But obviously the feature worls. License usage: Licenses LicensesLicenses Feature name usedinstalled needed bgp-reflection 10 1 This states also, that I need a license. The question is now, is there a timebomb, that the feature will stop working? Will we lose any support from juniper? Why is this feature working, when I do not have a license code? Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] router for IX
I think we will start small and will use a J6350. Then when it will be needed we will upgrade to the advanced license. We will just have a small throughput in the beginning, so a M7i or greater would not be needed in the first place. Matthias Am 20.08.2008 um 08:37 schrieb Mark Tinka: On Tuesday 19 August 2008 16:41:24 Matthias Gelbhardt wrote: Unfortunatly on the other datasheets of the other routers we do not see any information about the maximum number of peers. Is anyone here who can me give an information? I think the next smaller router would be the M7i. I think the number of BGP sessions you can have is subjective, and depends a lot on the environment. I would imagine having more than 90 BGP session if you were receiving no more than a couple of routes from each of the peers. At my previous employer, we once had a C box that carried 99 sessions, most were a couple of hundred to a few thousand routes, with two or three carrying full feeds - and this was with a processor that I can say is not as powerful as the Intel ones running on the J-series today, both being software platforms and all. The M7i would still handle BGP in software, since that's a control plane feature. So it comes down to how many routes you'll be receiving from each of your peers, how optimized your BGP configuration will be, how late the code you'll be running is and how (un)stable those peers are likely to get. Cheers, Mark. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] router for IX
Hi! At the moment it looks like we will be starting small by deploying a J6350 and if we need it, upgrading to an advanced license, which will set the peer maximum to 600. Matthias Am 19.08.2008 um 23:39 schrieb [EMAIL PROTECTED]: It also depends on the usage. For example I've seen M5's doing l3vpns with less than 20 peers crash after a peering bounces. If you are just doing vanilla E-BGP with the IX members you should be fine with the M7i. I'd limit your maximum prefixes where possible though. P Think before you print CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the sender and delete this e-mail from your system. <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 08/19/2008 11:39 AM To <[EMAIL PROTECTED]>, cc Subject Re: [j-nsp] router for IX Hi Matthias I don't know where you could find the limit on the M7i but like you said it's the next smallest router after the Jseries, but it has a big difference which is it's an hardware based router opposed to the Jserie. I have on one of my customer's network some M7i with about 65 peers , 7 external BGP and 58 internal working fine. These router are not connected to he Internet but are exchanging up to 13000 routes with peers. I think that this router will do the job for you but more precisely you will need to have a look of the throughput you would like to have globally on your router (globally the M7i will be about 7Gig of throughput, well in fact you can connect 5 Giga interfaces fully loaded without problem). Hope this help Regards Alain -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] De la part de Matthias Gelbhardt Envoyé : mardi 19 août 2008 10:41 À : juniper-nsp Objet : [j-nsp] router for IX Hello! We would like to connect to an internet connection point (IX). Unfortunatly I have seen in the datasheet of the J-Series, which we use at the moment, that that system can only handle a maximum of 40 bgp peers, which is of course unsufficient, if we will use it to connect to an IX, where we thing to get at least 80 peers. Unfortunatly on the other datasheets of the other routers we do not see any information about the maximum number of peers. Is anyone here who can me give an information? I think the next smaller router would be the M7i. Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] router for IX
Hello! We would like to connect to an internet connection point (IX). Unfortunatly I have seen in the datasheet of the J-Series, which we use at the moment, that that system can only handle a maximum of 40 bgp peers, which is of course unsufficient, if we will use it to connect to an IX, where we thing to get at least 80 peers. Unfortunatly on the other datasheets of the other routers we do not see any information about the maximum number of peers. Is anyone here who can me give an information? I think the next smaller router would be the M7i. Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] redundant scenario
Are there any debug possibilities for IPsec? Am 26.07.2008 um 23:06 schrieb GIULIANO (UOL): Matthias, JUNOS 9.1R2.1 does not need IPSec VPN License. It came as a default feature. There is some configuration example: http://www.wztech.com.br/config/junos-ipsec-config For 2320 and 2350 you add the hardware acceleration module: JXH-HC2-S J2320, J2350 Hardware Crytographic Acceleration Module I think J-4350 and J-6350 will NOT have any problems with IPSec processing. Att, Giuliano Hi! I presume GRE would be less cpu intensive? I think when the link goes down a somewhat slower interconnectivity would be sufficient. At the moment we have 100 Mbit links to the internet on both sides, so it would be great to have that bandwidth also over the tunnel. As far as I know, these are blank boxes, without additional VPN licenses, so I presume IPsec would not be the right decision. But if it is possible to use an IPsec tunnel to build an iBGP session, I will play with it ;) Am 26.07.2008 um 20:49 schrieb GIULIANO (UOL): You can use an IPSec or a GRE Tunnel. IPSec will work just fine for that. Hi Mathias, If your J6350 run JUNOS with enhanced services, you can setup JSRP (Juniper Network Stateful Redudancy Protocol). But I'm not really sure if this is the solution you're looking for. Still a newbie though >.< Regards, Stevanus Matthias Gelbhardt wrote: Hi! I am hoping you can give me some tips for implementing this scenario. I have two locations each with two J6350 routers. The locations are connected via a fiber network with each other. On each location the J's do have at least one eBGP session to different carriers. The boxes speak iBGP over the fiberlink with each other. We have split our PA space, so that we can announce different prefixes on each location. The prefixes which are not originating on one location will be received through iBGP from the originating one. How could I implement a redundant scenario? At first I had thought about getting the other prefixes via eBGP, but that is something, which seams to be no "clean" solution. Furthermore our carriers seam to be not happy with announcing prefixes with our AS in the path back to us. The more clean solution could be establishing a tunnel between the location over the internet and speak iBGP with a low priority over it. Unfortunatly I am a bit lost, which type of tunnel I should use for this scenario, as the J's are unable to implement a L2TP tunnel for example. Would be great to get an idea and help implementing this! Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.138 / Virus Database: 270.5.6/1574 - Release Date: 25/07/2008 16:27 No virus found in this incoming message. Checked by AVG - http://www.avg.comVersion: 8.0.138 / Virus Database: 270.5.6/1574 - Release Date: 25/07/2008 16:27 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] redundant scenario
Hi! I am hoping you can give me some tips for implementing this scenario. I have two locations each with two J6350 routers. The locations are connected via a fiber network with each other. On each location the J's do have at least one eBGP session to different carriers. The boxes speak iBGP over the fiberlink with each other. We have split our PA space, so that we can announce different prefixes on each location. The prefixes which are not originating on one location will be received through iBGP from the originating one. How could I implement a redundant scenario? At first I had thought about getting the other prefixes via eBGP, but that is something, which seams to be no "clean" solution. Furthermore our carriers seam to be not happy with announcing prefixes with our AS in the path back to us. The more clean solution could be establishing a tunnel between the location over the internet and speak iBGP with a low priority over it. Unfortunatly I am a bit lost, which type of tunnel I should use for this scenario, as the J's are unable to implement a L2TP tunnel for example. Would be great to get an idea and help implementing this! Regards, Matthias ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp