Re: [j-nsp] scb RT: Failed prefix delete IPv4 - x.x.x.x/24 (No memory)
Hi Matt,

On Sun, Sep 27, 2009 at 6:34 PM, Matt Yaklin myak...@g4.net wrote:

Hi list,

I am seeing these error messages.

    /kernel: RT_PFE: RT msg op 2 (PREFIX DELETE) failed, err 1 (Unknown)
    scb RT: Failed prefix delete IPv4 - x.x.x.x/24 (No memory)
    scb RT: Failed prefix delete IPv4:0 - x.x.x.x/24 (jt delete failed)

Besides failed prefix deletes, I am also seeing them for prefix adds.

I thought this error message was rather clear cut to what the problem could be. As in the scb was running out of memory. But that does not seem to be the case based on the output below.

This is an old M40 running an older JunOS release. A very old release. 5.7R2.4. (I expect a few chuckles here).

    u...@router show chassis scb
    SCB status:
      Temperature                 26 degrees C / 78 degrees F
      CPU utilization              1 percent
      Interrupt utilization        0 percent
      Heap utilization            28 percent
      Buffer utilization          44 percent
      Total CPU DRAM             128 MB
      Internet Processor I        Version 1, Foundry IBM, Part number 3
      Start time:                 2005-03-22 19:43:37 UTC
      Uptime:                     1650 days, 4 hours, 11 minutes, 5 seconds

    u...@router show chassis routing-engine
    Routing Engine status:
      Temperature                 31 degrees C / 87 degrees F
      DRAM                       512 MB
      Memory utilization          50 percent
      CPU utilization:
        User                       1 percent
        Background                 0 percent
        Kernel                     1 percent
        Interrupt                  0 percent
        Idle                      98 percent
      Model                       RE-1.0
      Start time                  2005-03-22 19:41:26 UTC
      Uptime                      1650 days, 4 hours, 15 minutes, 30 seconds
      Load averages:              1 minute   5 minute  15 minute
                                      0.07       0.06       0.02

But after some reading of old posts to this mailing list I saw this post:

http://puck.nether.net/pipermail/juniper-nsp/2008-October/011550.html

    r...@router start shell pfe network scb

    SCB platform (200/266Mhz PPC 603e processor, 128MB memory, 256KB flash)

    SCB(router vty)# show jtree 0 memory
    Memory Statistics:
        4194304 bytes total (4 banks)
        4194304 bytes used
              0 bytes free
           4064 pages total
           4064 pages used
              0 pages free
             31 max freelist size

    Free Blocks:
       Size(b)   Total(b)     Free    TFree     Alloc
       -------   --------     ----    -----     -----
             8    3102208      153        0    387623
            16    1092048      125        0     68128
            24         48        0        0         2
            32          0        0        0         0
            40          0        0        0         0
            48          0        0        0         0
            56          0        0        0         0
            64          0        0        0         0
            72          0        0        0         0
            80          0        0        0         0
            88          0        0        0         0
            96          0        0        0         0
           104          0        0        0         0
         Total    4194304

So I assume this is where I am out of memory?

This box has been up for a long time and my question is would a reboot allow it to continue to function for many years to come or I being out of memory now will simply happen again right away?

This M40 has served us well over the years. I have a M10 I have been meaning to use to replace this which is a nicer box hardware wise and I am trying to determine if this box is no longer useful on our network.

Thank you for any assistance or advice.

m...@g4.net

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

-- Steven Brenchley - There are 10 types of people in the world those who understand binary and those who don't.
Re: [j-nsp] Bonding multiple L2 Services with OSPF
Does your carrier support aggregate links?

On Tue, Aug 25, 2009 at 7:59 AM, Ben Dale bd...@comlinx.com.au wrote:

Hi all,

I have a couple of J-Series plugged into a VPLS service (so essentially a large layer 2 domain). I have a single subnet containing the WAN interfaces of each router, and I'm running an OSPF in order to distribute the LAN-facing subnets of each box.

At one of my sites, the carrier was unable to deliver a single 1Mbps service, so instead they have delivered 2x 512Kbps circuits. I have assigned each of the interfaces on the attached router an address in the same subnet (which JUNOS warns about, but commits anyway). OSPF establishes on both interfaces, but the LAN subnet is only being learnt by other routers via one of the interfaces (presumably because the Router ID from both advertisements is the same).

Are there any knobs to get around this, or alternatively is there another way to bond the two interfaces (other than advertising half the LAN out each link)? The usual per-packet forwarding ECMP options don't work here, because there aren't two prefixes being learnt by other routers.

Lab config shown:

    ge-0/0/2 {
        description RegionA LAN;
        unit 0 {
            family inet {
                address 192.168.102.254/24;
            }
        }
    }
    ge-0/0/2 {
        description xxx VPLS Link 1;
        unit 0 {
            family inet {
                address 172.16.0.4/24;
            }
        }
    }
    ge-0/0/3 {
        description xxx VPLS Link 2;
        unit 0 {
            family inet {
                address 172.16.0.3/24;
            }
        }
    }
    protocols {
        ospf {
            export export-direct;
            area 0.0.0.0 {
                interface ge-0/0/3.0;
                interface ge-0/0/2.0;
            }
        }
    }
    policy-options {
        policy-statement export-direct {
            from {
                protocol direct;
                route-filter 192.168.0.0/16 prefix-length-range /24-/24;
            }
            then accept;
        }
    }

    bd...@regionb# run show ospf neighbor
    Address          Interface      State     ID            Pri  Dead
    172.16.0.1       ge-0/0/2.0     Full      10.0.0.238    128    36
    172.16.0.2       ge-0/0/2.0     Full      10.0.0.237    128    35
    172.16.0.1       ge-0/0/3.0     Full      10.0.0.238    128    36
    172.16.0.2       ge-0/0/3.0     Full      10.0.0.237    128    35
    ...

    bd...@dcregion show ospf route
    Topology default Route Table:

    Prefix             Path   Route    NH    Metric  NextHop      Nexthop
                       Type   Type     Type          Interface    addr/label
    10.0.0.236         Intra  AS BR    IP         1  ge-0/0/3.0   172.16.0.4
    10.0.0.238         Intra  AS BR    IP         1  ge-0/0/3.0   172.16.0.1
    172.16.0.0/24      Intra  Network  IP         1  ge-0/0/3.0
    192.168.100.0/24   Ext2   Network  IP         0  ge-0/0/3.0   172.16.0.1
    192.168.102.0/24   Ext2   Network  IP         0  ge-0/0/3.0   172.16.0.4

Cheers,
Ben

-- Steven Brenchley - There are 10 types of people in the world those who understand binary and those who don't.
Re: [j-nsp] IPv6 on DPC-X cards
Hi Marlon,

According to the following link it supports IPV6 but not BGP.

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/dpc-mx-series-ethernet-services-features.html

On Tue, Aug 25, 2009 at 12:39 PM, Marlon Duksa mdu...@gmail.com wrote:

Hi - does anyone know if IPv6 is supported on DPC-X version of MX cards?

Thanks,
Marlon

-- Steven Brenchley - There are 10 types of people in the world those who understand binary and those who don't.
[j-nsp] Fwd: AS path loop detection from IBGP peer
Hi Jana,

I think I may have found a better solution. There is another option, which is to pass the iBGP information of your customer transparently across the VPN network. i.e. the routes on the customer side will not see the AS(es) that are used on the VPN network. You can do this by configuring a VRF such that:

    routing-options {
        autonomous-system *customer AS* *independent-domain*;
    }
    protocols {
        bgp {
            group ibgp {
                type *internal*;
                neighbor peer IP;
            }
        }
    }

This will instruct the PE to transport the customer network BGP attributes transparently over the VPN infrastructure. The protocol extension is documented in draft-marques-l3vpn-ibgp-01.

On Thu, Aug 20, 2009 at 1:48 PM, janardhan madabattula janardhan...@gmail.com wrote:

Hi Steve,

This is not working in IBGP case, I mean the command itself is not taking effect. Do you expect this to work in IBGP peers (PEs).?

=

        }
        policy-statement loopback1 {
            from {
                route-filter 6.6.6.6/32 exact;
            }
            then accept;
        }
        policy-statement spoke3-EX {
            from protocol [ static direct bgp ];
            then {
                community add spoke3-comm1;
                accept;
            }
        }
        policy-statement spoke3-IMP {
            from {
                protocol bgp;
                community spoke3-comm2;
            }
            then accept;
        }
        community vpn1-comm members target:1:6500;
        community spoke3-comm1 members target:1:1100;
        community spoke3-comm2 members target:1:1000;
    }
    routing-instances {
        vpn1 {
            instance-type vrf;
            interface ge-0/0/6.1;
            route-distinguisher 1.1.1.4:6500;
            vrf-import vpn1-IMP;
            vrf-export vpn1-EX;
            routing-options {
                rib vpn1.inet6.0 {
                    static {
                        route 210::/64 next-hop 3ffe::21:1;
                    }
                }
            }
            protocols {
                bgp {
                    family inet6 {
                        unicast;
                    }
                    group to-N2X {
                        peer-as 1000;
                        local-as 1;
                        neighbor 200::1;
                    }
                }
            }
        }
        spoke3 {
            instance-type vrf;
            interface ge-0/0/6.2;
            route-distinguisher 1.1.1.4:1100;
            vrf-import spoke3-IMP;
            vrf-export spoke3-EX;
            routing-options {
                rib spoke3.inet6.0 {
                    static {
                        route 155::/64 next-hop 150::1;
                    }
                }
            }
        }
    }
    routing-options {
        autonomous-system loops 2;
    }

    [edit groups MPBN logical-systems jana]
    t...@systest-m320# commit check
    [edit logical-systems jana routing-options]
      'autonomous-system'
        Missing mandatory statement: as_number
    error: configuration check-out failed: (missing mandatory statements)

    [edit groups MPBN logical-systems jana]
    t...@systest-m320# set routing-options autonomous-system loops 2 1

    [edit groups MPBN logical-systems jana]
    t...@systest-m320# commit check
    [edit groups MPBN logical-systems jana protocols bgp group PE1]
      'local-as'
        Invalid loop count configured
    error: configuration check-out failed

    [edit groups MPBN logical-systems jana]
    t...@systest-m320#

==

Thanks,
Janardhan

On Tue, Aug 18, 2009 at 4:45 PM, Steven Brenchley breste...@gmail.com wrote:

I've never set it up with IPV6 and the docs don't say one way or another but I would think it wouldn't make a difference. If this is in a routing instance then you'll need to apply it in the routing instance?

    # set routing-instances vpn routing-options autonomous-system loops 2

On Tue, Aug 18, 2009 at 7:03 PM, janardhan madabattula janardhan...@gmail.com wrote:

Hi,

Does this work in 6VPE environment ? Still, I am seeing the IBGP peer is not installing those routes with its own AS in AS-PATH list.

Thanks,
Jana

On Tue, Aug 18, 2009 at 3:47 PM, Steven Brenchley breste...@gmail.com wrote:

Hi Janardhan,

There is no way to disable AS loop detection but you can make the router accept an AS loop up to 10 times. Use the following command.

    # set routing-options autonomous-system loops 10

On Tue, Aug 18, 2009 at 5:01 PM, janardhan madabattula janardhan...@gmail.com wrote:

Hi,

Is there any way to disable AS path loop detection when it receive route update from IBGP peer.

Thanks,
Janardhan

-- Steven Brenchley - There are 10 types of people in the world those who understand binary and those who don't.

-- Steven Brenchley - There are 10 types of people in the world those who understand
Re: [j-nsp] meaning/cause of syslog messages
Hi Dave,

Are you seeing any issues that correlate with this message or is it more of an annoyance? Two other resources you can also check is to run bug searches and the 'help syslog' command at the CLI. I ran through both and wasn't able to find anything on these messages. I think it's time to open a ticket with jtac.

On Wed, Aug 19, 2009 at 8:32 AM, Dave Kruger dave.kru...@mtnbusiness.co.za wrote:

Hi List

I just want to find out what you use to determine the cause of obscure syslog messages. Is there a juniper equivalent to cisco's error message decoder somewhere on juniper.net that I can't find?

For instance - we have a M120 that barfs about:

    /kernel: if_pfe_peek_peer_info: PFE_MSG_PEER_INFO_CMD_IDL IDR decode failed
    /kernel: pfe_listener_connect: conn established: tnpaddr=0x5

once every minute.

A google search for PFE_MSG_PEER_INFO_CMD_IDL yields nothing, and I also see nothing about PFE_MSG or IDL or IDR on system log message reference for my version

http://www.juniper.net/techpubs/software/junos/junos93/syslog-messages/noframes-expandedTOC.html

Just want to make sure I've pursued all possible avenues before bothering jtac

thanks
Dave

-- Steven Brenchley - There are 10 types of people in the world those who understand binary and those who don't.
Re: [j-nsp] AS path loop detection from IBGP peer
Hi Janardhan,

There is no way to disable AS loop detection but you can make the router accept an AS loop up to 10 times. Use the following command.

    # set routing-options autonomous-system loops 10

On Tue, Aug 18, 2009 at 5:01 PM, janardhan madabattula janardhan...@gmail.com wrote:

Hi,

Is there any way to disable AS path loop detection when it receive route update from IBGP peer.

Thanks,
Janardhan

-- Steven Brenchley - There are 10 types of people in the world those who understand binary and those who don't.
Re: [j-nsp] Juniper (M20) - GRe Tunnel - Cisco(7206)
PR55687 was fixed a long time ago, unless you're running ancient code you should be fine. It was fixed in 7.3 and later codes.

On Sat, Jul 11, 2009 at 5:22 PM, raymondh (NSP) raymondh@gmail.com wrote:

Hi Simon,

Based on your config, I assumed you do have an AS / MS PIC (only the AS or MS PIC supports key). Without those PIC(s) you'll most probably receive /kernel: gre doesn't support key option hence you'll need to remove the key option.

what's your junos version and verify the output of show log messages (most probably you'll get most of your answers from there before enabling any flags in traceoptions).

Out of curiosity, do you have any CoS on the GRE interface on your M20. (If no, then you're fine but if yes, do take a look at PR55687 - For your info.)

--raymondh

on your ios based equipment

On Jul 11, 2009, at 9:05 PM, mas...@nexlinx.net.pk wrote:

You know each packet entering the tunnel is encapsulated with gre key value. each packet exiting the tunnel is verified by the gre tunnel key value and de-encapsulated. the AS pic drops packets that don't match the configured key value.

Since GRE doesn't provide encryption. This is like a simple clear-text password with no encryption. You can enable debug on Cisco box and see if you can catch the key; do the same thing on Juniper box (traceoption is your friend there)

Regards,
Masood

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of simon teh
Sent: Saturday, July 11, 2009 10:55 AM
To: juniper-nsp
Subject: [j-nsp] Juniper (M20) - GRe Tunnel - Cisco(7206)

Hi all,

I have a question over here and have tried to find out the answer from the forum thread, but failed to get the answer. Did anyone experience this type of problem before:

Juniper(M20) GRE tunnel---Cisco(7206)

Juniper Configuration

    show configuration interfaces gr-0/1/0
    unit 0 {
        tunnel {
            source 219.93.2.1;
            destination 219.93.2.2;
            key 123456;
        }
        family inet {
            mtu 1514;
            address 192.168.1.1/30;
        }
    }

Cisco Configuration

    interface Tunnel0
     ip address 192.168.1.2 255.255.255.252
     no ip unreachables
     no ip proxy-arp
     ip mtu 1514
     tunnel source 219.93.2.2
     tunnel destination 219.93.2.1
     tunnel key 123456

The problem I had was if I configured both router WITHOUT the tunnel key, everything looks FINE. However once I include the tunnel key, then both tunnel UNABLE to ping (interface still up, up).

Does anyone has any idea about the tunnel key between Juniper and Cisco. I am confident that other configuration is good, it is the problem with the key. Any suggestion?

Thank you very much.

-- Steven Brenchley - There are 10 types of people in the world those who understand binary and those who don't.
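Added example (not part of the original thread, and not Juniper or Cisco code): a Python sketch of the GRE key field discussed above, showing that the key configured as 123456 travels as a plain 32-bit header value that anyone who can see the packet can read, and how a receiver that compares it with its configured key treats keyed and unkeyed packets. The header layout follows RFC 2784/2890; the strict-match receiver model and the payload bytes are assumptions constructed for illustration.

```python
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # checksum, key, sequence-number present
ETHERTYPE_IPV4 = 0x0800

def build_gre(payload, key=None, proto=ETHERTYPE_IPV4):
    """Prepend a version-0 GRE header; the key, if any, is a cleartext 32-bit field."""
    header = struct.pack("!HH", GRE_K if key is not None else 0, proto)
    if key is not None:
        header += struct.pack("!I", key)
    return header + payload

def parse_gre(packet):
    """Return (key or None, protocol, payload); raise ValueError on a malformed header."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    offset, key = 4, None
    if flags & GRE_C:
        offset += 4                      # checksum + reserved field
    if flags & GRE_K:
        if len(packet) < offset + 4:
            raise ValueError("truncated key field")
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_S:
        offset += 4                      # sequence number
    if len(packet) < offset:
        raise ValueError("truncated optional fields")
    return key, proto, packet[offset:]

def endpoint_accepts(packet, configured_key):
    """Assumed receiver model: decapsulate only if the key field equals the local setting."""
    try:
        key, _, _ = parse_gre(packet)
    except ValueError:
        return False
    return key == configured_key

if __name__ == "__main__":
    inner = b"constructed-inner-packet"          # placeholder payload, not real traffic
    keyed, unkeyed = build_gre(inner, key=123456), build_gre(inner)
    print("on the wire:", keyed[:8].hex())       # flags, protocol, key in the clear
    print("observer reads key:", parse_gre(keyed)[0])
    for name, pkt, cfg in [("both keyed", keyed, 123456), ("wrong key", keyed, 654321),
                           ("peer unkeyed", unkeyed, 123456), ("local unkeyed", keyed, None)]:
        print(f"{name:14s} accepted={endpoint_accepts(pkt, cfg)}")
```

Because the key is only a demultiplexing value carried in the clear, traffic that needs confidentiality or peer authentication has to get it from another layer, such as IPsec over the tunnel.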
Re: [j-nsp] J4300 can not start-up system
Looks to be an issue with the CF. If you have another J-4300/6300 you can take the compact flash and insert it into the front slot then run the following command

    request system snapshot partition as-primary

This will partition and copy junos onto the CF. After that just put it in the original box (in back) and it should boot. If it continues to give you problems try a new CF.

On 9/27/07, nan.li.juniper [EMAIL PROTECTED] wrote:

Hi group,

    Warning:Latest reset caused by 4 sec override(Norm)
    Trying to boot from Primary Compact Flash...
    Trying to boot from Primary Compact Flash (Recovery Partition)...
    Trying to boot from Removable Compact Flash
    Boot Failure: System Halted

I am very confused why I can not start-up system during I power up and long time no responded after this message, This is compact flash card error problem or others ?

Thanks
DD.N

-- Steven Brenchley - There are 10 types of people in the world those who understand binary and those who don't.
Re: [j-nsp] Juniper firewall chain behavior
For Firewall filters there is an implicit discard at the end of the chain; for policies it depends on the protocol, such as BGP has an implicit accept. I don't recall what it is for the other protocols but it's mentioned in the jncia and/or jncis study guides.

On 4/3/07, Richard A Steenbergen [EMAIL PROTECTED] wrote:

On Tue, Apr 03, 2007 at 08:20:40PM -0700, Kevin Oberman wrote:

If any filter in the chain reaches an explicit 'accept' or 'deny', that is the end of the processing for the entire chain. Of course, there is an implicit accept at the end of the chain.

Funny, in normal firewall use there is an implicit discard at the end of the chain. I wouldn't have expected such a major change in behavior, especially if you might ever be expected to mix a filter in a chained and non-chained role. So, to test this out I tried to do the following:

    firewall {
        filter BORDER {
            some generic border-wide filters and rate-limits here;
        }
        filter SAMPLE {
            term SAMPLE {
                then sample;
            }
        }
    }
    interfaces {
        xe-0/1/0 {
            unit 0 {
                family inet {
                    filter {
                        input-list [ BORDER ... ];
                        output-list [ BORDER SAMPLE ... ];
                    }
                }
            }
        }
    }

At first I noticed that it didn't seem to be sampling anything, so I tried to reorder it to [ SAMPLE BORDER ]. In this configuration, it sampled, but never processed BORDER. So for the sake of testing I did this:

    filter SAMPLE {
        term SAMPLE {
            then {
                count sampled;
            }
        }
    }
    filter DISCARD {
        term DISCARD {
            then {
                count discarded;
                discard;
            }
        }
    }

And tried applying it as [ SAMPLE DISCARD ]. The results:

    Filter: xe-0/1/0.50-o
    sample-xe-0/1/0.50-o 143293516958

I get per-interface matches on the counter from my first filter, but the counter for the second filter isn't even created, and no packets are discarded. The only explanation for this would be that then sample and then count act as terminating actions, which would seem exceedingly lame. Combine with the lack of next filter and what is the point? The whole thing becomes about as useful as route-map without continue. :)

--
Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

-- Steven Brenchley - There are 10 types of people in the world those who understand binary and those who don't.
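Added example (not part of the original thread, and not Juniper code): a small Python model of filter-list evaluation for the [ SAMPLE DISCARD ] test described above. It assumes the documented Junos firewall-filter semantics: a matching term that has only action modifiers such as count or sample and no terminating action accepts the packet implicitly, `next term` lets evaluation continue, and a packet that terminates nowhere is discarded. Treating the list as one concatenated sequence of terms, the SSH-ONLY filter and the sample packet are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass
class Term:
    name: str
    match: Optional[Callable[[dict], bool]] = None  # None = no "from", matches every packet
    modifiers: Tuple[str, ...] = ()                 # non-terminating: count, sample, log
    action: Optional[str] = None                    # "accept", "discard" or not configured
    next_term: bool = False                         # flow control: keep evaluating

def evaluate(filter_list, packet):
    """Walk the filters in list order; return (verdict, names of the terms that matched)."""
    trace = []
    for filter_name, terms in filter_list:
        for term in terms:
            if term.match is not None and not term.match(packet):
                continue
            trace.append(f"{filter_name}:{term.name}")
            if term.next_term:
                continue                 # modifiers applied, evaluation goes on
            # A matched term without a terminating action accepts implicitly.
            return (term.action or "accept"), trace
    return "discard", trace              # implicit discard: no term terminated

def sample_filter(with_next_term):
    """The counting-only SAMPLE filter from the thread, with or without 'next term'."""
    term = Term("SAMPLE", modifiers=("count sampled",), next_term=with_next_term)
    return ("SAMPLE", [term])

DISCARD = ("DISCARD", [Term("DISCARD", modifiers=("count discarded",), action="discard")])
# Hypothetical filter used only to show the implicit discard at the end of a list.
SSH_ONLY = ("SSH-ONLY", [Term("SSH", match=lambda p: p["dport"] == 22, action="accept")])
PACKET = {"src": "192.0.2.10", "dport": 80}   # constructed sample packet

if __name__ == "__main__":
    cases = [("[ SAMPLE DISCARD ] as posted", [sample_filter(False), DISCARD]),
             ("[ SAMPLE DISCARD ] with next term", [sample_filter(True), DISCARD]),
             ("[ SSH-ONLY ] no term matches", [SSH_ONLY])]
    for label, chain in cases:
        verdict, trace = evaluate(chain, PACKET)
        print(f"{label:36s} -> {verdict:8s} matched={trace}")
```

In the first case the model never reaches DISCARD, which is consistent with the observation above that the second filter's counter was not incremented and no packets were dropped.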