Friday, 31 October 2014

Need to make a new user's home directory manually on all SRX platforms (including Firefly Perimeter) running with Junos OS release 12.1X47-D10

Alert Type:

PSN - Product Support Notification
 
Product Affected:

All SRX platforms and Firefly Perimeter
 
Alert Description:

Due to an internal build error, if a new user is configured on any of SRX devices (including Firefly Perimeter), which is running with Junos OS 12.1X47-D10. The user's home directory will not be created automatically.



e.g.,

[edit]
root@SRX# set system login user newuser class operator authentication plain-text-password 
New password:
Retype new password:

[edit]
root@SRX# commit and-quit 
commit complete
Exiting configuration mode

root@SRX> file list detail /var/home/ | match newuser    

root@SRX>


If you try to login to the SRX device using the new login username, you can login to the device, but it shows error messages, which cannot change to home directory.
% ssh newuser@172.22.145.106
Password:
--- JUNOS 12.1X47-D10.4 built 2014-08-14 22:48:52 UTC
Could not chdir to home directory /var/home/newuser: No such file or directory
newuser@SRX> 

Solution:
The correction is included in Junos OS 12.1X47-D11 (refer to the download links below), 12.1X47-D15 (scheduled to be released in early December 2014) and above.



Workaround:
  1. After creating a new user on the CLI or J-Web, type "start shell" or "start shell user root" in Junos CLI without double quotes
  2. Create the user's home directory and change the ownership

% mkdir -p /var/home/(username)

% chown -R -P -f (userid or username):20 /var/home/(username)
e.g.,

root@SRX> start shell 
root@SRX% mkdir -p /var/home/newuser
root@SRX% chown -R -P -f newuser:20 /var/home/newuser
root@SRX% ls -al /var/home/newuser
total 8
drwxr-xr-x   2 newuser  20      512 Oct  8 21:47 .
drwxr-xr-x  34 root     wheel  1024 Oct  8 21:47 ..


OR

root@SRX% chown -R -P -f 2009:20 /var/home/newuser
root@SRX% ls -al /var/home/newuser
total 8
drwxr-xr-x   2 newuser  20      512 Oct  8 21:47 .
drwxr-xr-x  34 root     wheel  1024 Oct  8 21:47 ..


NOTE: The userid's of each login name can be verified from the configuration.
e.g.,

[edit]
root@SRX# show system login user newuser 
uid 2009;   <-- LOOK HERE (uid stands for userid)
class operator;
authentication {
    encrypted-password "$1$FyKeeKqo$XKT8V1udIJbT9f4fpw2Yc."; ## SECRET-DATA
}

Friday, 17 October 2014

SRX tcp-proxy resource exhaustion for ALG/IDP/UTM traffic with client/server communication using TCP keepalives

Product Affected:

All SRX platforms
Junos OS 11.4
Junos OS 12.1
Junos OS 12.1X44
Alert Description:
SRX tcp-proxy resources may reach device limits during processing of ALG/IDP/UTM based traffic if client/server communication use TCP keepalive mechanism, resulting in session setup failure for new ALG/IDP/UTM based traffic.

During SRX processing of ALG/IDP/UTM traffic involving TCP keepalives, upon receipt of server to client TCP keepalive, the SRX will send a TCP keepalive response back to the server on behalf of the client via tcp-proxy.  However the received keepalive is not sent to the client, resulting in client establishment of a new session with server upon client not receiving keepalive packets. The SRX session, and associated tcp-proxy resource, is not freed based upon the continued keepalives from server to client being handled by the tcp-proxy.
The process repeats and results in session build up on SRX and exhaustion of available tcp-proxy resources.  

Locate tcp-proxy resource limit
     SRX Datacenter
1) Open Shell connection
     >start shell

2) Elevate to root level access (as needed)
     % su (enter in root password)

3) Locate tcp-proxy resource limit per SPC
     root@srx5800% srx-cprod.sh -s spu -c "show usp nat cp sys" | grep proxy
  usp_max_tcpproxy_connection = 10240
  usp_max_tcpproxy_connection = 10240
  usp_max_tcpproxy_connection = 10240
  usp_max_tcpproxy_connection = 10240


      SRX Branch-Campus
1) Locate deivce tcp-proxy resource limit
   >request pfe execute target fwdd command "show usp nat cp sys" | match proxy
    GOT: usp_max_tcpproxy_connection = 4096

Verify current tcp-proxy resource usage
     SRX Datacenter
1) Open Shell connection
    >start shell

2) Elevate to root level access (as needed)
    % su (enter in root password)

3) Locate current usage of tcp-proxy
    root@srx5800% srx-cprod.sh -s spu -c "show usp jsf tcpstats" | grep "flow_tcb alloc\|Start SPU" | uniq
   ======== Start SPU4.0, fpc4.pic0, spu ========
   flow_tcb alloc cnt : 0000000000 flow_tcb free cnt : 0000000000
   ======== Start SPU4.1, fpc4.pic1, spu ========
   flow_tcb alloc cnt : 0000012487 flow_tcb free cnt : 0000008741
   ======== Start SPU11.0, fpc11.pic0, spu ========
   flow_tcb alloc cnt : 0000011452 flow_tcb free cnt : 0000007930
   ======== Start SPU11.1, fpc11.pic1, spu ========
   flow_tcb alloc cnt : 0000012874 flow_tcb free cnt :
0000009016

4) For each SPC Subtract 'flow_tcb free cnt' from 'flow_tcb alloc cnt'
    fpc4.pic0           0 -      0  =      0  
    fpc4.pic1    12487 - 8741  = 3746 in use
    fpc11.pic0   11452 - 7930  = 3522 in use
    fpc11.pic1   12874 - 9016  = 3858 in use

      SRX Branch-Campus
1) Open Shell connection
  >start shell

2) Elevate to root level access (as needed)
    % su (enter in root password)

3) Locate current usage of tcp-proxy
    root@PN-STL-RTR1% cprod -A fwdd -c show usp jsf tcpstats | grep "flow_tcb alloc" | uniq
  flow_tcb alloc cnt : 0000000015 flow_tcb free cnt :
0000000012

4)Subtract 'flow_tcb free cnt' from 'flow_tcb alloc cnt'
    15 - 12 = 3 in use
Solution:
The following software releases have enhanced SRX handling of tcp-keepalive processing.
    Junos OS 12.1X45
    Junos OS 12.1X46
    Junos OS 12.1X47 and higher versions


SRX enhancement enables tcp-proxy ability to learn TCP keepalive parameters from client and server allowing SRX tcp-proxy to send TCP keepalive to both client and server as well as allowing closing of SRX session and associated tcp-proxy resource upon no response for 16 tcp-proxy keepalives.


WorkAround
Prior to reaching resource limit, close SRX sessions associated with client/server communication using TCP keepalives and freeing SRX tcp-proxy resource.

          SRX Clusters:
               Failover data redundancy groups (RG1+) to peer node
                 (triggers tcp-proxy to send packets to both client/server causing client to issue RST and closing of associated SRX session)

                       >request chassis cluster failover redundancy-group <#> node <#>

                 or

               Manually clear sessions for client/server communication that use tcp-keepalive
                      >clear security flow session source-prefix <x.x.x.x> destination-prefix <y.y.y.y>


          Standalone SRX:
               Manually clear sessions for client/server communication that use tcp-keepalive
                       >clear security flow session source-prefix <x.x.x.x> destination-prefix <y.y.y.y>

Saturday, 4 October 2014

Junos Dates & Milestones

ProductFRS DateEnd of EngineeringEnd of Support
Junos 14.1 06/13/2014 06/13/2016 12/13/2016
Junos 13.31 01/22/2014 01/22/2017 07/22/2017
Junos 13.2 08/29/2013 08/29/2015 02/29/2016
Junos 13.1 03/15/2013 03/15/2015 09/15/2015
Junos 12.3X544 07/18/2014 07/18/2016 01/18/2017
Junos 12.3X524 08/23/2013 08/23/2015 02/23/2016
Junos 12.3X514 03/15/2013 03/15/2015 09/15/2015
Junos 12.31 01/31/2013 01/31/2016 07/31/2016
Junos 12.2 09/05/2012 09/05/2014 03/05/2015
Junos 12.1X472 08/18/2014 08/18/2016 02/18/2017
Junos 12.1X46123 12/30/2013 12/30/2016 06/30/2017
Junos 12.1X452 07/17/2013 07/17/2014 01/17/2015
Junos 12.1X4412 01/18/2013 01/18/2016 07/18/2016
Junos 12.1 03/28/2012 03/28/2014 09/28/2014
Junos 11.41 12/21/2011 12/21/2014 06/21/2015
Junos 11.3 08/15/2011 07/15/2012 03/15/2013
Junos 11.2 08/03/2011 06/15/2012 02/15/2013
Junos 11.1 03/29/2011 11/15/2011 05/15/2012
Junos 10.41 12/08/2010 12/08/2013 06/08/2014
Junos 10.3 08/15/2010 08/03/2011 12/21/2011
Junos 10.2 05/28/2010 05/15/2011 11/15/2011
Junos 10.1 02/15/2010 11/15/2010 05/15/2011
Junos 10.01 11/04/2009 11/15/2012 05/15/2013
Junos 9.6 08/06/2009 05/06/2010 11/06/2010
Junos 9.5 04/14/2009 02/15/2010 08/15/2010
Junos 9.4 02/11/2009 11/11/2009 05/11/2010
Junos 9.31 11/14/2008 11/15/2011 05/15/2012
Junos 9.2 08/12/2008 05/12/2009 11/12/2009
Junos 9.1 04/28/2008 01/28/2009 07/28/2009
Junos 9.0 02/15/2008 11/15/2008 05/15/2009
Junos 8.51 11/16/2007 11/16/2010 05/16/2011
Junos 8.4 08/09/2007 05/09/2008 11/09/2008
Junos 8.3 04/18/2007 01/18/2008 07/18/2008
Junos 8.2 02/15/2007 11/15/2007 05/15/2008
Junos 8.11 11/06/2006 11/06/2009 05/06/2010
Junos 8.0 08/15/2006 05/15/2007 11/15/2007
Junos 7.6 05/15/2006 02/15/2007 08/15/2007
Junos 7.5 02/08/2006 11/08/2006 05/08/2007
Junos 7.4 11/15/2005 08/15/2006 02/15/2007
Junos 7.3 08/16/2005 05/16/2006 11/16/2006
Junos 7.2 05/14/2005 02/14/2006 08/14/2006
Junos 7.1 02/14/2005 11/14/2005 05/14/2006
Junos 7.0 11/15/2004 08/15/2005 02/15/2006
Junos 6.4 08/12/2004 05/12/2005 11/12/2005
Junos 6.3 05/15/2004 02/15/2005 08/15/2005
Junos 6.2 02/15/2004 11/15/2004 05/15/2005
Junos 6.1 11/15/2003 08/15/2004 02/15/2005
Junos 6.0 08/15/2003 05/15/2004 11/15/2004
Junos 5.7 05/15/2003 02/15/2004 08/15/2004
Junos 5.6 02/15/2003 11/15/2003 05/15/2004
Junos 5.5 11/15/2002 08/15/2003 02/15/2004
Junos 5.4 08/12/2002 05/15/2003 11/15/2003
Junos 5.3 05/12/2002 02/15/2003 08/15/2003
Junos 5.2 02/12/2002 11/12/2002 05/15/2003
Junos 5.1 11/07/2001 08/12/2002 02/15/2003
Junos 5.0 08/17/2001 05/15/2002 11/15/2002
Junos 4.4 04/30/2001 02/12/2002 08/15/2002
Junos 4.3 01/31/2001 11/12/2001 05/15/2002
Junos 4.2 10/16/2000 08/13/2001 02/15/2002
Junos 4.1 08/15/2000 05/14/2001 11/15/2001
Junos 4.0 03/31/2000 02/12/2001 08/15/2001

Pre-12.1 Releases (other than EEOL Releases):
EOE date: The earlier of (i) the date eighteen (18) months from first general availability or (ii) two (2) subsequent releases of such software.
EOL/EOS date: The earlier of (i) the date twelve (12) months after the EOE date or (ii) two (2) subsequent releases of such software.
Release 12.1 and following (other than EEOL Releases):
EOE date: The date twenty four (24) months after the first general availability date.
EOL/EOS date: The date six (6) months after the EOE date.
loading...