Category Archives: junos

MTU and PMTU on JunOS

I would like to talk about a couple of things in this post about MTU on JunOS;

  • Why do we have two different MTU settings, i.e. one at the physical interface level and one at the logical unit level?
  • What does path MTU discovery mean on a Junos box?
  • Why is MTU important for OSPF?

Actually, it all started with my OSPF tests in my lab. I was connected to an SRX device in my home network, playing with MTU settings at interface level and unit level to see the differences, and all of a sudden I lost my connection. To be honest, I like making non-destructive mistakes as they teach me a lot. Now I recall again how important a piece MTU is in OSPF messages. Let's start from the beginning again;


GRE tunnel configuration in SRX

I will configure GRE (Generic Routing Encapsulation) between two Juniper SRX firewall devices. If you want to learn more about the protocol, see RFC 2784. I will just demonstrate how two networks can be connected to each other via a tunnel. I will also show how the SRX security policy should be configured in order to pass the traffic through. Here is my topology;


1) Configure GRE interfaces on both sides

Interface configuration is pretty obvious if you have a look at my topology.
The source address is the real interface address facing towards the remote device.
The destination address is the remote device's real interface address that accepts the packets.

Documentation says that a gre interface IP address isn’t mandatory, i.e. unnumbered GRE is possible, but what I have seen is that if you leave it unassigned, routes that you point at this interface as next-hop won’t be installed into the routing table.

Note: According to feedback from blog reader kroozo, setting “family inet” is sufficient for route to be installed.


SRX reset button for factory/rescue configuration

I will briefly write about the Branch SRX alarm LED and reset button in this post.

1) Alarm LED

Today when I deleted my rescue configuration via;

> request system configuration rescue delete

command, then minutes later I noticed that the alarm LED on the front panel had turned amber.
At first I couldn’t guess that the alarm was raised because of the rescue config. Then I checked the chassis and system alarms;

It seems an alarm with the Minor category is also raised for a non-existing rescue configuration.
Once the rescue config is saved;

> request system configuration rescue save

the alarm is cleared. Good to learn this feature.

2) Reset button

What I used to know was that the reset button returns the config to the factory default config; now I know that it can also return to the rescue config.
If you have a rescue config saved, press the reset button and then release it immediately;

the SRX commits the rescue configuration, which is really a handy feature.

If you press the button for more than 15 seconds, then you return to the factory default configuration.

The good thing is that you can also change this behavior via the configuration mode command;

monitor traffic doesn’t show any icmp traffic

If you want to capture some ICMP traffic destined for a Junos router by using “monitor traffic”, you must re-think what you are doing. For example, you issued the following command and then started a ping from another host towards this Junos router.

Unfortunately you won’t see any ICMP request in this capture. The underlying reason, as far as I know, is that ICMP responses are handled by the data plane (PFE) instead of the control plane. In other words, the Routing Engine never really receives this traffic; the PFE responds to the ICMP request itself.

What I usually do is generate some sample TCP traffic (e.g. an SSH request) towards the RE to see some packets in the capture.

Archiving junos configurations

There is a very handy feature in JunOS which you may find very useful if you have lots of JunOS devices. JunOS can send your active configuration after every commit to a configured remote destination server by using the scp, http or ftp protocols. A small configuration is sufficient to achieve this. For example, with the configuration below, my SRX device’s configuration is sent to the remote server within the specified interval.

If you list the files on the remote server, you will see the files transferred after each commit;

Simple shell script

When I was looking at one of my earlier posts, I noticed that sometimes I repeat CLI commands manually instead of scripting. Life is short! If you can’t find any other shell, JunOS also has a C shell, and the following is a simple loop which generates several commands following a similar pattern. For example, I would like to delete all ethernet-switching families in one go on an SRX210 device. Then, while you are at the shell prompt, write the following lines into a file and run it like below;

Then just paste the output in configuration mode (after the configure command) and commit!
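The same idea in POSIX sh, as an added example rather than the post's own csh loop (JunOS, being FreeBSD-based, also ships /bin/sh). It assumes the SRX210 front-panel layout of ge-0/0/0, ge-0/0/1 and fe-0/0/2 to fe-0/0/7; adjust srx210_ifname for another model. The generator takes the verb as a parameter, so the same script can emit the matching set statements if you need to put the families back:

```shell
#!/bin/sh
# Added example (not the blog's own script): generate one Junos statement per
# switching port of an SRX210 so the block can be pasted into configuration mode.
# Assumption: SRX210 ports are ge-0/0/0, ge-0/0/1 and fe-0/0/2 .. fe-0/0/7.

# Map a front-panel port number (0-7) to its Junos interface name.
srx210_ifname() {
    port="$1"
    if [ "$port" -le 1 ]; then
        echo "ge-0/0/$port"
    else
        echo "fe-0/0/$port"
    fi
}

# Emit "<verb> interfaces <ifname> unit 0 family ethernet-switching" for every port.
# $1 is the verb: "delete" (default) removes the family, "set" re-creates it.
gen_ethsw() {
    verb="${1:-delete}"
    port=0
    while [ "$port" -le 7 ]; do
        echo "$verb interfaces $(srx210_ifname "$port") unit 0 family ethernet-switching"
        port=$((port + 1))
    done
}

# Count the statements a run would produce; handy for a sanity check before pasting.
gen_ethsw_count() {
    gen_ethsw "$1" | wc -l | tr -d ' '
}

# Stand-alone run: print the delete statements to paste after "configure".
gen_ethsw delete
```

Run it as `sh delete-ethsw.sh > delete.txt`, check the line count matches the number of ports, then paste the contents in configuration mode and commit.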

SRX DHCP Configuration

DHCP configuration is very straightforward in JunOS. However, if you are like me, you can even forget that the gateway address must be within the advertised pool. Here is a simple config;

Once this config is in place, make sure you allow the DHCP service on the gateway interface, e.g.

Note that you can only allow the dhcp service on a specific interface, not on a zone. For example, if you type “set security zones security-zone trust host-inbound-traffic system-services” you will see that there is no dhcp option.

After committing, you can see the bindings via;

Other commands for troubleshooting;
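Since the mistake this post warns about (a router address outside the advertised pool) is easy to make by hand, here is an added example, not the post's own config, that generates the DHCP set statements from POSIX sh and refuses to emit them unless the range boundaries and the gateway all fall inside the pool prefix. It assumes the legacy “system services dhcp pool” hierarchy on branch SRX, and the subnet, addresses and interface name (192.168.1.0/24, ge-0/0/1.0) are constructed sample values:

```shell
#!/bin/sh
# Added example (not the blog's own config): build "set" statements for an SRX
# DHCP pool and check that low, high and router addresses lie inside the pool.
# Assumptions: legacy "system services dhcp" hierarchy; sample values below are made up.

# Convert a dotted-quad IPv4 address to an integer (POSIX arithmetic, 64-bit safe).
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 is inside network $2 given as prefix/length, else 1.
in_subnet() {
    net=${2%/*}
    plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Emit the pool config plus the per-interface host-inbound-traffic line.
# Arguments: pool-prefix low high router interface.unit
# Fails (return 1, nothing printed) if any address is outside the pool prefix,
# which is exactly the "gateway must be within the advertised pool" trap.
gen_dhcp_config() {
    pool="$1"; low="$2"; high="$3"; router="$4"; ifc="$5"
    for addr in "$low" "$high" "$router"; do
        if ! in_subnet "$addr" "$pool"; then
            echo "error: $addr is not inside pool $pool" >&2
            return 1
        fi
    done
    echo "set system services dhcp pool $pool address-range low $low"
    echo "set system services dhcp pool $pool address-range high $high"
    echo "set system services dhcp pool $pool router $router"
    echo "set system services dhcp pool $pool default-lease-time 86400"
    echo "set security zones security-zone trust interfaces $ifc host-inbound-traffic system-services dhcp"
}

# Stand-alone run with constructed sample values.
gen_dhcp_config 192.168.1.0/24 192.168.1.10 192.168.1.100 192.168.1.1 ge-0/0/1.0
```

Paste the printed lines in configuration mode and commit; if the router address is wrong the script prints an error and nothing else, so a blind paste cannot install a broken pool.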

Recovering primary JUNOS image

When I booted my SRX device I saw the following output on the console;

This had not happened before. According to the Junos documentation, I can either install a new Junos image to be on the safe side or copy the backup partition to the primary. As you can see, my current partition is the backup. Once I snapshotted the backup to the active partition and rebooted, after a while I could boot from the primary one.

SRX password reset/recovery

Here are some basic steps to reset the password on an SRX firewall.

Note: If you are looking for a default password, there is no default password on an SRX. A new SRX out of the box has the root user with no password.

1) Reboot the box and press SPACE when you see the following screen to get to the loader prompt.

2) Type “boot -s” at this prompt.

3) After a while you will see a screen like the one below. Type “recovery” to continue.

NOTE: If you don’t see this prompt for recovery but instead “Enter root password”, then password recovery must have been disabled via the configuration “set system ports console insecure”, which means you can’t recover the password via this method.

4) In the end you will drop to the shell without any password. Once you type configure, followed by “set system root-authentication plain-text-password”, you will have the new password assigned. Don’t forget to commit.