Рабочий черновик: августа 2015

20150830

Насильно применить конфигурацию на развалившемся кластере состоящим из двух Juniper SRX.

Предположим что есть кластер на нодах которого, в результате неудачного обновления, стоят разные версии Junos (ну и там еще data-link порвали).

{primary:node0}[edit]
root@srx-n0# run show system software
node0:
--------------------------------------------------------------------------
Information for junos:

Comment:
JUNOS Software Release [12.1X46-D35.1]

node1:
--------------------------------------------------------------------------
Information for junos:

Comment:
JUNOS Software Release [12.1X47-D25.4]

Обе RG работают на node0.
{primary:node0}[edit]
root@srx-n0# run show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring

Cluster ID: 3
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 100 primary no no None
node1 1 secondary no no None

Redundancy group: 1 , Failover count: 1
node0 0 primary no no IF CS
node1 0 secondary no no IF CS

Применить какие-либо изменения в конфигурации нельзя - srx ругается:

{primary:node0}[edit]
root@srx-n0# commit check
node0:
configuration check succeeds
error: error communicating with
error: remote commit-configuration failed on node1
error: configuration check-out failed
error:
Connection to node1 has been broken
error: remote unlock-configuration failed on node1

{primary:node0}[edit]

root@srx-n0# commit

node0:

configuration check succeeds

error:

Connection to node1 has been broken

warning: pull configuration failed, fallback to push configuration method

error: remote load-configuration failed on node1

error: remote unlock-configuration failed on node1

Поиск по подобным ошибкам выводит на команду "commit synchronize force".
В моем случае она не сработала.

{primary:node0}[edit]
root@srx-n0# commit synchronize force
node0:
configuration check succeeds
error:
Connection to node1 has been broken
warning: pull configuration failed, fallback to push configuration method
error: remote load-configuration failed on node1
error: remote unlock-configuration failed on node1

Для меня решением была скрытая команда "commit force", конфигурация применилась только на одной ноде.
{primary:node0}[edit]
root@msk-02-srx3-n0# commit fo
^
syntax error.
root@msk-02-srx3-n0# commit force
node0:

commit complete

Вот.

20150827

Процесс установки сигнатур application-identification на кластер из srx.

В отличии от лицензий все действия с сигнатурами можно делать только на основной ноде.

Скачиваем сигнатуры.
{primary:node0}
root@srx-n0> request services application-identification download
Please use command
"request services application-identification download status" to check download status

{primary:node0}
root@srx-n0> request services application-identification download status
Fetching/Uncompressing https://signatures.juniper.net/xmlupdate/226/Libqmprotocols/2528/libqmprotocols.tgz

{primary:node0}

root@srx-n0> request services application-identification download status

Downloading application package 2528 succeed.

Инсталируем сигнатуры.

{primary:node0}

root@srx-n0> request services application-identification install

node0:

--------------------------------------------------------------------------

Please use command

"request services application-identification install status" to check install status

node1:

--------------------------------------------------------------------------

Please use command

"request services application-identification install status" to check install status

Следим за процессом.

{primary:node0}

root@srx-n0> request services application-identification install status

node0:

--------------------------------------------------------------------------

Checking compatibility of application package version 2528 ...

node1:

--------------------------------------------------------------------------

Checking compatibility of application package version 2528 ...

{primary:node0}

root@srx-n0> request services application-identification install status

node0:

--------------------------------------------------------------------------

Installed Application package (2528) successfully in RE,

Application package and Protocol bundle installation in pfe is in progress

node1:

--------------------------------------------------------------------------

Cleaning up legacy configurations in Junos configuration ...

{primary:node0}

root@srx-n0> request services application-identification install status

node0:

--------------------------------------------------------------------------

Installed Application package (2528) successfully in RE,

Application package and Protocol bundle installation in pfe is in progress

node1:

--------------------------------------------------------------------------

Installed Application package (2528) successfully in RE,

Application package and Protocol bundle installation in pfe is in progress

{primary:node0}

root@srx-n0> request services application-identification install status

node0:

--------------------------------------------------------------------------

Installed

Application package (2528) and Protocol bundle successfully

node1:

--------------------------------------------------------------------------

Installed Application package (2528) successfully in RE,

Application package and Protocol bundle installation in pfe is in progress

{primary:node0}

root@srx-n0> request services application-identification install status

node0:

--------------------------------------------------------------------------

Installed

Application package (2528) and Protocol bundle successfully

node1:

--------------------------------------------------------------------------

Installed

Application package (2528) and Protocol bundle successfully

Проверяем версии.

{primary:node0}

root@srx-n0> show services application-identification version

node0:

--------------------------------------------------------------------------

Application package version: 2528

node1:

--------------------------------------------------------------------------

Application package version: 2528

Смотрим на группы сигнатур.

{primary:node0}

root@srx-n0> show services application-identification group summary

node0:

--------------------------------------------------------------------------

Application Group(s): 90

Application Groups Disabled ID

junos:behavioral No 92

junos:unassigned No 91

junos:web:proxy No 48

junos:remote-access:interactive-desktop No 34

junos:infrastructure:mobile No 57

junos:web:wiki No 54

...

node1:

--------------------------------------------------------------------------

Application Group(s): 90

Application Groups Disabled ID

junos:behavioral No 92

junos:unassigned No 91

junos:web:proxy No 48

junos:remote-access:interactive-desktop No 34

junos:infrastructure:mobile No 57

junos:web:wiki No 54

...

Ставим триальную лицензию на кластер из srx.

Лицензии надо ставить на каждой ноде отдельно.

Сначала будем ставить лицензии на node0 которая является главной нодой для RG0 (там, где RE крутится).
root@srx-n0> show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring

Cluster ID: 3
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 3
node0 100 primary no no None
node1 1 secondary no no None

Redundancy group: 1 , Failover count: 1
node0 100 primary no no None
node1 0 secondary no no IF

Запрашиваем лицензии.
{primary:node0}
root@srx-n0> request system license update trial

Trying to update trial license keys from https://ae1.juniper.net, use 'show system license' to check status.

Смотрим лицензии.

{primary:node0}

root@srx-n0> show system license

License usage:

Licenses Licenses Licenses Expiry

Feature name used installed needed

av_key_kaspersky_engine 0 1 0 2015-09-26 03:00:00 GMT-3

anti_spam_key_sbl 0 1 0 2015-09-26 03:00:00 GMT-3

wf_key_surfcontrol_cpa 0 1 0 2015-09-26 03:00:00 GMT-3

idp-sig 0 1 0 2015-09-26 03:00:00 GMT-3

dynamic-vpn 0 2 0 permanent

ax411-wlan-ap 0 2 0 permanent

appid-sig 0 1 0 2015-09-26 03:00:00 GMT-3

av_key_sophos_engine 0 1 0 2015-09-26 03:00:00 GMT-3

wf_key_websense_ewf 0 1 0 2015-09-26 03:00:00 GMT-3

Licenses installed:

....

Все хорошо.

Руками переключаемся на node1.

{primary:node0}

root@srx-n0> request chassis cluster failover redundancy-group 0 node 1

node1:

--------------------------------------------------------------------------

Initiated manual failover for redundancy group 0

Переключилось.

root@srx-n1> show chassis cluster status

Monitor Failure codes:

CS Cold Sync monitoring FL Fabric Connection monitoring

GR GRES monitoring HW Hardware monitoring

IF Interface monitoring IP IP monitoring

LB Loopback monitoring MB Mbuf monitoring

NH Nexthop monitoring NP NPC monitoring

SP SPU monitoring SM Schedule monitoring

CF Config Sync monitoring

Cluster ID: 3

Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1

node0 100 secondary no yes None

node1 255 primary no yes None

Redundancy group: 1 , Failover count: 0

node0 100 primary no no None

node1 0 secondary no no IF

Запрашивем лицензии на node1.

{primary:node1}

root@srx-n1> request system license update trial

Trying to update trial license keys from https://ae1.juniper.net, use 'show system license' to check status.

Все загрузилось.

{primary:node1}

root@msk-02-srx3-n1> show system license

License usage:

Licenses Licenses Licenses Expiry

Feature name used installed needed

av_key_kaspersky_engine 0 1 0 2015-09-26 03:00:00 GMT-3

anti_spam_key_sbl 0 1 0 2015-09-26 03:00:00 GMT-3

wf_key_surfcontrol_cpa 0 1 0 2015-09-26 03:00:00 GMT-3

idp-sig 0 1 0 2015-09-26 03:00:00 GMT-3

dynamic-vpn 0 2 0 permanent

ax411-wlan-ap 0 2 0 permanent

appid-sig 0 1 0 2015-09-26 03:00:00 GMT-3

av_key_sophos_engine 0 1 0 2015-09-26 03:00:00 GMT-3

wf_key_websense_ewf 0 1 0 2015-09-26 03:00:00 GMT-3

Licenses installed:

...

Все.

20150810

Быстрые заметки по Huawei

1. Посмотреть серийный номер коммутатора.
<s5328>display elabel
...
[Board Properties]
BoardType=CX77XC
BarCode=21023516101234567890
Item=02351300
Description=Quidway S5328C-EI,CX7Z128CM,S5328C-EI Mainframe(24 10/100/1000Base-T,Chassis,Dual Slots of power,Without Flexible Card and Power Module)
Manufactured=2012-10-07
VendorName=Huawei
IssueNumber=00
CLEICode=

BOM=

Серийник указан в поле BarCode.

Большая дока с указанием где искать серийные номера на оборудовании huawei:
http://huaweienterpriseusa.com/system/files/resources/How%20to%20collect%20SN.pdf?nid=797