
Juniper SRX Firewall: Console To Secondary Node From The Primary Node

In remote management, the upstream or downstream interfaces of a network device are configured to accept console connections such as Telnet or SSH. The management traffic flows along with other transit data traffic through the same interface.
There may be instances where, due to connectivity issues, we are unable to log in remotely to the secondary node of a network device in a cluster. In such a situation we have to obtain an out-of-band connection to the device through:
  1. A KVM or dial-in port, which is only available at datacenters or major locations with significant network equipment, and not readily available at remote or branch locations because of feasibility and cost.
  2. The ultimate and traditional method: engaging a local on-site service person (with at least basic technical skills, which is the rarest phenomenon), a console cable and a laptop with an internet connection. This option is highly time consuming and frustrating during emergency situations.
It appears that many device manufacturers have overlooked this shortfall and provide no way to connect to the secondary node from the primary node, but Juniper seems to support this natively. Juniper is not that user friendly, but it has powerful features embedded in its base code, which are outside the scope of this topic.

With Juniper SRX firewall, in the absence of a console connection to the secondary, it is still possible to log into the secondary node from the primary node and run CLI commands without having to dispatch a technician to the site.

Please note: enter the complete command.


On the branch SRX devices, this can be achieved by the command:

 {primary:node0}
lab@host-At> request routing-engine login node 1

--- JUNOS 10.1R3.7 built 2010-011-10 04:15:10 UTC
{secondary:node1}
lab@host-B>


On the high-end SRX devices, you will need to be in the shell and run the following command:


root@host-A% rlogin -T node1

--- JUNOS 10.1R3.7 built 2010-011-10 04:15:10 UTC
{secondary:node1}
lab@host-B%




Please Note:

1. Remember that this command is hidden in Junos 11.4. I don't know whether that is intentional. So type it out in full, every letter, without using Tab; use just the space bar.
2. You need to be at the shell prompt for high-end devices.
3. The OS version also has an impact:

request routing-engine login node <0|1> !! Branch SRX devices (Pre-11.4R1.6).
rlogin -Jk -T <node0|node1> !! High-end and Branch SRX devices (11.4R1.6+ for Branch models) from the shell
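
The version and platform rule in the notes above, as an added Python example for a runbook helper (not code from the original post or from Juniper): it reads the Junos version from a login banner and returns which prompt and command to use. The `platform` labels and function names are assumptions of this example, the command strings are the ones listed above, and only the `R`-style version format seen in the sessions is parsed.

```python
import re

# Threshold from the summary lines above: branch models switch at 11.4R1.6.
THRESHOLD = (11, 4, 1, 6)
BANNER_RE = re.compile(r"JUNOS (\d+)\.(\d+)R(\d+)(?:\.(\d+))?")


def parse_junos_version(banner):
    """Extract (major, minor, release, build) from a login banner line.

    Only the 'R' release format shown on the page (e.g. 10.1R3.7) is handled;
    anything else raises ValueError rather than being guessed at.
    """
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised Junos version in: {banner!r}")
    return tuple(int(g or 0) for g in m.groups())


def secondary_login_command(banner, platform, node):
    """Return (mode, command) for reaching cluster node 0 or 1.

    platform: 'branch' or 'high-end' (labels assumed for this example).
    mode: 'cli' for the operational prompt, 'shell' for the % prompt.
    """
    if node not in (0, 1):
        raise ValueError("node must be 0 or 1")
    if platform not in ("branch", "high-end"):
        raise ValueError("platform must be 'branch' or 'high-end'")
    version = parse_junos_version(banner)
    if platform == "branch" and version < THRESHOLD:
        return "cli", f"request routing-engine login node {node}"
    return "shell", f"rlogin -Jk -T node{node}"


if __name__ == "__main__":
    # Constructed banners in the format shown in the sessions above.
    for banner, platform in [
        ("--- JUNOS 10.1R3.7 built 2010-011-10 04:15:10 UTC", "branch"),
        ("--- JUNOS 11.4R1.6 built (constructed sample)", "branch"),
        ("--- JUNOS 10.1R3.7 built 2010-011-10 04:15:10 UTC", "high-end"),
    ]:
        print(platform, secondary_login_command(banner, platform, 1))
```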
