
Monday, 20 March 2017

junos system alarms "autorecovery information needs to be saved", rescue configuration is not set

These are typical alarms after deploying a JunOS-based Juniper SRX router, and they can be simple to resolve.

2 alarms currently active
Alarm time               Class  Description
2017-01-18 23:13:16 CST  Minor  Autorecovery information needs to be saved
2017-01-18 23:13:13 CST  Minor  Rescue configuration is not set


Alarm: Autorecovery information needs to be saved

"request system autorecovery state save"

Alarm: Rescue configuration is not set
"request system configuration rescue save"


Thursday, 4 February 2016

The power of JunOS and its commands.

Now, I'm not sure about you, but I have been a ScreenOS firewall CLI engineer for a few years, and always loved that you can do most commands as one-liners. Then I started working with JunOS, and was irritated that you had to either type very long or multiple command expressions, or go into different hierarchies to make changes.

But after maybe 3-4 months, while moving back and forth between ScreenOS and JunOS, it became clearer that the programmers of JunOS actually put some thought into it.

In ScreenOS you lack a good overview of the configuration unless you want to look at the set/unset commands in the actual config. In JunOS you get a fairly good overview thanks to its hierarchy view.

Together with groups and routing instances, the JunOS is quite powerful.

Though, I can still admit that working with JunOS devices as a firewall sucks. This is because the WebGUI of JunOS is bad compared to ScreenOS. But if you work mostly with routing and policy statements, JunOS is the King.

I'm not going to go into details of how to configure different examples, but if you have any specific issue, don't hesitate to comment or email me.

What I want to share with you are the most powerful commands that speak for JunOS:

[edit] show | compare --- shows you the difference between the candidate configuration and the running configuration.
[edit] commit check --- verifies your candidate config against the running config to ensure nothing is missing (for example, something needed to get an IPsec tunnel up, or a missing security zone interface).
[edit] commit confirmed <min> (default 10 min) --- this is the best command ever. It commits the changes, and if you for some reason lose connection to the device, or something gets completely screwed up, the config reverts to the previous config. You can compare this with "Set timer", but you won't have to set it and then cancel it in case you succeed with your config.

In ScreenOS and Cisco, when you punch in a command, it takes effect directly; in JunOS it does not. You work in a candidate configuration that you can choose to commit later, or at a certain time.

And if you are even more sure, with a tested config change, you can upload a piece of configuration with SCP (SSH file transfer), and then merge it with the existing config with the help of scripts. Say, for example, you have new SNMP settings but don't want to manually go into each device, and you don't have JunOS Space (Juniper's management software for JunOS devices). Then you can create the SNMP config on your lab router, save that portion as a file, then script an SCP transfer followed by "commit confirmed 1 min", with the expected result of "Commit succeeded", then commit again, and you're done. You can push out new config to 100 devices with one script.
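The SCP-and-merge workflow described above, written out as a shell script (an added example, not the author's script). The account name, staging path, hosts file and success string are assumptions, as is an SSH login that lands directly in the Junos CLI.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions are marked below.
JUSER="${JUSER:-netops}"             # hypothetical account with key-based SSH
REMOTE="/var/tmp/fragment.conf"      # hypothetical staging path on the device
EXPECT="${EXPECT:-commit complete}"  # text treated as success; adjust to your output

# Phase 1: merge the fragment, show the diff, validate, commit with a rollback timer.
phase1_cmds() {  # $1 = rollback minutes
  printf '%s\n' "configure" "load merge $REMOTE" "show | compare" \
    "commit check" "commit confirmed $1" "exit"
}

# Phase 2: a plain commit inside the window cancels the pending rollback.
phase2_cmds() { printf '%s\n' "configure" "commit" "exit"; }

# Succeeds only if the captured CLI output has the success text and no error line.
commit_ok() {  # $1 = captured output
  printf '%s\n' "$1" | grep -qi -- "$EXPECT" || return 1
  ! printf '%s\n' "$1" | grep -qiE '^error:|commit failed'
}

push_one() {  # $1 = host, $2 = local fragment file, $3 = rollback minutes
  if [ -n "${DRY_RUN:-}" ]; then  # print the plan instead of touching a device
    echo "scp $2 $JUSER@$1:$REMOTE"; phase1_cmds "$3"; phase2_cmds; return 0
  fi
  scp -q "$2" "$JUSER@$1:$REMOTE" || return 1
  # Assumes the login lands in the Junos CLI, which reads commands from stdin.
  out=$(phase1_cmds "$3" | ssh -T "$JUSER@$1") || return 1
  commit_ok "$out" || { echo "$1: phase 1 failed, nothing to confirm" >&2; return 1; }
  # A fresh session proves the device is still reachable; if it is not,
  # the commit is never confirmed and the device rolls itself back.
  out=$(phase2_cmds | ssh -T "$JUSER@$1") || return 1
  commit_ok "$out"
}

push_all() {  # $1 = file with one hostname per line, $2 = fragment, $3 = minutes
  rc=0
  while read -r host <&3; do
    [ -n "$host" ] || continue
    push_one "$host" "$2" "${3:-1}" || { echo "FAILED: $host" >&2; rc=1; }
  done 3< "$1"
  return "$rc"
}

if [ "$#" -ge 2 ]; then push_all "$@"; fi
```

Run it with `DRY_RUN=1` first to print the exact command sequence per device before anything is changed.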

Have fun!

Searching mode and iPhone 5/5s won't activate after a reset

--------------
Problem
--------------

So out of the blue, my iPhone 5s with version release 9.2.1 went into "Searching Mode", unable to attach to my provider network (AT&T), which I'm not sure is provider specific (missing carrier settings or similar).

Wifi was working fine all the time, and there were no other issues besides the fact that I couldn't call, receive calls, nor send/receive SMS (iMessage still worked).

I called AT&T support; the account was fine, not blocked. They tried to send new updates and asked me to do a soft reset etc. Eventually, as a last resort, they asked me to do a complete reset of the phone. So I backed it up and went ahead and did a full reset (Erase All Content and Settings). Please ensure you do a backup of your phone via iTunes or iCloud before doing any resets.

When the phone came back online and it was time to activate it, I was stuck. I could not get past the activation screen after choosing Wifi. I tried activating via iTunes but got a similar message that the "phone cannot be activated at this time".

One of my colleagues works with mobile support at my company, so she provided me with a new SIM card for AT&T and we called in to get it activated, still no luck.

So eventually I googled a bit and was reminded about putting the phone in recovery mode, and that worked!

--------------
Solution
--------------

So this is what I did, and it's important to do it in these steps. Hopefully you have a backup in iTunes or iCloud from before you had the problem, or before you try the steps below.


  1. Turn off the phone.
  2. Plug the Lightning cable into the phone, without plugging the USB end into the computer.
  3. Open iTunes on your computer (download from www.itunes.com, about 60mb).
  4. Hold down the "home" button (the button on the front; the button on the top is known as the power button).
  5. While holding down the home button, insert the USB cable into the computer.
  6. Wait for iTunes to discover the phone and suggest recovery mode, then you can release the Home button.
  7. Follow the on-screen instructions and install a new fresh image/software.
  8. After that you can choose to restore from your local backup via iTunes or via iCloud.
  9. Now, I still had a problem with the phone not connecting to the cell network; instead of Searching mode, I had "No Service". I made a call to AT&T support again, read the ICCID number under /Settings/General/About, and they were able to enable the new SIM card.

------------------
Conclusion:
------------------

The problem seems to have been a combination of a bad SIM card and buggy software, so if you have a similar problem, try to get the SIM card replaced first. A good way to verify it: if you cannot see the ICCID field under Settings/General/About, then the SIM card is probably bad, corroded or just worn out.

Sunday, 15 November 2015

My vision was blocked. (3000) Neato Robotics.

So I had the vision 3000 error message on my Neato XV-21 vacuum robot.




After some extensive googling, I found that some people had reached out to Neato Support, only to find out that there was not much to do if the warranty had expired, other than follow some online instructions.

First I opened the whole Neato to clean it out, and cleaned all the sensors that sit on the left side and underneath, until I saw the LIDAR unit. Neato Robotics has been smart enough to use the same length for most screws on the unit, so it's fairly easy to dismantle and put back together. You have to use a Phillips screwdriver, and I recommend you have some knowledge about dismantling stuff, or ask someone to help you keep track of all the screws and where they belong before you start.

What I noticed, which also some forums stated, is that the LIDAR stopped rotating. The LIDAR for your info is the unit that reads the room setup before starting to clean. You can see it by looking into that opening on the back top of the Neato, see picture below.








Some smart guys figured out that the LIDAR (Laser Radar) had issues, and suggested ordering a new one. But a whole LIDAR set is about 150 USD, so why not order a new Neato with warranty instead.

Then I found a post that suggested maybe only ordering the motor. When you dismantle the unit and find the LIDAR, you find a small motor attached to it with a "rubber band". So I tried that first, and ordered it off ebay for 15 USD. And to my surprise it worked! So instead of ordering a new LIDAR unit or a new Neato, the motor replacement worked for me.





You have to pull off the black wheel to see 2 screws holding the motor to the LIDAR unit.

I bought my motor from ebay user roomba_parts_1946. But the user only had a few units, so I'm not sure if the user will get more spare parts; hopefully you will find another seller of these motors.



Good Luck!

Wednesday, 24 September 2014

Install snmpwalk snmpget on CentOS

How to install SNMPWALK and SNMPGET into CentOS

Step 1: First try this command to check whether you have SNMPWALK


[root@localhost ~]# snmpwalk
-bash: snmpwalk: command not found
[root@localhost ~]#

Step 2: Install snmpwalk and snmpget

[root@usevlx08-almighty ~]# yum install net-snmp-utils
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.someimage.com
 * extras: bay.uchicago.edu
 * updates: centos.mirror.constant.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package net-snmp-utils.x86_64 1:5.5-49.el6_5.3 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================
 Package                          Arch                     Version                            Repository                 Size
==============================================================================================================================
Installing:
 net-snmp-utils                   x86_64                   1:5.5-49.el6_5.3                   updates                   174 k

Transaction Summary
==============================================================================================================================
Install       1 Package(s)

Total download size: 174 k
Installed size: 362 k
Is this ok [y/N]: y
Downloading Packages:
net-snmp-utils-5.5-49.el6_5.3.x86_64.rpm                                                               | 174 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 1:net-snmp-utils-5.5-49.el6_5.3.x86_64                                                                     1/1
  Verifying  : 1:net-snmp-utils-5.5-49.el6_5.3.x86_64                                                                     1/1

Installed:
  net-snmp-utils.x86_64 1:5.5-49.el6_5.3                                                                                     

Complete!

Wednesday, 20 August 2014

This Device has booted from the backup Junos Image

When I booted a Juniper SRX240 after shipment to another country, I experienced this error message.

!!!
WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE
It is possible that the primary copy of JUNOS failed to boot up
properly, and so this device has booted from the backup copy.
Please re-install JUNOS to recover the primary copy in case
it has been corrupted
!!!
So you panic and wonder if there is any hardware problem. But before panicking, try these things. If the steps below still do not help, then you should contact Juniper TAC if you have a support agreement.

1. Since the system has booted on the backup Junos image, we know it's up and running, so we want to copy the existing backup image to the primary image, also known as snapshotting the backup to the primary.

To prove that you are actually running on the backup image:

root@SRX240> show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: backup (da0s1a)
Partitions information:
Partition Size Mountpoint
s1a 292M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery

As you can see, it's booted from backup. Now execute the command below to take a snapshot:
root@srx1> request system snapshot slice alternate
Formatting alternate root (/dev/da0s2a)…
Copying ‘/dev/da0s1a’ to ‘/dev/da0s2a’ .. (this may take a few minutes)

The following filesystems were archived: /

You can now reboot with "request system reboot". After the reboot, you can use "show system storage partitions" to verify that you are booted from the "active" partition.

When that is done, you can upgrade your primary partition as usual. For more info on that, check this Juniper KB: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16652

Monday, 14 July 2014

VPN between Netscreen and Checkpoint 1 kept failing from Checkpoint side

VPN between Netscreen ScreenOS and Checkpoint-1.

We have all been in the situation when a project, a solution architect, a partner or a customer won't listen to our recommendation to NOT mix products when setting up VPN.

In this situation it was a customer of my enterprise company that refused to accept us sending active equipment to be placed on their premises, and the customer of course did not want to put active equipment on our side. We strongly recommend doing either or, to have a clear and more manageable demarcation point. And when I say demarcation point, I mean sharing responsibility in the easiest way, without any doubts about where the fault might be. Port-Cable-Port, within the same rack if possible.

That left us with setting up an IPsec tunnel over the Internet between 2 different products, Checkpoint and Netscreen.

Checkpoint uses policy VPN, and Netscreen is more prone to route-based.

I'm not debating which firewall/VPN concentrator is the best etc.; I'll let others do that. But in general, most network companies don't follow the various RFCs to the letter. They all make some small adjustments as they find fitting for their needs.

The problem we faced was that traffic initiated from the Checkpoint side when the VPN was down didn't seem to bite; by that I mean it seems that the Phase 1 from Checkpoint was not compatible with what the Netscreen expected.

The VPN would always come up if traffic was initiated from Netscreen to Checkpoint.

But since traffic was not always initiated from our side, we had a problem.

Solution:
The solution was to enable monitor and rekey on the netscreen, ensuring VPN was re-negotiated without the need of traffic. We can still monitor the VPN by doing a simple IP-monitor on the other side.

In Netscreen we have to use proxy-ids to match the policy VPN configuration in Checkpoint, and on top of that, have "monitor rekey" enabled.

set vpn "<vpn name>" monitor rekey

set vpn "<vpn name>" proxy-id local-ip 192.168.1.1/32 remote-ip 172.16.1.1/32 "ANY"


If you have any questions about the actual config, let me know.