Juniper SRX 240H Bootable USB Backup - NETSEC

Friday, February 24, 2012

Juniper SRX 240H Bootable USB Backup

Juniper KB10800 has a good explanation of how to format and mount a USB flash drive on a J-series router, but not much information on the DRP process, such as using a snapshot stored on a USB flash drive. I spent some time trying to make a bootable USB flash drive, and here is my own experience.

Note: I am using an SRX240H.



Step 1: Insert your USB disk into USB0

Step 2: Find the device name of your USB drive
a. Through the /dev directory. You have to carefully compare the listing from before and after you inserted the USB drive.

root@M-Prod% ls /dev
altroot         bpf11           bpf24           bpf37           cuau0           da0s4           kmem            pass1           ttyp1
ata             bpf12           bpf25           bpf38           cuau0.init      da0s4a          log             pci             ttyp2
bo0s1a          bpf13           bpf26           bpf39           cuau0.lock      da0s4c          md0             ptyp0           ttyp3
bo0s1c          bpf14           bpf27           bpf4            da0             da1             md1             ptyp1           ttyu0
bo0s2a          bpf15           bpf28           bpf40           da0s1           da1s1           md2             ptyp2           ttyu0.init
bo0s2c          bpf16           bpf29           bpf5            da0s1a          devctl          md3             ptyp3           ttyu0.lock
bo0s3c          bpf17           bpf3            bpf6            da0s1c          devstat         md4             random          urandom
bo0s3e          bpf18           bpf30           bpf7            da0s2           fd              mdctl           root            usb
bo0s3f          bpf19           bpf31           bpf8            da0s2a          fido            mem             rtfifo          usb0
bo0s4a          bpf2            bpf32           bpf9            da0s2c          fileassoc       nfs4            smb             usb1
bo0s4c          bpf20           bpf33           cfi0            da0s3           gblmem          nfslock         stderr          veriexec
bpf0            bpf21           bpf34           console         da0s3c          geom.ctl        null            stdin           xpt0
bpf1            bpf22           bpf35           cpld            da0s3e          gpio            octpkt          stdout          zero
bpf10           bpf23           bpf36           ctty            da0s3f          klog            pass0           ttyp0


b. A better way is to look at the log messages
root@M-Prod> show log messages
Feb 18 12:25:44 M-Prod newsyslog[11050]: logfile turned over due to -F request
Feb 23 20:45:01  M-Prod sshd[56519]: subsystem request for netconf by user root
Feb 23 20:59:16  M-Prod /kernel: umass1: JetFlash Mass Storage Device, rev 2.00/1.00, addr 4
Feb 23 20:59:16  M-Prod /kernel: da1 at umass-sim1 bus 1 target 0 lun 0
Feb 23 20:59:16  M-Prod /kernel: da1: <JetFlash TS2GJFV30 8.01> Removable Direct Access SCSI-2 device
Feb 23 20:59:16  M-Prod /kernel: da1: 40.000MB/s transfers
Feb 23 20:59:16  M-Prod /kernel: da1: 1938MB (3969024 512 byte sectors: 255H 63S/T 247C)
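
Both methods can be combined into one check before Step 3 overwrites the device. The following is an added example, not part of the original post: it assumes the two /dev listings and the log text have been captured into shell variables (the samples are constructed from the output above), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm which daN is the USB stick before it is overwritten.
# BEFORE, AFTER and LOG are constructed samples modelled on the output above.
BEFORE='da0 da0s1 da0s1a da0s2 da0s2a md0 pass0 usb0'
AFTER='da0 da0s1 da0s1a da0s2 da0s2a da1 da1s1 md0 pass0 pass1 usb0 usb1'
LOG='Feb 23 20:59:16  M-Prod /kernel: da1 at umass-sim1 bus 1 target 0 lun 0
Feb 23 20:59:16  M-Prod /kernel: da1: <JetFlash TS2GJFV30 8.01> Removable Direct Access SCSI-2 device
Feb 23 20:59:16  M-Prod /kernel: da1: 1938MB (3969024 512 byte sectors: 255H 63S/T 247C)'

# Method a: whole-disk nodes (daN) present after insertion but not before.
new_disks() {  # $1 = "ls /dev" before, $2 = "ls /dev" after
    printf '%s\n' "$2" | tr -s ' \t' '\n' | grep -E '^da[0-9]+$' |
    while read -r d; do
        printf '%s\n' "$1" | tr -s ' \t' '\n' | grep -qx "$d" || echo "$d"
    done
}

# Method b: size in bytes that the kernel logged for a disk it called Removable.
removable_bytes() {  # $1 = log text, $2 = device name
    printf '%s\n' "$1" | awk -v dev="$2" '
        index($0, "/kernel: " dev ": <") && /Removable/ { removable = 1 }
        index($0, "/kernel: " dev ": ") && match($0, /\([0-9]+ [0-9]+ byte sectors/) {
            split(substr($0, RSTART + 1, RLENGTH - 1), f, " ")
            bytes = f[1] * f[2]          # sector count * sector size
        }
        END { if (removable && bytes) printf "%.0f\n", bytes; else exit 1 }'
}

# Accept a target only if both methods agree on exactly one device.
usb_target() {  # $1 = before, $2 = after, $3 = log; prints "dev bytes"
    devs=$(new_disks "$1" "$2")
    [ "$(printf '%s\n' "$devs" | grep -c .)" -eq 1 ] || return 1
    bytes=$(removable_bytes "$3" "$devs") || return 1
    echo "$devs $bytes"
}

usb_target "$BEFORE" "$AFTER" "$LOG" || echo "no unambiguous USB disk found"
```

The size it prints, 2032140288 bytes, is 3969024 sectors of 512 bytes from the log line, and it matches the byte count dd reports in Step 3.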

Step 3: Format USB and Label it

root@M-Prod% dd if=/dev/zero of=/dev/da1 bs=128k
dd: /dev/da1: end of device
15505+0 records in
15504+0 records out
2032140288 bytes transferred in 413.039683 secs (4919964 bytes/sec)

root@M-Prod% disklabel -R -w da1 auto

Step 4: Create File System

root@M-Prod% newfs -U /dev/da1
/dev/da1: 1938.0MB (3969020 sectors) block size 16384, fragment size 2048
        using 11 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.
        with soft updates
super-block backups (for fsck -b #) at:
 32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544, 3384608, 3760672
root@M-Prod%

Step 5: Create snapshot and partition

root@M-Prod> request system snapshot media usb partition
node0:
--------------------------------------------------------------------------
Clearing current label...
Partitioning usb media (/dev/da1) ...

Step 6: Boot Off USB

request system reboot media usb

Step 7: Restore the Junos Configuration:

request system snapshot media internal

If there is no access to the CLI, follow this procedure to do recovery:
http://kb.juniper.net/KB10386


---------------------------------------------

Some useful commands when doing backup and restoring:
request routing-engine login node1

file copy node0:/var/jail/junos-srxsme-11.2R2.4-domestic.tgz node1:/var/jail/

root@SRX% md5 jinstall-ex-4200-10.4R1.9-domestic-signed.tgz
MD5 (jinstall-ex-4200-10.4R1.9-domestic-signed.tgz) = 38032c0e237a65b4cbc86a9c6ab06552

root@SRX> file checksum md5 /var/tmp/jinstall-ex-4200-10.4R1.9-domestic-signed.tgz
MD5 (/var/tmp/jinstall-ex-4200-10.4R1.9-domestic-signed.tgz) = 38032c0e237a65b4cbc86a9c6ab06552
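
A pre-install check built on the md5 commands above, as an added example that is not part of the original post: it compares a package's MD5 with an expected value and then reads the gzip stream to the end, so a damaged or truncated .tgz is caught before request system software add runs. file_md5 and verify_pkg are hypothetical helper names; MD5 here only detects corruption in transit, while authenticity is covered by the package signature check visible in the install output.

```shell
#!/bin/sh
# Added example: refuse to install a package that is corrupt or truncated.
# file_md5 and verify_pkg are hypothetical helper names, not Junos commands.

# Print the MD5 of a file using FreeBSD md5 (as on the page) or GNU md5sum.
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | awk '{ print $1 }'
    fi
}

# $1 = package path, $2 = MD5 published for the image or taken on the source node
verify_pkg() {
    [ -r "$1" ] || { echo "unreadable: $1"; return 2; }
    got=$(file_md5 "$1") || return 2
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
    if [ "$got" != "$want" ]; then
        echo "MD5 mismatch: got $got want $want"
        return 1
    fi
    # A .tgz is a gzip stream; -t reads it to the end and fails on truncation.
    # This still matters when the expected MD5 came from an already damaged copy.
    gzip -t < "$1" 2>/dev/null || { echo "gzip stream damaged: $1"; return 1; }
    echo "ok: $1"
}

# Usage: sh verify_pkg.sh /var/tmp/<package>.tgz <expected-md5>
if [ $# -eq 2 ]; then
    verify_pkg "$1" "$2"
fi
```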



---------------------------------------------------------
Upgrade error I met while upgrading the SRX from 10.4 to 11.2:


root@SRX-Prod> request system software add /cf/var/jail/junos-srxsme-11.2R2.4-domestic.tgz no-copy no-validate
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 298.0MB (610284 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 74.50MB, 4768 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
 32, 152608, 305184, 457760

gzip: stdin: invalid compressed data--format violated
tar: Unexpected EOF in archive
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
Installing package '/altroot/cf/packages/install-tmp/junos-11.2R2.4-domestic' ...
verify-sig: cannot validate junos-boot-srxsme-11.2R2.4.tgz.sig
subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageCA/[email protected]

Installation failed for package '/altroot/cf/packages/install-tmp/junos-11.2R2.4-domestic'

--------------------------------------------------------------

Upgrade successful
root@SRX-Prod> request system software add no-copy no-validate /cf/var/jail/junos-srxsme-11.2R2.4-domestic.tgz
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 298.0MB (610284 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 74.50MB, 4768 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
 32, 152608, 305184, 457760
Installing package '/altroot/cf/packages/install-tmp/junos-11.2R2.4-domestic' ...
Verified junos-boot-srxsme-11.2R2.4.tgz signed by PackageProduction_11_2_0
Verified junos-srxsme-11.2R2.4-domestic signed by PackageProduction_11_2_0
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-11.2R2.4.tgz
JUNOS 11.2R2.4 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
Saving state for rollback ...

--------------------------------------------------------------

12 dropped packets while rebooting the second SRX cluster member after the first SRX rebooted:

Reply from 10.94.200.14: bytes=32 time<1ms TTL=126
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.94.200.14: bytes=32 time=1ms TTL=126


