Rescuing a Juniper SRX550

Notthing more greate than getting a call from HQ 30 minutes after closing hours. Never the less i decided to take the call. Network problem onsite at customer…. After getting green light from women in charge, i got in the car an when on to the customer.

Connection with the USB cable to the SRX console port i got a weird boot sequence. Just like the following:

Either the Junos partition was corrupt or the disk inside of the unit was fried. Decided to try and install Junos again just see if that would help. Went to juniper.net and downloaded the oldest Junos version available, junos-srxsme-12.3X48-D10.3-domestic.tgz. Found a USB drive and put the .tgz file on it and plugged it in the SRX. From the console i broke the bootloader while its was trying to find kernel and issued the following command.

I began to install Junos, but when it tried to create partitions on the card, it died with DMA errors. Great!

Since a SRX550 is not something you find everyday and spareparts a hard to get (support was also expired) i decided to take the srx apart. happily to find a CF card inside and luckily i found a kingstone CF card in my bag (I knew that would come in handy someday). Swapped the card and put it together again.

Power on and issued the install command again. This time with success.

The install of Junos take sometime, a long time 20 minutes. But then you also get a very nice login prompt. logged in with root and no password. Went into cli configuration mode and did a “delete” to wipe the factory config. then loaded the backup configuration with

Pasted the 55kb JSON config into the console and finished with a ctrl+d followed by a commit. commit success and all network was suddenly alive again.

just to make all the LEDs green on the SRX i did wrote the config to rescue config. This is in operational mode.

A happy consumer and hopefully a new Juniper SRX1500 firewall on its way to relive the SRX550 off its duties.


PowerCLI – View host HA status

Had a minor problem with a host that was not able to configure HA agent after a vCenter update, 6.5 build 15000 to build 21000. It was the only host in the cluster that had the error.

– set the host in and out of maintenance mode and to move the host out and in of the cluster. Did not help.
– disable and enable of HA on cluster level work for all the other host, but not my stubborn one.

Reading a VMware 2056299 told me to manuel uninstall the HA vib (vmware-fdm) with

After successfully uninstall i took the host out of maintenance and did a Disable/enable HA on cluster level, and volia it now works.

GUI is always a bit slow to update, but with PowerCLI you get current status.


Import certificate to NSX Edge

Normally when I get a certificate from a customer I often get it in PFX format, but NSX Edge wants it in PEM format. What often is confusing here is that the when converting the PFX the private key gets out in the PKCS8 format but Edge wants the private key in PKCS1 format.

Here is a write-up of the conversion. You will need OpenSSL on the machine that you work on windows, UNIX or macros doesn’t matter.

First, we will need to spit the PFX into .crt and .key with these two commands

Now we need to convert the private.key from PKCS8 to PKCS1 format with this command

Now you can go to your NSX Edge and import the certificate with .crt and pricate_pkcs1.key files

Later on, I have found that I need to import the certificate with the intermediate certificate of the signing 3. party. In my case its GoDaddy.
To do this we convert the certificates to .PEM and afterward.

Then we can convert the cert to pem and put the two certificates in the same file.

Now you can paste this into the load balancer. There must be an easier way to do it, if you find one then please ping me.

Edit: Found a couple of other OpenSSL commands that I from time to time struggle to find.