HI,

I have come across keywork target in definiting a community. As per doc, it means destination to which the route is going. So consider an expample:

set policy-option community vpn_rt members target:5:100;

set routing-instances ABC vrf-target import target:5:100
set routing-instances DEF vrf-target export target:5:100

RT is send across to remove PE as extended community anyway , isn't it ? So, why are tagging  route with RT value all over again ?

Hi Karand 

As you said, that means mgd encounters someting and then triggered to execute these two commands by root.

Thus, we should see this actions as normal. Am I correct ?

Thanks

Cloud

Hi Cloud,

Yes, that's correct!

Hi,

PIC0 is MS-PIC

You're doing interface style NAT.

Public IP is configured in interface as well.

Kindly do the following.

1. Remove inline-service from PIC0.

2. Configure public IP which is not part of interface configuration.

Regards,
Rahul

Hi Karand

Is it possible to trigger executing " request support information" by juniper process ?

As below message, root executed it after I commited.

Jan  8 18:14:50.217  xxxxxx_RE1 mgd[23203]: UI_CMDLINE_READ_LINE: User 'cloud', command 'commit '

Jan  8 18:14:50.218  xxxxxx_RE1 mgd[23203]: UI_COMMIT: User 'cloud' requested 'commit' operation (comment: none)

Jan  8 18:14:50.327  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: Obtaining lock for commit

Jan  8 18:14:50.328  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: updating commit revision

Jan  8 18:14:50.533  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: obtaining db lock on  re0

Jan  8 18:14:50.835  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: re-revision: re1-1546942383-6199, other-re-revision: re1-1546942383-6199(0)

Jan  8 18:14:50.835  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: UI extensions feature is not configured

Jan  8 18:14:50.835  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: Started running translation script

Jan  8 18:14:50.835  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: Finished running translation script

Jan  8 18:14:50.835  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: start loading commit script changes

Jan  8 18:14:50.836  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: no commit script changes

Jan  8 18:14:50.836  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: no transient commit script changes

Jan  8 18:14:50.836  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: finished loading commit script changes

Jan  8 18:14:50.836  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: No translation output from the scripts

Jan  8 18:14:50.836  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: Preparing Fast-diff post translation load

Jan  8 18:14:50.856  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: copying juniper.db to juniper.data+

Jan  8 18:14:50.905  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: finished copying juniper.db to juniper.data+

Jan  8 18:14:50.906  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: exporting juniper.conf

Jan  8 18:14:51.152  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: expanding interface-ranges

Jan  8 18:14:51.152  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: finished expanding interface-ranges

Jan  8 18:14:51.152  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: expanding groups

Jan  8 18:14:51.176  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: finished expanding groups

Jan  8 18:14:51.177  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: setup foreign files

Jan  8 18:14:51.185  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: update license counters

Jan  8 18:14:51.187  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: finish license counters

Jan  8 18:14:51.187  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: propagating foreign files

Jan  8 18:14:51.189  xxxxxx_RE1 mgd[23203]: UI_CHILD_START: Starting child '/usr/sbin/mustd'

Jan  8 18:14:51.383  xxxxxx_RE1 mgd[23203]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/mustd', PID 61820, status 0x700

Jan  8 18:14:51.384  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: cdg returns = 7(persist groups is not configured (needed for cdg))

Jan  8 18:14:51.536  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: complete foreign files

Jan  8 18:14:51.583  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: dropping unchanged foreign files

Jan  8 18:14:51.583  xxxxxx_RE1 mgd[23203]: UI_CHILD_START: Starting child '/usr/sbin/ffp'

Jan  8 18:14:51.828  xxxxxx_RE1 mgd[23203]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 61821, status 0

Jan  8 18:14:51.828  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: daemons checking new configuration

Jan  8 18:14:51.828  xxxxxx_RE1 mgd[23203]: UI_CHILD_START: Starting child '/usr/sbin/ffp'

Jan  8 18:14:52.156  xxxxxx_RE1 mgd[23203]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 61822, status 0

Jan  8 18:14:52.156  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: sending pull-configuration rpc to re0

Jan  8 18:14:52.156  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: filename /var/run/db/juniper.db-patch.sync, size 0

Jan  8 18:14:52.256  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: pull-configuration success. URL: /var/tmp/juniper.db-patch.sync

Jan  8 18:14:52.257  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: sending load-patch rpc to re0

Jan  8 18:14:52.358  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: remote load-configuration success on re0

Jan  8 18:14:52.358  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: sending file-delete rpc to re0

Jan  8 18:14:52.458  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: syncing commit db revision to  re0

Jan  8 18:14:52.458  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: asking re0 to commit

Jan  8 18:14:54.065  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: commit wrapup...

Jan  8 18:14:54.065  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: start ffp activate

Jan  8 18:14:54.065  xxxxxx_RE1 mgd[23203]: UI_CHILD_START: Starting child '/usr/sbin/ffp'

Jan  8 18:14:54.408  xxxxxx_RE1 mgd[23203]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 61830, status 0

Jan  8 18:14:54.408  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/cosd.conf'

Jan  8 18:14:54.409  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/pam.conf'

Jan  8 18:14:54.409  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/pam_radius.conf'

Jan  8 18:14:54.409  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/pam_tacplus.conf'

Jan  8 18:14:54.409  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/issue'

Jan  8 18:14:54.410  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/certs'

Jan  8 18:14:54.417  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/motd'

Jan  8 18:14:54.418  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/max-db-size-cfg'

Jan  8 18:14:54.418  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/subs-mgmt-cfg'

Jan  8 18:14:54.419  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/ephinst.conf'

Jan  8 18:14:54.419  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: executing foreign_commands

Jan  8 18:14:54.446  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: not executing ui_commit in rc.ui

Jan  8 18:14:54.469  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: finish ffp activate

Jan  8 18:14:54.470  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: copying configuration to juniper.save

Jan  8 18:14:54.539  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: db_check_constraint_ids_clear start

Jan  8 18:14:54.546  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: db_check_constraint_ids_clear done

Jan  8 18:14:54.572  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: db_groups_info_clear start

Jan  8 18:14:54.579  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: db_groups_info_clear done

Jan  8 18:14:54.579  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/run/db/juniper.data'

Jan  8 18:14:54.600  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: Rotate backup configs

Jan  8 18:14:54.911  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: signaling 'Simple Network Management Protocol process', pid 5330, signal 31, status 0 with notification errors enabled

Jan  8 18:14:54.911  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync begins

Jan  8 18:14:54.921  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync ends

Jan  8 18:14:54.922  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync begins

Jan  8 18:14:55.023  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync ends

Jan  8 18:14:55.024  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration

Jan  8 18:14:55.026  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync begins

Jan  8 18:14:55.053  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync ends

Jan  8 18:14:55.153  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: commit complete

Jan  8 18:14:55.154  xxxxxx_RE1 mgd[23203]: UI_COMMIT_COMPLETED: commit complete

Jan  8 18:14:55.161  xxxxxx_RE1 mgd[23203]: UI_COMMIT_PROGRESS: Commit operation in progress: signaling 'Alarm control process', pid 5328, signal 30, status 0 with notification errors enabled

Jan  8 18:14:56.389  xxxxxx_RE1 mgd[61861]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'

Jan  8 18:14:56.390  xxxxxx_RE1 mgd[61861]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [61861], ssh-connection '', client-mode 'cli'

Jan  8 18:14:56.392  xxxxxx_RE1 mgd[61861]: UI_CMDLINE_READ_LINE: User 'root', command 'request support information '

The command was initiated from a different session ( mgd[61861]) . This may be due to the script enabled on your device or from external device (NMS?). Please check if any script is enabled or check logged in users for external session:

show configuration script

show configuration event-options

show system users

Hi Nellikka

Even I've changed root password, but still saw this event. And as I checked, it will be presented while "Core dumped" happended.

Is it possible to trigger RSI while any process ran "Core dumped" ?

==========================

Jan 8 18:14:55.888 xxxx_RE1 kernel: pid 45608 (srrd), uid 0: exited on signal 11 (core dumped)
Jan 8 18:14:56.223 xxxx_RE1 jlaunchd: sampling-route-record (PID 45608) terminated by signal number 11. Core dumped!
Jan 8 18:16:05.086 xxxx_RE1 dumpd: Core and context for srrd saved in /var/tmp/srrd.core-tarball.4.tgz

Jan  8 18:14:56.392  xxxxx_RE1 mgd[61861]: UI_CMDLINE_READ_LINE: User 'root', command 'request support information '

Jan 9 23:46:02.859 xxxx_RE1 kernel: pid 18485 (srrd), uid 0: exited on signal 11 (core dumped)
Jan 9 23:46:03.217 xxxx_RE1 jlaunchd: sampling-route-record (PID 18485) terminated by signal number 11. Core dumped!
Jan 9 23:47:05.834 xxxx_RE1 dumpd: Core and context for srrd saved in /var/tmp/srrd.core-tarball.4.tgz

Jan 9 23:46:02.859 HKG02_KATRINA_RE1 kernel: pid 18485 (srrd), uid 0: exited on signal 11 (core dumped)
Jan 9 23:46:03.217 HKG02_KATRINA_RE1 jlaunchd: sampling-route-record (PID 18485) terminated by signal number 11. Core dumped!
Jan 9 23:47:05.834 HKG02_KATRINA_RE1 dumpd: Core and context for srrd saved in /var/tmp/srrd.core-tarball.4.tgz

Please check if any script is enabled on your device. A script can take RSI automatically based on some events. By default system will not trigger RSI.

show configuration script | display inheritance

show configuration event-options | display inheritance

Hi Nellike 

As checked by your command, don't run any script on this router. So that's why I confuse.

Even have, the script will be interrupted after I changed password.

Thanks

Cloud

Script can work even if you change password. Please check for any group level configuration and for AIS script.

Hi Rohit,

the vrf-import/vrf-export are used with routing policies, which allows for addining more logic that just attaching the community to the route.

to attach the target community without a policy you can use the vrf-target command.

set routing-instances ss vrf-import ?  
Possible completions:
  <value>              Import policy for VRF instance RIBs
  (                    Open an expression
  FILTER-TED           
  MED                  
  TE                   
  [                    Open a set of values
  lb                   
  local-pref-200       
  nh-self              
[edit]

Hi Nellikka

As I figured out, our router got some scripts at this folder. But I am not sure what function it is.

Do you have any idea on this ?

:/var/db/scripts/op # ls -lh
total 0
lrwxr-xr-x 1 root wheel 67B Feb 14 2018 sdg-inservice.slax -> /packages/mnt/junos-runtime-mx/var/db/scripts/op/sdg-inservice.slax
lrwxr-xr-x 1 root wheel 61B Feb 14 2018 sdg-oos.slax -> /packages/mnt/junos-runtime-mx/var/db/scripts/op/sdg-oos.slax
lrwxr-xr-x 1 root wheel 67B Feb 14 2018 services-oids.slax -> /packages/mnt/junos-runtime-mx/var/db/scripts/op/services-oids.slax
lrwxr-xr-x 1 root wheel 64B Feb 14 2018 srd-status.slax -> /packages/mnt/junos-runtime-mx/var/db/scripts/op/srd-status.slax

Hi Cloud,

This is expected by root. Here i've manually triggered a core dump by issuing "request system core-dump <process-name> command via user called labroot. Once the core dump file is dumped, the root will collect the RSI:

 run show log interactive-commands| match request
Jan 10 13:00:13  jtac-mx960 mgd[55911]: UI_CMDLINE_READ_LINE: User 'labroot', command 'request system core-dump smg-service '
Jan 10 13:00:20  jtac-mx960 mgd[56205]: UI_CMDLINE_READ_LINE: User 'root', command 'request support information brief '

If you think some script is causing rsi to run using root user, they generally use ssh to login and run script.

You can disable it by configuring "set system services ssh root-login deny". this will not allow "root" to login via ssh or in other words, it will allow root login via console and not ssh.

Hello there,

---

 wrote:

 

 

RT is send across to remove PE as extended community anyway , isn't it ? 

 

 

---

In JUNOS, this is not fully automatic. In more detail:

1/ "vrf-target target:BLAH:BLA" statement only advertises static+direct+PE-CE BGP routes out with RT community. Other routes such as PE-CE OSPF or RIP are not picked up by "vrf-target" knob

2/ "vrf-export bLAh" requires a policy to be configured under [edit policy-options] but JUNOS does not check if the policy references a RT community, or any community at all. Example with JUNOS 18.3R1:

[edit]
regress@R2# edit routing-instances 

[edit routing-instances]
regress@R2# show 
VRF1 {
    instance-type vrf;
    route-distinguisher 198.51.100.2:7;
    vrf-target target:65007:7;
    vrf-table-label;
}
[edit routing-instances]
regress@R2# set VRF1 vrf-export VRF1-EXPORT 

[edit routing-instances]
regress@R2# top 

[edit]
regress@R2# set policy-options policy-statement VRF1-EXPORT term 1 then accept 

[edit]
regress@R2# commit check 
configuration check succeeds

Therefore, to be on the safe side, I suggest You always configure [1] RT community and [2] reference this RT community in VRF export and VRF import policies and [3] insert VRF export and VRF import policies into appropriate VRF routing-instance.

HTH

Thx

Alex

Lab Topology:  3 EX4200 devices in series connected via L3 (IP) link. JunOS 12.3R12-S7

Prod topology: Same except they are VCs and switch B is EX4600/4300.

Same results in both cases. I have done a lot of testing here.

EX switch A ----------EX switch B-----------EX Switch C

• All 3 have the master routing instance. Routing within the master instance is fine. 
• B and C have an second, common routing instance type 'virtual-router', called 'Lab'. The Lab routing-instances are linked by a vlan-tagged interface over the B to C Layer 3 connection. Routing within the Lab routing instance is fine.
• I have requirements to allow selective connectivity between the master and Lab routing-instances, so I need to move routes between the RIBs on switch B.  I first configured instance import (my preferred method) and then removed this config and used rib-groups. In both cases, the routes have appeared in the proper tables. I also added a static route on switch A for the destinations on switch C. The routes are good end to end.
• There are no firewalls or ACLs etc.

I am originating all pings and traceroutes specifying the proper instance and source address.

Here are the (interesting) test results:

• Within the master instance:
  • No connectivity issues of any kind.
• Within the Lab instance:
  • No connectivity issues of any kind.
• Between Instances
  • Switch B
    • No connectivity issues of any kind, in either instance.
  • Switches A and C
    • Can successfully ping/trace any interface or directly connected destination of switch B 
    • Switch C can not ping or trace any interface of switch A (and vice-versa)
      • The traceroute arrives at switch B via the proper link and then * * *

So, if I was to draw conclusions from this:

• If a packet arrives on a EX device with multiple instances configured and the packet needs to be routed across instances:
  • If the destinaton is local to that device, it works.
  • If the destination is not local, something breaks.

Any ideas are appreciated.

Thanks-

Hello,

---

 wrote:

 

So, if I was to draw conclusions from this:

• If a packet arrives on a EX device with multiple instances configured and the packet needs to be routed across instances

 

 

---

It's been discussed on this forum umpteen times: route leaking for directly-connected subnets is not supported on EX-series 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB23027

 - and neither on QFX5K-series, I shall add.

HTH

Thx

Alex

Thanks Rahul ...

I will check it ..