[j-nsp] Juniper support vs. Cisco TAC - experiences?
Richard A Steenbergen
ras at e-gerbil.net
Wed Jul 9 23:46:35 EDT 2008
On Wed, Jul 09, 2008 at 06:25:07PM -0600, David Ball wrote:
> Another thing which I (and surely most of you) try to do is inundate
> them with data when opening a case right at the get-go, in hopes of
> avoiding the mundane questions Richard alluded to. Not just a 'req
> sup info', but attach any core files (/var/crash I think), many of the
> log files found in /var/log/ (not just 'messages'), the 'traceoptions'
> log for the problem/protocol/interface you're working on, a network
> diagram, and a rediculously detailed explanation of precisely what
> you're seeing, what else you've tried during troubleshooting, and what
> those results were. It will take much longer to open the ticket, but
> in my experience it shaves days off the resolution time. I've even
> had a JTAC person reply with 'wow, thanks for all the great
> information when opening the ticket...I'm escalating to ATAC now' when
> they realized the issue was clearly out of their comfort zone.
I have an op script which helps with some of this monotony by uploading
log files to the FTP site (*), but there are a few nagging software issues
which keep it from being a "good" solution. For example, there is no
scriptable command to MKDIR on an ftp site, nor is there a way to run a
CLI command and save the results to a temp file (in non-XML format) so you
can upload it. Why do you need this? For example, "show config | display
omit | display inheritence | display commit", since 99% of regular JTAC is
completely incapable of understanding commit scripts, group inheritence,
or apply-flags omit. At best you get to run a few commands manually, save
them to temp files in known locations, and then use the script to automate
a few upload commands.
This particular issue is actually my primary example of why having such
wonderful op script functionality can sometimes be a bad thing. I've been
trying to submit a feature request to get a built in method to securely
upload support information for literally years now, and with the addition
of op scripts the universal cop-out is "we don't need to do this, you can
do it yourself with op scripts". Sounds great in theory, except that you
can't actually do most of the work required due to a few missing commands.
Requiring an op script also puts the functionality beyond the reach of the
vast majority of users, who don't happen to be reading this list or
browsing juniper.cluepon.net. But even more importantly, I wonder how many
people actually stop to think about the security of the data they are
transmitting over the wire. Not only are you uploadig the entire contents
of your router's configuration in plain-text, but often times you are
trasmitting the entire contents of your memory as part of core dumps. If
someone wanted to do some industrial espionage its hard to think of a
better place to start than by intercepting some packets going to
ftp.juniper.net. A proper JUNOS implementation, in addition to being able
to upload all kinds of things that you can't do with op scripts, would
distribute the public key cert file for Juniper's ftp server as part of
JUNOS, then sftp the data securely.
Op scripts are great things, but sometimes they aren't a substitute for
the real thing, and this would be so simple to implement and beneficial
for users that it absolutely boggles the mind why it keeps getting
rejected.
At any rate, here is the not-really-working-well version of the script if
anyone wants to play with it. FYI the point of the temp file is so that
you can grab files off of any RE, including the "other RE" which might not
have connectivity to anythig except the active RE via TNP. Another good
addition would be the uploading of an arbitrary file, or the uploading of
the results of arbitrary pfe commands, incase you need to gather more data
than the default log files. I thought I had uploaded this to
juniper.cluepon.net but I must have been waiting until I could get it
fixed. :)
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
template upload($file, $dest) {
var $filename = jcs:regex("[^\/]+$", $file)[1];
var $destfile = $hostname _ "." _ $filename;
var $tmpfile = "/tmp/" _ $filename _ "XXXFIXMEWITHREALTMPNAME";
/* Copy specified file to a temporary local location */
var $copy_temp = {
<file-copy> {
<source> $file;
<destination> $tmpfile;
}
}
var $results_temp = jcs:invoke($copy_temp);
<output> $results_temp;
/* Upload file from temp location to the remote server */
var $copy_upload = {
<file-copy> {
<source> $tmpfile;
<destination> $dest _ "/" _ $destfile;
}
}
<output> "Uploading " _ $filename _ " to " _ $dest;
var $results_upload = jcs:invoke($copy_upload);
<output> $results_upload;
/* Clean up the mess left behind */
var $delete = {
<file-delete> {
<path> $tmpfile;
}
}
var $results_delete = jcs:invoke($delete);
}
/* Requires JUNOS 8.4+, and still doesn't work right */
template save($data, $file) {
var $put = {
<file-put> {
<filename> $file;
<encoding> "ascii";
<file-contents> $data;
}
}
var $results_put = jcs:invoke($put);
<output> "Debug: " _ $results_put;
}
var $arguments = {
<argument> {
<name> "destination";
<description> "Destination Path";
}
<argument> {
<name> "case";
<description> "Juniper Support Case Number";
}
<argument> {
<name> "routing-engine";
<description> "Routing Engine";
}
}
param $case;
param $destination;
param $routing-engine;
/* Set defaults for some arguments */
var $dest = jcs:first-of($destination, "ftp://ftp.juniper.net/pub/incoming/");
/* XXX Fix this with "which RE am I" code */
var $re = jcs:first-of($routing-engine, "re0");
match / {
<op-script-results> {
if ($case) {
<output> "Automated version currently unsupported, run these first:";
<output> "request support information | save /tmp/support";
<output> "show config | display omit | display commit | save /tmp/config";
/*
var $support = jcs:invoke('get-support-information');
var $config = jcs:invoke('get-configuration');
call save($support, "/tmp/support");
call save($config, "/tmp/config");
*/
call upload($file = $re _ ":/tmp/support", $dest = $dest _ $case);
call upload($file = $re _ ":/tmp/config", $dest = $dest _ $case);
call upload($file = $re _ ":/var/log/messages", $dest = $dest _ $case);
call upload($file = $re _ ":/var/log/chassisd", $dest = $dest _ $case);
} else {
<xnm:error> {
<message> "Juniper Support Case Number argument required.";
}
}
}
}
(*) If you can even get them to look at the FTP site. I still run into
JTAC people who don't know it exists, don't know how to check it, or
insist that you copy and paste everything into an email attachment or
webpage upload form anyways. Also beware of large file handlig, I know for
certain that whatever method they use to access the FTP site contents
doesn't handle un-tgz'ing a kernel coredump from an RE with 4GB of ram
(well that and regular JTAC doesn't know what a .tgz is, but I'll stop
complaining about them for today :P).
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
More information about the juniper-nsp
mailing list