[j-nsp] WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE

Duane Grant duaneogrant at gmail.com
Tue Mar 25 16:51:43 EDT 2014


newer versions of junos can be configured to automatically recover the
primary partiion via "auto-snapshot".

on older versions of code, you can put in the slax script to fix your issue:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB25758

relevant bits:

set event-options policy boot-chk events system
set event-options policy boot-chk attributes-match system.message matches
"Host 0 Boot from backup root"
set event-options policy boot-chk then execute-commands commands "request
system snapshot slice alternate"

you might need to play with the match above for some of the platforms, but
it shouldn't be too difficult to get going.

Regards,
                     --Duane

On Tue, Mar 25, 2014 at 12:00 PM, <juniper-nsp-request at puck.nether.net>wrote:

> Send juniper-nsp mailing list submissions to
>         juniper-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://puck.nether.net/mailman/listinfo/juniper-nsp
> or, via email, send a message with subject or body 'help' to
>         juniper-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
>         juniper-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of juniper-nsp digest..."
>
>
> Today's Topics:
>
>    1. Re: WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS
>       IMAGE (Victor Sudakov)
>    2. Re: WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS
>       IMAGE (Aaron Dewell)
>    3. Re: Dynamic VPN with Pulse, AD Integration and more
>       (Louis Kowolowski)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 25 Mar 2014 11:04:15 +0700
> From: Victor Sudakov <vas at mpeks.tomsk.su>
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP
>         JUNOS IMAGE
> Message-ID: <20140325040415.GA44247 at admin.sibptus.tomsk.ru>
> Content-Type: text/plain; charset=us-ascii
>
> Dear Masood,
>
> Thanks for the link to the KB article.
>
> However, being an old FreeBSD admin, I don't quite understand why and
> when a switch considers a partition "corrupted". It may be left in the
> dirty state due to a power loss, but this does not cause any
> corruption, especially when there were no writes during the power
> loss. The system just runs fsck and the partition should be as good
> as new.
>
> Masood Ahmad Shah wrote:
> > Perhaps the file system became corrupted, most likely due to a sudden
> power
> > loss, or ungraceful shutdown. I would not worry, as long as both of the
> > partitions are healthy, then no issue with running switch on either of
> > them.
> >
> > Just make sure that both of the partitions are healthy, so that fail over
> > can be done when needed. The following URL will point you how to recover
> > from this sort of condition. Just start from "Step-by-step recovery
> > procedure for this situation:" http://goo.gl/BoUUlA
> >
> > Cheers,
> > Masood
> >
> > On Fri, Mar 21, 2014 at 5:23 PM, Victor Sudakov <vas at mpeks.tomsk.su>
> wrote:
> >
> > > Colleagues,
> > >
> > > What could be the reason that an EX4200-24T occasionally boots from the
> > > secondary copy?
> > >
> > > If I "request system reboot slice alternate media internal", it will
> > > boot from the Active Partition all right. This means the Active
> > > Partition is operational, isn't it?
> > >
> > > But sometimes, one day, the switch will eventually boot from the
> > > Backup Partition again.
> > >
> > > What gives?
> > >
> > > TIA for any ideas.
> > >
> > > --
> > > Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> > > sip:sudakov at sibptus.tomsk.ru
> > > _______________________________________________
> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
> > >
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 24 Mar 2014 23:14:20 -0500
> From: Aaron Dewell <aaron.dewell at gmail.com>
> To: Victor Sudakov <vas at mpeks.tomsk.su>
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP
>         JUNOS   IMAGE
> Message-ID: <B28892F9-EBC6-431F-9E23-C888EAE45B00 at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> fsck is run automatically every boot.  If the automatic fsck fails, it
> throws it to the backup partition.  So yes, you are correct, but the
> situation observed is when that system fails.
>
> On Mar 24, 2014, at 11:04 PM, Victor Sudakov wrote:
> > Dear Masood,
> >
> > Thanks for the link to the KB article.
> >
> > However, being an old FreeBSD admin, I don't quite understand why and
> > when a switch considers a partition "corrupted". It may be left in the
> > dirty state due to a power loss, but this does not cause any
> > corruption, especially when there were no writes during the power
> > loss. The system just runs fsck and the partition should be as good
> > as new.
> >
> > Masood Ahmad Shah wrote:
> >> Perhaps the file system became corrupted, most likely due to a sudden
> power
> >> loss, or ungraceful shutdown. I would not worry, as long as both of the
> >> partitions are healthy, then no issue with running switch on either of
> >> them.
> >>
> >> Just make sure that both of the partitions are healthy, so that fail
> over
> >> can be done when needed. The following URL will point you how to recover
> >> from this sort of condition. Just start from "Step-by-step recovery
> >> procedure for this situation:" http://goo.gl/BoUUlA
> >>
> >> Cheers,
> >> Masood
> >>
> >> On Fri, Mar 21, 2014 at 5:23 PM, Victor Sudakov <vas at mpeks.tomsk.su>
> wrote:
> >>
> >>> Colleagues,
> >>>
> >>> What could be the reason that an EX4200-24T occasionally boots from the
> >>> secondary copy?
> >>>
> >>> If I "request system reboot slice alternate media internal", it will
> >>> boot from the Active Partition all right. This means the Active
> >>> Partition is operational, isn't it?
> >>>
> >>> But sometimes, one day, the switch will eventually boot from the
> >>> Backup Partition again.
> >>>
> >>> What gives?
> >>>
> >>> TIA for any ideas.
> >>>
> >>> --
> >>> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> >>> sip:sudakov at sibptus.tomsk.ru
> >>> _______________________________________________
> >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>
> >
> > --
> > Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> > sip:sudakov at sibptus.tomsk.ru
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 24 Mar 2014 21:32:40 -0700
> From: Louis Kowolowski <louisk at cryptomonkeys.org>
> To: Skeeve Stevens <skeeve+junipernsp at eintellegonetworks.com>
> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> Subject: Re: [j-nsp] Dynamic VPN with Pulse, AD Integration and more
> Message-ID: <BACD3C2F-3AB4-4B18-98D9-71DA75B4878D at cryptomonkeys.org>
> Content-Type: text/plain; charset="windows-1252"
>
> Briefly, but I didn?t put much effort into it (I already had a working
> solution with vpntracker). I?ve thought about circling back and trying
> again, but I haven?t gotten there yet.
>
>
> On Mar 24, 2014, at 6:22 PM, Skeeve Stevens <
> skeeve+junipernsp at eintellegonetworks.com> wrote:
>
> > Have you tried with the built-in client?
> >
> >
> > ...Skeeve
> >
> > Skeeve Stevens - eintellego Networks Pty Ltd
> > skeeve at eintellegonetworks.com ; www.eintellegonetworks.com
> > Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> > facebook.com/eintellegonetworks ; linkedin.com/in/skeeve
> > twitter.com/theispguy ; blog: www.theispguy.com
> >
> > The Experts Who The Experts Call
> > Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
> >
> >
> > On Tue, Mar 25, 2014 at 12:18 PM, Louis Kowolowski <
> louisk at cryptomonkeys.org> wrote:
> > I have osx connecting to an srx over ipsec using vpntracker. It works
> quite well.
> > junos 12.1X46-D10.2
> > osx 10.9.x
> > vpntracker 7
> >
> >
> > On Mar 24, 2014, at 3:57 PM, Skeeve Stevens <
> skeeve+junipernsp at eintellegonetworks.com> wrote:
> >
> >> Any other way to get OSX/mobile devices, etc to connect to an SRX VPN?
> >> PPTP? IPSEC?
> >>
> >>
> >> ...Skeeve
> >>
> >> *Skeeve Stevens - *eintellego Networks Pty Ltd
> >> skeeve at eintellegonetworks.com ; www.eintellegonetworks.com
> >>
> >> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> >>
> >> facebook.com/eintellegonetworks ;  <http://twitter.com/networkceoau>
> >> linkedin.com/in/skeeve
> >>
> >> twitter.com/theispguy ; blog: www.theispguy.com
> >>
> >>
> >> The Experts Who The Experts Call
> >> Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
> >>
> >>
> >> On Tue, Mar 25, 2014 at 9:54 AM, Andrew Jones <aj at jonesy.com.au> wrote:
> >>
> >>> I've been told that they have no plans to support OSX on Dynamic VPN. I
> >>> got the impression that Juniper weren't investing in the Dynamic VPN
> >>> product and were pushing people toward MAG etc.
> >>>
> >>> From http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436
> >>>
> >>> The Dynamic VPN feature (Pulse or Juniper Access Manager) is not
> supported
> >>> on the following Operating Systems:
> >>> * Linux
> >>> * Macintosh Desktop Systems including Pulse 3.0 (for more information,
> >>> refer to KB23960 - [SRX] Junos Pulse 3.0 installed on a Mac OS X system
> >>> fails to connect to a SRX device with the dynamic VPN feature).
> >>> * Windows Server
> >>> * iPad/iPhone
> >>> * Android OS
> >>>
> >>>
> >>> On 25.03.2014 09:46, Skeeve Stevens wrote:
> >>>
> >>>> What THE HELL?!
> >>>>
> >>>> Documentation on this?
> >>>>
> >>>> Thanks Chris.
> >>>>
> >>>>
> >>>> ...Skeeve
> >>>>
> >>>> *Skeeve Stevens - *eintellego Networks Pty Ltd
> >>>> skeeve at eintellegonetworks.com ; www.eintellegonetworks.com
> >>>>
> >>>> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> >>>>
> >>>> facebook.com/eintellegonetworks ;  <http://twitter.com/networkceoau>
> >>>> linkedin.com/in/skeeve
> >>>>
> >>>> twitter.com/theispguy ; blog: www.theispguy.com
> >>>>
> >>>>
> >>>> The Experts Who The Experts Call
> >>>> Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
> >>>>
> >>>>
> >>>> On Tue, Mar 25, 2014 at 5:36 AM, Chris Jones <ipv6freely at gmail.com>
> >>>> wrote:
> >>>>
> >>>> I don't know if this matters to you, but Pulse does not work in OSX or
> >>>>> iOS/Android when connecting to a SRX with Dynamic VPN. It only works
> in
> >>>>> Windows. Just a caveat if you weren't already aware.
> >>>>>
> >>>>>
> >>>>> On Mon, Mar 24, 2014 at 12:21 AM, Skeeve Stevens <
> >>>>> skeeve+junipernsp at eintellegonetworks.com> wrote:
> >>>>>
> >>>>> Hey all,
> >>>>>>
> >>>>>> I am setting up an SRX with Dynamic VPN with Pulse clients..... I
> know
> >>>>>> some
> >>>>>> don't like it, but it is what we're doing (customer choice).
> >>>>>>
> >>>>>> One thing I am looking for is if anyone has seen any docs on how to
> >>>>>> integrate the Dynamic VPN auth with Active Directory.
> >>>>>>
> >>>>>> Also, does anyone know what flexibility we have with the VPN on a
> per
> >>>>>> use
> >>>>>> basis... such as different IP ranges, different VRF's, firewall
> filters,
> >>>>>> etc etc based against those AD groups.
> >>>>>>
> >>>>>> While this is for a specific rollout, it would be nice to know these
> >>>>>> capabilities across the board for other solutions.
> >>>>>>
> >>>>>> Any pointers to any docs would be fantastic.  I've tried googling,
> but
> >>>>>> came
> >>>>>> up blah.
> >>>>>>
> >>>>>> ...Skeeve
> >>>>>>
> >>>>>> *Skeeve Stevens - *eintellego Networks Pty Ltd
> >>>>>> skeeve at eintellegonetworks.com ; www.eintellegonetworks.com
> >>>>>>
> >>>>>> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> >>>>>>
> >>>>>> facebook.com/eintellegonetworks ;  <http://twitter.com/networkceoau
> >
> >>>>>> linkedin.com/in/skeeve
> >>>>>>
> >>>>>> twitter.com/theispguy ; blog: www.theispguy.com
> >>>>>>
> >>>>>>
> >>>>>> The Experts Who The Experts Call
> >>>>>> Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
> >>>>>> _______________________________________________
> >>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Chris Jones
> >>>>> JNCIE-ENT #272
> >>>>> CCIE# 25655 (R&S)
> >>>>>
> >>>>> _______________________________________________
> >>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>>
> >>>
> >>> _______________________________________________
> >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> >
> > --
> > Louis Kowolowski                                louisk at cryptomonkeys.org
> > Cryptomonkeys:
> http://www.cryptomonkeys.com/
> >
> > Making life more interesting for people since 1977
> >
> >
>
>
> --
> Louis Kowolowski                                louisk at cryptomonkeys.org
> Cryptomonkeys:
> http://www.cryptomonkeys.com/
>
> Making life more interesting for people since 1977
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 630 bytes
> Desc: Message signed with OpenPGP using GPGMail
> URL: <
> https://puck.nether.net/pipermail/juniper-nsp/attachments/20140324/1c8cd860/attachment-0001.sig
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> ------------------------------
>
> End of juniper-nsp Digest, Vol 136, Issue 35
> ********************************************
>


More information about the juniper-nsp mailing list