Juniper SRX (Junos OS) SRX100/SRX210: the alarm LED lights red after restoring the factory configuration


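The Alarm LED on the front panel of the SRX210 (SRX100) lights red in any of the following situations:
1. The unit is newly purchased.
2. The Reset Config button has been used to restore the device to factory settings.
3. The partition option was added or selected during a JUNOS operating system upgrade, for example: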
root@srx100> request system software add <filename.tgz> no-copy no-validate reboot partition
4. JUNOS was upgraded from the bootloader, for example:
loader> install tftp://192.168.1.11/junos-srxsme-12.1X46-D65.4-domestic.tgz

A quick Google search showed that autorecovery was the cause.

After a factory reset, the front-panel status LED on the Juniper SRX100/210 lights red. Entering the following command resolves the problem immediately and turns the status LED green.
root@srx100> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
root@srx100>

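The messages show that it saves recovery information of three types: config, licenses, and BSD label.
So what does the request system autorecovery state save command actually do?
JUNOS OS requires us to run it in order to protect important files; until it has been run, the device keeps its red LED lit.
Its effect is as already described: if you accidentally delete a protected file, the file is restored during the next reboot.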

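Command description:
It saves the current state of the disk partitioning, the system configuration, and the software licenses, so that they can be checked on every reboot and any changes automatically recovered.
Data is backed up only when the request system autorecovery state save command is run.
Running the command generates a new rescue configuration. Any existing rescue configuration is overwritten.
The running JUNOS OS configuration is saved as the JUNOS rescue configuration; from then on, every reboot recovers the saved rescue configuration, licenses, and disk partitioning information.
Any recovery performed at a later stage restores the data to its state at the time the save command was run.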


To view the autorecovery state, run: root> show system autorecovery state
To clear the autorecovery state, run: root> request system autorecovery state clear
To recover the autorecovery state, run: root> request system autorecovery state recover


Which files does it protect? The following command lists them.
Before request system autorecovery state save has been run:
root@srx100> show system autorecovery state | no-more
Configuration:
  File             Recovery Information    Integrity Check    Action / Status
  rescue.conf.gz   Not Saved               Not checked        Requires save
Licenses:
  File             Recovery Information    Integrity Check    Action / Status
  JUNOS221719.lic  Not Saved               Not checked        Requires save
  JUNOS333336.lic  Not Saved               Not checked        Requires save
  JUNOS333337.lic  Not Saved               Not checked        Requires save
  JUNOS333338.lic  Not Saved               Not checked        Requires save
  JUNOS333339.lic  Not Saved               Not checked        Requires save
  JUNOS333340.lic  Not Saved               Not checked        Requires save
  JUNOS372087.lic  Not Saved               Not checked        Requires save
  JUNOS372088.lic  Not Saved               Not checked        Requires save
  JUNOS985375.lic  Not Saved               Not checked        Requires save
  JUNOS985376.lic  Not Saved               Not checked        Requires save
  JUNOS985377.lic  Not Saved               Not checked        Requires save
  JUNOS985378.lic  Not Saved               Not checked        Requires save
  JUNOS985379.lic  Not Saved               Not checked        Requires save
  JUNOS985380.lic  Not Saved               Not checked        Requires save
  JUNOS985381.lic  Not Saved               Not checked        Requires save
BSD Labels:
  Slice            Recovery Information    Integrity Check    Action / Status
  s1               Not Saved               Not checked        Requires save
  s2               Not Saved               Not checked        Requires save
  s3               Not Saved               Not checked        Requires save
  s4               Not Saved               Not checked        Requires save
root@srx100>


After request system autorecovery state save has been run:
root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information

root@srx100> show system autorecovery state | no-more
Configuration:
  File             Recovery Information    Integrity Check    Action / Status
  rescue.conf.gz   Saved                   Passed             None
Licenses:
  File             Recovery Information    Integrity Check    Action / Status
  JUNOS221719.lic  Saved                   Passed             None
  JUNOS333336.lic  Saved                   Passed             None
  JUNOS333337.lic  Saved                   Passed             None
  JUNOS333338.lic  Saved                   Passed             None
  JUNOS333339.lic  Saved                   Passed             None
  JUNOS333340.lic  Saved                   Passed             None
  JUNOS372087.lic  Saved                   Passed             None
  JUNOS372088.lic  Saved                   Passed             None
  JUNOS985375.lic  Saved                   Passed             None
  JUNOS985376.lic  Saved                   Passed             None
  JUNOS985377.lic  Saved                   Passed             None
  JUNOS985378.lic  Saved                   Passed             None
  JUNOS985379.lic  Saved                   Passed             None
  JUNOS985380.lic  Saved                   Passed             None
  JUNOS985381.lic  Saved                   Passed             None
BSD Labels:
  Slice            Recovery Information    Integrity Check    Action / Status
  s1               Saved                   Passed             None
  s2               Saved                   Passed             None
  s3               Saved                   Passed             None
  s4               Saved                   Passed             None
root@srx100>
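
The state table above lends itself to an automated check, for example after an upgrade or a factory reset. The following is an added example, not part of the original post: a Python parser for the output format shown above that lists every protected item not in the Saved / Passed / None state. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the format shown above, with one license left unsaved.
SAMPLE = """\
root@srx100> show system autorecovery state | no-more
Configuration:
  File             Recovery Information    Integrity Check    Action / Status
  rescue.conf.gz   Saved                   Passed             None
Licenses:
  File             Recovery Information    Integrity Check    Action / Status
  JUNOS221719.lic  Saved                   Passed             None
  JUNOS985375.lic  Not Saved               Not checked        Requires save
BSD Labels:
  Slice            Recovery Information    Integrity Check    Action / Status
  s1               Saved                   Passed             None
  s2               Saved                   Passed             None
root@srx100>
"""

def parse_autorecovery_state(text):
    """Return one dict per protected item (hypothetical helper)."""
    rows, section = [], None
    for line in text.splitlines():
        if not line.strip() or "@" in line.split()[0]:
            continue  # skip blank lines and CLI prompt lines
        if not line.startswith(" "):
            section = line.strip().rstrip(":")  # "Configuration", "Licenses", ...
            continue
        # Columns are separated by 2+ spaces; values like "Not Saved" contain one.
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 4 or cols[1] == "Recovery Information":
            continue  # header row or unexpected line
        rows.append(dict(section=section, item=cols[0], recovery=cols[1],
                         integrity=cols[2], action=cols[3]))
    return rows

def needs_attention(rows):
    """Items whose state is anything other than Saved / Passed / None."""
    ok = ("Saved", "Passed", "None")
    return [r for r in rows
            if (r["recovery"], r["integrity"], r["action"]) != ok]

if __name__ == "__main__":
    for r in needs_attention(parse_autorecovery_state(SAMPLE)):
        print(f'{r["section"]}: {r["item"]} -> {r["action"]}')
```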






The following demonstrates a practical use of the request system autorecovery state command:


How to delete expired SRX Kaspersky AV licenses
The expired paid software licenses are the ones inside the red box in the figure below:


Once a paid software license has expired, the system keeps writing the following messages to the system log:
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333336" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333337" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333338" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333339" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333340" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS372087" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS372088" has expired.
With the messages becoming unbearable, we reluctantly deleted the licenses by hand (as shown in the figure).




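We assumed that was the end of it, but after booting the next day the same messages appeared in the system log again. We checked the license information and found that the deleted licenses had come back. In the spirit of experiment we deleted them again, and after a reboot they were back again. We persisted and deleted them once more, and the result after rebooting was the same, except that this time we noticed the following messages on the console during boot: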
Checking integrity of licenses:
  JUNOS221719.lic: Passed
  JUNOS333336.lic: Failed
  JUNOS333336.lic: Performing recovery
  JUNOS333336.lic: Recovered
  JUNOS333337.lic: Failed
  JUNOS333337.lic: Performing recovery
  JUNOS333337.lic: Recovered
  JUNOS333338.lic: Failed
  JUNOS333338.lic: Performing recovery
  JUNOS333338.lic: Recovered
  JUNOS333339.lic: Failed
  JUNOS333339.lic: Performing recovery
  JUNOS333339.lic: Recovered
  JUNOS333340.lic: Failed
  JUNOS333340.lic: Performing recovery
  JUNOS333340.lic: Recovered
  JUNOS372087.lic: Failed
  JUNOS372087.lic: Performing recovery
  JUNOS372087.lic: Recovered
  JUNOS372088.lic: Failed
  JUNOS372088.lic: Performing recovery
  JUNOS372088.lic: Recovered
  JUNOS985375.lic: Passed
  JUNOS985376.lic: Passed
  JUNOS985377.lic: Passed
  JUNOS985378.lic: Passed
  JUNOS985379.lic: Passed
  JUNOS985380.lic: Passed
  JUNOS985381.lic: Passed
Checking integrity of configuration:
  rescue.conf.gz: Passed
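We seemed to have found the cause! A quick search online showed that autorecovery was responsible.
After a factory reset, the front-panel status LED on the Juniper SRX100/210 lights red. Entering the following command resolves the problem immediately and turns the status LED green.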
root@srx100> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
root@srx100>
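The messages show that it saves recovery information of three types: config, licenses, and BSD label.
So what does this command do?
JUNOS OS requires us to run it in order to protect important files; until it has been run, the device keeps its red LED lit. Its effect is as already described: if you accidentally delete a protected file, the file is restored during the next reboot.
Which files does it protect? The following command lists them: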
root@srx100> show system autorecovery state | no-more
Configuration:
  File             Recovery Information    Integrity Check    Action / Status
  rescue.conf.gz   Saved                   Passed             None
Licenses:
  File             Recovery Information    Integrity Check    Action / Status
  JUNOS221719.lic  Saved                   Passed             None
  JUNOS333336.lic  Saved                   Passed             None
  JUNOS333337.lic  Saved                   Passed             None
  JUNOS333338.lic  Saved                   Passed             None
  JUNOS333339.lic  Saved                   Passed             None
  JUNOS333340.lic  Saved                   Passed             None
  JUNOS372087.lic  Saved                   Passed             None
  JUNOS372088.lic  Saved                   Passed             None
  JUNOS985375.lic  Saved                   Passed             None
  JUNOS985376.lic  Saved                   Passed             None
  JUNOS985377.lic  Saved                   Passed             None
  JUNOS985378.lic  Saved                   Passed             None
  JUNOS985379.lic  Saved                   Passed             None
  JUNOS985380.lic  Saved                   Passed             None
  JUNOS985381.lic  Saved                   Passed             None
BSD Labels:
  Slice            Recovery Information    Integrity Check    Action / Status
  s1               Saved                   Passed             None
  s2               Saved                   Passed             None
  s3               Saved                   Passed             None
  s4               Saved                   Passed             None
root@srx100>

So how do we delete the expired paid software licenses? First we run the following command:
root@srx100> request system autorecovery state ?
Possible completions:
  clear                Delete previously saved autorecovery state
  recover              Check for problems and recover state if needed
  save                 Save autorecovery state
root@srx100>
So besides save there are also clear and recover, three options in total. We run the clear option first:
root@srx100> request system autorecovery state clear
Clearing config recovery information
Clearing license recovery information
Clearing bsdlabel recovery information
root@srx100>
We check the state again:
root@srx100> show system autorecovery state | no-more
Configuration:
  File             Recovery Information    Integrity Check    Action / Status
  rescue.conf.gz   Not Saved               Not checked        Requires save
Licenses:
  File             Recovery Information    Integrity Check    Action / Status
  JUNOS221719.lic  Not Saved               Not checked        Requires save
  JUNOS333336.lic  Not Saved               Not checked        Requires save
  JUNOS333337.lic  Not Saved               Not checked        Requires save
  JUNOS333338.lic  Not Saved               Not checked        Requires save
  JUNOS333339.lic  Not Saved               Not checked        Requires save
  JUNOS333340.lic  Not Saved               Not checked        Requires save
  JUNOS372087.lic  Not Saved               Not checked        Requires save
  JUNOS372088.lic  Not Saved               Not checked        Requires save
  JUNOS985375.lic  Not Saved               Not checked        Requires save
  JUNOS985376.lic  Not Saved               Not checked        Requires save
  JUNOS985377.lic  Not Saved               Not checked        Requires save
  JUNOS985378.lic  Not Saved               Not checked        Requires save
  JUNOS985379.lic  Not Saved               Not checked        Requires save
  JUNOS985380.lic  Not Saved               Not checked        Requires save
  JUNOS985381.lic  Not Saved               Not checked        Requires save
BSD Labels:
  Slice            Recovery Information    Integrity Check    Action / Status
  s1               Not Saved               Not checked        Requires save
  s2               Not Saved               Not checked        Requires save
  s3               Not Saved               Not checked        Requires save
  s4               Not Saved               Not checked        Requires save
root@srx100>




This approach looked workable, so we went ahead and deleted the unwanted licenses (see the figure at the start of this section).
root@PayDay# run show system license    <--This will give you the information regarding licenses
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  j-flow                                0            1           0    permanent
  bgp-reflection                        0            1           0    permanent

Licenses installed:
  License identifier: JUNOS201481 <--This is the license identifier
  License version: 2
  Valid for device: JN10E8E75ADD
  Features:
    bgp-reflection   - Border Gateway Protocol route reflection
      permanent
    j-flow           - J-FLOW traffic analysis (CFLOW reporting)
      permanent

root@PayDay> request system license delete JUNOS201481    <--This will remove the license

After the deletion we check the state again:
root@srx100> show system autorecovery state | no-more
Configuration:
  File             Recovery Information    Integrity Check    Action / Status
  rescue.conf.gz   Not Saved               Not checked        Requires save
Licenses:
  File             Recovery Information    Integrity Check    Action / Status
  JUNOS221719.lic  Not Saved               Not checked        Requires save
  JUNOS985375.lic  Not Saved               Not checked        Requires save
  JUNOS985376.lic  Not Saved               Not checked        Requires save
  JUNOS985377.lic  Not Saved               Not checked        Requires save
  JUNOS985378.lic  Not Saved               Not checked        Requires save
  JUNOS985379.lic  Not Saved               Not checked        Requires save
  JUNOS985380.lic  Not Saved               Not checked        Requires save
  JUNOS985381.lic  Not Saved               Not checked        Requires save
BSD Labels:
  Slice            Recovery Information    Integrity Check    Action / Status
  s1               Not Saved               Not checked        Requires save
  s2               Not Saved               Not checked        Requires save
  s3               Not Saved               Not checked        Requires save
  s4               Not Saved               Not checked        Requires save
root@srx100>

Finally we run the save option again:
root@srx100> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
root@srx100>

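After several reboot tests, the expired licenses deleted with the steps above no longer came back, which I found genuinely moving...

For how to delete an expired license key, see the following link:

The steps for deleting expired paid software licenses can be summarized as follows: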
show system license
show system autorecovery state
request system autorecovery state clear
request system license delete JUNOS201481
show system autorecovery state
request system autorecovery state save
show system autorecovery state
show system license
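
To decide which licenses need the clear / delete / save sequence above, the boot-console integrity messages can be matched against the LICENSE_EXPIRED_KEY_DELETED syslog entries. The following is an added example, not part of the original post: it separates licenses that were restored at boot and are known to be expired from licenses that were restored without being expired, which means a protected file changed for some other reason and deserves a closer look. The function names and sample text are constructed for illustration.

```python
import re

# Constructed samples in the formats shown in the post.
SYSLOG = """\
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333336" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS372087" has expired.
"""
BOOT_CONSOLE = """\
Checking integrity of licenses:
  JUNOS221719.lic: Passed
  JUNOS333336.lic: Failed
  JUNOS333336.lic: Performing recovery
  JUNOS333336.lic: Recovered
  JUNOS372087.lic: Passed
  JUNOS985375.lic: Failed
  JUNOS985375.lic: Performing recovery
  JUNOS985375.lic: Recovered
Checking integrity of configuration:
  rescue.conf.gz: Passed
"""

def expired_keys(syslog):
    """License identifiers reported as expired in syslog."""
    pat = r'LICENSE_EXPIRED_KEY_DELETED: License key "([^"]+)" has expired'
    return set(re.findall(pat, syslog))

def recovered_items(console):
    """Map each 'Checking integrity of X' section to the items restored at boot."""
    out, section = {}, None
    for line in console.splitlines():
        m = re.match(r"Checking integrity of (\w+):", line)
        if m:
            section = m.group(1)
            out[section] = []
            continue
        m = re.match(r"\s+(\S+): Recovered$", line)
        if m and section:
            out[section].append(m.group(1))
    return out

def triage(syslog, console):
    """Return (expired and restored, restored but not expired) license ids."""
    expired = expired_keys(syslog)
    files = recovered_items(console).get("licenses", [])
    restored = [f[:-4] if f.endswith(".lic") else f for f in files]
    return ([k for k in restored if k in expired],
            [k for k in restored if k not in expired])
```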

At this point, however, the front panel was still showing a red LED, so we ran the following command:
root@srx100> show system alarms
2 alarms currently active
Alarm time               Class  Description
2018-04-01 12:44:21 UTC  Minor  Anti-Spam usage requires a license
2018-04-01 12:44:13 UTC  Minor  Kaspersky AV usage requires a license
root@srx100>

On inspection, the UTM statements for Kaspersky AV and related features were still present in the system configuration, as follows:
security {
    utm {
        feature-profile {
            anti-virus {
                type kaspersky-lab-engine;
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {
                            admin-email "admin@juniper.net";
                            custom-message "Pattern UPDATE Done";
                            custom-message-subject "AV UPDATE COMPLETE";
                        }
                        url http://update.juniper-updates.net/AV/SRX240;
                        interval 120;
                    }
                }
            }
        }
        utm-policy custom-utm-policy {
            anti-virus {
                http-profile junos-av-defaults;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy web-access {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        application-services {
                            utm-policy custom-utm-policy;
                        }
                    }
                }
            }
        }
    }
}

So we ran the following commands to delete them:
root@srx100# delete security utm
root@srx100# delete security policies from-zone trust to-zone untrust policy web-access
root@srx100# commit
At last the front panel returned to normal and the LED turned green!

Done!


