OPNSense as a VPN server

I recently posted about using a Raspberry Pi 3 as an OpenVPN server. It worked great, but I had some issues that I was still trying to fix (at least at the time of this writing). Basically, I could not get Internet access working properly: it works, but I can only reach some websites or IP addresses.

Therefore, I tried to find some other alternatives that would let me VPN in using my laptops (macOS or Linux) and/or mobile devices (iPad/iPhone or Android). I found the PFsense and OPNsense firewalls. I already have a firewall, so this post is mainly about remote access VPN. Basically, the sole purpose of this OPNsense/PFsense virtual appliance is to be my SSL VPN concentrator.

I am running this VM on my HP N54L micro server just in case you are wondering.

Here is the network topology:

Figure 1

I am assuming that you have OPNsense/PFsense installed and are able to access its webUI. Also, since this is for home use, I use DDNS instead of my dynamic public IP. There are DDNS providers that offer free accounts – I use no-ip.

Make sure that you have at least two interfaces – one for the WAN (em0) and the other (em1) for management.

This is optional – by default, OPNsense/PFsense will create firewall rules and outbound NAT. In this post, I will be disabling the outbound NAT, since I don’t want to NAT my VPN traffic from the OPNsense to my network. Also, I will create my own firewall rules.

If you do not want to do what I described in the paragraph above, then you are done once you finish the sections from the beginning through OpenVPN Server; there is no need to continue with the Firewall Rules and Network Address Translation part of this guide.

Make sure that you are forwarding (destination NAT) the port 1194/udp from the Internet inbound to your OPNsense/PFsense firewall. Otherwise, it is not going to work.

Dynamic DNS

Let’s get started – log in to the OPNsense webUI.
Navigate to Services > DNS Tools > DynDNS > Add
When done click on Save. This will take a few seconds.

Enter all necessary information – see Figure 2

Figure 2

Networking

Navigate to System > Gateway > All > Add gateway
Select the WAN interface
Give it a Name
Enter the default gateway IP address in the Gateway field
Check the Default Gateway
Click Save and then Apply changes

Figure 3

Navigate to System > Settings > General
Make sure that you update the timezone

Figure 4

Scroll down and set the DNS servers and select Use gateway from the drop-down menu
Uncheck the Allow DNS server list to be overridden by DHCP/PPP on WAN
Click Save and Apply

Figure 5

Navigate to Interfaces > [WAN]
Then uncheck the Block private networks
Leave the Block bogon networks checked
Set the IPv4 Configuration Type to Static IPv4

Figure 6

Scroll down and give the WAN interface a static IP and select the IPv4 Upstream Gateway that was set up earlier.
Click Save when done.

Figure 7

Navigate to Interfaces > [LAN]
Set the IPv4 Configuration Type to Static IPv4

Figure 8

Scroll down and give the interface a static IP for management access

Figure 9

OpenVPN Package

We need to download the OpenVPN package. Navigate to System > Firmware > Packages
Select the openvpn23 reinstall icon (the one that looks like a recycle icon)

Figure 10

Certificates

We need to create the CA certificate and the OpenVPN server certificate. Navigate to System > Trust > Authorities > Add or import CA
Ensure you select ‘Create an internal Certificate Authority’ from the Method drop-down menu.
Enter the necessary information as shown in Figures 11 and 12, then click Save

Figure 11

Figure 12

To create the OpenVPN server certificate, navigate to System > Trust > Certificates > Add or import certificates

  1. Ensure you select ‘Create an internal Certificate’ from the Method drop-down menu
  2. Under the Certificate authority drop-down menu, select the CA that was created earlier
  3. The Type should be Server Certificate

Figure 13

VPN Users

Now, we need to create the VPN users.
Navigate to System > Access > Users
Click the + symbol to add a user

Figure 14

Enter only the following:

  • Username
  • Password
  • Expiration (optional)
  • Make sure that you put a check mark on Certificate  > Click to create a user certificate

Figure 15

Figure 16

Since you checked Click to create a user certificate, clicking Save will take you automatically to System > Trust > Certificates

From here, make sure that you change the Method to Create an internal certificate.
It should auto-populate the rest of the fields for you. All you need to do is click Save

Figure 17

After clicking Save, it will bring you back to the user creation page (Figure 15 and Figure 16). From here, just click Save

OpenVPN Server

Now we need to create the OpenVPN server. Navigate to VPN > OpenVPN > Servers > Add server

Under General Information, set the Server Mode to Remote Access (SSL/TLS). The rest of the information should be automatically populated.

Figure 18

Under the Cryptographic Settings, make sure to select the OpenVPN server certificate that was created earlier from the Server Certificate drop-down menu.
The rest of the fields should already be auto-populated, but modify them if needed for better security, as shown below

Figure 19

Under the Tunnel Settings, do the following:

  1. IPv4 Tunnel Network – this is the IP pool from which the VPN users get their IP addresses
  2. IPv4 Local Network – these are the resources that the VPN users will have access to. You can add multiple subnets separated by commas
  3. Redirect Gateway – enabling this will remove the IPv4 Local Network and send all the traffic through the VPN tunnel
    1. You probably guessed it already: leaving ‘Redirect Gateway’ disabled keeps the VPN in split tunneling mode (this is the default)
  4. Concurrent connections – this is the number of connections allowed to the VPN server
  5. Compression – should be set to Enable with Adaptive Compression

Figure 20
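For readers who want to see what the Tunnel Settings and Client Settings above correspond to in OpenVPN’s own configuration syntax, here is a hand-written server-side equivalent. It is an added example, not the configuration OPNsense generates; the pool, local subnets, DNS server, client limit and file names are assumptions.

```conf
# Hand-written OpenVPN server fragment mirroring the GUI fields above.
# All addresses and file names are placeholders, not OPNsense output.
proto udp
port 1194
dev tun

# IPv4 Tunnel Network: the pool VPN users draw their addresses from
server 10.8.0.0 255.255.255.0
# Topology: "subnet" hands each client one address from that pool
topology subnet

# IPv4 Local Network: each subnet entered in the GUI becomes one push "route"
# line, so the client only tunnels traffic for these networks (split tunnel)
push "route 192.168.9.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"

# Redirect Gateway: enabling it replaces the routes above with this line,
# sending all client traffic through the tunnel
#push "redirect-gateway def1"

# Concurrent connections
max-clients 5

# Compression: "Enable with Adaptive Compression"
comp-lzo adaptive

# Client Settings: Dynamic IP lets a client keep its session when its
# source address changes; DNS Servers are pushed as dhcp-option
float
push "dhcp-option DNS 192.168.9.1"

# Cryptographic Settings: CA and server certificate from System > Trust
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
```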

Under Client Settings, check the following: Dynamic IP, Address Pool, and Topology. Check DNS Servers if you have preferred DNS servers, as shown in Figure 21

Figure 21

Under Advanced Configuration,

Figure 22

At this point, everything is good to go. What is missing is exporting the user profiles. Navigate to VPN > OpenVPN > Client Export

  1. Select the OpenVPN server you have created from the Remote Access Server drop-down menu. If you created just one server, then it should already be selected
  2. Select the DDNS that was created at the beginning of this post from the Host Name Resolution drop-down menu
  3. Leave everything as is. Scroll down to the bottom and you will see the users you have created
  4. Select the type of profile you will need for the user in the Export column

Firewall Rules and Network Address Translation

I am going to disable the outbound NAT and create my own firewall rules. Note that before I disabled NAT, I already had a static route for the OpenVPN subnet with the next-hop IP of the WAN interface of the OPNsense.

To disable source NAT (outbound NAT), navigate to Firewall > NAT > Outbound
Select the Disable outbound NAT rule generation then click Save

Figure 23

The firewall rule is very simple. It is just an inbound rule on the WAN interface. Basically, all you need is the second line. I have the third line because I created two OpenVPN servers for two different purposes.

Figure 24

These are the OpenVPN firewall rules. I disabled the default ‘allow all’ rule and created several rules for specific needs.

Figure 25

I believe this is it. Hope you find this helpful. Cheers!!!

OpenVPN and Raspberry Pi 3 – part 1

I used to use the remote access VPN that came with my SRX100 and now SRX300. However, it is limited to two users only. I need more than two users. I thought of using the Raspberry Pi and OpenVPN since OpenVPN can be used on most platforms – Windows, MacOS (or OSX), Linux, and mobile devices such as Android, and iOS.

Another issue I found was that on iOS devices I could not VPN in to my SRX via the Pulse Secure app. I kept getting this whenever I tried to VPN in.

Figure 1

There are times that I don’t have a laptop with me. Therefore, access using my phone is important. It seems like OpenVPN meets my requirements for home VPN.

I am going to split this post into two.

  • Part 1 – configuring OpenVPN on a Raspberry Pi 3 and setting up Destination NAT on the Juniper SRX
  • Part 2 – configuring OpenVPN on the clients (Ubuntu, OSX, iOS)

Let’s get started:

The installation is pretty simple thanks to pivpn. I would highly recommend that, if your public IP is dynamic, you choose Use a public DNS and then enter your hostname. I used the no-ip service for mine. Anyway, the script is pretty straightforward. The issue now is the Pi’s iptables. By default, OpenVPN is not allowed. This guide will help you configure the iptables.

If you follow those two guides, your Pi should be good to go. Now we need to configure the SRX to allow inbound traffic from anywhere on the Internet to the Pi via Destination NAT / port forwarding.

SSH to the SRX, and create an application for the OpenVPN ports. OpenVPN uses 1194/udp.

Example 1

set applications application OPENVPN-APP term UDP-1194 protocol udp
set applications application OPENVPN-APP term UDP-1194 destination-port 1194

Create a destination NAT pool

Example 2

set security nat destination pool untrust_TO_PI-OPENVPN address 192.168.9.2/32
set security nat destination pool untrust_TO_PI-OPENVPN address port 1194

Then create a rule-set for inbound traffic.

Example 3

set security nat destination rule-set DST-NAT from zone untrust
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN description "OPEN VPN DESTINATION NAT"
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN match destination-address 1.1.1.1/32
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN match destination-port 1194
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN then destination-nat pool untrust_TO_PI-OPENVPN

The Destination NAT is created. We need to create a policy to allow the inbound traffic. Let’s start with creating an address-book

Example 4

set security address-book global address PI-OPENVPN-BOOK 192.168.9.2/32

Then an inbound security policy

Example 5

set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN description "INBOUND TRAFFIC FROM untrust TO PI-OPENVPN VIA PORT 1194"
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match source-address any
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match destination-address PI-OPENVPN-BOOK
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match application OPENVPN-APP
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN then permit

At this point, you should be able to VPN in. However, do not test the VPN from inside your LAN. This will not work, because when you were configuring your Pi VPN you specified your public IP or DDNS name; therefore, your .ovpn profile shows your public IP as the destination. If you really want to VPN in from your LAN, you would need to configure the SRX with U-turn NAT, but that’s going to be for another discussion.

Now, you would need to create a security policy to allow the VPN users to reach the internal destination.

Example 6

set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN description "ALLOW DYNAMIC VPN TO REACH THE TRUST ZONE RESOURCES"
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match source-address any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match destination-address any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match application any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN then permit

The last part is to tell the SRX that you have a new network, 10.8.0.0/24. By default, OpenVPN uses 10.8.0.0/24 for the VPN users. You may be able to send traffic to your destination, but the SRX does not know how to get to 10.8.0.0/24. Add a static route with the Pi as the next hop.

Example 7

set routing-options static route 10.8.0.0/24 next-hop 192.168.9.2
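Example 6 matches source-address any, so anything that arrives in VPN-ZONE is permitted into trust. As an added tightening (my addition, not from the original post), the configuration below creates an address-book entry for the OpenVPN pool 10.8.0.0/24 that the static route above already describes, and a policy that matches only that pool, with session logging; OPENVPN-POOL-BOOK and DYN-USERS_TO_TRUST are names I chose.

```junos
## Added example: only the OpenVPN pool may cross from VPN-ZONE into trust.
## OPENVPN-POOL-BOOK and DYN-USERS_TO_TRUST are names chosen here, not from the post.
set security address-book global address OPENVPN-POOL-BOOK 10.8.0.0/24

set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_TRUST description "ALLOW OPENVPN POOL TO REACH THE TRUST ZONE RESOURCES"
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_TRUST match source-address OPENVPN-POOL-BOOK
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_TRUST match destination-address any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_TRUST match application any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_TRUST then permit
## Log each new session so VPN-user access to trust is visible in syslog
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_TRUST then log session-init

## Retire the any-source policy from Example 6 once the narrower one is committed;
## policies are evaluated in order, so leaving it in place would keep matching first
delete security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN
```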

That’s about it.

Cheers

 

ExpressVPN on Linux

I tried to install ExpressVPN on my Ubuntu Gnome, and I was following the “how to” guide by ExpressVPN, and got some issues. Luckily I found this thread https://ubuntuforums.org/showthread.php?t=2342534

To view the server list, simply enter the following in terminal: expressvpn list

netshinobi@netshinobiug:~$ expressvpn list | less
ALIAS   COUNTRY                                  LOCATION                         RECOMMENDED
-----   ---------------                          ------------------------------   -----------
smart   Smart Location                           USA - New York                   Y
usny    United States (US)                       USA - New York                   Y
usla                                             USA - Los Angeles                Y
usch                                             USA - Chicago                    Y
usny2                                            USA - New York - 2 
...
...

Once you have selected your server, to connect enter the following: expressvpn connect <server-alias>

Let’s say that I want to connect to Atlanta

netshinobi@netshinobiug:~$ expressvpn connect usat
Connecting to USA - Atlanta... 100.0%
Connected.
netshinobi@netshinobiug:~$

To check the status of the VPN, type in: expressvpn status

netshinobi@netshinobiug:~$ expressvpn status
Connected to USA - Atlanta
netshinobi@netshinobiug:

To disconnect, just type in expressvpn disconnect

netshinobi@netshinobiug:~$ expressvpn disconnect 
Disconnecting...
Disconnected.
netshinobi@netshinobiug:~$

Or you can check the man page: man expressvpn

Cheers!

EIGRP with the same Router ID – part 2

This is the continuation of part 1. We are still going to be using the same topology – see Figure 1. We are going to lab scenario two, where R1 and R3 both have the same EIGRP router ID.

Figure 1

I have removed the router ID 1.1.1.1 on R2 using the command no eigrp router-id 1.1.1.1. R3 has a full neighbor relationship with R2, and R3 is receiving routes from R2. After fixing the router ID of R2, R2 is now accepting routes from R1 and advertising them to R3. Example 1 shows R3’s route table.

Example 1

R3#show ip route
...
      10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
D       10.0.1.0/24 [90/435200] via 10.0.23.2, 00:00:14, Ethernet1/1
D       10.0.2.0/24 [90/409600] via 10.0.23.2, 00:00:14, Ethernet1/1
C       10.0.3.0/24 is directly connected, Loopback0
L       10.0.3.1/32 is directly connected, Loopback0
D EX    10.0.10.0/24 [170/309760] via 10.0.23.2, 00:00:14, Ethernet1/1
D       10.0.12.0/24 [90/307200] via 10.0.23.2, 00:00:14, Ethernet1/1
D       10.0.20.0/24 [90/409600] via 10.0.23.2, 00:00:14, Ethernet1/1
C       10.0.23.0/24 is directly connected, Ethernet1/1
L       10.0.23.3/32 is directly connected, Ethernet1/1
C       10.0.30.0/24 is directly connected, Loopback1
L       10.0.30.1/32 is directly connected, Loopback1
R3#

As you can see, R3 is receiving the routes 10.0.1.0/24 and 10.0.10.0/24 from R1. R1 is also receiving R3 routes as shown in Example 2.

Example 2

R1#show ip route
...
     10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
C      10.0.1.0/24 is directly connected, Loopback0
L      10.0.1.1/32 is directly connected, Loopback0
D      10.0.2.0/24 [90/409600] via 10.0.12.2, 00:01:11, Ethernet1/0
D      10.0.3.0/24 [90/435200] via 10.0.12.2, 00:01:11, Ethernet1/0
C      10.0.10.0/24 is directly connected, Loopback1
L      10.0.10.1/32 is directly connected, Loopback1
C      10.0.12.0/24 is directly connected, Ethernet1/0
L      10.0.12.1/32 is directly connected, Ethernet1/0
D      10.0.20.0/24 [90/409600] via 10.0.12.2, 00:01:11, Ethernet1/0
D      10.0.23.0/24 [90/307200] via 10.0.12.2, 00:01:11, Ethernet1/0
D      10.0.30.0/24 [90/435200] via 10.0.12.2, 00:01:11, Ethernet1/0
R1#

I am going to change the router ID of R3 to 1.1.1.1 and see what happens. The configuration is in Example 3.

Example 3

R3#show run | sec router
router eigrp 1
 network 0.0.0.0
 eigrp router-id 1.1.1.1
R3#

In Example 4, R2 shows that it still has a neighbor relationship with both R1 and R3, despite both routers having the same RID.

Example 4

R2#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address             Interface       Hold Uptime     SRTT    RTO  Q   Seq
                                        (sec)           (ms)         Cnt Num
1   10.0.23.3           Et1/1             14 00:00:57     16    100   0   17
0   10.0.12.1           Et1/0             11 00:06:45     12    100   0   13
R2#

Example 5 shows the R1, R2 and R3 route tables. As you noticed, R1 lost all the routes from R3 (10.0.3.0/24 and 10.0.30.0/24) and R3 lost R1’s routes (10.0.1.0/24 and 10.0.10.0/24). However, R2 still has all the routes.

Example 5

R1#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D      10.0.2.0/24 [90/409600] via 10.0.12.2, 00:19:15, Ethernet1/0
D      10.0.20.0/24 [90/409600] via 10.0.12.2, 00:19:15, Ethernet1/0
D      10.0.23.0/24 [90/307200] via 10.0.12.2, 00:19:15, Ethernet1/0
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
D      10.0.1.0/24 [90/409600] via 10.0.12.1, 00:19:39, Ethernet1/0
D      10.0.3.0/24 [90/409600] via 10.0.23.3, 00:13:52, Ethernet1/1
D EX   10.0.10.0/24 [170/284160] via 10.0.12.1, 00:19:39, Ethernet1/0
D      10.0.30.0/24 [90/409600] via 10.0.23.3, 00:13:52, Ethernet1/1
R2#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R3#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D      10.0.2.0/24 [90/409600] via 10.0.23.2, 00:13:38, Ethernet1/1
D      10.0.12.0/24 [90/307200] via 10.0.23.2, 00:13:38, Ethernet1/1
D      10.0.20.0/24 [90/409600] via 10.0.23.2, 00:13:38, Ethernet1/1
R3#

Even though there is a router in the middle of R1 and R3, eigrp behaves the same way as it was in part 1. When the router sees its router ID in an update, it will not accept the update because it thinks that there is a loop in the network.

I removed the router ID 1.1.1.1 on R3, and put the router ID 1.1.1.1 back on R2. By doing this R1 lost R2 routes, but kept R3 routes. See Example 6 for R1, R2 and R3 route tables.

Example 6

R1#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
D      10.0.3.0/24 [90/435200] via 10.0.12.2, 00:07:07, Ethernet1/0
D      10.0.30.0/24 [90/435200] via 10.0.12.2, 00:07:07, Ethernet1/0
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
D      10.0.3.0/24 [90/409600] via 10.0.23.3, 00:07:40, Ethernet1/1
D      10.0.30.0/24 [90/409600] via 10.0.23.3, 00:07:40, Ethernet1/1
R2#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R3#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D     10.0.2.0/24 [90/409600] via 10.0.23.2, 00:08:07, Ethernet1/1
D     10.0.12.0/24 [90/307200] via 10.0.23.2, 00:08:07, Ethernet1/1
D     10.0.20.0/24 [90/409600] via 10.0.23.2, 00:08:07, Ethernet1/1
R3#

R1 accepted the routes (10.0.3.0/24 and 10.0.30.0/24) from R3 that are being advertised by R2 to R1. The reason R1 accepted these routes is that the updates generated by R3 do not have the 1.1.1.1 RID in them; therefore, R1 accepted the routes from R3 but ignores the route updates originated by R2 because of the duplicated RID.

R3 does not have R1 routes because R2 thinks R1 updates would cause a routing loop. Therefore, R2 will not install R1 updates to its route table and it will not pass it along to R3.

There you have it.

EIGRP with the Same Router ID – part 1

What could possibly go wrong with routers with the same EIGRP router ID (RID)?

Figure 1 below is the topology for this lab.

Figure 1

I am going to run two different scenarios. The first one is going to be a point-to-point between R1 and R2. The second scenario would be R1 and R3 will both have the same RID. We are going to examine what is going to happen if two routers in the topology have the same RID.

Let’s tackle scenario one. Example 1 below is the routing table of R1. At this point, everything is configured correctly. Example 2 is the EIGRP and interface config of R1.

Example 1

R1(config-if)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
 
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C       10.0.1.0/24 is directly connected, Loopback0
L       10.0.1.1/32 is directly connected, Loopback0
D       10.0.2.0/24 [90/409600] via 10.0.12.2, 00:02:11, Ethernet1/0
C       10.0.10.0/24 is directly connected, Loopback1
L       10.0.10.1/32 is directly connected, Loopback1
C       10.0.12.0/24 is directly connected, Ethernet1/0
L       10.0.12.1/32 is directly connected, Ethernet1/0
D       10.0.20.0/24 [90/409600] via 10.0.12.2, 00:02:02, Ethernet1/0
D       10.0.23.0/24 [90/307200] via 10.0.12.2, 00:02:17, Ethernet1/0
R1(config-if)#

Example 2

R1(config-if)#do show run | section router
router eigrp 1
 network 10.0.0.0
R1(config-if)#do show run int e1/0
!
interface Ethernet1/0
 ip address 10.0.12.1 255.255.255.0
 duplex full
end

R1(config-if)#do show run int lo0 
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
end

R1(config-if)#do show run int lo1
!
interface Loopback1
 ip address 10.0.10.1 255.255.255.0
end

Example 3 is the routing table of R2, and Example 4 is the EIGRP config and interfaces config of R2.

Example 3

R2#show ip route
Codes:   L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
         + - replicated route, % - next hop override

Gateway of last resort is not set

       10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
D        10.0.1.0/24 [90/409600] via 10.0.12.1, 00:11:38, Ethernet1/0
C        10.0.2.0/24 is directly connected, Loopback0
L        10.0.2.1/32 is directly connected, Loopback0
D        10.0.10.0/24 [90/409600] via 10.0.12.1, 00:11:30, Ethernet1/0
C        10.0.12.0/24 is directly connected, Ethernet1/0
L        10.0.12.2/32 is directly connected, Ethernet1/0
C        10.0.20.0/24 is directly connected, Loopback1
L        10.0.20.1/32 is directly connected, Loopback1
C        10.0.23.0/24 is directly connected, Ethernet1/1
L        10.0.23.2/32 is directly connected, Ethernet1/1
R2#

Example 4

R2#show run | section router
router eigrp 1
 network 0.0.0.0
R2#show run int eth1/0
!
interface Ethernet1/0
 ip address 10.0.12.2 255.255.255.0
 duplex full
end

R2#show run int lo0 
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.0
end

R2#show run int lo1
!
interface Loopback1
 ip address 10.0.20.1 255.255.255.0
end

R2#

Right now, EIGRP between R1 and R2 is working correctly and the EIGRP neighbor relationship looks fine, as shown in Example 5 and Example 6.

Example 5

R1#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H     Address     Interface     Hold Uptime      SRTT     RTO     Q     Seq
                                (sec)            (ms)             Cnt   Num
0    10.0.12.2    Et1/0         11 00:18:43      45       270     0     57
R1#

Example 6

R2#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H     Address     Interface     Hold Uptime      SRTT     RTO     Q     Seq
                                (sec)            (ms)             Cnt   Num
0    10.0.12.1    Et1/0         10 00:19:05      54       324     0     25
R2#

Now, I am going to manually change the RID of both routers to 1.1.1.1.

Example 7

R1#show run | sec router
router eigrp 1
 network 10.0.0.0
 eigrp router-id 1.1.1.1
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show run | sec router
router eigrp 1
 network 0.0.0.0
 eigrp router-id 1.1.1.1
R2#

Right after I changed both routers’ RID, R1’s route table drops all eigrp routes from R2. R2 did the same thing. Example 8 shows the route table for both routers.

Example 8

R1#show ip route
...
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C      10.0.1.0/24 is directly connected, Loopback0
L      10.0.1.1/32 is directly connected, Loopback0
C      10.0.10.0/24 is directly connected, Loopback1
L      10.0.10.1/32 is directly connected, Loopback1
C      10.0.12.0/24 is directly connected, Ethernet1/0
L      10.0.12.1/32 is directly connected, Ethernet1/0
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show ip route
...
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C      10.0.2.0/24 is directly connected, Loopback0
L      10.0.2.1/32 is directly connected, Loopback0
C      10.0.12.0/24 is directly connected, Ethernet1/0
L      10.0.12.2/32 is directly connected, Ethernet1/0
C      10.0.20.0/24 is directly connected, Loopback1
L      10.0.20.1/32 is directly connected, Loopback1
C      10.0.23.0/24 is directly connected, Ethernet1/1
L      10.0.23.2/32 is directly connected, Ethernet1/1
R2#

Here is the show eigrp protocols output for both routers. Here you can see their router IDs.

Example 9

R1#show eigrp protocols 
EIGRP-IPv4 Protocol for AS(1)
  Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  NSF-aware route hold timer is 240
  Router-ID: 1.1.1.1
  Topology : 0 (base) 
    Active Timer: 3 min
    Distance: internal 90 external 170
    Maximum path: 4
    Maximum hopcount 100
    Maximum metric variance 1

R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show eigrp protocols 
EIGRP-IPv4 Protocol for AS(1)
  Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  NSF-aware route hold timer is 240
  Router-ID: 1.1.1.1
  Topology : 0 (base) 
    Active Timer: 3 min
    Distance: internal 90 external 170
    Maximum path: 4
    Maximum hopcount 100
    Maximum metric variance 1

R2#

At this point, R1 has lost the routes that R2’s advertising and vice versa.

R1#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H     Address     Interface     Hold Uptime      SRTT     RTO     Q     Seq
                                (sec)            (ms)             Cnt   Num
0    10.0.12.2    Et1/0         14 00:14:10      58       378     0     69
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H     Address     Interface     Hold Uptime      SRTT     RTO     Q     Seq
                                (sec)            (ms)             Cnt   Num
0    10.0.12.1    Et1/0         14 00:14:03      56       504     0     37
R2#

Despite both routers having the same RID, the neighbor relationship is still up. Let’s fix R1’s network statements to be more specific and advertise R1’s Loopback1 via redistribution. Let’s see what’s going to happen.

Example 10

R1#show run | sec router
router eigrp 1
 network 10.0.1.0 0.0.0.255
 network 10.0.12.0 0.0.0.255
 redistribute connected metric 10000 10 255 1 1500
 eigrp router-id 1.1.1.1
R1#

R2 is still not accepting any eigrp routes from R1. Example 11 is R2’s route table

Example 11

R2#show ip route
...
    10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C     10.0.2.0/24 is directly connected, Loopback0
L     10.0.2.1/32 is directly connected, Loopback0
C     10.0.12.0/24 is directly connected, Ethernet1/0
L     10.0.12.2/32 is directly connected, Ethernet1/0
C     10.0.20.0/24 is directly connected, Loopback1
L     10.0.20.1/32 is directly connected, Loopback1
C     10.0.23.0/24 is directly connected, Ethernet1/1
L     10.0.23.2/32 is directly connected, Ethernet1/1
R2#

What is happening now is the eigrp loop prevention. If an eigrp router receives an eigrp advertisement, it will check the RID of who advertised the route. Now, if it sees its RID, then the router will not install the routes because it thinks that there is a routing loop. If the topology is loop free, the router should not receive an advertised route with its RID in the eigrp update packet.

Now, let’s turn on R3 and see its routing table

Example 12

R3#show ip route
...
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D      10.0.2.0/24 [90/409600] via 10.0.23.2, 00:00:26, Ethernet1/1
C      10.0.3.0/24 is directly connected, Loopback0
L      10.0.3.1/32 is directly connected, Loopback0
D      10.0.12.0/24 [90/307200] via 10.0.23.2, 00:00:26, Ethernet1/1
D      10.0.20.0/24 [90/409600] via 10.0.23.2, 00:00:26, Ethernet1/1
C      10.0.23.0/24 is directly connected, Ethernet1/1
L      10.0.23.3/32 is directly connected, Ethernet1/1
C      10.0.30.0/24 is directly connected, Loopback1
L      10.0.30.1/32 is directly connected, Loopback1
R3#

As you can see, routes from R1 are not getting to R3, because R2 is not installing the routes into its topology table; therefore, R2 will not forward them to R3.
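The two EIGRP posts above (part 2 and this part 1) record which routes survive when two routers share RID 1.1.1.1. As an added illustration, and my own toy model rather than anything from IOS, the script below applies the single rule the posts describe (drop any received route whose originating RID is your own, and never re-advertise what you did not install) to the R1-R2-R3 lab topology and reproduces the learned prefixes shown in both posts' route tables. It ignores metrics and DUAL entirely.

```python
"""Toy model of the EIGRP originating-router-ID loop check from the lab posts.

Added illustration, not EIGRP itself: no metrics, no DUAL, no timers.
Each prefix carries the router ID (RID) of the router that originated it.
A router discards any received route whose originating RID equals its own,
treating it as a route that has looped back. Routes a router does not
install are never re-advertised to its other neighbours.
"""
from typing import Dict, FrozenSet, Set, Tuple

Route = Tuple[str, str]  # (prefix, originating RID)


def converge(rids: Dict[str, str],
             connected: Dict[str, Set[str]],
             links: Set[FrozenSet[str]]) -> Dict[str, Set[Route]]:
    """Flood routes across every adjacency until no table changes."""
    tables: Dict[str, Set[Route]] = {
        r: {(p, rids[r]) for p in prefixes} for r, prefixes in connected.items()
    }
    changed = True
    while changed:
        changed = False
        for link in links:
            a, b = tuple(link)
            for src, dst in ((a, b), (b, a)):
                for prefix, origin_rid in list(tables[src]):
                    # Loop check: an update carrying our own RID is dropped.
                    if origin_rid == rids[dst]:
                        continue
                    # Prefix already known (connected or learned): keep it.
                    if any(p == prefix for p, _ in tables[dst]):
                        continue
                    tables[dst].add((prefix, origin_rid))
                    changed = True
    return tables


# The lab topology from the posts: R1 -- R2 -- R3, loopbacks plus link subnets.
LAB_CONNECTED = {
    "R1": {"10.0.1.0/24", "10.0.10.0/24", "10.0.12.0/24"},
    "R2": {"10.0.2.0/24", "10.0.20.0/24", "10.0.12.0/24", "10.0.23.0/24"},
    "R3": {"10.0.3.0/24", "10.0.30.0/24", "10.0.23.0/24"},
}
LAB_LINKS = {frozenset({"R1", "R2"}), frozenset({"R2", "R3"})}


def lab_learned(rids: Dict[str, str]) -> Dict[str, Set[str]]:
    """Prefixes each router learns via EIGRP (its own connected ones excluded)."""
    tables = converge(rids, LAB_CONNECTED, LAB_LINKS)
    return {r: {p for p, _ in tables[r]} - LAB_CONNECTED[r] for r in rids}


if __name__ == "__main__":
    scenarios = {
        "unique RIDs": {"R1": "1.1.1.1", "R2": "2.2.2.2", "R3": "3.3.3.3"},
        "R1 and R2 share 1.1.1.1": {"R1": "1.1.1.1", "R2": "1.1.1.1", "R3": "3.3.3.3"},
        "R1 and R3 share 1.1.1.1": {"R1": "1.1.1.1", "R2": "2.2.2.2", "R3": "1.1.1.1"},
    }
    for name, scenario_rids in scenarios.items():
        print(name)
        for router, learned in sorted(lab_learned(scenario_rids).items()):
            print(f"  {router} learned: {sorted(learned)}")
```

The "R1 and R2 share" case matches Example 6 of part 2 (R1 keeps only R3's loopbacks, R3 never sees R1's), and the "R1 and R3 share" case matches Example 5 there (R2 keeps everything while R1 and R3 lose each other's routes).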

We will tackle scenario two on my next post.

WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE

When you get this banner after logging into your Juniper device:

***********************************************************************
** **
** WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE **
** **
** It is possible that the primary copy of JUNOS failed to boot up **
** properly, and so this device has booted from the backup copy. **
** **
** Please re-install JUNOS to recover the primary copy in case **
** it has been corrupted. **
** **
***********************************************************************

This simply means that the switch/firewall/router booted from its backup partition. The most likely cause is that the file system on the primary partition got corrupted by a power loss.
We can verify this with a few show commands.

karlo@exswitch> show chassis alarms 
2 alarms currently active
Alarm time Class Description
2016-11-20 16:01:08 UTC Minor Host 0 Boot from backup root

karlo@exswitch> show system alarms 
3 alarms currently active
Alarm time Class Description
2016-11-20 16:01:08 UTC Minor Host 0 Boot from backup root

karlo@exswitch> show system storage partitions 
fpc0:
--------------------------------------------------------------------------
Boot Media: internal (da0)
Active Partition: da0s1a
Backup Partition: da0s2a
Currently booted from: backup (da0s2a)

Partitions information:
Partition Size Mountpoint
s1a 183M altroot 
s2a 184M / 
s3d 369M /var/tmp 
s3e 123M /var 
s4d 62M /config 
 
karlo@exswitch> show system snapshot media internal 
fpc0:
--------------------------------------------------------------------------
Information for snapshot on internal (/dev/da0s1a) (primary)
Creation date: Jun 14 21:42:33 2013
JUNOS version on snapshot:
jbase : ex-12.1R6.5
jcrypto-ex: 12.1R6.5
jdocs-ex: 12.1R6.5
jroute-ex: 12.1R6.5
jswitch-ex: 12.1R6.5
jweb-ex: 12.1R6.5
Information for snapshot on internal (/dev/da0s2a) (backup)
Creation date: Jun 14 21:46:16 2013
JUNOS version on snapshot:
jbase : ex-12.1R6.5
jcrypto-ex: 12.1R6.5
jdocs-ex: 12.1R6.5
jroute-ex: 12.1R6.5
jswitch-ex: 12.1R6.5
jweb-ex: 12.1R6.5

{master:0}
karlo@exswitch>
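If you manage more than one Junos box, the check above is worth automating. The following is an added example (not Juniper code) that parses the text of show system storage partitions as shown above and flags a device running from its backup slice; the sample output is constructed from that transcript.

```python
"""Flag a Junos device that booted from its backup root partition.
Added example, not Juniper code. Parses `show system storage partitions`
text; SAMPLE is constructed from the transcript in the post."""
import re
from typing import Dict

FIELDS = {
    "boot_media": re.compile(r"^Boot Media:\s*(.+)$", re.MULTILINE),
    "active": re.compile(r"^Active Partition:\s*(\S+)$", re.MULTILINE),
    "backup": re.compile(r"^Backup Partition:\s*(\S+)$", re.MULTILINE),
    # e.g. "Currently booted from: backup (da0s2a)"
    "booted": re.compile(r"^Currently booted from:\s*(\w+)\s*\((\S+)\)$", re.MULTILINE),
}


def parse_partitions(output: str) -> Dict[str, str]:
    """Extract boot media, primary/backup slices and the currently booted slice."""
    info: Dict[str, str] = {}
    for key in ("boot_media", "active", "backup"):
        m = FIELDS[key].search(output)
        if m:
            info[key] = m.group(1).strip()
    m = FIELDS["booted"].search(output)
    if m:
        info["booted_role"], info["booted_slice"] = m.group(1), m.group(2)
    return info


def booted_from_backup(output: str) -> bool:
    """True when the device is running from the backup slice (the alarm condition above).
    The role word is cross-checked against the slice name so a mangled or
    partially captured line is not trusted."""
    info = parse_partitions(output)
    return (info.get("booted_role") == "backup"
            and info.get("booted_slice") == info.get("backup"))


# Constructed sample in the shape of the output above.
SAMPLE = """\
fpc0:
--------------------------------------------------------------------------
Boot Media: internal (da0)
Active Partition: da0s1a
Backup Partition: da0s2a
Currently booted from: backup (da0s2a)
"""
```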

To fix this, we need to copy the Junos image from the backup partition (the one we booted from) over to the primary partition.
To do so, use the command below: request system snapshot media internal slice alternate
The slice keyword seems to be hidden from command completion, so you have to type it in manually.

karlo@exswitch> request system snapshot media internal slice alternate 
fpc0:
--------------------------------------------------------------------------
Formatting alternate root (/dev/da0s1a)...
Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes)
The following filesystems were archived: /

Verify the snapshots

karlo@exswitch> show system snapshot media internal 
fpc0:
--------------------------------------------------------------------------
Information for snapshot on internal (/dev/da0s1a) (primary)
Creation date: Dec 27 15:37:20 2016
JUNOS version on snapshot:
jbase : ex-12.1R6.5
jcrypto-ex: 12.1R6.5
jdocs-ex: 12.1R6.5
jroute-ex: 12.1R6.5
jswitch-ex: 12.1R6.5
jweb-ex: 12.1R6.5
Information for snapshot on internal (/dev/da0s2a) (backup)
Creation date: Jun 14 21:46:16 2013
JUNOS version on snapshot:
jbase : ex-12.1R6.5
jcrypto-ex: 12.1R6.5
jdocs-ex: 12.1R6.5
jroute-ex: 12.1R6.5
jswitch-ex: 12.1R6.5
jweb-ex: 12.1R6.5

Then issue the command request system reboot slice alternate media internal. This reboots the device from the primary partition (da0s1a).

Now, if you are upgrading your Junos device and it keeps booting from the backup, use the command request system software rollback and then reboot the system. Once it has rebooted, you will be able to upgrade your device.

Cheers

Posted in Juniper, layer 2, Misc., troubleshoot

Palo Alto Firewalls HA Pair Upgrade

I recently upgraded my Palo Alto firewalls from version 6.1.12 to 7.1.1. It is a pretty straightforward upgrade, but I might as well write about it. Also, this is for firewalls that do not have Internet access via their management (OOB) interface.

I am going to do this via the CLI since I have never used the GUI. To get started, do the following:

  • Download all the PAN-OS images you will need to upgrade your PAN firewalls
  • Verify the checksum of each downloaded image before importing it
  • Back up your config
  • Schedule a network maintenance window. There should be no downtime with an HA pair, but it is always better to have a dedicated maintenance window
  • If you still have a support contract, ask your PAN engineer to be on standby, because calling their number is a pain

Since I am upgrading from 6.1.12 to 7.1.1, I need to follow an upgrade path. The PAN upgrade path works like this: if I were going from 6.1.12 to 6.1.14, I could upgrade to 6.1.14 directly, because 6.1.14 has the same base firmware as 6.1.12 (the base version 6.1.0); however, if I were going to 7.0.10, I would first need to upgrade to the base firmware, which is 7.0.1 (there is no 7.0.0), and then upgrade directly to 7.0.10.

The catch is that, as with any firewall, you need to restart the firewall for an upgrade to take effect. The nice thing about PAN is that once you have installed the base firmware, you can install the next version right away without restarting. This is only true if the version you are going to is on the same base firmware; otherwise, you need to restart the firewall in between.

To make this simple, here is a visual representation of how a PAN upgrade is done. The base firmware for each feature release is marked with an asterisk (*).

From 6.1.12
To 6.1.14
6.1.12 > 6.1.14 then restart > done

From 6.1.12
To 7.1.1
6.1.12 > 7.0.1* then restart > 7.1.0* > 7.1.1 then restart > done

From 5.0.20
To 7.1.5
5.0.20 > 6.0.0* then restart > 6.1.0* then restart > 7.0.1* then restart > 7.1.0* > 7.1.5 then restart > done

You get the idea.
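The rule above is mechanical enough to script. Here is an added example (not Palo Alto Networks code) that plans the install and restart steps between two PAN-OS versions using the base-firmware rule from this post; the list of release trains and the 7.0.1 base exception are taken from the post, and RELEASE_TRAINS is an assumption you would extend for other releases.

```python
"""Plan a PAN-OS upgrade path with the base-firmware rule from this post.
Added example, not Palo Alto Networks code. Trains and bases come from the
post (7.0 has no 7.0.0, so its base is 7.0.1); RELEASE_TRAINS is an assumption
to extend for other releases."""
from typing import List, Tuple

# Feature-release trains in order, oldest first (assumed list, from the post).
RELEASE_TRAINS: List[str] = ["5.0", "6.0", "6.1", "7.0", "7.1"]
# Trains whose base release is not x.y.0.
BASE_OVERRIDES = {"7.0": "7.0.1"}

Step = Tuple[str, bool]  # (version to install, restart required afterwards)


def train_of(version: str) -> str:
    """Feature-release train of a version string: '7.1.5' -> '7.1'."""
    major, minor, _patch = version.split(".")
    return f"{major}.{minor}"


def base_of(train: str) -> str:
    """Base firmware that must be installed first for a train."""
    return BASE_OVERRIDES.get(train, f"{train}.0")


def plan_upgrade(current: str, target: str) -> List[Step]:
    """Ordered install steps from `current` to `target`.
    Rules from the post: within one train install the target directly, then
    restart; crossing trains, install each intermediate train's base and
    restart, install the target train's base without a restart, then the
    target version, then one final restart."""
    start = RELEASE_TRAINS.index(train_of(current))   # ValueError if unknown
    end = RELEASE_TRAINS.index(train_of(target))
    if end < start:
        raise ValueError("downgrades are not covered by this planner")
    steps: List[Step] = []
    for train in RELEASE_TRAINS[start + 1:end]:       # intermediate trains
        steps.append((base_of(train), True))
    target_base = base_of(train_of(target))
    if end > start and target_base != target:
        steps.append((target_base, False))            # same base: no restart yet
    steps.append((target, True))
    return steps


def format_plan(current: str, target: str) -> str:
    """Render a plan in the post's notation: '6.1.12 > 7.0.1 then restart > ...'."""
    parts = [current]
    for version, restart in plan_upgrade(current, target):
        parts.append(f"{version} then restart" if restart else version)
    return " > ".join(parts + ["done"])


if __name__ == "__main__":
    for cur, tgt in (("6.1.12", "6.1.14"), ("6.1.12", "7.1.1"), ("5.0.20", "7.1.5")):
        print(format_plan(cur, tgt))
```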

Before we begin, here are two settings that are recommended to be disabled when upgrading an HA pair. These commands are entered in configuration mode.

  • set deviceconfig setting session tcp-reject-non-syn no
  • set deviceconfig high-availability group <value> election-option preemptive no

Starting from here, all the commands below are done in operational mode.

Let’s get started. The first thing is to SSH or console into the active device. You can SSH or console into the passive device instead, but to test the failover you need to start at the active device. Once you are connected to the active device, suspend it first. The device status changes from active (or passive) to suspended, as shown below.

admin@PAN01(active)> request high-availability state suspend

Successfully changed HA state to suspended
admin@PAN01(suspended)>

Once the firewall is in suspended mode, you can import the firmware. In my case, I will import the 7.0.1 base firmware via scp. The command syntax is

scp import software from <username>@<server-ip>:<path>
admin@PAN01(suspended)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.0.1 
The authenticity of host '10.0.5.10 (10.0.5.10)' can't be established.
RSA key fingerprint is ba:ee:8c:a4:75:90:b4:c4:81:ed:36:37:9c:32:46:3e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.5.10' (RSA) to the list of known hosts.
root@10.0.5.10's password: 
PanOS_3000-7.0.1 100%                                                     602MB 22.3MB/s 00:27

PanOS_3000-7.0.1 saved

Once the import is completed, the next step is to install the firmware.

admin@PAN01(suspended)> request system software install file PanOS_3000-7.0.1 
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 163. Run 'show jobs id 163' to monitor its status. Please reboot the device after the installation is done.
163

admin@PAN01(suspended)>

As shown, you can use the command show jobs id <job-id> to monitor the installation. The installation takes a few minutes.

admin@PAN01(suspended)> show jobs id 163

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:01:35         163       SWInstall       ACT   PEND       66%
Warnings:
Details:

admin@PAN01(suspended)> show jobs id 163

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:01:35         163       SWInstall       ACT   PEND       99%
Warnings:
Details:

admin@PAN01(suspended)> show jobs id 163

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:01:35         163       SWInstall       FIN     OK 22:06:16
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.

admin@PAN01(suspended)>
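Since the post keeps coming back to checking the job before rebooting, here is an added example (not Palo Alto Networks code) that parses the show jobs id output above and only reports a reboot as safe once the SWInstall job is FIN with result OK; the two sample outputs are constructed from the transcript.

```python
"""Parse PAN-OS `show jobs id <id>` output and decide whether a reboot is safe.
Added example, not Palo Alto Networks code; samples are constructed from the
transcript above."""
import re
from dataclasses import dataclass
from typing import Optional

# Data row, e.g. "2016/10/28 22:01:35   163   SWInstall   ACT   PEND   66%"
JOB_ROW = re.compile(
    r"^(?P<enqueued>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<id>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<status>\S+)\s+(?P<result>\S+)\s+(?P<completed>\S+)\s*$",
    re.MULTILINE,
)
DETAILS = re.compile(r"^Details:(?P<text>.*)$", re.MULTILINE)


@dataclass
class Job:
    job_id: int
    job_type: str
    status: str     # ACT while running, FIN when finished
    result: str     # PEND while running, OK (or FAIL) when finished
    completed: str  # percentage while running, finish time when done
    details: str


def parse_show_jobs(output: str) -> Optional[Job]:
    """Return the Job in one `show jobs id` output, or None if no row is found."""
    m = JOB_ROW.search(output)
    if not m:
        return None
    d = DETAILS.search(output)
    return Job(int(m["id"]), m["type"], m["status"], m["result"],
               m["completed"], d["text"].strip() if d else "")


def safe_to_reboot(output: str, expected_id: int) -> bool:
    """True only when SWInstall job `expected_id` is FIN with result OK.
    Rebooting while the job is still ACT/PEND (or after a FAIL) leaves the
    firewall on the old image, so poll until this returns True."""
    job = parse_show_jobs(output)
    return (job is not None and job.job_id == expected_id
            and job.job_type == "SWInstall"
            and job.status == "FIN" and job.result == "OK")


# Constructed samples in the shape of the transcript above.
RUNNING = """\
Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:01:35         163       SWInstall       ACT   PEND       66%
Warnings:
Details:
"""
DONE = """\
Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:01:35         163       SWInstall       FIN     OK 22:06:16
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.
"""
```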

Since I am upgrading to 7.1.1, and I just installed 7.0.1, I would need to restart the device.

admin@PAN01(suspended)> request restart system 
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Broadcast message from root (pts/0) (Fri Oct 28 22:08:15 2016):

The system is going down for reboot NOW!

Connection closed by foreign host.

Disconnected from remote host(PAN01) at 18:15:14.

Once the device boots up, check the software version

admin@PAN01(passive)> show system info | match sw
sw-version: 7.0.1

Once you have confirmed the version, import the next base firmware (7.1.0).

admin@PAN01(passive)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.1
The authenticity of host '10.0.5.10 (10.0.5.10)' can't be established.
ECDSA key fingerprint is 88:8f:77:fc:88:b0:dc:ef:34:31:24:68:ef:0a:72:b4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.5.10' (ECDSA) to the list of known hosts.
root@10.0.5.10's password: 
PanOS_3000-7.1.0 100% 699MB 25.9MB/s 00:27

PanOS_3000-7.1.0 saved

Then install the firmware after importing the base firmware. However, now that the firewall is running 7.0.1, the syntax has changed: the file option is no longer available, and the version option is used instead.

admin@PAN01(passive)> request system software install 
+ load-config Configuration to use for booting new software
> version     Upgrade to a software package by version

admin@PAN01(passive)> request system software install version 
7.1.0   7.1.0
<value> Upgrade to a software package by version

admin@PAN01(passive)> request system software install version 7.1.0 
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) 

Software install job enqueued with jobid 2. Run 'show jobs id 2' to monitor its status. Please reboot the device after the installation is done.

Always check the status of the installation

admin@PAN01(passive)> show jobs id 2

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:23:02           2       SWInstall       ACT   PEND       84%
Warnings:
Details:Loading into software manager
Succesfully loaded image into software manager

admin@PAN01(passive)> show jobs id 2

Enqueued                     ID            Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:23:02           2       SWInstall       FIN     OK 22:27:34
Warnings:
Details:Loading into software manager
Succesfully loaded image into software manager
Software installation successfully completed. Please reboot to switch to the new version.

admin@PAN01(passive)>

At this point, since we are going to 7.1.1 and we just installed 7.1.0, we do not need to restart the device. We can install the 7.1.1 first then we can restart.

admin@PAN01(passive)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.1.1
root@10.0.5.10's password: 
PanOS_3000-7.1.1 100% 252MB 28.0MB/s 00:09

PanOS_3000-7.1.1 saved

Install the 7.1.1

admin@PAN01(passive)> request system software install version 7.1.1

Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)
Software install job enqueued with jobid 3. Run 'show jobs id 3' to monitor its status. Please reboot the device after the installation is done.
3

admin@PAN01(passive)> show jobs id 3

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:31:46           3       SWInstall       ACT   PEND       81%
Warnings:
Details:Loading into software manager
Succesfully loaded image into software manager

admin@PAN01(passive)> show jobs id 3

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 22:31:46           3       SWInstall       FIN     OK 22:35:48
Warnings:
Details:Loading into software manager
Succesfully loaded image into software manager
Software installation successfully completed. Please reboot to switch to the new version.

admin@PAN01(passive)>

Once the installation is done, restart the device

admin@PAN01(passive)> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Broadcast message from root (pts/0) (Fri Oct 28 22:36:48 2016):

The system is going down for reboot NOW!

Connection closed by foreign host.

Disconnected from remote host(PAN01) at 18:36:51.

Once the firewall has restarted, it will be stuck in suspended mode. The reason is that the currently active firewall is on 6.1.12 and the upgraded firewall is on 7.1.1; the two versions are not compatible for high-availability pairing.

Let’s work on the second firewall. Here is a caveat: since the newer version is not compatible, the firewall I upgraded will not become either active or passive until its peer reaches a compatible version.

However, if the software is compatible, the HA state will change to passive. This may take a minute or two, so I recommend waiting for it. If the software base version is the same, the two are compatible, so wait for the HA pair to re-establish.

Now, if you are doing this upgrade over SSH, I highly recommend keeping the currently active device active, because once you lose your connection, a suspended device will not become active until you run the command request high-availability state functional, and if you are connected via SSH you will not be able to execute that command. Therefore, we want the active firewall to boot up as an active device, not suspended.

I am doing this via SSH, so I am not going to suspend the firewall. Just like the first firewall, I am going to import the firmware.

admin@PAN02(active)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.0.1
The authenticity of host '10.0.5.10 (10.0.5.10)' can't be established.
RSA key fingerprint is ba:ee:8c:a4:75:90:1c:c4:81:ed:36:cb:9c:32:78:3e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.5.10' (RSA) to the list of known hosts.
root@10.0.5.10's password:
PanOS_3000-7.0.1                                             100% 602MB 11.2MB/s   00:54  

PanOS_3000-7.0.1 saved

admin@PAN02(active)>

Once imported, install the firmware.

admin@PAN02(active)> request system software install file PanOS_3000-7.0.1
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 144. Run 'show jobs id 144' to monitor its status. Please reboot the device after the installation is done.
144

admin@PAN02(active)> show jobs id 144

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 23:44:34         144       SWInstall       ACT   PEND       86%
Warnings:
Details:

port22@P07101EF01(active)> show jobs id 144

Enqueued                     ID             Type   Status Result Completed
--------------------------------------------------------------------------
2016/10/28 23:44:34         144       SWInstall       FIN     OK 23:48:28
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.

admin@PAN02(active)>

Restart the device

admin@PAN02(active)> request restart system 
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Connection closed by foreign host.

Disconnected from remote host(PAN02) at 19:35:23.

After the reboot, verify the version of the firmware

admin@PAN02(suspended)> show system info | match sw
sw-version: 7.0.1

Now, import the base firmware then install it

admin@PAN02(suspended)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.1.0
The authenticity of host '10.0.5.10 (10.0.5.10)' can't be established.
ECDSA key fingerprint is 88:8f:09:3c:88:b0:dc:11:34:31:24:68:ef:0a:9d:b4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.5.10' (ECDSA) to the list of known hosts.
root@10.0.5.10's password: 
PanOS_3000-7.1.0 100%                                                       699MB 11.1MB/s 01:03

PanOS_3000-7.1.0 saved

Install the firmware

admin@PAN02(suspended)> request system software install version 7.1.0 
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 3. Run 'show jobs id 3' to monitor its status. Please reboot the device after the installation is done.
3

admin@PAN02(suspended)>

Once the firmware is installed, do not restart the firewall yet. We still need to install the desired firmware (7.1.1). Import the firmware, then install it.

admin@PAN02(suspended)> scp import software from root@10.0.5.10:/root/pan/PanOS_3000-7.1.1
root@10.0.5.10's password: 
PanOS_3000-7.1.1                                                     100% 252MB 28.0MB/s 00:09

PanOS_3000-7.1.1 saved

admin@PAN02(suspended)> request system software install version 7.1.1
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n)

Software install job enqueued with jobid 4. Run 'show jobs id 4' to monitor its status. Please reboot the device after the installation is done.
4

admin@PAN02(suspended)>

Restart the device

admin@PAN02(suspended)> request restart system 
Executing this command will disconnect the current session. Do you want to continue? (y or n)

Broadcast message from root (pts/0) (Fri Oct 28 23:58:03 2016):

The system is going down for reboot NOW!

Connection closed by foreign host.

Disconnected from remote host(PA02) at 19:58:06.

After it reboots, log in again and check the system software version.

port22@P07101EF01> show system info | match sw
sw-version: 7.1.1

Also, log in to both devices and check whether either one is in suspended mode. If one of them is suspended, use this command

request high-availability state functional

That should do it.

Cheers!

Posted in Misc.