[Sky Enterprise] Device cannot connect to Sky Enterprise

Article ID: KB32978 | KB Last Updated: 24 Feb 2020 | Version: 2.0
Summary:

This article explains what must be done when a device (in this example SRX 300) does not connect to Sky Enterprise after being configured.

Note: The article applies to any supported Juniper network device that needs to connect with the Sky Enterprise server.

 

Symptoms:

Sky Enterprise is already configured on the device (in this example, SRX 300). Port 22 and port 4087 are open on the firewall, as required to connect to the Sky Enterprise server.

 
system {
    services {
        outbound-ssh {
            client skyenterprise-ncd01 {
                device-id fw01.abc.def;
                secret "$ABC123"; ## SECRET-DATA
                keep-alive {
                    retry 3;
                    timeout 5;
                }
                services netconf;
                host1.juniper.net {
                    port 4087;
                    retry 1000;
                    timeout 60;
                }
            }
            client skyenterprise-ncd02 {
                device-id fw01.abc.def;
                secret "$ABC123"; ## SECRET-DATA
                keep-alive {
                    retry 3;
                    timeout 5;
                }
                services netconf;
                skyent-ncd02.juniper.net {
                    port 4087;
                    retry 1000;
                    timeout 60;
                }
            }
        }
    }  
}
 

The device can ping the IP address of host1.juniper.net but cannot ping the hostname (that is, host1.juniper.net).

Running "telnet host1.juniper.net port 4087" from the device does not work either.

 
admin@fw01.abc.def> ping 10.10.48.108
PING 10.10.48.108 (10.10.48.108): 56 data bytes
64 bytes from 10.10.48.108: icmp_seq=0 ttl=49 time=140.109 ms
^C
--- 10.10.48.108 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 140.109/140.109/140.109/0.000 ms

admin@fw01.abc.def> telnet 10.10.48.108 port 4087
Trying 10.10.48.108...
telnet: connect to address 10.10.48.108: Connection refused
telnet: Unable to connect to remote host

 

Solution:

If a device is added to Sky Enterprise and it is not appearing online, follow these steps to ensure that the path from the device to Sky Enterprise is working:

  • Make sure that the device connects to the "outside world." Try to ping an external IP address.

  • Make sure that the device has DNS to resolve the Sky Enterprise hosts, or static host mappings.

  • Make sure that the device can connect to the Sky Enterprise connector servers by using TCP port 4087.
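
As an added example (not part of the Juniper article or any Juniper tooling), the DNS and TCP 4087 checks above can be scripted in Python and run from a host that is assumed to share the device's DNS servers and outbound path. The names `diagnose`, `check_all` and `NEXT_STEP` are hypothetical; the hostnames and port 4087 are the ones used in this article.

```python
import socket

NCD_PORT = 4087  # connector port named in the article
# Hostnames taken from the article's static-host-mapping example.
NCD_HOSTS = ["ncd01.skyenterprise.com", "ncd02.skyenterprise.com"]

# What each failure stage points to in the checklist above.
NEXT_STEP = {
    "dns": "add name servers or static host mappings for this host",
    "tcp-refused": "host reached, but nothing accepted TCP 4087",
    "tcp-timeout": "no reply on TCP 4087; check filtering on the path",
    "tcp-error": "check routing to an external address first",
    "ok": "path to the connector works",
}

def diagnose(host, port=NCD_PORT, timeout=5.0,
             resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Return (stage, detail); resolve/connect are injectable for offline tests."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Same symptom as in the article: the IP answers, the name does not.
        return "dns", f"cannot resolve {host}: {exc}"
    result = ("tcp-error", f"{host} resolved to no addresses")
    for addr in sorted({info[4][0] for info in infos}):
        try:
            conn = connect((addr, port), timeout=timeout)
        except ConnectionRefusedError:
            result = ("tcp-refused", f"{addr}:{port} refused the connection")
        except (socket.timeout, TimeoutError):
            result = ("tcp-timeout", f"{addr}:{port} gave no answer in {timeout}s")
        except OSError as exc:
            result = ("tcp-error", f"{addr}:{port}: {exc}")
        else:
            conn.close()
            return "ok", f"{host} -> {addr}:{port} connected"
    return result

def check_all(hosts=NCD_HOSTS, **kwargs):
    """Run diagnose() per host and attach the matching next step."""
    rows = []
    for host in hosts:
        stage, detail = diagnose(host, **kwargs)
        rows.append((host, stage, detail, NEXT_STEP[stage]))
    return rows

if __name__ == "__main__":
    for host, stage, detail, hint in check_all():
        print(f"{host:28} {stage:12} {detail} ({hint})")
```

A "dns" result with a reachable IP address reproduces the example case in this article; a "tcp-refused" result matches the "Connection refused" telnet output shown under Symptoms.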

In the example case, the issue was caused by DNS being unable to resolve the Sky Enterprise hosts and by missing static host mapping entries on the SRX device.

Typically, a device learns how to contact Sky Enterprise by using DNS servers. In some situations, the device might not have name servers configured or available for use. In such a case, use the Junos OS static host mapping feature to map the Sky Enterprise hostnames to their IP addresses.

To configure mappings for the Sky Enterprise Netconf Connect Daemon (NCD) servers, use the following configuration:

 
user@host> configure
user@host# set system static-host-mapping ncd01.skyenterprise.com inet 10.10.48.108
user@host# set system static-host-mapping ncd02.skyenterprise.com inet 10.10.15.10
user@host# commit and-quit
 

To let the device resolve the Sky Enterprise servers through DNS, add name servers to the device. The following output shows the name servers configured on the example device:

 
admin@fw01.abc.def# show system name-server
8.8.8.8;
1.1.1.66;
1.1.1.67;
 

When the missing configuration is added to the device, the above issue is resolved and the device appears online.

To confirm that the device is indeed online, telnet to the hostname on port 4087. The attempt should now be successful.

 

admin@fw01.abc.def> telnet 10.10.48.108 port 4087
Trying 10.10.48.108...
Connected to ncd01.skyenterprise.com.
Escape character is '^]'.

 

Modification History:

2020-02-23: Changed encrypted password to "$ABC123".
