Resolving Uncommitted Changes Not Shown by ‘Show | Compare’ in Juniper

juniper

There have uncommitted changes, but show | compare do not show it.

{master}[edit]                                                                  
un@HK-MX-RE0# exit                                                          
The configuration has been changed but not committed                            
Exit with uncommitted changes? [yes,no] (yes) no                                

Exit aborted                                                                    

{master}[edit]                                                                  
un@HK-MX-RE0# show | compare                                                

{master}[edit]                                                                  
un@HK-MX-RE0#

My device is Juniper MX480.

Best Answer

Try this one: show | compare rollback 1

Also this situation may rise in case when you change value(option), then in the same session revert this changed value to previous state. < This is my mention, not confirmed by the documentation.

Related Solutions

What are some workarounds / fixes for UTM/IDP on Junos 12.1X44-D10.4 for SRX Series branch devices

It appeared this was an easy fix (I also tried 12.1R6.5 and 12.1X44-D11.5, to no avail).

First, I looked at the version of the signature DB that it's trying to download (2263):

 netops> request security idp security-package download check-server    
 Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
 Version info:2263(Detector=12.6.160130325, Templates=2263)

Then, I decided that this is possibly an actual bad md5 checksum (per what Junos expects), and I downloaded the previous version, 2262:

 netops> request security idp security-package download version full-update 2262    
 Will be processed in async mode. Check the status using the status checking CLI

It worked! I've had to do something similar on Netscreen, but it's been a while. I turned off automated updates, and I can get back to studying.

 netops> request security idp security-package download status    
 Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
 Version info:2262(Tue May 14 16:27:00 2013 UTC, Detector=12.6.160130325)

Now that the download is finished, everything is installing properly:

 netops> request security idp security-package install          
 Will be processed in async mode. Check the status using the status checking CLI

 netops> request security idp security-package install status 
 In progress:performing DB update...

 netops> request security idp security-package install status    
 In progress:performing DB update for an xml (groups.xml)

 netops> request security idp security-package install status
 In progress:performing DB update for an xml (applications.xml)

 etc.

 netops> request security idp security-package install status    
 Done;Attack DB update : successful - [UpdateNumber=2262,ExportDate=Tue May 14 16:27:00   2013 UTC,Detector=12.6.160130325]
 Updating control-plane with new detector : successful
 Updating data-plane with new attack or detector : not performed
  due to no active policy configured.

I'm thinking that this is either a bug in SRX110H-VA, a combination of hardware/software release, or bad signature updates on services.netscreen.com. I'm pretty sure that I could just look through the XML, and figure out where the bad md5sum is (and fix it by hand), but I'll follow up once I hear back from Juniper.

Newest edit: I also had to manually download the policy template from Juniper, extract it with gzip -d templates.xml.gz, and place it in /var/db/idpd/sec-download/sub-download/. Once that was done, I was able to install it. The issue here is that the request security idp security-package install policy-templates command does not take a 'version', like the other idp commands. This will always be an issue when the head IDP policy has md5 errors, although I would hope that this isn't a frequent occurrence at Juniper.

 netops> request security idp security-package install policy-templates 
 Will be processed in async mode. Check the status using the status checking CLI

 netops> request security idp security-package install status              
 Done;policy-templates has been successfully updated into internal repository
 (=>/var/db/scripts/commit/templates.xsl)!

The jsrv.1 interface for

Interface jsrv.1 is always associated to IP address 128.0.0.127.

jsrv                    up    up
jsrv.1                  up    up   inet     128.0.0.127/2

An archive at SourceForge has the below command output snippet that shows a connection between 128.0.0.127 and port 6343 (sFlow port)¹:

tcpdump -v udp port 6343  -s 1500:
11:52:07.624977 IP (tos 0x0, ttl 254, id 5728, offset 0, flags [none],
 proto UDP (17), length 1484)
   10.1.1.1.60578 > collector.6343: sFlowv5, IPv4 agent 128.0.0.127,
 agent-id 17, seqnum 38496, uptime 1963373233, samples 8, length 1456
    flow sample (1), length 196,
<...snipped...>

There is a Juniper Knowledge Center (cached google link) article that indicates there are 2 separate programs supporting the sFlow function, an agent and a collector.

The sFlow monitoring system consists of an sFlow agent embedded in the EX Switch and has a centralized collector. The sFlow agent’s two main activities are random sampling and statistics gathering. It combines interface counters and flow samples and sends them across the network to the sFlow collector. The sFlow collector uses the sFlow agent’s IP address to determine the source of the sFlow data. This KB article explains how the EX Switch assigns the IP address to the sFlow agent.

The jsrv interface appears to be a built-in Juniper sFlow sub-system that allows communication between the internal collector and agent.

¹_{Note, this is the only connection to 128.0.0.127 I've been able to locate.}

Best Answer

Related Solutions

What are some workarounds / fixes for UTM/IDP on Junos 12.1X44-D10.4 for SRX Series branch devices

The jsrv.1 interface for

Related Topic