Troubleshooting Gateways (SRX)

If the SRX shows as disconnected in the UI but is online locally and reachable, try the following troubleshooting steps. You will need console or SSH access to the SRX to check the following:

1. Make sure the SRX is on the supported version

Minimum Junos OS firmware versions supported for WAN Assurance:

  • SRX – 300, 320, 340, 345, 380, 550M, 1500, vSRX – 19.4 & above

 

2. Ensure the SRX has a valid IP address

Run “show interfaces terse”. You should see an IP address on either an interface or an irb interface. You might see multiple irb interfaces depending on the SRX model (or in the case of HA). At least one irb interface needs to have a valid IP address.

The SRX can also connect using the management IP address, which appears on the fxp0 interface. Ensure that either an interface or the fxp0 interface has a valid IP address and is administratively UP. (The link status also needs to be UP.)

3. Ensure that the device can reach the gateway

 

4. Ensure the SRX can reach the internet

root@Mist_SRX> ping inet 8.8.8.8 
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=9.789 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=5.206 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=4.679 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=4.362 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=58 time=4.497 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.362/5.707/9.789/2.061 ms

 

5. Check if the SRX can resolve oc-term.mistsys.net

root@Mist_SRX> ping oc-term.mistsys.net 
PING ab847c3d0fcd311e9b3ae02d80612151-659eb20beaaa3ea3.elb.us-west-1.amazonaws.com (13.56.90.212): 56 data bytes

If it cannot resolve the name, check the DNS servers configured on the SRX:

root@Mist_SRX> show configuration | display set | grep name-server 
set system name-server 8.8.8.8
set system name-server 8.8.4.4

If none is configured, configure a name server (set system name-server 8.8.8.8).

6. Ensure firewall ports are open (tcp port 2200 for oc-term.mistsys.net)

Check your cloud environment to see which ports and hosts to enable.

root@Mist_SRX> show system connections | grep 2200 

tcp4      0      0      10.0.0.51.49981                               54.83.93.93.2200                          ESTABLISHED

 

7. Check if the SRX system time is correct

root@Mist_SRX> show system uptime 
Current time: 2021-08-23 19:39:17 UTC
Time Source: LOCAL CLOCK 
System booted: 2021-07-14 22:40:20 UTC (5w4d 20:58 ago)
Protocols started: 2021-07-14 22:45:39 UTC (5w4d 20:53 ago)
Last configured: 2021-08-23 19:34:05 UTC (00:05:12 ago) by root
7:39PM up 39 days, 20:59, 2 users, load averages: 0.66, 1.07, 0.92

 

8. Check that ‘device-id’ has the format ‘<org_id>.<mac_addr>’ in the output of the CLI command below

root@Mist_SRX# show system services outbound-ssh 
traceoptions {
   file outbound-ssh.log size 64k files 5;
   flag all;
}
client mist {
   device-id bb2fb165-0931-49c7-a1b8-9b5814326b7d.<mac>;
   secret "$9$dTwoJjHqPTzkq0BREeKJGUHkP5QFAtO6/revMXxqmP5n/0ORhylu08X-dsYn/9tu1lKM7db0BwYgaUD.P5T69uO1rKMIRNdVwg4n/9tu1cyleM8n/M8xNY2GDiq.5Qz69p0/9revMXxk.m5n/0BIhyl1IxNbs4o69CtBIhclWX7yrYgoaiH5QFntuEhrMWxhcwYoaUD9AtuIEhSrW87ApWLN-ws4aZDjqP5QF/C.mhSleW8k.mfFn9ApOIE6/0IhSeKX7-dYgjHqmPQxNs4ZGq.hSyKLxws4oZUevUjk.5TSrlvMXYgoGUHg4z369OBVwsYJGHqmf5FUDmTz39CevM8NdbwgJZjyl24aJDjk.P5T369A"; ## SECRET-DATA
   keep-alive {
      retry 12;
      timeout 5;
   }
   services netconf;
   oc-term-staging.mistsys.net {
      port 2200;
      retry 1000;
      timeout 60;
   }
}

 

9. Deactivate the outbound SSH and reactivate it

Deactivate the outbound-ssh system service using the following command:

deactivate system services outbound-ssh client mist

commit

Activate outbound-ssh using the following command:

activate system services outbound-ssh client mist

commit

 

10. If you are adding the SRX for the first time:

Try releasing the SRX from the UI (delete the SW entry) and then try to readopt the SRX:

  1. Delete the present Mist configuration from the SRX.
  2. Adopt the SRX again using the CLI command.
  3. Verify system service outbound-ssh using the following commands:
show system services outbound-ssh

and

show system connections | grep 2200
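
The checks in steps 6 and 8 (the same two commands used in the verification above) can be run against captured CLI output. The Python script below is an added example, not part of the original article or of any Juniper or Mist tooling. It assumes that org_id is a UUID and mac_addr is 12 hex digits; the sample output, IDs and addresses are constructed.

```python
import re

# Assumption: org_id is a UUID and mac_addr is 12 hex digits, optionally
# separated by ':' or '-'; the page only gives '<org_id>.<mac_addr>'.
DEVICE_ID = re.compile(
    r"device-id\s+(?P<org>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"\.(?P<mac>(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2});", re.I)
# A server stanza: '<host> {' immediately followed by 'port <n>;'.
SERVER = re.compile(r"^\s*(?P<host>[\w.-]+)\s*\{\s*\n\s*port\s+(?P<port>\d+);", re.M)
# Connection line: proto, recv-q, send-q, local.port, remote.port, state.
CONN = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+\s+(?P<peer>\S+)\.(?P<port>\d+)"
                  r"\s+(?P<state>\S+)", re.M)

def check_outbound_ssh(config, connections, port=2200):
    """Validate steps 6 and 8 from captured CLI output."""
    dev = DEVICE_ID.search(config)
    return {
        "device_id_ok": dev is not None,
        "servers": [m["host"] for m in SERVER.finditer(config)
                    if int(m["port"]) == port],
        # Match the remote port exactly; a plain 'grep 2200' also hits
        # unrelated lines such as a local port 22001.
        "established": [m["peer"] for m in CONN.finditer(connections)
                        if int(m["port"]) == port and m["state"] == "ESTABLISHED"],
    }

def redact(config):
    """Mask values on lines marked '## SECRET-DATA' before sharing output."""
    return re.sub(r'"[^"]*"(?=;\s*## SECRET-DATA)', '"<redacted>"', config)

# Constructed sample output (documentation addresses, made-up IDs).
SAMPLE_CONFIG = """client mist {
   device-id 11111111-2222-3333-4444-555555555555.aabbccddeeff;
   secret "$9$constructed-value"; ## SECRET-DATA
   services netconf;
   oc-term.mistsys.net {
      port 2200;
      retry 1000;
   }
}
"""
SAMPLE_CONNS = """\
tcp4  0  0  192.0.2.10.22001  203.0.113.7.443   ESTABLISHED
tcp4  0  0  192.0.2.10.49981  203.0.113.20.2200 ESTABLISHED
tcp4  0  0  192.0.2.10.49990  203.0.113.21.2200 SYN_SENT
"""

if __name__ == "__main__":
    print(check_outbound_ssh(SAMPLE_CONFIG, SAMPLE_CONNS))
    print(redact(SAMPLE_CONFIG))
```

Run redact() over any outbound-ssh configuration before attaching it to a ticket or posting it, since the secret line is part of the command output.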