Troubleshooting the SRX5400

Troubleshooting the SRX5400 Firewall with the Junos OS CLI

The Junos OS command-line interface (CLI) is the primary tool for controlling and troubleshooting firewall hardware, Junos OS, routing protocols, and network connectivity. CLI commands display information from routing tables, information specific to routing protocols, and information about network connectivity derived from the ping and traceroute utilities.

You enter CLI commands on one or more external management devices connected to ports on the Routing Engine.

For information about using the CLI to troubleshoot Junos OS, see the appropriate Junos OS configuration guide.

Troubleshooting the SRX5400 Firewall with Chassis and Interface Alarm Messages

When the Routing Engine detects an alarm condition, it lights the major or minor alarm LED on the craft interface as appropriate. To view a more detailed description of the alarm cause, issue the show chassis alarms CLI command:

There are two classes of alarm messages:

  • Chassis alarms—Indicate a problem with a chassis component such as the cooling system or power supplies.

  • Interface alarms—Indicate a problem with a specific network interface.
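The following added example, which is not Juniper's code, parses captured show chassis alarms text and orders the alarms for triage, treating Major as the red severity and Minor as the yellow severity used in Table 1. The sample output and its alarm descriptions are constructed, and the keyword-to-component mapping is an assumption made here, not a Junos feature.

```python
import re
from dataclasses import dataclass

# Constructed sample in the usual text layout of "show chassis alarms".
# The description strings are illustrative, not verbatim Junos alarm text.
SAMPLE_OUTPUT = """\
user@host> show chassis alarms
3 alarms currently active
Alarm time               Class  Description
2024-03-10 22:01:07 UTC  Minor  Temperature Warm
2024-03-11 09:14:40 UTC  Major  Host 0 fxp0 : Ethernet Link Down
2024-03-11 09:14:52 UTC  Major  PEM 1 Not OK
"""

COUNT_LINE = re.compile(r"^(\d+) alarms? currently active")
ALARM_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)\s+(Major|Minor)\s+(.+?)\s*$"
)
# Major alarms light the red LED, minor alarms the yellow one.
LED_COLOUR = {"Major": "red", "Minor": "yellow"}

# Assumed keyword hints that point an alarm at a component group from Table 1.
COMPONENT_HINTS = [
    (re.compile(r"\bPEM\b", re.I), "Power supplies"),
    (re.compile(r"\bfan\b", re.I), "Fan trays"),
    (re.compile(r"\b(fxp0|em0)\b", re.I), "Routing Engine"),
    (re.compile(r"\bSCB\b", re.I), "System Control Board (SCB)"),
    (re.compile(r"\b(FPC|MPC|SPC)\b", re.I), "Interface or services card"),
    (re.compile(r"\btemperature\b", re.I), "Temperature"),
]


@dataclass(frozen=True)
class Alarm:
    time: str
    alarm_class: str
    description: str
    led: str
    component: str


def component_for(description):
    """Return the first Table 1 component group whose hint matches."""
    for pattern, component in COMPONENT_HINTS:
        if pattern.search(description):
            return component
    return "Unclassified"


def parse_chassis_alarms(text):
    """Parse CLI text into (alarms, warnings), major alarms first."""
    alarms, warnings, declared = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("No alarms currently active"):
            declared = 0
            continue
        count = COUNT_LINE.match(line)
        if count:
            declared = int(count.group(1))
            continue
        row = ALARM_ROW.match(line)
        if row:
            time, alarm_class, description = row.groups()
            alarms.append(Alarm(time, alarm_class, description,
                                LED_COLOUR[alarm_class],
                                component_for(description)))
    # A count that disagrees with the rows means the capture was cut short
    # or a row did not parse; surface that instead of reporting "healthy".
    if declared is None:
        warnings.append("no alarm count line found")
    elif declared != len(alarms):
        warnings.append(f"header declares {declared} alarms, parsed {len(alarms)}")
    # Stable sort: major first, CLI order kept within each class.
    alarms.sort(key=lambda a: a.alarm_class != "Major")
    return alarms, warnings


if __name__ == "__main__":
    parsed, problems = parse_chassis_alarms(SAMPLE_OUTPUT)
    for alarm in parsed:
        print(f"{alarm.led:6} {alarm.component:28} {alarm.description}")
    for problem in problems:
        print("WARNING:", problem)
```

The count check matters when output is collected over a flaky console or management session: a truncated capture is reported as a warning rather than silently read as fewer alarms.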

Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls

Table 1 lists the alarms that the chassis components can generate on SRX5400, SRX5600, and SRX5800 Firewalls.

Table 1: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls

| Chassis Component | Alarm Condition | Remedy | Alarm Severity |
| --- | --- | --- | --- |
| Air filters | Change air filter. | Change air filter. | Yellow |
| Alternative media | The Firewall boots from an alternate boot device, the hard disk. The CompactFlash card is typically the primary boot device. The Routing Engine boots from the hard disk when the primary boot device fails. | Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Yellow |
| Craft interface | The craft interface has failed. | Replace failed craft interface. | Red |
| Interface Cards (MPC/IOC/Flex IOC) | An interface card is offline. | Check the card. Remove and reinsert the card. If this fails, replace failed card. | Yellow |
| Interface Cards (MPC/IOC/Flex IOC) | An interface card has failed. | Replace failed card. | Red |
| Interface Cards (MPC/IOC/Flex IOC) | An interface card has been removed. | Insert card into empty slot. | Red |
| Interface Cards (MPC/IOC/Flex IOC) | Volt Sensor Fail | Reboot the specified card. | Red |
| Service Processing Card (SPC) | Abnormal exit in the current flow sessions of an SPU. | Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Red |
| Service Processing Card (SPC) | CPU Digital Thermal Sensor (DTS) of the SPC reaches the high or over temperature threshold. | Check the status of all fan trays. | Red |
| Service Processing Card (SPC) | FPC airflow temperature sensors in SRX5K-SPC3 reach or cross the high, over, or fire temperature threshold. | Check the status of all fan trays. | Red |
| Service Processing Card (SPC) | FPC airflow temperature sensors in SRX5K-SPC3 read/access failure. | If the alarm is present consistently, then it indicates a hardware issue. Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Yellow |
| Service Processing Card (SPC) | SRX5K-SPC3 checks for missing devices during boot and reports. | Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Red |
| Service Processing Card (SPC) | SRX5K-SPC3 LTC Firm Ware Version Mismatch. LEDs on the front panel of the chassis indicate major alarm. | To manually upgrade the LTC Firmware Version: 1. Issue the CLI show chassis alarms command to check which FPC slot is raising the LTC FW Version Mismatch alarm. 2. Issue the CLI show system firmware command to check the current LTC firmware version, whether a new version of LTC firmware is available for the SRX5K-SPC3 card, and whether the firmware status is OK. 3. If there is a new version of LTC firmware, issue the CLI command request system firmware upgrade pic fpc-slot x pic-slot x tag x to upgrade the LTC firmware on the SRX5K-SPC3 card. 4. Issue the CLI command show system firmware to confirm the status of the SRX5K-SPC3 LTC firmware is UPGRADED SUCCESSFULLY. 5. Reboot the Firewall. | Red |
| Service Processing Card (SPC) | Memory faults: DIMM failures and ECC errors. | Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Red |
| Service Processing Card (SPC) | Real Time Clock battery failure. | Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Red |
| Service Processing Card (SPC) | SSDs on the SRX5K-SPC3 missing or read/write to SSD is failing or SSD file system corrupt. | Replace the SSD, or open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Red |
| Service Processing Card (SPC) | OPMC Boot FPGA Faults | Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Red |
| Service Processing Card (SPC) | Voltage sensor faults | From the CLI use the command restart chassis-control to reboot the firewall. If the SPC still doesn't come online, then remove and reinsert the SPC. | Red |
| Fan trays | A fan tray has been removed from the chassis. | Install missing fan tray. | Red |
| Fan trays | Fan tray not working or failed. | Replace fan tray. | Red |
| Fan trays | One fan in the chassis is not spinning or is spinning below required speed. | Replace fan tray. | Red |
| Fan trays | A higher-cooling capacity fan tray is required when an MPC or high-density SPCs are installed on the chassis. | Upgrade to a high-capacity fan tray. | Yellow |
| Fan trays | Fan tray under voltage. | Reseat the fan tray. If the problem persists, open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Red |
| Fan trays | Wrong fan tray installed. | Check and insert the appropriate fan tray. | Red |
| Fan trays | In SRX5800 Firewall, mix of fan trays. | Insert the appropriate fan trays. | Red |
| Fan trays | In SRX5800 Firewall, wrong fan tray installed on the top. | Check and insert the appropriate fan tray. | Red |
| Host subsystem | A host subsystem has been removed. | Insert host subsystem into empty slot. | Yellow |
| Host subsystem | A host subsystem has failed. | Replace failed host subsystem. | Red |
| Power supplies | A power supply has been removed from the chassis. | Insert power supply into empty slot. | Yellow |
| Power supplies | A power supply has a high temperature. | Replace failed power supply or power entry module. | Red |
| Power supplies | A power supply input has failed. | Check power supply input connection. | Red |
| Power supplies | A power supply output has failed. | Check power supply output connection. | Red |
| Power supplies | A power supply has failed. | Replace failed power supply. | Red |
| Power supplies | Invalid AC power supply configuration. | When two AC power supplies are installed, insert one power supply into an odd-numbered slot and the other power supply into an even-numbered slot. | Red |
| Power supplies | Invalid DC power supply configuration. | When two DC power supplies are installed, insert one power supply into an odd-numbered slot and the other power supply into an even-numbered slot. | Red |
| Power supplies | Mix of AC and DC power supplies. | Do not mix AC and DC power supplies. For DC power, remove the AC power supply. For AC power, remove the DC power supply. | Red |
| Power supplies | Not enough power supplies. | Install an additional power supply. | Red |
| Routing Engine | Excessive framing errors on console port. An excessive framing error alarm is triggered when the default framing error threshold of 20 errors per second on a serial port is exceeded. This might be caused by a faulty serial console port cable connected to the device. | Replace the serial cable connected to the device. If the cable is replaced and no excessive framing errors are detected within 5 minutes from the last detected framing error, the alarm is cleared automatically. | Yellow |
| Routing Engine | Error in reading or writing hard disk. | Reformat hard disk and install bootable image. If this fails, replace failed Routing Engine. | Yellow |
| Routing Engine | Error in reading or writing CompactFlash card. | Reformat CompactFlash card and install bootable image. If this fails, replace failed Routing Engine. | Yellow |
| Routing Engine | System booted from default backup Routing Engine. If you manually switched primary role, ignore this alarm condition. | Install bootable image on default primary Routing Engine. If this fails, replace failed Routing Engine. | Yellow |
| Routing Engine | System booted from hard disk. | Install bootable image on CompactFlash card. If this fails, replace failed Routing Engine. | Yellow |
| Routing Engine | CompactFlash card missing in boot list. | Replace failed Routing Engine. | Red |
| Routing Engine | Hard disk missing in boot list. | Replace failed Routing Engine. | Red |
| Routing Engine | Routing Engine failed to boot. | Replace failed Routing Engine. | Red |
| Routing Engine | The Ethernet management interface (fxp0 or em0) on the Routing Engine is down. | • Check the interface cable connection. • Reboot the system. • If the alarm recurs, open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Red |
| System Control Board (SCB) | An SCB has been removed. | Insert SCB into empty slot. | Yellow |
| System Control Board (SCB) | An SCB temperature sensor alarm has failed. | Replace failed SCB. | Yellow |
| System Control Board (SCB) | An SCB has failed. | Replace failed SCB. | Red |
| System Control Board (SCB) | An SCB throughput decreased. | • Check the fabric plane summary to confirm that all 4 fabric planes are online. • This alarm could be raised before all fabric planes are brought up. It will be cleared after at least 4 planes are up. • If all planes are up and you still see alarms, raise a case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Yellow |
| System Control Board (SCB) | An SCB PMBus Device Fail | Ignore the alarm if raised once or twice. If the alarm is present consistently, then it indicates a hardware issue. Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Yellow |
| Temperature | The chassis temperature has exceeded 55 degrees C (131 degrees F), the fans have been turned on to full speed, and one or more fans have failed. | • Check room temperature. • Check air filter and replace it. • Check airflow. • Check fan. | Yellow |
| Temperature | The chassis temperature has exceeded 65 degrees C (149 degrees F), and the fans have been turned on to full speed. | • Check room temperature. • Check air filter and replace it. • Check airflow. • Check fan. | Yellow |
| Temperature | The chassis temperature has exceeded 65 degrees C (149 degrees F), and a fan has failed. If this condition persists for more than 4 minutes, the Firewall shuts down. | • Check room temperature. • Check air filter and replace it. • Check airflow. • Check fan. | Red |
| Temperature | Chassis temperature has exceeded 75 degrees C (167 degrees F). If this condition persists for more than 4 minutes, the Firewall shuts down. | • Check room temperature. • Check air filter and replace it. • Check airflow. • Check fan. | Red |
| Temperature | The temperature sensor has failed. | • Check environmental conditions and alarms on other devices. • Ensure that environmental factors (such as hot air blowing around the equipment) are not affecting the temperature sensor. • If the alarm recurs, open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Red |

Backup Routing Engine Alarms

For Firewalls with primary and backup Routing Engines, a primary Routing Engine can generate alarms for events that occur on a backup Routing Engine. Table 2 lists chassis alarms generated for a backup Routing Engine.

Note:

Because the failure occurs on the backup Routing Engine, alarm severity for some events (such as Ethernet interface failures) is yellow instead of red.

Note:

For information about configuring redundant Routing Engines, see the Junos OS High Availability Library for Routing Devices.

Table 2: Backup Routing Engine Alarms

| Chassis Component | Alarm Condition | Remedy | Alarm Severity |
| --- | --- | --- | --- |
| Alternative media | The backup Routing Engine boots from an alternate boot device, the hard disk. The CompactFlash card is typically the primary boot device. The Routing Engine boots from the hard disk when the primary boot device fails. | Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Yellow |
| Boot Device | The boot device (CompactFlash or hard disk) is missing in boot list on the backup Routing Engine. | Replace failed backup Routing Engine. | Red |
| Ethernet | The Ethernet management interface (fxp0 or em0) on the backup Routing Engine is down. | • Check the interface cable connection. • Reboot the system. • If the alarm recurs, open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Yellow |
| FRU Offline | The backup Routing Engine has stopped communicating with the primary Routing Engine. | Open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Yellow |
| Hard Disk | Error in reading or writing hard disk on the backup Routing Engine. | Reformat hard disk and install bootable image. If this fails, replace failed backup Routing Engine. | Yellow |
| Multibit Memory ECC | The backup Routing Engine reports a multibit ECC error. | • Reboot the system with the board reset button on the backup Routing Engine. • If the alarm recurs, open a support case using the Case Manager link at https://www.juniper.net/support/ or call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). | Yellow |

Troubleshooting the SRX5400 Firewall with Alarm Relay Contacts

The craft interface has two alarm relay contacts for connecting the firewall to external alarm devices. Whenever a system condition triggers either the major or minor alarm on the craft interface, the alarm relay contacts are also activated. The alarm relay contacts are located on the upper right of the craft interface.

Troubleshooting the SRX5400 Firewall with the Craft Interface LEDs

The craft interface is the panel on the front of the firewall located above the card cage that contains LEDs and buttons that allow you to troubleshoot the device.

LEDs on the craft interface include the following:

  • Alarm LEDs—One large major alarm circular LED and one large minor alarm triangular LED, located on the upper right of the craft interface, indicate two levels of alarm conditions. The circular major alarm LED lights to indicate a critical condition that can result in a system shutdown. The triangular minor alarm LED lights to indicate a less severe condition that requires monitoring or maintenance. Both LEDs can be lit simultaneously. A condition that causes an alarm LED to light also activates the corresponding alarm relay contact on the craft interface.

  • Host subsystem LEDs—Three LEDs, MASTER, ONLINE, and OFFLINE, indicate the status of the host subsystem. A green MASTER LED indicates that the host is functioning as primary. The ONLINE LED indicates the host is online. The OFFLINE LED indicates the host is offline. The host subsystem LEDs are located on the left of the craft interface and are labeled RE0 and RE1.

  • Power supply LEDs—Two LEDs (PEM) indicate the status of each power supply. Green indicates that the power supply is functioning normally. Red indicates that the power supply is not functioning normally. The power supply LEDs are located in the center of the craft interface, and are labeled 0 through 3.

  • Card OK/Fail LEDs—Two LEDs, OK and FAIL, indicate the status of the card in each slot in the card cage. Green indicates OK and red indicates a failure. The card OK/Fail LEDs are located along the bottom of the craft interface, and are labeled 0 through 5.

  • SCB LEDs—Two LEDs, OK and FAIL, indicate the status of the SCB. Green indicates OK and red indicates a failure. The SCB LEDs are located in the center of the craft interface along the bottom, and are labeled 0 and 1.

  • Fan LEDs—Two LEDs indicate the status of the fan. Green indicates OK and red indicates FAIL. The fan LEDs are located on the upper left of the craft interface.

Troubleshooting the SRX5400 Firewall with the Component LEDs

The following LEDs are located on various firewall components and display the status of those components:

  • Card LED—One LED labeled OK/FAIL on each card in the card cage indicates the card’s status.

  • MIC LED—One LED labeled OK/FAIL on the faceplate of each MIC installed in an MPC indicates the MIC's status.

  • SCB LEDs—Three LEDs, labeled FABRIC ACTIVE, FABRIC ONLY, and OK/FAIL, on each SCB faceplate indicate the status of the SCB. If no LEDs are lit, the primary Routing Engine might still be booting, or the SCB is not receiving power.

  • Routing Engine LEDs—Four LEDs, labeled MASTER, HDD, ONLINE, and FAIL on the Routing Engine faceplate indicate the status of the Routing Engine and hard disk drive.

  • Power supply LEDs—Three or four LEDs on each power supply faceplate indicate the status of that power supply.

Troubleshooting the SRX5400 Firewall Cooling System

Problem

Description

The fans in a fan tray are not functioning normally.

Solution

Follow these guidelines to troubleshoot the fans:

  • Check the fan LEDs and alarm LEDs on the craft interface.

  • If the major alarm LED on the craft interface lights, use the CLI to get information about the source of an alarm condition: user@host> show chassis alarms.

    If the CLI output lists only one fan failure, and the other fans are functioning normally, the fan is most likely faulty and you must replace the fan tray.

  • Place your hand near the exhaust vents at the side of the chassis to determine whether the fans are pushing air out of the chassis.

  • If the fan tray is removed, a minor alarm and a major alarm occur.

  • The following conditions automatically cause the fans to run at full speed and also trigger the indicated alarm:

    • A fan fails (major alarm).

    • The firewall temperature exceeds the “temperature warm” threshold (minor alarm).

    • The temperature of the firewall exceeds the maximum (“temperature hot”) threshold (major alarm and automatic shutdown of the power supplies).

Troubleshooting SRX5400 Firewall MPCs

Problem

Description

The MPCs are not functioning normally.

Solution

  • Monitor the green LED labeled OK on the craft interface corresponding to the slot as soon as an MPC is seated in an operating firewall.

    The Routing Engine downloads the MPC software to it under two conditions: the MPC is present when the Routing Engine boots Junos OS, and the MPC is installed and requested online through the CLI or push button on the front panel. The MPC then runs diagnostics, during which the OK LED blinks. When the MPC is online and functioning normally, the OK LED lights green steadily.

  • Make sure the MPC is properly seated in the midplane. Check that each ejector handle has been turned clockwise and is tight.

  • Check the OK/FAIL LED on the MPC and OK and FAIL LEDs for the slot on the craft interface. When the MPC is online and functioning normally, the OK LED lights green steadily.

  • Issue the CLI show chassis fpc command to check the status of the installed MPCs. As shown in the sample output, the value Online in the column labeled State indicates that the MPC is functioning normally:

    For more detailed output, add the detail option. The following example does not specify a slot number, which is optional:

    For further description of the output from the command, see Junos OS System Basics and Services Command Reference at www.juniper.net/documentation/.

Troubleshooting SRX5400 Firewall MICs

Problem

Description

The MICs are not functioning normally.

Solution

  • Check the status of each port on a MIC by looking at the LED located on the MIC faceplate.

  • Check the status of a port module by issuing the show chassis fpc pic-status CLI command. The MIC slots in the MPC are numbered from 0 through 1:

    For further description of the output from the command, see Junos OS System Basics and Services Command Reference at www.juniper.net/documentation/.

Troubleshooting SRX5400 Firewall SPCs

Problem

Description

A Services Processing Card (SPC) is not functioning normally.

Solution

  • Make sure the SPC is properly seated in the midplane. Check that each ejector handle has been turned clockwise and is tight.

  • Issue the CLI show chassis fpc command to check the status of installed SPCs. As shown in the sample output, the value Online in the column labeled State indicates that the SPC is functioning normally:

    For more detailed output, add the detail option. The following example does not specify a slot number, which is optional:

    For further description of the output from the command, see Junos OS System Basics and Services Command Reference at www.juniper.net/documentation/.

Troubleshooting the SRX5400 Firewall Power System

Problem

Description

The power system is not functioning normally.

Solution

  • Check the LEDs on each power supply faceplate.

    • If an AC power supply is correctly installed and functioning normally, the AC OK and DC OK LEDs light steadily, and the PS FAIL LED is not lit.

    • If a DC power supply is correctly installed and functioning normally, the PWR OK, BREAKER ON, and INPUT OK LEDs light steadily.

  • Issue the CLI show chassis environment pem command to check the status of installed power supplies. As shown in the sample output, the value Online in the rows labeled State indicates that each power supply is functioning normally:

If a power supply is not functioning normally, perform the following steps to diagnose and correct the problem:

  • If a major alarm condition occurs, issue the show chassis alarms command to determine the source of the problem.

  • Check that the AC input switch () or DC circuit breaker (|) is in the on position and that the power supply is receiving power.

  • Verify that the source circuit breaker has the proper current rating. Each power supply must be connected to a separate source circuit breaker.

  • Verify that the AC power cord or DC power cables from the power source to the firewall are not damaged. If the insulation is cracked or broken, immediately replace the cord or cable.

  • Connect the power supply to a different power source with a new power cord or power cables. If the power supply status LEDs indicate that the power supply is not operating normally, the power supply is the source of the problem. Replace the power supply with a spare.

  • If all power supplies have failed, the system temperature might have exceeded the threshold, causing the system to shut down.

    Note:

    If the system temperature exceeds the threshold, Junos OS shuts down all power supplies so that no status is displayed.

    Junos OS also can shut down one of the power supplies for other reasons. In this case, the remaining power supplies provide power to the firewall, and you can still view the system status through the CLI or display.

    To restart a high-capacity AC power supply after a shutdown due to an over-temperature situation:

    1. Move the power switch on the power supply to the off (o) position.

    2. Turn off power to where the AC line goes into the power distribution module (PDM) area.

    3. Wait for the power supply LEDs to fade out and for the fans inside the power supply to shut down. This can take up to 10 seconds.

      CAUTION:

      Do not attempt to power on the power supply if the LED is still lit and the fan is still running. If you do, the firewall will not reboot.

    4. Turn on power to where the AC line goes into the power distribution module (PDM) area.

    5. Move the power switch on the power supply to the on (|) position.

    6. Verify that the LEDs on the power supply faceplate are properly lit.

    7. Issue the CLI show chassis environment pem command and verify the State is ONLINE and the Temperature is OK.

    To restart a high-capacity DC power supply after a shutdown due to an over-temperature situation:

    1. Switch off the circuit breaker(s) on the DC distribution panel to remove power to the chassis and power supplies.

    2. Switch on the circuit breaker(s) on the distribution panel to power up the chassis and power supplies.

      Note:

      The power switch on the power supplies is not part of the outer or inner DC circuits and therefore does not need to be switched off when restarting the chassis.

Behavior of the SRX5400, SRX5600, and SRX5800 Firewalls When the SRX5K-SCBE and SRX5K-RE-1800X4 in a Chassis Cluster Fail

It is important to understand the behavior of the SRX5400, SRX5600, and SRX5800 Firewalls when the Switch Control Board (SRX5K-SCBE) and Routing Engine (SRX5K-RE-1800X4) in the chassis cluster fail.

Note:

This procedure is also applicable for SCB3 except that SCB3 redundancy is supported.

Note:

We strongly recommend that you perform the ISHU during a maintenance window, or during the lowest possible traffic as the secondary node is not available at this time.

Note:

The SRX5K-SCBE and SRX5K-RE-1800X4 are not hot-swappable.

Note:

Four fabric planes must be active at any time in a chassis cluster. If fewer than four fabric planes are active, then the Redundancy Group (RG1+) will fail over to the secondary node.

Table 3 shows the minimum fabric plane requirements for the SCB.

Table 3: Expected Device Behavior and Minimum SRX5K-SCBE and Fabric Plane Requirements

| Platform | Number of SRX5K-SCBs | Active Planes | Redundant Planes | Expected Behavior After the SCB and Routing Engine are Removed |
| --- | --- | --- | --- | --- |
| SRX5400 | 1 | 4 (virtual) | 0 (virtual) | If the SCB in the primary node fails, the device will fail over to the secondary node as the primary node powers off. |
| SRX5600 | 2 | 4 (virtual) | 4 (virtual) | If the active SCB in the primary node fails, the behavior of the device does not change as the redundant SCB becomes active, provided all four fabric planes are in good condition. If the second SCB in the primary node fails, the device will fail over to the secondary node as the primary node powers off. |
| SRX5800 | 3 | 4 | 2 | This device supports one SCB for two fabric planes, providing a redundancy of three SCBs. If the active SCB fails, the device behavior does not change as the remaining two SCBs fulfill the requirement to have four fabric planes. If the second SCB also fails, no spare planes are available in the chassis, triggering inter-chassis redundancy. Therefore, RG1+ will fail over to the secondary node. |

Note:

In SRX5600 and SRX5800 Firewalls, failover does not happen when the secondary Routing Engine in slot 1 fails, while the SCB in slot 1 is inactive.

For detailed information about chassis cluster, see the Chassis Cluster User Guide for SRX Series Devices at www.juniper.net/documentation/.