USB Modems for Remote Management of Security Devices
Junos OS allows the use of USB modems for remote management on SRX Series Firewall. You can use Telnet or SSH to connect to the device from a remote location through two modems over a telephone network. For more information, read this topic.
USB Modem Interface Overview
Juniper Networks SRX Series Firewalls support the use of USB modems for remote management. You can use Telnet or SSH to connect to the device from a remote location through two modems over a telephone network. The USB modem is connected to the USB port on the device, and a second modem is connected to a remote management device such as a PC or laptop computer.
USB modems are no longer supported for dial backup on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices.
You can configure your device to fail over to a USB modem connection when the primary Internet connection experiences interruption.
A USB modem connects to a device through modem interfaces that you configure. The device applies its own modem AT commands to initialize the attached modem. Modem setup requires that you connect and configure the USB modem at the device and the modem at the user end of the network.
You use either the J-Web configuration editor or CLI configuration editor to configure the USB modem and its supporting dialer interfaces.
Low-latency traffic such as VoIP traffic is not supported over USB modem connections.
We recommend using a US Robotics USB 56k V.92 Modem, model number USR Model 5637.
USB Modem Interfaces
You configure two types of interfaces for USB modem connectivity:
A physical interface which uses the naming convention umd0. The device creates this interface when a USB modem is connected to the USB port.
A logical interface called the dialer interface. You use the dialer interface, dln, to configure dialing properties for USB modem connections. The dialer interface can be configured using Point-to-Point Protocol (PPP) encapsulation. You can also configure the dialer interface to support authentication protocols—PPP Challenge Handshake (CHAP) or Password Authentication Protocol (PAP). You can configure multiple dialer interfaces for different functions on the device. After configuring the dialer interface, you must configure a backup method such as a dialer backup, a dialer filter, or a dialer watch.
The USB modem provides a dial-in remote management interface, and supports dialer interface features by sharing the same dial pool as a dialer interface. The dial pool allows the logical dialer interface and the physical interface to be bound together dynamically on a per-call basis. You can configure the USB modem to operate either as a dial-in console for management or as a dial-in WAN backup interface. Dialer pool priority has a range from 1 to 255, with 1 designating the lowest priority interfaces and 255 designating the highest priority interfaces.
Dialer Interface Rules
The following rules apply when you configure dialer interfaces for USB modem connections:
The dialer interface must be configured to use PPP encapsulation. You cannot configure Cisco High-Level Data Link Control (HDLC) or Multilink PPP (MLPPP) encapsulation on dialer interfaces.
The dialer interface cannot be configured as a constituent link in a multilink bundle.
The dialer interface can perform backup, dialer filter, and dialer watch functions, but these operations are mutually exclusive. You can configure a single dialer interface to operate in only one of the following ways:
As a backup interface—for one primary interface
As a dialer filter
As a dialer watch interface
The backup dialer interfaces are activated only when the primary interface fails. USB modem backup connectivity is supported on all interfaces except lsq-0/0/0.
The dial-on-demand routing backup method allows a USB modem connection to be activated only when network traffic configured as an “interesting packet” arrives on the network. Once the network traffic is sent, an inactivity timer is triggered and the connection is closed. You define an interesting packet using the dialer filter feature of the device. To configure dial-on-demand routing backup using a dialer filter, you first configure the dialer filter and then apply the filter to the dialer interface.
Dialer watch is a backup method that integrates backup dialing with routing capabilities and provides reliable connectivity without relying on a dialer filter to trigger outgoing USB modem connections. With dialer watch, the device monitors the existence of a specified route. If the route disappears, the dialer interface initiates the USB modem connection as a backup connection.
How the Device Initializes USB Modems
When you connect the USB modem to the USB port on the device, the device applies the modem AT commands configured in the init-command-string command to the initialization commands on the modem.
If you do not configure modem AT commands for the init-command-string command, the device applies the following default sequence of initialization commands to the modem: AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0. Table 1 describes the commands. For more information about these commands, see the documentation for your modem.
| Modem Command | Description |
|---|---|
| AT | Attention. Informs the modem that a command follows. |
| S7=45 | Instructs the modem to wait 45 seconds for a telecommunications service provider (carrier) signal before terminating the call. |
| S0=0 | Disables the auto answer feature, whereby the modem automatically answers calls. |
| V1 | Displays result codes as words. |
| &C1 | Disables reset of the modem when it loses the carrier signal. |
| E0 | Disables the display on the local terminal of commands issued to the modem from the local terminal. |
| Q0 | Enables the display of result codes. |
| &Q8 | Enables Microcom Networking Protocol (MNP) error control mode. |
| %C0 | Disables data compression. |
When the device applies the modem AT commands in the init-command-string command or the default sequence of initialization commands to the modem, it compares them to the initialization commands already configured on the modem and makes the following changes:
If the commands are the same, the device overrides existing modem values that do not match. For example, if the initialization commands on the modem include S0=0 and the device's init-command-string command includes S0=2, the device applies S0=2.
If the initialization commands on the modem do not include a command in the device's init-command-string command, the device adds it. For example, if the init-command-string command includes the command L2, but the modem commands do not include it, the device adds L2 to the initialization commands configured on the modem.
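The override-and-add rules above can be modelled to work out the effective initialization sequence and, for a configuration review, whether the modem will auto-answer incoming calls. This is an added example, not Juniper code: the function names and the simplified Hayes token grammar are assumptions, and DEVICE_INIT is a constructed string combining the S0=2 and L2 commands used on this page.

```python
import re

# Default initialization sequence quoted on this page.
DEFAULT_INIT = "AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0"
# Constructed init-command-string value, written as it is typed in the CLI
# (the trailing \n is the literal two-character terminator).
DEVICE_INIT = r"ATS0=2 L2 \n"

# Assumed, simplified grammar: an S-register assignment (S7=45), or an optional
# & / % prefix, one letter and an optional numeric value (V1, &C1, %C0, L2).
_TOKEN = re.compile(r"S(\d+)=(\d+)|([&%]?[A-Z])(\d*)", re.IGNORECASE)


def parse_init(string):
    """Return an ordered {command: value} dict for an AT init string."""
    body = string.replace("\\n", "").strip()  # drop the CLI's literal \n
    if body[:2].upper() != "AT":
        raise ValueError("init string must start with AT")
    body = body[2:]
    commands = {}
    pos = 0
    while pos < len(body):
        if body[pos].isspace():          # spaces between commands are allowed
            pos += 1
            continue
        m = _TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"unrecognised command at {body[pos:]!r}")
        if m.group(1) is not None:       # S-register: key S<n>, value after '='
            commands["S" + m.group(1)] = m.group(2)
        else:                            # letter command: key incl. prefix
            commands[m.group(3).upper()] = m.group(4)
        pos = m.end()
    return commands


def effective_init(modem_string, device_string):
    """Apply the device's commands to the modem's, as the page describes.

    Returns (merged commands, list of (action, command, new value)).
    """
    merged = parse_init(modem_string)
    changes = []
    for cmd, value in parse_init(device_string).items():
        if cmd not in merged:
            changes.append(("added", cmd, value))
        elif merged[cmd] != value:
            changes.append(("overridden", cmd, value))
        merged[cmd] = value
    return merged, changes


def render(commands):
    """Format a command dict back into a single AT string."""
    parts = [f"{c}={v}" if c[0] == "S" and c[1:].isdigit() else c + v
             for c, v in commands.items()]
    return "AT " + " ".join(parts)


def auto_answer_rings(commands):
    """Rings before auto-answer; 0 means the modem never answers by itself."""
    return int(commands.get("S0", "0"))


if __name__ == "__main__":
    merged, changes = effective_init(DEFAULT_INIT, DEVICE_INIT)
    print(render(merged))
    for change in changes:
        print(change)
    print("auto-answer after", auto_answer_rings(merged), "rings")
```

A nonzero result from auto_answer_rings means the modem accepts dial-in calls, so the incoming-map and PPP authentication settings on the dialer interface are what control who can reach the device.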
On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps or above), keepalives do not get exchanged, and the interface goes down. (Platform support depends on the Junos OS release in your installation.)
USB Modem Configuration Overview
USB modems are no longer supported for dial backup on SRX300, SRX320, SRX340, and SRX345 devices.
Before you begin:
Suppose you have a branch office router and a head office router each with a USB modem interface and a dialer interface. This example shows you how to establish a backup connection between the branch office and head office routers. See Table 2 for a summarized description of the procedure.
| Router Location | Configuration Requirement | Procedure |
|---|---|---|
| Branch Office | Configure the logical dialer interface on the branch office router for USB modem dial backup. | To configure the logical dialer interface, see Example: Configuring a USB Modem Interface. |
| | Configure the dialer interface | Configure the dialer interface using one of the following backup methods: |
| Head Office | Configure dial-in on the dialer interface | To configure dial-in on the head office router, see Example: Configuring a Dialer Interface for USB Modem Dial-In. |
If the dialer interface is configured to accept only calls from a specific caller ID, the device matches the incoming call's caller ID against the caller IDs configured on its dialer interfaces. If an exact match is not found and the incoming call's caller ID has more digits than the configured caller IDs, the device performs a right-to-left match of the incoming call's caller ID with the configured caller IDs and accepts the incoming call if a match is found. For example, if the incoming call's caller ID is 4085321091 and the caller ID configured on a dialer interface is 5321091, the incoming call is accepted. Each dialer interface accepts calls from only callers whose caller IDs are configured on it.
See Table 3 for a list of available incoming map options.
| Option | Description |
|---|---|
| accept-all | Dialer interface accepts all incoming calls. You can configure the |
| caller | Dialer interface accepts calls from a specific caller ID. You can configure a maximum of 15 caller IDs per dialer interface. The same caller ID must not be configured on different dialer interfaces. However, you can configure caller IDs with more or fewer digits on different dialer interfaces. For example, you can configure the caller IDs 14085551515, 4085551515, and 5551515 on different dialer interfaces. |
You configure dialer interfaces to support PAP. PAP allows a simple method for a peer to establish its identity using a two-way handshake during initial link establishment. After the link is established, an ID and password pair are repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated.
Example: Configuring a USB Modem Interface
This example shows how to configure a USB modem interface for dial backup.
USB modems are no longer supported for dial backup on SRX300, SRX320, SRX340, and SRX345 devices.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you create an interface called umd0 for USB modem connectivity and set the dialer pool priority to 25. You also configure a modem initialization string to autoanswer after a specified number of rings. The default modem initialization string is AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0. The modem command S0=0 prevents the modem from autoanswering calls. Finally, you set the modem to act as a dial-in WAN backup interface.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
    set interfaces umd0 dialer-options pool usb-modem-dialer-pool priority 25
    set interfaces umd0 modem-options init-command-string "ATS0=2 \n" dialin routable
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a USB modem interface for dial backup:
Create an interface.
    [edit]
    user@host# edit interfaces umd0
Set the dialer options and priority.
    [edit interfaces umd0]
    user@host# set dialer-options pool usb-modem-dialer-pool priority 25
Specify the modem options.
    [edit interfaces umd0]
    user@host# set modem-options init-command-string "ATS0=2 \n"
Set the modem to act as a dial-in WAN backup interface.
    [edit interfaces umd0]
    user@host# set modem-options dialin routable
Results
From configuration mode, confirm your configuration by entering the show interfaces umd0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show interfaces umd0
    modem-options {
        init-command-string "ATS0=2 \n";
        dialin routable;
    }
    dialer-options {
        pool usb-modem-dialer-pool priority 25;
    }
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying the Configuration
Purpose
Verify a USB modem interface for dial backup.
Action
From configuration mode, enter the show interfaces umd0 extensive command. The output shows a summary of interface information and displays the modem status.
    Physical interface: umd0, Enabled, Physical link is Up
      Interface index: 64, SNMP ifIndex: 33, Generation: 1
      Type: Async-Serial, Link-level type: PPP-Subordinate, MTU: 1504, Clocking: Unspecified, Speed: MODEM
      Device flags : Present Running
      Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
      Link flags : None
      Hold-times : Up 0 ms, Down 0 ms
      Last flapped : Never
      Statistics last cleared: Never
      Traffic statistics:
        Input bytes : 21672
        Output bytes : 22558
        Input packets: 1782
        Output packets: 1832
      Input errors:
        Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0, Resource errors: 0
      Output errors:
        Carrier transitions: 63, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0
      MODEM status:
        Modem type : LT V.92 1.0 MT5634ZBA-USB-V92 Data/Fax Modem (Dual Config) Version 2.27m
        Initialization command string : ATS0=2
        Initialization status : Ok
        Call status : Connected to 4085551515
        Call duration : 13429 seconds
        Call direction : Dialin
        Baud rate : 33600 bps
        Most recent error code : NO CARRIER
      Logical interface umd0.0 (Index 2) (SNMP ifIndex 34) (Generation 1)
        Flags: Point-To-Point SNMP-Traps Encapsulation: PPP-Subordinate
Example: Configuring a Dialer Interface
This example shows how to configure a logical dialer interface for an SRX300, SRX320, SRX340, or SRX345 device.
Requirements
Before you begin:
Install device hardware and establish basic connectivity. See the Getting Started Guide for your device.
Order a US Robotics USB 56k V.92 Modem, model number USR Model 5637, from US Robotics (http://www.usr.com/).
Order a dial-up modem for the PC or laptop computer at the remote location from where you want to connect to the device.
Order a PSTN line from your telecommunications service provider. Contact your service provider.
Overview
In this example, you configure a logical dialer interface called dl0 to establish USB connectivity. You can configure multiple dialer interfaces for different functions on the device. You add a description to differentiate among different dialer interfaces. For example, this modem is called USB-modem-remote-management. Configure PPP encapsulation and set the logical unit as 0. You then specify the name of the dialer pool as usb-modem-dialer-pool and set the source and destination IP addresses as 172.20.10.2 and 172.20.10.1, respectively.
You cannot configure Cisco High-Level Data Link Control (HDLC) or Multilink PPP (MLPPP) encapsulation on dialer interfaces used in USB modem connections.
If you configure multiple dialer interfaces, ensure that the same IP subnet address is not configured on different dialer interfaces. Configuring the same IP subnet address on multiple dialer interfaces can result in inconsistency in the route and packet loss. The device might route packets through another dialer interface with the IP subnet address instead of through the dialer interface to which the USB modem call is mapped.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
    set interfaces dl0 description USB-modem-remote-management encapsulation ppp
    set interfaces dl0 unit 0 dialer-options pool usb-modem-dialer-pool
    set interfaces dl0 unit 0 family inet address 172.20.10.2 destination 172.20.10.1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a logical dialer interface for the device:
Create an interface.
    [edit]
    user@host# edit interfaces dl0
Add a description and configure PPP encapsulation.
    [edit interfaces dl0]
    user@host# set description USB-modem-remote-management
    user@host# set encapsulation ppp
Create the logical unit.
Note: The logical unit number must be 0.
    [edit interfaces dl0]
    user@host# edit unit 0
Configure the name of the dialer pool to use for USB modem connectivity.
    [edit interfaces dl0 unit 0]
    user@host# set dialer-options pool usb-modem-dialer-pool
Configure source and destination IP addresses for the dialer interface.
    [edit interfaces dl0 unit 0]
    user@host# set family inet address 172.20.10.2 destination 172.20.10.1
Results
From configuration mode, confirm your configuration by entering the show interfaces dl0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show interfaces dl0
    description USB-modem-remote-management;
    encapsulation ppp;
    unit 0 {
        family inet {
            address 172.20.10.2/32 {
                destination 172.20.10.1;
            }
        }
        dialer-options {
            pool usb-modem-dialer-pool;
        }
    }
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying a Dialer Interface
Purpose
Verify that the dialer interface has been configured.
Action
From configuration mode, enter the show interfaces dl0 extensive command. The output shows a summary of dialer interface information.
    Physical interface: dl0, Enabled, Physical link is Up
      Interface index: 128, SNMP ifIndex: 24, Generation: 129
      Type: 27, Link-level type: PPP, MTU: 1504, Clocking: Unspecified, Speed: Unspecified
      Device flags : Present Running
      Interface flags: SNMP-Traps
      Link type : Full-Duplex
      Link flags : Keepalives
      Physical info : Unspecified
      Hold-times : Up 0 ms, Down 0 ms
      Current address: Unspecified, Hardware address: Unspecified
      Alternate link address: Unspecified
      Last flapped : Never
      Statistics last cleared: Never
      Traffic statistics:
        Input bytes : 13859 0 bps
        Output bytes : 0 0 bps
        Input packets: 317 0 pps
        Output packets: 0 0 pps
      Input errors:
        Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0, Resource errors: 0
      Output errors:
        Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0
      Logical interface dl0.0 (Index 70) (SNMP ifIndex 75) (Generation 146)
        Description: USB-modem-remote-management
        Flags: Point-To-Point SNMP-Traps 0x4000 LinkAddress 23-0 Encapsulation: PPP
        Dialer:
          State: Active, Dial pool: usb-modem-dialer-pool
          Dial strings: 220
          Subordinate interfaces: umd0 (Index 64)
          Activation delay: 0, Deactivation delay: 0
          Initial route check delay: 120
          Redial delay: 3
          Callback wait period: 5
          Load threshold: 0, Load interval: 60
        Bandwidth: 115200
        Traffic statistics:
          Input bytes : 24839
          Output bytes : 17792
          Input packets: 489
          Output packets: 340
        Local statistics:
          Input bytes : 10980
          Output bytes : 17792
          Input packets: 172
          Output packets: 340
        Transit statistics:
          Input bytes : 13859 0 bps
          Output bytes : 0 0 bps
          Input packets: 317 0 pps
          Output packets: 0 0 pps
        LCP state: Opened
        NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
        CHAP state: Success
        Protocol inet, MTU: 1500, Generation: 136, Route table: 0
          Flags: None
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 172.20.10.1, Local: 172.20.10.2, Broadcast: Unspecified, Generation: 134
Example: Configuring a Dialer Interface for USB Modem Dial-In
This example shows how to configure a dialer interface for USB modem dial-in.
USB modems are no longer supported for dial-in to a dialer interface on SRX300, SRX320, SRX340, and SRX345 devices.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
To enable connections to the USB modem from a remote location, you must configure the dialer interfaces set up for USB modem use to accept incoming calls. You can configure a dialer interface to accept all incoming calls or accept only calls from one or more caller IDs.
If the dialer interface is configured to accept only calls from a specific caller ID, the system matches the incoming call's caller ID against the caller IDs configured on its dialer interfaces. If an exact match is not found and the incoming call's caller ID has more digits than the configured caller IDs, the system performs a right-to-left match of the incoming call's caller ID with the configured caller IDs and accepts the incoming call if a match is found. For example, if the incoming call's caller ID is 4085550115 and the caller ID configured on a dialer interface is 5550115, the incoming call is accepted. Each dialer interface accepts calls from only callers whose caller IDs are configured on it.
You can configure the following incoming map options for the dialer interface:
accept-all—Dialer interface accepts all incoming calls.
You can configure the accept-all option for only one of the dialer interfaces associated with a USB modem physical interface. The device uses the dialer interface with the accept-all option configured only if the incoming call's caller ID does not match the caller IDs configured on other dialer interfaces.
caller—Dialer interface accepts calls from a specific caller ID, for example, 4085550115. You can configure a maximum of 15 caller IDs per dialer interface.
The same caller ID must not be configured on different dialer interfaces. However, you can configure caller IDs with more or fewer digits on different dialer interfaces. For example, you can configure the caller IDs 14085550115, 4085550115, and 5550115 on different dialer interfaces.
In this example, you configure the incoming map option as caller 4085550115 for dialer interface dl0.
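The incoming-map rules above (exact match, then right-to-left match, then accept-all) can be modelled to review which dialer interface would accept a given caller ID, and to see that a short configured caller ID also admits every longer number ending in those digits. This is an added example, not Juniper code: the function names, the dictionary layout and the interface names dl1 and dl2 are assumptions, and picking the longest configured ID when several match right-to-left is an assumption the page does not state.

```python
MAX_CALLER_IDS = 15  # limit per dialer interface stated on this page


def validate_incoming_maps(maps):
    """Check the configuration rules the page gives for incoming-map.

    maps: {"dl0": {"callers": ["4085550115"], "accept_all": False}, ...}
    Returns a list of problems (empty when the rules hold).
    """
    problems = []
    owner = {}
    accept_all = [name for name, m in maps.items() if m.get("accept_all")]
    if len(accept_all) > 1:
        problems.append("accept-all configured on more than one dialer "
                        "interface: " + ", ".join(accept_all))
    for name, m in maps.items():
        callers = m.get("callers", [])
        if len(callers) > MAX_CALLER_IDS:
            problems.append(f"{name}: {len(callers)} caller IDs exceeds "
                            f"{MAX_CALLER_IDS}")
        for cid in callers:
            if cid in owner and owner[cid] != name:
                problems.append(f"caller {cid} configured on both "
                                f"{owner[cid]} and {name}")
            owner.setdefault(cid, name)
    return problems


def select_interface(incoming, maps):
    """Return (interface, reason) for an incoming caller ID.

    Returns (None, "rejected") when no dialer interface accepts the call.
    """
    configured = [(cid, name) for name, m in maps.items()
                  for cid in m.get("callers", [])]
    # 1. An exact match on a configured caller ID wins.
    for cid, name in configured:
        if cid == incoming:
            return name, "exact"
    # 2. Right-to-left match: the incoming ID has more digits and ends with a
    #    configured ID. Assumption: the longest configured ID is preferred.
    suffix = [(cid, name) for cid, name in configured
              if len(incoming) > len(cid) and incoming.endswith(cid)]
    if suffix:
        cid, name = max(suffix, key=lambda pair: len(pair[0]))
        return name, f"right-to-left match on {cid}"
    # 3. accept-all is used only when no configured caller ID matched.
    for name, m in maps.items():
        if m.get("accept_all"):
            return name, "accept-all"
    return None, "rejected"


# Constructed sample configuration using the caller IDs from this page.
SAMPLE = {
    "dl0": {"callers": ["4085550115"]},
    "dl1": {"callers": ["5550115"]},
    "dl2": {"callers": [], "accept_all": True},
}

if __name__ == "__main__":
    print(validate_incoming_maps(SAMPLE))
    # Constructed incoming caller IDs; 2125550115 only shares the last 7 digits.
    for number in ("4085550115", "14085550115", "2125550115", "4085559999"):
        print(number, select_interface(number, SAMPLE))
```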
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces dl0 unit 0 dialer-options incoming-map caller 4085550115
Procedure
Step-by-Step Procedure
To configure a dialer interface for USB modem dial-in:
Select a dialer interface.
    [edit]
    user@host# edit interfaces dl0
Configure the incoming map options.
    [edit interfaces dl0]
    user@host# set unit 0 dialer-options incoming-map caller 4085550115
If you are done configuring the device, commit the configuration.
    [edit interfaces dl0]
    user@host# commit
Verification
To verify the configuration is working properly, enter the show interfaces dl0 command.
Configuring a Dial-Up Modem Connection Remotely
To remotely connect to the USB modem connected to the USB port on the device, you must configure a dial-up modem connection on the PC or laptop computer at your remote location. Configure the dial-up modem connection properties to disable IP header compression.
To configure a dial-up modem connection remotely:
Connecting to the Device Remotely
To remotely connect to the device through a USB modem connected to the USB port on the device:
Modifying USB Modem Initialization Commands
These instructions use Hayes-compatible modem commands to configure the modem. If your modem is not Hayes-compatible, see the documentation for your modem and enter equivalent modem commands. Applies to SRX300, SRX320, SRX340, SRX345 devices.
You can use the CLI configuration editor to override the value of an initialization command configured on the USB modem or configure additional commands for initializing USB modems.
If you modify modem initialization commands when a call is in progress, the new initialization sequence is applied on the modem only when the call ends.
You can configure the following modem AT commands to initialize the USB modem:
The command S0=2 configures the modem to automatically answer calls on the second ring.
The command L2 configures medium speaker volume on the modem.
You can insert spaces between commands.
When you configure modem commands in the CLI configuration editor, you must follow these conventions:
Use the newline character \n to indicate the end of a command sequence.
Enclose the command string in double quotation marks.
You can override the value of the S0=0 command in the initialization sequence configured on the modem and add the L2 command.
To modify the initialization commands on a USB modem:
Resetting USB Modems
For SRX300, SRX320, SRX340, and SRX345 devices, if the USB modem does not respond, you can reset the modem.
If you reset the modem when a call is in progress, the call is terminated.
To reset the USB modem, in operational mode, enter the following command:
user@host> request interface modem reset umd0