What does the log message "root@ as root: cmd='rcp -p -f /config/juniper.conf+.gz'" mean?

This article addresses the following message seen in logs:

What does the log message "root@ as root: cmd='rcp -p -f /config/juniper.conf+.gz'" mean? Is this a security issue?

When any operation requires one node to access files on another node, RCP messages to or from 129.x.0.1 and/or 130.x.0.1 may be seen.

This is expected behavior when one node must access files on another node. A common operation that triggers this is a commit command. When a commit is done on Node0, Node0 will have to get the configuration file from Node1. It does this by logging into Node1 over the HA control ports.
Here is an example of this portion of a commit operation:

By default, the SRX uses 129.x.0.1/2 on the em0 and em1 control ports on Node0 and 130.x.0.1/2 on the control ports on Node1. The second octet is the cluster ID multiplied by 16. ClusterID 3 = For hardware that supports cluster IDs 16 and above, the same IPs are re-used, and if other clusters are in the same L2 broadcast domain they must be separated by VLAN. However, the optimal configuration in all situations is for all HA ports, control and fabric, to be directly connected.

Note: Although these addresses are not RFC 1918 addresses, they are what the SRX uses for the HA links.
Additional security can be added by enabling HA port encryption.
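
When triaging these messages, the addressing rule above can be used to separate expected HA control-link copies from rcp events that deserve a closer look. The following is an added example, not code from the original article or from Juniper. It assumes the field after `root@` is an IPv4 address, reads "0.1/2" as host .1 or .2, models cluster IDs 1-15 only, and runs on constructed sample lines.

```python
import ipaddress
import re

# Matches the message form quoted in the article. An IPv4 address after
# "root@" is an assumption, because the article elides that field.
RCP_RE = re.compile(
    r"root@(?P<src>\d{1,3}(?:\.\d{1,3}){3}) as root: cmd='(?P<cmd>rcp [^']*)'"
)

def ha_control_addresses(cluster_id):
    """Control-link addresses for cluster IDs 1-15, per the article's scheme."""
    if not 1 <= cluster_id <= 15:
        # The article says IDs 16+ re-use addresses but gives no mapping.
        raise ValueError("only cluster IDs 1-15 are modelled here")
    octet = 16 * cluster_id  # second octet = 16 x cluster ID
    return {
        ipaddress.ip_address(f"{first}.{octet}.0.{last}")
        for first in (129, 130)
        for last in (1, 2)  # reading "0.1/2" as host .1 or .2 (assumption)
    }

def triage(line, cluster_id):
    """Return 'not-rcp', 'expected-ha' or 'review' for one syslog line."""
    m = RCP_RE.search(line)
    if m is None:
        return "not-rcp"
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return "review"  # malformed address, e.g. an octet above 255
    return "expected-ha" if src in ha_control_addresses(cluster_id) else "review"

# Constructed sample lines (not captured from a device), for cluster ID 1.
SAMPLES = [
    "rshd[4321]: root@130.16.0.1 as root: cmd='rcp -p -f /config/juniper.conf+.gz'",
    "rshd[4322]: root@192.0.2.77 as root: cmd='rcp -p -f /config/juniper.conf+.gz'",
    "cron[4400]: (root) CMD (newsyslog)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s, cluster_id=1), "<-", s)
```

A "review" result only means the source address does not match the control-link scheme for the given cluster ID; it is a prompt to check where the copy came from, not a verdict.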

About the author

James Palmer