After upgrading ScreenOS, the trunk interfaces are reported as DOWN via SNMP

Article ID: KB13962  KB Last Updated: 10 Aug 2011  Version: 2.0
Summary:
After an upgrade to ScreenOS 6.0.0r7, the trunk interfaces on the firewall are reported as DOWN. When the firewall was running ScreenOS 6.0.0r6, the behaviour was different. The way SNMP interface status is reported through the RFC MIB has changed; the change was made to comply with RFC 2863 (3.1.13).
Symptoms:
There is a ScreenOS behaviour change to SNMP interface reporting in the following versions:
  • ScreenOS 5.4.0r12 and above
  • ScreenOS 6.0.0r7 and above
  • ScreenOS 6.1.0r2 and above
  • ScreenOS 6.2.0r2 and above

The following two objects, ifAdminStatus and ifOperStatus, in the RFC MIB are affected:

ifAdminStatus
If an administrator forces the physical interface into a down state via CLI "set int interface_name phy link-down" (for ethernet interfaces) or "set int interface_name disable" (for WAN interfaces), ifAdminStatus will always be down. For all other situations, ifAdminStatus will be determined by the following rules (this includes platforms which do not support the CLI):
  • For Layer3 interface without IP, it will be DOWN.
  • For Layer3 interface with IP, it will be UP.
  • For Layer2 interface, it will be UP if link-beat is detected, else it will be DOWN.
  • For VLAN1 interface, if any Layer2 interface's ifAdminStatus is UP, then VLAN1 will be UP, else it will be DOWN.
  • For interface in NULL zone, it will always be DOWN.
  • For interface in HA zone, it will always be UP.

ifOperStatus
If link-beat is not detected, ifOperStatus will always be down. If link-beat is detected, ifOperStatus will be determined by the following rules:
  • For Layer3 interface without IP, it will be TESTING.
  • For Layer3 interface with IP, it will be UP.
  • For Layer2 interface, it will be UP.
  • For VLAN1 interface, if any Layer2 interface's ifOperStatus is UP, then VLAN1 will be UP, else it will be DOWN.
  • For physical interface in NULL zone it will be DOWN.
  • For physical interface in HA zone, it will be UP.

There is a significant change in behaviour for a physical interface in the NULL zone. Monitoring interfaces such as trunk links through the RFC MIB ifOperStatus object will now show them in a DOWN state.

For example:
This usually comes into play where sub-interfaces are configured:

As shown above, many configurations have the physical trunk interface in the Null zone with no IP address. If the interface is configured this way and is polled for the ifOperStatus MIB object, then in ScreenOS 5.4.0r12/6.0.0r7/6.1.0r2/6.2.0r2 and above the status will now reflect a DOWN state.

For references to previous behaviour, please refer to KB9523.


Solution:
The workaround for this is to configure Zone and IP address settings on the interface OR use the NETSCREEN-INTERFACE-MIB.

For example:
  1. Set the trunk interface eth0/2 in a zone:


  2. With eth0/2 in TEST zone, the interface will show up as "testing".
    EG:
    # snmpwalk -v1 -c public 172.19.51.64 .1.3.6.1.2.1.2.2.1.8 | grep ifOperStatus.3
    IF-MIB::ifOperStatus.3 = INTEGER: testing(3)



    Then set the trunk interface eth0/2 in a zone with an IP address:


    With eth0/2 in the TEST zone and an IP 1.1.1.1/24, the interface will show up as "up".
    EG:
    # snmpwalk -v1 -c public 172.19.51.64 .1.3.6.1.2.1.2.2.1.8 | grep ifOperStatus.3
    IF-MIB::ifOperStatus.3 = INTEGER: up(1)


    OR

  3. Use the NetScreen MIBs:

  4. Use the NETSCREEN-INTERFACE-MIB to query the status of the interfaces and get the full status output:



    Note:  The NetScreen ScreenOS MIBs are located at the following link:  ScreenOS MIBs
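
The following Python sketch is an added example, not Juniper code: it parses ifOperStatus lines in the snmpwalk format shown above and compares each one with the status the article's rules predict for an interface whose link is up, so a poller can separate a real link failure from a Null-zone trunk that reports DOWN either way. The inventory fields, the zone names other than TEST, the sample walk output and the precedence of the NULL/HA zone rules over the Layer3 rules are assumptions; the VLAN1 rule is left out.

```python
import re

# Matches lines such as "IF-MIB::ifOperStatus.3 = INTEGER: testing(3)"
LINE_RE = re.compile(r"IF-MIB::ifOperStatus\.(\d+) = INTEGER: (\w+)\(\d+\)")

def parse_oper_status(walk_output):
    """Return {ifIndex: status name} parsed from snmpwalk text."""
    return {int(m.group(1)): m.group(2) for m in LINE_RE.finditer(walk_output)}

def expected_oper_status(layer, has_ip, zone, link_beat=True):
    """ifOperStatus per the article's rules (VLAN1 rule omitted).
    Assumption: the NULL/HA zone rules take precedence over the Layer3 rules."""
    if not link_beat or zone.upper() == "NULL":
        return "down"
    if zone.upper() == "HA" or layer == 2:
        return "up"
    return "up" if has_ip else "testing"

def triage(walk_output, inventory):
    """Classify each polled interface against what a healthy link would report."""
    results = {}
    for idx, observed in parse_oper_status(walk_output).items():
        cfg = inventory.get(idx)
        if cfg is None:
            results[idx] = "unknown-interface"
            continue
        healthy = expected_oper_status(**cfg)
        if healthy == "down":
            # DOWN with or without link-beat: this poll proves nothing.
            results[idx] = "uninformative"
        elif observed == healthy:
            results[idx] = "ok"
        else:
            results[idx] = "link-down" if observed == "down" else "mismatch"
    return results

# Constructed sample data (not taken from a real device).
SAMPLE_WALK = """\
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: down(2)
IF-MIB::ifOperStatus.3 = INTEGER: down(2)
IF-MIB::ifOperStatus.4 = INTEGER: testing(3)
"""
SAMPLE_INVENTORY = {
    1: {"layer": 3, "has_ip": True, "zone": "Trust"},
    2: {"layer": 3, "has_ip": True, "zone": "Untrust"},
    3: {"layer": 3, "has_ip": False, "zone": "Null"},  # trunk parent interface
    4: {"layer": 3, "has_ip": False, "zone": "TEST"},
}
```

Interfaces classed as "uninformative" are the ones to move to the NETSCREEN-INTERFACE-MIB or to a zone with an IP address, as the Solution describes.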

