
[STRM/JSA/SRX] Unable to send traffic logs to JSA when the outgoing interface is in a routing instance


Article ID: KB22692 | Last Updated: 01 Feb 2021 | Version: 6.0
Summary:

JSA is reachable from the SRX device: a ping to the JSA IP address from the SRX device succeeds. However, when the outgoing interface is in a routing instance, the device is unable to send traffic logs to JSA. This article describes the problem and its fix.


Symptoms:

JSA is reachable from the SRX device. The ping to the JSA IP address from the SRX device is successful.

[edit]
root@100-1# run ping 192.168.100.121 routing-instance JSA
PING 192.168.100.121 (192.168.100.121): 56 data bytes
64 bytes from 192.168.100.121: icmp_seq=0 ttl=64 time=0.429 ms
64 bytes from 192.168.100.121: icmp_seq=1 ttl=64 time=0.446 ms
64 bytes from 192.168.100.121: icmp_seq=2 ttl=64 time=0.552 ms
64 bytes from 192.168.100.121: icmp_seq=3 ttl=64 time=0.321 ms
64 bytes from 192.168.100.121: icmp_seq=4 ttl=64 time=0.323 ms
^C
--- 192.168.100.121 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.321/0.414/0.552/0.086 ms

Even though JSA is reachable, the traffic logs are not seen on JSA.


Cause:

When traffic enters the firewall on an interface that is part of the default routing instance (inet.0), the traffic logs for that session are sent from inet.0, so the JSA IP address must also be reachable from inet.0. Here the JSA IP address is only reachable from the JSA routing instance; as shown below, the ping from inet.0 fails.

[edit]
root@100-1# run ping 192.168.100.121
PING 192.168.100.121 (192.168.100.121): 56 data bytes
^C
10 packets transmitted, 0 packets received, 100% packet loss


Solution:

Configure a static route for the JSA IP address in inet.0 that points to the JSA routing instance (next-table), so that lookups in inet.0 for the JSA address are resolved in JSA.inet.0.

Note: The JSA address must not also be reachable through fxp0 from the inet.0 routing table; otherwise logs could be attracted to the management path instead of the routing instance.

set routing-options static route 192.168.100.121/32 next-table JSA.inet.0

[edit]
root@100-1# run ping 192.168.100.121
PING 192.168.100.121 (192.168.100.121): 56 data bytes
64 bytes from 192.168.100.121: icmp_seq=0 ttl=64 time=0.429 ms
64 bytes from 192.168.100.121: icmp_seq=1 ttl=64 time=0.446 ms
64 bytes from 192.168.100.121: icmp_seq=2 ttl=64 time=0.552 ms
64 bytes from 192.168.100.121: icmp_seq=3 ttl=64 time=0.321 ms
64 bytes from 192.168.100.121: icmp_seq=4 ttl=64 time=0.323 ms
^C
--- 192.168.100.121 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.321/0.414/0.552/0.086 ms
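To see why the `next-table` static route fixes the problem, the following added example (not Juniper or JSA code) simulates the Junos lookup: a longest-prefix match in one routing table that, when it hits a `next-table` route, continues the lookup in another table. The tables mirror the article's topology (JSA.inet.0 owns reth4.0 on 192.168.100.0/24; the 10.0.0.0/24 transit network on ge-0/0/0.0 in inet.0 is an assumption added for illustration). Without the static route, a lookup for 192.168.100.121 in inet.0 finds nothing, matching the 100% packet loss above; with it, the /32 leaks the lookup into JSA.inet.0 and resolves to reth4.0.

```python
"""Simulate Junos route lookup with next-table leaking between routing instances.

Added example, not Juniper code: models why the SRX cannot reach the JSA
collector from inet.0 until a /32 static route hands the lookup to JSA.inet.0.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

JSA_IP = "192.168.100.121"  # collector address from the article


@dataclass
class Route:
    prefix: IPv4Network
    interface: Optional[str] = None   # outgoing interface for a direct/next-hop route
    next_table: Optional[str] = None  # Junos "next-table": continue lookup elsewhere


@dataclass
class RoutingTable:
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, prefix: str, interface: Optional[str] = None,
            next_table: Optional[str] = None) -> None:
        self.routes.append(Route(ip_network(prefix), interface, next_table))


def lookup(tables: Dict[str, RoutingTable], table_name: str, dst: str,
           _depth: int = 0) -> Optional[Tuple[str, str]]:
    """Longest-prefix match for dst in table_name.

    Returns (table that resolved the route, outgoing interface), or None when
    no route covers dst (the "100% packet loss" case in the article).
    """
    if _depth > 8:  # Junos rejects next-table loops at commit; we just refuse to spin
        raise RuntimeError("next-table loop starting at %s" % table_name)
    addr = ip_address(dst)
    best: Optional[Route] = None
    for route in tables[table_name].routes:
        if addr in route.prefix and (
                best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    if best is None:
        return None
    if best.next_table is not None:
        return lookup(tables, best.next_table, dst, _depth + 1)
    return (table_name, best.interface)


def build_tables(with_fix: bool) -> Dict[str, RoutingTable]:
    """Constructed tables mirroring the article's topology.

    inet.0 carries the firewall's transit interfaces (10.0.0.0/24 on
    ge-0/0/0.0 is an assumed transit network); JSA.inet.0 (virtual-router
    'JSA') owns reth4.0 on 192.168.100.0/24, the subnet the collector is on.
    """
    inet0 = RoutingTable("inet.0")
    inet0.add("10.0.0.0/24", interface="ge-0/0/0.0")  # assumed transit interface
    jsa = RoutingTable("JSA.inet.0")
    jsa.add("192.168.100.0/24", interface="reth4.0")  # from the article's config
    if with_fix:
        # set routing-options static route 192.168.100.121/32 next-table JSA.inet.0
        inet0.add(JSA_IP + "/32", next_table="JSA.inet.0")
    return {inet0.name: inet0, jsa.name: jsa}


def resolve_collector(with_fix: bool) -> Optional[Tuple[str, str]]:
    """Where does a log packet sourced from inet.0 for the collector go?"""
    return lookup(build_tables(with_fix), "inet.0", JSA_IP)


if __name__ == "__main__":
    print("without static route:", resolve_collector(False))  # None
    print("with static route:   ", resolve_collector(True))   # ('JSA.inet.0', 'reth4.0')
```

The /32 is deliberately the most specific possible prefix: if a broader route for 192.168.100.0/24 (for example via fxp0) were ever present in inet.0, the /32 would still win the longest-prefix match and keep the log traffic on the routing-instance path, which is the point of the note above.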

A sample configuration is provided below. With this configuration, both system logs and traffic logs are sent to JSA through an interface that is part of the routing instance (reth4 in this example).

Interface configuration:

set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.64/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.65/24

set interfaces ge-11/0/7 gigether-options redundant-parent reth4
set interfaces ge-23/0/7 gigether-options redundant-parent reth4
set interfaces reth4 redundant-ether-options redundancy-group 1
set interfaces reth4 unit 0 family inet address 192.168.100.136/24

Routing instance configuration:

set routing-instances JSA instance-type virtual-router
set routing-instances JSA interface reth4.0

Routing options configuration:

set routing-options static route 192.168.100.121/32 next-table JSA.inet.0

Control plane and data plane log configuration:

set system syslog host 192.168.100.121 any any
set system syslog host 192.168.100.121 change-log none
set system syslog host 192.168.100.121 interactive-commands none
set system syslog host 1.11.1.1 port <xxx>

Note: By default, syslog messages are sent to port 514. If the JSA device listens on a non-default port, specify it with the port statement shown in the last command above.

set security log mode stream
set security log format sd-syslog
set security log source-address 192.168.100.136
set security log stream JSA category all
set security log stream JSA host 192.168.100.121
set security log stream JSA host port 514

When the above configuration is used, data plane logs will have the source address of the reth4 interface. The control plane logs will have the source address of the fxp0 interface.


Modification History:

2021-02-01: Minor changes for product name and grouping made
