
[SRX] Unable to send traffic logs to STRM when the outgoing interface is in a routing instance


Article ID: KB22692 KB Last Updated: 17 Feb 2015Version: 5.0
Summary:

STRM is reachable from the SRX: a ping to the STRM IP address from the SRX succeeds. However, when the outgoing interface is in a routing instance, the device is unable to send traffic logs to STRM. This article describes the problem and its fix.


Symptoms:

STRM is reachable from the SRX. The ping to the STRM IP address from SRX is successful.

[edit]
root@100-1# run ping 192.168.100.121 routing-instance STRM
PING 192.168.100.121 (192.168.100.121): 56 data bytes
64 bytes from 192.168.100.121: icmp_seq=0 ttl=64 time=0.429 ms
64 bytes from 192.168.100.121: icmp_seq=1 ttl=64 time=0.446 ms
64 bytes from 192.168.100.121: icmp_seq=2 ttl=64 time=0.552 ms
64 bytes from 192.168.100.121: icmp_seq=3 ttl=64 time=0.321 ms
64 bytes from 192.168.100.121: icmp_seq=4 ttl=64 time=0.323 ms
^C
--- 192.168.100.121 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.321/0.414/0.552/0.086 ms

Even though STRM is reachable, the traffic logs are not seen on STRM.

Cause:

When traffic enters the firewall on an interface that is part of the default routing instance (inet.0), the STRM IP address must also be reachable from inet.0. Below, the ping to the STRM IP address from inet.0 fails.

[edit]
root@100-1# run ping 192.168.100.121
PING 192.168.100.121 (192.168.100.121): 56 data bytes
^C
10 packets transmitted, 0 packets received, 100% packet loss

Solution:

A static route for the STRM IP address should be configured in inet.0, pointing to the STRM routing instance.

Note: The route should not be reachable through fxp0 from the inet.0 routing table.

set routing-options static route 192.168.100.121/32 next-table STRM.inet.0

[edit]
root@100-1# run ping 192.168.100.121
PING 192.168.100.121 (192.168.100.121): 56 data bytes
64 bytes from 192.168.100.121: icmp_seq=0 ttl=64 time=0.429 ms
64 bytes from 192.168.100.121: icmp_seq=1 ttl=64 time=0.446 ms
64 bytes from 192.168.100.121: icmp_seq=2 ttl=64 time=0.552 ms
64 bytes from 192.168.100.121: icmp_seq=3 ttl=64 time=0.321 ms
64 bytes from 192.168.100.121: icmp_seq=4 ttl=64 time=0.323 ms
^C
--- 192.168.100.121 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.321/0.414/0.552/0.086 ms

A sample configuration is provided below. Using this configuration, you can send both system logs and traffic logs to STRM from an interface (reth4 in this example), which is part of the routing instance.

Interface configuration:
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.64/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.65/24

set interfaces ge-11/0/7 gigether-options redundant-parent reth4
set interfaces ge-23/0/7 gigether-options redundant-parent reth4
set interfaces reth4 redundant-ether-options redundancy-group 1
set interfaces reth4 unit 0 family inet address 192.168.100.136/24
Routing instance configuration:
set routing-instances STRM instance-type virtual-router
set routing-instances STRM interface reth4.0
Routing options configuration:
set routing-options static route 192.168.100.121/32 next-table STRM.inet.0

Control plane and data plane logs configuration:
set system syslog host 192.168.100.121 any any
set system syslog host 192.168.100.121 change-log none
set system syslog host 192.168.100.121 interactive-commands none
set system syslog host 1.11.1.1 port <xxx>

Note: By default, syslog listens on port 514. If the STRM device listens on a non-default port, configure that port with the above command.

set security log mode stream
set security log format sd-syslog
set security log source-address 192.168.100.136
set security log stream strm category all
set security log stream strm host 192.168.100.121
set security log stream strm host port 514

When the above configuration is used, data plane logs will have the source address of the reth4 interface. The control plane logs will have the source address of the fxp0 interface.
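The following Python script is an added example (not Juniper's code or part of this article) that audits a set-style configuration for the condition described above: it finds the routing instance that owns the security-log source-address interface and checks that inet.0 carries a /32 next-table route for each stream host into that instance, flagging the fxp0 caveat when the host falls in an fxp0 subnet. The sample configuration is a constructed subset of the article's configuration.

```python
import ipaddress

# Constructed sample: a subset of the article's configuration with the fix applied.
SAMPLE_CONFIG = """
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.64/24
set interfaces reth4 unit 0 family inet address 192.168.100.136/24
set routing-instances STRM instance-type virtual-router
set routing-instances STRM interface reth4.0
set routing-options static route 192.168.100.121/32 next-table STRM.inet.0
set security log source-address 192.168.100.136
set security log stream strm host 192.168.100.121
set security log stream strm host port 514
"""

def parse_set(config):
    """Split each 'set ...' line into tokens, dropping the 'set' keyword."""
    return [l.split()[1:] for l in config.splitlines() if l.strip().startswith("set ")]

def audit_log_stream(config):
    """Per stream host, report whether inet.0 holds a /32 next-table route into
    the routing instance that owns the security-log source-address interface."""
    addrs, ri_of, next_table, hosts, src = {}, {}, {}, [], None
    for s in parse_set(config):
        if s[0] == "groups":
            s = s[2:]  # strip 'groups <node>' so node-specific lines parse alike
        if s[0] == "interfaces" and "address" in s:
            unit = f"{s[1]}.{s[3]}"  # e.g. reth4.0
            addrs.setdefault(unit, []).append(ipaddress.ip_interface(s[-1]))
        elif s[0] == "routing-instances" and s[2] == "interface":
            ri_of[s[3]] = s[1]
        elif s[:3] == ["routing-options", "static", "route"] and "next-table" in s:
            next_table[ipaddress.ip_network(s[3])] = s[-1]
        elif s[:3] == ["security", "log", "source-address"]:
            src = ipaddress.ip_address(s[3])
        elif s[:3] == ["security", "log", "stream"] and s[4:5] == ["host"] and len(s) > 5 and s[5] != "port":
            hosts.append(ipaddress.ip_address(s[5]))
    # Logs leave from the instance that owns the source-address interface (inet.0 if none matches).
    src_ri = next((ri_of.get(u, "inet.0") for u, l in addrs.items() if any(src == i.ip for i in l)), "inet.0")
    findings = []
    for h in hosts:
        want = f"{src_ri}.inet.0"
        route = next_table.get(ipaddress.ip_network(f"{h}/32"))
        if src_ri == "inet.0" or route == want:
            findings.append((str(h), f"ok: inet.0 -> {route or 'inet.0'}"))
        else:  # the article's caveat: inet.0 must not reach the STRM host via fxp0
            via_fxp0 = any(h in i.network for u, l in addrs.items() if u.startswith("fxp0") for i in l)
            hint = " (inet.0 would resolve it via fxp0)" if via_fxp0 else ""
            findings.append((str(h), f"missing: set routing-options static route {h}/32 next-table {want}{hint}"))
    return findings
```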
