[SRX] How to configure SRX high end chassis cluster J-flow version 9 when traffic interfaces are in a routing instance or Flow Collector is reachable via routing instance only

Article ID: KB28116 KB Last Updated: 20 Jun 2020 Version: 3.0
Summary:

This article describes how to configure J-flow version 9 on a high-end SRX chassis cluster when the traffic interfaces are in a routing instance.

Symptoms:

The customer wants to configure J-flow version 9 on a high-end SRX chassis cluster when the traffic interfaces are in a routing instance.

Here is the topology:

                                                             Trust: reth0 10.13.1.150/24
Jflow-server(10.11.11.1) -------(jflow: reth2 10.11.11.2) SRX3600-node0 SRX3600-node1 
                                                             Untrust: reth1 10.24.1.150/24

Traffic flows from untrust zone to trust zone with src-ip 10.24.1.100 and dst-ip 10.13.1.200.

Solution:

High-end SRX devices support this scenario. The configuration was tested on Junos OS 12.1X45-D10. Here is the configuration:

root@SRX3600-B# show 
## Last changed: 2013-09-10 03:16:15 UTC
version 12.1X45;
interfaces {
    ge-0/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/1 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-0/0/2 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-13/0/0 {                         
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-13/0/1 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-13/0/2 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/6;
                ge-0/0/7;
            }
        }
    }
    fab1 {                              
        fabric-options {
            member-interfaces {
                ge-13/0/6;
                ge-13/0/7;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                sampling {
                    output;
                }
                address 10.13.1.150/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;         
        }
        unit 0 {
            family inet {
                address 10.24.1.150/24;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.11.11.2/24;
            }
        }
    }
}
forwarding-options {
    sampling {
        instance {
            test-instance {
                input {                 
                    rate 100;   <<< Note: An aggressive rate of < 10 may lead to incorrect "Flow Creation Failures".
                    run-length 0;
                }
                family inet {
                    output {
                        flow-server 10.11.11.1 {
                            port 2222;
                            version9 {
                                template {
                                    test;
                                }
                            }
                        }
                        inline-jflow {
                            source-address 10.11.11.2;
                        }
                    }
                }
            }
        }
    }
}
security {                              
    policies {
        from-zone trust to-zone untrust {
            policy p1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }                       
            }
            interfaces {
                reth1.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone jflow {
            host-inbound-traffic {
                system-services {
                    all;
                }                       
                protocols {
                    all;
                }
            }
            interfaces {
                reth2.0;
            }
        }
    }
}
routing-instances {
    test {
        instance-type virtual-router;
        interface reth0.0;
        interface reth1.0;
    }
}
services {
    flow-monitoring {
        version9 {
            template test {
                ipv4-template;
            }                           
        }
    }
}

Note that the interface responsible for sending J-flow packets should be in the root VR.

Note: To check for flow creation failures:

SRX> show services accounting errors inline-jflow | no-more
Error information
FPC Slot: 0
Flow Creation Failures: 77495
Route Record Lookup Failures: 0, AS Lookup Failures: 0
Export Packet Failures: 0
Memory Overload: No, Memory Alloc Fail Count: 0
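
The two conditions this article calls out (the J-flow export interface should be in the root VR, and a sampling rate below 10 may produce incorrect "Flow Creation Failures") can be checked against a saved configuration before commit. The Python below is an added example, not Juniper code: the names `flatten` and `audit` are hypothetical, and the sample is a constructed, trimmed copy of the configuration above compressed onto fewer lines. It assumes the configuration contains no quoted strings with braces or semicolons.

```python
import ipaddress
import re

# Constructed sample: the article's config trimmed and compressed onto fewer lines.
GOOD = """
interfaces {
    reth0 { unit 0 { family inet { address 10.13.1.150/24; } } }
    reth2 { unit 0 { family inet { address 10.11.11.2/24; } } }
}
forwarding-options { sampling { instance { test-instance {
    input { rate 100; }
    family inet { output { inline-jflow { source-address 10.11.11.2; } } }
} } } }
routing-instances { test { interface reth0.0; interface reth1.0; } }
"""
# Same config with the two mistakes the article warns about (constructed).
BAD = GOOD.replace("reth1.0;", "reth1.0; interface reth2.0;").replace("rate 100", "rate 1")

def flatten(text):
    """Flatten curly-brace config into one word list per statement."""
    text = re.sub(r"(##|<<<).*", "", text)  # drop comments and inline annotations
    stack, paths = [], []
    for words, sym in re.findall(r"([^;{}]*)([;{}])", text):
        if sym == "{":
            stack.append(words.split())      # enter a hierarchy level
        elif sym == "}":
            stack.pop()                      # leave it
        else:
            paths.append(sum(stack, []) + words.split())
    return [p for p in paths if len(p) > 1]

def audit(text):
    """Check that the export source interface is in the root VR and the rate is >= 10."""
    paths = flatten(text)
    in_vr = {p[3]: p[1] for p in paths
             if p[0] == "routing-instances" and len(p) == 4 and p[2] == "interface"}
    owner = {str(ipaddress.ip_interface(p[-1]).ip): f"{p[1]}.{p[3]}" for p in paths
             if p[0] == "interfaces" and p[2:3] == ["unit"] and p[-2] == "address"}
    findings = []
    for p in (p for p in paths if p[:2] == ["forwarding-options", "sampling"]):
        if p[-2] == "source-address" and owner.get(p[-1]) is None:
            findings.append(f"source-address {p[-1]} is not on any interface")
        elif p[-2] == "source-address" and owner[p[-1]] in in_vr:
            ifl = owner[p[-1]]
            findings.append(f"export interface {ifl} is in routing-instance {in_vr[ifl]}")
        elif p[-2] == "rate" and int(p[-1]) < 10:
            findings.append(f"sampling rate {p[-1]} is below 10")
    return findings

if __name__ == "__main__":
    print(audit(GOOD), audit(BAD), sep="\n")
```

An empty list means both conditions hold; the `<<<` annotation on the `rate` line in the configuration above is stripped before parsing.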

Modification History:

2020-06-20: Changed the sampling rate value from 1 to 100, as 1 is not a recommended value.
