[MX] Sampling output interface in logical system not supported for inline flow


Article ID: KB31772   KB Last Updated: 11 Jun 2020   Version: 2.0
Summary:

This article indicates that a sampling output interface in the logical system is not supported for inline flow, and that for it to work, a sampling instance configuration must be present in the main system. 

 

Symptoms:

If a sampling output interface is included in the logical system as seen below:

logical-systems {
    ls1 {
        interfaces {
            ge-1/0/7 {
                unit 0 {
                    family inet {
                        sampling {
                            input;
                            output; <<<<<<<<
                        }
                        address 10.90.0.2/30;
                    }
                }
            }
        }
    }
}

The user will not be able to see flow packets for the output direction when viewing from the flow server.

 

Cause:

Inline JFLOW is not supported under the logical system. A sampling instance configuration should be present under the main system for this to work.

If you place only an interface on which sampling is enabled in the logical system, flow records are created/updated/exported without any issue, but the exported flow record cannot report correct SRC_MASK/DST_MASK/SRC_AS/DST_AS/GW_ADDR/OIF information. This is because the sampler module on the Packet Forwarding Engine (PFE) does not download the routes of the logical system into the sampling route record database.

 

Solution:

Put the sampling output interface in the global master instance, or configure the sampling input/output in the main master instance for consistency and accuracy of flows. Check the following configuration:

lab@mx480-a-re0> show configuration forwarding-options
sampling {
    input {
        rate 1; <<<< This is for version 5 sampling, which is not supported under the logical system either, so sampling in/out must be configured in the main master instance. Also consider a rate of "1" aggressive for RE mode sampling.
    }
    instance {
        jflow {
            input {
                rate 1;
                run-length 0;
            }
            family inet {
                output {
                    flow-server 1.1.1.2 {
                        port 2055;
                        autonomous-system-type peer;
                        version-ipfix {
                            template {
                                v4_template;
                            }
                        }
                    }
                    inline-jflow {
                        source-address 1.1.1.1;
                    }
                }
            }
        }
    }
}

lab@mx480-a-re0> show configuration services
flow-monitoring {
    version9 {
        template v4_template {
            flow-active-timeout 10;
            flow-inactive-timeout 10;
            template-refresh-rate {
                packets 480000;
                seconds 10;
            }
            option-refresh-rate {
                packets 480000;
                seconds 10;
            }
            ipv4-template;
        }
    }
    version-ipfix {
        template v4_template {
            flow-active-timeout 10;
            flow-inactive-timeout 10;
            template-refresh-rate {
                packets 480000;
                seconds 10;
            }
            option-refresh-rate {
                packets 480000;
                seconds 10;
            }
            ipv4-template;
        }
    }
}

lab@mx480-a-re0> show configuration chassis
fpc 2 {
    pic 0 {
        tunnel-services {
            bandwidth 1g;
        }
    }
    sampling-instance jflow;
}

Information Displayed on the Flow Server Side

lab@mx480-a-re0> monitor traffic interface xe-2/1/1.2 no-resolve matching udp
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on xe-2/1/1.2, capture size 96 bytes

05:06:49.208250 In IP 1.1.1.1.33018 > 1.1.1.2.2055: UDP, length 92
05:06:54.636557 In IP 1.1.1.1.33018 > 1.1.1.2.2055: UDP, length 104
05:06:54.636565 In IP 1.1.1.1.33018 > 1.1.1.2.2055: UDP, length 104
05:06:54.636567 In IP 1.1.1.1.33018 > 1.1.1.2.2055: UDP, length 104
05:06:54.636569 In IP 1.1.1.1.33018 > 1.1.1.2.2055: UDP, length 104
05:06:54.636572 In IP 1.1.1.1.60424 > 1.1.1.2.2055: UDP, length 48
05:06:54.636574 In IP 1.1.1.1.60424 > 1.1.1.2.2055: UDP, length 40
05:06:54.636576 In IP 1.1.1.1.60424 > 1.1.1.2.2055: UDP, length 48
05:06:54.636579 In IP 1.1.1.1.60424 > 1.1.1.2.2055: UDP, length 40
05:06:54.636581 In IP 1.1.1.1.60424 > 1.1.1.2.2055: UDP, length 48
05:06:54.636583 In IP 1.1.1.1.60424 > 1.1.1.2.2055: UDP, length 40
05:06:54.636585 In IP 1.1.1.1.60424 > 1.1.1.2.2055: UDP, length 48
05:06:54.636587 In IP 1.1.1.1.60424 > 1.1.1.2.2055: UDP, length 40
05:06:59.061836 In IP 1.1.1.1.33018 > 1.1.1.2.2055: UDP, length 92
05:06:59.150834 In IP 1.1.1.1.33018 > 1.1.1.2.2055: UDP, length 92
05:06:59.248829 In IP 1.1.1.1.33018 > 1.1.1.2.2055: UDP, length 92
05:06:59.293817 In IP 1.1.1.1.33018 > 1.1.1.2.2055: UDP, length 92
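
A pre-deployment check for the condition described in this article, as an added example (not Juniper code): it parses curly-brace Junos configuration text and reports sampling statements on interfaces inside logical systems, plus a missing sampling instance in the main system. The function names, finding messages and sample input are constructed for illustration; the parser assumes the text contains no comments, annotations or quoted strings.

```python
import re

def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^{};\s]+", text):
        if tok == "{":
            child = stack[-1].setdefault(" ".join(words), {})
            stack.append(child)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def audit_inline_flow(cfg):
    """Report sampling placed in logical systems and a missing main-system instance."""
    findings = []
    fwd = cfg.get("forwarding-options") or {}
    if not (fwd.get("sampling") or {}).get("instance"):
        findings.append("main system: no 'forwarding-options sampling instance'")
    for ls, body in (cfg.get("logical-systems") or {}).items():
        for ifname, ifd in ((body or {}).get("interfaces") or {}).items():
            for unit, ud in (ifd or {}).items():
                for fam, fd in (ud or {}).items():
                    samp = (fd or {}).get("sampling")
                    if not fam.startswith("family ") or samp is None:
                        continue
                    where = f"{ls} {ifname} {unit} {fam}"
                    if "output" in samp:
                        findings.append(f"{where}: sampling output not supported for inline flow")
                    if "input" in samp:
                        findings.append(f"{where}: sampling input (mask/AS/GW/OIF fields incorrect)")
    return findings

# Constructed sample: the Symptoms snippet with its braces closed, no main-system sampling.
SAMPLE = """
logical-systems { ls1 { interfaces { ge-1/0/7 { unit 0 { family inet {
    sampling { input; output; } address 10.90.0.2/30; } } } } } }
"""
print("\n".join(audit_inline_flow(parse_junos(SAMPLE))))
```

Run it against the output of `show configuration` saved to a file; an empty result means no sampling statement sits inside a logical system and a main-system sampling instance exists.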

 

Modification History:

2020-06-11: Article solution improved and simplified; article checked for accuracy

 
