
[EX] [QFX] Example - Configuring PFE Logs to display on CLI


Article ID: KB31991 KB Last Updated: 01 Aug 2018 Version: 1.0
Summary:

Packet Forwarding Engine (PFE) error logs are, by default, not displayed on the Command Line Interface (CLI) or console. To be aware of such errors, users must either be logged in to the PFE or use the show log messages command, which makes issue detection and troubleshooting less efficient.

This article explains how PFE error logging can be configured to display on the command line.

 

Cause:

PFE log messages are, by default, configured not to appear on the CLI.

Example

When some firewall filters are applied and the changes are committed, the following PFE error may be logged because the TCAM space limit has been exceeded.

Jul 10 15:34:10  la-core-001 dc-pfe: DFWE ERROR DFW: Cannot program filter "protect-routing-engine-nopolicer" (type IRACL) - TCAM has 732 free entries and the filter requires 744 free entries

Jul 10 15:34:10  la-core-001 fpc0 ERROR (dfw): First INGRESS ifd:6 entry added to ifd list

Jul 10 15:34:10  la-core-001 fpc0 DFWE ERROR DFW: Cannot program filter "protect-routing-engine-nopolicer" (type IRACL) - TCAM has 732 free entries and the filter requires 744 free entries

Because of the default setting, these messages are not displayed on the command line. To see these errors, the show log messages command must be executed, which involves additional commands. In fact, the errors may go unnoticed unless traffic is affected and the PFE logs are checked.

 

Solution:

Use the following command to adjust the logging level of the console log to ensure that PFE error logs (if any) are displayed on the command line after changes are committed.

{master:0}[edit system]
root@la-core-001# set syslog console pfe error 
 

Output of syslog configuration

{master:0}[edit system]
root@la-core-001# show syslog 
<Output Truncated>
console {
    pfe error;
}
 

Using the same example above, after applying some firewall filters that exceed TCAM space and committing the change, the following is displayed on the command line:

{master:0}[edit]
root@la-core-001# commit
configuration check succeeds
commit complete

{master:0}[edit]
root@la-core-001#

Message from syslogd@la-core-001 at Jul 10 15:34:10  ...

la-core-001 dc-pfe: DFWE ERROR DFW: Cannot program filter "protect-routing-engine-nopolicer" (type IRACL) - TCAM has 732 free entries and the filter requires 744 free entries

Jul 10 15:34:10  la-core-001 fpc0 ERROR (dfw): First INGRESS ifd:6 entry added to ifd list

Jul 10 15:34:10  la-core-001 fpc0 DFWE ERROR DFW: Cannot program filter "protect-routing-engine-nopolicer" (type IRACL) - TCAM has 732 free entries and the filter requires 744 free entries
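
The following Python check is an added example, not part of the Juniper article: it scans saved show log messages output (or console text) for the DFW TCAM error shown above and reports each filter that could not be programmed, with its entry shortfall. The sample lines are the article's own; the names TcamFailure and find_tcam_failures are hypothetical.

```python
import re
from dataclasses import dataclass

# Pattern derived from the DFWE message text shown in the article.
DFW_TCAM_RE = re.compile(
    r'(?P<source>\S+?):?\s+DFWE ERROR DFW: Cannot program filter '
    r'"(?P<name>[^"]+)" \(type (?P<ftype>\w+)\) - TCAM has (?P<free>\d+) '
    r'free entries and the filter requires (?P<need>\d+) free entries'
)

# The three log lines from the article's example.
SAMPLE_LOG = '''\
Jul 10 15:34:10  la-core-001 dc-pfe: DFWE ERROR DFW: Cannot program filter "protect-routing-engine-nopolicer" (type IRACL) - TCAM has 732 free entries and the filter requires 744 free entries
Jul 10 15:34:10  la-core-001 fpc0 ERROR (dfw): First INGRESS ifd:6 entry added to ifd list
Jul 10 15:34:10  la-core-001 fpc0 DFWE ERROR DFW: Cannot program filter "protect-routing-engine-nopolicer" (type IRACL) - TCAM has 732 free entries and the filter requires 744 free entries
'''

@dataclass(frozen=True)
class TcamFailure:          # hypothetical record type for this example
    name: str
    ftype: str
    free: int
    required: int
    sources: tuple

    @property
    def shortfall(self):
        return self.required - self.free

def find_tcam_failures(log_text):
    """Return one TcamFailure per (filter, type); dc-pfe and fpcN repeats are merged."""
    merged = {}
    for line in log_text.splitlines():
        m = DFW_TCAM_RE.search(line)
        if not m:
            continue  # e.g. the "ERROR (dfw)" line, which carries no TCAM numbers
        entry = merged.setdefault((m["name"], m["ftype"]), {"sources": []})
        entry["free"], entry["need"] = int(m["free"]), int(m["need"])  # latest wins
        if m["source"] not in entry["sources"]:
            entry["sources"].append(m["source"])
    return [TcamFailure(n, t, e["free"], e["need"], tuple(e["sources"]))
            for (n, t), e in merged.items()]

if __name__ == "__main__":
    for f in find_tcam_failures(SAMPLE_LOG):
        print(f'{f.name} ({f.ftype}): short by {f.shortfall} TCAM entries, '
              f'reported by {", ".join(f.sources)}')
```

The pattern does not depend on the timestamp, so it also matches the console form printed after "Message from syslogd@...".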

 
