
[Contrail] How to determine if config objects are pushed from config node to vrouter through all intermediate components


Article ID: KB36118   KB Last Updated: 29 Sep 2020   Version: 1.0
Summary:

There are several instances where the config objects present in the vrouter config appear to differ from those on the config node.

This article walks through each intermediate component, from the config node to the vrouter, so that the config object can be checked at every hop on the way.

Note: This article also discusses the IFMAP server, which exists only in releases prior to 4.x.

Solution:

Example

Traffic that should be allowed is being blocked: the flow shows action "D" (Drop), and the drop reason indicates "SG" (Security Group). The user would like to see the config that caused this.

Check the vrouter introspects directly to see whether the correct "SG" is applied. In many instances, it is also useful to compare it with the object on the config node. Trace the config for the VMI and confirm that the security group selected on the config node is the one applied on the compute node.
 
  1. Check the configuration as per the config node.

    a. Identify the VMI name and UUID

    In this example, the VMI ID is 755f37d6-38d8-4111-b61e-9db4252c2a3e 

    b. Navigate to config editor under the settings menu

    c. Click on virtual machine interfaces

    d. Click on "href link" of the VMI with the ID 755f37d6-38d8-4111-b61e-9db4252c2a3e

    e. Scroll down to the section where the security group ID is mentioned and confirm if this is the one that should exist on this VMI

    f. If required, click the URL provided for security group to see more details, such as the rules, created date, modified, etc.

    The security group named "SG_KB_TEST" should be applied on the VMI. Check on the control node if the same is observed there too.
  2. Access the introspect page of the control node using the <control node IP>:8083

    This opens a page with links for the various introspect options of the control node. Each link offers further sub-options for the data being requested.

    a. Click ifmap_server_show.xml link

    b. Click the Send button below IFMapNodeTableListShowReq

    The next screen displays a list of tables to query. Click the table that corresponds to the object you want to verify.

    c. Click virtual-machine-interface as we are trying to trace the SG config of a VMI

    d. Find the interface either using the ID or uuid.

    e. Verify that SG_KB_TEST is among the security groups listed in the neighbors list

    Optional:

    f. Navigate back to the previous page 

    g. Click the security-group table link

    h. Verify that the security group exists and that the rules for the security group SG_KB_TEST are correct.

    Alternatively, query the introspect for the VMI from the command line:

    curl http://10.219.95.55:8083/Snh_IFMapTableShowReq?x=virtual-machine-interface | python -c 'import sys;import xml.dom.minidom;s=sys.stdin.read();print(xml.dom.minidom.parseString(s).toprettyxml())' | egrep -A30 755f37d6-38d8-4111-b61e-9db4252c2a3e | grep security-group

    Here the original query is curl http://10.219.95.55:8083/Snh_IFMapTableShowReq?x=virtual-machine-interface

    To pretty print the XML output, use python -c 'import sys;import xml.dom.minidom;s=sys.stdin.read();print(xml.dom.minidom.parseString(s).toprettyxml())' (the print call works on both Python 2 and Python 3).

    First, egrep finds the VMI in the list and prints only the 30 lines that follow it. Increase this count if the security group does not appear within those 30 lines of output.

    Second, grep filters the security-group entries out of that VMI output.

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 24973  100 24973    0     0  3427k      0 --:--:-- --:--:-- --:--:-- 4064k
    <element>security-group:default-domain:Dayone:SG_KB_TEST</element>  <-- The VMI has SG_KB_TEST as one of its security groups, as per the control node.
    <element>security-group:default-domain:Dayone:default</element>
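    The same control-node check done by parsing the introspect XML instead of relying on egrep -A30, as an added example that is not part of the article. The reply layout (a <node_name> per node plus a <neighbors> list of <element> strings) is assumed from the fields the grep above picks out, and the sample reply is constructed, not a real capture; fetch_table uses the same URL and port as the article's curl.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample reply (not a real capture). Assumed layout: each node has a
# <node_name> and a <neighbors> list of <element> strings (what the article greps).
SAMPLE_XML = """<IFMapTableShowResp type="sandesh">
 <table_name type="string">virtual-machine-interface</table_name>
 <nodes type="list"><list type="struct" size="2">
  <IFMapNodeShowInfo>
   <node_name type="string">virtual-machine-interface:755f37d6-38d8-4111-b61e-9db4252c2a3e</node_name>
   <neighbors type="list"><list type="string" size="3">
    <element>virtual-machine:aaaaaaaa-0000-4000-8000-000000000001</element>
    <element>security-group:default-domain:Dayone:SG_KB_TEST</element>
    <element>security-group:default-domain:Dayone:default</element>
   </list></neighbors>
  </IFMapNodeShowInfo>
  <IFMapNodeShowInfo>
   <node_name type="string">virtual-machine-interface:bbbbbbbb-0000-4000-8000-000000000002</node_name>
   <neighbors type="list"><list type="string" size="1"><element>security-group:default-domain:Dayone:default</element></list></neighbors>
  </IFMapNodeShowInfo>
 </list></nodes>
</IFMapTableShowResp>"""

def fetch_table(host, table):
    """Download one IFMap table from the control node (the article's curl URL, port 8083)."""
    url = "http://%s:8083/Snh_IFMapTableShowReq?x=%s" % (host, table)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def node_neighbors(xml_text, node_type, uuid):
    """Neighbor names of IFMap node '<node_type>:<uuid>' ([] if absent). Parsing the
    XML, unlike `egrep -A30`, does not depend on how far below the name the list sits."""
    wanted = "%s:%s" % (node_type, uuid)
    for node in ET.fromstring(xml_text).iter():
        name = node.find("node_name")
        if name is not None and (name.text or "").strip() == wanted:
            nbrs = node.find("neighbors")
            return [] if nbrs is None else [e.text.strip() for e in nbrs.iter("element") if e.text]
    return []

def vmi_security_groups(xml_text, vmi_uuid):
    """FQ names ('domain:project:name') of the SGs on the VMI in the control node's view."""
    nbrs = node_neighbors(xml_text, "virtual-machine-interface", vmi_uuid)
    return [n.split(":", 1)[1] for n in nbrs if n.startswith("security-group:")]

def has_security_group(xml_text, vmi_uuid, sg_name):
    """True when one of the VMI's security groups has the unqualified name sg_name."""
    return sg_name in [fq.rsplit(":", 1)[-1] for fq in vmi_security_groups(xml_text, vmi_uuid)]
```

    Against a live control node, pass fetch_table("<control node IP>", "virtual-machine-interface") to has_security_group together with the VMI UUID and the SG name seen on the config node; a False result means the two views have diverged.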

    Find out whether the security group has the rules that were seen on the config node, using the query:

    curl http://10.219.95.55:8083/Snh_IFMapTableShowReq?x=security-group | python -c 'import sys;import xml.dom.minidom;s=sys.stdin.read();print(xml.dom.minidom.parseString(s).toprettyxml())'  | egrep -A150 SG_KB_TEST | egrep -A63 policy-rule
     
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 47966  100 47966    0     0  6856k      0 --:--:-- --:--:-- --:--:-- 7806k
    <policy-rule>
        <rule-sequence>
            <major>0</major>
            <minor>0</minor>
        </rule-sequence>
        <rule-uuid>40791a81-e8fd-4636-94d7-75ab960c9b28</rule-uuid>
        <direction>&gt;</direction>
        <protocol>any</protocol>
        <src-addresses>
            <subnet>
                <ip-prefix></ip-prefix>
                <ip-prefix-len>0</ip-prefix-len>
            </subnet>
            <virtual-network></virtual-network>
            <security-group>local</security-group>
            <network-policy></network-policy>
        </src-addresses>
        <src-ports>
            <start-port>0</start-port>
            <end-port>65535</end-port>
        </src-ports>
        <dst-addresses>
            <subnet>
                <ip-prefix>0.0.0.0</ip-prefix>
                <ip-prefix-len>0</ip-prefix-len>
            </subnet>
            <virtual-network></virtual-network>
            <security-group></security-group>
            <network-policy></network-policy>
        </dst-addresses>
        <dst-ports>
            <start-port>0</start-port>
            <end-port>65535</end-port>
        </dst-ports>
        <action-list>
            <simple-action></simple-action>
            <gateway-name></gateway-name>
            <mirror-to>
                <analyzer-name></analyzer-name>
                <encapsulation></encapsulation>
                <analyzer-ip-address></analyzer-ip-address>
                <analyzer-mac-address></analyzer-mac-address>
                <routing-instance></routing-instance>
                <udp-port>0</udp-port>
                <juniper-header>true</juniper-header>
                <nh-mode></nh-mode>
                <static-nh-header>
                    <vtep-dst-ip-address></vtep-dst-ip-address>
                    <vtep-dst-mac-address></vtep-dst-mac-address>
                    <vni>0</vni>
                </static-nh-header>
                <nic-assisted-mirroring>false</nic-assisted-mirroring>
                <nic-assisted-mirroring-vlan>0</nic-assisted-mirroring-vlan>
            </mirror-to>
            <assign-routing-instance></assign-routing-instance>
            <log>false</log>
            <alert>false</alert>
            <qos-action></qos-action>
            <host-based-service>false</host-based-service>
        </action-list>
        <ethertype>IPv4</ethertype>
        <created>1970-01-01T00:00:00</created>
        <last-modified>1970-01-01T00:00:00</last-modified>
    </policy-rule>
    <policy-rule>
        <rule-sequence>
            <major>0</major>
            <minor>0</minor>
        </rule-sequence>
        <rule-uuid>610ddaff-14da-4de4-a941-722337188e01</rule-uuid>
        <direction>&gt;</direction>
        <protocol>any</protocol>
        <src-addresses>
            <subnet>
                <ip-prefix>0.0.0.0</ip-prefix>
                <ip-prefix-len>0</ip-prefix-len>
            </subnet>
            <virtual-network></virtual-network>
            <security-group></security-group>
            <network-policy></network-policy>
        </src-addresses>
        <src-ports>
            <start-port>0</start-port>
            <end-port>65535</end-port>
        </src-ports>
        <dst-addresses>
            <subnet>
                <ip-prefix></ip-prefix>
                <ip-prefix-len>0</ip-prefix-len>
            </subnet>
            <virtual-network></virtual-network>
            <security-group>local</security-group>
            <network-policy></network-policy>
        </dst-addresses>
        <dst-ports>
            <start-port>0</start-port>
            <end-port>65535</end-port>
        </dst-ports>
        <action-list>
            <simple-action></simple-action>
            <gateway-name></gateway-name>
            <mirror-to>
                <analyzer-name></analyzer-name>
                <encapsulation></encapsulation>
                <analyzer-ip-address></analyzer-ip-address>
                <analyzer-mac-address></analyzer-mac-address>
                <routing-instance></routing-instance>
                <udp-port>0</udp-port>
                <juniper-header>true</juniper-header>
                <nh-mode></nh-mode>
                <static-nh-header>
                    <vtep-dst-ip-address></vtep-dst-ip-address>
                    <vtep-dst-mac-address></vtep-dst-mac-address>
                    <vni>0</vni>
                </static-nh-header>
                <nic-assisted-mirroring>false</nic-assisted-mirroring>
                <nic-assisted-mirroring-vlan>0</nic-assisted-mirroring-vlan>
            </mirror-to>
            <assign-routing-instance></assign-routing-instance>
            <log>false</log>
            <alert>false</alert>
            <qos-action></qos-action>
            <host-based-service>false</host-based-service>
        </action-list>
        <ethertype>IPv4</ethertype>
        <created>1970-01-01T00:00:00</created>
        <last-modified>1970-01-01T00:00:00</last-modified>
    </policy-rule>
     

    Verify on the compute node that the same configuration is present.

  3. Access the vrouter agent introspect port using the URL <compute IP>:8085

    a. Click the ifmap_agent.xml link

    b. Click the Send button below ShowIFMapAgentReq

    This opens a new page with all the config details that the agent has downloaded from the controller.

    Note: The introspect output can span multiple pages; click 'more' to navigate to the next page.

    c. Using the browser's search option, find the config object being traced. In this example, we are looking for the security group of the VMI.




    Based on the output, the VMI is configured with the correct SG, and the SG has all the appropriate rules.
