[SRX] Example - Configuring event-options to trigger config change based on RPM probe results

Article ID: KB36515 KB Last Updated: 15 Mar 2021 Version: 1.0
Summary:
 

This article demonstrates how to configure event-options to trigger a configuration change based on RPM probe results. In this example, we deactivate an OSPF export policy when the RPM probe fails to reach the target address and reactivate the OSPF export policy when the link is up.

 

Symptoms:
 

In this scenario, routes learned on the SRX device should not be redistributed into OSPF when the target address (3.2.2.2) is not reachable.

 

Solution:
 

To achieve this requirement, we monitor the target address (3.2.2.2) by configuring an RPM probe.

Based on the RPM probe results, we then configure event-options to deactivate the OSPF export policy so that the routes are not exported to the internal server.

Configuration

  • RPM probe configuration to monitor target address (3.2.2.2)

set services rpm probe Failover test probe-ge probe-type icmp-ping

set services rpm probe Failover test probe-ge target address 3.2.2.2
set services rpm probe Failover test probe-ge probe-count 3
set services rpm probe Failover test probe-ge probe-interval 3
set services rpm probe Failover test probe-ge test-interval 3
set services rpm probe Failover test probe-ge thresholds successive-loss 3
set services rpm probe Failover test probe-ge thresholds total-loss 3
set services rpm probe Failover test probe-ge source-address 10.219.19.96
  • event-options configuration to deactivate OSPF export when the probe fails: 

set event-options policy SLA_MONITOR events ping_probe_failed
set event-options policy SLA_MONITOR attributes-match ping_probe_failed.test-owner matches Failover
set event-options policy SLA_MONITOR attributes-match ping_probe_failed.test-name matches probe-ge
set event-options policy SLA_MONITOR then change-configuration commands "deactivate protocols ospf export Static_OSPF"
set event-options policy SLA_MONITOR then change-configuration commands "activate event-options policy MONITOR_EVENT"
  • event-options configuration to activate OSPF export when the destination is reachable

set event-options policy MONITOR_EVENT events ping_test_completed
set event-options policy MONITOR_EVENT attributes-match ping_test_completed.test-owner matches Failover
set event-options policy MONITOR_EVENT attributes-match ping_test_completed.test-name matches probe-ge
set event-options policy MONITOR_EVENT then change-configuration commands "activate protocols ospf export Static_OSPF"
set event-options policy MONITOR_EVENT then change-configuration commands "deactivate event-options policy MONITOR_EVENT"

How it Works

When the ping is successful, the event-options policy MONITOR_EVENT is triggered. It activates the OSPF export policy, which enables the routes to be redistributed.

After the OSPF export policy is activated, the event-options policy then changes the configuration to deactivate itself. 

Note: In the above configuration, it is very important to include the change-configuration commands that deactivate and activate the MONITOR_EVENT policy. If MONITOR_EVENT is not deactivated, then as long as the link is up and the ping is successful, event-options will keep executing the policy and changing the configuration to activate the OSPF export policy, which increases CPU utilization by the eventd and mgd processes. If this continues, it has a considerable impact on the Routing Engine's CPU. Hence it is important to deactivate the event-options policy MONITOR_EVENT and activate it only when the link is down.

When the link is down, the probe to the target address fails. Following this event, the event-options policy SLA_MONITOR is triggered, which deactivates the OSPF export policy to stop route redistribution to the internal router.

After deactivating the OSPF export policy, SLA_MONITOR activates the event-options policy MONITOR_EVENT so that when the link is up again, MONITOR_EVENT activates the OSPF export policy.

Results Verification

  1. When the ping is successful:

root@jtac-srx340-r2016> ping 3.2.2.2  
PING 3.2.2.2 (3.2.2.2): 56 data bytes
64 bytes from 3.2.2.2: icmp_seq=0 ttl=64 time=12.314 ms
64 bytes from 3.2.2.2: icmp_seq=1 ttl=64 time=7.593 ms
64 bytes from 3.2.2.2: icmp_seq=2 ttl=64 time=6.588 ms
^C
--- 3.2.2.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.588/8.832/12.314/2.496 ms

root@jtac-srx340-r2016> show configuration event-options         
policy SLA_MONITOR {
    events ping_probe_failed;
    attributes-match {
        ping_probe_failed.test-owner matches Failover;
        ping_probe_failed.test-name matches probe-ge;
    }
    then {
        change-configuration {
            commands {
                "deactivate protocols ospf export Static_OSPF";
                "activate event-options policy MONITOR_EVENT";
            }
        }
    }
}
inactive: policy MONITOR_EVENT {
    events ping_test_completed;
    attributes-match {
        ping_test_completed.test-owner matches Failover;
        ping_test_completed.test-name matches probe-ge;
    }
    then {
        change-configuration {
            commands {                  
                "activate protocols ospf export Static_OSPF";
                "deactivate event-options policy MONITOR_EVENT";
            }
        }
    }
}

root@jtac-srx340-r2016> show configuration protocols ospf export | display set    
set protocols ospf export Static_OSPF
  2. When the probe fails:

root@jtac-srx340-r2016> ping 3.2.2.2                        
PING 3.2.2.2 (3.2.2.2): 56 data bytes
^C
--- 3.2.2.2 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

root@jtac-srx340-r2016> show configuration event-options         
policy SLA_MONITOR {
    events ping_probe_failed;
    attributes-match {
        ping_probe_failed.test-owner matches Failover;
        ping_probe_failed.test-name matches probe-ge;
    }
    then {
        change-configuration {
            commands {
                "deactivate protocols ospf export Static_OSPF";
                "activate event-options policy MONITOR_EVENT";
            }
        }
    }
}
policy MONITOR_EVENT {
    events ping_test_completed;
    attributes-match {
        ping_test_completed.test-owner matches Failover;
        ping_test_completed.test-name matches probe-ge;
    }
    then {
        change-configuration {
            commands {                  
                "activate protocols ospf export Static_OSPF";
                "deactivate event-options policy MONITOR_EVENT";
            }
        }
    }
}

root@jtac-srx340-r2016> show configuration protocols ospf export | display set    
deactivate protocols ospf export Static_OSPF

root@jtac-srx340-r2016> show log messages | match eventd                      
Jan 14 jtac-srx340-r2016 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy SLA_MONITOR with user root privileges
Jan 14 jtac-srx340-r2016 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy SLA_MONITOR with user root privileges
Jan 14 jtac-srx340-r2016 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy SLA_MONITOR with user root privileges
Jan 14 jtac-srx340-r2016 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy SLA_MONITOR with user root privileges
Jan 14 jtac-srx340-r2016 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy SLA_MONITOR with user root privileges
Jan 14 jtac-srx340-r2016 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy SLA_MONITOR with user root privileges
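
The Note under "How it Works" describes an event policy that keeps committing configuration changes, and the eventd messages above are where that shows up. The following is an added example, not part of the original article or Juniper's code: a Python check over exported `messages` lines that flags a policy committing too often and lists the policies whose changes run with root privileges. The HH:MM:SS timestamp field, the threshold, the window and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# eventd message format as shown in the article. The HH:MM:SS field is an
# assumption (standard syslog timestamp); the article's excerpt shows only the date.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+eventd: "
    r"EVENTD_CONFIG_CHANGE_SUCCESS: .*while executing policy (?P<policy>\S+) "
    r"with user (?P<user>\S+) privileges"
)

def parse(lines, year=2021):
    """Yield (timestamp, policy, user) for each successful eventd commit."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["policy"], m["user"]

def find_commit_storms(lines, max_commits=3, window_s=60):
    """Return {policy: peak count} for policies that make more than
    max_commits configuration changes inside any window_s-second window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # policy -> commit times still in window
    peaks = {}
    for ts, policy, _user in parse(lines):
        q = recent[policy]
        q.append(ts)
        while ts - q[0] > window:        # drop commits older than the window
            q.popleft()
        if len(q) > max_commits:
            peaks[policy] = max(peaks.get(policy, 0), len(q))
    return peaks

def policies_running_as(lines, user="root"):
    """Policies whose change-configuration action committed as `user`."""
    return sorted({p for _ts, p, u in parse(lines) if u == user})

# Constructed sample lines (not device output): MONITOR_EVENT committing every
# 3 seconds, as it would if it never deactivated itself, plus one SLA_MONITOR commit.
_HDR = ("jtac-srx340-r2016 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: "
        "Configuration change successful: while executing policy")
SAMPLE = [f"Jan 14 10:00:{s:02d} {_HDR} MONITOR_EVENT with user root privileges"
          for s in range(0, 18, 3)]
SAMPLE.append(f"Jan 14 10:05:00 {_HDR} SLA_MONITOR with user root privileges")

if __name__ == "__main__":
    print(find_commit_storms(SAMPLE))
    print(policies_running_as(SAMPLE))
```

Set `max_commits` and `window_s` from the probe timing in use; a policy that appears in the result is committing on every event rather than once per state change.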
