[Junos] Error message seen during ACL changes

Article ID: KB36886 KB Last Updated: 04 May 2021 Version: 1.0
Summary:

The following error message is seen on Junos 14.1 while making configuration changes related to firewall filters:

mib2d[30812]: %DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: fw_async_stat_timer_handler: failed in get_fw_list_async PROTECTRE-FILTER(0,0): 10 (Operation timed out)
Symptoms:

Errors like these may appear for a few minutes, or even up to 20-30 minutes, after performing firewall filter configuration changes on a device. The errors appear for any existing firewall filter configured on the device, even though the configuration changes being committed at the time of the errors are NOT directly related to that filter:

mib2d[30812]: %DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: fw_async_stat_timer_handler: failed in get_fw_list_async PROTECTRE-FILTER(0,0): 10 (Operation timed out)
Cause:

In Junos 14.1 and higher, firewall filter updates are, by design, performed in an "async" manner while learning filters and counters; prior to that, they were "sync". Hence, if the kernel/PFE does not respond in time (max 10 sec), mib2d logs these messages. Eventually, mib2d will retry and learn all filters and counters.

Solution:

These messages are harmless, especially if seen during reboot or during configuration updates. Eventually, mib2d will learn all filters and counters. This can be verified by running snmpwalk on the firewall table and 'show firewall' in parallel, then comparing the results.

The log message is due to the "async" mode of implementing SNMP updates. For example, if for any reason mib2d does not receive a response from the PFE (such as a busy PFE), the system will continue without waiting for a response. If the FPC is busy, mib2d will get a timeout error and then retry, and the above-mentioned log messages are seen. Eventually, mib2d will get all the firewall filter entries from the PFE by retrying.
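
When reviewing syslog after a commit, it helps to confirm that the timeouts stay within the 20-30 minute period described under Symptoms. The following Python script is an added example, not Juniper code or part of the original article: it parses the message format quoted above, counts timeouts per filter, and marks any filter still logging them more than 30 minutes after a commit. The ISO 8601 timestamp and hostname prefix, the operator-supplied commit time, and the filter name EDGE-IN are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Matches the mib2d message quoted in this article. The leading ISO 8601
# timestamp and hostname are an assumed syslog layout, not from the article.
MIB2D_RE = re.compile(
    r"^(?P<ts>\S+) \S+ mib2d\[\d+\]: %DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: "
    r"fw_async_stat_timer_handler: failed in get_fw_list_async "
    r"(?P<filter>[^\s(]+)\(\d+,\d+\): 10 \(Operation timed out\)"
)
MSG = ("mib2d[30812]: %DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: "
       "fw_async_stat_timer_handler: failed in get_fw_list_async "
       "{}(0,0): 10 (Operation timed out)")

# Constructed sample log (host r1, filter EDGE-IN and all times are made up).
SAMPLE_LOG = [
    "2021-05-04T10:00:12 r1 " + MSG.format("PROTECTRE-FILTER"),
    "2021-05-04T10:01:00 r1 " + MSG.format("EDGE-IN"),
    "2021-05-04T10:02:00 r1 cron[4100]: (root) CMD (newsyslog)",
    "2021-05-04T10:04:40 r1 " + MSG.format("PROTECTRE-FILTER"),
    "2021-05-04T10:18:03 r1 " + MSG.format("PROTECTRE-FILTER"),
    "2021-05-04T10:47:30 r1 " + MSG.format("EDGE-IN"),
]


def triage(lines, commit_time, window=timedelta(minutes=30)):
    """Count timeouts per filter after commit_time and mark filters that are
    still logging them once the window (30 minutes by default) has passed."""
    report = {}
    for line in lines:
        m = MIB2D_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        if ts < commit_time:
            continue  # precedes the commit being examined
        entry = report.setdefault(
            m["filter"], {"count": 0, "last": ts, "status": "within_window"})
        entry["count"] += 1
        entry["last"] = max(entry["last"], ts)
        if ts - commit_time > window:
            entry["status"] = "beyond_window"
    return report


if __name__ == "__main__":
    commit = datetime(2021, 5, 4, 10, 0, 0)  # constructed commit time
    for name, e in triage(SAMPLE_LOG, commit).items():
        print(f"{name}: {e['count']} timeouts, last {e['last']}, {e['status']}")
```

A filter reported as beyond_window is a candidate for the snmpwalk and 'show firewall' comparison described in the Solution.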