
SNMP walk on firewall counters break with 'Request failed: General Error'

Article ID: KB37379 KB Last Updated: 08 Sep 2021 Version: 1.0
Summary:

An error occurs when walking through firewall MIBs in a scenario with list filters on both inet and inet6 families (Dual Stack scenario) on the same IFL.

Symptoms:

This issue might be seen when a firewall filter list is applied for different families on a logical interface (via the 'input-list' or 'output-list' statement, or both, within the 'filter' stanza).

Example output:

re0> show snmp mib walk ascii 1.3.6.1.4.1.2636.3.5.2.1.5 
jnxFWCounterByteCount."xe-2/0/0.0-i"."COUNTER-xe-2/0/0.0-i".2 = 0
Request failed: General error

re0> show snmp mib walk 1.3.6.1.4.1.2636.3.5.2.1.5          
jnxFWCounterByteCount.12.120.101.45.50.47.48.47.48.46.48.45.105.20.67.79.85.78.84.69.82.45.120.101.45.50.47.48.47.48.46.48.45.105.2 = 0
Request failed: General error
Cause:

Filters attached as input-list or output-list currently have the name 'interface.unit-direction'. Refer to the technical documentation on Understanding Multiple Firewall Filters Applied as a List.

This causes an issue when filters are attached as input-list/output-list on the same interface for both the IPv4 and IPv6 families: the final filter name remains the same for both, which causes confusion at the Jvision collector. It treats both filters as one filter.

Functionally, there is no issue. The CLI command "run show firewall" shows the correct statistics for both filter lists configured for the inet and inet6 families. However, this might cause SNMP walk failure.

Solution:

This issue is fixed via the following PRs:


The fix differentiates the filter name and counter/policer name by adding the family to the filter name (PR1514141). An additional fix (PR1601761) displays all the counters if there are multiple counters configured under the firewall filter.

The earlier filter name format is:

<interface-name>.<unit>-<direction>  

Example: xe-0/0/0.10-i

After the fix, filter name format is:

<interface-name>.<unit>-<proto>-<direction> 

Example: xe-0/0/0.10-inet-i

Example output:

Without the fix:
re0> show snmp mib walk ascii 1.3.6.1.4.1.2636.3.5.2.1.5 
jnxFWCounterByteCount."xe-2/0/0.0-i"."COUNTER-xe-2/0/0.0-i".2 = 0
Request failed: General error

With the fix:
labroot@randy-re0> show snmp mib walk ascii 1.3.6.1.4.1.2636.3.5.2.1.5 
jnxFWCounterByteCount."xe-2/0/0.0-inet-i"."COUNTER-xe-2/0/0.0-i".2 = 0
jnxFWCounterByteCount."xe-2/0/0.0-inet6-i"."V6-Counter-xe-2/0/0.0-i".2 = 0
jnxFWCounterByteCount."__default_arp_policer__"."__default_arp_policer__".3 = 0
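
The two walk outputs above show that the numeric instance index is the filter name and counter name as length-prefixed ASCII, followed by the counter type. The following added example (not Juniper code) decodes either form from saved walk output and reports list filters still named in the pre-fix format; it assumes '-o' as the output-direction suffix and recognises only the inet and inet6 family tags shown in this article.

```python
import re

# Filter-name formats from the article; "-o" for output lists is an assumption.
LIST_FILTER = re.compile(r"^.+\.\d+-(?:(?P<family>inet6?)-)?[io]$")
QUOTED = re.compile(r'^"([^"]*)"\."([^"]*)"\.(\d+)$')
# Walk output copied from the article (numeric pre-fix form, ASCII post-fix form).
PRE_FIX_WALK = [
    "jnxFWCounterByteCount.12.120.101.45.50.47.48.47.48.46.48.45.105.20.67.79."
    "85.78.84.69.82.45.120.101.45.50.47.48.47.48.46.48.45.105.2 = 0",
    "Request failed: General error",
]
POST_FIX_WALK = [
    'jnxFWCounterByteCount."xe-2/0/0.0-inet-i"."COUNTER-xe-2/0/0.0-i".2 = 0',
    'jnxFWCounterByteCount."xe-2/0/0.0-inet6-i"."V6-Counter-xe-2/0/0.0-i".2 = 0',
    'jnxFWCounterByteCount."__default_arp_policer__"."__default_arp_policer__".3 = 0',
]

def decode_index(index):
    """Return (filter, counter, type) from an ASCII or numeric instance index."""
    quoted = QUOTED.match(index)
    if quoted:
        return quoted.group(1), quoted.group(2), int(quoted.group(3))
    nums = [int(n) for n in index.split(".")]
    names, pos = [], 0
    for _ in range(2):  # length-prefixed filter name, then counter name
        length = nums[pos]
        chars = nums[pos + 1:pos + 1 + length]
        if len(chars) != length:
            raise ValueError("truncated index")
        names.append("".join(map(chr, chars)))
        pos += 1 + length
    return names[0], names[1], nums[pos]

def classify_filter(name):
    """Label a filter name as 'pre-fix', 'family-qualified', or 'other'."""
    m = LIST_FILTER.match(name)
    return "other" if not m else ("family-qualified" if m.group("family") else "pre-fix")

def audit_walk(lines):
    """Return (list filters still named in the pre-fix format, walk aborted?)."""
    pre_fix, failed = set(), False
    for line in (l.strip() for l in lines):
        if line.startswith("Request failed"):
            failed = True
        elif line.startswith("jnxFWCounterByteCount."):
            flt = decode_index(line.split(" = ")[0].split(".", 1)[1])[0]
            if classify_filter(flt) == "pre-fix":
                pre_fix.add(flt)
    return sorted(pre_fix), failed
```

A pre-fix name on its own is not a fault; it becomes one when the same logical interface also carries a list filter for the other family, which is when the walk aborts.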