SRX


SRX300-series with routing-instance is not sending flow-related syslog

  • 1.  SRX300-series with routing-instance is not sending flow-related syslog

    Posted 08-24-2020 00:52

    Hi,

    I have an SRX300, configured the same way as older SRX 2XX devices. The major difference is that this one is running the newer JunOS version.

    The syslog server is hosted remotely. The controller logs from the platform are showing up, but nothing related to the traffic.

    I have a custom routing-instance that has the knowledge of the network.

    There is forwarding (next-table) between the default instance and the custom vr. So the routing between them looks fine, both ways.

    show configuration security log | display set
    set security log mode stream
    set security log format sd-syslog
    set security log source-address 172.22.1.7
    set security log stream JSA format sd-syslog
    set security log stream JSA category all
    set security log stream JSA host 172.25.2.1
    set security log stream JSA host port 514
    set security log stream JSA host routing-instance client_VR

     

    Any good ideas if there is any basic stuff I missed? Or any ideas for troubleshooting?

    I can see these logs at the JSA (checking via tcpdump):

    set system syslog user * any emergency
    set system syslog host 172.25.2.1 any any
    set system syslog host 172.25.2.1 match "!.(Failed to connect to the server after 0 retries)|(!.*Time since last watchdog strob.*)"
    set system syslog host 172.25.2.1 structured-data

     

    Thanks in advance!

    //Rob



  • 2.  RE: SRX300-series with routing-instance is not sending flow-related syslog

     
    Posted 08-25-2020 02:45
    Some recommendations:

    Make sure logs are being forwarded through revenue (transit) interfaces and not via the management fxp0 interface.

    Make sure your security policies are configured with at least log at session close, but logging at session init is a plus.

    The syslog-related traffic is usually sourced from the master routing instance of the firewall. So, if the syslog server is not reachable via the master instance, but only reachable via an interface on the custom VR, there has to be a static route configured in the master instance with a destination belonging to the syslog server, using the next table of the custom VR (e.g. custom-vr.inet.0).

    This config (set security log stream JSA host routing-instance client_VR) might not be required. As stated earlier, syslog traffic has to be sourced from the master instance, although the source of syslog traffic can be a transit interface on the custom VR.

    Verify end-to-end reachability between the firewall and the syslog server. If there are any intermediate firewalls in the path, ensure that syslog communication is allowed.

    Just to confirm: the source address (172.22.1.7) belongs to a transit interface on the custom VR, correct?




  • 3.  RE: SRX300-series with routing-instance is not sending flow-related syslog

     
    Posted 08-25-2020 02:50
    If the above doesn’t help, please share the output of the show route 172.22.1.7 | no-more command from the firewall.


  • 4.  RE: SRX300-series with routing-instance is not sending flow-related syslog
    Best Answer

    Posted 08-26-2020 00:55

    Hello Rob,

     

    I would suggest you follow the checks below to resolve this issue.

     

    1. If ping is allowed on your syslog server, test the reachability of the server from the SRX's routing instance, e.g. user@host> ping 172.25.2.1 routing-instance client_VR
    2. Check the routing table and forwarding table to determine whether the routes are active, e.g. user@host> show route 172.25.2.1 and user@host> show route forwarding-table 172.25.2.1
    3. Please note that only for the security policies which were configured with session_init or session_close or both will the streams be generated and sent out to your server. Check whether you have configured the logging under the security policy.
    4. If the logging is configured under the security policy, check in the security flow sessions whether traffic is hitting the policy where we have configured the logging.
    5. I assume you haven't configured any firewall filter in the outbound direction blocking port 514 on the loopback or the egress interface.
    6. Finally, if all of the above are properly set, then I would suggest you configure packet captures on the SRX to determine whether the stream logs are sent out. Follow this link for configuring PCAP: https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709&actp=METADATA
    7. If you are seeing the SRX sending the logs out, then the problem resides with a next-hop device or the syslog server itself.
    8. If you don't see the SRX sending the logs out in the packet captures, just deactivate and activate the security logs once.

    e.g.

    user@host# deactivate security log

    user@host# commit

    user@host# activate security log

    user@host# commit
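    Putting replies 2 and 4 together as one Junos set-style configuration plus the verification sequence (an added illustration, not configuration from this thread or from Juniper; the zone names trust/untrust, the policy name allow-web and the application junos-http are assumptions, while the addresses and the client_VR instance are taken from the thread):

```junos
# Added illustration, not configuration from this thread. Addresses and the
# client_VR instance come from the thread; zone names, policy name and the
# application are assumptions.

# Reply 2: syslog traffic is sourced from the master instance, so give inet.0
# a route to the syslog server that hands the lookup to the custom VR.
set routing-options static route 172.25.2.1/32 next-table client_VR.inet.0

# Stream mode, sd-syslog format, sourced from a transit-interface address in
# client_VR (same values as the original post).
set security log mode stream
set security log format sd-syslog
set security log source-address 172.22.1.7
set security log stream JSA format sd-syslog
set security log stream JSA category all
set security log stream JSA host 172.25.2.1
set security log stream JSA host port 514
# 'host routing-instance client_VR' is left out: reply 2 notes it may not be
# required once the next-table route above exists.

# Replies 2 and 4: flow logs are only generated for policies that log. Without
# the 'then log' lines a permitted session produces no session log at all.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

# Verification in operational mode, in the order reply 4 gives:
#   user@host> ping 172.25.2.1 routing-instance client_VR
#   user@host> show route 172.25.2.1
#   user@host> show route forwarding-table destination 172.25.2.1
#   user@host> show security flow session destination-port 80
# If the route and sessions look right but nothing reaches the collector,
# reply 4's final step (deactivate/commit/activate/commit of 'security log')
# is what resolved it for the original poster.
```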



  • 5.  RE: SRX300-series with routing-instance is not sending flow-related syslog

    Posted 08-31-2020 01:25

    Hi, 

    Thanks for the troubleshooting-lineup.

    The last step solved it (!!!!!), so I did a deactivate security log, then commit confirmed 1.

    The log started to flow from the box as expected.

     

    ...so much time spent on solving this, and it came down to that!

     

    Thanks!

     

    //Rob