Routing


CGNAT Syslog

  • 1.  CGNAT Syslog

    Posted 05-21-2020 08:35

    Hi, I set up sending NAT event logs to an external server; here is my config:

    service-set NAT {
        syslog {
            host 1.1.1.1 {
                services any;
                class {
                    session-logs {
                        open;
                    }
                    nat-logs;
                }
                source-address 172.31.255.1;
            }
        }
        nat-rules FIRST_RULE;
        next-hop-service {
            inside-service-interface ms-0/2/0.4090;
            outside-service-interface ms-0/2/0.4091;
        }
    }

    But on the server I see only a few messages in 15 minutes, while the output of the command shows a lot more messages:

    Interface: ms-0/2/0
      Service-set: NAT
        Host: 1.1.1.1
          Sent: 1106614
          Dropped: 868159
          Session open logs:
            Sent: 694117
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          Session close logs:
            Sent: 0
            Dropped: 692504 (low priority: 0, none severity: 0, no class set: 692504, above rate limit: 0)
          Packet logs:
            Sent: 0
            Dropped: 175655 (low priority: 0, none severity: 0, no class set: 175655, above rate limit: 0)
          Stateful firewall logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          ALG logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          NAT logs:
            Sent: 412497
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          IDS logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          PCP MAP logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          PCP protocol logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          PCP protocol error logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          PCP debug logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          HA open sync logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          HA close sync logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          DET_NAT_CONFIG logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          URL Filtering logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          Other logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)

     

    test@TEST> show configuration interfaces ms-0/2/0 
    unit 0 {
        family inet {
            address 172.31.255.1/32;
        }
    }

    What am I doing wrong?
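The counters in the post already separate two kinds of loss: logs the MX never sent (the per-class "Dropped" lines, here all with reason "no class set") and logs that were sent but never reached the collector (host-level "Sent" versus what the server stored). The following parser and triage helper is an added example written for this thread; it is not Juniper tooling and not the poster's code. It embeds an abbreviated copy of the statistics output from the post (the numbers are the thread's own) and takes the collector-side count as an argument; the knob names it suggests for the "no class set" reason (`session-logs close`, `packet-logs`) are the standard Junos `syslog host ... class` options, which the poster's config does not enable.

```python
"""Triage Junos service-set syslog drop counters.

Splits log loss into "on-box" (the MX dropped the message itself, with the
reason it gives) and "path" (the MX sent it, the collector never saw it).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: abbreviated from the statistics output in the post above.
SAMPLE = """\
Interface: ms-0/2/0
  Service-set: NAT
    Host: 1.1.1.1
      Sent: 1106614
      Dropped: 868159
      Session open logs:
        Sent: 694117
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      Session close logs:
        Sent: 0
        Dropped: 692504 (low priority: 0, none severity: 0, no class set: 692504, above rate limit: 0)
      Packet logs:
        Sent: 0
        Dropped: 175655 (low priority: 0, none severity: 0, no class set: 175655, above rate limit: 0)
      NAT logs:
        Sent: 412497
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
"""

# What each drop reason means in practice and where to look first.
HINTS = {
    "no class set": "log class not enabled under 'syslog host <ip> class' "
                    "(e.g. 'session-logs close', 'packet-logs'); enable it or accept the drop",
    "above rate limit": "per-host syslog rate limit reached; raise it or send fewer classes",
    "low priority": "message severity is below the configured threshold",
    "none severity": "message has no severity mapped; check facility/severity settings",
}

CATEGORY_RE = re.compile(r"^\s+(?P<name>\S.*? logs):\s*$")
SENT_RE = re.compile(r"^\s+Sent:\s+(?P<n>\d+)\s*$")
DROPPED_RE = re.compile(r"^\s+Dropped:\s+(?P<n>\d+)(?:\s+\((?P<reasons>[^)]*)\))?\s*$")


@dataclass
class LogClass:
    sent: int = 0
    dropped: int = 0
    reasons: Dict[str, int] = field(default_factory=dict)


@dataclass
class HostStats:
    host: str = ""
    sent: int = 0          # host-level total handed to the wire
    dropped: int = 0       # host-level total dropped on the box
    classes: Dict[str, LogClass] = field(default_factory=dict)


def parse_reasons(text: str) -> Dict[str, int]:
    """'low priority: 0, no class set: 5' -> {'low priority': 0, 'no class set': 5}."""
    out: Dict[str, int] = {}
    for part in text.split(","):
        reason, _, count = part.rpartition(":")
        out[reason.strip()] = int(count)
    return out


def parse_syslog_stats(text: str) -> HostStats:
    """Parse one host block of the service-set syslog statistics output."""
    stats = HostStats()
    current: Optional[LogClass] = None   # None while still in the host-level lines
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Host:"):
            stats.host = stripped.split(":", 1)[1].strip()
            current = None
            continue
        m = CATEGORY_RE.match(line)
        if m:
            current = LogClass()
            stats.classes[m.group("name")] = current
            continue
        m = SENT_RE.match(line)
        if m:
            n = int(m.group("n"))
            if current is None:
                stats.sent = n
            else:
                current.sent = n
            continue
        m = DROPPED_RE.match(line)
        if m:
            n = int(m.group("n"))
            if current is None:
                stats.dropped = n
            else:
                current.dropped = n
                current.reasons = parse_reasons(m.group("reasons") or "")
    return stats


def diagnose(stats: HostStats,
             received_at_collector: Optional[int] = None) -> List[Tuple[str, str, str, int]]:
    """Return (where, subject, reason, count) findings.

    'on-box' findings come straight from the per-class drop reasons; a 'path'
    finding is raised when the collector saw far fewer messages than the box
    reports as sent, which points at the network between them, not the config.
    """
    findings: List[Tuple[str, str, str, int]] = []
    for name, cls in stats.classes.items():
        for reason, n in cls.reasons.items():
            if n:
                findings.append(("on-box", name, reason, n))
    if received_at_collector is not None and stats.sent:
        delivered = received_at_collector / stats.sent
        if delivered < 0.9:
            findings.append(("path", stats.host, f"{delivered:.4%} delivered",
                             stats.sent - received_at_collector))
    return findings


if __name__ == "__main__":
    s = parse_syslog_stats(SAMPLE)
    # The thread's last post reports roughly 20 messages received overnight.
    for where, subject, reason, count in diagnose(s, received_at_collector=20):
        hint = HINTS.get(reason, "check the firewall/path between MX and collector")
        print(f"[{where}] {subject}: {count} lost ({reason}) -> {hint}")
```

Run against the post's own numbers it reports two on-box findings (session close and packet logs, both "no class set", which the config explains) and one path finding: over a million messages left the box and about twenty arrived, so the remaining loss is between the MX and the collector, which is exactly where the accepted answer below points.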



  • 2.  RE: CGNAT Syslog

    Posted 05-21-2020 08:59

    Hello,

     

    Is the 1.1.1.1 the actual address You are using in Your network for CGNAT syslog server, or is it an attempt to sanitize config?

    If the former then it is a bad choice because it belongs to Cloudflare public DNS server.

    So, if You are running a full table and have also configured 1.1.1.1 somewhere in Your network, then You are bumping into the well-known duplicate IP problem, where all sorts of weird things can happen.

    HTH

    Thx

    Alex 



  • 3.  RE: CGNAT Syslog

    Posted 05-22-2020 01:23

    @aarseniev wrote:

    Hello,

     

    Is the 1.1.1.1 the actual address You are using in Your network for CGNAT syslog server, or is it an attempt to sanitize config?

    If the former then it is a bad choice because it belongs to Cloudflare public DNS server.

    So, if You are running a full table and have also configured 1.1.1.1 somewhere in Your network, then You are bumping into the well-known duplicate IP problem, where all sorts of weird things can happen.

    HTH

    Thx

    Alex 



    Of course not. I replaced my real address to hide it.



  • 4.  RE: CGNAT Syslog
    Best Answer

    Posted 05-22-2020 03:40

    Hello,

     


    @xamza1412 wrote:


    Of course not. I replaced my real address to hide it.


     

     

    Ok fine.

    Is there a firewall between the MX and the syslog server? If yes, have You checked it for alleged "UDP flood attack" events coming from the 172.31.255.1 source IP, and disabled UDP flood detection for the 172.31.255.1 address?

     

    HTH

    Thx

    Alex

     

     



  • 5.  RE: CGNAT Syslog

    Posted 05-22-2020 03:47

    @aarseniev wrote:

    Hello,

     


    @xamza1412 wrote:


    Of course not. I replaced my real address to hide it.


     

     

    Ok fine.

    Is there a firewall between the MX and the syslog server? If yes, have You checked it for alleged "UDP flood attack" events coming from the 172.31.255.1 source IP, and disabled UDP flood detection for the 172.31.255.1 address?

     

    HTH

    Thx

    Alex

     

     


     

    Oooo, my friend :) this is my mistake, the firewall. LOL



  • 6.  RE: CGNAT Syslog

    Posted 05-22-2020 01:28

    @xamza1412 wrote:

    Hi, I set up sending NAT event logs to an external server; here is my config:

    service-set NAT {
        syslog {
            host 1.1.1.1 {
                services any;
                class {
                    session-logs {
                        open;
                    }
                    nat-logs;
                }
                source-address 172.31.255.1;
            }
        }
        nat-rules FIRST_RULE;
        next-hop-service {
            inside-service-interface ms-0/2/0.4090;
            outside-service-interface ms-0/2/0.4091;
        }
    }

    But on the server I see only a few messages in 15 minutes, while the output of the command shows a lot more messages:

    Interface: ms-0/2/0
      Service-set: NAT
        Host: 1.1.1.1
          Sent: 1106614
          Dropped: 868159
          Session open logs:
            Sent: 694117
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          Session close logs:
            Sent: 0
            Dropped: 692504 (low priority: 0, none severity: 0, no class set: 692504, above rate limit: 0)
          Packet logs:
            Sent: 0
            Dropped: 175655 (low priority: 0, none severity: 0, no class set: 175655, above rate limit: 0)
          Stateful firewall logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          ALG logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          NAT logs:
            Sent: 412497
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          IDS logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          PCP MAP logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          PCP protocol logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          PCP protocol error logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          PCP debug logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          HA open sync logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          HA close sync logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          DET_NAT_CONFIG logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          URL Filtering logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
          Other logs:
            Sent: 0
            Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)

     

    test@TEST> show configuration interfaces ms-0/2/0 
    unit 0 {
        family inet {
            address 172.31.255.1/32;
        }
    }

    What am I doing wrong?


    Over the whole night only about 20 messages arrived on the syslog server, while there are 400 subscribers on the BRAS.