Somehow I can't really find the right OIDs to query the amount of allocated sessions on my SRX650 as well as the CPU-load. Anyone who could give me a hint?
jnxOperatingTable contains OIDs for components CPUs
And I seem to recall that the "SRX total session count" issue has been discussed before on this forum.
In short, this can be done by an XSLT/SLAX script periodically iterating thru all policies, executing "show security policies <policy-name> detail" printouts and summing up all "active sessions" counters, then inserting the total into Utility MIB.
Did I understand right, that I have to build some custom XSLT/SLAX-Script, that periodically hogs my box and writes the total amount into a custom MIB just to get the number of active sessions? WTF, on my SSG550 this is a single OID that I just have to query... I can't really imagine that this value is so hard to get, especially as it is also displayed on the dashboard in the WebUI.
Querying every single policy and maintaining this in a script is also out of scope, we have >150 policies and growing, as we use our box in a datacenter as shared firewall. So policies get deleted as well as new ones will be created all the time.
Regarding CPU: somehow I'm blind... I can't really figure out where to find the OIDs...
I think dashboard session count is the same as displayed by "show security flow statistics" CLI command. In that case You can write a script which executes only this command and populates Utility MIB, no need to iterate thru policies.
@packermann wrote: Regarding CPU: somehow I'm blind... I can't really figure out where to find the OIDs...
Just do "show snmp mib walk jnxoperatingTable | grep CPU" to have the OIDs displayed for You and "show snmp mib walk jnxOperatingTable | grep descr" to output descriptions for these OIDs.
With "show security flow session summary" I get the summary:
Now I have to find out, how to get this in this utility MIB.
Regarding CPU, I just get nothing back, no error but also nothing else. Do I have to activate something in the configuration to get it running? I'm running 10.1R1 on a SRX650 Cluster.
@packermann wrote: Regarding CPU, I just get nothing back, no error but also nothing else. Do I have to activate something in the configuration to get it running? I'm running 10.1R1 on a SRX650 Cluster.
Sorry, there is a typo in my previous post: jnxOperatingTable with capital O and capital T.
Apologies for that
I did exactly that... what I get is this:
OK, after some digging the SPU CPU and sessions-per-SPU can be found in JUNIPER-SRX5000-SPU-MONITORING-MIB. Despite the name saying SRX5000, it is also present on SRX650:
root@srx650> show snmp mib walk jnxJsSPUMonitoringObjectsTable
jnxJsSPUMonitoringFPCIndex.0 = 0
jnxJsSPUMonitoringFPCIndex.18 = 0
jnxJsSPUMonitoringSPUIndex.0 = 0
jnxJsSPUMonitoringSPUIndex.18 = 0
jnxJsSPUMonitoringCPUUsage.0 = 0
jnxJsSPUMonitoringCPUUsage.18 = 0
jnxJsSPUMonitoringMemoryUsage.0 = 54
jnxJsSPUMonitoringMemoryUsage.18 = 54
jnxJsSPUMonitoringCurrentFlowSession.0 = 0
jnxJsSPUMonitoringCurrentFlowSession.18 = 0
jnxJsSPUMonitoringMaxFlowSession.0 = 262144
jnxJsSPUMonitoringMaxFlowSession.18 = 262144
jnxJsSPUMonitoringCurrentCPSession.0 = 0
jnxJsSPUMonitoringCurrentCPSession.18 = 0
jnxJsSPUMonitoringMaxCPSession.0 = 0
jnxJsSPUMonitoringMaxCPSession.18 = 0
jnxJsSPUMonitoringNodeIndex.0 = 0
jnxJsSPUMonitoringNodeIndex.18 = 1
jnxJsSPUMonitoringNodeDescr.0 = node0
jnxJsSPUMonitoringNodeDescr.18 = node1
So in addition to SLAX script approach You can poll jnxJsSPUMonitoringCurrentFlowSession and jnxJsSPUMonitoringCurrentCPSession OIDs and sum up all of them to make a total, but this will require some intelligence on Your NMS platform.
Weirdly enough, my SRX650 also does not have jnxOperatingTable populated 😞
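The summing step suggested in the post above, as an added example that is not part of the original thread: it parses text saved from `show snmp mib walk jnxJsSPUMonitoringObjectsTable`, totals flow and CP sessions per cluster node, and returns a Nagios-style status. The function names and the 70%/90% thresholds are assumptions, and the session counts in the sample are constructed so the arithmetic is visible.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the walk output above (counts are made up).
SAMPLE_WALK = """\
jnxJsSPUMonitoringCurrentFlowSession.0 = 200000
jnxJsSPUMonitoringCurrentFlowSession.18 = 1200
jnxJsSPUMonitoringMaxFlowSession.0 = 262144
jnxJsSPUMonitoringMaxFlowSession.18 = 262144
jnxJsSPUMonitoringCurrentCPSession.0 = 0
jnxJsSPUMonitoringCurrentCPSession.18 = 0
jnxJsSPUMonitoringNodeDescr.0 = node0
jnxJsSPUMonitoringNodeDescr.18 = node1
"""

LINE_RE = re.compile(r"^jnxJsSPUMonitoring(\w+)\.(\d+)\s*=\s*(.*)$")

def parse_walk(text):
    """Return {row_index: {column: value}} from 'name.index = value' lines."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            column, index, value = m.groups()
            rows[int(index)][column] = value.strip()
    return dict(rows)

def session_totals(rows):
    """Sum flow and CP sessions over all SPU rows, grouped by cluster node."""
    totals = defaultdict(lambda: {"flow": 0, "cp": 0, "max_flow": 0})
    for index, cols in rows.items():
        node = cols.get("NodeDescr", f"row{index}")
        totals[node]["flow"] += int(cols.get("CurrentFlowSession", 0))
        totals[node]["cp"] += int(cols.get("CurrentCPSession", 0))
        totals[node]["max_flow"] += int(cols.get("MaxFlowSession", 0))
    return dict(totals)

def check(totals, warn=0.7, crit=0.9):
    """Nagios-style (exit_code, message) from the fullest node's flow table."""
    usable = {n: t["flow"] / t["max_flow"] for n, t in totals.items() if t["max_flow"]}
    if not usable:  # an empty walk must not be reported as healthy
        return 3, "UNKNOWN - no SPU rows returned"
    node = max(usable, key=usable.get)
    code = 2 if usable[node] >= crit else 1 if usable[node] >= warn else 0
    label = ("OK", "WARNING", "CRITICAL")[code]
    return code, f"{label} - {node} flow table {usable[node]:.0%} full"

if __name__ == "__main__":
    print(check(session_totals(parse_walk(SAMPLE_WALK))))
```

Returning UNKNOWN on an empty walk matters on these boxes, since a table that silently returns nothing would otherwise look like a firewall with zero sessions.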
Thanks a lot for your effort. This is exactly what I was looking for...
It appears that it's not just jnxOperatingTable that's not being populated on the 650; it appears to be the entire jnxBoxAnatomy from mib-jnx-chassis that is missing - this means jnxRedundancyTable is also missing, which I would also find very useful to monitor.
Can anyone verify whether this is missing only on 650 clusters, or if it's also affecting standalone 650's? Both jnxBoxAnatomy and jnxOperatingTable below it are populated on the 2 SRX100's I have in production, but both are empty on my 650 cluster. I unfortunately don't currently have any other hardware to compare.
All of my hardware is on 10.0R3.10.
FWIW I've taken this to JTAC with nothing useful as of yet - case 2040-0513-0679 if anyone else wants to reference.
Quick FYI for anyone still trying to monitor a cluster via SNMP.
PR 448885 assigned for the missing jnxBoxAnatomy MIBs when running a cluster. Verified present in all current 10.0 and 10.1 releases, no commitment yet for a fix.
Bump to the top. Any update on this?
I'm looking for a definitive guide on monitoring SRX devices via SNMP when they are clustered.
No update as of yet. I've shot an email off to my account team to see if they can get an update on the PR and see if it's at least on the roadmap for a fix, or has a targeted release.
This particular issue is terribly frustrating since it essentially breaks all monitoring functionality for the boxes, aside from interface throughput. All the goodies you might want to watch are under that jnxBoxAnatomy mib, including the chassis cluster status, and all the other good utilization stuff. I can't understand how something this (seemingly) simple and basic has gone unfixed through so many releases.
As far as a definitive guide, without those MIBS, I don't think one exists. We use nagios for monitoring and from time to time I've written some pretty nasty scripts to log in to the box, issue a show command, and parse out specific values I wanted to watch - terribly inefficient and inelegant, and not something I would use for any extended period of time.
I'll reply back to this thread when I get an update from my account team, hopefully we'll find something useful (fingers crossed for a target of 10.4.....)
Hi guys, do you know if PR 448885 will affect 10.2 & 10.3 as well?
As far as I was told when I last spoke w/ ATAC, this PR affects all current releases (at the time up to 10.3r1) and had no target release for resolution.
I have my account team following up to get an update and see if anything has changed. I'll report back here when I receive any further information.
Has anyone managed to get any updates at all on this issue from Juniper?
We are still having this issue with CPU, Memory, Disk, and Temperature on our SRX 650 clusters.
I can monitor these just fine on a SRX 3600 cluster we have though.
Anyone hear anything?
Bump to the top.
Any update on this? I would love to monitor my CPU and memory.
Just to give you an update about this: the above-mentioned PR448885 has been fixed in 10.2R3, 10.3R2, 10.4R1 and higher releases.
Basically it fixed an SNMP issue in HA cluster mode on SRX650.
Now these commands work in cluster as well:
show snmp mib walk jnxOperatingCPU
show snmp mib walk jnxBoxAnatomy