SRX

We tried sending logs with TCP tranport and observing the same behavior but we were able to collect the following errors if its helpful:

Aug  6 16:21:46 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/116 Dest_Syslog_IP/514 
Aug  6 16:30:06 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/118 Dest_Syslog_IP/514 
Aug  6 16:30:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK status: 0, Error code: major 3 minor 5 code 500, description:TCP connection closed by unknown reason 
Aug  6 16:30:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK Error code: major 3 minor 5 code 500, description:TCP connection closed by unknown reason 
Aug  6 16:30:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK Com 117 abort 
Aug  6 16:38:33 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/121 Dest_Syslog_IP/514 
Aug  6 16:38:33 SRX4100-FW RT_SYSTEM Connection close SPLUNK TCP FW_SRC_IP/120 Dest_Syslog_IP/514 
Aug  6 16:38:33 SRX4100-FW RT_SYSTEM Connection error SPLUNK connection in busy state ESTABLISHED for 30 seconds,abort 
Aug  6 17:00:02 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/123 Dest_Syslog_IP/514 
Aug  6 17:06:08 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/125 Dest_Syslog_IP/514 
Aug  6 17:06:08 SRX4100-FW RT_SYSTEM Connection close SPLUNK TCP FW_SRC_IP/124 Dest_Syslog_IP/514 
Aug  6 17:06:08 SRX4100-FW RT_SYSTEM Connection error SPLUNK connection in busy state ESTABLISHED for 30 seconds,abort 
Aug  6 17:30:02 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/127 Dest_Syslog_IP/514 
Aug  6 17:40:08 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/131 Dest_Syslog_IP/514 
Aug  6 17:40:08 SRX4100-FW RT_SYSTEM Connection close SPLUNK TCP FW_SRC_IP/130 Dest_Syslog_IP/514 
Aug  6 17:40:08 SRX4100-FW RT_SYSTEM Connection error SPLUNK connection in busy state ESTABLISHED for 30 seconds,abort 
Aug  6 18:00:02 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/132 Dest_Syslog_IP/514 
Aug  6 18:07:06 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/135 Dest_Syslog_IP/514 
Aug  6 18:07:06 SRX4100-FW RT_SYSTEM Connection close SPLUNK TCP FW_SRC_IP/134 Dest_Syslog_IP/514 
Aug  6 18:07:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK connection in busy state ESTABLISHED for 30 seconds,abort 
Aug  6 18:12:05 SRX4100-FW RT_SYSTEM Connection close junosspaceSD TCP FW_SRC_IP/78 172.31.237.38/514 
Aug  6 18:12:05 SRX4100-FW RT_SYSTEM Connection close SPLUNK TCP FW_SRC_IP/137 Dest_Syslog_IP/514 
Aug  6 18:12:07 SRX4100-FW RT_SYSTEM Connection established junosspaceSD TCP FW_SRC_IP/139 172.31.237.38/514 
Aug  6 18:12:07 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/138 Dest_Syslog_IP/514 
Aug  6 18:22:22 SRX4100-FW RT_SYSTEM Connection close junosspaceSD TCP FW_SRC_IP/139 172.31.237.38/514 
Aug  6 18:22:22 SRX4100-FW RT_SYSTEM Connection close SPLUNK TCP FW_SRC_IP/138 Dest_Syslog_IP/514 
Aug  6 18:22:24 SRX4100-FW RT_SYSTEM Connection established junosspaceSD TCP FW_SRC_IP/141 172.31.237.38/514 
Aug  6 18:22:24 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/140 Dest_Syslog_IP/514 
Aug  6 18:23:27 SRX4100-FW RT_SYSTEM Connection close junosspaceSD TCP FW_SRC_IP/141 172.31.237.38/514 
Aug  6 18:23:27 SRX4100-FW RT_SYSTEM Connection close SPLUNK TCP FW_SRC_IP/140 Dest_Syslog_IP/514 
Aug  6 18:23:28 SRX4100-FW RT_SYSTEM Connection established junosspaceSD TCP FW_SRC_IP/143 172.31.237.38/514 
Aug  6 18:23:28 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/142 Dest_Syslog_IP/514 
Aug  6 18:30:06 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/145 Dest_Syslog_IP/514 
Aug  6 18:30:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK status: 0, Error code: major 3 minor 5 code 500, description:TCP connection closed by unknown reason 
Aug  6 18:30:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK Error code: major 3 minor 5 code 500, description:TCP connection closed by unknown reason 
Aug  6 18:30:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK Com 144 abort 
Aug  6 18:37:28 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/148 Dest_Syslog_IP/514 
Aug  6 18:39:46 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/149 Dest_Syslog_IP/514 
Aug  6 18:39:46 SRX4100-FW RT_SYSTEM Connection close SPLUNK TCP FW_SRC_IP/148 Dest_Syslog_IP/514 
Aug  6 18:39:46 SRX4100-FW RT_SYSTEM Connection error SPLUNK connection in busy state ESTABLISHED for 30 seconds,abort 
Aug  6 19:00:06 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/153 Dest_Syslog_IP/514 
Aug  6 19:00:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK status: 0, Error code: major 3 minor 5 code 500, description:TCP connection closed by unknown reason 
Aug  6 19:00:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK Error code: major 3 minor 5 code 500, description:TCP connection closed by unknown reason 
Aug  6 19:00:06 SRX4100-FW RT_SYSTEM Connection error SPLUNK Com 152 abort 
Aug  6 19:10:20 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/157 Dest_Syslog_IP/514 
Aug  6 19:10:20 SRX4100-FW RT_SYSTEM Connection close SPLUNK TCP FW_SRC_IP/156 Dest_Syslog_IP/514 
Aug  6 19:10:20 SRX4100-FW RT_SYSTEM Connection error SPLUNK connection in busy state ESTABLISHED for 30 seconds,abort 
Aug  6 19:30:04 SRX4100-FW RT_SYSTEM Connection established SPLUNK TCP FW_SRC_IP/158 Dest_Syslog_IP/514 

------------------------------
Fawad Saleem
------------------------------

Looking at the graph, while the green blocks are not exactly evenly spaced, they do seem to be evenly sized.

I'm wondering if it's maybe some sort of a session timeout. Are you using UDP transport? Have you tried switching the transport protocol?

Hi Nikolay, 

Good to hear from you. 

Yes, we are using UDP transport. But for the sake of trial, I did change the stream mode transport to TCP, and there is a behaviour change. With UDP, I was losing logs for the duration where logs were dropping. Now, with TCP, I am still experiencing drops, but logs for that duration are being recovered now. Which also helped me to catch the errors due to which logs were dropping. I have added s some additional logs in the main post. Can you take a look at them?

------------------------------
Fawad Saleem
------------------------------

What's interesting about the log snippet is that it doesn't include any "error" lines for junosspaceSD, only SPLUNK. Can you check more logs to confirm that's true? I may have missed something...

As a test, you could deactivate SPLUNK logging altogether and leave just junosspaceSD and see if your monitoring graph will continue to show the same dips, though I'm not sure exactly what you're monitoring there.

The graph which you saw above is directly from splunk. Green bars are the events mapped against the time. The empty spaces in between the green bars are the dips. 

your observation is correct about junosspace. I don't observe the dips over there. Dips are only against the splunk despite both are logged via same revenue port. 

Earlier you had mentioned that you see the dips in Security Director as well. With TCP transport SD seems to be working fine. Can you confirm that with UDP transport logs to SD are dropping?

I'm just trying to confirm that SD good SPLUNK bad.

If that's the case, then you'll have to consider what's between the SRX and the SPLUNK ingestion point. From the logs, it would appear that the TCP connection to SPLUNK is established, but at some point TCP doesn't see an ACKnowledgment for 30 seconds and closes out the connection, which is normal TCP behavior dead connections. That, combined with the Splunk stats for the UDP transport suggests the forward traffic from SRX to Splunk is getting lost somewhere, and potentially also any return traffic from Splunk to SRX.

If you can double-check and confirm that Junos Space SD is ingesting logs normally without a problem, then I think we can reasonably exclude the SRX as the source of the problem.