SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPSEC-VPN, Logs from remote tunnel-IP

    Posted 04-16-2024 19:55

    I configured an SRX1500 with multiple IPSEC-VPNs and saw in the logs that the remote tunnel-IP is shown with the wrong IP address. It was observed in the log that the IP is displayed reversed: 

    For example, the correct IP of the tunnel is 172.24.21.20 but the log shows 20.21.24.172. Does anyone know why this happened?

    This confusion is critical because collecting the logs on the syslog server generates alarms or events that are not real.

    Thanks in advance



    ------------------------------
    Alfonso Delgado
    ------------------------------



  • 2.  RE: IPSEC-VPN, Logs from remote tunnel-IP

    Posted 04-16-2024 20:04

    I don't follow the issue. The two addresses seem unrelated, as 172.24.21.20 is a private RFC1918 IP address typically used for the internal traffic or st0 interfaces and 20.21.24.172 is a standard public IP which would be external gateway addresses.

    Maybe share the log message that is not as expected and what you are looking for in the logs?



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: IPSEC-VPN, Logs from remote tunnel-IP

    Posted 04-17-2024 18:36

    Hi,

    I shared the message: We know the remote tunnel-ip, which is 172.28.24.14. It's an internal IP. We don't have external connections.

    "gateway name: IKE-GW-103, vpn name: IPSEC-VPN-103, tunnel-id: 131076, local tunnel-if: st0.103, remote tunnel-ip: 14.20.28.172"

    I think that's the reason, but I wanted to confirm that it is a bug.

    In my case we analyze the log with the customer and we have to give explanations for that result or that possible public IP, which is not correct because it is the internal network.

    Is there any channel to report these cases? Can we obtain any official information from the vendor? Maybe it is something related to the firmware?



    ------------------------------
    Alfonso Delgado
    ------------------------------



  • 4.  RE: IPSEC-VPN, Logs from remote tunnel-IP
    Best Answer

    Posted 04-17-2024 10:52

    Alfonso, I can confirm, I have seen the exact same behavior. It seemed to me at the time to be just a cosmetic bug, so haven't opened a support case for it yet. But you bring a good point about it throwing off logging systems.

    Steve, in some log messages, when an IP address is converted into a string, it's read in reverse byte order. So an actual endpoint IP of 192.168.0.1, for example, appears as 1.0.168.192 in the logs. It's not in every log message, but some IPs in some log messages are reversed like that.



    ------------------------------
    Nikolay Semov
    ------------------------------
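
The reversal described in the answer above can be handled on the syslog side before alerting. The following is an added example, not part of any post in this thread and not Juniper code: it checks the `remote tunnel-ip` field against an inventory of real tunnel peers and swaps the octets back only when the reversed form is a known peer. The names `KNOWN_PEERS`, `reverse_octets` and `normalize`, the peer inventory and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed peer inventory (assumption: the operator keeps a list of real tunnel peers).
KNOWN_PEERS = {"172.24.21.20", "192.168.0.1"}
# Field name as it appears in the log message quoted in this thread.
FIELD = re.compile(r"(remote tunnel-ip: )(\d{1,3}(?:\.\d{1,3}){3})")

def reverse_octets(addr):
    """Return an IPv4 address with its four octets in reverse order."""
    return str(ipaddress.IPv4Address(ipaddress.IPv4Address(addr).packed[::-1]))

def normalize(line, peers=KNOWN_PEERS):
    """Return (line, status); the address is rewritten only when status is 'corrected'."""
    m = FIELD.search(line)
    if not m:
        return line, "no-field"
    logged = m.group(2)
    try:
        flipped = reverse_octets(logged)
    except ipaddress.AddressValueError:
        return line, "unknown"      # not a valid IPv4 address, leave for an analyst
    if logged in peers and flipped in peers and logged != flipped:
        return line, "ambiguous"    # both byte orders are real peers, do not guess
    if logged in peers:
        return line, "ok"
    if flipped in peers:
        fixed = line[:m.start(2)] + flipped + line[m.end(2):]
        return fixed, "corrected"
    return line, "unknown"          # neither byte order is a known peer

# Constructed sample lines modelled on the format quoted in the thread.
SAMPLES = [
    "vpn name: IPSEC-VPN-1, local tunnel-if: st0.1, remote tunnel-ip: 20.21.24.172",
    "vpn name: IPSEC-VPN-2, local tunnel-if: st0.2, remote tunnel-ip: 192.168.0.1",
    "vpn name: IPSEC-VPN-3, local tunnel-if: st0.3, remote tunnel-ip: 8.8.8.8",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```

Lines with status `unknown` or `ambiguous` are passed through unchanged so that a genuinely unexpected peer address still reaches the analyst.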



  • 5.  RE: IPSEC-VPN, Logs from remote tunnel-IP

    Posted 04-17-2024 18:36

    Thanks Nikolay,

    I think that's the reason, but I wanted to confirm that it is a bug.

    In my case we analyze the log with the customer and we have to give explanations for that result or that possible public IP, which is not correct because it is the internal network.

    Is there any channel to report these cases? Maybe it is related to the firmware version?

    Thanks.



    ------------------------------
    Alfonso Delgado
    ------------------------------



  • 6.  RE: IPSEC-VPN, Logs from remote tunnel-IP

    Posted 04-17-2024 18:44

    You should open a case with Juniper TAC if you have an active support contract.



    ------------------------------
    Nikolay Semov
    ------------------------------