SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SNMP query issues on SRX 3600

    Posted 10-10-2012 01:21

    We have a pair of clustered SRX3600s that are not responding to SNMP queries (snmpget and/or snmpwalk), attempted using both v1 and v2c. The error returned is a timeout.

    We are using a dedicated reth interface (with 2 x 10GE) for in-band management, and that interface is configured in its own security zone with host inbound services configured and enabled (e.g. https, ssh, snmp, ping, etc.).

    A specific static route is used to route back to the SNMP manager, which is off on a remote IP subnet. We have a routing instance set up and the zone is also set up correctly within the routing instance.

    It continues to report a timeout error when trying to SNMP query the SRX3600s. We also experience a similar (if not the same) issue on another pair of clustered SRX3600s.

    When I see the session flow, I see that the return traffic packet counters are not incrementing. It's as if the traffic is bidirectional. We are using Junos 11.4R3.7.

    Any hint or help would be really appreciated. Thanks!

    I can provide some output, config, etc. if required.

     



  • 2.  RE: SNMP query issues on SRX 3600

    Posted 10-10-2012 01:24

    Below is some output:

    Session ID: 160400890, Policy name: XXXX, State: Active, Timeout: 54, Valid
      In: 172.21.62.115/59918 --> 172.25.227.191/161;udp, If: reth2.0, Pkts: 3, Bytes: 225
      Out: 172.25.227.191/161 --> 172.21.62.115/59918;udp, If: .local..5, Pkts: 0, Bytes: 0

    Oct 10 10:51:08 10:51:07.1147817:CID-01:FPC-08:PIC-00:THREAD_ID-31:RT:nsp:0x3a943d28, 172.21.62.115/56387 -> 172.25.227.191/161:17,
     If: reth2.0, nsp-flag: 0x21 tok: 0x5013, nh:0x0
    Oct 10 10:51:08 10:51:07.1147870:CID-01:FPC-08:PIC-00:THREAD_ID-31:RT:nsp:0x3a943dac, 172.25.227.191/161 ->  172.21.62.115/56387:17,
     If: .local..5, nsp-flag: 0x10 tok: 0x5002, nh:0xfffb0006
    Oct 10 10:51:08 10:51:07.1147943:CID-01:FPC-08:PIC-00:THREAD_ID-31:RT:  make_nsp_ready_no_resolve()
    Oct 10 10:51:08 10:51:07.1147967:CID-01:FPC-08:PIC-00:THREAD_ID-31:RT:  route lookup: dest-ip 172.21.62.115 orig ifp reth2.0 output_ifp reth2.0 orig-zone 19 out-zone 19 vsd 1
    Oct 10 10:57:52 10:57:51.1181104:CID-01:FPC-08:PIC-00:THREAD_ID-25:RT:  choose interface .local..5 as outgoing phy if
    No loop: ifp doesnt match .local..5 vs looked-up: reth0.1, addr: 172.25.227.191, rtt_idx: 5, addr_type:0x3



  • 3.  RE: SNMP query issues on SRX 3600

    Posted 10-11-2012 23:11

    Hi,

     

    The flow trace is incomplete. As you mentioned you are using routing instances, I hope you have taken care of the routing and community string properly. KB17774 explains authentication issues (community with routing instance).

    If you could provide the complete setup and flow trace, that would really help to solve the issue.



  • 4.  RE: SNMP query issues on SRX 3600

    Posted 10-14-2012 00:00

    Hi Pradeep,

     

    Thanks heaps for that pointer. I can tell you that I didn't use routing instances in my SNMP configuration. We are already monitoring the SRX via the mgmt (fxp) interfaces. However, we want to monitor via inband as well. Will use that KB link and see if it helps. Will let you know how I go with it.

     

    Regards,



  • 5.  RE: SNMP query issues on SRX 3600

    Posted 10-14-2012 19:44

    Hi Pradeep and Dark,

     

    Both your solutions helped me get it working. However, it only allowed me to choose one as the accepted solution, so I just did eenie-meenie stuff. :) Sorry if I hurt one of you. But I really appreciate your quick help.

    One more question, about the mgmt fxp0 interface. Can I SNMP to it from another subnet? Or does the SNMP manager have to be in the same subnet?

     

    Regards, Kishore



  • 6.  RE: SNMP query issues on SRX 3600

    Posted 10-17-2012 04:50

    Yes you can, but you will need to have another gateway that is not the SRX as it is designed to be an OOB network.

     

    Try setting: 

    set system backup-router <gateway_ip> destination <your_source_network>



  • 7.  RE: SNMP query issues on SRX 3600

    Posted 12-28-2012 22:06

    Thank you kindly. I will try and get back to you. I have just posted another question regarding the "commit at" command. If you think you can take a look, that will be great 🙂



  • 8.  RE: SNMP query issues on SRX 3600
    Best Answer

    Posted 10-12-2012 10:52

    Under the community you must specify the routing instance that the interface is bound to as well as the networks allowed to poll the interface. Under the SNMP stanza you must also specify routing-instance-access as well. Finally, when polling the SRX you must specify the VR you wish to poll preceding the community string, so readonly becomes default@readonly instead.

     

     

    See: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17775&actp=RSS
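
The three steps in the answer above, written out as an added example (not part of the original post or of the Juniper KB). `INBAND-VR` is a placeholder for the routing instance the reth interface is bound to; the community `readonly` comes from the answer, and the manager and SRX addresses are the ones in the session output earlier in the thread.

```junos
# On the SRX, in configuration mode. INBAND-VR is a placeholder routing-instance name.

# 1. Bind the community to the routing instance and restrict which hosts may poll it.
set snmp community readonly authorization read-only
set snmp community readonly routing-instance INBAND-VR clients 172.21.62.115/32

# 2. Allow SNMP requests that arrive through routing instances.
set snmp routing-instance-access
commit

# 3. On the SNMP manager (net-snmp): prefix the community with the instance name.
#    1.3.6.1.2.1.1.3.0 is sysUpTime.0.
snmpget -v2c -c INBAND-VR@readonly 172.25.227.191 1.3.6.1.2.1.1.3.0
```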



  • 9.  RE: SNMP query issues on SRX 3600

    Posted 10-13-2012 23:57

    Hi dark1587,

     

    Thanks heaps for your reply. I will try your advice tomorrow and get back to you. Appreciate your time with this.

    One other thing is that we are also monitoring the SRX via the mgmt as well (out of band). That's working absolutely fine.

    However, we would also like to monitor inband as well, which is the reth IP address, and hence this query.

     

    Regards,