ScreenOS Firewalls (NOT SRX)
Posts: 8
Registered: ‎11-29-2010
0 Kudos

NS5200 can't monitor interfaces if the interfaces have sub-interfaces

Hi all,

Can someone help me? The NS5200 can't monitor some interfaces if the interfaces have sub-interfaces. Can I use some command to find out the OID for the sub-interfaces?

Distinguished Expert
Posts: 4,121
Registered: ‎03-30-2009
0 Kudos

Re: NS5200 can't monitor interfaces if the interfaces have sub-interfaces

See this previous discussion. The answer is that on ASIC-based platforms you can't. On CPU flow platforms you can get the OID from the NetScreen MIB. I can't find the spec architecture, but I believe the NS series have the ASIC.


I asked JTAC and this is the response I got:

The RFC MIBs will respond back with hardware counter statistics that will correlate to a GET COUNTER STAT command. The Netscreen Private MIBS will return Flow statistics. The flow counters will only show traffic that passed the CPU. On an ASIC based system such as the ISG-1000 this will cause a difference in the numbers as most traffic will not pass through the CPU but be processed by the ASIC. Traffic that would pass by the CPU would be first packets, ICMP traffic, ALG traffic such as SQL H323, or packets needing fragmentation. The Netscreen MIB counters should match the GET COUNTER FLOW statistics.

As the SSG5 does not use an ASIC chip all traffic would pass by the CPU and the numbers would not match as you noted.


So everything is actually working as intended...

... and there's no way to monitor subinterface traffic on aggregate interfaces on ASIC platforms. 

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7