ScreenOS Firewalls (NOT SRX)
Reply
Contributor
dcruz
Posts: 30
Registered: ‎03-04-2008
0
Accepted Solution

oid for subinterfaces

I'm trying to use Cacti to monitor several SSGs and an ISG, and I've come across an issue with subinterfaces on the ISG.

 

I created a host template here that works great for the SSG series. I can monitor VPN tunnels, subinterfaces, etc. However, when I try to apply the same template to the ISG, the values are all wrong. I notice that when I snmpwalk the ISG the interfaces only increment up to .7 (i.e. ifInOctets.1-7) when this device has at least 14 subinterfaces.

 

I've attached graphs between two interconnected interfaces on an ISG and an SSG. Traffic should be inversely mirrored on these graphs, but the ISG graph just seems to be all wrong. The SSGs are all running 6.1 and the ISG is running 6.0. Is there something different between the two hardware platforms or is the difference in the ScreenOS version or both that would be causing this?

Super Contributor
benjaminc
Posts: 181
Registered: ‎11-07-2007
0

Re: oid for subinterfaces

Hello,

 

Did you load the netscreen mibs? AFAIK we don't put sub interfaces in the normal enterprise mibs and you need to load the netscreen mibs to get these.

 

Thanks

 

Ben 

Contributor
dcruz
Posts: 30
Registered: ‎03-04-2008
0

Re: oid for subinterfaces

The script was calling the specific oids, but I went ahead and loaded the mibs anyway to verify.  I did a manual walk, but I still don't understand what these values are for.  Do these counters display bandwidth or something else?

 

Here is are the snippets of an interface when I did an snmpwalk. 

 

snmpwalk -v 2c -O n -c community 1.1.1.1 nsIfName
.1.3.6.1.4.1.3224.9.1.1.2.19 = STRING: aggregate1.14

 

snmpwalk -v 2c -c community 1.1.1.1 nsIfFlowInByte
NETSCREEN-INTERFACE-MIB::nsIfFlowInByte.19 = Counter32: 1321866481
 

snmpwalk -v 2c -O n -c community 1.1.1.1 nsIfFlowInByte
.1.3.6.1.4.1.3224.9.3.1.3.19 = Counter32: 1321866481



Contributor
dcruz
Posts: 30
Registered: ‎03-04-2008
0

Re: oid for subinterfaces

Wow. I asked JTAC and this is the response I got:

 

 

The RFC MIBs will respond back with hardware counter statistics that will correlate to a GET COUNTER STAT command. The Netscreen Private MIBS will return Flow statistics. The flow counters will only show traffic that passed the CPU. On an ASIC based system such as the ISG-1000 this will cause a difference in the numbers as most traffic will not pass through the CPU but be processed by the ASIC. Traffic that would pass by the CPU would be first packets, ICMP traffic, ALG traffic such as SQL H323, or packets needing fragmentation. The Netscreen MIB counters should match the GET COUNTER FLOW statistics.

As the SSG5 does not use an ASIC chip all traffic would pass by the CPU and the numbers would not match as you noted.

 

So everything is actually working as intended...

 

 

 

 

 

Contributor
dcruz
Posts: 30
Registered: ‎03-04-2008
0

Re: oid for subinterfaces

... and there's no way to monitor subinterface traffic on aggregate interfaces on ASIC platforms.
Regular Visitor
rpillon
Posts: 9
Registered: ‎09-29-2008
0

Re: oid for subinterfaces

Hi dcruz,

 

Is it possible to send me the case number by PM ?

I have the same issue for one of my customer and would like to ask for Enhancement and this feature.

 

Thanks

Contributor
skullbox
Posts: 13
Registered: ‎08-29-2010
0

Re: oid for subinterfaces

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.