Routing

CGNAT Syslog

2 weeks ago

Hi, I set up sending NAT event logs to an external server; here is my config:

service-set NAT {
    syslog {
        host 1.1.1.1 {
            services any;
            class {
                session-logs {
                    open;
                }
                nat-logs;
            }
            source-address 172.31.255.1;
        }
    }
    nat-rules FIRST_RULE;
    next-hop-service {
        inside-service-interface ms-0/2/0.4090;
        outside-service-interface ms-0/2/0.4091;
    }
}

but on the server I see only a few messages in 15 minutes, while the output of the command shows a lot more messages:

Interface: ms-0/2/0
  Service-set: NAT
    Host: 1.1.1.1
      Sent: 1106614
      Dropped: 868159
      Session open logs:
        Sent: 694117
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      Session close logs:
        Sent: 0
        Dropped: 692504 (low priority: 0, none severity: 0, no class set: 692504, above rate limit: 0)
      Packet logs:
        Sent: 0
        Dropped: 175655 (low priority: 0, none severity: 0, no class set: 175655, above rate limit: 0)
      Stateful firewall logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      ALG logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      NAT logs:
        Sent: 412497
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      IDS logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      PCP MAP logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      PCP protocol logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      PCP protocol error logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      PCP debug logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      HA open sync logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      HA close sync logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      DET_NAT_CONFIG logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      URL Filtering logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      Other logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)


test@TEST> show configuration interfaces ms-0/2/0 
unit 0 {
    family inet {
        address 172.31.255.1/32;
    }
}

What am I doing wrong?
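
How to read those counters, as an added example that is not part of the original post: the script below parses the service-set syslog statistics output quoted above (the counters are copied from the post, trimmed to the classes that carry non-zero values plus one all-zero class), checks that the host-level Sent/Dropped equal the sums over the classes, groups the drops by reason, lists the classes that never leave the router at all, and computes how much of what the router reports as sent never reached the collector. The function names and the `Counter` dataclass are my own, not a Junos tool. The "no class set" drops are the session-close and packet logs, which are not enabled under `class` in the posted config (the config enables `session-logs open` and `nat-logs` only), so they are expected and are never put on the wire; "above rate limit" is the router's own limiter and is zero here. The loss figure uses the thread's "about 20 messages" number and assumes it covers the same window as the counters, which the post does not say.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the counters posted in the thread, trimmed to the
# classes with non-zero values plus one all-zero class.
SAMPLE_STATS = """\
Interface: ms-0/2/0
  Service-set: NAT
    Host: 1.1.1.1
      Sent: 1106614
      Dropped: 868159
      Session open logs:
        Sent: 694117
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      Session close logs:
        Sent: 0
        Dropped: 692504 (low priority: 0, none severity: 0, no class set: 692504, above rate limit: 0)
      Packet logs:
        Sent: 0
        Dropped: 175655 (low priority: 0, none severity: 0, no class set: 175655, above rate limit: 0)
      Stateful firewall logs:
        Sent: 0
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
      NAT logs:
        Sent: 412497
        Dropped: 0 (low priority: 0, none severity: 0, no class set: 0, above rate limit: 0)
"""

HOST_RE = re.compile(r"^\s+Host:\s+(?P<host>\S+)\s*$")
CLASS_RE = re.compile(r"^\s+(?P<name>[A-Za-z_][A-Za-z_ ]* logs):\s*$")
SENT_RE = re.compile(r"^\s+Sent:\s+(?P<n>\d+)\s*$")
DROP_RE = re.compile(r"^\s+Dropped:\s+(?P<n>\d+)(?:\s+\((?P<reasons>[^)]*)\))?\s*$")


@dataclass
class Counter:
    """Sent/Dropped pair plus the per-reason breakdown of the drops."""
    sent: int = 0
    dropped: int = 0
    reasons: dict = field(default_factory=dict)


def parse_syslog_stats(text):
    """Return {host: {"_total": Counter, "<class> logs": Counter, ...}}.
    The Sent/Dropped lines directly under 'Host:' are the host totals;
    every following '<name> logs:' header opens a per-class block."""
    result = {}
    host = None
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("host")
            result[host] = {"_total": Counter()}
            current = result[host]["_total"]
            continue
        m = CLASS_RE.match(line)
        if m and host is not None:
            current = result[host].setdefault(m.group("name"), Counter())
            continue
        m = SENT_RE.match(line)
        if m and current is not None:
            current.sent = int(m.group("n"))
            continue
        m = DROP_RE.match(line)
        if m and current is not None:
            current.dropped = int(m.group("n"))
            if m.group("reasons"):
                # "low priority: 0, none severity: 0, no class set: 692504, ..."
                for item in m.group("reasons").split(","):
                    key, _, val = item.strip().rpartition(": ")
                    current.reasons[key] = int(val)
    return result


def consistency_check(per_host):
    """Host totals must equal the sums over classes; otherwise a class was
    missed by the parser (or the output was truncated)."""
    total = per_host["_total"]
    classes = [c for k, c in per_host.items() if k != "_total"]
    return (sum(c.sent for c in classes) == total.sent
            and sum(c.dropped for c in classes) == total.dropped)


def drops_by_reason(per_host):
    """Aggregate the per-class drop reasons across all classes."""
    out = {}
    for name, c in per_host.items():
        if name == "_total":
            continue
        for reason, n in c.reasons.items():
            out[reason] = out.get(reason, 0) + n
    return out


def classes_never_leaving_router(per_host):
    """Classes whose every log was dropped as 'no class set': they are not
    enabled under the service-set's 'syslog host ... class' stanza, so their
    absence on the collector is configuration, not transport loss."""
    return sorted(name for name, c in per_host.items()
                  if name != "_total" and c.dropped
                  and c.reasons.get("no class set", 0) == c.dropped)


def downstream_loss(router_sent, collector_received):
    """Fraction of messages the router counts as sent that the collector never
    saw. Anything lost here was lost after the MX: on the path or on the
    collector itself, never in these counters."""
    if router_sent == 0:
        return 0.0
    return 1.0 - collector_received / router_sent


if __name__ == "__main__":
    stats = parse_syslog_stats(SAMPLE_STATS)["1.1.1.1"]
    print("totals consistent:", consistency_check(stats))
    print("drops by reason:", drops_by_reason(stats))
    print("never sent (class not enabled):", classes_never_leaving_router(stats))
    # "about 20 messages" per the thread vs 1.1M reported sent (window assumed equal)
    print("downstream loss: %.5f" % downstream_loss(stats["_total"].sent, 20))
```

Reading the result: the router genuinely emitted about 1.1 million messages (session-open plus NAT logs), so a collector that sees a few dozen is losing them between the MX and the collector's syslog daemon, not in the service set. If session-close logs are wanted as well, they have to be enabled with `close` next to `open` under `session-logs`; that will roughly double the volume and should be sized into whatever sits in the path.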


Re: CGNAT Syslog

2 weeks ago

Hello,

Is 1.1.1.1 the actual address You are using in Your network for the CGNAT syslog server, or is it an attempt to sanitize the config?

If the former, then it is a bad choice because it belongs to Cloudflare's public DNS server.

So, if You are running a full table and have also configured 1.1.1.1 somewhere in Your network, then You are bumping into the well-known duplicate IP problem, where all sorts of weird things can happen.

HTH

Thx

Alex 

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: CGNAT Syslog

a week ago

@aarseniev wrote:

Is 1.1.1.1 the actual address You are using in Your network for the CGNAT syslog server, or is it an attempt to sanitize the config?

Of course not. I replaced my real address to hide it.


Re: CGNAT Syslog

a week ago

For the whole night there were only about 20 messages on the syslog server, while there are 400 subscribers on the BRAS.

Re: CGNAT Syslog

a week ago

Solution, accepted by topic author xamza1412

Hello,

@xamza1412 wrote:

Of course not. I replaced my real address to hide it.

Ok fine.

Is there a firewall between the MX and the syslog server? If yes, have You checked it for alleged "UDP flood attack" events coming from src IP 172.31.255.1 and disabled UDP flood detection for the 172.31.255.1 address?

HTH

Thx

Alex
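
A collector-side way to test the firewall hypothesis above, added here and not part of the reply: bind a UDP socket where the MX's syslog arrives (or point a second `syslog host` at a spare port), record arrival time and source of every datagram, bucket the ones from the service-set's `source-address` 172.31.255.1 per second, and look for the burst-then-silence pattern a UDP-flood throttle typically leaves behind. The sample arrivals below are constructed (100 datagrams/s for 3 s, 30 s of nothing, then 3 more seconds of traffic, plus one stray datagram from another host); the function names, the 10-second gap threshold and the flood-throttle interpretation are my assumptions, and the firewall's own event log remains the authoritative check.

```python
import socket
import time
from collections import Counter

ROUTER_SRC = "172.31.255.1"  # source-address of the service-set syslog in the thread


def bucket_arrivals(arrivals, src=ROUTER_SRC):
    """arrivals: iterable of (unix_timestamp, source_ip).
    Returns Counter {second: datagrams} for traffic from `src` only."""
    per_sec = Counter()
    for ts, ip in arrivals:
        if ip == src:
            per_sec[int(ts)] += 1
    return per_sec


def silences(per_sec, min_gap):
    """Gaps of at least `min_gap` consecutive empty seconds between two busy
    seconds, as [(first_empty_sec, last_empty_sec)]. A steady log stream that
    arrives as bursts separated by such gaps is what a stateful firewall's
    UDP-flood throttle usually produces (assumption; confirm in its own log)."""
    busy = sorted(per_sec)
    gaps = []
    for a, b in zip(busy, busy[1:]):
        if b - a - 1 >= min_gap:
            gaps.append((a + 1, b - 1))
    return gaps


def peak_rate(per_sec):
    """Highest datagrams-per-second seen; compare with the firewall's flood threshold."""
    return max(per_sec.values(), default=0)


def summarize(arrivals, router_sent=None, src=ROUTER_SRC):
    """Received count, peak rate, silences, and (if the router's Sent counter
    for the same window is known) the fraction lost between MX and collector."""
    per_sec = bucket_arrivals(arrivals, src)
    received = sum(per_sec.values())
    out = {
        "received": received,
        "peak_per_sec": peak_rate(per_sec),
        "silences": silences(per_sec, min_gap=10),
    }
    if router_sent:
        out["loss_fraction"] = 1.0 - received / router_sent
    return out


def capture(port=5514, seconds=60):
    """Receive UDP syslog for `seconds` and return [(ts, src_ip)]. Port 514
    needs root and is usually held by the real collector; use a spare port
    and add a second `syslog host` on the MX that points at it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(1.0)
    arrivals = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            _, (ip, _port) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        arrivals.append((time.time(), ip))
    sock.close()
    return arrivals


# Constructed sample: 100 datagrams/s for seconds 0-2 and 33-35 from the MX,
# plus one unrelated datagram from another host that must be ignored.
SAMPLE_ARRIVALS = [(sec + i / 100, ROUTER_SRC)
                   for sec in (0, 1, 2, 33, 34, 35) for i in range(100)]
SAMPLE_ARRIVALS.append((1.5, "10.0.0.9"))

if __name__ == "__main__":
    # Replace SAMPLE_ARRIVALS with capture() on a real collector.
    print(summarize(SAMPLE_ARRIVALS, router_sent=1000))
```

If the capture on the collector shows the same bursts and gaps that the firewall logs as "UDP flood" for 172.31.255.1, the fix is the one in the reply: exempt that source from flood detection (or raise its threshold above the peak rate the script reports). If the capture instead shows a steady stream, the loss is inside the collector and its own queue and rate settings are the next thing to look at.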

Re: CGNAT Syslog

a week ago

@aarseniev wrote:

Is there a firewall between the MX and the syslog server? If yes, have You checked it for alleged "UDP flood attack" events coming from src IP 172.31.255.1 and disabled UDP flood detection for the 172.31.255.1 address?

Oooo, my friend :) This is my blunder, the firewall. LOL