Routing

  • 1.  MX not sending SYSLOG to STRM

    Posted 12-03-2016 09:12

    Please excuse my ignorance but I've never configured an MX before and haven't even had any class on it - if you know a good video/text that would be great.

     

    I've inherited an MX104 in our lab and tried to setup syslog to get it back to our SIEM. Basic config is

    MGMT interfaces
    
    SIEM: x.x.255.220
    SRX:  x.x.255.250
    SRX:ge-9 192.168.2.2/30
    set interfaces ge-2/0/9 description "Link to MX for SYSLOG"
    set interfaces ge-2/0/9 unit 0 family inet address 192.168.2.2/30

    MX:ge-9 192.168.2.1/30
    set interfaces ge-0/1/9 description "Link to SRX for SYSLOG"
    set interfaces ge-0/1/9 unit 0 family inet address 192.168.2.1/30

    So you can see (I hope) the connection between the SRX and the MX is via /30 network.

     

     

    NOTE: I do have a filter setup on MX output so that just source/destination/udp/514 is allowed out and I turned on ICMP for testing. There is also an input filter on SRX side.

     

    Now I have the SRX and other devices correctly sending syslog messages to the SIEM but the same configuration doesn't seem to work on the MX. Guessing that's due to the nature of what the MX is so it needs more steps?

     

    The basic syslog config from the MX (from memory so if syntax is a bit off sorry):

    set system syslog host 192.168.2.2 any any

    NOTE: there is also file syslog setup but they seem to work

    If I force an interface up/down I see the syslog message on the terminal (user any is enabled) but I don't see it on the SRX.

     

     

    When I look at the interface on the MX, I don't see any packets attempting to leave and obviously don't see any packets getting to the interface on the SRX.

     

    When I attempt to ping from SRX to MX, I get timeouts but if I look at the interface on SRX I see the packet count going up and my filter counter (the temp one for ICMP) does go up. When I look at the interface on the MX I see the packet getting to the interface so I have to assume that the reply is not making it out of the MX.

     

    This is confirmed by pinging from MX to SRX and I do see the counter on my filter on the MX going up but there is no packet hitting the interface and I receive the message OPERATION NOT PERMITTED.

     

    Given this, I have to assume that I have something missing on the MX configuration but I don't know what it is and again, since I've never looked at one nor configured one, I'm not sure where to look.

     

    Searching for SENDING SYSLOG FROM MX TO EXTERNAL HOST yields basic configurations which I already have but gives no indication of settings necessary on the interface which is what I'm guessing is wrong.

     

    Again, sorry for my lack of understanding here but this is my first exposure to the MX series; everything else has been SRX/EX and thanks for any help you can provide.



  • 2.  RE: MX not sending SYSLOG to STRM

    Posted 12-03-2016 11:17

    Hello,

     


    @AlfonsoDeMusser wrote:

     

     

    I've inherited an MX104 in our lab and tried to setup syslog to get it back to our SIEM. Basic config is

    MGMT interfaces
    
    SIEM: x.x.255.220
    SRX:  x.x.255.250
    SRX:ge-9 192.168.2.2/30
    set interfaces ge-2/0/9 description "Link to MX for SYSLOG"
    set interfaces ge-2/0/9 unit 0 family inet address 192.168.2.2/30

    MX:ge-9 192.168.2.1/30
    set interfaces ge-0/1/9 description "Link to SRX for SYSLOG"
    set interfaces ge-0/1/9 unit 0 family inet address 192.168.2.1/30

     

    <skip>

     

    The basic syslog config from the MX (from memory so if syntax is a bit off sorry):

    set system syslog host 192.168.2.2 any any

    NOTE: there is also file syslog setup but they seem to work

     


    You are sending the MX syslog to SRX itself, not to STRM.

    If You change 192.168.2.2 to actual STRM IP _AND_ make sure MX knows a route to actual STRM IP, then You should see the MX syslog arriving at STRM.

    HTH

    Thx

    Alex



  • 3.  RE: MX not sending SYSLOG to STRM

    Posted 12-05-2016 03:00

    @aarseniev wrote:

    The basic syslog config from the MX (from memory so if syntax is a bit off sorry):

    set system syslog host 192.168.2.2 any any

    NOTE: there is also file syslog setup but they seem to work

     


    You are sending the MX syslog to SRX itself, not to STRM.

    If You change 192.168.2.2 to actual STRM IP _AND_ make sure MX knows a route to actual STRM IP, then You should see the MX syslog arriving at STRM.

    HTH

    Thx

    Alex


     Alex you are correct. I have a routing instance created in the SRX that takes all the syslog from all the devices in my network and routes it to the STRM. I'm quite confident that if the syslog message would get to the SRX, that it would be routed properly. Also trying to create a route in the MX to let it know how to get to the STRM on the ..255 network, would require it to go to the SRX anyway as there is no direct connection between the two networks.

     

    The fact that I do not see any packets hitting the interface leaving the MX is the issue and having the separate 172/30 network between the MX and SRX requires that no matter what, the message needs to go through the SRX to get to the STRM on the x.x.255 network.

     

    I'm guessing that it's the OPERATION NOT PERMITTED error when I try to ping out the interface from the MX to the SRX that I need to resolve but I don't know how. I'm thinking that if I get that solved, the packet would at least leave the MX and then it's just a routing issue.

     

     



  • 4.  RE: MX not sending SYSLOG to STRM

    Posted 12-05-2016 05:19

    Why are you sending syslog messages to SRX instead of the STRM directly? Like aarseniev said, change that IP to the STRM IP.



  • 5.  RE: MX not sending SYSLOG to STRM

    Posted 12-05-2016 05:23

    Hello,

     


    @AlfonsoDeMusser wrote:

    I'm quite confident that if the syslog message would get to the SRX, that it would be routed properly.

     

     


    If You are targeting the SRX IP as syslog destination, then no, it won't. SRX would drop such packet as udp port 514 is not opened externally on SRX.

    You need to change the MX syslog destination to actual STRM IP and verify reachability from MX to that IP to make Your MX syslog to arrive at STRM. 

    Or configure destination NAT on SRX for 192.168.2.2 UDP/514.

    HTH

    Thx

    Alex



  • 6.  RE: MX not sending SYSLOG to STRM

    Posted 12-05-2016 08:20

    While I respect your knowledge and opinion that it won't work, I've not done an adequate job of telling you why it will. I have other EX devices that route their syslog message to the STRM via the SRX as well. There are the appropriate firewall filters on the SRX interfaces to check source/destination IP and UDP/514 and then use the routing instance that is setup to route to the STRM. They all work perfectly fine. Again, the reason is there isn't a direct connection between the two networks (172.x.x.x to 192.x.x.x) so the SRX handles that. We also have a second syslog capture setup on a VM running in the 192 network which is why the routing instance is setup. It sends to both destinations. If I've still confused you, I apologize. If you still really want me to send it to the STRM, I can create all the routes in the MX to tell it that the route to the STRM is through the same interface I'm trying to use now (ge-0/1/9) which is directly connected to the SRX. This still doesn't explain why the packet counter on the MX interface isn't increasing.

     

    In troubleshooting the problem, I do not even see the ping packet (or any packet) hitting the interface on the MX (looking at the counters from show interface ge-0/1/9) when I try to ping from the MX to the SRX. That is where I get the OPERATION NOT PERMITTED error.

     

    BUT, when I ping from the SRX to the MX, I DO see the packet hit the interface on the MX. So that tells me that there is a configuration issue on the MX that is preventing ANY packet from getting to the interface leaving the MX heading to the SRX.

     

    Again, given that I've never had to configure an MX before, I'm treating it like a standard SRX and I think that is incorrect but I don't know what I'm missing. I tried putting input/output firewall filters on the MX interface and put counters on them as well but they don't see any traffic either.

     

    Are you required to setup service-sets on the MX and apply those similar to firewall filters on the SRX? If so, is there a simple syslog config to use?



  • 7.  RE: MX not sending SYSLOG to STRM
    Best Answer

    Posted 12-08-2016 08:20

    Just to close the issue out, finally got it working.

     

    What I did originally was setup a routing-instance that had the static route to the 192.168 network via the 0/1/9 interface. Then the firewall rule which was looking for and allowing the SYSLOG messages out of the MX was "then routing-instance OUT_SYSLOG". That apparently doesn't work the same as it does on an SRX.

     

    What I ended up doing was change the firewall filter to a simple accept and then created a static route globally for the 192.168 using the 0/1/9 interface. Once that was done, the SYSLOG messages started showing up on the SIEM - yeah!

     

    Now it's just tuning and setting up the baseline.

     

    Thanks for the assist!!!
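
The change described in the last post, written out as Junos set commands. This is an added example, not configuration posted in the thread: the filter name SYSLOG-OUT, the term and counter names, the instance type, and the `<DEST-PREFIX>` and `<SRX-NEXT-HOP>` placeholders are assumptions; OUT_SYSLOG and ge-0/1/9 come from the posts.

```junos
# Constructed sketch; names other than OUT_SYSLOG and ge-0/1/9 are assumptions.
# <DEST-PREFIX>  = the network the syslog destination lives on (placeholder)
# <SRX-NEXT-HOP> = the SRX address on the MX-SRX link (placeholder)

# --- Before: output filter hands matching syslog to a routing instance ---
set routing-instances OUT_SYSLOG instance-type forwarding
set routing-instances OUT_SYSLOG routing-options static route <DEST-PREFIX> next-hop <SRX-NEXT-HOP>
set firewall family inet filter SYSLOG-OUT term syslog from protocol udp
set firewall family inet filter SYSLOG-OUT term syslog from destination-port 514
set firewall family inet filter SYSLOG-OUT term syslog then routing-instance OUT_SYSLOG
set interfaces ge-0/1/9 unit 0 family inet filter output SYSLOG-OUT

# --- After: plain accept in the filter, static route in the global table ---
delete firewall family inet filter SYSLOG-OUT term syslog then routing-instance
set firewall family inet filter SYSLOG-OUT term syslog then count syslog-out
set firewall family inet filter SYSLOG-OUT term syslog then accept
set routing-options static route <DEST-PREFIX> next-hop <SRX-NEXT-HOP>

# --- Checks from operational mode after commit ---
# show route <DEST-PREFIX>               (static route present in inet.0)
# show firewall filter SYSLOG-OUT        (syslog-out counter increments)
# show interfaces ge-0/1/9 extensive     (output packet counters increase)
```

Keeping the `count` action in the accept term gives a counter to watch while generating a test event such as an interface up/down, which is the same check the original poster used during troubleshooting.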