SRX Services Gateway

SRX300-series with routing-instance is not sending flow-related syslog

08-24-2020 12:52 AM

Hi,

I have an SRX300, configured the same way as older SRX 2XX devices. The major difference is that this one is running the newer Junos version.

The syslog server is hosted remotely. The controller logs from the platform are showing up, but nothing related to the traffic.

I have a custom routing-instance that has the knowledge of the network.

There is forwarding (next-table) between the default instance and the custom vr. So the routing between them looks fine, both ways.

show configuration security log | display set
set security log mode stream
set security log format sd-syslog
set security log source-address 172.22.1.7
set security log stream JSA format sd-syslog
set security log stream JSA category all
set security log stream JSA host 172.25.2.1
set security log stream JSA host port 514
set security log stream JSA host routing-instance client_VR
Any good ideas on basic stuff I missed? Or any ideas for troubleshooting?

I can see these logs at the JSA (checking via tcpdump):

set system syslog user * any emergency
set system syslog host 172.25.2.1 any any
set system syslog host 172.25.2.1 match "!.(Failed to connect to the server after 0 retries)|(!.*Time since last watchdog strob.*)"
set system syslog host 172.25.2.1 structured-data
Thanks in advance!

//Rob


Re: SRX300-series with routing-instance is not sending flow-related syslog

08-25-2020 02:45 AM

Some recommendations:

Make sure logs are being forwarded through revenue (transit) interfaces and not via the management fxp0 interface.

Make sure your security policies are configured with at least log at session close, but logging at session init is a plus.

The syslog-related traffic is usually sourced from the master routing instance of the firewall. So, if the syslog server is not reachable via the master instance, but only reachable via an interface on the custom VR, there has to be a static route configured in the master instance with the destination belonging to the syslog server, using the next table of the custom VR (e.g. custom-vr.inet.0).

This config (set security log stream JSA host routing-instance client_VR) might not be required. As stated earlier, syslog traffic has to be sourced from the master instance, although the source of syslog traffic can be a transit interface on the custom VR.

Verify end-to-end reachability between the firewall and the syslog server. If there is any intermediate firewall in the path, ensure that syslog communication is allowed.

Just to confirm: the source address (172.22.1.7) belongs to a transit interface on the custom VR, correct?


Kudos are always appreciated. Please mark the solution as accepted if it helps solve your issue.
Thanks,
B

Re: SRX300-series with routing-instance is not sending flow-related syslog

08-25-2020 02:50 AM

If the above doesn't help, please share the output of the show route 172.22.1.7 | no-more command from the firewall.

Kudos are always appreciated. Please mark the solution as accepted if it helps solve your issue.
Thanks,
B
Solution
Accepted by topic author R_J
08-31-2020 01:25 AM

Re: SRX300-series with routing-instance is not sending flow-related syslog

08-26-2020 12:55 AM

Hello Rob,


I would suggest you follow the checks below to resolve this issue.


  1. If ping is allowed on your syslog server, test the reachability of the server from the SRX's routing instance, e.g. user@host> ping 172.25.2.1 routing-instance client_VR
  2. Check the routing table and forwarding table to determine whether the routes are active, e.g. user@host> show route 172.25.2.1 and user@host> show route forwarding-table 172.25.2.1
  3. Please note that only for the security policies which were configured with session-init or session-close or both will the streams be generated and sent out to your server. Check whether you have configured the logging under the security policy.
  4. If the logging is configured under the security policy, check in the security flow sessions whether traffic is hitting that policy where we have configured the logging.
  5. I assume you haven't configured any firewall filter in the outbound direction blocking port 514 on the loopback or the egress interface.
  6. Finally, if all of the above are properly set, then I would suggest you configure packet captures on the SRX to determine whether the stream logs are sent out. Follow this link for configuring PCAP: https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709&actp=METADATA
  7. If you are seeing the SRX sending the logs out, then the problem resides with a next-hop device or the syslog server itself.
  8. If you don't see the SRX sending the logs out in the packet captures, just deactivate and activate the security logs once.

e.g.

user@host# deactivate security log
user@host# commit
user@host# activate security log
user@host# commit

Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
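An added configuration example, not from any of the posters, that puts together B's advice (static route in the master instance via next-table, policy logging at session-close/session-init) and steps 1 to 4 of the accepted answer. The collector and VR names are taken from the thread; the zone names trust/untrust and the policy name allow-out are assumptions.

```junos
## Added example, not the thread authors' config. Addresses and the VR name
## (172.25.2.1 = JSA collector, client_VR) come from the thread; zones and
## the policy name allow-out are assumed.

## Stream syslog is sourced from the master instance (inet.0). If the collector
## is only reachable inside client_VR, give inet.0 a route that hands the
## packet to the custom VR's table, as B describes.
set routing-options static route 172.25.2.1/32 next-table client_VR.inet.0

## Flow logs (RT_FLOW_SESSION_*) are only generated by policies that log.
## session-close is the minimum; session-init additionally logs the open event.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-init
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

## Verification after commit (configuration mode, hence "run"):
## step 1: reachability from the VR that owns the collector's subnet
## run ping 172.25.2.1 routing-instance client_VR
## step 2: the route in the master instance must resolve, and the
##         forwarding table must show it pointing at client_VR.inet.0
## run show route 172.25.2.1
## run show route forwarding-table destination 172.25.2.1
## step 4: transit sessions must show "Policy name: allow-out" in their entries
## run show security flow session
```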

Re: SRX300-series with routing-instance is not sending flow-related syslog

08-31-2020 01:24 AM

Hi,

Thanks for the troubleshooting-lineup.

The last step solved it (!!!!!), so I did a deactivate security log, then commit confirmed 1.

The log started to flow from the box as expected.


...so much time spent on solving this, and it came down to that!

Thanks!

//Rob
