SRX Services Gateway
show system statistics

‎07-30-2019 07:46 PM

Hi all,

 

1-) As you can see from the output of >show security flow statistics, there are dropped and fragment packets... How to verify these statistics with >show system statistics?

>show security flow statistics

Current sessions: 161
Packets forwarded: 674569471
Packets dropped: 4512166 ===========>
Fragment packets: 45320533 ==========>

 

2-) >clear security flow statistics works. >clear system statistics is not working? How to clear system statistics?

3-) How to easily understand or check that the branch SRX's functionality or role is just router (Layer 3), not firewall (L7)?

Thanks,

Arix

Re: show system statistics

‎07-30-2019 08:25 PM

Hi Arix,

 

1) "show security flow statistics" are the statistics collected specific to the SPU whereas system statistics is at the device level to collect statistics of all the protocol traffic. https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-flo...

 

2) System statistics can be cleared only with a reboot of the device.

 

3) show security flow status -> Will help understand this. Packet mode indicates simple L3 forwarding.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30461

 

Hope this helps.

 

Thanks,
Pradeep

Re: show system statistics

‎07-30-2019 08:34 PM

Hello,

 

1. Sorry, I did not understand this point. "show system statistics" and "show security flow statistics" report different things. While "show security flow statistics" provides flow (session) statistics, "show system statistics" provides RE-bound stats.

 

3. As earlier mentioned you can use "show security flow status" to check whether SRX is working in packet mode or flow mode

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30461

 

Please take note that flow mode does not necessarily mean L7 services are in use. It only means firewalling services are active.

 

Regards,

 

Vikas

Re: show system statistics

‎07-31-2019 08:59 PM

Hi,

I understand that it is in packet flow mode.... But based on your replies, what to say about the following current configuration on the device relating to iso, ipsec-vpn and gre-in? Do these need to be deleted? Or how to double check they are not being used on the security module on the SRX?

Re: show system statistics

‎07-31-2019 09:16 PM

Hello,

 

Family iso would be needed if you are using IS-IS
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/iso-address.html

 

The remaining two configurations are to adjust the MSS values within IPSEC and GRE tunnels.

 

If you are using none of the above you can delete them.

show configuration security ipsec
show configuration | display set | match "gr|iso"

 

I hope this helps. Regards,

 

Vikas

Re: show system statistics

‎08-01-2019 03:42 AM

Hi Vikas, thanks for the response...

1-) Just checked and there is no IS-IS routing configuration, but there is only one statement as below. Should it be deleted or?
650srx> show configuration | display set | match iso
set security forwarding-options family iso mode packet-based

 

2-) There is no IKE or IPsec configuration under the security stanza... And also I checked the following... nothing coming up...

show security ike security-associations
show security ipsec security-associations

So are the following statements ready to be deleted or? Just a little bit concerned about whether gre is related to the gr-0/0/0 virtual interface?

set security flow tcp-mss ipsec-vpn
set security flow tcp-mss gre-in mss 1360
set security flow tcp-mss gre-out

 

 

650srx> show configuration interfaces gr-0/0/0 | display set
set interfaces gr-0/0/0 description tunnel_5"
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.110.145.5
set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.25.17
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 1380
set interfaces gr-0/0/0 unit 0 family inet address 172.16.20.5/30

650srx> show interfaces terse | match gr
gr-0/0/0 up up
gr-0/0/0.0 up up inet 172.16.20.5/30
gre up up

 

3-) 650srx> show configuration interfaces st0 | display set ----->there is no st0 config, but it is up up as shown below. Should it be administratively down? I mean "down down", as it is not being used?

650srx> show interfaces terse | match st0
st0 up up

650srx> show interfaces terse | match st
st0 up up

650srx> show interfaces st0 extensive ------------->there is no traffic either....
Physical interface: st0, Enabled, Physical link is Up
Interface index: 134, SNMP ifIndex: 503, Generation: 137
Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192, Speed: Unspecified
Hold-times : Up 0 ms, Down 0 ms
Device flags : Present Running
Interface flags: Point-To-Point
Statistics last cleared: Never
Traffic statistics:
Input bytes : 0 0 bps
Output bytes : 0 0 bps
Input packets: 0 0 pps
Output packets: 0 0 pps

650srx>

Re: show system statistics

‎08-01-2019 04:42 AM
Hi,
That being the case, I would leave that config in there. This is not service impacting.
You may also want to check statistics on the gr interface - show interfaces gr-0/0/0 extensive
Regards,
Vikas
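
The cross-check discussed in this thread (is IS-IS, IPsec or GRE actually configured before the iso and tcp-mss statements are removed?) can be run offline against saved "show configuration | display set" output. This is an added example, not part of any post in the thread; the audit function, the pattern table and the sample text are assumptions, with the sample constructed from set lines quoted above.

```python
import re

# Constructed sample: set-format lines copied from the statements quoted in the thread.
SAMPLE_CONFIG = """\
set security forwarding-options family iso mode packet-based
set security flow tcp-mss ipsec-vpn
set security flow tcp-mss gre-in mss 1360
set security flow tcp-mss gre-out
set interfaces gr-0/0/0 unit 0 tunnel source 10.110.145.5
set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.25.17
set interfaces gr-0/0/0 unit 0 family inet mtu 1380
set interfaces gr-0/0/0 unit 0 family inet address 172.16.20.5/30
"""

# Hypothetical mapping: each helper statement -> patterns showing that the
# feature it supports is configured somewhere else in the configuration.
CHECKS = {
    "security forwarding-options family iso": [
        r"^set protocols isis\b",
        r"^set interfaces \S+ unit \d+ family iso\b",
    ],
    "security flow tcp-mss ipsec-vpn": [
        r"^set security (ike|ipsec)\b",
        r"^set interfaces st0 unit \d+\b",
    ],
    "security flow tcp-mss gre-in": [r"^set interfaces gr-\S+ unit \d+ tunnel\b"],
    "security flow tcp-mss gre-out": [r"^set interfaces gr-\S+ unit \d+ tunnel\b"],
}

def audit(config_text):
    """Return {statement: True | False | None}.
    True  = statement present and its feature is configured,
    False = statement present but nothing references the feature,
    None  = statement not in the configuration."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    result = {}
    for stmt, patterns in CHECKS.items():
        if not any(l.startswith("set " + stmt) for l in lines):
            result[stmt] = None
            continue
        result[stmt] = any(re.search(p, l) for p in patterns for l in lines)
    return result

if __name__ == "__main__":
    labels = {True: "in use", False: "no matching feature configured", None: "absent"}
    for stmt, used in audit(SAMPLE_CONFIG).items():
        print(f"{stmt}: {labels[used]}")
```

On the sample, the gre-in and gre-out statements come back as in use because gr-0/0/0 has a tunnel configured, while the iso and ipsec-vpn statements have no matching feature.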
