How to Check When a Failure Occurs¶
Operation confirmed on: vSRX version 15.1X49-D105.1, vSRX version 19.2R1.8, vSRX version 20.4R2
This section describes the logs and commands to check when a failure occurs in | new_vfirewall |. The procedure includes SNMP trap confirmation, so monitoring via the SNMP function must be configured in advance.
VRRP failure¶
VRRP switching occurs when a node restarts or when the keep-alive packets (VRRP advertisements, etc.) exchanged between the VRRP-operating firewalls stop arriving.
Output when the VRRP-functioning interface ge-0/0/1 unit 0 has been disabled:
# MASTER
user01@vSRX-03> show vrrp
VRRP is not running
# BACKUP
user01@vSRX-04> show vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/1.0 up 13 master Active A 0.356 lcl 192.168.33.104
vip 192.168.33.134
Output when the VRRP-functioning physical interface ge-0/0/1 has been disabled:
# MASTER
user01@vSRX-03> show vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/1.0 down 13 init Active N 0.000 lcl 192.168.33.103
vip 192.168.33.134
# BACKUP
user01@vSRX-04> show vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/1.0 up 13 master Active A 0.477 lcl 192.168.33.104
vip 192.168.33.134
Detailed output (show vrrp detail) on the BACKUP node in the state where the VRRP-functioning interface ge-0/0/1 has been disabled:
user01@vSRX-04> show vrrp detail
Physical interface: ge-0/0/1, Unit: 0, Address: 192.168.33.104/24
Index: 72, SNMP ifIndex: 520, VRRP-Traps: disabled, VRRP-Version: 2
Interface state: up, Group: 13, State: master, VRRP Mode: Active
Priority: 150, Advertisement interval: 1, Authentication type: none
Advertisement threshold: 3, Computed send rate: 0
Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.33.134
Advertisement Timer: 0.313s, Master router: 192.168.33.104
Virtual router uptime: 2w0d 01:43, Master router uptime: 00:00:31
Virtual Mac: 00:00:5e:00:01:0d
Tracking: disabled
user01@vSRX-04>
Syslog check: show log messages | match vrrp
Use this command to check VRRP-related syslog entries. The following syslog lines are output when the VRRP state shifts from BACKUP to MASTER:
user01@vSRX-04> show log messages | match vrrp
Nov 8 06:00:57 vrrpd_update_state_machine, ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 state: backup
Nov 8 06:00:57 vrrpd_ppmd_delete_adj : ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013
Nov 8 06:00:57 vrrp_fsm_update IFD: ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 event: master
Nov 8 06:00:57 vrrp_fsm_active: ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 state from: backup
Nov 8 06:00:57 vrrpd_set_state_in_kernel : vrrp_if ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013, state : 1, group : 13
Nov 8 06:00:57 vrrp_newmaster_trap: vrrp_if : ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 trap enabled : 0
Nov 8 06:00:57 VRRPD_NEW_MASTER: Interface ge-0/0/1.0 (local address 192.168.33.104) became VRRP master for group 13 with master reason masterNoResponse
Nov 8 06:00:57 vrrp_fsm_update_for_inherit IFD: ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 event: master
Nov 8 06:00:57 Signalled dcd (PID 1544) to reconfig
Nov 8 06:00:57 vrrpd_set_state_in_kernel : vrrp_if ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013, state : 1, group : 13
Nov 8 06:00:59 vrrpd_config_holddown_expiry:
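The VRRPD_NEW_MASTER line above is the one entry in that syslog burst that carries everything an operator needs (interface, local address, group and the master reason), so it is the natural thing to alert on. The following script is an added example, not part of this page or of Junos: it parses such lines out of a constructed log excerpt modelled on the output above and flags transitions whose reason is masterNoResponse (the master's advertisements stopped, i.e. an unplanned failover) separately from other reasons. The second VRRPD_NEW_MASTER line and its reason value "priority" are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample log excerpt, modelled on the "show log messages | match vrrp"
# output shown on this page. Only VRRPD_NEW_MASTER lines carry the fields we alert on;
# the remaining lines are vrrpd trace output and are skipped by the parser.
# The second VRRPD_NEW_MASTER line (group 14, reason "priority") is invented for illustration.
SAMPLE_LOG = """\
Nov  8 06:00:57 vrrpd_update_state_machine, ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 state: backup
Nov  8 06:00:57 vrrp_fsm_active: ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 state from: backup
Nov  8 06:00:57 VRRPD_NEW_MASTER: Interface ge-0/0/1.0 (local address 192.168.33.104) became VRRP master for group 13 with master reason masterNoResponse
Nov  8 06:00:57 Signalled dcd (PID 1544) to reconfig
Nov  8 06:02:10 VRRPD_NEW_MASTER: Interface ge-0/0/2.0 (local address 192.168.44.104) became VRRP master for group 14 with master reason priority
"""

# Matches the VRRPD_NEW_MASTER message format shown above. The timestamp uses
# \s+ between month and day because syslog pads single-digit days with a space.
NEW_MASTER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"VRRPD_NEW_MASTER: Interface (?P<ifl>\S+) \(local address (?P<addr>[0-9.]+)\) "
    r"became VRRP master for group (?P<group>\d+) with master reason (?P<reason>\S+)$"
)


@dataclass
class MasterTransition:
    timestamp: str
    interface: str
    local_address: str
    group: int
    reason: str


def parse_new_master_events(log_text: str) -> list:
    """Extract every VRRPD_NEW_MASTER transition from raw syslog text."""
    events = []
    for line in log_text.splitlines():
        m = NEW_MASTER_RE.match(line.strip())
        if m:
            events.append(MasterTransition(m["ts"], m["ifl"], m["addr"],
                                           int(m["group"]), m["reason"]))
    return events


def is_unplanned_failover(event: MasterTransition) -> bool:
    # masterNoResponse means this node stopped hearing the master's advertisements:
    # the peer, or the path to it, failed. Any other reason (e.g. a higher-priority
    # router taking over) is treated here as a deliberate or benign change.
    return event.reason == "masterNoResponse"


def summarize(log_text: str) -> list:
    """One human-readable line per transition, suitable for an alert body."""
    return [
        f"{e.timestamp} {e.interface} group {e.group}: "
        f"{'UNPLANNED failover' if is_unplanned_failover(e) else 'master change'} ({e.reason})"
        for e in parse_new_master_events(log_text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Feed it the output of show log messages | match VRRPD_NEW_MASTER from each node; a masterNoResponse event on the former BACKUP is the signal to go and inspect the former MASTER with show vrrp as shown above.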
IPsec failure¶
Checking IKE (ISAKMP) phase 1 SAs (output when phase 1 is in the DOWN state):
user01@vSRX-03> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
402079 DOWN e73f30f207bf64ae 0000000000000000 Main 192.168.1.101
Checking IPsec SAs (output when no tunnel is established because the number of phase 2 tunnels is zero):
user01@vSRX-03> show security ipsec security-associations
Total active tunnels: 0
user01@vSRX-03>
State of the tunnel interface (st0) bound to the IPsec tunnel (link down):
user01@vSRX-03> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 192.168.3.103/24
omitted
st0 up up
st0.0 up down inet 172.16.13.3/24
tap up up
vlan up down
vtep up up
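The three checks above (IKE SA state, active tunnel count, st0 link state) are usually run together, and each of them points at a different layer of the failure. The script below is an added example, not part of this page or of Junos: it parses constructed copies of the three command outputs shown above and turns them into a list of findings, so the same logic can be run against text captured from the device. The healthy-case values used in the usage note and the all-zero responder cookie check (an all-zero responder cookie means the peer never answered the IKE initiation) are the author's additions.

```python
import re

# Constructed copies of the three command outputs shown on this page.
IKE_SA_SAMPLE = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
402079  DOWN   e73f30f207bf64ae  0000000000000000  Main           192.168.1.101
"""
IPSEC_SA_SAMPLE = "  Total active tunnels: 0\n"
TERSE_SAMPLE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.3.103/24
st0                     up    up
st0.0                   up    down inet     172.16.13.3/24
vlan                    up    down
"""


def parse_ike_sas(text: str) -> list:
    """Rows of 'show security ike security-associations' as dicts."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the numeric SA index; the header row does not.
        if len(parts) >= 6 and parts[0].isdigit():
            sas.append({"index": int(parts[0]), "state": parts[1],
                        "initiator_cookie": parts[2], "responder_cookie": parts[3],
                        "mode": parts[4], "remote": parts[5]})
    return sas


def parse_active_tunnels(text: str):
    """Phase 2 tunnel count from 'show security ipsec security-associations'."""
    m = re.search(r"Total active tunnels:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_st0_links(text: str) -> dict:
    """Map each st0.N logical interface to its (Admin, Link) columns."""
    links = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("st0."):
            links[parts[0]] = (parts[1], parts[2])
    return links


def diagnose(ike_text: str, ipsec_text: str, terse_text: str) -> list:
    """Combine the three outputs into a list of findings (empty means healthy)."""
    findings = []
    for sa in parse_ike_sas(ike_text):
        if sa["state"] != "UP":
            msg = f"IKE phase 1 SA {sa['index']} to {sa['remote']} is {sa['state']}"
            if sa["responder_cookie"] == "0" * 16:
                msg += " (responder cookie all zeros: no reply from the peer)"
            findings.append(msg)
    tunnels = parse_active_tunnels(ipsec_text)
    if tunnels is None:
        findings.append("could not parse active tunnel count")
    elif tunnels == 0:
        findings.append("no active IPsec phase 2 tunnels")
    for ifl, (admin, link) in parse_st0_links(terse_text).items():
        # Admin up but link down is exactly the st0.0 state shown above.
        if admin == "up" and link != "up":
            findings.append(f"tunnel interface {ifl} is admin {admin} but link {link}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(IKE_SA_SAMPLE, IPSEC_SA_SAMPLE, TERSE_SAMPLE):
        print(finding)
```

Reading the findings top-down mirrors the dependency order: with phase 1 DOWN and no reply from the peer, the zero phase 2 tunnel count and the st0.0 link-down state are consequences, and the place to look first is the peer firewall and the path to it.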
SNMP trap confirmation
An SNMP trap is sent when the peer firewall at the other end of the IPsec connection fails.
The ifIndex.520 shown in the captured trap corresponds to the tunnel interface st0.0 (see the MIB walk below), which indicates that st0.0 is in the link-down state.
user01@vSRX-03> show snmp mib walk 1.3.6.1.2.1.2.2.1 | no-more
ifIndex.1 = 1
omitted
ifIndex.524 = 524
ifDescr.1 = fxp0
omitted
ifDescr.510 = ge-0/0/0
ifDescr.511 = ge-0/0/0.0
ifDescr.512 = gr-0/0/0
ifDescr.513 = ip-0/0/0
ifDescr.514 = lsq-0/0/0
ifDescr.515 = mt-0/0/0
ifDescr.516 = lt-0/0/0
ifDescr.517 = sp-0/0/0
ifDescr.518 = sp-0/0/0.0
ifDescr.519 = sp-0/0/0.16383
ifDescr.520 = st0.0
ifDescr.521 = ge-0/0/1
ifDescr.522 = ge-0/0/1.0
ifDescr.523 = ge-0/0/2
ifDescr.524 = ge-0/0/2.0
Note
The ifIndex value is assigned when the device boots. It is not fixed and can change depending on the interface usage state, etc., so check the current mapping with the command above (or an equivalent) rather than relying on a previously recorded value.
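Because the ifIndex is not stable across reboots, a trap receiver should resolve the index in each trap against a fresh walk of ifTable instead of a hard-coded map. The script below is an added example, not part of this page or of Junos: it parses a constructed excerpt of the show snmp mib walk 1.3.6.1.2.1.2.2.1 output into an ifIndex-keyed table, resolves a constructed linkDown trap (with the standard ifIndex/ifAdminStatus/ifOperStatus varbinds) to the interface name, and reports an unknown index as a stale map to be re-walked rather than guessing. The ifAdminStatus and ifOperStatus rows in the sample are the author's additions.

```python
import re

# Constructed excerpt modelled on the MIB walk shown on this page; the
# ifAdminStatus/ifOperStatus rows are added here (1 = up, 2 = down per RFC 2863).
MIB_WALK_SAMPLE = """\
ifIndex.1 = 1
ifIndex.520 = 520
ifIndex.522 = 522
ifDescr.1 = fxp0
ifDescr.520 = st0.0
ifDescr.522 = ge-0/0/1.0
ifAdminStatus.520 = 1
ifAdminStatus.522 = 1
ifOperStatus.520 = 2
ifOperStatus.522 = 1
"""

# Constructed representation of a received linkDown trap, reduced to the
# varbinds the standard trap carries (ifIndex, ifAdminStatus, ifOperStatus).
SAMPLE_TRAP = {"trap": "linkDown", "ifIndex": 520, "ifAdminStatus": 1, "ifOperStatus": 2}

STATUS_NAMES = {1: "up", 2: "down", 3: "testing"}

# One walk line: "<object>.<ifIndex> = <value>"
WALK_RE = re.compile(r"^(?P<obj>[A-Za-z]+)\.(?P<idx>\d+)\s*=\s*(?P<val>.*?)\s*$")


def parse_if_table(walk_text: str) -> dict:
    """Group walk lines by ifIndex: {520: {'ifDescr': 'st0.0', 'ifOperStatus': '2', ...}}."""
    table = {}
    for line in walk_text.splitlines():
        m = WALK_RE.match(line.strip())
        if m:
            table.setdefault(int(m["idx"]), {})[m["obj"]] = m["val"]
    return table


def resolve_trap(trap: dict, table: dict):
    """Return the interface behind the trap's ifIndex, or None if the index is unknown."""
    entry = table.get(trap["ifIndex"], {})
    name = entry.get("ifDescr")
    if name is None:
        # Unknown index: the map was probably taken before a reboot. Do not guess.
        return None
    oper = STATUS_NAMES.get(trap.get("ifOperStatus"), "unknown")
    return {"interface": name, "ifIndex": trap["ifIndex"],
            "trap": trap["trap"], "oper_status": oper}


def describe(trap: dict, walk_text: str) -> str:
    """Human-readable line for the trap, resolved against a fresh walk."""
    r = resolve_trap(trap, parse_if_table(walk_text))
    if r is None:
        return (f"{trap['trap']} for unknown ifIndex {trap['ifIndex']}: "
                "re-walk ifTable, the index map may be stale")
    return (f"{r['trap']} on {r['interface']} (ifIndex {r['ifIndex']}), "
            f"operational status {r['oper_status']}")


if __name__ == "__main__":
    print(describe(SAMPLE_TRAP, MIB_WALK_SAMPLE))
```

In a real receiver the walk text would be fetched from the device when the trap arrives (or refreshed after every reboot notification), so that the st0.0 resolution above stays correct even after the ifIndex values are reassigned.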