How to Check When a Failure Occurs

Operation confirmed on: vSRX Version 15.1X49-D105.1, vSRX Version 19.2R1.8, vSRX Version 20.4R2

This section describes which logs and commands to check when a failure occurs on | new_vfirewall |. The procedure includes SNMP trap confirmation, so monitoring via the SNMP function must be configured in advance.

VRRP failure

VRRP switchover occurs when a node is restarted, when keepalive (advertisement) packets between the VRRP-enabled firewalls stop arriving, or for similar reasons.

  • Output in the state where VRRP on interface ge-0/0/1 unit 0 of the MASTER has been disabled

# MASTER

user01@vSRX-03> show vrrp
VRRP is not running

# BACKUP

user01@vSRX-04> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             13   master   Active      A  0.356 lcl    192.168.33.104
                                                                vip    192.168.33.134
  • Output in the state where the VRRP-enabled interface ge-0/0/1 itself has been disabled

# MASTER

user01@vSRX-03> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    down           13   init     Active      N  0.000 lcl    192.168.33.103
                                                                vip    192.168.33.134

# BACKUP

user01@vSRX-04> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             13   master   Active      A  0.477 lcl    192.168.33.104
                                                                vip    192.168.33.134
  • Detailed output (show vrrp detail) on vSRX-04 in the state where the VRRP-enabled interface ge-0/0/1 has been disabled

user01@vSRX-04> show vrrp detail
Physical interface: ge-0/0/1, Unit: 0, Address: 192.168.33.104/24
  Index: 72, SNMP ifIndex: 520, VRRP-Traps: disabled, VRRP-Version: 2
  Interface state: up, Group: 13, State: master, VRRP Mode: Active
  Priority: 150, Advertisement interval: 1, Authentication type: none
  Advertisement threshold: 3, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.33.134
  Advertisement Timer: 0.313s, Master router: 192.168.33.104
  Virtual router uptime: 2w0d 01:43, Master router uptime: 00:00:31
  Virtual Mac: 00:00:5e:00:01:0d
  Tracking: disabled

user01@vSRX-04>
  • Syslog check: show log messages | match vrrp

Use this command to check VRRP-related syslog messages. The messages below are output when the VRRP state changes from BACKUP to MASTER:

user01@vSRX-04> show log messages | match vrrp
Nov  8 06:00:57 vrrpd_update_state_machine, ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 state: backup
Nov  8 06:00:57 vrrpd_ppmd_delete_adj : ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013
Nov  8 06:00:57 vrrp_fsm_update IFD: ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 event: master
Nov  8 06:00:57 vrrp_fsm_active: ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 state from: backup
Nov  8 06:00:57 vrrpd_set_state_in_kernel : vrrp_if ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013, state : 1, group : 13
Nov  8 06:00:57 vrrp_newmaster_trap: vrrp_if : ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 trap enabled : 0
Nov  8 06:00:57 VRRPD_NEW_MASTER: Interface ge-0/0/1.0 (local address 192.168.33.104) became VRRP master for group 13 with master reason masterNoResponse
Nov  8 06:00:57 vrrp_fsm_update_for_inherit IFD: ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013 event: master
Nov  8 06:00:57 Signalled dcd (PID 1544) to reconfig
Nov  8 06:00:57 vrrpd_set_state_in_kernel : vrrp_if ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013, state : 1, group : 13
Nov  8 06:00:59 vrrpd_config_holddown_expiry:
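The VRRPD_NEW_MASTER line above is the one worth alerting on, since it carries the interface, the local address, the group and the reason for the switchover. The following is an added example (not part of this page or of Junos) that extracts those transitions from the `show log messages | match vrrp` output and flags an interface/group that became master more than once within a short window, which usually indicates flapping keepalives rather than a single failover. The log text is a constructed sample modelled on the output above (the second NEW_MASTER line is added for the flap check), and the function names and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of `show log messages | match vrrp` shown above.
# The first three lines follow the page's output; the last NEW_MASTER line is added
# here (not from the page) so that the flap detection below has something to find.
SAMPLE_LOG = """\
Nov  8 06:00:57 vrrpd_set_state_in_kernel : vrrp_if ge-0/0/1.000.000.000.0000:0000:0000:0000:0000:0000:c0a8:2168.013, state : 1, group : 13
Nov  8 06:00:57 VRRPD_NEW_MASTER: Interface ge-0/0/1.0 (local address 192.168.33.104) became VRRP master for group 13 with master reason masterNoResponse
Nov  8 06:00:59 vrrpd_config_holddown_expiry:
Nov  8 06:01:20 VRRPD_NEW_MASTER: Interface ge-0/0/1.0 (local address 192.168.33.104) became VRRP master for group 13 with master reason masterNoResponse
"""

# Matches the VRRPD_NEW_MASTER message. The "master reason" suffix is treated as
# optional (assumption) so that a line without it still produces an event.
NEW_MASTER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}).*?"
    r"VRRPD_NEW_MASTER: Interface (?P<ifname>\S+) "
    r"\(local address (?P<local>[0-9.]+)\) became VRRP master for group (?P<group>\d+)"
    r"(?: with master reason (?P<reason>\S+))?"
)


def parse_new_master_events(log_text):
    """Return one dict per BACKUP->MASTER transition found in the syslog text."""
    events = []
    for line in log_text.splitlines():
        m = NEW_MASTER_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["group"] = int(ev["group"])
        # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
        ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def find_flapping(events, window_seconds=60):
    """Return the (interface, group) pairs that became master more than once within the window."""
    flapping = set()
    last_seen = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["ifname"], ev["group"])
        prev = last_seen.get(key)
        if prev is not None and (ev["time"] - prev).total_seconds() <= window_seconds:
            flapping.add(key)
        last_seen[key] = ev["time"]
    return flapping


if __name__ == "__main__":
    evs = parse_new_master_events(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev['ts']} {ev['ifname']} group {ev['group']} -> MASTER ({ev['reason']})")
    print("flapping:", find_flapping(evs))
```

A single transition with reason masterNoResponse points at the peer node or the link between the nodes; repeated transitions within the window point at an unstable advertisement path and are worth correlating with interface errors on both nodes.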

IPsec failure

  • Checking the IKE (ISAKMP) Phase 1 SA (output when Phase 1 is in the DOWN state)

user01@vSRX-03> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
402079  DOWN   e73f30f207bf64ae  0000000000000000  Main           192.168.1.101
  • Checking the IPsec SA (output when no Phase 2 tunnel has been established: the number of active tunnels is zero)

user01@vSRX-03> show security ipsec security-associations
  Total active tunnels: 0

user01@vSRX-03>
  • State of the tunnel interface (st0) bound to the IPsec tunnel (link is down)

user01@vSRX-03> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.3.103/24
omitted
st0                     up    up
st0.0                   up    down inet     172.16.13.3/24
tap                     up    up
vlan                    up    down
vtep                    up    up
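The three checks above (IKE SA state, active IPsec tunnel count, st0 link state) are normally read together: a DOWN Phase 1 with an all-zero responder cookie means the peer never answered, zero active tunnels follows from that, and st0.0 going link-down is what the SNMP trap will report. The following is an added example (not code from this page or from Junos) that parses the three command outputs and turns them into a list of findings for a monitoring job. The command outputs are constructed samples modelled on the ones shown above, and the function names and the `tunnel_if` parameter are assumptions.

```python
import re

# Constructed samples following the three command outputs shown above
# (show security ike security-associations, show security ipsec security-associations,
# show interfaces terse). They are not captured from a live device.
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
402079  DOWN   e73f30f207bf64ae  0000000000000000  Main           192.168.1.101
"""

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 0
"""

TERSE_OUTPUT = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.3.103/24
st0                     up    up
st0.0                   up    down inet     172.16.13.3/24
"""

IKE_ROW_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-f]{16})\s+"
    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>\S+)\s+(?P<remote>\S+)"
)
TERSE_ROW_RE = re.compile(r"^(?P<name>\S+)\s+(?P<admin>up|down)\s+(?P<link>up|down)")


def parse_ike_sas(text):
    """Return one dict per IKE SA row (the header line does not match the row pattern)."""
    return [m.groupdict() for m in (IKE_ROW_RE.match(l) for l in text.splitlines()) if m]


def parse_ipsec_tunnel_count(text):
    """Return the 'Total active tunnels' value, or None if the line is absent."""
    m = re.search(r"Total active tunnels:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_link_states(text):
    """Return {interface: (admin, link)} from `show interfaces terse` output."""
    states = {}
    for line in text.splitlines():
        m = TERSE_ROW_RE.match(line)
        if m:
            states[m.group("name")] = (m.group("admin"), m.group("link"))
    return states


def ipsec_findings(ike_text, ipsec_text, terse_text, tunnel_if="st0.0"):
    """Combine the three checks into a list of findings (an empty list means healthy)."""
    findings = []
    for sa in parse_ike_sas(ike_text):
        if sa["state"].upper() != "UP":
            note = f"IKE SA {sa['index']} to {sa['remote']} is {sa['state']}"
            # An all-zero responder cookie means the peer never answered Phase 1.
            if set(sa["rcookie"]) == {"0"}:
                note += " (no reply from peer: check reachability and peer configuration)"
            findings.append(note)
    if parse_ipsec_tunnel_count(ipsec_text) == 0:
        findings.append("no active IPsec (Phase 2) tunnels")
    admin, link = parse_link_states(terse_text).get(tunnel_if, ("?", "?"))
    if link != "up":
        findings.append(f"{tunnel_if} admin={admin} link={link}")
    return findings


if __name__ == "__main__":
    for finding in ipsec_findings(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, TERSE_OUTPUT):
        print("FINDING:", finding)
```

Feeding the live command outputs into `ipsec_findings` from a scheduled job gives a check that fires on the same conditions an operator would look for by hand, and the IKE finding tells you whether to start with the local device (state other than DOWN, real responder cookie) or with the peer and the path to it.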
  • SNMP Trap confirmation

An SNMP trap is sent when the remote firewall at the other end of the IPsec connection fails.

[Figure vsrx_failure-log_fig1: packet capture of the SNMP linkDown trap]

The ifIndex.520 shown in the capture corresponds to the tunnel interface (st0.0), which is in linkDown state. The ifIndex-to-interface mapping can be confirmed with the following command:

user01@vSRX-03> show snmp mib walk 1.3.6.1.2.1.2.2.1 | no-more
ifIndex.1     = 1
  omitted
ifIndex.524   = 524
ifDescr.1     = fxp0
  omitted
ifDescr.510   = ge-0/0/0
ifDescr.511   = ge-0/0/0.0
ifDescr.512   = gr-0/0/0
ifDescr.513   = ip-0/0/0
ifDescr.514   = lsq-0/0/0
ifDescr.515   = mt-0/0/0
ifDescr.516   = lt-0/0/0
ifDescr.517   = sp-0/0/0
ifDescr.518   = sp-0/0/0.0
ifDescr.519   = sp-0/0/0.16383
ifDescr.520   = st0.0
ifDescr.521   = ge-0/0/1
ifDescr.522   = ge-0/0/1.0
ifDescr.523   = ge-0/0/2
ifDescr.524   = ge-0/0/2.0

Note

The ifIndex value is assigned when the device starts. It is not fixed and can change depending on interface usage and similar factors, so confirm the current mapping with the command above (or an equivalent) rather than relying on a stored value.
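Because the ifIndex in a trap is only meaningful against the mapping the device currently holds, a trap receiver should resolve it from a recent ifDescr walk and re-walk after a reboot. The following is an added example (not code from this page or from Junos) that parses the `show snmp mib walk 1.3.6.1.2.1.2.2.1` output shown above into an ifIndex-to-name table, translates the ifIndex carried in a linkDown trap into an interface name, and uses a drop in sysUpTime as the signal that the table must be rebuilt. The walk text is a constructed sample modelled on the output above, and the function names and the sysUpTime comparison are assumptions.

```python
import re

# Constructed sample in the format of `show snmp mib walk 1.3.6.1.2.1.2.2.1` shown above
# (a subset of the ifIndex/ifDescr rows; not a live capture).
MIB_WALK_OUTPUT = """\
ifIndex.1     = 1
ifIndex.520   = 520
ifDescr.1     = fxp0
ifDescr.511   = ge-0/0/0.0
ifDescr.520   = st0.0
ifDescr.522   = ge-0/0/1.0
"""

IFDESCR_RE = re.compile(r"^ifDescr\.(?P<idx>\d+)\s*=\s*(?P<name>\S+)")


def build_ifindex_map(walk_text):
    """Return {ifIndex: ifDescr} parsed from the walk output; ifIndex rows are skipped."""
    table = {}
    for line in walk_text.splitlines():
        m = IFDESCR_RE.match(line.strip())
        if m:
            table[int(m.group("idx"))] = m.group("name")
    return table


def needs_rewalk(previous_sysuptime, current_sysuptime):
    """True when sysUpTime went backwards, i.e. the device restarted and ifIndex values
    may have been reassigned. sysUpTime is a 32-bit TimeTicks counter, so a wrap after
    roughly 497 days also triggers a re-walk; that is harmless (assumption)."""
    return current_sysuptime < previous_sysuptime


def describe_link_trap(trap_ifindex, ifindex_map, trap_type="linkDown"):
    """Translate the ifIndex carried in a linkDown/linkUp trap into an interface name."""
    name = ifindex_map.get(trap_ifindex)
    if name is None:
        return f"{trap_type} for unknown ifIndex {trap_ifindex}: re-walk ifDescr on the device"
    return f"{trap_type} on {name} (ifIndex {trap_ifindex})"


if __name__ == "__main__":
    table = build_ifindex_map(MIB_WALK_OUTPUT)
    print(describe_link_trap(520, table))
    print(describe_link_trap(999, table))
    print("re-walk needed:", needs_rewalk(previous_sysuptime=100000, current_sysuptime=50))
```

An unknown ifIndex is reported rather than silently dropped, so that a trap arriving after a reboot that reshuffled the indices still reaches the operator and triggers a fresh walk.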