System log error messages for Next Gen Services

This topic describes the system log error messages of the MX-SPC3 services card for Next Gen Services and compares them with the corresponding messages of the MS-MPC services card.

Session open logs

The following are example session open logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

JSERVICES_SESSION_OPEN application source-interface-name source-address source-port source-nat-information destination-address destination-port destination-nat-information protocol-name softwire-information;

MX-SPC3 services card

RT_FLOW_SESSION_CREATE_USF Prefix service-set-name source-interface-name source-address source-port destination-address destination-port service-name nat-source-address nat-source-port nat-destination-address nat-destination-port src-nat-rule-type src-nat-rule-name dst-nat-rule-type dst-nat-rule-name protocol-name policy-name application softwire-information;

MX-SPC3 sample output

A sample output is as follows:

<14>1 2018-06-26T17:23:06.269-07:00 booklet RT_FLOW - RT_FLOW_SESSION_CREATE_USF [junos@2636.1.1.1.2.25 prefix="SYSLOG-PREFIX" service-set-name="JNPR-NH-SSET3" source-address="50.0.0.10" source-port="1" destination-address="60.0.0.10" destination-port="21219" connection-tag="0" service-name="icmp" nat-source-address="100.0.0.1" nat-source-port="1024" nat-destination-address="60.0.0.10" nat-destination-port="21219" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="SRC-NAT-RULE1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="p1" source-zone-name="JNPR-NH-SSET3-ZoneIn" destination-zone-name="JNPR-NH-SSET3-ZoneOut" session-id-32="160000001" username="N/A" roles="N/A" packet-incoming-interface="vms-2/0/0.100" application="UNKNOWN" nestedapplication="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1"] Prefix PADDY3 svc-set-name JNPR-NH-SSET3: session created 50.0.0.10/1->60.0.0.10/21219 0x0 icmp 100.0.0.1/1024->60.0.0.10/21219 0x0 source rule SRC-NAT-RULE1 N/A N/A 1 p1 JNPR-NH-SSET3-ZoneIn JNPR-NH-SSET3-ZoneOut 160000001 N/A(N/A) vms-2/0/0.100 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1

Session open logs with NAT

MS-MPC services card

SYSLOG_MSMPC{SS_TEST}JSERVICES_SESSION_OPEN: application:ike-esp-nat, xe-2/2/1.0 24.0.0.2:1234 [85.0.0.1:1024]  ->  25.0.0.2:1234 (UDP)

MX-SPC3 services card

Aug 3 02:04:28 mobst480i RT_FLOW: RT_FLOW_SESSION_CREATE_USF: Tag svc-set-name sset1: session created 90.0.0.2/1->30.0.0.2/4323 0x0 icmp 50.0.0.3/1024->30.0.0.2/4323 0x0 source rule rule1 N/A N/A 1 p1 sset1-ZoneIn sset1-ZoneOut 160000015 N/A(N/A) vms-2/0/0.1 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A

Session open logs without NAT

MS-MPC services card

SYSLOG_MSMPC{SS_TEST}JSERVICES_SESSION_OPEN: application:ike-esp-nat, xe-2/2/1.0 24.0.0.2:1234  ->  25.0.0.2:1234 (UDP)

MX-SPC3 services card

RT_FLOW - RT_FLOW_SESSION_CREATE_USF [junos@2636.1.1.1.2.25 tag="SYSLOG_SFW" service-set-name="ss1" source-address="20.1.1.2" source-port="12000" destination-address="30.1.1.2" destination-port="22000" connection-tag="0" service-name="None" nat-source-address="20.1.1.2" nat-source-port="12000" nat-destination-address="30.1.1.2" nat-destination-port="22000" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="policy1" source-zone-name="ss1-ZoneIn" destination-zone-name="ss1-ZoneOut" session-id-32="190000004" username="N/A" roles="N/A" packet-incoming-interface="xe-5/3/2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A"] Tag SYSLOG_SFW svc-set-name ss1: session created 20.1.1.2/12000->30.1.1.2/22000 0x0 None 20.1.1.2/12000->30.1.1.2/22000 0x0 N/A N/A N/A N/A 6 policy1 ss1-ZoneIn ss1-ZoneOut 190000004 N/A(N/A) xe-5/3/2.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A
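
Added example (not Juniper's code): a Python normalizer that maps the MS-MPC JSERVICES_SESSION_OPEN text line and the MX-SPC3 RT_FLOW_SESSION_CREATE_USF structured-data line onto one flow record, so a collector can accept both cards during a migration. The record layout, the function names and the shortened sample lines are assumptions; the traditional (non-structured) MX-SPC3 format is not handled.

```python
import re

# key="value" pairs inside the [junos@...] structured-data element. No space is
# required between pairs, so a run such as a="1"b="2" still splits correctly.
SD_PAIR = re.compile(r'([A-Za-z0-9-]+)="([^"]*)"')
# MS-MPC text form: "<interface> src:port [nat:port] -> dst:port (PROTO)"
MSMPC = re.compile(
    r'JSERVICES_SESSION_OPEN: application:(?P<app>[^,]+), \S+ '
    r'(?P<src>[\d.]+):(?P<sport>\d+)(?: \[(?P<nsrc>[\d.]+):(?P<nsport>\d+)\])?'
    r'\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+) \((?P<proto>\w+)\)')
PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers

def parse_msmpc(line):
    m = MSMPC.search(line)
    if not m:
        return None
    nat = (m["nsrc"], int(m["nsport"])) if m["nsrc"] else None
    return {"card": "MS-MPC", "src": (m["src"], int(m["sport"])),
            "dst": (m["dst"], int(m["dport"])), "nat_src": nat,
            "proto": m["proto"].upper()}

def parse_mxspc3(line):
    m = re.search(r'RT_FLOW_SESSION_CREATE_USF \[junos@', line)
    if not m:
        return None
    kv = dict(SD_PAIR.findall(line[m.end():]))
    src = (kv["source-address"], int(kv["source-port"]))
    nat = (kv["nat-source-address"], int(kv["nat-source-port"]))
    # Sessions without NAT still carry nat-* fields, equal to the originals.
    return {"card": "MX-SPC3", "src": src,
            "dst": (kv["destination-address"], int(kv["destination-port"])),
            "nat_src": nat if nat != src else None,
            "proto": PROTO.get(kv["protocol-id"], kv["protocol-id"])}

def normalize(line):
    """Return one flow record for either card's session-open line, else None."""
    return parse_msmpc(line) or parse_mxspc3(line)

# Constructed samples: shortened copies of the log lines shown on this page.
SAMPLES = [
    'SYSLOG_MSMPC{SS_TEST}JSERVICES_SESSION_OPEN: application:ike-esp-nat, '
    'xe-2/2/1.0 24.0.0.2:1234 [85.0.0.1:1024]  ->  25.0.0.2:1234 (UDP)',
    'RT_FLOW - RT_FLOW_SESSION_CREATE_USF [junos@2636.1.1.1.2.25 '
    'source-address="20.1.1.2" source-port="12000" '
    'destination-address="30.1.1.2" destination-port="22000" '
    'nat-source-address="20.1.1.2" nat-source-port="12000" protocol-id="6"]',
]
RECORDS = [normalize(s) for s in SAMPLES]
```

Detection rules keyed on the MS-MPC bracketed NAT address need the equality check above on MX-SPC3, because the MX-SPC3 line fills the nat-* fields even when no translation took place.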

Session close logs

The following are example session close logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

JSERVICES_SESSION_CLOSE application source-interface-name source-address source-port source-nat-information destination-address destination-port destination-nat-information protocol-name softwire-information;

MX-SPC3 services card

RT_FLOW_SESSION_CLOSE_USF Prefix service-set-name source-interface-name source-address source-port destination-address destination-port service-name nat-source-address nat-source-port nat-destination-address nat-destination-port src-nat-rule-type src-nat-rule-name dst-nat-rule-type dst-nat-rule-name protocol-name policy-name; softwire-information;

MX-SPC3 sample output

A sample output is as follows:

<14>1 2018-06-27T09:24:00.058-07:00 booklet RT_FLOW - RT_FLOW_SESSION_CLOSE_USF [junos@2636.1.1.1.2.25 prefix="SYSLOG-PREFIX" service-set-name="JNPR-NH-SSET3" reason="idle Timeout" source-address="50.0.0.10" source-port="1" destination-address="60.0.0.10" destination-port="30170" connection-tag="0" service-name="icmp" nat-source-address="100.0.0.1" nat-source-port="1024" nat-destination-address="60.0.0.10" nat-destination-port="30170" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="SRC-NAT-RULE1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="p1" source-zone-name="JNPR-NH-SSET3-ZoneIn" destination-zone-name="JNPR-NH-SSET3-ZoneOut" session-id-32="160000001" packets-from-client="1" bytes-from-client="84" packets-from-server="0" bytes-from-server="0" elapsed-time="4" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="vms-2/0/0.100" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1"] Prefix PADDY-DEF svc-set-name JNPR-NH-SSET3: session closed idle Timeout: 50.0.0.10/1->60.0.0.10/30170 0x0 icmp 100.0.0.1/1024->60.0.0.10/30170 0x0 source rule SRC-NAT-RULE1 N/A N/A 1 p1 JNPR-NH-SSET3-ZoneIn JNPR-NH-SSET3-ZoneOut 160000001 1(84) 0(0) 4 UNKNOWN UNKNOWN N/A(N/A) vms-2/0/0.100 UNKNOWN N/A N/A -1

NAT out of addresses logs

The following are example NAT out of addresses logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

JSERVICES_NAT_OUTOF_ADDRESSES: nat-pool-name

MX-SPC3 services card:

Aug 10 10:06:13 champ RT_NAT: RT_SRC_NAT_OUTOF_ADDRESSES: nat-pool-name src_pool1 is out of addresses

NAT out of ports logs

The following are example NAT out of ports logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

{NPU-1-PFX1}[jservices-nat]: JSERVICES_NAT_OUTOF_PORTS: natpool NAT-POOL-NPU1-PFX3 is out of ports

MX-SPC3 services card

jul 31 03:08:30 esst480h RT_NAT: RT_SRC_NAT_OUTOF_PORTS: nat-pool-name nat_pool1 is out of ports

NAT rule match logs

The following are example NAT rule match logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

SYSLOG_MSMPC{SS_TEST}[jservices-nat]: JSERVICES_NAT_RULE_MATCH: proto 17 (UDP) application: any, xe-2/2/1.0:24.0.0.2:1234 -> 25.0.0.2:1234, Match NAT rule-set: (null), rule: NAT_RULE_TEST, term: t

MX-SPC3 services card

RT_NAT: RT_NAT_RULE_MATCH: protocol-id 17 protocol-name udp application Unknown interface-name ge-2/0/9.0 source-address 11.1.1.2 source-port 2000 destination-address 12.1.1.2 destination-port 5000 rule-set-name rule-set rule-name nat-rule

NAT pool release logs

The following are example NAT rule match logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

SYSLOG_MSMPC{SS_TEST}[jservices-nat]: JSERVICES_NAT_POOL_RELEASE: natpool release 85.0.0.1:1024[1]

MX-SPC3 services card

RT_NAT: RT_SRC_NAT_POOL_RELEASE: nat-pool-name nat-pool address 112.1.1.4 port 1024 count 1

NAT port block allocation logs

The following are example NAT port block allocation logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card example 1

SYSLOG_MSMPC{ss1}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 11.1.1.2 -> 112.1.1.4:42494-42503 0x59412760

MX-SPC3 services card example 1

Aug 9 23:01:59 esst480r RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 20.1.1.5 used/maximum [1/1] blocks, allocates port block [49774-49923] from 100.0.0.1 in source pool p1 lsys_id: 0

MS-MPC services card example 2

SYSLOG_MSMPC{ss1}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_RELEASE: 2001:2010:0:0:0:0:0:2 -> 161.161.16.1:56804-56813 0x597ef2c3

MX-SPC3 services card example 2

RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 11.1.1.2 used/maximum [1/2] blocks, allocates port block [13934-13943] from 112.1.1.1 in source pool nat-pool lsys_id: 0

NAT port block allocation interim logs

The following are example interim logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

SYSLOG_MSMPC{ss1}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ACTIVE: 11.1.1.2 -> 112.1.1.4:42494-42503 0x59412760

MX-SPC3 services card

RT_NAT: RT_SRC_NAT_PBA_INTERIM: Subscriber 50.0.0.3 used/maximum [1/1] blocks, allocates port block [5888-6015] from 202.0.0.1 in source pool JNPR-CGNAT-PUB-POOL lsys_id: 0

NAT port block release logs

The following are example NAT port block release logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

JSERVICES_NAT_PORT_BLOCK_RELEASE source-address nat-source-address nat-source-port-range-start nat-source-port-range-end object-create-time;

MX-SPC3 services card

RT_NAT: RT_SRC_NAT_PBA_RELEASE: Subscriber 11.1.1.2 used/maximum [2/3] blocks, releases port block [3839-3843] from 112.1.2.1 in source pool nat-pool lsys_id: 0
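
Added example (not Juniper's code): a Python replay of the port block allocation, interim and release messages from both cards that tracks which subscriber currently holds each public address and port range, the lookup an abuse or incident-response query against CGNAT logs needs. The function names and the table layout are assumptions, and the sample lines are constructed from the ones on this page (the release of block 13934-13943 is made up for the example).

```python
import re

# MX-SPC3: "RT_SRC_NAT_PBA_ALLOC: Subscriber S used/maximum [u/m] blocks,
#           allocates port block [lo-hi] from PUB in source pool P lsys_id: 0"
SPC3 = re.compile(
    r'RT_SRC_NAT_PBA_(?P<ev>ALLOC|INTERIM|RELEASE): Subscriber (?P<sub>\S+) '
    r'used/maximum \[\d+/\d+\] blocks, (?:allocates|releases) port block '
    r'\[(?P<lo>\d+)-(?P<hi>\d+)\] from (?P<pub>\S+) in source pool (?P<pool>\S+)')
# MS-MPC: "JSERVICES_NAT_PORT_BLOCK_ALLOC: S -> PUB:lo-hi 0x<create-time>"
MPC = re.compile(
    r'JSERVICES_NAT_PORT_BLOCK_(?P<ev>ALLOC|ACTIVE|RELEASE): (?P<sub>\S+) -> '
    r'(?P<pub>[\d.]+):(?P<lo>\d+)-(?P<hi>\d+)')

def parse_pba(line):
    """Return (event, subscriber, public_ip, lo, hi) or None for other lines."""
    m = SPC3.search(line) or MPC.search(line)
    if not m:
        return None
    ev = {"INTERIM": "ACTIVE"}.get(m["ev"], m["ev"])  # one name for both cards
    return ev, m["sub"], m["pub"], int(m["lo"]), int(m["hi"])

def active_blocks(lines):
    """Replay logs in order; return {(pub, lo, hi): subscriber} still held."""
    held = {}
    for ev, sub, pub, lo, hi in filter(None, map(parse_pba, lines)):
        if ev == "RELEASE":
            held.pop((pub, lo, hi), None)
        else:  # ALLOC, or an interim/active refresh of a block still in use
            held[(pub, lo, hi)] = sub
    return held

def who_holds(held, pub, port):
    """Subscriber holding public address pub and port, or None if unallocated."""
    for (ip, lo, hi), sub in held.items():
        if ip == pub and lo <= port <= hi:
            return sub
    return None

# Constructed samples based on the log lines shown on this page.
SAMPLES = [
    'RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 20.1.1.5 used/maximum [1/1] blocks, '
    'allocates port block [49774-49923] from 100.0.0.1 in source pool p1 lsys_id: 0',
    'RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 11.1.1.2 used/maximum [1/2] blocks, '
    'allocates port block [13934-13943] from 112.1.1.1 in source pool nat-pool lsys_id: 0',
    'RT_NAT: RT_SRC_NAT_PBA_RELEASE: Subscriber 11.1.1.2 used/maximum [0/2] blocks, '
    'releases port block [13934-13943] from 112.1.1.1 in source pool nat-pool lsys_id: 0',
    'SYSLOG_MSMPC{ss1}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC: 11.1.1.2 -> 112.1.1.4:42494-42503 0x59412760',
]
HELD = active_blocks(SAMPLES)
```

For a lookup at a past point in time, replay only the lines whose syslog timestamp precedes the moment in question.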

Deterministic NAT logs

MS-MPC services card

{ss1}[jservices-nat]: JSERVICES_DET_NAT_CONFIG: Deterministc NAT Config [2001:2010::-2001:2010::ff]:[161.161.16.1-161.161.16.254]:0:200:0:1024-65535

Stateful firewall rule accept logs

The following are example stateful firewall rule accept logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

Sep 20 01:36:51 mobst480b (FPC Slot 5, PIC Slot 0) 2017-09-20 08:36:19: SYSLOG_MSMPC{SS_TEST}[jservices-sfw]: JSERVICES_SFW_RULE_ACCEPT: proto 17 (UDP) application: any, interface: xe-2/2/1.0, 24.0.0.2:1234 -> 25.0.0.2:1234, Match SFW allow rule-set: (null), rule: SFW_RULE_TEST, term: t

MX-SPC3 services card

expo RT_FLOW: RT_FLOW_SESSION_POLICY_ACCEPT_USF: Tag SYSLOGMSG svc-set-name ss1:session created with policy accept 20.1.1.2/5->30.1.1.2/15100 0x0 icmp R11  1 sfw_policy1 ss1-ZoneIn ss1-ZoneOut 160000010 N/A(N/A) xe-5/3/2.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A

MX-SPC3 sample output

Here is a sample output for the MX-SPC3 card:

<14>1 2018-06-27T09:23:56.808-07:00 booklet RT_FLOW - RT_FLOW_SESSION_POLICY_ACCEPT_USF [junos@2636.1.1.1.2.25 prefix="PADDY-DEF" service-set-name="JNPR-NH-SSET3" source-address="50.0.0.10" source-port="1" destination-address="60.0.0.10" destination-port="30170" connection-tag="0" service-name="icmp" rule-name="Tobe implemented" rule-set-name="To be implemented" protocol-id="1" policy-name="p1" source-zone-name="JNPR-NH-SSET3-ZoneIn" destination-zone-name="JNPR-NH-SSET3-ZoneOut" session-id-32="160000001" username="N/A"roles="N/A" packet-incoming-interface="vms-2/0/0.100" application="UNKNOWN" nested-application="UNKNOWN"encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1"] Prefix PADDY-DEF svc-set-name JNPR-NH-SSET3: session created 50.0.0.10/1->60.0.0.10/30170 0x0 icmp To be implemented To be implemented 1 p1 JNPR-NH-SSET3-ZoneIn JNPR-NH-SSET3-ZoneOut 160000001 N/A(N/A) vms-2/0/0.100 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1

Stateful firewall rule reject logs

The following are example stateful firewall rule reject logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

Sep 20 01:42:02 mobst480b (FPC Slot 5, PIC Slot 0) 2017-09-20 08:41:31: SYSLOG_MSMPC{SS_TEST}[jservices-sfw]: JSERVICES_SFW_RULE_REJECT: proto 17 (UDP) application: any, 24.0.0.2:1234 -> 25.0.0.2:1234, Match SFW reject rule-set: (null), rule: SFW_RULE_TEST, term: t

MX-SPC3 services card

expo RT_FLOW: RT_FLOW_SESSION_RULE_REJECT_USF: Tag SYSLOGMSG svc-set-name ss1: session denied 20.1.1.2/5->30.1.1.2/15183 0x0 icmp R11 1(8) sfw_policy1 ss1-ZoneIn ss1-ZoneOut UNKNOWN UNKNOWN N/A(N/A) xe-5/3/2.0 No Rejected by policy 160000030 N/A N/A -1 N/A

Stateful firewall rule discard logs

The following are example stateful firewall rule discard logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

Sep 20 01:43:57 mobst480b (FPC Slot 5, PIC Slot 0) 2017-09-20 08:43:26: SYSLOG_MSMPC{SS_TEST}[jservices-sfw]: JSERVICES_SFW_RULE_DISCARD: proto 17 (UDP) application: any, 24.0.0.2:1234 -> 25.0.0.2:1234, Match SFW drop rule-set: (null), rule: SFW_RULE_TEST, term: t

MX-SPC3 services card

RT_FLOW - RT_FLOW_SESSION_RULE_DISCARD_USF [junos@2636.1.1.1.2.25 tag="SYSLOG_SFW" service-set-name="ss1" source-address="20.1.1.2" source-port="10000" destination-address="30.1.1.2" destination-port="20000" connection-tag="0" service-name="None" rule-name="R1" rule-set-name="" protocol-id="17" icmp-type="0" policy-name="policy1" source-zone-name="ss1-ZoneIn" destination-zone-name="ss1-ZoneOut" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="xe-5/3/2.0" encrypted="No" reason="Denied by policy" session-id-32="190000014" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A"] Tag SYSLOG_SFW svc-set-name ss1: session denied 20.1.1.2/10000->30.1.1.2/20000 0x0 None R1 17(0) policy1 ss1-ZoneIn ss1-ZoneOut UNKNOWN UNKNOWN N/A(N/A) xe-5/3/2.0 No Denied by policy 190000014 N/A N/A -1 N/A

Stateful firewall no rule drop logs

The following are example stateful firewall no rule drop logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

Sep 20 01:43:57 mobst480b (FPC Slot 5, PIC Slot 0) 2017-09-20 08:43:26: SYSLOG_MSMPC{SS_TEST}[jservices-sfw]: JSERVICES_SFW_NO_RULE_DROP: proto 17 (UDP) application: any, 24.0.0.2:1234 -> 25.0.0.2:1234

MX-SPC3 services card

RT_FLOW_SESSION_NO_RULE_DROP_USF Prefix service-set-name protocol-id protocol-name source-interface-name separator source-address source-port destination-address destination-port event-type;

Stateful firewall no policy drop logs

The following are example stateful firewall logs for MS-MPC services cards versus the MX-SPC3 services processing card:

MS-MPC services card

JSERVICES_SFW_NO_POLICY source-address destination-address;

MX-SPC3 services card

RT_FLOW_SESSION_NO_POLICY_USF Prefix service-set-name source-address destination-address;