0% found this document useful (0 votes)

2K views

SRX Cluster Monitoring Best Practices

cluster monitoring

Uploaded by

Haider Ali

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Design Considerations
A chassis cluster provides high redundancy. Before you begin managing an SRX Series chassis cluster, you need to have a basic understanding of how the cluster is formed and how it works. Chassis cluster functionality includes: A resilient system architecture, with a single active control plane for the entire cluster and multiple Packet Forwarding Engines. This architecture presents a single device view of the cluster. Synchronization of configuration and dynamic runtime states between nodes within a cluster. Monitoring of physical interfaces and failover if the failure parameters cross a configured threshold.

To form a chassis cluster, a pair of the same kind of supported SRX Series devices are combined to act as a single system that enforces the same overall security. Chassis cluster formation depends on the model. For SRX3400 and SRX3600 chassis clusters, the placement and type of SPCs, I/O cards (IOCs), and Network Processing Cards (NPCs) must match in the two devices. For SRX5600 and SRX5800 chassis clusters, the placement and type of Services Processing Cards (SPCs) must match in the two clusters. An SRX Series chassis cluster is created by physically connecting two identical cluster-supported SRX Series devices together using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. Hardware Requirements SRX1400, SRX3400, SRX3600, SRX5600, or SRX5800 Services Gateways SRX100, SRX200, or SRX600 Series branch device.

Software Requirements Junos OS Release 9.5 or later Junos OS Release 10.1R2 or later for SRX Series branch device virtual chassis management and in-band management

For more information about how to form clusters, see the Junos OS Security Configuration Guide. The control ports on the respective nodes are connected to form a control plane that synchronizes configuration and kernel state to facilitate the high availability of interfaces and services. The data plane on the respective nodes is connected over the fabric ports to form a unified data plane. The control plane software operates in active/backup mode. When configured as a chassis cluster, the two nodes back up each other, with one node acting as the primary device and the other as the secondary device, ensuring stateful failover of processes and services in the event of a system or hardware failure. If the primary device fails, the secondary device takes over processing the traffic. The data plane software operates in active/active mode. In a chassis cluster, session information is updated as traffic traverses either device, and this information is transmitted between the nodes over the fabric link to guarantee that established sessions are not dropped when a failover occurs. In active/active mode, it is possible for traffic to ingress the cluster on one node and egress the cluster from the other node. When a device joins a cluster, it becomes a node of that cluster. With the exception of unique node settings and management IP addresses, nodes in a cluster share the same configuration.

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

You can deploy up to 15 chassis clusters in a Layer 2 domain. Clusters and nodes are identified in the following ways: A cluster is identified by a cluster ID (cluster-id) specified as a number from 1 through 15. A cluster node is identified by a node ID (node) specified as a number from 0 to 1.

Chassis clustering provides high availability of interfaces and services through redundancy groups and primacy within groups. A redundancy group is an abstract construct that includes and manages a collection of objects. A redundancy group contains objects on both nodes. A redundancy group is primary on one node and backup on the other at any time. When a redundancy group is said to be primary on a node, its objects on that node are active. See the Junos OS Security Configuration Guide for detailed information about redundancy groups. Redundancy groups are the concept in Junos OS Services Redundancy Protocol (JSRP) clustering that is similar to a virtual security interface (VSI) in Juniper Networks ScreenOS Software. Basically, each node has an interface in the redundancy group, where only one interface is active at a time. A redundancy group is a concept similar to a Virtual Security Device (VSD) in ScreenOS Software. Redundancy group 0 is always for the control plane, while redundancy group 1+ is always for the data plane ports.

Various Deployments of a Cluster

Firewall deployments can be active/passive or active/active. Active/passive high availability mode is the most common type of high availability firewall deployment and consists of two firewall members of a cluster. One actively provides routing, firewall, NAT, virtual private network (VPN), and security services, along with maintaining control of the chassis cluster. The other firewall passively maintains its state for cluster failover capabilities should the active firewall become inactive. SRX Series devices support the active/active high availability mode for environments in which you want to maintain traffic on both chassis cluster members whenever possible. In an SRX Series device active/active deployment, only the data plane is in active/active mode, while the control plane is actually in active/passive mode. This allows one control plane to control both chassis members as a single logical device, and in case of control plane failure, the control plane can fail over to the other unit. This also means that the dataplane can fail over independently of the control plane. Active/active mode also allows for ingress interfaces to be on one cluster member, with the egress interface on the other. When this happens, the data traffic must pass through the data fabric to go to the other cluster member and out the egress interface (known as Z mode). Active/active mode also allows the routers to have local interfaces on individual cluster members that are not shared among the cluster in failover, but rather only exist on a single chassis. These interfaces are often used in conjunction with dynamic routing protocols that fail traffic over to the other cluster member if needed.

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Figure 1 shows two SRX5800 devices in a cluster.

Figure 1: SRX5800 Devices in a Cluster

To effectively manage the SRX clusters, network management applications must do the following: Identify and monitor primary and secondary nodes Monitor redundancy groups and interfaces Monitor control and data planes Monitor switchovers and failures

Best Practices for SRX Cluster Management

network management address is reachable through the backup router. For the backup router to reach the network management system, include the destination subnet in the backup router configuration. We recommend using the outbound SSH address to connect to the management systems using the SSH protocol, NETCONF XML management protocol, or Junos OS XML Management Protocol. This way the device connects back automatically even after a switchover. We recommend that the SNMP engine ID be different for each node. This is because SNMPv3 uses the engine boots value for authentication of the protocol data units (PDUs) and the SNMP engine boots value is different for each node. SNMPv3 might fail after a switchover when the engine boots value does not match the expected value. Most of the protocol stacks will resynchronize if the engine IDs are different. Keep other SNMP configurations, such as the SNMP communities, trap-groups, and so on, common between the nodes as shown in the previous sample configuration. Note: SNMP traps are sent only from the primary node. This includes events and failures detected on the secondary node. The secondary node never sends SNMP traps or informs. Use the client-only configurable option to restrict SNMP access to required clients only. Use SNMPv3 for encryption and authentication. Syslog messages should be sent from both nodes separately as the log messages are node specific. If the management station is on a different subnet than the management IP addresses, specify the same subnet in the backup router configuration and add a static route under the [edit routing-options] hierarchy level if required. As in the following sample configuration, the network management address 10.200.0.1 is reachable through the backup router. Therefore, a static route is configured. You can restrict access to the device using firewall filters. The previous sample configuration shows that SSH, SNMP, and Telnet are restricted to the 10.0.0.0/8 network. This configuration allows UDP, ICMP, OSPF, and NTP and denies other traffic. This filter is applied to the fxp0 interface. You can also use security zones to restrict the traffic. See the Junos OS Security Configuration Guide for details.

Additional Configuration for SRX Series Branch Devices The factory default configuration for the SRX100, SRX210, and SRX240 devices automatically enables Layer 2 Ethernet switching. Because Layer 2 Ethernet switching is not supported in chassis cluster mode, for these devices, if you use the factory default configuration, you must delete the Ethernet switching configuration before you enable chassis clustering. There is no dedicated fxp0 management interface. The fxp0 interface is repurposed from a built-in interface. For example, on SRX100 devices, the fe-0/0/06 interface is repurposed as the management interface and is automatically renamed fxp0. See the Junos OS Security Configuration Guide for management interface details. Syslog should be used with caution. It can cause cluster instability. Data plane logging should never be sent through syslogs for Branch SRX devices. Note: [PR/413719] For Junos OS releases before Release 9.5, on SRX3400, SRX3600, SRX5600, and SRX5800 devices, no trap is generated for redundancy group 0 failover. You can check on redundancy group 0 states only when you log in to the device. Use a master-only IP address across the cluster. This way, you can query a single IP address and that IP address is always the master for redundancy group 0. Managing Clusters Through the Redundant Ethernet Interfaces SRX clusters can be managed using the redundant Ethernet (reth) interfaces. Configuration of redundancy groups and reth interfaces differ based on deployments such as active/active mode and active/passive mode. See the Junos OS Security Configuration Guide for details of the configuration. Once the reth interfaces are configured and are reachable from the management station, secondary nodes can be accessed through the reth interfaces.

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

If the reth interface belongs to redundancy group 1+, then the TCP connection to the management station is seamlessly transitioned to the new primary. But if redundancy group 0 failover occurs and the Routing Engine switches over to a new node, then connectivity is lost for all sessions for a couple of seconds. Managing Clusters Through the Transit Interfaces Clustered devices can be managed using transit interfaces. A transit interface cannot be used directly to reach a secondary node. Configuring Devices for In-Band Management and Administration The high availability feature available in Junos OS for SRX Series Services Gateways is modeled after the redundancy features found in Junos OS-based routers. Designed with separate control and data planes, Junos OS-based routers provide redundancy in both planes. The control plane in Junos OS is managed by the Routing Engines, which perform all the routing and forwarding computations (among many other things). Once the control plane converges, forwarding entries are pushed to all Packet Forwarding Engines in the system. Packet Forwarding Engines then perform route-based lookups to determine the appropriate destination for each packet without any intervention from the Routing Engines. When enabling a chassis cluster in an SRX Series Services Gateway, the same model device is used to provide control plane redundancy as shown in Figure 4.

Figure 4: SRX Series Clustering Model

Just like in a router with two Routing Engines, the control plane of an SRX cluster operates in an active/passive mode with only one node actively managing the control plane at any given time. Because of this, the forwarding plane always directs all traffic sent to the control plane (also referred to as host-inbound traffic) to the clusters primary node. This traffic includes (but is not limited to): Traffic for the routing processes, such as BGP, OSPF, IS-IS, RIP, and PIM traffic IKE negotiation messages Traffic directed to management processes, such as SSH, Telnet, SNMP, and NETCONF Monitoring protocols, such as BFD or RPM

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Note that this behavior applies only to host-inbound traffic. Through traffic (that is, traffic forwarded by the cluster, but not destined to any of the clusters interfaces) can be processed by either node, based on the clusters configuration. Because the forwarding plane always directs host-inbound traffic to the primary node, a new type of interface, the fxp0 interface, has been added to provide an independent connection to each node, regardless of the status of the control plane. Traffic sent to the fxp0 interface is not processed by the forwarding plane, but is sent to the Junos OS kernel, thus providing a way to connect to the control-plane of a node, even on the secondary node. This section explains how to manage a chassis cluster through the primary node without requiring the use of the fxp0 interfaces i.e. In-band management. This is particularly needed for SRX Series branch devices since the typical deployment for SRX Series for the branch devices is such that there is no management network available to monitor the remote branch office. Note: Before Junos OS Release 10.1R2, the management of an SRX Series branch chassis cluster required connectivity to the control plane of both members of the cluster, thereby requiring access to the fxp0 interface of each node. In Junos OS Release 10.1R2 and later, SRX Series branch devices can be managed remotely using the reth interfaces or the Layer 3 interfaces. Managing SRX Series Branch Chassis Clusters Through the Primary Node Accessing the primary node of a cluster is as easy as establishing a connection to any of the nodes interfaces (other than the fxp0 interface). Layer 3 and reth interfaces always direct the traffic to the primary node, whichever node that is. Both deployment scenarios are common and are depicted in Figure 5 and Figure 6. In both cases, establishing a connection to any of the local addresses connects to the primary node. To be precise, it connects to the primary node of redundancy group 0. For example, you can connect to the primary node even when the reth interface, a member of the redundancy group 1, is active in a different node (the same applies to Layer 3 interfaces, even if they physically reside in the backup node). You can use SSH, Telnet, SNMP, or the NETCONF XML management protocol to monitor the SRX chassis cluster. Figure 4 shows an example of an SRX Series branch device being managed over a reth interface. This model can be used for SRX Series high-end devices as well, using Junos OS Release 10.4 or later.

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Figure 5: SRX Branch Deployment for In-Band Management Using a reth Interface

Figure 6 shows physical connections for in-band management using a Layer 3 interface.

Figure 6: SRX Branch Deployment for In-Band Management Using a Layer 3 Interface

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Note: If there is a failover, only in-band connections need to be able to reach the new primary node through the reth or Layer 3 interfaces to maintain connectivity between the management station and the cluster. Table 1: Advantages and Disadvantages of Using Different Interfaces
fxp Interface Using the fxp0 interface with a master-only IP address allows access to all routing instances and virtual routers within the system. The fxp0 interface can only be part of the inet.0 routing table. Since the inet.0 routing table is part of the default routing instance, it can be used to access data for all routing instances and virtual routers. The fxp0 interface with a master-only IP address can be used for management of the device even after failover, and we highly recommend this. Managing through the fxp0 interface requires two IP addresses, one per node. This also means that a switch needs to be present to connect to the cluster nodes using the fxp0 interface. Reth and Transit Interfaces A transit or reth interface has access only to the data of the routing instance or virtual router it belongs to. If it belongs to the default routing instance, it has access to all routing instances.

Transit interfaces lose connectivity after a failover (or when the device hosting the interface goes down or is disabled), unless they are part of a reth group. The reth interface does not need two IP addresses, and no switch is required to connect to the SRX chassis cluster. Transit interfaces on each node, if used for management, needs two explicit IP addresses for each interface. But since this is a transit interface, the IP addresses are used for traffic other than management as well. SRX Series branch devices with a nonEthernet link can be managed using a reth or transit interface.

SRX branch device clusters with a nonEthernet link (ADSL, T1\E1) cannot be managed using the fxp0 interface.

How to Communicate With a Device Management stations can use the following methods to connect to the SRX clusters. This is same for any Junos OS devices and not limited to SRX chassis clusters. We recommend using a master-only IP address for any of the following protocols on SRX chassis clusters. Reth interface IP addresses can be used to connect to the clusters using any of the following interfaces: SSH or Telnet for CLI Access This is only recommended for manual configuration and monitoring of a single cluster. Junos OS XML Management Protocol This is an XML-based interface that can run over Telnet, SSH, and SSL and it is a precursor to the NETCONF XML management protocol. It provides access to Junos OS XML APIs for all configuration and operational commands that can be entered using the CLI. We recommend this method for accessing operational information. It can run over a NETCONF XML management protocol session as well. NETCONF XML Management Protocol This is the IETF-defined standard XML interface for configuration. We recommend it for configuring the device. This session can also be used to run Junos OS XML Management Protocol remote procedure calls (RPCs). SNMP From an SRX chassis cluster point of view, the SNMP system views the two nodes within the clusters as a single system. There is only one SNMP process running on the master Routing Engine. At initialization time, the protocol master indicates which SNMP process (snmpd) should be active based on the Routing Engine master configuration. The passive Routing Engine has no snmpd running. Therefore, only the primary node responds to SNMP queries and sends traps at any point of time. The secondary node can be directly queried, but it has limited MIB support which is detailed in further sections of this document. The secondary node does not send SNMP

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

traps. SNMP requests to the secondary node can be sent using the fxp0 interface IP address on the secondary node or the reth interface IP address. Syslogs Standard system log messages can be sent to an external syslog server. Note that both the primary and secondary nodes can send syslog messages. We recommend that you configure both the primary and secondary nodes to send syslog messages separately. Security Log Messages (SPU) AppTrack, an application tracking tool, provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. By default, when each session closes, AppTrack generates a message that provides the byte and packet counts and duration of the session, and sends it to the host device. AppTrack messages are similar to session log messages and use syslog or structured syslog formats. The message also includes an application field for the session. If AppTrack identifies a custom-defined application and returns an appropriate name, the custom application name is included in the log message. Note that application identification has to be configured for this. See the Junos OS Security Configuration Guide for details on configuring and using application identification and tracking. This document only provides the best method and configuration to get the application tracking log messages from the SRX chassis clusters. J-Web All Junos OS devices provide a graphical user interface for configuration and administration. This interface can be used for administering individual devices. The J-Web interface is not described in this document.

High Availability Cluster Best Practices

Following are some best practices to provide high availability for SRX chassis clusters: Dual Control Links This is where two pairs of control link interfaces are connected between each device in a cluster. Dual control links are supported on the SRX5000 and SRX3000 lines. Having two control links helps to avoid a possible single point of failure. For the SRX5000 line, this functionality requires a second Routing Engine, as well as a second Switch Control Board (SCB) to house the Routing Engine, to be installed on each device in the cluster. The purpose of the second Routing Engine is only to initialize the switch on the SCB. The second Routing Engine, to be installed on SRX5000 line devices only, does not provide backup functionality. For the SRX3000 line, this functionality requires an SRX Clustering Module (SCM) to be installed on each device in the cluster. Although the SCM fits in the Routing Engine slot, it is not a Routing Engine. SRX3000 line devices do not support a second Routing Engine. The purpose of the SCM is to initialize the second control link. SRX Series branch devices do not support dual control links. Dual Data Links You can connect two fabric links between each device in a cluster, which provides a redundant fabric link between the members of a cluster. Having two fabric links helps to avoid a possible single point of failure. When you use dual fabric links, the runtime objects (RTOs) and probes are sent on one link, and the fabric-forwarded and flow-forwarded packets are sent on the other link. If one fabric link fails, the other fabric link handles the RTOs and probes, as well as data forwarding. The system selects the physical interface with the lowest slot, PIC, or port number on each node for the RTOs and probes. BFD The Bidirectional Forwarding Detection (BFD) protocol is a simple hello mechanism that detects failures in a network. Hello packets are sent at a specified, regular interval. A neighbor failure is detected when the router stops receiving a reply after a specified interval. BFD works with a wide variety of network environments and topologies. BFD failure detection times are shorter than RIP detection times, providing faster reaction times to various kinds of failures in the network. These timers are also adaptive. For example, a timer can adapt to a higher value if the adjacency fails, or a neighbor can negotiate a higher value for a timer than the one configured. Therefore, BFD liveliness can be configured between the two nodes of an SRX chassis cluster using the local interfaces and not the fxp0 IP addresses on each node. This way BFD can keep monitoring the status between the two nodes of the cluster. When there is any network issue between the nodes, the BFD session-down SNMP traps are raised, which indicates an issue between the nodes.

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Track-IP The track IP feature was missing from the initial release of the SRX Series Services Gateways platform. In response to this, a Junos OS automation script was created to implement this feature. The Junos OS track IP automation script enables you to use this critical feature on the SRX Series platforms. It allows for path and next-hop validation through the existing network infrastructure using the Internet Control Message Protocol (ICMP). Upon the detection of a failure, the script executes a failover to the other node in an attempt to prevent downtime. Interface Monitoring The other SRX Series high availability feature implemented is called interface monitoring. For a redundancy group to automatically fail over to another node, its interfaces must be monitored. When you configure a redundancy group, you can specify a set of interfaces that the redundancy group is to monitor for status (or health) to determine whether the interface is up or down. A monitored interface can be a child interface of any of its redundant Ethernet (reth) interfaces. When you configure an interface for a redundancy group to monitor, you give it a weight. Every redundancy group has a threshold tolerance value initially set to 255. When an interface monitored by a redundancy group becomes unavailable, its weight is subtracted from the redundancy group's threshold. When a redundancy group's threshold reaches 0, it fails over to the other node. For example, if redundancy group 1 was primary on node 0, on the threshold-crossing event, redundancy group 1 becomes primary on node 1. In this case, all the child interfaces of redundancy group 1's reth interfaces begin handling traffic. A redundancy group failover occurs because the cumulative weight of the redundancy group's monitored interfaces has brought its threshold value to 0. When the monitored interfaces of a redundancy group on both nodes reach their thresholds at the same time, the redundancy group is primary on the node with the lower node ID, in this case, node 0. Note: We do not recommend interface monitoring for redundancy group 0. Sample Interface Monitoring Configuration chassis { cluster { reth-count 6; redundancy-group 0 { node 0 priority 129; node 1 priority 128; } redundancy-group 1 { node 0 priority 129; node 1 priority 128; interface-monitor { ge-0/0/0 weight 255; ge-8/0/0 weight 255; } ip-monitoring { global-weight 255; global-threshold 0; family { inet { 128.249.34.1 { weight 10; interface reth0.34 secondary-ip-address 128.249.34.202; } } } }

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

} } } Graceful Restart With routing protocols, any service interruption requires that an affected router recalculate adjacencies with neighboring routers, restore routing table entries, and update other protocol-specific information. An unprotected restart of a router can result in forwarding delays, route flapping, wait times stemming from protocol reconvergence, and even dropped packets. The main benefits of graceful restart are uninterrupted packet forwarding and temporary suppression of all routing protocol updates. Graceful restart enables a router to pass through intermediate convergence states that are hidden from the rest of the network. Three main types of graceful restart are available on Juniper Networks routing platforms: Graceful restart for aggregate and static routes and for routing protocolsProvides protection for aggregate and static routes and for BGP, End System-to-Intermediate System (ES-IS), IS-IS, OSPF, RIP, nextgeneration RIP (RIPng), and Protocol Independent Multicast (PIM) sparse mode routing protocols. Graceful restart for MPLS-related protocolsProvides protection for LDP, RSVP, circuit cross-connect (CCC), and translational cross-connect (TCC). Graceful restart for virtual private networks (VPNs)Provides protection for Layer 2 and Layer 3 VPNs.

The main benefits of graceful restart are uninterrupted packet forwarding and temporary suppression of all routing protocol updates. Graceful restart thus enables a router to pass through intermediate convergence states that are hidden from the rest of the network.

Retrieving Chassis Inventory and Interfaces

SRX Series chassis cluster inventory and interface information can be gathered to monitor the hardware components and the interfaces on the cluster. The primary node has the information about the secondary node components and interfaces. Using the Junos OS XML Management Protocol or NETCONF XML Management Protocol Use the <get-chassis-inventory> RPC to get the chassis inventory. This RPC reports components on both the primary and secondary nodes. See APPENDIX A: XML RPC Sample Response for samples. Use the <get-interface-information> RPC to get the interfaces inventory. This RPC reports information about the interfaces on the secondary node except for the fxp0 interface.

See the Junos OS Junos XML API Operational Reference for details about using the RPCs and varying the details of the responses. Using SNMP Use the <jnx-chas-defines> MIB to understand the SRX Series chassis structure and modeling. This MIB is not for querying. It is only used to understand the chassis cluster modeling. Sample Chassis Definition MIB jnxProductLineSRX3600 jnxProductNameSRX3600 jnxProductModelSRX3600 jnxProductVariationSRX3600 jnxChassisSRX3600 OBJECT OBJECT OBJECT OBJECT OBJECT IDENTIFIER IDENTIFIER IDENTIFIER IDENTIFIER IDENTIFIER ::= ::= ::= ::= ::= { { { { { jnxProductLine jnxProductName jnxProductModel jnxProductVariation jnxChassis 34 34 34 34 34 } } } } }

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

jnxSlotSRX3600 jnxSRX3600SlotFPC jnxSRX3600SlotHM jnxSRX3600SlotPower jnxSRX3600SlotFan jnxSRX3600SlotCB jnxSRX3600SlotFPB

OBJECT OBJECT OBJECT OBJECT OBJECT OBJECT OBJECT

IDENTIFIER IDENTIFIER IDENTIFIER IDENTIFIER IDENTIFIER IDENTIFIER IDENTIFIER

::= ::= ::= ::= ::= ::= ::=

{ { { { { { {

jnxSlot jnxSlotSRX3600 jnxSlotSRX3600 jnxSlotSRX3600 jnxSlotSRX3600 jnxSlotSRX3600 jnxSlotSRX3600

34 } 1 2 3 4 5 6 } } } } } }

jnxMediaCardSpaceSRX3600 OBJECT IDENTIFIER ::= { jnxMediaCardSpace 34 } jnxSRX3600MediaCardSpacePIC OBJECT IDENTIFIER ::= { jnxMediaCardSpaceSRX3600 1 } jnxMidplaneSRX3600 OBJECT IDENTIFIER ::= { jnxBackplane 34 }

Use the jnx-chassis MIB to get the chassis inventory. Top of MIB - Use the top-level objects to show chassis details such as the jnxBoxClass, jnxBoxDescr, jnxBoxSerialNo, jnxBoxRevision, and jnxBoxInstalled MIB objects. jnxContainersTable Use to show the containers that the device supports. jnxContentsTable Use to show the chassis contents. jnxContentsChassisId Use to show which components belong to which node. jnxLedTable Use to check the LED status of the components. This MIB only reports the LED status of the primary node. jnxFilledTable Use to show the empty/filled status of the container in the device containers table. jnxOperatingTable Use to show the operating status of Operating subjects in the box contents table. jnxRedundancyTable Use to show redundancy details on both nodes. Note that currently this MIB only reports on the Routing Engines. Both Routing Engines are reported as the master of the respective nodes. Do not use this to determine the active and backup status. jnxFruTable Use to show the field-replaceable unit (FRU) in the chassis. Note that even the empty slots are reported. Note: The jnx-chassis MIB is not supported on SRX Series branch devices in cluster mode. It is supported on standalone SRX Series branch devices. Chassis MIB Walk Example JUNIPER-MIB::jnxContentsDescr.1.1.0.0 = STRING: node0 midplane JUNIPER-MIB::jnxContentsDescr.1.2.0.0 = STRING: node1 midplane JUNIPER-MIB::jnxContentsDescr.2.1.0.0 = STRING: node0 PEM 0 JUNIPER-MIB::jnxContentsDescr.2.2.0.0 = STRING: node0 PEM 1 JUNIPER-MIB::jnxContentsDescr.2.5.0.0 = STRING: node1 PEM 0 JUNIPER-MIB::jnxContentsDescr.2.6.0.0 = STRING: node1 PEM 1 JUNIPER-MIB::jnxContentsDescr.4.1.0.0 = STRING: node0 Left Fan Tray JUNIPER-MIB::jnxContentsDescr.4.1.1.0 = STRING: node0 Top Rear Fan JUNIPER-MIB::jnxContentsDescr.4.1.2.0 = STRING: node0 Bottom Rear Fan JUNIPER-MIB::jnxContentsDescr.4.1.3.0 = STRING: node0 Top Middle Fan JUNIPER-MIB::jnxContentsDescr.4.1.4.0 = STRING: node0 Bottom Middle Fan JUNIPER-MIB::jnxContentsDescr.4.1.5.0 = STRING: node0 Top Front Fan JUNIPER-MIB::jnxContentsDescr.4.1.6.0 = STRING: node0 Bottom Front Fan JUNIPER-MIB::jnxContentsDescr.4.2.0.0 = STRING: node1 Left Fan Tray JUNIPER-MIB::jnxContentsDescr.4.2.1.0 = STRING: node1 Top Rear Fan

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

JUNIPER-MIB::jnxContentsDescr.4.2.2.0 = STRING: node1 Bottom Rear Fan JUNIPER-MIB::jnxContentsDescr.4.2.3.0 = STRING: node1 Top Middle Fan JUNIPER-MIB::jnxContentsDescr.4.2.4.0 = STRING: node1 Bottom Middle Fan JUNIPER-MIB::jnxContentsDescr.4.2.5.0 = STRING: node1 Top Front Fan JUNIPER-MIB::jnxContentsDescr.4.2.6.0 = STRING: node1 Bottom Front Fan JUNIPER-MIB::jnxContentsDescr.7.5.0.0 = STRING: node0 FPC: SRX5k SPC @ 4/*/* JUNIPER-MIB::jnxContentsDescr.7.6.0.0 = STRING: node0 FPC: SRX5k FIOC @ 5/*/* JUNIPER-MIB::jnxContentsDescr.7.11.0.0 = STRING: node1 FPC: SRX5k SPC @ 4/*/* JUNIPER-MIB::jnxContentsDescr.7.12.0.0 = STRING: node1 FPC: SRX5k FIOC @ 5/*/* JUNIPER-MIB::jnxContentsDescr.8.5.1.0 = STRING: node0 PIC: SPU Cp-Flow @ 4/0/* JUNIPER-MIB::jnxContentsDescr.8.5.2.0 = STRING: node0 PIC: SPU Flow @ 4/1/* JUNIPER-MIB::jnxContentsDescr.8.6.1.0 = STRING: node0 PIC: 4x 10GE XFP @ 5/0/* JUNIPER-MIB::jnxContentsDescr.8.6.2.0 = STRING: node0 PIC: 16x 1GE TX @ 5/1/* JUNIPER-MIB::jnxContentsDescr.8.11.1.0 = STRING: node1 PIC: SPU Cp-Flow @ 4/0/* JUNIPER-MIB::jnxContentsDescr.8.11.2.0 = STRING: node1 PIC: SPU Flow @ 4/1/* JUNIPER-MIB::jnxContentsDescr.8.12.1.0 = STRING: node1 PIC: 4x 10GE XFP @ 5/0/* JUNIPER-MIB::jnxContentsDescr.8.12.2.0 = STRING: node1 PIC: 16x 1GE TX @ 5/1/* JUNIPER-MIB::jnxContentsDescr.9.1.0.0 = STRING: node0 Routing Engine 0 JUNIPER-MIB::jnxContentsDescr.9.3.0.0 = STRING: node1 Routing Engine 0 JUNIPER-MIB::jnxContentsDescr.10.1.1.0 = STRING: node0 FPM Board JUNIPER-MIB::jnxContentsDescr.10.2.1.0 = STRING: node1 FPM Board JUNIPER-MIB::jnxContentsDescr.12.1.0.0 = STRING: node0 CB 0 JUNIPER-MIB::jnxContentsDescr.12.3.0.0 = STRING: node1 CB 0 ifTable Use to show all the interfaces on the cluster. Note that except for the fxp0 interface on the secondary node, all interfaces of the secondary node are reported by the primary node. jnx-if-extensions/ifChassisTable Use to show the interface mapping to the respective PIC and FPC. ifStackStatusTable Use to show the sub-interfaces and respective parent interfaces.

</interface-information>

Using SNMP MIBs Use the ifTable MIB table to get the ifIndex MIB object of the fxp0 interface and the reth interfaces on the primary node. Use the ipAddrTable MIB table to determine the IP address of the interfaces. The following is a sample showing the fxp0 interface on the active primary node. Note that the ifTable MIB table reports all interfaces on the secondary node, except for the fxp0 interface on the secondary node. Sample SNMP MIB Walk of the ifTable MIB Table {primary:node0} regress@SRX5600-1> show snmp mib walk ifDescr | grep fxp0 ifDescr.1 = fxp0 ifDescr.13 = fxp0.0 regress@SRX5600-1> show snmp mib walk ipAddrTable | grep 13 ipAdEntAddr.10.204.131.37 = 10.204.131.37 ipAdEntIfIndex.10.204.131.37 = 13 ipAdEntNetMask.10.255.131.37 = 255.255.255.255 For SNMP communication directly with the secondary node, the IP address of the secondary node should be predetermined and preconfigured on the management system. Querying the ifTable MIB table directly on the secondary node returns only the fxp0 interface and a few private interface details on the secondary node and no other interfaces are reported. All other interfaces are reported by the primary node itself. Use the ifTable MIB table and the ipAddrTable MIB table as previously shown to directly query the secondary node to find the fxp0 interface details such as the ifAdminStatus and ifOperStatus MIB objects on the secondary node.

{primary:node0} regress@SRX5600-1> show snmp mib walk ifDescr | grep 552 ifDescr.552 = ge-11/1/1.0 Control Plane The control plane software, which operates in active/backup mode, is an integral part of Junos OS that is active on the primary node of a cluster. It achieves redundancy by communicating state, configuration, and other information to the inactive Routing Engine on the secondary node. If the master Routing Engine fails, the secondary one is ready to assume control. The following methods can be used to discover control port information.

Using the Junos OS XML Management Protocol or NETCONF XML Management Protocol Use the <get-configuration> RPC to get the control port configuration as shown in the following sample output. XML RPC for Redundant Group Configuration <rpc> <get-configuration inherit="inherit" database="committed"> <configuration> <chassis> <cluster> </cluster> </chassis> </configuration> </get-configuration> </rpc>

Data Plane The data plane software, which operates in active/active mode, manages flow processing and session state redundancy and processes transit traffic. All packets belonging to a particular session are processed on the same node to ensure that the same security treatment is applied to them. The system identifies the node on which a session is active and forwards its packets to that node for processing. The data link is referred to as the fabric interface. It is used by the cluster's Packet Forwarding Engines to transmit transit traffic and to synchronize the data plane softwares dynamic runtime state. When the system creates the fabric interface, the software assigns it an internally derived IP address to be used for packet transmission. The fabric is a physical connection between two nodes of a cluster and is formed by connecting a pair of Ethernet interfaces back-to-back (one from each node). The following methods can be used to find out the data plane interfaces.

Using the Junos OS XML Management Protocol or NETCONF XML Management Protocol Use the <get-chassis-cluster-data-plane-interfaces> RPC to get the data plane interfaces as shown in the following sample output. XML RPC for Cluster Dataplane Interface Details <rpc> <get-chassis-cluster-data-plane-interfaces> </get-chassis-cluster-data-plane-interfaces> </rpc><rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/10.4I0/junos"> <chassis-cluster-dataplane-interfaces>

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

<fabric-interface-index>0</fabric-interface-index> <fabric-information> <child-interface-name>xe-5/0/0</child-interface-name> <child-interface-status>up</child-interface-status> </fabric-information> <fabric-interface-index>1</fabric-interface-index> <fabric-information> <child-interface-name>xe-11/0/0</child-interface-name> <child-interface-status>up</child-interface-status> </fabric-information> </chassis-cluster-dataplane-interfaces> Using SNMP The ifTable MIB table reports fabric (fab) interfaces and the link interfaces. However, the relationship between the underlying interfaces and fabric interfaces cannot be determined using SNMP.

Provisioning Cluster Nodes

Use the NETCONF XML management protocol for configuration and provisioning of SRX Series devices and Junos OS devices in general. See the NETCONF XML Management Protocol Guide for usage. We recommend using groups to configure SRX Series chassis clusters. Use global groups for all configurations that are common between the nodes and keep the node-specific configuration to a minimum as mentioned in previous sections of this document. Junos OS commit scripts can be used to customize the configuration as desired. Junos OS commit scripts are: Run at commit time Inspect the incoming configuration Perform actions including: Failing the commit (self-defense) Modifying the configuration (self-correcting) Commit scripts can: Generate custom error/warning/syslog messages Make changes or corrections to the configuration Commit scripts allow you better control over how your devices are configured: Your design rules Your implementation details 100 percent of your design standards

Performance and Fault Management of Clusters

Note that the primary node returns the status of the secondary nodes as well. Exceptions to this rule, if there are any, are mentioned in specific sections. Sample responses and outputs are presented where it is feasible and necessary. Chassis Components and Environment This section shows the options available for monitoring chassis components such as FPCs, PICs, and Routing Engines for measurements such as operating state, CPU, and memory. Note: The jnx-chassis MIB is not supported for SRX Series branch devices in cluster mode. However, it is supported for standalone SRX Series branch devices. Therefore, we recommend using options other than SNMP for chassis monitoring of SRX Series branch devices.

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Table 2: Instrumentation for Chassis Component Monitoring

<active-sessions>0</active-sessions> <active-session-valid>0</active-sessionvalid> <active-session-pending>0</activesession-pending> <active-session-invalidated>0</activesession-invalidated> <active-session-other>0</active-sessionother> <max-sessions>524288</max-sessions> </flow-session-summary-information> <flow-session-information xmlns="http://xml.juniper.net/junos/10.4 D0/junos-flow"></flow-sessioninformation> <flow-session-information xmlns="http://xml.juniper.net/junos/10.4 D0/junos-flow"> <flow-fpc-pic-id> on FPC4 PIC1:</flowfpc-pic-id> </flow-session-information> <flow-session-summary-information xmlns="http://xml.juniper.net/junos/10.4 D0/junos-flow"> <active-unicast-sessions>0</activeunicast-sessions> <active-multicast-sessions>0</activemulticast-sessions> <failed-sessions>0</failed-sessions> <active-sessions>0</active-sessions> <active-session-valid>0</active-sessionvalid> <active-session-pending>0</activesession-pending> <active-session-invalidated>0</activesession-invalidated> <active-session-other>0</active-sessionother> <max-sessions>1048576</max-sessions> </flow-session-summary-information> <flow-session-information xmlns="http://xml.juniper.net/junos/10.4 D0/junos-flow"></flow-sessioninformation> </multi-routing-engine-item> </multi-routing-engine-results> </rpc-reply> Use the <get-performance-sessioninformation> RPC for SPU session performance. Use the <get-spu-monitoring-information> RPC for monitoring SPU CPU utilization, memory utilization, max flow sessions, and so on.

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Security Features Following is a summary of Junos OS XML RPCs and SNMP MIBs related to security features and supported on SRX Series devices. The RPCs and MIBs might not be directly comparable to each other. One might provide more or less information than the other. Use the following information to help you decide on which instrumentation to use. Instrumentation for Security Monitoring
Feature and Functionality Junos OS XML RPC SNMP MIB

IPsec

<get-ipsec-tunnel-redundancyinformation> <get-services-ipsec-statisticsinformation> <get-ike-security-associations> <get-service-nat-mapping-information> <get-service-nat-pool-information> <get-ids-statistics> <get-firewall-counter-information> <get-firewall-filter-information> <get-firewall-information> <get-firewall-log-information> <get-firewall-prefix-actioninformation> <get-flow-table-statistics-information> <get-firewall-policies> <get-aaa-module-statistics> <get-aaa-subscriber-statistics> <get-aaa-subscriber-table> <get-idp-addos-application-information> <get-idp-application-system-cache> <get-idp-counter-information> <get-idp-detail-status-information> <get-idp-memory-information> <get-idp-policy-template-information> <get-idp-predefined-attack-filters> <get-idp-predefined-attack-groups> <get-idp-predefined-attacks> <get-idp-recent-security-packageinformation> <get-idp-security-package-information>

JNX-IPSEC-MONITOR-MIB JUNIPER-JS-IPSEC-VPN Juniper-IPSEC-FLOW-MONITOR

NAT Screening Firewall

JNX-JS-NAT-MIB JNX-JS-SCREENING-MIB JUNIPER-FIREWALL-MIB

Security Policies AAA

JUNIPER-JS-POLICY-MIB JUNIPER-USER-AAA-MIB

IDP

JUNIPER-JS-IDP-MIB

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

<get-idp-ssl-key-information> <get-idp-ssl-session-cache-information> <get-idp-status-information> <get-idp-subscriber-policy-list>

Other Statistics and MIBS There are other MIBs such as the OSPF MIB and IP Forwarding MIB that are supported on SRX Series devices. See the Junos OS Network Management Configuration Guide and the SRX5x00 and SRX3x00 Services Gateways MIB References for details about other MIBs supported on SRX Series devices. RMON Junos OS supports the remote monitoring (RMON) MIB (RFC 2819). RMON can be used to send alerts for MIB variables when they cross upper and lower thresholds. This can be used for various MIB variables. Some good examples are interface statistics monitoring and Routing Engine CPU monitoring. The following configuration snippet shows RMON configuration for monitoring a Routing Engine on node 0 of a cluster and for monitoring octets out of interface index 2000. rmon { alarm 100 { interval 5; variable jnxOperatingCPU.9.1.0.0; sample-type absolute-value; request-type get-request; rising-threshold 90; falling-threshold 80; rising-event-index 100; falling-event-index 100; } event 100 { type log-and-trap; community petblr; } alarm 10 { interval 60; variable ifHCInOctets.2000; sample-type delta-value; request-type get-request; startup-alarm rising-alarm; rising-threshold 100000; falling-threshold 0; rising-event-index 10; falling-event-index 10; } event 10 { type log-and-trap; community test; } }

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Health Monitoring On Juniper Networks routers, RMON alarms and events provide much of the infrastructure needed to reduce the polling overhead from the network management system (NMS). However, with this approach, you must set up the NMS to configure specific MIB objects into RMON alarms. This often requires device-specific expertise and customization of the monitoring application. In addition, some MIB object instances that need monitoring are set only at initialization or change at runtime and cannot be configured in advance. To address these issues, the health monitor extends the RMON alarm infrastructure to provide predefined monitoring for a selected set of object instances (for file system usage, CPU usage, and memory usage) and includes support for unknown or dynamic object instances (such as Junos OS processes). See the Junos OS Network Management Configuration Guide for details about configuration and health monitoring. Fault Management You can use SNMP traps and system log messages for fault monitoring of SRX Series chassis clusters. SNMP Traps The following SNMP traps are supported on SRX Series devices. Note that only the primary node sends SNMP traps. For details of each trap, see the Junos OS Network Management Configuration Guide and the SRX5600 and SRX5800 Services Gateways MIB Reference. Traps Supported by SRX Series Chassis Clusters
Trap Name SNMPv2 Trap OID Category Platforms Support the trap Varbinds : See the note in the Overview and Configuration sections

authenticationFailure

1.3.6.1.6.3.1.1 .5.5

Authenticatio n Link

All Junos OS devices All Junos OS devices

None

linkDown

1.3.6.1.6.3.1.1 .5.3

1: ifIndex 1.3.6.1.2.1.2.2.1.1 2: ifAdminStatus 1.3.6.1.2.1.2.2.1.7 3: ifOperStatus 1.3.6.1.2.1.2.2.1.8 Additionally, ifName1.3.6.1.2.1.31.1.1.1.1 is also sent. 1: ifIndex 1.3.6.1.2.1.2.2.1.1 2: ifAdminStatus 1.3.6.1.2.1.2.2.1.7 3: ifOperStatus 1.3.6.1.2.1.2.2.1.8 Additionally, ifName1.3.6.1.2.1.31.1.1.1.1 is also sent.

linkUp

1.3.6.1.6.3.1.1 .5.4

Link

All Junos OS devices

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

pingProbeFailed

1.3.6.1.2.1.80. 0.1

Remote operations

All Junos OS devices

pingTestFailed

1.3.6.1.2.1.80. 0.2

Remote operations

All Junos OS devices

1: pingCtlTargetAddressType - 1.3.6.1.2.1.80.1.2.1.3 2: pingCtlTargetAddress 1.3.6.1.2.1.80.1.2.1.4 3: pingResultsOperStatus 1.3.6.1.2.1.80.1.3.1.1 4: pingResultsIpTargetAddressTyp e -1.3.6.1.2.1.80.1.3.1.2 5: pingResultsIpTargetAddress 1.3.6.1.2.1.80.1.3.1.3 6: pingResultsMinRtt 1.3.6.1.2.1.80.1.3.1.4 7: pingResultsMaxRtt 1.3.6.1.2.1.80.1.3.1.5 8: pingResultsAverageRtt 1.3.6.1.2.1.80.1.3.1.6 9: pingResultsProbeResponses 1.3.6.1.2.1.80.1.3.1.7 10: pingResultsSentProbes 1.3.6.1.2.1.80.1.3.1.8 11: pingResultsRttSumOfSquares 1.3.6.1.2.1.80.1.3.1.9 12: pingResultsLastGoodProbe 1.3.6.1.2.1.80.1.3.1.10 1: pingCtlTargetAddressType - 1.3.6.1.2.1.80.1.2.1.3 2: pingCtlTargetAddress 1.3.6.1.2.1.80.1.2.1.4 3: pingResultsOperStatus 1.3.6.1.2.1.80.1.3.1.1 4: pingResultsIpTargetAddressTyp e -1.3.6.1.2.1.80.1.3.1.2 5: pingResultsIpTargetAddress 1.3.6.1.2.1.80.1.3.1.3 6: pingResultsMinRtt 1.3.6.1.2.1.80.1.3.1.4 7: pingResultsMaxRtt 1.3.6.1.2.1.80.1.3.1.5 8: pingResultsAverageRtt 1.3.6.1.2.1.80.1.3.1.6 9: pingResultsProbeResponses 1.3.6.1.2.1.80.1.3.1.7 10: pingResultsSentProbes 1.3.6.1.2.1.80.1.3.1.8 11:

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

pingResultsRttSumOfSquares 1.3.6.1.2.1.80.1.3.1.9 12: pingResultsLastGoodProbe 1.3.6.1.2.1.80.1.3.1.10

pingTestCompleted 1.3.6.1.2.1.80.0.3

Remote operations

All Junos OS devices

traceRoutePathChange

1.3.6.1.2.1.81.0.1

Remote operations

All Junos OS devices

traceRouteTestFailed

1.3.6.1.2.1.81.0.2

Remote operations

All Junos OS devices

1: pingCtlTargetAddressType - 1.3.6.1.2.1.80.1.2.1.3 2: pingCtlTargetAddress 1.3.6.1.2.1.80.1.2.1.4 3: pingResultsOperStatus 1.3.6.1.2.1.80.1.3.1.1 4: pingResultsIpTargetAddressTyp e -1.3.6.1.2.1.80.1.3.1.2 5: pingResultsIpTargetAddress 1.3.6.1.2.1.80.1.3.1.3 6: pingResultsMinRtt 1.3.6.1.2.1.80.1.3.1.4 7: pingResultsMaxRtt 1.3.6.1.2.1.80.1.3.1.5 8: pingResultsAverageRtt 1.3.6.1.2.1.80.1.3.1.6 9: pingResultsProbeResponses 1.3.6.1.2.1.80.1.3.1.7 10: pingResultsSentProbes 1.3.6.1.2.1.80.1.3.1.8 11: pingResultsRttSumOfSquares 1.3.6.1.2.1.80.1.3.1.9 12: pingResultsLastGoodProbe 1.3.6.1.2.1.80.1.3.1.10 1: traceRouteCtlTargetAddressTyp e-1.3.6.1.2.1.81.1.2.1.3 2: traceRouteCtlTargetAddress -1.3.6.1.2.1.81.1.2.1.4 3: traceRouteResultsIpTgtAddrTyp e-1.3.6.1.2.1.81.1.5.1.2 4: traceRouteResultsIpTgtAddr1.3.6.1.2.1.81.1.5.1.3 1: traceRouteCtlTargetAddressTyp e-1.3.6.1.2.1.81.1.2.1.3 2: traceRouteCtlTargetAddress -1.3.6.1.2.1.81.1.2.1.4 3: traceRouteResultsIpTgtAddrTyp

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

e-1.3.6.1.2.1.81.1.5.1.2 4: traceRouteResultsIpTgtAddr1.3.6.1.2.1.81.1.5.1.3
traceRouteTestCompleted 1.3.6.1.2.1.81.0.3

Remote operations

All Junos OS devices

fallingAlarm

1.3.6.1.2.1.16.0.1

RMON alarm

All Junos OS devices

1: traceRouteCtlTargetAddressTyp e-1.3.6.1.2.1.81.1.2.1.3 2: traceRouteCtlTargetAddress -1.3.6.1.2.1.81.1.2.1.4 3: traceRouteResultsIpTgtAddrTyp e-1.3.6.1.2.1.81.1.5.1.2 4: traceRouteResultsIpTgtAddr1.3.6.1.2.1.81.1.5.1.3 1: alarmIndex .1.3.6.1.2.1.16.3.1.1.1 2: alarmVariable.1.3.6.1.2.1.16.3.1.1.3 3: alarmSampleType.1.3.6.1.2.1.16.3.1.1.4 4: alarmValue.1.3.6.1.2.1.16.3.1.1.5 5: alarmFallingThreshold.1.3.6.1.2.1.16.3.1.1.8 1: alarmIndex .1.3.6.1.2.1.16.3.1.1.1 2: alarmVariable.1.3.6.1.2.1.16.3.1.1.3 3: alarmSampleType.1.3.6.1.2.1.16.3.1.1.4 4: alarmValue.1.3.6.1.2.1.16.3.1.1.5 5: alarmRisingThreshold.1.3.6.1.2.1.16.3.1.1.7 1) bgpPeerLastError1.3.6.1.2.1.15.3.1.14 2)bgpPeerState-The BGP peer connection state. 1) bgpPeerLastError1.3.6.1.2.1.15.3.1.14 2) bgpPeerState-The BGP peer connection state. 1) ospfRouterId 1.3.6.1.2.1.14.1.1 2) ospfVirtIfAreaId1.3.6.1.2.1.14.9.1.1 3) ospfVirtIfNeighbor1.3.6.1.2.1.14.9.1.2

risingAlarm

1.3.6.1.2.1.16.0.2

RMON alarm

All Junos OS devices

bgpEstablished

1.3.6.1.2.1.15.7.1

Routing

bgpBackwardTransition

1.3.6.1.2.1.15.7.2

Routing

M, T, MX, J,EX, SRX Branch M, T, MX, J, EX , SRX Branch M, T, MX, J, EX, SRX Branch

ospfVirtIfStateChange

1.3.6.1.2.1.14.16.2.1

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

1.3.6.1.6.3.1.1.5.1

Startup

All Junos OS devices All Junos OS devices All Junos OS devices All Junos OS devices M, T, MX, J, EX, SRX Branch

1) ospfRouterId.1.3.6.1.2.1.14.1.1.0 2) ospfVirtIfAreaId.1.3.6.1.2.1.14.9.1.1 3) ospfVirtIfNeighbor.1.3.6.1.2.1.14.9.1.2 4) ospfPacketType1.3.6.1.2.1.14.16.1.3.0 5)ospfLsdbType.1.3.6.1.2.1.14.4.1.2 6)ospfLsdbLsid.1.3.6.1.2.1.14.4.1.3 7)ospfLsdbRouterId.1.3.6.1.2.1.14.4.1.4 1) ospfRouterId .1.3.6.1.2.1.14.1.1.0 2)ospfLsdbAreaId .1.3.6.1.2.1.14.4.1.1 3)ospfLsdbType.1.3.6.1.2.1.14.4.1.2 4)ospfLsdbLsid.1.3.6.1.2.1.14.4.1.3 5)ospfLsdbRouterId.1.3.6.1.2.1.14.4.1.4 1) ospfRouterId .1.3.6.1.2.1.14.1.1.0 2) ospfIfIpAddress .1.3.6.1.2.1.14.7.1.1 3) ospfAddressLessIf .1.3.6.1.2.1.14.7.1.2 4) ospfIfState .1.3.6.1.2.1.14.7.1.12 None

warmStart

1.3.6.1.6.3.1.1.5.2

Startup

None

vrrpTrapNewMaster

1.3.6.1.2.1.68.0.1

VRRP

1)vrrpOperMasterIpAddr.1.3.6.1.2.1.68.1.3.1.7 1)vrrpTrapPacketSrc.1.3.6.1.2.1.68.1.5.0 2)vrrpTrapAuthErrorType.1.3.6.1.2.1.68.1.6.0 1) mplsTunnelAdminStatus.1.3.6.1.2.1.10.166.3.2.2.1.3 4 2) mplsTunnelOperStatus.1.3.6.1.2.1.10.166.3.2.2.1.3 5

vrrpTrapAuthFailure

1.3.6.1.2.1.68.0.2

VRRP

mplsTunnelUp

1.3.6.1.2.1.10.166.3. 0.1

1.3.6.1.4.1.2636.3.1.13.1.7
jnxRedundancySwitchOver 1.3.6.1.4.1.2636.4.1. 4

Chassis (alarm conditions)

All Junos OS devices

1) jnxRedundancyContentsIndex1.3.6.1.4.1.2636.3.1.14.1.1 2) jnxRedundancyL1Index1.3.6.1.4.1.2636.3.1.14.1.2 3) jnxRedundancyL2Index1.3.6.1.4.1.2636.3.1.14.1.3 4) jnxRedundancyL3Index1.3.6.1.4.1.2636.3.1.14.1.4 5) jnxRedundancyDescr1.3.6.1.4.1.2636.3.1.14.1.5 6) jnxRedundancyConfig1.3.6.1.4.1.2636.3.1.14.1.6 7) jnxRedundancyState1.3.6.1.4.1.2636.3.1.14.1.7 8) jnxRedundancySwitchoverCount1.3.6.1.4.1.2636.3.1.14.1.8 9) jnxRedundancySwitchoverTime1.3.6.1.4.1.2636.3.1.14.1.9 10) jnxRedundancySwitchoverReason -1.3.6.1.4.1.2636.3.1.14.1.10 1) jnxFruContentsIndex1.3.6.1.4.1.2636.3.1.15.1.1 2) jnxFruL1Index1.3.6.1.4.1.2636.3.1.15.1.2 3) jnxFruL2Index1.3.6.1.4.1.2636.3.1.15.1.3 4) jnxFruL3Index1.3.6.1.4.1.2636.3.1.15.1.4 5) jnxFruName1.3.6.1.4.1.2636.3.1.15.1.5 6) jnxFruType1.3.6.1.4.1.2636.3.1.15.1.6 7) jnxFruSlot1.3.6.1.4.1.2636.3.1.15.1.7 1) jnxFruContentsIndex1.3.6.1.4.1.2636.3.1.15.1.1 2) jnxFruL1Index1.3.6.1.4.1.2636.3.1.15.1.2 3) jnxFruL2Index1.3.6.1.4.1.2636.3.1.15.1.3 4) jnxFruL3Index1.3.6.1.4.1.2636.3.1.15.1.4 5) jnxFruName1.3.6.1.4.1.2636.3.1.15.1.5 6) jnxFruType1.3.6.1.4.1.2636.3.1.15.1.6 7) jnxFruSlot-

jnxFruRemoval

1.3.6.1.4.1.2636.4.1. 5

Chassis (alarm conditions)

All Junos OS devices

jnxFruInsertion

1.3.6.1.4.1.2636.4.1. 6

Chassis (alarm conditions)

All Junos OS devices

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

1.3.6.1.4.1.2636.3.1.15.1.7
jnxFruPowerOff 1.3.6.1.4.1.2636.4.1. 7

Chassis (alarm conditions)

All Junos OS devices

jnxFruPowerOn

1.3.6.1.4.1.2636.4.1. 8

Chassis (alarm conditions)

All Junos OS devices

jnxFruFailed

1.3.6.1.4.1.2636.4.1. 9

Chassis (alarm conditions)

All Junos OS devices

1) jnxFruContentsIndex1.3.6.1.4.1.2636.3.1.15.1.1 2) jnxFruL1Index1.3.6.1.4.1.2636.3.1.15.1.2 3) jnxFruL2Index1.3.6.1.4.1.2636.3.1.15.1.3 4) jnxFruL3Index1.3.6.1.4.1.2636.3.1.15.1.4 5) jnxFruName1.3.6.1.4.1.2636.3.1.15.1.5 6) jnxFruType1.3.6.1.4.1.2636.3.1.15.1.6 7) jnxFruSlot1.3.6.1.4.1.2636.3.1.15.1.7 8) jnxFruOfflineReason1.3.6.1.4.1.2636.3.1.15.1.10 9) jnxFruLastPowerOff1.3.6.1.4.1.2636.3.1.15.1.11 10) jnxFruLastPowerOn1.3.6.1.4.1.2636.3.1.15.1.12 1) jnxFruContentsIndex1.3.6.1.4.1.2636.3.1.15.1.1 2) jnxFruL1Index1.3.6.1.4.1.2636.3.1.15.1.2 3) jnxFruL2Index1.3.6.1.4.1.2636.3.1.15.1.3 4) jnxFruL3Index1.3.6.1.4.1.2636.3.1.15.1.4 5) jnxFruName1.3.6.1.4.1.2636.3.1.15.1.5 6) jnxFruType1.3.6.1.4.1.2636.3.1.15.1.6 7) jnxFruSlot1.3.6.1.4.1.2636.3.1.15.1.7 8) jnxFruOfflineReason1.3.6.1.4.1.2636.3.1.15.1.10 9) jnxFruLastPowerOff1.3.6.1.4.1.2636.3.1.15.1.11 10) jnxFruLastPowerOn1.3.6.1.4.1.2636.3.1.15.1.12 1) jnxFruContentsIndex1.3.6.1.4.1.2636.3.1.15.1.1 2) jnxFruL1Index1.3.6.1.4.1.2636.3.1.15.1.2 3) jnxFruL2Index1.3.6.1.4.1.2636.3.1.15.1.3 4) jnxFruL3Index1.3.6.1.4.1.2636.3.1.15.1.4 5) jnxFruName1.3.6.1.4.1.2636.3.1.15.1.5 6) jnxFruType1.3.6.1.4.1.2636.3.1.15.1.6

JUNIPER NETWORKS

All Junos OS devices

1) jnxFruContentsIndex1.3.6.1.4.1.2636.3.1.15.1.1 2) jnxFruL1Index1.3.6.1.4.1.2636.3.1.15.1.2 3) jnxFruL2Index1.3.6.1.4.1.2636.3.1.15.1.3 4) jnxFruL3Index1.3.6.1.4.1.2636.3.1.15.1.4 5) jnxFruName1.3.6.1.4.1.2636.3.1.15.1.5 6) jnxFruType1.3.6.1.4.1.2636.3.1.15.1.6 7) jnxFruSlot1.3.6.1.4.1.2636.3.1.15.1.7 1) jnxFruContentsIndex1.3.6.1.4.1.2636.3.1.15.1.1 2) jnxFruL1Index1.3.6.1.4.1.2636.3.1.15.1.2 3) jnxFruL2Index1.3.6.1.4.1.2636.3.1.15.1.3 4) jnxFruL3Index1.3.6.1.4.1.2636.3.1.15.1.4 5) jnxFruName1.3.6.1.4.1.2636.3.1.15.1.5 6) jnxFruType1.3.6.1.4.1.2636.3.1.15.1.6 7) jnxFruSlot1.3.6.1.4.1.2636.3.1.15.1.7 1) jnxFruContentsIndex1.3.6.1.4.1.2636.3.1.15.1.1 2) jnxFruL1Index1.3.6.1.4.1.2636.3.1.15.1.2 3) jnxFruL2Index1.3.6.1.4.1.2636.3.1.15.1.3 4) jnxFruL3Index1.3.6.1.4.1.2636.3.1.15.1.4 5) jnxFruName1.3.6.1.4.1.2636.3.1.15.1.5 6) jnxFruType1.3.6.1.4.1.2636.3.1.15.1.6 7) jnxFruSlot1.3.6.1.4.1.2636.3.1.15.1.7 1) jnxContentsContainerIndex.1.3.6.1.4.1.2636.3.1.8.1.1 2) jnxContentsL1Index.1.3.6.1.4.1.2636.3.1.8.1.2 3) jnxContentsL2Index.1.3.6.1.4.1.2636.3.1.8.1.3 4) jnxContentsL3Index.1.3.6.1.4.1.2636.3.1.8.1.4 5) jnxContentsDescr.1.3.6.1.4.1.2636.3.1.8.1.6 6) jnxOperatingState-

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

.1.3.6.1.4.1.2636.3.1.13.1.6
jnxFanOK 1.3.6.1.4.1.2636.4.2. 2

Chassis (cleared alarm conditions)

Configuration

All Junos OS devices

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

jnxPingRttThresholdExceede d

1.3.6.1.4.1.2636.4.9. 0.1

Remote operations

All Junos OS devices except EX and high-end SRX Series devices

jnxPingRttStdDevThresholdE xceeded

1.3.6.1.4.1.2636.4.9. 0.2

Remote operations

All Junos OS devices except EX and high-end SRX Series devices

1)pingCtlTargetAddressType.1.3.6.1.2.1.80.1.2.1.3 2)pingCtlTargetAddress.1.3.6.1.2.1.80.1.2.1.4 3)pingResultsOperStatus.1.3.6.1.2.1.80.1.3.1.1 4)pingResultsIpTargetAddressT ype-.1.3.6.1.2.1.80.1.3.1.2 5)pingResultsIpTargetAddress -.1.3.6.1.2.1.80.1.3.1.3 6)jnxPingResultsMinRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.3 7)jnxPingResultsMaxRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.4 8)jnxPingResultsAvgRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.5 9)pingResultsProbeResponses .1.3.6.1.2.1.80.1.3.1.7 10)pingResultsSentProbes .1.3.6.1.2.1.80.1.3.1.8 11)pingResultsRttSumOfSquares - .1.3.6.1.2.1.80.1.3.1.9 12)pingResultsLastGoodProbe .1.3.6.1.2.1.80.1.3.1.10 13)jnxPingCtlRttThreshold.1.3.6.1.4.1.2636.3.7.1.2.1.7 14)jnxPingResultsRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.1 1)pingCtlTargetAddressType.1.3.6.1.2.1.80.1.2.1.3 2)pingCtlTargetAddress.1.3.6.1.2.1.80.1.2.1.4 3)pingResultsOperStatus.1.3.6.1.2.1.80.1.3.1.1 4)pingResultsIpTargetAddressT ype-.1.3.6.1.2.1.80.1.3.1.2 5)pingResultsIpTargetAddress -.1.3.6.1.2.1.80.1.3.1.3 6)jnxPingResultsMinRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.3 7)jnxPingResultsMaxRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.4 8)jnxPingResultsAvgRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.5 9)pingResultsProbeResponses .1.3.6.1.2.1.80.1.3.1.7 10)pingResultsSentProbes .1.3.6.1.2.1.80.1.3.1.8 11)pingResultsRttSumOfSquares - .1.3.6.1.2.1.80.1.3.1.9 12)pingResultsLastGoodProbe .1.3.6.1.2.1.80.1.3.1.10 13)jnxPingCtlRttStdDevThresho

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

ld .1.3.6.1.4.1.2636.3.7.1.2.1.1 1 14)jnxPingResultsStdDevRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.6
jnxPingRttJitterThresholdExc eeded 1.3.6.1.4.1.2636.4.9. 0.3

Remote operations

All Junos OS devices except EX and high-end SRX Series devices

jnxPingEgressThresholdExce eded

1.3.6.1.4.1.2636.4.9. 0.4

Remote operations

All Junos OS devices except EX and high-end SRX Series devices

1)pingCtlTargetAddressType.1.3.6.1.2.1.80.1.2.1.3 2)pingCtlTargetAddress.1.3.6.1.2.1.80.1.2.1.4 3)pingResultsOperStatus.1.3.6.1.2.1.80.1.3.1.1 4)pingResultsIpTargetAddressT ype-.1.3.6.1.2.1.80.1.3.1.2 5)pingResultsIpTargetAddress -.1.3.6.1.2.1.80.1.3.1.3 6)jnxPingResultsMinRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.3 7)jnxPingResultsMaxRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.4 8)jnxPingResultsAvgRttUs.1.3.6.1.4.1.2636.3.7.1.3.1.5 9)pingResultsProbeResponses .1.3.6.1.2.1.80.1.3.1.7 10)pingResultsSentProbes .1.3.6.1.2.1.80.1.3.1.8 11)pingResultsRttSumOfSquares - .1.3.6.1.2.1.80.1.3.1.9 12)pingResultsLastGoodProbe .1.3.6.1.2.1.80.1.3.1.10 13)jnxPingCtlRttJitterThresho ld.1.3.6.1.4.1.2636.3.7.1.2.1.9 1)pingCtlTargetAddressType.1.3.6.1.2.1.80.1.2.1.3 2)pingCtlTargetAddress.1.3.6.1.2.1.80.1.2.1.4 3)pingResultsOperStatus.1.3.6.1.2.1.80.1.3.1.1 4)pingResultsIpTargetAddressT ype-.1.3.6.1.2.1.80.1.3.1.2 5)pingResultsIpTargetAddress -.1.3.6.1.2.1.80.1.3.1.3 6)jnxPingResultsMinEgressUs.1.3.6.1.4.1.2636.3.7.1.3.1.8 7)jnxPingResultsMaxEgressUs.1.3.6.1.4.1.2636.3.7.1.3.1.9 8)jnxPingResultsAvgEgressUs.1.3.6.1.4.1.2636.3.7.1.3.1.1 0 9)pingResultsProbeResponses .1.3.6.1.2.1.80.1.3.1.7 10)pingResultsSentProbes -

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

.1.3.6.1.2.1.80.1.3.1.8 11)pingResultsRttSumOfSquares - .1.3.6.1.2.1.80.1.3.1.9 12)pingResultsLastGoodProbe .1.3.6.1.2.1.80.1.3.1.10 13)jnxPingCtlEgressTimeThresh old.1.3.6.1.4.1.2636.3.7.1.2.1.1 0 14)jnxPingResultsEgressUs.1.3.6.1.4.1.2636.3.7.1.3.1.7

jnxPingEgressStdDevThresho ldExceed 1.3.6.1.4.1.2636.4.9. 0.5

Remote operations

All Junos OS devices except EX and high-end SRX Series devices

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

jnxPingEgressJitterThreshold Exceeded

1.3.6.1.4.1.2636.4.9. 0.6

Remote operations

All Junos OS devices except EX and high-end SRX Series devices

1)pingCtlTargetAddressType.1.3.6.1.2.1.80.1.2.1.3 2)pingCtlTargetAddress.1.3.6.1.2.1.80.1.2.1.4 3)pingResultsOperStatus.1.3.6.1.2.1.80.1.3.1.1 4)pingResultsIpTargetAddressT ype-.1.3.6.1.2.1.80.1.3.1.2 5)pingResultsIpTargetAddress -.1.3.6.1.2.1.80.1.3.1.3 6)jnxPingResultsMinEgressUs.1.3.6.1.4.1.2636.3.7.1.3.1.8 7)jnxPingResultsMaxEgressUs.1.3.6.1.4.1.2636.3.7.1.3.1.9 8)jnxPingResultsAvgEgressUs.1.3.6.1.4.1.2636.3.7.1.3.1.1 0 9)pingResultsProbeResponses .1.3.6.1.2.1.80.1.3.1.7 10)pingResultsSentProbes .1.3.6.1.2.1.80.1.3.1.8 11)pingResultsRttSumOfSquares - .1.3.6.1.2.1.80.1.3.1.9 12)pingResultsLastGoodProbe .1.3.6.1.2.1.80.1.3.1.10 13)jnxPingCtlEgressJitterThre shold.1.3.6.1.4.1.2636.3.7.1.2.1.1 2 1)pingCtlTargetAddressType.1.3.6.1.2.1.80.1.2.1.3 2)pingCtlTargetAddress.1.3.6.1.2.1.80.1.2.1.4 3)pingResultsOperStatus.1.3.6.1.2.1.80.1.3.1.1 4)pingResultsIpTargetAddressT ype-.1.3.6.1.2.1.80.1.3.1.2 5)pingResultsIpTargetAddress -.1.3.6.1.2.1.80.1.3.1.3 6)jnxPingResultsMinIngressUs .1.3.6.1.4.1.2636.3.7.1.3.1.1 3 7)jnxPingResultsMaxIngressUs.1.3.6.1.4.1.2636.3.7.1.3.1.1 4 8)jnxPingResultsAvgIngressUs.1.3.6.1.4.1.2636.3.7.1.3.1.1 5 9)pingResultsProbeResponses .1.3.6.1.2.1.80.1.3.1.7

jnxPingIngressThresholdExce eded

1.3.6.1.4.1.2636.4.9. 0.7

Remote operations

All Junos OS devices except EX and high-end SRX Series devices

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

10)pingResultsSentProbes .1.3.6.1.2.1.80.1.3.1.8 11)pingResultsRttSumOfSquares - .1.3.6.1.2.1.80.1.3.1.9 12)pingResultsLastGoodProbe .1.3.6.1.2.1.80.1.3.1.10 13)jnxPingCtlIngressTimeThres hold.1.3.6.1.4.1.2636.3.7.1.2.1.1 3 14)jnxPingResultsIngressUs.1.3.6.1.4.1.2636.3.7.1.3.1.1 2

jnxPingIngressStddevThresh oldExceeded 1.3.6.1.4.1.2636.4.9. 0.8

Remote operations

All Junos OS devices except EX and high-end SRX Series devices

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

jnxPingIngressJitterThreshol dExceeded

1.3.6.1.4.1.2636.4.9. 0.9

Remote operations

All Junos OS devices except EX and high-end SRX Series devices

jnxAccessAuthServiceUp

1.3.6.1.4.1.2636.3.5 1.1.0.1 1.3.6.1.4.1.2636.3.5 1.1.0.2 1.3.6.1.4.1.2636.3.5 1.1.0.3 1.3.6.1.4.1.2636.3.5 1.1.0.4 1.3.6.1.4.1.2636.3.3 9.1.2.1.0.1

Routing

jnxAccessAuthServiceDown

Routing

jnxAccessAuthServerDisable d jnxAccessAuthServerEnabled

Routing

jnxJsFwAuthFailure

Routing

J Series and SRX Series J Series and SRX Series J Series and SRX Series J Series and SRX Series J Series and SRX Series

None

1)jnxUserAAAServerName.1.3.6.1.4.1.2636.3.51.1.1.3. 1.0 1)jnxUserAAAServerName.1.3.6.1.4.1.2636.3.51.1.1.3. 1.0 1)jnxJsFwAuthUserName.1.3.6.1.4.1.2636.3.39.1.2.1. 1.2.1.0 2)jnxJsFwAuthClientIpAddr.1.3.6.1.4.1.2636.3.39.1.2.1. 1.2.4.0 3)jnxJsFwAuthServiceDesc.1.3.6.1.4.1.2636.3.39.1.2.1. 1.2.2.0

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

jnxJsFwAuthServiceUp

1.3.6.1.4.1.2636.3.3 9.1.2.1.0.2 1.3.6.1.4.1.2636.3.3 9.1.2.1.0.3 1.3.6.1.4.1.2636.3.3 9.1.2.1.0.4 1.3.6.1.4.1.2636.3.3 9.1.8.1.0.1

Routing

jnxJsFwAuthServiceDown

Routing

jnxJsFwAuthCapacityExceed ed jnxJsScreenAttack

Routing

J Series and SRX Series J Series and SRX Series J Series and SRX Series J Series and SRX Series

4)jnxJsFwAuthReason.1.3.6.1.4.1.2636.3.39.1.2.1. 1.2.3.0 None

None

1)jnxJsScreenZoneName.1.3.6.1.4.1.2636.3.39.1.8.1. 1.1.1.1 2)ifName1.3.6.1.2.1.31.1.1.1.1 3)jnxJsScreenAttackType.1.3.6.1.4.1.2636.3.39.1.8.1. 2.1.0 4)jnxJsScreenAttackCounter.1.3.6.1.4.1.2636.3.39.1.8.1. 2.2.0 5)jnxJsScreenAttackDescr.1.3.6.1.4.1.2636.3.39.1.8.1. 2.3.0 1)jnxJsScreenZoneName.1.3.6.1.4.1.2636.3.39.1.8.1. 1.1.1.1 2)jnxJsScreenAttackType.1.3.6.1.4.1.2636.3.39.1.8.1. 2.1.0 3)jnxJsScreenCfgStatus.1.3.6.1.4.1.2636.3.39.1.8.1. 2.4.0 1)alarmIndex .1.3.6.1.2.1.16.3.1.1.1 2)alarmVariable .1.3.6.1.2.1.16.3.1.1.3 3) jnxRmonAlarmGetFailReason -.1.3.6.1.4.1.2636.3.13.1.1.3 1)alarmIndex .1.3.6.1.2.1.16.3.1.1.1 2)alarmVariable .1.3.6.1.2.1.16.3.1.1.3

jnxJsScreenCfgChange

1.3.6.1.4.1.2636.3.3 9.1.8.1.0.2

Routing

J Series and SRX Series

jnxRmonAlarmGetFailure

1.3.6.1.4.1.2636.4.3. 0.1

RMON alarm

All Junos OS devices

jnxRmonGetOk

1.3.6.1.4.1.2636.4.3. 0.2

RMON alarm

All Junos OS devices

.1.3.6.1.4.1.2636.5.1 .1.1.0.2

Routing

All Junos OS devices

1)jnxBgpM2PeerLocalAddrType.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.6 2)jnxBgpM2PeerLocalAddr.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.7 3)jnxBgpM2PeerRemoteAddrType.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.10 4)jnxBgpM2PeerRemoteAddr.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.11 5)jnxBgpM2PeerLastErrorReceiv ed.1.3.6.1.4.1.2636.5.1.1.2.2.1 .1.1 6)jnxBgpM2PeerState.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.2 1)jnxBgpM2PeerLocalAddrType.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.6 2)jnxBgpM2PeerLocalAddr.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.7 3)jnxBgpM2PeerRemoteAddrType.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.10 4)nxBgpM2PeerRemoteAddr.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.11 5)jnxBgpM2PeerLastErrorReceiv ed.1.3.6.1.4.1.2636.5.1.1.2.2.1 .1.1 6)jnxBgpM2PeerLastErrorReceiv edText.1.3.6.1.4.1.2636.5.1.1.2.2.1 .1.5 7)jnxBgpM2PeerState.1.3.6.1.4.1.2636.5.1.1.2.1.1 .1.2

Note that if the fxp0 interface goes down on the backup Routing Engine, it does not send any traps. The system logging feature (syslog) can be used to monitor the secondary node fxp0 interface by logging a link down message. System Log Messages The system logging feature can be sent by both the primary and secondary nodes as previously mentioned. You can configure the system to send specific syslog messages to the external syslog servers based on regular expressions or severity. See the Junos OS System Log Messages Reference to check for syslogs you are interested in.

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

A SYSLOG event can be converted to an SNMP trap using an event policy. Event policies instruct the eventd process to select specific events, correlate the events, and perform a set of actions. The following sample shows the jnxSyslog trap configuration for a ui_commit_progress (configuration commit in progress) event. Configuration event-options { policy syslogtrap { events [ ui_commit ui_commit_progress ]; then { raise-trap; } } }

jnxSyslogTrap Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< <<< V2 Trap <<< Source: 116.197.179.6 <<< Destination: 116.197.179.5 <<< Version: SNMPv2 <<< Community: petblr <<< <<< OID : sysUpTime.0 <<< type : TimeTicks <<< value: (284292835) 789:42:08.35 <<< <<< OID : snmpTrapOID.0 <<< type : Object <<< value: jnxSyslogTrap <<< <<< OID : jnxSyslogEventName.83 <<< type : OctetString <<< value: "UI_COMMIT_PROGRESS" <<< HEX : 55 49 5f 43 4f 4d 4d 49 <<< 54 5f 50 52 4f 47 52 45 <<< 53 53 <<< <<< OID : jnxSyslogTimestamp.83 <<< type : OctetString <<< HEX : 07 da 07 06 0d 1f 11 00 <<< 2b 00 00 <<< <<< OID : jnxSyslogSeverity.83 <<< type : Number <<< value: 7 <<< <<< OID : jnxSyslogFacility.83 <<< type : Number <<< value: 24

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul

6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6

13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21 13:31:21

snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0]

<<< <<< OID : jnxSyslogProcessId.83 <<< type : Gauge <<< value: 84003 <<< <<< OID : jnxSyslogProcessName.83 <<< type : OctetString <<< value: "mgd" <<< HEX : 6d 67 64 <<< <<< OID : jnxSyslogHostName.83 <<< type : OctetString <<< HEX : <<< <<< OID : jnxSyslogMessage.83 <<< type : OctetString <<< value: "UI_COMMIT_PROGRESS: Commit opera <<< tion in progress: notifying mib <<< 2d(15)" <<< HEX : 55 49 5f 43 4f 4d 4d 49 <<< 54 5f 50 52 4f 47 52 45 <<< 53 53 3a 20 43 6f 6d 6d <<< 69 74 20 6f 70 65 72 61 <<< 74 69 6f 6e 20 69 6e 20 <<< 70 72 6f 67 72 65 73 73 <<< 3a 20 20 6e 6f 74 69 66 <<< 79 69 6e 67 20 6d 69 62 <<< 32 64 28 31 35 29 <<< <<< OID : jnxSyslogAvAttribute.83.1 <<< type : OctetString <<< value: "message" <<< HEX : 6d 65 73 73 61 67 65 <<< <<< OID : jnxSyslogAvValue.83.1 <<< type : OctetString <<< value: " notifying mib2d(15)" <<< HEX : 20 6e 6f 74 69 66 79 69 <<< 6e 67 20 6d 69 62 32 64 <<< 28 31 35 29 <<< <<< OID : snmpTrapEnterprise.0 <<< type : Object <<< value: jnxProductNameSRX240 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Detecting a Failover or Switchover

A switchover can be detected using a failover trap, the chassis cluster status, or an automatic failover trap.

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Failover Trap
The trap message can help you troubleshoot failovers. It contains the following information: The cluster ID and node ID The reason for the failover The redundancy group that is involved in the failover The redundancy groups previous state and current state

These are the different states that a cluster can be in at any given instant: hold, primary, secondary-hold, secondary, ineligible, and disabled. Traps are generated for the following state transitions (only a transition from a hold state does not trigger a trap): primary <> secondary primary > secondary-hold secondary-hold > secondary secondary > ineligible ineligible > disabled ineligible > primary secondary > disabled

Other Indications for Failover When a failover occurs in the RG0 redundancy group: An SNMP warm start trap is sent by the new primary node. After a failover, LinkUp traps are sent for all the interfaces that come up on the new primary node. Syslog messages are sent from the new primary node.

Using Operational and Event Scripts for Management and Monitoring Junos OS operation (op) scripts automate network and router management and troubleshooting. Op scripts can perform any function available through the remote procedure calls (RPCs) supported by either of the two application programming interfaces (APIs): the Junos OS Extensible Markup Language (XML) API and the Junos OS XML Management Protocol API. Scripts are written in the Extensible Stylesheet Language Transformations (XSLT) or Stylesheet Language Alternative Syntax (SLAX) scripting languages. Op scripts allow you to: Monitor the overall status of a routing platform. Customize the output of operational mode commands. Reconfigure the routing platform to avoid or work around known problems in the Junos OS software. Change the routers configuration in response to a problem.

Junos OS event scripts automate network and router management and troubleshooting. They are simply the op scripts triggered by event policies. The following shows an example of a jnx event trap. In the example, the ev-syslog-trap event script raises a jnxEvent trap whenever an alarm is triggered on the device. Configuration regress@SRX-3400-1 > show configuration event-options policy trap { events SYSTEM; attributes-match { SYSTEM.message matches "Alarm set"; } then { event-script ev-syslog-trap.slax { arguments { event SYSTEM; message "{$$.message}"; } } } }

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

SCRIPT
See APPENDIX C: Event Script for information about generating the jnxEventTrap SNMP traps and to see the script used to generate the trap shown in the following example. Bring a link down on the device to set an alarm. The following trap is sent. Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr Apr 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< <<< V2 Trap <<< Source: 116.197.178.12 <<< Destination: 66.129.237.197 <<< Version: SNMPv2 <<< Community: test <<< <<< OID : sysUpTime.0 <<< type : TimeTicks <<< value: (246317536) 684:12:55.36 <<< <<< OID : snmpTrapOID.0 <<< type : Object <<< value: jnxEventTrap <<< <<< OID : jnxEventTrapDescr.0 <<< type : OctetString <<< value: "'Event-Trap'" <<< HEX : 27 45 76 65 6e 74 2d 54 <<< 72 61 70 27 <<< <<< OID : jnxEventAvAttribute.1 <<< type : OctetString <<< value: "'event'" <<< HEX : 27 65 76 65 6e 74 27 <<< <<< OID : jnxEventAvValue.1 <<< type : OctetString <<< value: "'SYSTEM'" <<< HEX : 27 53 59 53 54 45 4d 27 <<< <<< OID : jnxEventAvAttribute.2 <<< type : OctetString <<< value: "'message'" <<< HEX : 27 6d 65 73 73 61 67 65 <<< 27 <<< <<< OID : jnxEventAvValue.1 <<< type : OctetString <<< value: "' Minor alarm set, ge-1/0/0: Link down'"

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Apr Apr Apr Apr Apr Apr

16 16 16 16 16 16

05:09:43 05:09:43 05:09:43 05:09:43 05:09:43 05:09:43

snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0] snmpd[0]

<<< HEX : 27 20 4d 69 6e 6f 72 20 <<< 61 6c 61 72 6d 20 73 65 <<< 74 2c 20 67 65 2d 31 2f <<< 30 2f 30 3a 20 4c 69 6e <<< 6b 20 64 6f 77 6e 27 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Utility MIB for Monitoring The Juniper Networks jnx-utility MIB is a powerful tool to expose Junos OS data using SNMP. A generic utility MIB is defined to hold data populated by op scripts or event scripts. There are five separate tables in this MIB, one for each of the following data types: 32-bit counters, 64-bit counters, signed integers, unsigned integers, and octet strings. Each data instance is identified by an arbitrary ASCII name defined when the data is populated. Each data instance also has a corresponding timestamp identifying when it was last updated. The data in these MIB tables can be populated using hidden CLI commands, which are also accessible from an op script via the jcs:invoke RPC API. One of the examples we use for reading power on the device, which is not available using SNMP, is the jnxUtility MIB. For example, the following command gives the power readings on SRX Series devices. With a simple event script, you can read the power output every minute and populate the jnx-utility MIB. Similarly, you can write op scripts or event scripts that can populate a variety of data of different types. See APPENDIX D: Utility MIB example for sample scripts and usage of the utility MIB.

SRX Log Messages

You can obtain information about the sessions and packet flows active on your device, including detailed information about specific sessions. (The SRX Series device also displays information about failed sessions.) You can display this information to observe activity and for debugging purposes. For example, you can use the show security flow session command: To display a list of incoming and outgoing IP flows, including services To show the security attributes associated with a flow, for example, the policies that apply to traffic belonging to that flow To display the session timeout value, when the session became active, for how long it has been active, and if there is active traffic on the session

Best Practices for SRX Cluster Management

destination-address="2.1.1.1" nat-destination-port="23" src-nat-rule-name="None" dstnat-rule-name="None" protocol-id="6" policy-name="trust-untrust" source-zonename="trust" destination-zone-name="untrust" session-id-32="208" packets-fromclient="37" bytes-from-client="2094" packets-from-server="30" bytes-from-server="1822" elapsed-time="6"] In this case, the SRX Series device traffic log messages are sent to an external syslog server through the dataplane. This ensures that the Routing Engine is not a bottleneck for logging. It also ensures that the Routing Engine does not get impacted during excessive logging. In addition to traffic logs, the control plane and logs sent to the Routing Engine are written to a file in flash memory. The following is a sample configuration to enable this type of logging. Configuration Syslog (self logs) - this config can be customized as per required *self* logging. set system syslog file messages any notice set system syslog file messages authorization info set system syslog file messages kernel info Traffic logs ( via dataplane) set security log mode stream set security log format sd-syslog set security log source-address 10.204.225.164 set security log stream vmware-server severity debug set security log stream vmware-server host 10.204.225.218 In this case both the traffic logs and logs sent to the Routing Engine are sent to a syslog server. The following is a sample configuration to enable this type of logging. Configuration set system syslog host 10.204.225.218 any notice set system syslog host 10.204.225.218 authorization info set system syslog host 10.204.225.218 kernel info Traffic logs set security set security set security set security set security

log log log log log

mode stream format sd-syslog source-address 10.204.225.164 stream vmware-server severity debug stream vmware-server host 10.204.225.218

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Configuring Control Plane Logs The SRX Series device control plane is responsible for overall control of the SRX Series platform, along with running a number of software processes to perform tasks like routing protocol operations, routing table calculations, managing administrators, managing SNMP, authentication, and many other mission-critical functions. There are a wide range of log messages that are generated on the control plane, and the control plane offers granular support for defining what log messages should be written to both files as well as sent to syslog servers. This section offers an overview on how to configure various syslog options on the control plane. Only sending log messages through syslog services is covered in this section. 1. Configure the syslog server and selected log messages. To configure the syslog server to receive log messages from the SRX Series device, define which syslog hosts receive the streams along with which facilities and severities to send. Note that multiple facilities and priorities can be configured to send multiple log message types. To send all message types, specify the any option for the facility and severity. user@SRX# set system syslog host <syslog server> <facility> <severity> 2. Configure the syslog source IP address. The source IP address of the syslog stream is needed because the SRX Series device can send the syslog message with any address. The same IP address should be used regardless of which interface is selected. user@SRX# set system syslog host <syslog server> source-address <source-address> 3. Configure regular expression matching (optional). Sometimes an administrator might want to filter the log messages that are sent to the syslog server. Log filtering can be specified with the match statement. In this example, only logs defined in the match statement regular expression (IDP) are sent to the syslog server. user@SRX# set system syslog host <syslog server> <facility> <severity> match IDP Branch SRX Series Device Logging You can configure the SRX Series device to send only traffic logs to the syslog server via the control plane. In this configuration: No security logs are configured. No control plane logs are received.

root@SRX3400-1> show snmp mib walk jnxOperatingState jnxOperatingState.1.1.0.0 = 2 jnxOperatingState.1.2.0.0 = 2 jnxOperatingState.2.2.0.0 = 2 jnxOperatingState.2.4.0.0 = 2 jnxOperatingState.4.1.0.0 = 2 jnxOperatingState.4.1.1.0 = 2 jnxOperatingState.4.1.2.0 = 2 jnxOperatingState.4.1.3.0 = 2 jnxOperatingState.4.1.4.0 = 2 jnxOperatingState.4.2.0.0 = 2 jnxOperatingState.4.2.1.0 = 2 jnxOperatingState.4.2.2.0 = 2 jnxOperatingState.4.2.3.0 = 2 jnxOperatingState.4.2.4.0 = 2 jnxOperatingState.7.1.0.0 = 2 jnxOperatingState.7.2.0.0 = 2 jnxOperatingState.7.3.0.0 = 2 jnxOperatingState.7.6.0.0 = 2 jnxOperatingState.7.7.0.0 = 2 jnxOperatingState.7.9.0.0 = 2 jnxOperatingState.7.10.0.0 = 2 jnxOperatingState.7.11.0.0 = 2 jnxOperatingState.7.14.0.0 = 2 jnxOperatingState.7.15.0.0 = 2

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

jnxOperatingState.8.1.1.0 = 2 jnxOperatingState.8.2.1.0 = 2 jnxOperatingState.8.3.1.0 = 2 jnxOperatingState.8.6.1.0 = 2 jnxOperatingState.8.7.1.0 = 2 jnxOperatingState.8.9.1.0 = 2 jnxOperatingState.8.10.1.0 = 2 jnxOperatingState.8.11.1.0 = 2 jnxOperatingState.8.14.1.0 = 2 jnxOperatingState.8.15.1.0 = 2 jnxOperatingState.9.1.0.0 = 2 jnxOperatingState.9.3.0.0 = 2 jnxOperatingState.10.1.1.0 = 2 jnxOperatingState.10.2.1.0 = 2 jnxOperatingState.12.1.0.0 = 2 jnxOperatingState.12.3.0.0 = 2

Redundant Ethernet Interface Statistics in MIB II Tables root@SRX3400-1> ifName.194 = ifName.195 = ifName.236 = ifName.537 = ifName.544 = ifName.546 = show snmp mib walk ifName |grep reth reth0 reth1 reth2 reth0.0 reth1.0 reth2.0

{primary:node0} root@SRX3400-1> show snmp mib walk ifTable|grep 537 ifIndex.537 = 537 ifDescr.537 = reth0.0 ifType.537 = 161 ifMtu.537 = 1500 ifSpeed.537 = 4294967295 ifPhysAddress.537 = 00 10 db ff 10 00 ifAdminStatus.537 = 1 ifOperStatus.537 = 1 ifLastChange.537 = 67326279 ifInOctets.537 = 487194518 ifInUcastPkts.537 = 3822455 ifInNUcastPkts.537 = 0 ifInDiscards.537 = 0 ifInErrors.537 = 0 ifInUnknownProtos.537 = 0 ifOutOctets.537 = 9790018 ifOutUcastPkts.537 = 227792 ifOutNUcastPkts.537 = 0 ifOutDiscards.537 = 0 ifOutErrors.537 = 0 ifOutQLen.537 = 0 ifSpecific.537 = 0.0 root@SRX3400-1> show snmp mib walk ifXTable|grep 537

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

ifName.537 = reth0.0 ifInMulticastPkts.537 = 0 ifInBroadcastPkts.537 = 0 ifOutMulticastPkts.537 = 0 ifOutBroadcastPkts.537 = 0 ifHCInOctets.537 = 17667077627 ifHCInUcastPkts.537 = 17183691748 ifHCInMulticastPkts.537 = 0 ifHCInBroadcastPkts.537 = 0 ifHCOutOctets.537 = 9790270 ifHCOutUcastPkts.537 = 227798 ifHCOutMulticastPkts.537 = 0 ifHCOutBroadcastPkts.537 = 0 ifLinkUpDownTrapEnable.537 = 1 ifHighSpeed.537 = 10000 ifPromiscuousMode.537 = 2 ifConnectorPresent.537 = 2 ifAlias.537 ifCounterDiscontinuityTime.537 = 0

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

APPENDIX C: Event Script for Generating jnxEventTrap SNMP Traps

version 1.0; ns junos = "http://xml.juniper.net/junos/*/junos"; ns xnm = "http://xml.juniper.net/xnm/1.1/xnm"; ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0"; param $event; param $message; match / { /* * trapm utilty wants the following characters in the value to be escaped * '[', ']', ' ', '=', and ',' */ var $event-escaped = { call escape-string($text = $event, $vec = '[] =,'); } var $message-escaped = { call escape-string($text = $message, $vec = '[] =,'); } <op-script-results> { var $rpc = <request-snmp-generate-trap> { <trap> "jnxEventTrap"; <variable-bindings> "jnxEventTrapDescr[0]='Event-Trap' , " _ "jnxEventAvAttribute[1]='event' , " _ "jnxEventAvValue[1]='" _ $event-escaped _ "' , " _ "jnxEventAvAttribute[2]='message' , " _ "jnxEventAvValue[1]='" _ $message-escaped _ "'"; } var $res = jcs:invoke($rpc); } } template escape-string ($text, $vec) { if (jcs:empty($vec)) { expr $text; } else { var $index = 1; var $from = substring($vec, $index, 1); var $changed-value = { call replace-string($text, $from) { with $to = { expr "\\"; expr $from; } }

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

} call escape-string($text = $changed-value, $vec = substring($vec, $index + 1)); } } template replace-string ($text, $from, $to) { if (contains($text, $from)) { var $before = substring-before($text, $from); var $after = substring-after($text, $from); var $prefix = $before _ $to; expr $before; expr $to; call replace-string($text = $after, $from, $to); } else { expr $text; } }

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

APPENDIX D: Utility MIB Examples

This appendix presents examples of show command output and SNMP MIB walk results using the utility MIB for power readings on a Junos OS device. show Command Output for Power Readings regress@PE3> show chassis environment pem PEM 0 status: State Online Temperature OK AC Input: OK DC Output Voltage Current 50 12 PEM 1 status: State Online Temperature OK AC Input: OK DC Output Voltage Current 50 13 PEM 2 status: State Present PEM 3 status: State

Power 600

Load 35

Power 650

Load 38

Present

In the following example, the index is PEM <pem number> <type of reading>. SNMP MIB Walk Results for the jnx-utility MIB Populated with Power Readings router> show snmp mib walk jnxUtil ascii jnxUtilStringValue."PEM0dc-current" = 12 jnxUtilStringValue."PEM0dc-load" = 35 jnxUtilStringValue."PEM0dc-power" = 600 jnxUtilStringValue."PEM0dc-voltage" = 50 jnxUtilStringValue."PEM1dc-current" = 13 jnxUtilStringValue."PEM1dc-load" = 38 jnxUtilStringValue."PEM1dc-power" = 650 jnxUtilStringValue."PEM1dc-voltage" = 50 jnxUtilStringTime."PEM0dc-current" = 07 d9 09 15 0a 10 2d 00 2b 00 00 jnxUtilStringTime."PEM0dc-load" = 07 d9 09 15 0a 10 2d 00 2b 00 00 jnxUtilStringTime."PEM0dc-power" = 07 d9 09 15 0a 10 2d 00 2b 00 00 jnxUtilStringTime."PEM0dc-voltage" = 07 d9 09 15 0a 10 2d 00 2b 00 00 jnxUtilStringTime."PEM1dc-current" = 07 d9 09 15 0a 10 2d 00 2b 00 00 jnxUtilStringTime."PEM1dc-load" = 07 d9 09 15 0a 10 2d 00 2b 00 00 jnxUtilStringTime."PEM1dc-power" = 07 d9 09 15 0a 10 2d 00 2b 00 00 jnxUtilStringTime."PEM1dc-voltage" = 07 d9 09 15 0a 10 2d 00 2b 00 00 Sample Script version 1.0; ns junos = "http://xml.juniper.net/junos/*/junos";

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

ns xnm = "http://xml.juniper.net/xnm/1.1/xnm"; ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0"; ns ext = "http://xmlsoft.org/XSLT/namespace"; import "../import/junos.xsl"; match / { <op-script-results> { var $command="get-environment-pem-information"; var $pem = jcs:invoke($command); var $chassis= "get-chassis-inventory"; var $getchassis = jcs:invoke($chassis);

if ( contains( $getchassis , "EX") or contains( $getchassis , "M10") or contains( $getchassis , "M7")) { <xsl:message terminate="yes"> "Power readings not supported"; }

/* if PEM is empty then exit and terminate*/ if( jcs:empty( $pem) ) { <xsl:message terminate="yes"> "Power readings not reported"; }

for-each ($pem/environment-component-item) { var $pemslot = substring-after(name, " "); for-each (./dc-information/dc-detail/*) { var $info=name(); var $valueofinfo = .; call snmp_set($instance = "PEM" _ $pemslot _ $info, $value = $valueofinfo); } } } } template snmp_set($instance, $value = "0", $type = "string" ) { var $set_rpc = <request-snmp-utility-mib-set> { <object-type> $type; <object-value> $value; <instance> $instance; } var $out = jcs:invoke($set_rpc); }

JUNIPER NETWORKS

Juniper Networks, Inc.

Best Practices for SRX Cluster Management

Configuration on the Device host> show configuration event-options generate-event { 1-min time-interval 60; } policy powerUtil { events 1-min; then { event-script power.slax; } }

General Disclaimer Although Juniper Networks has attempted to provide accurate information in this guide, Juniper Networks does not warrant or guarantee the accuracy of the information provided herein. Juniper Networks may change the programs or products mentioned at any time without prior notice. Mention of non-Juniper Networks products or services is for information purposes only and constitutes neither an endorsement nor a recommendation of such products or services or of any company that develops or sells such products or services. ALL INFORMATION PROVIDED IN THIS GUIDE IS PROVIDED AS IS, WITH ALL FAULTS, AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED OR STATUTORY. JUNIPER NETWORKS AND ITS SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES RELATED TO THIS GUIDE AND THE INFORMATION CONTAINED HEREIN, WHETHER EXPRESSED OR IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT, OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. JUNIPER NETWORKS AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR REVENUES, COSTS OF REPLACEMENT GOODS OR SERVICES, LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OF THE GUIDE OR ANY JUNIPER NETWORKS PRODUCT OR SERVICE, OR DAMAGES RESULTING FROM USE OF OR RELIANCE ON THE INFORMATION PROVIDED IN THIS GUIDE, EVEN IF JUNIPER NETWORKS OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Many of the Juniper Networks products and services identified in this guide are provided with, and subject to, written software licenses and limited warranties. Those licenses and warranties provide the purchasers of those products with certain rights. Nothing in this guide shall be deemed to expand, alter, or modify any warranty or license or any other agreement provided by Juniper Networks with any Juniper Networks product, or to create any new or additional warranties or licenses.

JUNIPER NETWORKS

Juniper Networks, Inc.

NIOS 8.2.7 ReleaseNotes Rev.D
No ratings yet
NIOS 8.2.7 ReleaseNotes Rev.D
70 pages
F5 CLI VIP Creation
No ratings yet
F5 CLI VIP Creation
3 pages
Stores Management System Project Report
100% (3)
Stores Management System Project Report
108 pages
(v3.2) Easyuefi - Efi Boot Option - System Partition Manager and Boot Issue Fixer
No ratings yet
(v3.2) Easyuefi - Efi Boot Option - System Partition Manager and Boot Issue Fixer
3 pages
BestPractice SRX Cluster Management1.1
No ratings yet
BestPractice SRX Cluster Management1.1
83 pages
DRBD-Cookbook: How to create your own cluster solution, without SAN or NAS!
From Everand
DRBD-Cookbook: How to create your own cluster solution, without SAN or NAS!
Joerg Christian Seubert
No ratings yet
Juniper SRX Series & GreenBow IPSec VPN Client Software Configuration (English)
No ratings yet
Juniper SRX Series & GreenBow IPSec VPN Client Software Configuration (English)
13 pages
Juniper Dynamic VPN
No ratings yet
Juniper Dynamic VPN
14 pages
Intro Juniper 1
No ratings yet
Intro Juniper 1
45 pages
Juniper Basic Config
No ratings yet
Juniper Basic Config
12 pages
Junos Space Security Director
No ratings yet
Junos Space Security Director
346 pages
SRX Cluster
No ratings yet
SRX Cluster
11 pages
SRX For Beginners
No ratings yet
SRX For Beginners
6 pages
IJOS Lab Guide - Lab3.Ready
No ratings yet
IJOS Lab Guide - Lab3.Ready
23 pages
Juniper Networks - (M - MX - T-Series) Troubleshooting Checklist - Routing Engine High CPU
No ratings yet
Juniper Networks - (M - MX - T-Series) Troubleshooting Checklist - Routing Engine High CPU
5 pages
SRX HA Deployment Guide v1.2
No ratings yet
SRX HA Deployment Guide v1.2
35 pages
JMF 15.a SG
100% (1)
JMF 15.a SG
374 pages
Avaya Cisco Interoperability
No ratings yet
Avaya Cisco Interoperability
137 pages
IJOS Lab Guide - Lab1.Ready
No ratings yet
IJOS Lab Guide - Lab1.Ready
17 pages
SRX SNMP Monitoring Guide - v1.2
No ratings yet
SRX SNMP Monitoring Guide - v1.2
15 pages
Juniper Demo Lab Manual
No ratings yet
Juniper Demo Lab Manual
60 pages
How To Load Images To The EVE
No ratings yet
How To Load Images To The EVE
2 pages
Guide For Junos Upgrade
No ratings yet
Guide For Junos Upgrade
19 pages
Shortest Path Bridging (802.1aq) Technical Configuration Guide
No ratings yet
Shortest Path Bridging (802.1aq) Technical Configuration Guide
263 pages
JSEC EX InstructorNotes 30may2010
No ratings yet
JSEC EX InstructorNotes 30may2010
9 pages
Junos Bootcamp Mod 1
No ratings yet
Junos Bootcamp Mod 1
13 pages
CLIRefVOSS 8.10 CRG
No ratings yet
CLIRefVOSS 8.10 CRG
1,893 pages
Juniper
No ratings yet
Juniper
68 pages
Cisco Nexus7000 Fundamentals Config Guide 8x
No ratings yet
Cisco Nexus7000 Fundamentals Config Guide 8x
190 pages
TCS Portal Guidelines - Candidate & TPO
No ratings yet
TCS Portal Guidelines - Candidate & TPO
16 pages
Mc-Lag: Active-Active V1.1
No ratings yet
Mc-Lag: Active-Active V1.1
53 pages
CURSO OJXE SG 9.a
No ratings yet
CURSO OJXE SG 9.a
582 pages
Juniper SRX Password Reset
No ratings yet
Juniper SRX Password Reset
3 pages
Cisco Firepower App For Splunk v2 WORKING
No ratings yet
Cisco Firepower App For Splunk v2 WORKING
19 pages
Junos Enterprise Switching: Chapter 7: High Availability
No ratings yet
Junos Enterprise Switching: Chapter 7: High Availability
57 pages
Lenteur SSL Palo Alto
No ratings yet
Lenteur SSL Palo Alto
17 pages
SRX Troubleshooting
100% (1)
SRX Troubleshooting
53 pages
BIG-IP Global Traffic Manager Concepts
No ratings yet
BIG-IP Global Traffic Manager Concepts
62 pages
Cisco MDS 9000 Family NX-OS Fundamentals Configuration Guide
No ratings yet
Cisco MDS 9000 Family NX-OS Fundamentals Configuration Guide
244 pages
DayOne OSPF Enterprise
No ratings yet
DayOne OSPF Enterprise
98 pages
Juniper Simulator With Designer For JNCIA
No ratings yet
Juniper Simulator With Designer For JNCIA
60 pages
10.a-R LD
No ratings yet
10.a-R LD
14 pages
VSS - 4500 Cisco
No ratings yet
VSS - 4500 Cisco
17 pages
JSEC C2 Arch 10.a.pps
No ratings yet
JSEC C2 Arch 10.a.pps
34 pages
Monitoring - and - Troubleshooting Juniper
100% (1)
Monitoring - and - Troubleshooting Juniper
33 pages
JUNIPER Certification Paths by Credential
No ratings yet
JUNIPER Certification Paths by Credential
11 pages
Orion Administrator Guide
No ratings yet
Orion Administrator Guide
352 pages
SPBM Fundamentals and Testing: Baystack PV
100% (2)
SPBM Fundamentals and Testing: Baystack PV
96 pages
Avaya Template
No ratings yet
Avaya Template
4 pages
Riverbed RS Technology Presentation
No ratings yet
Riverbed RS Technology Presentation
31 pages
Array Network - Webui
No ratings yet
Array Network - Webui
68 pages
Basic Junos
No ratings yet
Basic Junos
54 pages
Advanced Junos Security Ajsec
No ratings yet
Advanced Junos Security Ajsec
3 pages
VPC Best Practices BRKDCT-2378 PDF
No ratings yet
VPC Best Practices BRKDCT-2378 PDF
91 pages
Contrail Use Cases
100% (1)
Contrail Use Cases
35 pages
17-Troubleshooting EtherChannel II
No ratings yet
17-Troubleshooting EtherChannel II
12 pages
BIG-IP CGNAT Implementations
No ratings yet
BIG-IP CGNAT Implementations
116 pages
AdvancedJunosCoSCookbook v2 PDF
No ratings yet
AdvancedJunosCoSCookbook v2 PDF
131 pages
Junos Space Security Director Technical Overview
No ratings yet
Junos Space Security Director Technical Overview
118 pages
Juniper SRX Vs Palo Alto Next Gen Firewall PDF
No ratings yet
Juniper SRX Vs Palo Alto Next Gen Firewall PDF
3 pages
JRE-12.b SG
No ratings yet
JRE-12.b SG
174 pages
SRX Troubleshooting
100% (2)
SRX Troubleshooting
53 pages
Generation of Computer
No ratings yet
Generation of Computer
12 pages
Snort 3 GA On OracleLinux 8
No ratings yet
Snort 3 GA On OracleLinux 8
28 pages
Experiment No. 4 Title: Cookies and Session Handling Using PHP
No ratings yet
Experiment No. 4 Title: Cookies and Session Handling Using PHP
12 pages
Basic Programming Using C++ Input/ Output (Cin/cout Object)
No ratings yet
Basic Programming Using C++ Input/ Output (Cin/cout Object)
3 pages
IES-3164GP-LA-datasheet
No ratings yet
IES-3164GP-LA-datasheet
4 pages
Canon MX340 Manual
No ratings yet
Canon MX340 Manual
973 pages
Syllabus SWE-316 PDF
No ratings yet
Syllabus SWE-316 PDF
4 pages
Operating System
No ratings yet
Operating System
74 pages
Computer Graphics Chapter-2
No ratings yet
Computer Graphics Chapter-2
112 pages
Summary Last Lecture: - D/A Converters
No ratings yet
Summary Last Lecture: - D/A Converters
34 pages
SAPs Client Server Architecture
No ratings yet
SAPs Client Server Architecture
31 pages
04 Assembly Programming
No ratings yet
04 Assembly Programming
22 pages
Drive Test Training 2021
No ratings yet
Drive Test Training 2021
35 pages
Intel SGX Performance Considerations
No ratings yet
Intel SGX Performance Considerations
6 pages
L 2
No ratings yet
L 2
21 pages
Paper I: Electrical Engineering Syllabus For IES Exam
No ratings yet
Paper I: Electrical Engineering Syllabus For IES Exam
9 pages
Voice Based Notice Board Using Android Application
No ratings yet
Voice Based Notice Board Using Android Application
17 pages
5.6 RT Crane Wiring Diagram DC12V
No ratings yet
5.6 RT Crane Wiring Diagram DC12V
1 page
Data Representation in Computer Systems Is The Process of Encoding
No ratings yet
Data Representation in Computer Systems Is The Process of Encoding
3 pages
Beryl (Radial Thru-Hole) RT Series
No ratings yet
Beryl (Radial Thru-Hole) RT Series
2 pages
Protection relay-Woodward-WIC1PALME - Manual
No ratings yet
Protection relay-Woodward-WIC1PALME - Manual
12 pages
Addendum A:: Getting Started With OMV
No ratings yet
Addendum A:: Getting Started With OMV
17 pages
Roland Comm Firmware Update Manual v1.0
No ratings yet
Roland Comm Firmware Update Manual v1.0
12 pages
94 Manual
No ratings yet
94 Manual
12 pages
252 SiPass Int MP2 65SP2 RelNotes A-100083-1 en A
100% (1)
252 SiPass Int MP2 65SP2 RelNotes A-100083-1 en A
40 pages
Drop Box
No ratings yet
Drop Box
31 pages
Lbna 24885 Enc
No ratings yet
Lbna 24885 Enc
32 pages
S7jal71b en US
No ratings yet
S7jal71b en US
1,527 pages