Secured Port Block Allocation Interim Logging
Interim Logging for Secured Port Block Allocation
With port block allocation we generate one syslog log per set of ports allocated for a subscriber. These logs are UDP based and can be lost in the network, particularly for long-running flows. Interim logging triggers re-sending the above logs at a configured interval for active blocks that have traffic on at least one of the ports of the block. Depending on your network topology, you can set the interval for the port block allocation logs based on the period of the archive so that at least one log per port block (for an active flow) in each archive is present.
To configure the interim logging interval at the services interface level, which applies to all the NAT pools on that ms- interface, include the pba-interim-logging-interval seconds statement at the [edit interfaces ms-fpc/pic/port services-options] hierarchy level. The pba-interim-logging-interval option is supported on MX Series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICs. The pba-interim-logging-interval option is supported on MX Series routers with MS-MPCs and MS-MICs starting in Junos OS Release 14.2R2.
Starting in Junos OS Release 15.1R1, you can also configure the interim logging interval at the NAT pool level. This capability is supported only on MX Series routers with MS-MPCs and MS-MICs. To configure the interim logging interval at the NAT pool level, include the interim-logging-interval seconds statement at the [edit services nat pool pool-name port secured-port-block-allocation] hierarchy level. You can specify a value from 0 through 86400 seconds for the interim logging frequency.
Benefits of Interim Logging
- Enables you to identify the port blocks currently in use
- Eliminates the need to search and analyze archived logs to identify the internal host that is using a given external IP address and port
Guidelines for Configuring Interim Logging for Secured Port Block Allocation
Observe the following guidelines when you configure the interim logging interval for secured port block allocation:
- Interim logging is enabled only when the interim logging functionality is configured. The pba-interim-logging-interval statement that you can configure at the [edit interfaces ms-fpc/pic/port services-options] hierarchy level of an ms- interface is provided for backward compatibility. The pba-interim-logging-interval option is supported on MX Series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICs. The pba-interim-logging-interval option is supported on MX Series routers with MS-MPCs and MS-MICs starting in Junos OS Release 14.2R2. The interim-logging-interval statement, available on the MS-MPC and MS-MIC starting in Junos OS Release 15.1R1, provides interim logging for a specific NAT pool.
- If you configure the interim logging interval both for all PBA pools residing on a particular services interface and for a specific PBA pool, the NAT pool-specific interval takes precedence over the services interface-specific interval. For port blocks allocated from other PBA pools for which no NAT pool-level interim logging interval is configured, the interval configured at the ms- interface level applies.
- The default value is zero, which means that no interim logging messages are generated.
- Interim logs are sent at some point after the configured interval in seconds has elapsed; the time between two consecutive interim logs is not fixed.
- Interim logs are generated for port blocks (both active and inactive) that contain at least one port in use by a flow that has traffic. No timer runs on the port blocks to generate the logs. Instead, when a packet is received on a flow, the interval check is performed and, if the conditions are satisfied, an interim log is generated for that port block. Interim logs are not generated for deleted port blocks.
- The interim log contains the timestamp of the port block creation in hexadecimal format (even when local time is configured, the hexadecimal value gives the time in UTC).
- Conversion of the timestamp to UTC format can be performed on the external syslog server as needed.
- In certain scenarios, the hexadecimal timestamp and the actual timestamp in the ALLOC message can differ by a couple of seconds. This happens because the time read by the syslog mechanism (as seen in the PORT_BLOCK_ALLOC syslog) and the time read by the NAT application (to update the ALLOC time in the subscriber context) differ slightly. The interim system log displays the ALLOC time retrieved from the subscriber context.
- Because these logs are generated by CPU computation in the fast path, a slight impact on fast path performance might be observed, but only at the moment a log is generated.
- The port block creation timestamp in hexadecimal is saved in the JSERVICES_NAT_PORT_BLOCK_RELEASE message, even if interim logging is not configured.
- If you define the logging interval while traffic flows are in progress, the setting takes effect on existing and new flows. You need not reboot the MIC or deactivate and reactivate the service set.
- If a flow or subscriber is timing out, no new packets or traffic flows have been seen for that 5-tuple or for that subscriber. In that case, interim logs are not generated.
- If the interim-logging interval is lower than the inactivity-timeout of the flow, interim logs are not observed while the flow is timing out even though the interim-logging interval has elapsed. Likewise, if the interim-logging interval is lower than the subscriber-timeout value, interim logs are not observed while the subscriber is timing out even though the interim-logging interval has elapsed. For example, if the inactivity-timeout is configured as 2500 seconds and the interim-logging interval as 1800 seconds, then while the flow is timing out there is a point in time when 1800 seconds have elapsed since the last packet was seen on the flow, and no interim log is generated in this case.
- Interim logs are recorded only for pools that have PBA configured. If pools exist without the PBA configuration present on the services network processing unit (NPU), interim logs are not saved even if you enable the interim logging functionality.
- The interval at which the logs are generated can be configured only from a restricted range of values, for example 0 or 1800 through 86400.
- You can enable the generation of syslogs by using the syslog statement at the [edit system] and [edit services service-sets service-set name nat rule rule-name term term-name then] hierarchy levels that contain the NAT rules with PBA pools. Interim logs are not triggered if the recording of syslogs is not enabled on the system.
- We recommend that you configure the interim-logging interval to be higher than the inactivity timeout period for established flows. Also, we recommend that you configure the interim-logging interval to be higher than the subscriber-timeout value. When endpoint-independent mapping (EIM) is configured, the interim-logging interval must be higher than the sum of the address pooling paired (APP) timeout and EIM timeout values.
- Logs are transmitted in clear text, like the other log messages that the services PICs do not encrypt. It is assumed that the transport of logs and the placement of the log collector are within a secured realm. Because the messages do not contain sensitive details such as usernames or passwords, the messages do not cause any security or reliability risks. The increased generation of log messages does not create the possibility of a log flood, because the logging frequency can be configured according to the network topology, traffic levels, and your monitoring needs.
- The logs for PBA in the microkernel start with the prefix ASP_*. These logs have been modified to start with the prefix JSERVICES_*. The following are examples of system logs for PBA in the microkernel and with the Junos OS Extension-Provider packages installed and configured on the device.
Microkernel: 1970-01-01 00:32:36 {nat64}[FWNAT]:ASP_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
Junos OS Extension-Provider (eJunos): 1970-01-01 00:32:36 {nat64}[FWNAT]:JSERVICES_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
- You can also specify the interim logging interval per NAT pool instead of globally per MS-PIC, depending on whether you want the syslog settings to apply to all the NAT pools on a device or to a particular NAT pool. For NAT, the member interfaces must have the jservices-nat package configured. The JSERVICES_NAT_PORT_BLOCK_ACTIVE system logging message is generated when you configure interim logging for PBA. The following sample logs show the messages generated with the interim interval set to 1800 seconds. Note that the time between consecutive interim logs is more than 1800 seconds.
1970-01-01 00:01:51 [FWNAT]:JSERVICES_NAT_PORT_BLOCK_ALLOC: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091
1970-01-01 00:32:36 {nat64}[FWNAT]:JSERVICES_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
1970-01-01 01:03:20 {nat64}[FWNAT]:JSERVICES_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
1970-01-01 01:34:04 {nat64}[FWNAT]:JSERVICES_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
1970-01-01 02:04:48 {nat64}[FWNAT]:JSERVICES_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
- Starting in Junos OS Release 19.3R1, when you configure a softwire prefix other than /128, all the JSERVICES_NAT_PORT_BLOCK logs display the prefixed B4 address. The following JSERVICES_NAT_PORT_BLOCK logs are modified:
  - JSERVICES_NAT_PORT_BLOCK_ALLOC
  - JSERVICES_NAT_PORT_BLOCK_RELEASE
  - JSERVICES_NAT_PORT_BLOCK_ACTIVE
  In earlier Junos OS releases, when a softwire prefix was configured, some of the B4 addresses displayed in the JSERVICES_NAT_PORT_BLOCK logs were /128 addresses. For example, when a /56 prefix was configured, the port block syslogs displayed the following B4 addresses:
  - JSERVICES_NAT_PORT_BLOCK_ALLOC displayed the /128 B4 address of the first B4 that was allocated a port from a particular port block
  - JSERVICES_NAT_PORT_BLOCK_RELEASE displayed the /128 B4 address of the last B4 that released its port back to the port block
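As an added example (not code from the Juniper documentation), the following Python parser reads JSERVICES_NAT_PORT_BLOCK_* lines in the format shown in the sample logs above, decodes the trailing hexadecimal port block creation time (0x6f = 111 seconds since the epoch, UTC), compares it with the time of the ALLOC log allowing the few seconds of skew described in the guidelines, and flags consecutive ACTIVE logs for the same block that are closer together than the configured interim interval. The sample lines are constructed from the page's examples; the function and field names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format this page shows (interim interval 1800 s).
SAMPLE_LOGS = """\
1970-01-01 00:01:51 [FWNAT]:JSERVICES_NAT_PORT_BLOCK_ALLOC: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091
1970-01-01 00:32:36 {nat64}[FWNAT]:JSERVICES_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
1970-01-01 01:03:20 {nat64}[FWNAT]:JSERVICES_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
1970-01-01 01:34:04 {nat64}[FWNAT]:JSERVICES_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
1970-01-01 02:04:48 {nat64}[FWNAT]:JSERVICES_NAT_PORT_BLOCK_ACTIVE: 2001:db8:0:0:0:0:0:2 -> 10.1.1.1:1050-1091 0x6f
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:\{\w+\})?\[FWNAT\]:"
    r"JSERVICES_NAT_PORT_BLOCK_(?P<event>ALLOC|ACTIVE|RELEASE): (?P<internal>\S+) -> "
    r"(?P<ext_ip>[\d.]+):(?P<lo>\d+)-(?P<hi>\d+)(?: (?P<hex>0x[0-9a-fA-F]+))?$")

def parse_line(line):
    """Return one port-block log record as a dict, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    # Trailing hex field: port block creation time as seconds since the epoch, in UTC.
    r["created"] = datetime.fromtimestamp(int(r["hex"], 16), timezone.utc) if r["hex"] else None
    return r

def check_block_logs(text, interval_s, slack_s=5):
    """Per port block: count ACTIVE logs whose hex creation time disagrees with the
    ALLOC log time by more than slack_s, and list ACTIVE-to-ACTIVE gaps below interval_s."""
    blocks = {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        key = (rec["ext_ip"], int(rec["lo"]), int(rec["hi"]))
        b = blocks.setdefault(key, {"alloc_ts": None, "active": [], "hex_mismatch": 0})
        if rec["event"] == "ALLOC":
            b["alloc_ts"] = rec["ts"]
        elif rec["event"] == "ACTIVE":
            b["active"].append(rec["ts"])
            if b["alloc_ts"] and rec["created"] and \
                    abs((rec["created"] - b["alloc_ts"]).total_seconds()) > slack_s:
                b["hex_mismatch"] += 1
    report = {}
    for key, b in blocks.items():
        gaps = [int((t2 - t1).total_seconds()) for t1, t2 in zip(b["active"], b["active"][1:])]
        report[key] = {"gaps": gaps, "short_gaps": [g for g in gaps if g < interval_s],
                       "hex_mismatch": b["hex_mismatch"]}
    return report
```

On the sample above every gap is 1844 seconds, so with an 1800-second interval no short gaps are reported; a gap below the interval or a creation time that does not match the ALLOC log would indicate a mis-attributed or reordered log worth investigating.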