ON THIS PAGE
System Log Error Messages for Next Gen Services
This topic describes Next Gen Services MX-SPC3 services card system log error messages and provides a comparison of these messages with the MS-MPC services card.
Session Open Logs
Following are example session open logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
JSERVICES_SESSION_OPEN application source-interface-name
source-address source-port source-nat-information destination-address
destination-port destination-nat-information protocol-name softwire-information;
MX-SPC3 Services Card
RT_FLOW_SESSION_CREATE_USF Prefix service-set-name source-interface-name
source-address source-port destination-address destination-port service-name
nat-source-address nat-source-port nat-destination-address nat-destination-port
src-nat-rule-type src-nat-rule-name dst-nat-rule-type dst-nat-rule-name
protocol-name policy-name application softwire-information;
Sample MX-SPC3 Output
A sample output is as follows:
<14>1 2018-06-26T17:23:06.269-07:00 booklet RT_FLOW
- RT_FLOW_SESSION_CREATE_USF [junos@2636.1.1.1.2.25 prefix="SYSLOG-PREFIX"
service-set-name="JNPR-NH-SSET3" source-address="50.0.0.10" source-port="1"
destination-address="60.0.0.10" destination-port="21219" connection-tag="0"
service-name="icmp" nat-source-address="100.0.0.1" nat-source-port="1024"
nat-destination-address="60.0.0.10" nat-destination-port="21219" nat-connection-tag="0"
src-nat-rule-type="source rule" src-nat-rule-name="SRC-NAT-RULE1"
dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="p1"
source-zone-name="JNPR-NH-SSET3-ZoneIn" destination-zone-name="JNPR-NH-SSET3-ZoneOut"
session-id-32="160000001" username="N/A" roles="N/A" packet-incoming-interface="vms-2/0/0.100"
application="UNKNOWN" nestedapplication="UNKNOWN" encrypted="UNKNOWN"
application-category="N/A" application-sub-category="N/A" application-risk="-1"]
Prefix PADDY3 svc-set-name JNPR-NH-SSET3: session created 50.0.0.10/1->60.0.0.10/21219
0x0 icmp 100.0.0.1/1024->60.0.0.10/21219 0x0 source rule SRC-NAT-RULE1
N/A N/A 1 p1 JNPR-NH-SSET3-ZoneIn JNPR-NH-SSET3-ZoneOut 160000001
N/A(N/A) vms-2/0/0.100 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1
Session Open Logs With NAT
MS-MPC Services Card
SYSLOG_MSMPC{SS_TEST}JSERVICES_SESSION_OPEN: application:ike-esp-nat,
xe-2/2/1.0 24.0.0.2:1234 [85.0.0.1:1024] -> 25.0.0.2:1234 (UDP)
MX-SPC3 Services Card
Aug 3 02:04:28 mobst480i RT_FLOW: RT_FLOW_SESSION_CREATE_USF:
Tag svc-set-name sset1: session created 90.0.0.2/1->30.0.0.2/4323
0x0 icmp 50.0.0.3/1024->30.0.0.2/4323 0x0 source rule rule1 N/A N/A
1 p1 sset1-ZoneIn sset1-ZoneOut 160000015 N/A(N/A) vms-2/0/0.1 UNKNOWN
UNKNOWN UNKNOWN N/A N/A -1 N/A
Session Open Logs Without NAT
MS-MPC Services Card
SYSLOG_MSMPC{SS_TEST}JSERVICES_SESSION_OPEN: application:ike-esp-nat,
xe-2/2/1.0 24.0.0.2:1234 -> 25.0.0.2:1234 (UDP)
MX-SPC3 Services Card
RT_FLOW - RT_FLOW_SESSION_CREATE_USF [junos@2636.1.1.1.2.25
tag="SYSLOG_SFW" service-set-name="ss1" source-address="20.1.1.2"
source-port="12000" destination-address="30.1.1.2" destination-port="22000"
connection-tag="0" service-name="None" nat-source-address="20.1.1.2"
nat-source-port="12000" nat-destination-address="30.1.1.2" nat-destination-port="22000"
nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A"
dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="policy1"
source-zone-name="ss1-ZoneIn" destination-zone-name="ss1-ZoneOut"
session-id-32="190000004" username="N/A" roles="N/A" packet-incoming-interface="xe-5/3/2.0"
application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"
application-category="N/A" application-sub-category="N/A" application-risk="-1"
application-characteristics="N/A"] Tag SYSLOG_SFW svc-set-name ss1:
session created 20.1.1.2/12000->30.1.1.2/22000 0x0 None 20.1.1.2/12000->30.1.1.2/22000
0x0 N/A N/A N/A N/A 6 policy1 ss1-ZoneIn ss1-ZoneOut 190000004 N/A(N/A)
xe-5/3/2.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A
Session Close Logs
Following are example session close logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
JSERVICES_SESSION_CLOSE application source-interface-name
source-address source-port source-nat-information destination-address
destination-port destination-nat-information protocol-name softwire-information;
MX-SPC3 Services Card
RT_FLOW_SESSION_CLOSE_USF Prefix service-set-name source-interface-name
source-address source-port destination-address destination-port service-name
nat-source-address nat-source-port nat-destination-address nat-destination-port
src-nat-rule-type src-nat-rule-name dst-nat-rule-type dst-nat-rule-name
protocol-name policy-name; softwire-information;
Sample MX-SPC3 Output
A sample output follows:
<14>1 2018-06-27T09:24:00.058-07:00 booklet RT_FLOW
- RT_FLOW_SESSION_CLOSE_USF [junos@2636.1.1.1.2.25 prefix="SYSLOG-PREFIX"
service-set-name="JNPR-NH-SSET3" reason="idle Timeout" source-address="50.0.0.10"
source-port="1" destination-address="60.0.0.10" destination-port="30170"
connection-tag="0" service-name="icmp" nat-source-address="100.0.0.1"
nat-source-port="1024" nat-destination-address="60.0.0.10" nat-destination-port="30170"
nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="SRC-NAT-RULE1"
dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="p1"
source-zone-name="JNPR-NH-SSET3-ZoneIn" destination-zone-name="JNPR-NH-SSET3-ZoneOut"
session-id-32="160000001" packets-from-client="1" bytes-from-client="84"
packets-from-server="0" bytes-from-server="0" elapsed-time="4" application="UNKNOWN"
nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="vms-2/0/0.100"
encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A"
application-risk="-1"] Prefix PADDY-DEF svc-set-name JNPR-NH-SSET3:
session closed idle Timeout: 50.0.0.10/1->60.0.0.10/30170 0x0 icmp
100.0.0.1/1024->60.0.0.10/30170 0x0 source rule SRC-NAT-RULE1 N/A
N/A 1 p1 JNPR-NH-SSET3-ZoneIn JNPR-NH-SSET3-ZoneOut 160000001 1(84)
0(0) 4 UNKNOWN UNKNOWN N/A(N/A) vms-2/0/0.100 UNKNOWN N/A N/A -1
NAT Out of Address Logs
Following are example NAT Out of Address logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
JSERVICES_NAT_OUTOF_ADDRESSES: nat-pool-name
MX-SPC3 Services Card:
Aug 10 10:06:13 champ RT_NAT: RT_SRC_NAT_OUTOF_ADDRESSES:
nat-pool-name src_pool1 is out of addresses
NAT Out of Ports Logs
Following are example NAT Out of Ports logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
{NPU-1-PFX1}[jservices-nat]: JSERVICES_NAT_OUTOF_PORTS:
natpool NAT-POOL-NPU1-PFX3 is out of ports
MX-SPC3 Services Card
jul 31 03:08:30 esst480h RT_NAT: RT_SRC_NAT_OUTOF_PORTS:
nat-pool-name nat_pool1 is out of ports
NAT Rule Match Logs
Following are example NAT rule match logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
SYSLOG_MSMPC{SS_TEST}[jservices-nat]: JSERVICES_NAT_RULE_MATCH:
proto 17 (UDP) application: any, xe-2/2/1.0:24.0.0.2:1234 -> 25.0.0.2:1234,
Match NAT rule-set: (null), rule: NAT_RULE_TEST, term: t
MX-SPC3 Services Card
RT_NAT: RT_NAT_RULE_MATCH: protocol-id 17 protocol-name
udp application Unknown interface-name ge-2/0/9.0 source-address 11.1.1.2
source-port 2000 destination-address 12.1.1.2 destination-port 5000
rule-set-name rule-set rule-name nat-rule
NAT Pool Release Logs
Following are example NAT Rule Match logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
SYSLOG_MSMPC{SS_TEST}[jservices-nat]: JSERVICES_NAT_POOL_RELEASE:
natpool release 85.0.0.1:1024[1]
MX-SPC3 Services Card
RT_NAT: RT_SRC_NAT_POOL_RELEASE: nat-pool-name nat-pool
address 112.1.1.4 port 1024 count 1
NAT Port Block Allocation Logs
Following are example NAT port block allocation logs for MS-MPC services cards versus MX-SPC3 services processing card:
- MS-MPC Services Card-Example 1
- MX-SPC3 Services Card-Example 1
- MS-MPC Services Card-Example 2
- MX-SPC3 Services Card-Example 2
MS-MPC Services Card-Example 1
SYSLOG_MSMPC{ss1}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ALLOC:
11.1.1.2 -> 112.1.1.4:42494-42503 0x59412760
MX-SPC3 Services Card-Example 1
Aug 9 23:01:59 esst480r RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber
20.1.1.5 used/maximum [1/1] blocks, allocates port block [49774-49923]
from 100.0.0.1 in source pool p1 lsys_id: 0
MS-MPC Services Card-Example 2
SYSLOG_MSMPC{ss1}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_RELEASE:
2001:2010:0:0:0:0:0:2 -> 161.161.16.1:56804-56813 0x597ef2c3
MX-SPC3 Services Card-Example 2
RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 11.1.1.2 used/maximum
[1/2] blocks, allocates port block [13934-13943] from 112.1.1.1 in
source pool nat-pool lsys_id: 0
NAT Port Block Allocation Interim Logs
Following are example interim logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
SYSLOG_MSMPC{ss1}[jservices-nat]: JSERVICES_NAT_PORT_BLOCK_ACTIVE:
11.1.1.2 -> 112.1.1.4:42494-42503 0x59412760
MX-SPC3 Services Card
RT_NAT: RT_SRC_NAT_PBA_INTERIM: Subscriber 50.0.0.3 used/maximum
[1/1] blocks, allocates port block [5888-6015] from 202.0.0.1 in source
pool JNPR-CGNAT-PUB-POOL lsys_id: 0
NAT Port Block Release Logs
Following are example NAT port block release logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
JSERVICES_NAT_PORT_BLOCK_RELEASE source-address nat-source-address
nat-source-port-range-start nat-source-port-range-end object-create-time;
MX-SPC3 Services Card
RT_NAT: RT_SRC_NAT_PBA_RELEASE: Subscriber 11.1.1.2 used/maximum
[2/3] blocks, releases port block [3839-3843] from 112.1.2.1 in source
pool nat-pool lsys_id: 0
Deterministic NAT Logs
MS-MPC Services Card
{ss1}[jservices-nat]: JSERVICES_DET_NAT_CONFIG: Deterministc
NAT Config [2001:2010::-2001:2010::ff]:[161.161.16.1-161.161.16.254]:0:200:0:1024-65535
Stateful Firewall Rule Accept Logs
Following are example stateful firewall rule accept logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
Sep 20 01:36:51 mobst480b (FPC Slot 5, PIC Slot 0) 2017-09-20
08:36:19: SYSLOG_MSMPC{SS_TEST}[jservices-sfw]: JSERVICES_SFW_RULE_ACCEPT:
proto 17 (UDP) application: any, interface: xe-2/2/1.0, 24.0.0.2:1234
-> 25.0.0.2:1234, Match SFW allow rule-set: (null), rule: SFW_RULE_TEST,
term: t
MX-SPC3 Services Card
expo RT_FLOW: RT_FLOW_SESSION_POLICY_ACCEPT_USF: Tag SYSLOGMSG
svc-set-name ss1:session created with policy accept 20.1.1.2/5->30.1.1.2/15100
0x0 icmp R11 1 sfw_policy1 ss1-ZoneIn ss1-ZoneOut 160000010 N/A(N/A)
xe-5/3/2.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A
Sample MX-SPC3 Output
Here’s a sample output for MX-SPC3 card:
<14>1 2018-06-27T09:23:56.808-07:00 booklet RT_FLOW
- RT_FLOW_SESSION_POLICY_ACCEPT_USF [junos@2636.1.1.1.2.25 prefix="PADDY-DEF"
service-set-name="JNPR-NH-SSET3" source-address="50.0.0.10" source-port="1"
destination-address="60.0.0.10" destination-port="30170" connection-tag="0"
service-name="icmp" rule-name="Tobe implemented" rule-set-name="To
be implemented" protocol-id="1" policy-name="p1" source-zone-name="JNPR-NH-SSET3-ZoneIn"
destination-zone-name="JNPR-NH-SSET3-ZoneOut" session-id-32="160000001"
username="N/A"roles="N/A" packet-incoming-interface="vms-2/0/0.100"
application="UNKNOWN" nested-application="UNKNOWN"encrypted="UNKNOWN"
application-category="N/A" application-sub-category="N/A" application-risk="-1"]
Prefix PADDY-DEF svc-set-name JNPR-NH-SSET3: session created 50.0.0.10/1->60.0.0.10/30170
0x0 icmp To be implemented To be implemented 1 p1 JNPR-NH-SSET3-ZoneIn
JNPR-NH-SSET3-ZoneOut 160000001 N/A(N/A) vms-2/0/0.100 UNKNOWN UNKNOWN
UNKNOWN N/A N/A -1
Stateful Firewall Rule Reject Logs
Following are example stateful firewall rule reject logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
Sep 20 01:42:02 mobst480b (FPC Slot 5, PIC Slot 0) 2017-09-20
08:41:31: SYSLOG_MSMPC{SS_TEST}[jservices-sfw]: JSERVICES_SFW_RULE_REJECT:
proto 17 (UDP) application: any, 24.0.0.2:1234 -> 25.0.0.2:1234, Match
SFW reject rule-set: (null), rule: SFW_RULE_TEST, term: t
MX-SPC3 Services Card
expo RT_FLOW: RT_FLOW_SESSION_RULE_REJECT_USF: Tag SYSLOGMSG
svc-set-name ss1: session denied 20.1.1.2/5->30.1.1.2/15183 0x0 icmp
R11 1(8) sfw_policy1 ss1-ZoneIn ss1-ZoneOut UNKNOWN UNKNOWN N/A(N/A)
xe-5/3/2.0 No Rejected by policy 160000030 N/A N/A -1 N/A
Stateful Firewall Rule Discard Logs
Following are example stateful firewall rule discard logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
Sep 20 01:43:57 mobst480b (FPC Slot 5, PIC Slot 0) 2017-09-20
08:43:26: SYSLOG_MSMPC{SS_TEST}[jservices-sfw]: JSERVICES_SFW_RULE_DISCARD:
proto 17 (UDP) application: any, 24.0.0.2:1234 -> 25.0.0.2:1234, Match
SFW drop rule-set: (null), rule: SFW_RULE_TEST, term: t
MX-SPC3 Services Card
RT_FLOW - RT_FLOW_SESSION_RULE_DISCARD_USF [junos@2636.1.1.1.2.25
tag="SYSLOG_SFW" service-set-name="ss1" source-address="20.1.1.2"
source-port="10000" destination-address="30.1.1.2" destination-port="20000"
connection-tag="0" service-name="None" rule-name="R1" rule-set-name=""
protocol-id="17" icmp-type="0" policy-name="policy1" source-zone-name="ss1-ZoneIn"
destination-zone-name="ss1-ZoneOut" application="UNKNOWN" nested-application="UNKNOWN"
username="N/A" roles="N/A" packet-incoming-interface="xe-5/3/2.0"
encrypted="No" reason="Denied by policy" session-id-32="190000014"
application-category="N/A" application-sub-category="N/A" application-risk="-1"
application-characteristics="N/A"] Tag SYSLOG_SFW svc-set-name ss1:
session denied 20.1.1.2/10000->30.1.1.2/20000 0x0 None R1 17(0) policy1
ss1-ZoneIn ss1-ZoneOut UNKNOWN UNKNOWN N/A(N/A) xe-5/3/2.0 No Denied
by policy 190000014 N/A N/A -1 N/A
Stateful Firewall Rule No Rule Drop Logs
Following are example stateful firewall rule no rule drop logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
Sep 20 01:43:57 mobst480b (FPC Slot 5, PIC Slot 0) 2017-09-20
08:43:26: SYSLOG_MSMPC{SS_TEST}[jservices-sfw]: JSERVICES_SFW_NO_RULE_DROP:
proto 17 (UDP) application: any, 24.0.0.2:1234 -> 25.0.0.2:1234
MX-SPC3 Services Card
RT_FLOW_SESSION_NO_RULE_DROP_USF Prefix service-set-name
protocol-id protocol-name source-interface-name separator source-address
source-port destination-address destination-port event-type;
Stateful Firewall No Policy Drop Logs
Following are example stateful firewall logs for MS-MPC services cards versus MX-SPC3 services processing card:
MS-MPC Services Card
JSERVICES_SFW_NO_POLICY source-address destination-address;
MX-SPC3 Services Card
RT_FLOW_SESSION_NO_POLICY_USF Prefix service-set-name
source-address destination-address;