
How to reduce alert noise on Juniper SRX Chassis Cluster Switchover traps?

Hello,

I have a pair of Juniper SRX5800 firewalls that I want to generate alert messages on JUNIPER-CHASSIS-CLUSTER-MIB:jnxJsChassisClusterSwitchover SNMP Trap messages.

The main issue that I am seeing is that I am receiving eight messages on the initial failover and sixteen messages when I fail the devices back.

When looking in Trap Viewer, I can see that the firewall is generating duplicate messages (this may be a bug with Juniper; I will follow up with them on that issue). However, I would like to set a filter and a threshold to minimize the number of email messages being sent out.

I have, unsuccessfully, tried to filter on a particular line in the trap details as well as setting a threshold to reduce the number of emails generated.

The alert never fires when I have either a Trap Details Pattern OR a Trigger Threshold set, or when both are set at the same time.

Here are the details of the particular trap that I am interested in:

Trap Type: JUNIPER-CHASSIS-CLUSTER-MIB:jnxJsChassisClusterSwitchover

Trap Details:

jnxJsChClusterSwitchoverInfoRedundancyGroup=0

jnxJsChClusterSwitchoverInfoClusterId=3

jnxJsChClusterSwitchoverInfoNodeId=1

jnxJsChClusterSwitchoverInfoPreviousState=secondary

jnxJsChClusterSwitchoverInfoCurrentState=primary

jnxJsChClusterSwitchoverInfoReason=Manual failover

snmpTrapOID=JUNIPER-CHASSIS-CLUSTER-MIB:jnxJsChassisClusterSwitchover

sysUpTime=18 minutes 53.89 seconds

experimental.1057.1.0=10.xxx.xxx.xxx

snmpTrapEnterprise=JUNIPER-CHASSIS-CLUSTER-MIB:jnxJsChassisClusterMIB

Also note that when I view the trap details in the Trap Viewer, I see the line in details for jnxJsChClusterSwitchoverInfoCurrentState=primary without any spaces.

However, when the message arrives in my inbox, the message details have been changed to read: jnxJsChClusterSwitchoverInfoCurrentState:= secondary

Please note the addition of a colon and space inserted between the MIB instance and the value.


I have tried the following Trap Details patterns without the alarm alerts being sent:


*jnxJsChClusterSwitchoverInfoCurrentState=primary*
*jnxJsChClusterSwitchoverInfoCurrentState:= primary*

as well as the regular expression:
*jnxJsChClusterSwitchoverInfoCurrentState*=*primary*


Does anyone have suggestions on a better filter, or an explanation on why the ones that I am using are not working?

Also, why aren't my threshold settings firing the alerts even though I can see the alerts in my trap viewer?


Let me know if you need any additional information. Thanks.


Orion Platform 2013.1.0, SAM 5.5.0, NCM 7.1.1, NPM 10.5, NTA 3.11.0, UDT 2.5.1, IVIM 1.6.

  • I know this is an old question, but maybe this will help someone.

    I think the email alerts and the trap details might be built from the OIDName and OIDValue (or maybe OIDValue_Unicode; the values in OIDValue and OIDValue_Unicode appear to be identical from what I've seen, so I can't be positive which one is actually used) columns in the TrapVarBinds table. If you look in the TrapVarBinds table you should see something like this in the OIDName and OIDValue columns for that trap:

    OIDName                                       OIDValue
    jnxJsChClusterSwitchoverInfoRedundancyGroup   0
    jnxJsChClusterSwitchoverInfoClusterId         3
    jnxJsChClusterSwitchoverInfoNodeId            1
    jnxJsChClusterSwitchoverInfoPreviousState     secondary
    jnxJsChClusterSwitchoverInfoCurrentState      primary
    jnxJsChClusterSwitchoverInfoReason            Manual failover
    snmpTrapOID                                   JUNIPER-CHASSIS-CLUSTER-MIB:jnxJsChassisClusterSwitchover
    sysUpTime                                     18 minutes 53.89 seconds
    experimental.1057.1.0                         10.xxx.xxx.xxx
    snmpTrapEnterprise                            JUNIPER-CHASSIS-CLUSTER-MIB:jnxJsChassisClusterMIB

    The Trap Viewer actions appear to only filter on what's in the OIDValue (or again it might be the OIDValue_Unicode column) when you use trap details as filter criteria. Basically it looks for the values that are on the right side of the "=" sign in the trap details you see in the trap viewer, or equivalently everything to the right of the ":= " portion of the trap email. For example, if you try *primary* instead of *jnxJsChClusterSwitchoverInfoCurrentState=primary* as filter criteria for the trap details of your trap action, I think your trap action will work.

    You can check it out if you run the below SQL query (substituting x.x.x.x with the IP address of the device sending the traps, of course) and look at the OIDName and OIDValue columns:

    select * from dbo.Traps join dbo.TrapVarBinds on dbo.Traps.TrapID = dbo.TrapVarBinds.TrapID
    where IPAddress = 'x.x.x.x' order by dbo.TrapVarBinds.TrapID DESC
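
Added example (not part of the original posts and not SolarWinds code): a small Python model of the behaviour the reply describes, where a trap-details pattern is tested against each OIDValue on its own, combined with a time-window suppression of the duplicate traps from the question. The fnmatch-style wildcard semantics, the 300-second window, the function names and the sample feed are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

P = "jnxJsChClusterSwitchoverInfo"  # varbind name prefix seen in the trap above

def make_trap(prev, cur):
    """Constructed (OIDName, OIDValue) pairs shaped like TrapVarBinds rows."""
    return [(P + "RedundancyGroup", "0"), (P + "ClusterId", "3"),
            (P + "NodeId", "1"), (P + "PreviousState", prev),
            (P + "CurrentState", cur), (P + "Reason", "Manual failover")]

# Constructed feed of (arrival time in seconds, varbinds): three duplicate
# failover traps, then two duplicate fail-back traps.
FEED = ([(t, make_trap("secondary", "primary")) for t in (0, 1, 2)]
        + [(t, make_trap("primary", "secondary")) for t in (400, 401)])

def matches_value_only(varbinds, pattern):
    """Assumed behaviour from the reply: test the pattern on each OIDValue alone."""
    return any(fnmatchcase(value, pattern) for _, value in varbinds)

def matches_rendered(varbinds, pattern):
    """What the question expected: test the pattern on 'name=value' text."""
    return any(fnmatchcase(f"{name}={value}", pattern) for name, value in varbinds)

def dedupe(feed, pattern, window=300):
    """Arrival times that alert: first match per switchover key per window."""
    last_sent, alerts = {}, []
    for ts, varbinds in feed:
        if not matches_value_only(varbinds, pattern):
            continue
        f = dict(varbinds)
        key = tuple(f[P + k] for k in
                    ("ClusterId", "RedundancyGroup", "NodeId", "CurrentState"))
        if key not in last_sent or ts - last_sent[key] >= window:
            alerts.append(ts)
            last_sent[key] = ts
    return alerts

if __name__ == "__main__":
    failover = FEED[0][1]
    print(matches_value_only(failover, f"*{P}CurrentState=primary*"))
    print(matches_rendered(failover, f"*{P}CurrentState=primary*"))
    print(matches_value_only(failover, "*primary*"))
    # The fail-back trap also matches, through PreviousState=primary.
    print(matches_value_only(FEED[3][1], "*primary*"))
    print(dedupe(FEED, "*primary*"))
```

Under this model, a value-only `*primary*` filter cannot tell failover from fail-back, because both traps carry the value `primary` in one of the two state varbinds. Keying suppression on cluster, redundancy group, node and current state collapses each burst of duplicates to a single alert.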