junos_exporter
ipsec security-associations metrics broken for single RE devices
I think that this PR https://github.com/czerwonk/junos_exporter/pull/127 might have broken ipsec security-association metrics for single routing engine platforms. I'll try to fiddle with the code, but it's not my strong suit.
Here's what I get back from my router using -debug mode:
2021/12/26 02:38:08 Running command on router: show security ipsec security-associations
2021/12/26 02:38:09 Output for router: <rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
<ipsec-security-associations-information junos:style="brief">
<total-active-tunnels>1</total-active-tunnels>
<ipsec-security-associations-block>
<sa-block-state>up</sa-block-state>
<ipsec-security-associations>
<sa-direction><</sa-direction>
<sa-tunnel-index>131073</sa-tunnel-index>
<sa-spi>88a16818</sa-spi>
<sa-aux-spi>0</sa-aux-spi>
<sa-remote-gateway>****************</sa-remote-gateway>
<sa-port>500</sa-port>
<sa-vpn-monitoring-state>-</sa-vpn-monitoring-state>
<sa-protocol>ESP:</sa-protocol>
<sa-esp-encryption-algorithm>3des/</sa-esp-encryption-algorithm>
<sa-hmac-algorithm>sha1</sa-hmac-algorithm>
<sa-hard-lifetime>1656/</sa-hard-lifetime>
<sa-lifesize-remaining>unlim</sa-lifesize-remaining>
<sa-virtual-system>root</sa-virtual-system>
</ipsec-security-associations>
<ipsec-security-associations>
<sa-direction>></sa-direction>
<sa-tunnel-index>131073</sa-tunnel-index>
<sa-spi>3c45c901</sa-spi>
<sa-aux-spi>0</sa-aux-spi>
<sa-remote-gateway>****************</sa-remote-gateway>
<sa-port>500</sa-port>
<sa-vpn-monitoring-state>-</sa-vpn-monitoring-state>
<sa-protocol>ESP:</sa-protocol>
<sa-esp-encryption-algorithm>3des/</sa-esp-encryption-algorithm>
<sa-hmac-algorithm>sha1</sa-hmac-algorithm>
<sa-hard-lifetime>1656/</sa-hard-lifetime>
<sa-lifesize-remaining>unlim</sa-lifesize-remaining>
<sa-virtual-system>root</sa-virtual-system>
</ipsec-security-associations>
</ipsec-security-associations-block>
</ipsec-security-associations-information>
<cli>
<banner></banner>
</cli>
</rpc-reply>
Using the latest build from 042c6f235bf79f53d68c996c851da416cc67bf61, I get no junos_ipsec_security_associations_state values back from my router:
$ curl -s http://localhost:9326/metrics |grep ipsec
# HELP junos_ipsec_configured_tunnels Total configured tunnels
# TYPE junos_ipsec_configured_tunnels gauge
junos_ipsec_configured_tunnels{description="configured tunnels",name="",re_name="N/A",target="router"} 1
However, reverting back to 0.9.8 at af9cfdc2b065e202fe12b08cd535016b847e7de7 before the PR mentioned above, it looks like ipsec metrics were working back then:
$ curl -s http://localhost:9326/metrics|grep ipsec
# HELP junos_ipsec_security_associations_active_tunnels Total active tunnels
# TYPE junos_ipsec_security_associations_active_tunnels gauge
junos_ipsec_security_associations_active_tunnels{description="active tunnels",name="",target="router"} 1
# HELP junos_ipsec_security_associations_state State of the Security Association
# TYPE junos_ipsec_security_associations_state gauge
junos_ipsec_security_associations_state{description="security association for remote gateway ****************",name="****************",target="router"} 1
I think the issue might be at ipsec/collector.go:57 where the new code doesn't call prometheus.MustNewConstMetric in the case that it's a single-RE.
Ah, I see now how it's building the MultiRoutingEngineResults struct at line 113 in either case (multi or single).
Strange - I've stepped through the code a few times and even replaced my router's XML output (above) into the rpc_test for single RE (which passes) but the exporter output still has no active tunnels.
And just to confirm, in these test cases, the binary is being run with the following flags (so that ipsec is enabled):
junos_exporter -ssh.user=monitoring-ro -ssh.targets=router -web.listen-address=127.0.0.1:9326 -ssh.keyfile=/tmp/keyfile -ipsec.enabled=true -debug
And the monitoring-ro user has [ view security ] permissions (for ipsec tunnels).
Version: 0.9.11. I have this problem too.
mmanjos you didn't solve the problem?
@valerarar not yet, unfortunately. I might take another look at it this week with fresh eyes, but back when I reported the issue, I couldn't see what was wrong in the code.
I've just been using the build from revision https://github.com/czerwonk/junos_exporter/commit/af9cfdc2b065e202fe12b08cd535016b847e7de7 ever since reporting and it's been working fine for me. It'd be nice to find out what the issue in the multi-RE code is though.
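The two reply shapes discussed in this thread, decoded into one per-routing-engine list, as an added Go example that is not the exporter's own code. The type and function names are hypothetical, the `multi-routing-engine-results` / `multi-routing-engine-item` / `re-name` wrapper is the assumed multi-RE shape (it does not appear in the output above), and the gateway address is a constructed placeholder.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Hypothetical types for this example, not the exporter's own structs.
type saInfo struct {
	ActiveTunnels int      `xml:"total-active-tunnels"`
	Gateways      []string `xml:"ipsec-security-associations-block>ipsec-security-associations>sa-remote-gateway"`
}
type reItem struct {
	Name string `xml:"re-name"`
	Info saInfo `xml:"ipsec-security-associations-information"`
}

// reply accepts either shape: the information element directly under
// rpc-reply (single RE) or wrapped once per routing engine (multi RE).
type reply struct {
	Single *saInfo  `xml:"ipsec-security-associations-information"`
	Multi  []reItem `xml:"multi-routing-engine-results>multi-routing-engine-item"`
}

// parseReply normalizes both shapes to one item per routing engine.
func parseReply(b []byte) ([]reItem, error) {
	var r reply
	if err := xml.Unmarshal(b, &r); err != nil {
		return nil, err
	}
	if r.Single != nil { // single RE: no wrapper, so no re-name to report
		return []reItem{{Name: "N/A", Info: *r.Single}}, nil
	}
	return r.Multi, nil
}

// Constructed samples: singleRE is trimmed from the router output above,
// multiRE is an assumed one-node wrapped reply with no active tunnels.
const singleRE = `<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
<ipsec-security-associations-information junos:style="brief"><total-active-tunnels>1</total-active-tunnels>
<ipsec-security-associations-block><ipsec-security-associations><sa-remote-gateway>192.0.2.1</sa-remote-gateway></ipsec-security-associations>
<ipsec-security-associations><sa-remote-gateway>192.0.2.1</sa-remote-gateway></ipsec-security-associations></ipsec-security-associations-block>
</ipsec-security-associations-information></rpc-reply>`
const multiRE = `<rpc-reply><multi-routing-engine-results><multi-routing-engine-item><re-name>node0</re-name>
<ipsec-security-associations-information><total-active-tunnels>0</total-active-tunnels></ipsec-security-associations-information>
</multi-routing-engine-item></multi-routing-engine-results></rpc-reply>`

func main() {
	items, err := parseReply([]byte(singleRE))
	fmt.Println(items, err)
}
```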