czerwonk / junos_exporter

Exporter for devices running JunOS to use with https://prometheus.io/
MIT License

ipsec security-associations metrics broken for single RE devices #165

Open mmanjos opened 2 years ago

mmanjos commented 2 years ago

I think that this PR https://github.com/czerwonk/junos_exporter/pull/127 might have broken ipsec security-association metrics for single routing engine platforms. I'll try to fiddle with the code, but it's not my strong suit.

Here's what I get back from my router using -debug mode:

2021/12/26 02:38:08 Running command on router: show security ipsec security-associations
2021/12/26 02:38:09 Output for router: <rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
    <ipsec-security-associations-information junos:style="brief">
        <total-active-tunnels>1</total-active-tunnels>
        <ipsec-security-associations-block>
            <sa-block-state>up</sa-block-state>
            <ipsec-security-associations>
                <sa-direction>&lt;</sa-direction>
                <sa-tunnel-index>131073</sa-tunnel-index>
                <sa-spi>88a16818</sa-spi>
                <sa-aux-spi>0</sa-aux-spi>
                <sa-remote-gateway>****************</sa-remote-gateway>
                <sa-port>500</sa-port>
                <sa-vpn-monitoring-state>-</sa-vpn-monitoring-state>
                <sa-protocol>ESP:</sa-protocol>
                <sa-esp-encryption-algorithm>3des/</sa-esp-encryption-algorithm>
                <sa-hmac-algorithm>sha1</sa-hmac-algorithm>
                <sa-hard-lifetime>1656/</sa-hard-lifetime>
                <sa-lifesize-remaining>unlim</sa-lifesize-remaining>
                <sa-virtual-system>root</sa-virtual-system>
            </ipsec-security-associations>
            <ipsec-security-associations>
                <sa-direction>&gt;</sa-direction>
                <sa-tunnel-index>131073</sa-tunnel-index>
                <sa-spi>3c45c901</sa-spi>
                <sa-aux-spi>0</sa-aux-spi>
                <sa-remote-gateway>****************</sa-remote-gateway>
                <sa-port>500</sa-port>
                <sa-vpn-monitoring-state>-</sa-vpn-monitoring-state>
                <sa-protocol>ESP:</sa-protocol>
                <sa-esp-encryption-algorithm>3des/</sa-esp-encryption-algorithm>
                <sa-hmac-algorithm>sha1</sa-hmac-algorithm>
                <sa-hard-lifetime>1656/</sa-hard-lifetime>
                <sa-lifesize-remaining>unlim</sa-lifesize-remaining>
                <sa-virtual-system>root</sa-virtual-system>
            </ipsec-security-associations>
        </ipsec-security-associations-block>
    </ipsec-security-associations-information>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>

Using the latest build from 042c6f235bf79f53d68c996c851da416cc67bf61, I get no junos_ipsec_security_associations_state values back from my router:

$ curl -s http://localhost:9326/metrics |grep ipsec
# HELP junos_ipsec_configured_tunnels Total configured tunnels
# TYPE junos_ipsec_configured_tunnels gauge
junos_ipsec_configured_tunnels{description="configured tunnels",name="",re_name="N/A",target="router"} 1

However, reverting back to 0.9.8 at af9cfdc2b065e202fe12b08cd535016b847e7de7 before the PR mentioned above, it looks like ipsec metrics were working back then:

$ curl -s  http://localhost:9326/metrics|grep ipsec
# HELP junos_ipsec_security_associations_active_tunnels Total active tunnels
# TYPE junos_ipsec_security_associations_active_tunnels gauge
junos_ipsec_security_associations_active_tunnels{description="active tunnels",name="",target="router"} 1
# HELP junos_ipsec_security_associations_state State of the Security Association
# TYPE junos_ipsec_security_associations_state gauge
junos_ipsec_security_associations_state{description="security association for remote gateway ****************",name="****************",target="router"} 1
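The single-RE reply quoted above, parsed into one state value per remote gateway, as an added example that is not junos_exporter's own code. The struct layout, the re_name "N/A" label and the 192.0.2.10 address stand in for the masked gateway are assumptions; the multi-routing-engine-results / multi-routing-engine-item / re-name elements are JunOS's standard per-RE wrapping, which the exporter's own ipsec collector may model differently.

```go
package main
import "encoding/xml"
import "fmt"

// Constructed sample: the issue's information block trimmed to the fields used here, with a documentation-range address for the masked gateway.
const sampleInfo = `<ipsec-security-associations-information junos:style="brief">
 <total-active-tunnels>1</total-active-tunnels><ipsec-security-associations-block><sa-block-state>up</sa-block-state>
  <ipsec-security-associations><sa-direction>&lt;</sa-direction><sa-remote-gateway>192.0.2.10</sa-remote-gateway></ipsec-security-associations>
  <ipsec-security-associations><sa-direction>&gt;</sa-direction><sa-remote-gateway>192.0.2.10</sa-remote-gateway></ipsec-security-associations>
 </ipsec-security-associations-block></ipsec-security-associations-information>`
// A single-RE device returns that block directly under rpc-reply, as in the issue's debug output.
const sampleReply = `<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">` + sampleInfo + `</rpc-reply>`
type saBlock struct {
	State string `xml:"sa-block-state"`
	SAs   []struct {
		RemoteGateway string `xml:"sa-remote-gateway"`
	} `xml:"ipsec-security-associations"`
}
type reItem struct {
	Name   string    `xml:"re-name"`
	Blocks []saBlock `xml:"ipsec-security-associations-information>ipsec-security-associations-block"`
}
// Both layouts are modelled: Single for a one-RE reply, Multi for a reply wrapped per routing engine.
type rpcReply struct {
	Single []saBlock `xml:"ipsec-security-associations-information>ipsec-security-associations-block"`
	Multi  []reItem  `xml:"multi-routing-engine-results>multi-routing-engine-item"`
}

// saStates maps "re_name/remote_gateway" to 1 when its SA block is up, else 0; the inbound/outbound SA pair collapse into one entry and a single-RE reply is labelled re_name "N/A".
func saStates(reply string) (map[string]float64, error) {
	var r rpcReply
	if err := xml.Unmarshal([]byte(reply), &r); err != nil {
		return nil, err
	}
	items := r.Multi // empty for a single-RE reply such as the one in the issue
	if len(r.Single) > 0 {
		items = append(items, reItem{Name: "N/A", Blocks: r.Single})
	}
	states := map[string]float64{}
	for _, it := range items {
		for _, b := range it.Blocks {
			up := 0.0
			if b.State == "up" { up = 1 }
			for _, s := range b.SAs {
				states[it.Name+"/"+s.RemoteGateway] = up
			}
		}
	}
	return states, nil
}
func main() { fmt.Println(saStates(sampleReply)) } // map[N/A/192.0.2.10:1] <nil>
```

A parser that only models the wrapped layout would return an empty map for the single-RE reply, which is the symptom the thread describes.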

mmanjos commented 2 years ago

I think the issue might be at ipsec/collector.go:57 where the new code doesn't call prometheus.MustNewConstMetric in the case that it's a single-RE

mmanjos commented 2 years ago

Ah, I see now how it's building the MultiRoutingEngineResults struct at line 113 in either case (multi or single)

Strange - I've stepped through the code a few times and even replaced my router's XML output (above) into the rpc_test for single RE (which passes) but the exporter output still has no active tunnels

mmanjos commented 2 years ago

And just to confirm, in these test cases, the binary is being run with the following flags (so that ipsec is enabled):

junos_exporter -ssh.user=monitoring-ro -ssh.targets=router -web.listen-address=127.0.0.1:9326 -ssh.keyfile=/tmp/keyfile -ipsec.enabled=true -debug

And the monitoring-ro user has [ view security ] permissions (for ipsec tunnels)

valerarar commented 2 years ago

Version: 0.9.11, I have this problem too.

valerarar commented 2 years ago

mmanjos, you didn't solve the problem?

mmanjos commented 2 years ago

@valerarar not yet, unfortunately. I might take another look at it this week with fresh eyes, but back when I reported the issue, I couldn't see what was wrong in the code

mmanjos commented 2 years ago

I've just been using the build from revision https://github.com/czerwonk/junos_exporter/commit/af9cfdc2b065e202fe12b08cd535016b847e7de7 ever since reporting and it's been working fine for me. It'd be nice to find out what the issue in the multi-RE code is though