Data Center LAN Migration Guide - Juniper Networks
OSI Layer 4-7: Transport to Application Troubleshooting

This type of problem is most likely to occur on firewalls or on routers secured with firewall filters. Below are some important things to remember when troubleshooting Layer 4-7 issues:

• Standard troubleshooting tools such as ping and traceroute may not work. Generally, ping and traceroute are not enabled through a firewall except in specific circumstances, so a failed ping does not by itself prove that the application path is broken.

• Firewalls are routers too. In addition to enforcing stateful policies on traffic, firewalls also have the responsibility of routing packets to their next hop. To do this, firewalls must have a working and complete routing table, statically or dynamically defined. If the table is incomplete or incorrect, the firewall will not be able to forward traffic correctly, even when policy permits it.

• Firewalls are stateful and build state for every session that has passed through the firewall. If a non-SYN packet arrives at the firewall and the firewall does not have a session open for that packet, it is considered an "out of state" packet and is normally dropped. This can be the sign of an attack, or of an application that was dormant for longer than the firewall session timeout and is now attempting to send traffic on the old connection.

• By definition, stateful firewalls enforce their policy on traffic based on the network and transport layers of the OSI model. In addition, firewalls may also perform protocol anomaly checks and signature matches on the application layer for selected protocols.

• That application-layer function is implemented by Application Layer Gateways (ALGs). ALGs recognize application-specific sequences, rewrite application-layer content to make protocols compatible with Port Address Translation (PAT) and Network Address Translation (NAT), and deliver higher-layer content to deep inspection (DI), antivirus, URL filter, and spam filter features, if enabled.

• If you experience a problem that involves the passing or blocking of traffic, the very first place to look is the firewall logs. Often the log messages will give strong hints about the problem.
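The "out of state" behaviour described above, as an added example that is not code from the Juniper guide: a minimal stateful session tracker that keys a session table on the direction-normalized 5-tuple, creates a session only on a SYN, ages sessions out after an idle timeout, and classifies any non-SYN packet without a matching session as out of state. The packet trace, the 1800 s idle timeout and the log labels are all my assumptions (the labels are illustrative and are not Junos syslog formats).

```python
"""
Added example (not code from the Juniper guide): a minimal stateful TCP
session tracker that shows how a firewall classifies a non-SYN packet with
no matching session as "out of state", and how an idle timeout turns the
next packet of a dormant application into exactly that kind of drop.

Assumptions (mine, not the guide's): the packet trace is constructed, the
session table is keyed on the direction-normalized 5-tuple, and the idle
timeout of 1800 s is an assumed value. Log labels are illustrative and are
not Junos syslog formats.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since an arbitrary epoch
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "A", "PA"


class StatefulFirewall:
    def __init__(self, idle_timeout=1800.0):
        self.idle_timeout = idle_timeout
        self.sessions = {}   # normalized 5-tuple -> timestamp of last packet
        self.log = []        # illustrative log lines

    @staticmethod
    def _key(p):
        # Both directions of a flow must map to the same session entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def _expire(self, now):
        # Age out sessions that have been idle longer than the timeout.
        for k in [k for k, last in self.sessions.items()
                  if now - last > self.idle_timeout]:
            del self.sessions[k]
            self.log.append(f"{now:.1f} SESSION_CLOSE idle-timeout {k}")

    def process(self, p):
        """Return the verdict for one packet and update the session table."""
        self._expire(p.ts)
        k = self._key(p)
        if k in self.sessions:
            self.sessions[k] = p.ts          # refresh the idle timer
            return "in-state"
        if p.flags == "S":
            # A real firewall does the policy lookup here; this example
            # assumes the policy permits the session.
            self.sessions[k] = p.ts
            self.log.append(f"{p.ts:.1f} SESSION_CREATE "
                            f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "session-created"
        # Non-SYN packet with no session: an attack, a spoofed packet, or a
        # dormant application whose session aged out. Either way it is logged
        # and dropped, which is why the firewall log is the first place to look.
        self.log.append(f"{p.ts:.1f} SESSION_DENY out-of-state flags={p.flags} "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "out-of-state"


# Constructed sample trace (not a real capture).
SAMPLE_TRACE = [
    Packet(0.0, "10.1.1.10", 40001, "10.2.2.20", 443, "S"),      # handshake starts
    Packet(0.1, "10.2.2.20", 443, "10.1.1.10", 40001, "SA"),     # reply matches session
    Packet(0.2, "10.1.1.10", 40001, "10.2.2.20", 443, "A"),      # handshake completes
    Packet(5.0, "10.1.1.10", 40002, "10.2.2.20", 443, "A"),      # no SYN ever seen
    Packet(2000.0, "10.1.1.10", 40001, "10.2.2.20", 443, "PA"),  # dormant > 1800 s
]


def run_trace(trace, idle_timeout=1800.0):
    """Classify every packet in the trace; returns the list of verdicts."""
    fw = StatefulFirewall(idle_timeout)
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    fw = StatefulFirewall()
    for p in SAMPLE_TRACE:
        print(f"{p.ts:8.1f} {p.flags:3} -> {fw.process(p)}")
    print("\n".join(fw.log))
```

The last packet in the trace is the case the guide warns about: the connection was legitimately opened at t=0, but the application stayed quiet past the idle timeout, so its next data segment reaches the firewall with no session and is logged as out of state. Raising the timeout for that application (the second assertion in the test) or having the application send keepalives is the fix; an out-of-state drop from a source that never completed a handshake, like the fourth packet, is the pattern to treat as suspicious.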

Tools

Junos OS has embedded script tools to simplify and automate some tasks for network engineers. Commit scripts, operation (op) scripts, and event scripts provide self-monitoring, self-diagnosing, and self-healing capabilities to the network. The apply-macro configuration statement feeds user-defined data to a commit script, which extends and customizes the router configuration based on that data and on templates. Together, these tools offer an almost unlimited number of applications to reduce downtime, minimize human error, accelerate service deployment, and reduce overall operational costs. For more information, refer to: www.juniper.net/us/en/community/junos/script-automation.
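The apply-macro pattern described above, as an added example that is not code from the Juniper guide and not Junos's on-box commit-script engine: an off-box illustration in which the user-defined data carried by an apply-macro statement is read and expanded into the configuration an engineer would otherwise type by hand. The macro name "access-vlans", its "vlans" and "description" parameters, and the sample configuration are my assumptions; a real commit script runs on the device in SLAX, XSLT or Python and emits its changes as XML rather than as text.

```python
"""
Added example (not code from the Juniper guide and not Junos's on-box
commit-script engine): an off-box illustration of the apply-macro pattern.
A commit script reads the user-defined data carried in an apply-macro
statement and expands it into the configuration that would otherwise be
typed by hand. The macro name "access-vlans", the "vlans" and "description"
parameters, and the sample configuration are all assumptions made for this
example.
"""
import re

# Constructed sample configuration carrying one apply-macro block.
SAMPLE_CONFIG = """\
interfaces {
    ge-0/0/1 {
        apply-macro access-vlans {
            vlans "110 120 130";
            description "server access";
        }
    }
}
"""

# interface-name { apply-macro NAME { ...body... }
MACRO_RE = re.compile(
    r"(?P<ifname>[\w\-/.:]+)\s*\{\s*apply-macro\s+(?P<macro>[\w\-]+)\s*\{(?P<body>.*?)\}",
    re.DOTALL,
)
# key "value";  or  key value;
PARAM_RE = re.compile(r'(?P<key>[\w\-]+)\s+"?(?P<value>[^";]*)"?\s*;')


def parse_apply_macros(config_text):
    """Map (interface, macro name) -> {parameter: value} for every apply-macro."""
    macros = {}
    for m in MACRO_RE.finditer(config_text):
        params = {p.group("key"): p.group("value").strip()
                  for p in PARAM_RE.finditer(m.group("body"))}
        macros[(m.group("ifname"), m.group("macro"))] = params
    return macros


def render_access_vlans(ifname, params):
    """Expand one access-vlans macro into per-VLAN logical units."""
    vlans = params.get("vlans", "").split()
    if not vlans:
        raise ValueError(f"{ifname}: access-vlans macro needs a 'vlans' parameter")
    for v in vlans:
        # Validate before generating: bad macro data must fail the commit,
        # not silently produce a broken configuration.
        if not v.isdigit() or not 1 <= int(v) <= 4094:
            raise ValueError(f"{ifname}: invalid VLAN ID {v!r}")
    desc = params.get("description", "access")
    lines = ["interfaces {", f"    {ifname} {{", "        vlan-tagging;"]
    for v in vlans:
        lines += [
            f"        unit {v} {{",
            f'            description "{desc} vlan {v}";',
            f"            vlan-id {v};",
            "        }",
        ]
    lines += ["    }", "}"]
    return "\n".join(lines)


# One template per macro name; unknown macros are an error, not ignored.
TEMPLATES = {"access-vlans": render_access_vlans}


def expand_config(config_text):
    """Return the generated configuration for every macro with a known template."""
    out = []
    for (ifname, macro), params in parse_apply_macros(config_text).items():
        if macro not in TEMPLATES:
            raise ValueError(f"{ifname}: no template for apply-macro {macro}")
        out.append(TEMPLATES[macro](ifname, params))
    return "\n".join(out)


if __name__ == "__main__":
    print(expand_config(SAMPLE_CONFIG))
```

The point of the validation branch is the one that matters operationally: a commit script that generates configuration from operator-supplied macro data must reject malformed data (here an out-of-range VLAN ID) and fail the commit, because a template that silently emits a half-correct configuration is the "human error" the tooling was meant to remove.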

Troubleshooting Summary

Presenting an exhaustive and complete troubleshooting guide falls outside the scope of this Data Center LAN Migration Guide. Presented in this section is a methodology for understanding the factors contributing to a problem and a logical approach to the diagnostics needed to investigate root causes. This method relies on the fact that IP networks are modeled around multiple layered architectures, where each layer depends on the services of the underlying layers. From the physical network topology, comprising access, aggregation, and core tiers, to the model of IP communication founded on the seven OSI layers, matching symptoms to the root cause layer is a critical step in the troubleshooting methodology. Juniper platforms have also implemented a layered architecture by integrating separate control and forwarding planes. Once the root cause layer is correctly identified, the next steps are to isolate the problem and to take the needed corrective action at that specific layer.

For more details on platform specifics, please refer to the Juniper technical documentation that can be found at: www.juniper.net/techpubs.

62 Copyright © 2012, Juniper Networks, Inc.
