SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Debug IKE proposals

    Posted 08-13-2012 13:46

    Is it possible using IKE traceoptions or IKE debug to see which proposal options a peer is attempting to negotiate phase1 with?

    I'd like to have someone configure an ASA with "random" proposals and see if I can debug/trace what those are and create the appropriate config. Unless I'm missing something though, flag all and/or ike debug do not show this.


  • 2.  RE: Debug IKE proposals

    Posted 08-15-2012 00:43

    Hello, if you have configured traceoptions, you can check the kmd log (show log kmd).



  • 3.  RE: Debug IKE proposals

    Posted 08-15-2012 07:05

    I've done this, and debug. But it doesn't actually show which proposal the peer sent, just that there is a mismatch.



  • 4.  RE: Debug IKE proposals

    Posted 08-15-2012 13:07

    You can pump up the debug level:

    Non-traceoptions way (if you have a new enough JUNOS, I don't remember when this became possible):

    > request security ike debug-enable level 15 local <local> remote <remote>

    This dumps into kmd log.

    Using traceoptions:

    # set security ike traceoptions file ike-debug size 10m files 2
    # set security ike traceoptions flag all
    # set security ike traceoptions level 15

    This will put the logs into the ike-debug file and keep it separate from kmd.