SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX IPSec VPN Logging

    Posted 09-18-2009 02:47

    Hi All

     

    IPSec Site to Site VPN tunnels, how do I get more info out of the logs:

     

    On a traffic monitor I see the phase2 trying to connect:

     

    17:44:21.639838 Out IP truncated-ip - 376 bytes missing! x.x.x.x.4500 > x.x.x.x.500: isakmp: phase 2/others ? #103[E]: [|#114]

     

    But in the lmd log file there are no errors or warnings, but the VPN is not coming up.



  • 2.  RE: SRX IPSec VPN Logging
    Best Answer

    Posted 09-18-2009 05:46

    Please enable traceoption flags under ike/ipsec to get more information.

     

    thanks

    raheel anwar

     

    example:

     

    root# set security ike traceoptions ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > file                 Trace file information
    > flag                 Tracing parameters for IKE
      no-remote-trace      Disable remote tracing
    {primary:node0}[edit]
    roott# set security ike traceoptions flag all  

     

     

     

    roott# set security ipsec traceoptions flag ?
    Possible completions:
      all                  Trace with all flags enabled
      next-hop-tunnel-binding  Trace next-hop tunnel binding events
      packet-drops         Trace packet drops
      packet-processing    Trace data packet processing events
      security-associations  Trace security association management events
    {primary:node0}[edit]
    roott# set security ipsec traceoptions flag all



  • 3.  RE: SRX IPSec VPN Logging

    Posted 09-18-2009 10:19

    Just to add to Raheel's post, you can specify a file where the logs are going to be collected, and the logs will be located in the /var/log directory.

     

    You can also use the command "show log <filename>"; the filename is the name of the file you specify under the traceoption file hierarchy.

     

    Thanks



  • 4.  RE: SRX IPSec VPN Logging

    Posted 09-20-2009 23:06
    Thanks all, much appreciated


  • 5.  RE: SRX IPSec VPN Logging

    Posted 08-15-2015 05:27

    For IPSEC the traceoptions are logged to the "kmd" file (you have no option to specify another one).

    Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16273