SRX Services Gateway
New User
jayk77
Posts: 2
Registered: ‎04-12-2011

traceoptions - I hate you more than life

Really?  That's the best you can do to look at traffic?

Thank you for making me hate my job when I get calls to look at traffic through SRX.

 

I need an idiot's guide to traceoptions... and when you're going to put in something useful to look at traffic through the firewall that doesn't involve committing and is easy to watch a tcp handshake, etc.

Please tell me something is in the works or already in some release I'm not running yet.

 

 

Distinguished Expert
pk
Posts: 803
Registered: ‎10-09-2008

Re: traceoptions - I hate you more than life

Hi,

 

What about policy logs (session-init and session-close)? In many cases you don't need traceoptions.

As for me, I try to avoid them when possible.

You also have packet capture on branch SRX.

But to understand what tool will serve best, we need to understand your task more clearly...

 

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: traceoptions - I hate you more than life

Just thought I would chime in here. As PK mentioned, there are some other means to be able to determine whether or not a session is going through the SRX or dropping due to some checks and such. PK mentions session logging. There are also counters shown with 'show interfaces extensive' which can also show flow related drops such as due to TCP sequence checking or no route to destination (search in output for "Flow error statistics"). However, the best way to get a good picture of how traffic is being handled is via the flow traceoptions. You may find the below two KB articles useful.

 

KB16233 - How to use 'Flow Traceoptions' and the 'security datapath-debug' in SRX series

 

KB16110 - SRX Getting Started -- Troubleshooting Traffic Flows and Session Establishment

 

 

Going forward, we are looking at ways to add to common CLI commands to help with all kinds of issues that require troubleshooting. Flow tracing is certainly one that we have heard requested before. We will look into ways that can improve this going forward, but hopefully these articles will help for the time being.

 

-Richard
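The two tools Richard names above (policy session logging and flow traceoptions), as an added configuration example that is not from any poster or from the KB articles. Zone names trust/untrust, policy name allow-web, interface ge-0/0/0 and the client/server addresses are constructed placeholders; the packet-filter keeps the trace scoped to one flow so the trace file and CPU load stay small.

```junos
# 1. Session logging: one line per session open/close, no trace needed.
#    RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE messages land in the file.
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW

# 2. Scoped flow trace: only packets matching a packet-filter are traced.
#    Addresses are constructed examples (client 10.1.1.10, server 192.0.2.5).
#    One filter per direction so both halves of the TCP handshake appear.
set security flow traceoptions file flow-trace size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter c2s protocol tcp
set security flow traceoptions packet-filter c2s source-prefix 10.1.1.10/32
set security flow traceoptions packet-filter c2s destination-prefix 192.0.2.5/32
set security flow traceoptions packet-filter c2s destination-port 443
set security flow traceoptions packet-filter s2c protocol tcp
set security flow traceoptions packet-filter s2c source-prefix 192.0.2.5/32
set security flow traceoptions packet-filter s2c destination-prefix 10.1.1.10/32
set security flow traceoptions packet-filter s2c source-port 443
commit

# 3. Reproduce the connection, then read the results (operational mode).
#    show log traffic-log                      -> session create/close lines
#    show log flow-trace                       -> per-packet flow decisions
#    show security flow session destination-prefix 192.0.2.5
#    show interfaces ge-0/0/0 extensive | find "Flow error"

# 4. Switch the trace off as soon as you are done; leave session logging on.
deactivate security flow traceoptions
commit
```

The `deactivate` keeps the filter definitions in the configuration so the next trace is an `activate` plus `commit` rather than a rebuild.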

Visitor
soumen.2.paul@bt.com
Posts: 1
Registered: ‎03-29-2011

Re: traceoptions - I hate you more than life

Guys

I have to agree... JunOS is making life so difficult. You had a fantastic admin friendly ScreenOS. I have used ScreenOS for many years and it has the best troubleshooting tool from CLI.. Neither Cisco nor Checkpoint "CLI" gave us those wonderful debug output. Fault finding was the quickest in ScreenOS products as compared to Cisco ASA or Checkpoint. Being a J Partner consultant, I hate to say this.. you are making me hate JunOS. I don't find a simple guide anywhere which gives me TCP DUMP or Snoop or packet flow with a couple of commands. I need to do so much work just to get a quick look at the logs. You have too many documents, enough to confuse someone about what is actually needed.

 

Juniper Security skilled guys have worked on ScreenOS in the past. A comparative document to show, this is the way you used to do it in ScreenOS, this is the way you do it in JunOS! That makes life a little easier. Already JunOS configuration is so tedious as compared to ScreenOS. The number of lines or words to make any changes has increased so much. JunOS has become a developers' playground and a nightmare for engineers. I am struggling to convince support guys to say, it's a fantastic product. Sorry to be rude. Just do a market survey, you would feel the heat!

People were scared when you said ScreenOS will be EOL in 2013! Thank god, product management finally moved the EOL to 2015.

 

This is honest feedback. Like it or hate it. I love Juniper but I can't take this anymore!

 

Regards

Soumen Paul

JNCIS JunOS
JNCIS FWV
Contributor
Ahriakin
Posts: 30
Registered: ‎05-29-2011

Re: traceoptions - I hate you more than life

I still class myself as new to Juniper, we brought our first ones up at the end of last summer, and initially I would have agreed that Traceoptions are awkward to use - actually I would still agree but the difference is that over time we have learned to use the operational show commands much more efficiently. I haven't had to use Traceoptions since last year to troubleshoot a thing, everything I need to know can easily be garnered directly from the CLI. I initially really missed the capture (we are using carrier series) and packet-tracer from the ASAs but have since realised they were really a crutch for relatively poor show commands. I actually enjoy troubleshooting on the SRX now more than the ASA (for the record I'm only just heading into P-level Junos certification but have a lot more experience on the Cisco side so it should be the other way around...).

Contributor
ed_gpc
Posts: 195
Registered: ‎09-21-2010

Re: traceoptions - I hate you more than life

tcpdump is available from the shell....

 

But anyways, yes, spend a little time learning what's available for tools, and junos isn't so bad to tshoot compared to screenos. There are some sites / docs with screenos->junos commands, for example:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14000

 

There are also a few short web classes on IOS-Junos and ScreenOS-Junos

Contributor
ecables
Posts: 39
Registered: ‎07-25-2011

Re: traceoptions - I hate you more than life

tcpdump on the shell only shows control-plane traffic, so I don't see how that is helpful when diagnosing traffic in the forwarding plane. Setting firewall filters and configuring sampling is definitely more tedious than on a Cisco ASA, for example.

 

To respond to session-init/close being the solution, I've had to troubleshoot ALG problems where the session logs clearly said that the session was created, but it never reached the destination due to an ALG failure. Even security flow traceoptions reported that everything was fine, but the packets never exited the SRX.

 

Traceoptions do provide more "under the hood" details than are available on the Cisco ASA, so they have value, but they are certainly only valuable to those who can read them.
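The forwarding-plane capture that PK and ecables refer to (branch SRX packet-capture driven by a sampling firewall filter), as an added example that is not from any poster. It assumes a branch SRX, interface ge-0/0/0 and constructed addresses; the capture file is written by the data plane, so it contains the transit packets that `tcpdump` in the shell never sees.

```junos
# Branch SRX only. Capture goes to /var/tmp, one file per interface,
# in pcap format; 1500 bytes per packet so the full TCP header is kept.
set forwarding-options packet-capture file filename pcap-trace files 5 size 1m
set forwarding-options packet-capture maximum-capture-size 1500

# Sample only the flow under investigation (constructed addresses:
# client 10.1.1.10, server 192.0.2.5); everything else is accepted untouched.
set firewall filter pcap-filter term to-server from source-address 10.1.1.10/32
set firewall filter pcap-filter term to-server from destination-address 192.0.2.5/32
set firewall filter pcap-filter term to-server then sample
set firewall filter pcap-filter term to-server then accept
set firewall filter pcap-filter term from-server from source-address 192.0.2.5/32
set firewall filter pcap-filter term from-server from destination-address 10.1.1.10/32
set firewall filter pcap-filter term from-server then sample
set firewall filter pcap-filter term from-server then accept
set firewall filter pcap-filter term allow-rest then accept

# Bind in both directions so both halves of the handshake are captured.
set interfaces ge-0/0/0 unit 0 family inet filter input pcap-filter
set interfaces ge-0/0/0 unit 0 family inet filter output pcap-filter
commit

# Reproduce the connection, then locate and retrieve the capture:
#   file list /var/tmp                   -> pcap-trace.<interface> files
#   file copy /var/tmp/<file> scp://user@host/path/   (open in Wireshark)

# Remove the capture as soon as you are done; the filter keeps sampling
# every matching packet until it is taken off the interface.
delete interfaces ge-0/0/0 unit 0 family inet filter
deactivate forwarding-options packet-capture
commit
```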

Distinguished Expert
lyndidon
Posts: 1,282
Registered: ‎06-06-2011

Re: traceoptions - I hate you more than life

I wanted to add a little bit to the discussion. I do have an issue with those requests also. Now I have not yet taken the JSEC class. I am doing that within the next few weeks. So the first thing to help prevent heartaches is to remember the Junos architecture: Control Plane and Data/Forwarding plane and traffic processing.
