05-17-2011 07:10 AM
Really? That's the best you can do to look at traffic?
Thank you for making me hate my job when I get calls to look at traffic through SRX.
I need an idiot's guide to traceoptions... and when you're going to put in something useful to look at traffic through the firewall that doesn't involve committing and is easy to watch a TCP handshake, etc.
Please tell me something is in the works or already in some release I'm not running yet.
05-17-2011 07:21 AM
What about policy logs (session-init and session-close)? In many cases you don't need traceoptions.
As for me, I try to avoid them when possible.
You also have packet capture on branch SRX.
But to understand what tool will serve best, we need to understand your task more clearly...
Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
05-17-2011 04:15 PM
Just thought I would chime in here. As PK mentioned, there are some other means to be able to determine whether or not a session is going through the SRX or dropping due to some checks and such. PK mentions session logging. There are also counters shown with 'show interfaces extensive' which can also show flow related drops such as due to TCP sequence checking or no route to destination (search in output for "Flow error statistics"). However, the best way to get a good picture of how traffic is being handled is via the flow traceoptions. You may find the below two KB articles useful.
Going forward, we are looking at ways to add to common CLI commands to help with all kinds of issues that require troubleshooting. Flow tracing is certainly one that we have heard requested before. We will look into ways that can improve this going forward, but hopefully these articles will help for the time being.
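The three tools named in the two replies above (session logging on a policy, the "Flow error statistics" counters, and flow traceoptions narrowed with a packet-filter) as one worked Junos SRX configuration. This is an added example, not configuration posted in the thread or taken from the KB articles it mentions; the zone names, policy name, interface and the addresses 10.1.1.10 (client), 192.0.2.10 (server) and 10.1.1.50 (syslog) are assumed, and the syntax should be checked against the documentation for the Junos release you run.

```junos
## Added example (constructed). Assumed: zones trust/untrust, policy allow-web,
## client 10.1.1.10, server 192.0.2.10, interface ge-0/0/0.

## 1. Session logging on the policy: one RT_FLOW_SESSION_CREATE line when the
##    session is built and one RT_FLOW_SESSION_CLOSE line (with byte/packet
##    counts and close reason) when it ends. No traceoptions needed for
##    "did the SRX ever build a session for this flow?".
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
## keep the session messages in their own local file (branch SRX, default event-mode logging)
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
commit

## 2. Flow-level drop counters: the block the reply says to search for.
run show interfaces ge-0/0/0 extensive | find "Flow error statistics"
## also useful: current sessions for exactly this pair, and the session log file
run show security flow session source-prefix 10.1.1.10 destination-prefix 192.0.2.10
run show log traffic-log | match 192.0.2.10

## 3. Flow traceoptions, but only for the flow under investigation.
##    Without a packet-filter the trace logs every packet on the box; with the
##    two filters below (one per direction) it stays readable and cheap.
set security flow traceoptions file flow-trace
set security flow traceoptions file size 10m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter pf1 source-prefix 10.1.1.10/32
set security flow traceoptions packet-filter pf1 destination-prefix 192.0.2.10/32
set security flow traceoptions packet-filter pf1 destination-port 443
set security flow traceoptions packet-filter pf2 source-prefix 192.0.2.10/32
set security flow traceoptions packet-filter pf2 destination-prefix 10.1.1.10/32
set security flow traceoptions packet-filter pf2 source-port 443
commit

## reproduce the problem, then read the trace; clear it first so old lines don't confuse you
run clear log flow-trace
run show log flow-trace | match 192.0.2.10

## 4. Turn the trace off again when done: it costs CPU and disk on the control plane.
deactivate security flow traceoptions
commit
```

Reading order in practice: the session log tells you whether a session was created and how it closed, the flow error counters tell you whether a class of check (TCP sequence, no route, policy deny) is dropping packets, and the trace shows the per-packet decisions for the one flow you filtered on. The packet-filter matches each direction separately, which is why two filters are defined.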
04-23-2012 05:58 AM
I have to agree... JunOS is making life so difficult. You had a fantastic admin-friendly ScreenOS. I have used ScreenOS for many years and it has the best troubleshooting tool from the CLI. Neither the Cisco nor the Checkpoint "CLI" gave us those wonderful debug outputs. Fault finding was the quickest in ScreenOS products as compared to Cisco ASA or Checkpoint. Being a J Partner consultant, I hate to say this... you are making me hate JunOS. I don't find a simple guide anywhere which gives me tcpdump or snoop or packet flow with a couple of commands. I need to do so much work just to get a quick look at the logs. You have too many documents, and enough to confuse someone about what actually is needed.
Juniper Security skilled guys have worked on ScreenOS in the past. A comparative document to show, this is the way you used to do it in ScreenOS, this is the way you do it in JunOS! That makes life a little easier. Already JunOS configuration is so tedious as compared to ScreenOS. The number of lines or words needed to make any change has increased so much. JunOS has become a developers' playground and a nightmare for engineers. I am struggling to convince support guys to say it's a fantastic product. Sorry to be rude. Just do a market survey, you would feel the heat!
People were scared when you said ScreenOS will be EOL in 2013! Thank god, product management finally moved the EOL to 2015.
This is honest feedback, whether you like it or hate it. I love Juniper but I can't take this anymore!
04-23-2012 01:50 PM
I still class myself as new to Juniper, we brought our first ones up at the end of last summer, and initially I would have agreed that Traceoptions are awkward to use - actually I would still agree but the difference is that over time we have learned to use the operational show commands much more efficiently. I haven't had to use Traceoptions since last year to troubleshoot a thing, everything I need to know can easily be garnered directly from the CLI. I initially really missed the capture (we are using carrier series) and packet-tracer from the ASAs but have since realised they were really a crutch for relatively poor show commands. I actually enjoy troubleshooting on the SRX now more than the ASA (for the record I'm only just heading into P-level Junos certification but have a lot more experience on the Cisco side so it should be the other way around...).
05-10-2012 09:18 AM
tcpdump is available from the shell....
But anyways, yes, spend a little time learning what's available for tools, and Junos isn't so bad to tshoot compared to ScreenOS. There are some sites / docs with ScreenOS->Junos commands, for example:
There are also a few short web classes on IOS-Junos and ScreenOS-Junos
05-10-2012 09:56 PM
tcpdump on the shell only shows control-plane traffic, so I don't see how that is helpful when diagnosing traffic in the forwarding plane. Setting firewall filters and configuring sampling is definitely more tedious than on a Cisco ASA, for example.
To respond to session-init/close being the solution, I've had to troubleshoot ALG problems where the session logs clearly said that the session was created, but it never reached the destination due to an ALG failure. Even security flow traceoptions reported that everything was fine, but the packets never exited the SRX.
Traceoptions do provide more "under the hood" details than are available on the Cisco ASA, so they have value, but they are certainly only valuable to those who can read them.
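The "firewall filters and sampling" route mentioned above is the branch SRX packet-capture feature PK referred to earlier in the thread, and it is the one tool here that captures forwarding-plane packets (unlike tcpdump in the shell, which sees only control-plane traffic). The following is an added example, not configuration from the thread; the interface, filter name, file name and the addresses 10.1.1.10 and 192.0.2.10 are assumed, the feature is branch-SRX only (high-end SRX uses a different mechanism), and the syntax should be verified against your release's documentation.

```junos
## Added example (constructed). Assumed: branch SRX, interface ge-0/0/0,
## client 10.1.1.10, server 192.0.2.10.

## 1. Enable packet capture: where the pcap files go, how many, how big,
##    and how many bytes of each packet to keep (68-1500).
set forwarding-options packet-capture file filename srx-pcap
set forwarding-options packet-capture file files 5
set forwarding-options packet-capture file size 1m
set forwarding-options packet-capture maximum-capture-size 1500

## 2. A firewall filter that samples ONLY the flow of interest and lets
##    everything else through untouched. The final term matters: without it
##    the implicit discard at the end of the filter would drop all other traffic.
set firewall filter capture-web term match-web from source-address 10.1.1.10/32
set firewall filter capture-web term match-web from destination-address 192.0.2.10/32
set firewall filter capture-web term match-web then sample
set firewall filter capture-web term match-web then accept
set firewall filter capture-web term match-reverse from source-address 192.0.2.10/32
set firewall filter capture-web term match-reverse from destination-address 10.1.1.10/32
set firewall filter capture-web term match-reverse then sample
set firewall filter capture-web term match-reverse then accept
set firewall filter capture-web term allow-rest then accept

## 3. Apply the filter in both directions on the interface the traffic crosses
##    (repeat on the second interface if you also want the post-NAT side).
set interfaces ge-0/0/0 unit 0 family inet filter input capture-web
set interfaces ge-0/0/0 unit 0 family inet filter output capture-web
commit

## 4. Reproduce the problem, then read the capture. Files are written per
##    interface under /var/tmp as <filename>.<interface-with-dots>.
run file list /var/tmp/srx-pcap*
start shell
tcpdump -nn -r /var/tmp/srx-pcap.ge-0.0.0
exit

## 5. Remove the filter and capture when done; sampling every packet of a busy
##    flow is not free on a branch box.
delete interfaces ge-0/0/0 unit 0 family inet filter
delete firewall filter capture-web
delete forwarding-options packet-capture
commit
```

Because the capture is tied to an interface, a packet that enters on one interface and never appears in the capture on the egress interface tells you the drop happened inside the SRX, which is exactly the ALG case described above where session logs and even flow traceoptions looked healthy.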
02-19-2013 05:45 PM
I wanted to add a little bit to the discussion. I do have an issue with those requests also. Now I have not yet taken the JSEC class. I am doing that within the next few weeks. So the first thing to help prevent heartaches is to remember the Junos architecture: Control Plane and Data/Forwarding Plane, and traffic processing.
If this solution worked for you, please flag my post as an "Accepted Solution" so others can benefit.