ScreenOS Firewalls (NOT SRX)
Contributor
MM2503
Posts: 12
Registered: ‎04-30-2009

Re: Troubleshooting Tips - Debug commands

Hi Folks,

At the moment I am looking for a way to get payload-level information on a packet trace from around 40 remote sites that each run an SSG20 or SSG140.

I know I can run "snoop detail", then "snoop", then "get db stream" to view the packets.

What I want to do is this:

1: Set the output of snoop to be saved in a format readable by Wireshark, i.e. in a .dmp format, preferably on an NFS or SMB share so the flash on the unit is not consumed for long-duration snooping.

2: I also want to be able to turn the snoop command on and off based on a schedule.

I need to avoid having PCs on each site running Wireshark, as this would be difficult and costly to achieve.

Any advice would be appreciated.

Regards

Marc

Trusted Expert
wzknet
Posts: 52
Registered: ‎07-27-2009

Re: Troubleshooting Tips - Debug commands

Thanks AndyC.

I come from China.

JNCIS-FWV
JNCIS-SEC
JNCIA-ER
JNCIS-ER
CCNA
http://k968888.blog.sohu.com
Trusted Contributor
yorel
Posts: 32
Registered: ‎07-23-2009

Re: Troubleshooting Tips - Debug commands


Hey, I'd like to point out a very useful thing about the output of the debug: how to interpret the protocol and the header of the packet. In the output of Andy's debug we can see this line:
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.1.70.250, port 2396, proto 1)

The packet protocol is 1, that is, ICMP. Now we can see the Type and Code of the packet:
ethernet0/5:10.1.1.5/17152->1.1.70.250/256,1(8/0)<Root>
Type 8: Echo
Code 0: No Code
Result: 10.1.1.5 is sending a ping to 1.1.70.250

A real case occurred to me yesterday. A customer complained to me that the SSG was dropping communications between a router and his syslog server. With a debug I saw the following:
ethernet0.1:4:10.12.11.9/514->10.17.3.9/1051,1(3/3)
I saw in the packet that the protocol was 1, ICMP. The (3/3) means:
Type 3: Destination Unreachable
Code 3: Port Unreachable

That is, the syslog server is sending an ICMP Unreachable with code 3 to the SSG, notifying it that port 514 was not open. This way, I could prove to the customer that the problem was not the SSG, but that the server's port wasn't open.

Hope it helps with future issues,

Regards

Message Edited by yorel on 07-28-2009 11:42 AM
Message Edited by yorel on 07-28-2009 11:44 AM
Message Edited by yorel on 07-28-2009 02:58 PM
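To make the type/code lookup that yorel walks through above repeatable, here is an added Python example (my code, not from the thread and not a Juniper tool). It parses the `interface:src/port->dst/port,proto(type/code)<vsys>` packet lines quoted in the post, treats protocol 1 as ICMP and looks up the type and code names from RFC 792 (plus RFC 1812 for code 13). The regular expression, the field names and the `FlowLine` class are my assumptions about the line layout, inferred only from the two lines in the thread; the TCP line in the sample buffer is constructed.

```python
"""Decode packet lines from ScreenOS "debug flow basic" output, e.g.
    ethernet0/5:10.1.1.5/17152->1.1.70.250/256,1(8/0)<Root>
The number after the comma is the IP protocol; for ICMP (1) the
"(type/code)" group follows, and that is what we turn into names."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# ICMP names per RFC 792 (code 13 of type 3 is from RFC 1812).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo", 11: "Time Exceeded"}
ICMP_CODES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation Needed and DF Set",
        13: "Communication Administratively Prohibited"},
    11: {0: "TTL Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
}

# Assumed line layout, inferred from the two lines quoted in the thread:
# an optional ":<n>" after the interface (as in "ethernet0.1:4:"), the
# "(type/code)" group only for ICMP, and an optional "<vsys>" suffix.
FLOW_RE = re.compile(
    r"^(?P<ifname>[A-Za-z][\w./-]*?)"
    r"(?::(?P<tag>\d+))?"
    r":(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)"
    r"->(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
    r",(?P<proto>\d+)"
    r"(?:\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?"
    r"(?:<(?P<vsys>\w+)>)?\s*$"
)


@dataclass
class FlowLine:
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    vsys: Optional[str] = None


def decode_icmp(icmp_type: int, icmp_code: int) -> Tuple[str, str]:
    """Return (type name, code name); unknown values fall back to the number."""
    type_name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    code_name = ICMP_CODES.get(icmp_type, {}).get(
        icmp_code, "No Code" if icmp_code == 0 else f"code {icmp_code}")
    return type_name, code_name


def parse_flow_line(line: str) -> Optional[FlowLine]:
    """Parse one debug line; None for non-packet lines (RPC table hits etc.)."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return FlowLine(
        ifname=g["ifname"], src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), proto=int(g["proto"]),
        icmp_type=int(g["icmp_type"]) if g["icmp_type"] is not None else None,
        icmp_code=int(g["icmp_code"]) if g["icmp_code"] is not None else None,
        vsys=g["vsys"],
    )


def describe(f: FlowLine) -> str:
    """One-line human reading of a parsed packet (the syslog case reads as
    'ICMP type 3 (Destination Unreachable), code 3 (Port Unreachable)')."""
    if f.proto == 1 and f.icmp_type is not None and f.icmp_code is not None:
        type_name, code_name = decode_icmp(f.icmp_type, f.icmp_code)
        return (f"{f.ifname}: {f.src} -> {f.dst} ICMP type {f.icmp_type} "
                f"({type_name}), code {f.icmp_code} ({code_name})")
    proto = PROTO_NAMES.get(f.proto, f"proto {f.proto}")
    return f"{f.ifname}: {f.src}:{f.sport} -> {f.dst}:{f.dport} {proto}"


def summarize(debug_output: str) -> List[str]:
    """Describe every packet line in a debug buffer, skipping everything else."""
    parsed = (parse_flow_line(line) for line in debug_output.splitlines())
    return [describe(f) for f in parsed if f is not None]


# Constructed sample: the first three lines are the ones quoted in the thread;
# the TCP line is made up to show a non-ICMP packet.
SAMPLE_DEBUG = """\
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.1.70.250, port 2396, proto 1)
ethernet0/5:10.1.1.5/17152->1.1.70.250/256,1(8/0)<Root>
ethernet0.1:4:10.12.11.9/514->10.17.3.9/1051,1(3/3)
ethernet0/0:10.1.1.5/40001->1.1.70.250/22,6<Root>
"""

if __name__ == "__main__":
    for text in summarize(SAMPLE_DEBUG):
        print(text)
```

Run as-is it prints three decoded lines, one per packet line; the RPC mapping line is skipped because it is not a packet. When you meet other ICMP types in a debug, extend ICMP_TYPES/ICMP_CODES rather than the regex.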
Visitor
Brett
Posts: 1
Registered: ‎10-17-2009

Re: Troubleshooting Tips - Debug commands


Hi All,

I came across this the other day and it helped with a problem we were trying to diagnose. This is only useful on the ASIC-based firewalls.

On a per-policy basis you can have traffic that matches the policy NOT processed in hardware. This way you get a lot more information in the debugs, as the CPU will process all traffic. Just need to watch how this affects the CPU performance.

Firewall (VSYS) # set policy id 71 <cr>
Firewall (VSYS/policy:71)(M)-> set no-hw-session

Rgds

Message Edited by Brett on 10-17-2009 08:35 PM
Message Edited by Brett on 10-17-2009 08:36 PM
Message Edited by Brett on 10-17-2009 08:36 PM
Juniper Employee
Ajay
Posts: 8
Registered: ‎02-27-2009

Re: Troubleshooting Tips - Debug commands

Hi Brett,

This is really helpful for diagnosing the problem. On high-end platforms, once the sessions are created, all further packets will be processed in the ASIC in most cases and we will not be able to see any packets in the debug.

When we set no hardware session, the session will not be installed in the ASIC.

We need to be very careful when doing it, because if a lot of traffic hits that particular policy then all the packets hitting that policy will be processed by the CPU, which can cause a network outage.

So what we need to keep in mind is that we create a specific policy which allows only a specific host, and then test it.

Regards,

Ajay

AJ
Visitor
Cameron1
Posts: 6
Registered: ‎01-13-2010

Re: Troubleshooting Tips - Debug commands

Incredibly helpful post by yorel regarding ICMP codes! Very helpful for lab and troubleshooting environments.

Trusted Expert
雨中星辰
Posts: 3
Registered: ‎06-23-2010

Re: Troubleshooting Tips - Debug commands

Thank you!
Visitor
shrikant
Posts: 2
Registered: ‎09-21-2010

Re: Troubleshooting Tips - Debug commands

Can anyone help me with what exactly the following line in the capture means?

POLL_DROP_PAK: vlist 0xb390da4, 0x0

Visitor
agk.pandey@gmail.com
Posts: 8
Registered: ‎02-15-2011

Re: Troubleshooting Tips - Debug commands

Thanks for this link. It's very useful for VPN.

I want to prepare for the JNCIS-FWV exam. Can you please guide me?

I have good experience with Juniper FWs and also with NSM.

Please help.

If you can help me with any reading document then it will be very helpful, as I cannot afford to take the training.

Thanks

Ajay.

Distinguished Expert
spuluka
Posts: 2,566
Registered: ‎03-30-2009

JNCIA-FWV Material

See this previous thread for study material on the ScreenOS firewall certifications.

JNCIA-FWV

JNCIS-FWV


http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/JNCIA-FWV-Certifield/m-p/75724

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.