ScreenOS Firewalls (NOT SRX)
Contributor
Corrine
Posts: 28
Registered: ‎07-11-2012
0

unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) file-name

Hi,

 

I want to get the dump files from juniper netscreen 5GT.

After connecting the RS-232 and network cable, and using the 3cdaemon software to set up a TFTP server on the laptop, I entered "get log sys save(d) >tftp IP-address file-name" in the CLI, and it displayed the error "unknown keyword TFTP". Why?

 

When I try to enter the "get log sys save(d)" command in the CLI, nothing is displayed!

 

Could you please tell me where the problem is?

How can I solve it to get the dump files?

 

Thanks.

 

PS: the network cable is connected to trust port 1 on the Juniper NetScreen 5GT

 

B.R.

Corrine

 

Contributor
adgwytc
Posts: 81
Registered: ‎08-09-2010
0

Re: unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) fil

Hmmmm.... Works for me:-

 

get core-dump > tftp {IP Address} {Filename}

 

"get log" on the ssg 5 only gives the following options:-

 

asset-recovery         show asset recovery info
audit-loss-mitigation  show audit-loss-mitigation info
cli                    display cli log entries
flow-deny              show flow deny log info
self                   show self log info
setting                show log setting info
traffic                show traffic log info
usb                    get usb log

 

So, I am not sure what you are trying to achieve other than view the log files.

 

You have to use the "get core-dump" commands.

 

Trusted Expert
samc
Posts: 527
Registered: ‎07-23-2012
0

Re: unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) fil

For the command, please make sure there is a space between ">" and "tftp", otherwise you'll see the error -

get log sys save >tftp ?
^--------unknown keyword >tftp

Should be:

SSG-5-> get log sys save > tftp ?
IPv4 Address

Regards,
Sam

Contributor
Corrine
Posts: 28
Registered: ‎07-11-2012
0

Re: unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) fil

Hi Sam,

 

Thanks for your help.

But about your reply as follows, I have questions here.

 

For the command, please make sure there is a space between ">" and "tftp", otherwise you'll see the error -

get log sys save >tftp ?
^--------unknown keyword >tftp

Should be:

SSG-5-> get log sys save > tftp ?
IPv4 Address

Regards,
Sam

 

 

You mean that I just have a space missing, right?

But have not the command error to acquire the crash dump files?

 

Thanks.

 

B.R.

Corrine

Trusted Expert
samc
Posts: 527
Registered: ‎07-23-2012
0

Re: unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) fil

Hi Corrine,

 

Yes, the missing space is causing the "unknown keyword" error.

 

But in regards to the crash, I'm not familiar with your firewall's history, so I have a few questions.

 

1. what platform?

2. what version of screenOS?

3. output of "get envar"

4. output of "get sys"

5. how do you know it was a crash and not a system lockup, or power-related issue?

6. how frequent is this issue?

 

When an actual crash occurs, some of the trace info is written to the flash, then reset -- this content can be retrieved by "get log sys save". There are rare exceptions where the firewall may not create a crash file, or the system may lock up before being able to write to a file.

 

If this "crash" is frequent, then I suggest connecting to the console port of the firewall and enabling logging on the terminal application (such as hyperterm) -- you do not need to log into the firewall. If a crash occurs, the output will be printed to console, which will help JTAC in troubleshooting the issue.

 

 

Regards,

Sam

 

 

 

Contributor
Corrine
Posts: 28
Registered: ‎07-11-2012
0

Re: unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) fil

Hi Sam,

 

Thanks very much, and sorry for replying to your message late.

 

 

1. what platform?

Hardware Version:1010(0)

 

2. what version of screenOS?

Firmware Version:5.0.0r8.1 (Firewall+VPN)

 

3. output of "get envar"

get envar = get event, right?

 

When the auto-reset happened, the firewall produced some events as follows.

 

012-08-07 09:34:49   system  notif  00029  DNS has been refreshed.
2012-08-07 09:33:58   system  notif  00029  DNS has been refreshed.
2012-08-07 09:33:58   system   info  00004  DNS entries have been refreshed by HA.
2012-08-07 09:33:50   system  notif  00531  The system clock was updated from primary NTP server type 210.72.145.44 with a ms adjustment of 1440428270 ms. Authentication was None. Update mode was Automatic
2012-08-07 09:33:50   system   info  00551  Rapid Deployment cannot start because gateway has undergone configuration changes.
2012-08-07 09:33:50   system  notif  00767  System was reset at 2012-07-13 17:49:16 by netscreen
2012-08-07 09:33:50   system  notif  00767  System is operational.
2012-08-07 09:33:48   system  notif  00513  The physical state of interface untrust has changed to Up
2012-08-07 09:33:48   system  notif  00513  The physical state of interface trust has changed to Up
2012-08-07 09:33:48   system  notif  00535  PKI: Saved CA configuration (CA cert subject name OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US,)
2012-08-07 09:33:48   system  notif  00535  PKI: Saved CA CERT with subject name OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US,
2012-08-07 09:33:48   system  notif  00535  PKI: Saved REFERENCES OF CA CERT with subject name CN=URL,OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US,

 

4. output of "get sys"

I will give you later,but I thought that was ok.

 

5. how do you know it was a crash and not a system lockup, or power-related issue?

I did not know that, but I just suppose that the firewall crashed.

From your question, you meant that a system lockup and a power-related issue show the same event information as a crash, right?

How can I tell these situations apart?

 

 

6. how frequent is this issue?

That happened every two weeks (fourteen days).

 

I entered the command "get log sys save" in the CLI, but nothing was displayed.

 

The resetting happened every fortnight (fourteen days), so I want to export the crash dump information from the firewall flash to the TFTP server.

 

Thanks.

 

B.R.

Corrine

 

 

 

Distinguished Expert
spuluka
Posts: 2,828
Registered: ‎03-30-2009
0

Re: unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) fil

Your instincts are correct.

 

If you have a crash dump on the SSG there is a bug at play.

 

First, update the firmware to the latest release in your OS version. 

 

fw>get sys | inc software

Software Version: 6.2.0r10.0, Type: Firewall+VPN

Check that r10 is the newest in this case in the 6.2 release chain.

 

If not, update and see if the issue has been solved.

 

If the issue is not fixed in the latest release you do want to pull the crash dump to the tftp and open an issue with this information along with your configuration and the output of get tech-support.

 

The information will be passed to the development team and an update created.  When the fix is found they will give you a "cut" release you can have immediately.  And they can tell you which "R" release will have it as a permanent fix in the OS chain.

 

 

 

Steve Puluka BSEET
Juniper Ambassador
Expert Network Security Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Trusted Expert
samc
Posts: 527
Registered: ‎07-23-2012
0

Re: unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) fil

Hi Corrine.

 

As suggested, please upgrade the 5GT. ScreenOS 5.0 is very old and is out of support -- there have been many changes since then.

 

If you are running any UTM features, such as web filtering, anti-virus, then highest you can upgrade to is 5.4.0r25

If you are NOT running any UTM features, then upgrade to 6.2.0r14.

 

After upgrading, I recommend connecting a PC to the console port, opening a terminal application, and enabling logging. If the 5GT does crash, then you'll see additional output printed on the console that JTAC will need to help diagnose the issue.

 

 

"get event" and "get log sys" are volatile, and will be wiped out when a firewall reboots, so they are of no value when troubleshooting crash-related issues.

 

"get log sys save" output is saved to the flash prior to reboot, but again, there can be situations where the firewall does not.

 

"get envar" is not the same as "get event". For this issue, I would look at the line referencing last reset.  If this date does not correspond to the last time the firewall did indeed reset, then there could be other issues beside a "crash".

 

 

 

I believe the next best course of action is to upgrade, then monitor the 5GT.

 

 

Regards,

Sam

Contributor
Corrine
Posts: 28
Registered: ‎07-11-2012
0

Re: unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) fil

Hi Sam,

 

Thanks for your reply and help.

 

About your reply as follows:

"get envar" is not the same as "get event". For this issue, I would look at the line referencing last reset.  If this date does not correspond to the last time the firewall did indeed reset, then there could be other issues beside a "crash".

 

The firewall log indicates the last reset time as 2012-07-13 17:49:16, as follows. That time is indeed when I last reset it myself, after the auto-resetting problem first arose. So, according to your reply, it may be one of the other issues, right?

 

2012-08-07 09:33:50   system  notif  00767  System was reset at 2012-07-13 17:49:16 by netscreen

 

If the firewall has power issues, what kind of logs will appear?

 

I want to change the ScreenOS from the current version to 5.4.0r25, which you recommended before.

Could you please give me some suggestions about my upgrade?

 

Thanks.

B.R.

Corrine

 

Trusted Expert
samc
Posts: 527
Registered: ‎07-23-2012
0

Re: unknown keyword TFTP,when I type the command get log sys save(or saved)>TFTP (IP-address) fil

Hi Corrine,

 

If you did reset manually, then the time in "get envar" will reflect the correct time.

 

If there is a power issue, then "get system" will show how long the system has been up; in addition, "get envar" will show last reset as being a time prior to previous reset.

 

I would upgrade to latest screenOS and monitor the firewall.

 

Here is a KB that shows you how to upgrade the firewall.

 

Please make sure to save the config first (get tech)

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB13672

 

Regards,

Sam
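
The reset-time comparison discussed above, applied to the 00767 event line in the layout quoted in the thread rather than to "get envar" output (whose format the thread does not show). This is an added example, not part of the thread or of any Juniper tool; the sample lines are constructed, collecting them off-box across reboots is an assumption, and the 10-minute tolerance is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the event-log layout quoted in the thread, assumed to
# be collected off-box (e.g. syslog) so entries survive a reboot.
SAMPLE_EVENTS = """\
012-08-07 09:34:49   system  notif  00029  DNS has been refreshed.
2012-08-07 09:33:50   system  notif  00767  System was reset at 2012-07-13 17:49:16 by netscreen
2012-08-07 09:33:50   system  notif  00767  System is operational.
2012-07-13 17:50:02   system  notif  00767  System was reset at 2012-07-13 17:49:16 by netscreen
2012-07-13 17:50:02   system  notif  00767  System is operational.
"""

FMT = "%Y-%m-%d %H:%M:%S"
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
EVENT = re.compile(rf"^({TS})\s+\S+\s+\S+\s+(\d{{5}})\s+(.*)$")
RESET = re.compile(rf"System was reset at ({TS}) by (\S+)")

def classify_boots(text, tolerance=timedelta(minutes=10)):
    """Return one record per boot, in the order logged.

    A boot is 'commanded' when the recorded last-reset time sits just before
    the boot's own log timestamp; a stale reset time means the box restarted
    without a reset command (crash, lockup or power loss).
    """
    boots = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # truncated or garbled line, e.g. a clipped timestamp
        r = RESET.search(m.group(3))
        if not r:
            continue
        logged = datetime.strptime(m.group(1), FMT)
        recorded = datetime.strptime(r.group(1), FMT)
        gap = logged - recorded
        boots.append({
            "boot_logged": logged,
            "recorded_reset": recorded,
            "reset_by": r.group(2),
            "commanded": timedelta(0) <= gap <= tolerance,
        })
    return boots

if __name__ == "__main__":
    for b in classify_boots(SAMPLE_EVENTS):
        kind = "commanded reset" if b["commanded"] else "unexplained restart"
        print(b["boot_logged"], "->", kind, "(last reset", b["recorded_reset"], ")")
```

Timestamps logged before the NTP update at boot may be off, so treat a small gap near the tolerance with caution.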
