08-06-2012 06:01 PM
Hi,
I want to get the dump files from a Juniper NetScreen 5GT.
After connecting the RS-232 and network cables and using the 3CDaemon software to set up a TFTP server on my laptop, I entered "get log sys save(d) >tftp IP-address file-name" in the CLI, and it displayed an error: unknown keyword TFTP. Why?
When I try to input the "get log sys save(d)" command in the CLI, nothing is displayed!
Could you please tell me where the problem is?
How can I solve it to get the dump files?
Thanks.
PS: the network cable is connected to trust port 1 on the Juniper NetScreen 5GT.
B.R.
Corrine
08-07-2012 12:13 AM
Hmmmm.... Works for me:-
get core-dump > tftp {IP Address} {Filename}
"get log" on the ssg 5 only gives the following options:-
asset-recovery show asset recovery info
audit-loss-mitigation show audit-loss-mitigation info
cli display cli log entries
flow-deny show flow deny log info
self show self log info
setting show log setting info
traffic show traffic log info
usb get usb log
So, I am not sure what you are trying to achieve other than view the log files.
You have to use the "get core-dump" commands.
08-07-2012 05:47 AM
08-07-2012 06:31 PM
Hi Sam,
Thanks for your help.
But about your reply as follows, I have questions here.
You mean that I just have a space missing, right?
But have not the command error to acquire the crash dump files?
Thanks.
B.R.
Corrine
08-08-2012 05:10 AM
Hi Corrine,
Yes, the missing space is causing the "unknown keyword" error.
But in regards to the crash, I'm not familiar with your firewall's history, so I have a few questions.
1. what platform?
2. what version of screenOS?
3. output of "get envar"
4. output of "get sys"
5. how do you know it was a crash and not a system lockup, or power-related issue?
6. how frequent is this issue?
When an actual crash occurs, some of the trace info is written to the flash, then reset -- this content can be retrieved by "get log sys save". There are rare exceptions where the firewall may not create a crash file, or the system may lock up before being able to write to a file.
If this "crash" is frequent, then I suggest connecting to the firewall's console port and enabling logging in the terminal application (such as HyperTerm) -- you do not need to log into the firewall. If a crash occurs, the output will be printed to the console, which will help JTAC in troubleshooting the issue.
Regards,
Sam
08-08-2012 10:54 PM
Hi Sam,
Thanks very much, and sorry for my late reply.
1. what platform?
Hardware Version:1010(0)
2. what version of screenOS?
Firmware Version:5.0.0r8.1 (Firewall+VPN)
3. output of "get envar"
get envar = get event, right?
When the auto-reset happened, the firewall produced some events as follows.
012-08-07 09:34:49 system notif 00029 DNS has been refreshed.
2012-08-07 09:33:58 system notif 00029 DNS has been refreshed.
2012-08-07 09:33:58 system info 00004 DNS entries have been refreshed by HA.
2012-08-07 09:33:50 system notif 00531 The system clock was updated from primary NTP server type 210.72.145.44 with a ms adjustment of 1440428270 ms. Authentication was None. Update mode was Automatic
2012-08-07 09:33:50 system info 00551 Rapid Deployment cannot start because gateway has undergone configuration changes.
2012-08-07 09:33:50 system notif 00767 System was reset at 2012-07-13 17:49:16 by netscreen
2012-08-07 09:33:50 system notif 00767 System is operational.
2012-08-07 09:33:48 system notif 00513 The physical state of interface untrust has changed to Up
2012-08-07 09:33:48 system notif 00513 The physical state of interface trust has changed to Up
2012-08-07 09:33:48 system notif 00535 PKI: Saved CA configuration (CA cert subject name OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US,)
2012-08-07 09:33:48 system notif 00535 PKI: Saved CA CERT with subject name OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US,
2012-08-07 09:33:48 system notif 00535 PKI: Saved REFERENCES OF CA CERT with subject name CN=URL,OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US,
4. output of "get sys"
I will give it to you later, but I thought that was OK.
5. how do you know it was a crash and not a system lockup, or power-related issue?
I did not know that, but I just suppose that the firewall crashed.
From your question, you meant that a system lockup and a power-related issue show the same event information as a crash, right?
How can I tell these situations apart?
6. how frequent is this issue?
That happened every two weeks (fourteen days).
I input the command "get log sys save" in the CLI, but nothing is displayed.
The reset happens every fortnight (fourteen days), so I want to export the crash dump information from the firewall flash to the TFTP server.
Thanks.
B.R.
Corrine
08-09-2012 03:35 AM
Your instincts are correct.
If you have a crash dump on the SSG there is a bug at play.
First, update the firmware to the latest release in your OS version.
fw>get sys | inc software
Software Version: 6.2.0r10.0, Type: Firewall+VPN
Check that r10 is the newest in this case in the 6.2 release chain.
If not, update and see if the issue has been solved.
If the issue is not fixed in the latest release you do want to pull the crash dump to the tftp and open an issue with this information along with your configuration and the output of get tech-support.
The information will be passed to the development team and an update created. When the fix is found they will give you a "cut" release you can have immediately. And they can tell you which "R" release will have it as a permanent fix in the OS chain.
08-09-2012 05:35 AM
Hi Corrine.
As suggested, please upgrade the 5GT. ScreenOS 5.0 is very old and is out of support -- there have been many changes since then.
If you are running any UTM features, such as web filtering or anti-virus, then the highest you can upgrade to is 5.4.0r25.
If you are NOT running any UTM features, then upgrade to 6.2.0r14.
After upgrading, I recommend connecting a PC to the console port, opening a terminal application, and enabling logging. If the 5GT does crash, then you'll see additional output printed on the console that JTAC will need to help diagnose the issue.
"get event" and "get log sys" are volatile, and will be wiped out when a firewall reboots, so they are of no value when troubleshooting crash-related issues.
"get log sys save" output is saved to the flash prior to reboot, but again, there can be situations where the firewall does not.
"get envar" is not the same as "get event". For this issue, I would look at the line referencing last reset. If this date does not correspond to the last time the firewall did indeed reset, then there could be other issues besides a "crash".
I believe the next best course of action is to upgrade, then monitor the 5GT.
Regards,
Sam
08-09-2012 06:19 PM
Hi Sam,
Thanks for your reply and help.
About your reply as follows:
"get envar" is not the same as "get event". For this issue, I would look at the line referencing last reset. If this date does not correspond to the last time the firewall did indeed reset, then there could be other issues beside a "crash".
The firewall log indicated that the last reset time was 2012-07-13 17:49:16, as follows. That is indeed the time I reset it, the last time, after the auto-resetting problem first arose, so according to your reply, that may be other issues, right?
2012-08-07 09:33:50 system notif 00767 System was reset at 2012-07-13 17:49:16 by netscreen
If the firewall has power issues, what kind of logs will appear?
I want to change the ScreenOS from the current version to 5.4.0r25, which you recommended before.
Could you please give me some suggestions about my upgrade?
Thanks.
B.R.
Corrine
08-10-2012 05:08 AM
Hi Corrine,
If you did reset manually, then the time in "get envar" will reflect the correct time.
If there is a power issue, then "get system" will show how long the system has been up; in addition, "get envar" will show last reset as being a time prior to previous reset.
I would upgrade to the latest ScreenOS and monitor the firewall.
Here is a KB that shows you how to upgrade the firewall.
Please make sure to save the config first (get tech)
http://kb.juniper.net/InfoCenter/index?page=conten
Regards,
Sam
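Added example, not part of any post in this thread: a Python script that applies the check Sam describes (does the recorded last reset match the time the firewall actually came back up?) to event lines like the ones Corrine posted. The message formats are taken from those lines; the function names and the 10-minute tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: event lines copied from the thread (the first is truncated there too).
SAMPLE_LOG = """\
012-08-07 09:34:49 system notif 00029 DNS has been refreshed.
2012-08-07 09:33:58 system notif 00029 DNS has been refreshed.
2012-08-07 09:33:50 system notif 00767 System was reset at 2012-07-13 17:49:16 by netscreen
2012-08-07 09:33:50 system notif 00767 System is operational.
2012-08-07 09:33:48 system notif 00513 The physical state of interface trust has changed to Up
"""

TS = "%Y-%m-%d %H:%M:%S"
STAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
LINE = re.compile(rf"^({STAMP}) system (\w+) (\d{{5}}) (.*)$")
RESET = re.compile(rf"System was reset at ({STAMP}) by (\S+)")

def parse_events(text):
    """Return (logged_at, level, msg_id, message) for each well-formed line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # truncated or wrapped lines are skipped, not fatal
            events.append((datetime.strptime(m.group(1), TS), *m.group(2, 3, 4)))
    return events

def unexplained_boots(text, tolerance=timedelta(minutes=10)):
    """Find boots whose recorded 'last reset' is much older than the boot.

    Assumption: a commanded reset is recorded within `tolerance` of the
    'System is operational' message that follows it. A larger gap means the
    boot was not an operator reset (crash, lockup or power loss).
    """
    events = parse_events(text)
    boots = [t for t, _, mid, msg in events
             if mid == "00767" and msg.startswith("System is operational")]
    findings = []
    for logged_at, _, mid, msg in events:
        m = RESET.search(msg)
        if mid != "00767" or not m:
            continue
        reset_at = datetime.strptime(m.group(1), TS)
        boot = min(boots, key=lambda b: abs(b - logged_at), default=logged_at)
        if boot - reset_at > tolerance:
            findings.append({"boot": boot, "last_reset": reset_at,
                             "by": m.group(2), "gap_days": (boot - reset_at).days})
    return findings

if __name__ == "__main__":
    for f in unexplained_boots(SAMPLE_LOG):
        print(f"boot at {f['boot']}: last recorded reset {f['last_reset']} "
              f"by {f['by']}, {f['gap_days']} days earlier")
```

Because "get event" is wiped on reboot, this only helps on lines captured after the firewall comes back up or forwarded off-box beforehand.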