SRX Services Gateway

Dynamic VPN Client Logging - SRX100H

‎02-03-2016 05:41 AM

Good morning everyone,

 

I am wondering if the SRX100 has the ability to log VPN connections for troubleshooting. This is the first Juniper product I've had to manage in a production environment and I'm just amazed how big the features are on this smaller device. I've been combing menus within the device but I have not come across an area where I could browse through log files to try and troubleshoot why one of my VPN clients has been unable to connect. Not sure if this has to be set up prior or if by default it auto logs these types of transactions.

 

This is the software release -> JUNOS Software Release [12.1X44-D35.5]

 

Thank you


Re: Dynamic VPN Client Logging - SRX100H

‎02-03-2016 06:13 AM

Hi,

 

# set security ike traceoptions file ike-debug
# set security ike traceoptions flag all
# set security ipsec traceoptions flag all
# commit
# run show log ike-debug | match ike << (the match ike statement is optional if you want to specify)

 

When you apply a traceoption for IKE or IPsec, the output for this is written to a file called kmd.

Source: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16273

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: Dynamic VPN Client Logging - SRX100H

‎02-03-2016 06:17 AM
Please attach the VPN configuration here and we'll try to assist you.

For debugging tips:
http://forums.juniper.net/t5/Day-One-Tips/Tips-for-debugging-on-the-SRX/td-p/61550
Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: Dynamic VPN Client Logging - SRX100H

‎02-04-2016 02:18 AM

Hi DQ,

 

If you're looking to log events specifically related to dynamic VPN, I usually use this set of commands to enable such logging:

 

set system syslog file remote-vpn-access any any
set system syslog file remote-vpn-access match "DYNAMIC_VPN| FWAUTH| KMD_VPN_UP_ALARM_USER"

 

Then you can use the command: >show log remote-vpn-access

to read the logs, or you can redirect the logs to a SIEM or syslog server.

 

 

Thanks,
Hisham

Please accept my comment as a solution, if it helped in resolving your issue, to help guide other commentators and encourage others.
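
An added example, not part of the original post: a way to check offline which messages the match string above admits into remote-vpn-access and which VPN-related ones it leaves out. The log lines are constructed, the event tags other than those named in the post are assumed typical Junos tag names, and the helper names are hypothetical; for this literal alternation Python's re behaves the same as a POSIX extended regex.

```python
import re

# Pattern copied verbatim from the "match" statement in the post above,
# including the space after each "|".
MATCH = r"DYNAMIC_VPN| FWAUTH| KMD_VPN_UP_ALARM_USER"

# Constructed sample lines (not captured from a device); hostname, process
# names, PIDs, users and addresses are made up for illustration.
SAMPLE = [
    "Feb  4 02:10:01 srx100 httpd-gk[1412]: DYNAMIC_VPN_AUTH_FAIL: user jdoe failed authentication",
    "Feb  4 02:10:09 srx100 httpd-gk[1412]: DYNAMIC_VPN_AUTH_OK: user jdoe authenticated",
    "Feb  4 02:10:10 srx100 kmd[1288]: KMD_VPN_UP_ALARM_USER: VPN dyn-vpn from 198.51.100.7 is up",
    "Feb  4 02:40:10 srx100 kmd[1288]: KMD_VPN_DOWN_ALARM_USER: VPN dyn-vpn from 198.51.100.7 is down",
    "Feb  4 02:41:00 srx100 kmd[1288]: KMD_PM_SA_ESTABLISHED: Local gateway 203.0.113.1",
    "Feb  4 02:42:00 srx100 sshd[2001]: SSHD_LOGIN_FAILED: Login failed for user 'root'",
]

TAG = re.compile(r"\]: ([A-Z0-9_]+):")  # event tag that follows "process[pid]: "


def tag_of(line):
    """Return the event tag of a syslog line, or None if it has none."""
    m = TAG.search(line)
    return m.group(1) if m else None


def split_by_filter(lines, pattern=MATCH):
    """Split lines into (kept, dropped) the way an unanchored match would."""
    rx = re.compile(pattern)
    kept = [line for line in lines if rx.search(line)]
    dropped = [line for line in lines if not rx.search(line)]
    return kept, dropped


def dropped_vpn_tags(lines, pattern=MATCH, hints=("VPN", "KMD", "IKE")):
    """Tags the filter drops although they look VPN-related (review these)."""
    _, dropped = split_by_filter(lines, pattern)
    tags = {tag_of(line) for line in dropped}
    return sorted(t for t in tags if t and any(h in t for h in hints))


if __name__ == "__main__":
    kept, _ = split_by_filter(SAMPLE)
    print("kept:", [tag_of(line) for line in kept])
    print("dropped but VPN-related:", dropped_vpn_tags(SAMPLE))
```

With this sample the tunnel-down event is dropped because the pattern names only KMD_VPN_UP_ALARM_USER, which matters if the file is meant to show why a client lost its connection.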

Re: Dynamic VPN Client Logging - SRX100H

‎03-09-2020 02:17 PM

Hello,

 

Thank you for providing relevant commands to isolate VPN logs in SRX.

 

Is there a way to send just these logs to a remote syslog? A Linux or SIEM (Splunk etc.)?

If not, is there any other way to send VPN logs only to a remote syslog server?

Thanks!

Zubair

 

 
