SRX Services Gateway

ScreenOS --> SRX trouble shooting commands

10-26-2008 04:16 PM

I've been playing with the SRX a bit and was wondering if there are similar functions in the SRX as there are in the ScreenOS. Some things that come to mind: "debug flow basic", "set ff <options>", and snoop. Other things such as normal debug commands for IKE and other things. Thank you in advance.




Re: ScreenOS --> SRX trouble shooting commands

10-26-2008 09:56 PM

There are multiple ways.

Enable traceoptions under the flow module, and also enable the file/flag options under the security traceoptions module and assign a file name where you want to dump all your debug messages.

For example:


regress@sushmita# set security flow traceoptions ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> file                 Trace file information
> flag                 Events and other information to include in trace output
> packet-filter        Flow packet debug filters
  rate-limit           Limit the incoming rate of trace messages (0..4294967295)
regress@sushmita# set security flow traceoptions file ?
Possible completions:
  <filename>           Name of file in which to write trace information
  files                Maximum number of trace files (2..1000)
  match                Regular expression for lines to be logged
  no-world-readable    Don't allow any user to read the log file
  size                 Maximum trace file size (10240..1073741824)
  world-readable       Allow any user to read the log file
regress@sushmita# set security flow traceoptions flag ?   
Possible completions:
  ager                 Ager events
  all                  All events
  basic-datapath       Basic packet flow
  cli                  CLI configuration and commands changes
  errors               Flow errors
  fragmentation        Ip fragmentation and reassembly events
  high-availability    Flow high-availability information
  host-traffic         Flow host-traffic information
  lookup               Flow lookup events
  multicast            Multicast flow information
  packet-drops         Packet drops
  route                Route information
  session              Session creation and deletion events
  session-scan         Session scan information
  tcp-advanced         Advanced TCP packet flow
  tcp-basic            TCP packet flow
  tunnel               Tunnel information
regress@sushmita# set security flow traceoptions flag all   

regress@sushmita# commit
regress@sushmita# set security traceoptions file debug-file

regress@sushmita# show security flow
traceoptions {
    flag all;

regress@sushmita# show security traceoptions
file debug-file;
flag all;



Some more basic troubleshooting commands:

Status: show chassis hardware/fpc/firmware
Log: show log messages/chassisd
Image link: ls -l /usr/share/pfe




How to check flow:




Debug @ CP:

[    1] T21 In CP flow based processing , mbuf 64027e00, ifl 67ctxt_type 0xd
[    2] T21 lpak_init: lpak 6a1360f8, paksize 4a, machdr 6009f996, iphdr 0x6009f9a4
[    3] T21   cp_flow_first_sanity_check: in <ge-5/0/1.0>, out <N/A>
[    4] T21 search gate for abc:>,6
[    5] T21 gate_search_hash_table: no gate found
[    6] T21   cp_flow_first_create_session
[    7] T21 CP allocates a CP session
[    8] T21 CP couldn't find session, creates a pending session 18
[    9] T21 CP lookup: no session match; created a new one
[   10] T21 CP fwd pkt to SPU ==*9*==, flag: 0x00000100
[   11] T21 cp flow rc 0x14

[   12] T20
CP flow starts, ifl_idx=67
[   13] T20 In CP flow based processing , mbuf 64028000, ifl 67ctxt_type 0xd
[   14] T20 lpak_init: lpak 6a1360f8, paksize 4a, machdr 600a0196, iphdr 0x600a01a4
[   15] T20   cp_flow_first_sanity_check: in <ge-5/0/1.0>, out <N/A>
[   16] T20 search gate for abc:>,6
[   17] T20 gate_search_hash_table: no gate found
[   18] T20   cp_flow_first_create_session
[   19] T20 find flow 0x0x6d098448
[   20] T20 CP found session 18
[   21] T20 CP fwd pkt to SPU ==*9*==, flag: 0x00000100
[   22] T20 cp flow rc 0x14



Debug @ SPU:


[    1] T11 NO flow_pkt_serialization. mbuf 6401f400
[    2] T11 flow process pak, mbuf 6401f400, ifl 67, ctxt_type 17 inq type 1
[    3] T11 lpak_init: lpak 6a1275a8, paksize 4a, machdr 6007d1b6, iphdr 0x6007d1c4
[    4] T11 inq_type 0x1
[    5] T11 Received pkt from CP with tunnel info 0
[    6] T11 <>;6> : <abc/ge-5/0/1.0>
[    7] T11 packet [60] ipid = 37798, @6007d1c4
[    8] T11 flow_process_pkt: local_flag: 0x00000100
[    9] T11  find flow: table 0x6a342df0, hash 9928(0xffff), sa, da, sp 36359, dp 21, proto 6, tok 10
[   10] T11   flow_first_sanity_check: in <ge-5/0/1.0>, out <N/A>
[   11] T11 search gate for abc:>,6
[   12] T11 gate_search_hash_table: no gate found
[   13] T11   flow_first_create_session
[   14] T11 tbl = 0x6a342df0
[   15] T11 tbl = 0x6a342df0
[   16] T11 First path alloc and instl pending session, natp=0x6b147e18, id=9
[   17] T11   flow_first_in_dst_nat: in <ge-5/0/1.0>, out <N/A>
[   18] T11   flow_first_in_dst_nat: dst_adr, sp 36359, dp 21
[   19] T11   chose interface ge-5/0/1.0 as incoming nat if.
[   20] T11   flow_first_routing: Before route-lookup ifp: in <ge-5/0/1.0>, out <N/A>
[   21] T11 flow_first_routing: call flow_route_lookup(): src_ip, x_dst_ip, ifp ge-5/0/1.0, sp 36359, dp 21, ip_proto 6, tos 0
[   22] T11 Doing DESTINATION addr route-lookup
[   23] T11 flow_ipv4_rt_lkup: nh word 0x30010
[   24] T11 flow_ipv4_rt_lkup success, iifl 0x43, oifl 0x44
[   25] T11   routed (x_dst_ip from abc (ge-5/0/1.0 in 128) to ge-6/2/7.0, Next-hop:
[   26] T11   policy search from zone abc-> zone abc
[   27] T11 policy_flow_search: starting policy lookup
[   28] T11 policy_ipv4_lookup: Vsys: (0) Src Zone: (abc) Dst Zone: (abc) src_ip: ( dst_ip: ( src_port: (36359) dst_port: (21) protocol: (6)
[   29] T11 policy_ipv4_lookup: Invalid context entry for ctx: (0/6/6)
[   30] T11 policy_flow_search: no valid policy found,  returning default policy
[   31] T11    policy found 2
[   32] T11 Permitted by policy 2
[   33] T11 flow_first_src_xlate: src nat to returns status 0, dip id 0.
[   34] T11   dip id = 0/0,>
[   35] T11   choose interface ge-6/2/7.0 as outgoing phy if
[   36] T11 is_loop_pak: No loop: on ifp: ge-6/2/7.0, addr:, rtt_idx:0
[   37] T11   session application type 1, name FLOW STUB: LOOKUP DISABLED TO AVOID CRASH,  timeout 1800sec curr_ageout_time:20secs
[   38] T11 FLOW STUB: ALG vector attachment disabled to avoid crash
[   39] T11   service lookup identified service 0.
[   40] T11   flow_first_final_check: in <ge-5/0/1.0>, out <ge-6/2/7.0>
[   41] T11 In flow_first_complete_session
[   42] T11   existing vector list 2-6671d878.
[   43] T11   Session (id:9) created for first pak 2
[   44] T11 first pak processing successful
[   45] T11   flow_first_install_session======> 0x6b147e18
[   46] T11  nsp 0x6b147e18, nsp2 0x6b147e8c
[   47] T11   make_nsp_ready_no_resolve()
[   48] T11 flow_ipv4_rt_lkup: nh word 0x50010
[   49] T11 flow_ipv4_rt_lkup success, iifl 0x0, oifl 0x43
[   50] T11   route to %i???
[   51] T11 tbl = 0x6a342df0
[   52] T11 tbl = 0x6a342df0
[   53] T11 queue pak for pending session 9, natp=0x6b147e18, paks queued 1
[   54] T11 first path session installation succeeded
[   55] T11   flow didn't create session, code=3.
[   56] T11   flow process -- pak is dropped, a copy is queued.
[   57] T11  ----- flow_process_pkt rc 0xf (fp rc 3)

[   58] T11 SPU: post jexec executed, drop packet



Hope this helps.



Raheel Anwar


Follow me on Twitter @anwar_raheel


Re: ScreenOS --> SRX trouble shooting commands

10-27-2008 10:41 PM

To add to Raheel's comments, the traceoption flag which is analogous to 'debug flow basic' is the basic-datapath flag. Also you can configure packet-filters which are analogous to 'set ff' in ScreenOS. The output of flow traceoptions writes to the /var/log/security-trace file by default.

Check out some Application Notes available for JUNOS with enhanced services. SRX uses the same options. In particular the Route-based or Policy-based VPN application notes include a section on flow tracing.

As for the snoop function, packet capture as on the J-Series is not supported yet on the SRX. But it will be in the future. You can use 'monitor traffic' to capture traffic to and from the RE side, but not transit traffic at this time.
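Putting the two replies together (the traceoptions file/flag/packet-filter options listed by Raheel, and the basic-datapath flag and packet-filters recommended above), here is an added example of a scoped flow trace; it is not from either post. The prefixes, ports, file name and filter names are constructed placeholders, and the `#` lines are comments for the reader, to be dropped before pasting into configuration mode.

```junos
# Added example: SRX flow tracing limited to one FTP control connection.
# Placeholders: 10.0.1.10 (client), 192.0.2.25 (server), file name flow-trace.

# 1. Where the trace goes: a dedicated, size-bounded file that only
#    privileged users can read (it will contain addresses and policy results).
set security flow traceoptions file flow-trace
set security flow traceoptions file size 10m
set security flow traceoptions file files 3
set security flow traceoptions file no-world-readable

# 2. What to log: basic-datapath is the counterpart of "debug flow basic".
#    "flag all" works, but on a busy box it floods the file and loads the SPU.
set security flow traceoptions flag basic-datapath

# 3. Which packets: the counterpart of "set ff". A packet-filter matches one
#    direction only, so the reverse direction needs its own filter.
set security flow traceoptions packet-filter c2s source-prefix 10.0.1.10/32
set security flow traceoptions packet-filter c2s destination-prefix 192.0.2.25/32
set security flow traceoptions packet-filter c2s destination-port 21
set security flow traceoptions packet-filter c2s protocol tcp
set security flow traceoptions packet-filter s2c source-prefix 192.0.2.25/32
set security flow traceoptions packet-filter s2c destination-prefix 10.0.1.10/32
set security flow traceoptions packet-filter s2c source-port 21
set security flow traceoptions packet-filter s2c protocol tcp

# Optional ceiling on trace messages per second (rate-limit option shown above).
set security flow traceoptions rate-limit 1000
commit

# Read the result from configuration mode; look for the policy decision,
# the session id and any drop lines, as in the SPU trace quoted above.
run show log flow-trace | match "policy|session|drop"

# Switch the trace off again when finished so it does not keep costing CPU.
deactivate security flow traceoptions
commit
```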


