
[ScreenOS] How to run a 'debug ike detail'?


Article ID: KB14620 | Last Updated: 19 Mar 2020 | Version: 5.0
Summary:

A debug ike detail can help when troubleshooting a VPN that has issues. This article gives information on how to run this command.


Symptoms:

I cannot determine the reason my VPN will not become active. Is there a debug that will help?


Solution:

First, before running debug ike, check the event log. The event log gives excellent descriptions for VPN errors.

get log event

Also, refer to the VPN Resolution Guide for troubleshooting your VPN connectivity: KB9221 - [ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up.


If further analysis is needed, perform the following to obtain the debug ike output. Before running debug ike detail, it is best to filter on the gateway IP address of the SA for the troubled VPN, so that the debug buffer is not flooded with output from other tunnels.

  1. Enter the command get sa, and note the gateway IP address in question:

    ns-> get sa
    total configured sa: 1
    HEX ID      Gateway   Port  Algorithm      SPI       Life:sec  kb     Sta  PID  vsys
    00000001<   1.1.1.1   500   esp: des/md5   00000000  expir     unlim  I/I  1    0
    00000001>   1.1.1.1   500   esp: des/md5   00000000  expir     unlim  I/I  2    0
  2. Set an SA filter (not a flow filter) for the gateway IP address, so that only debugs related to that VPN gateway are captured:

    ns5400-> set sa-fil 1.1.1.1
    <1.1.1.1> is added to the SA IP filters
  3. Begin the debug:

    ns-> undebug all          (to turn off any debugs currently enabled)
    ns-> set db size 4096     (to increase the debug buffer)
    ns-> clear db             (to clear the debug buffer)
    ns-> debug ike detail
    ns-> debug pki all        (only if using certificates)

    [Attempt to bring the VPN up, or, if rekey is enabled, wait for the VPN to reconnect. The output of 'get event' will indicate when the negotiation starts and fails. After the VPN failure, run 'undebug all' so that the debugs stop overwriting the circular buffer.]

    ns-> get db stream        (to view the debug output)

    When done, perform the following clean-up:

    ns-> unset db size        (to return the debug buffer size to the default)
    ns-> undebug all          (to turn off debugs)
The results of the debug will have the IP address of the sa-filter at the beginning.
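Added example, not part of this Juniper article: a small Python script that parses 'get sa' output in the column layout shown in step 1, lists the unique gateway addresses, and produces the command sequence from steps 2 and 3 for a chosen gateway. The sample 'get sa' text is constructed from the table above, and the regular expression assumes that column order (an assumption based on this article, not a documented ScreenOS output specification).

```python
import re
from typing import List

# Constructed sample modelled on the 'get sa' table reproduced in this article
# (not captured from a real device).
SAMPLE_GET_SA = """\
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 1.1.1.1 500 esp: des/md5 00000000 expir unlim I/I 1 0
00000001> 1.1.1.1 500 esp: des/md5 00000000 expir unlim I/I 2 0
"""

# One SA row: HEX ID with its '<' or '>' marker, gateway, port, "proto: alg/alg",
# SPI, lifetime in seconds and kilobytes, Sta, PID, vsys. Header lines do not match.
SA_ROW = re.compile(
    r"^(?P<hex_id>[0-9a-fA-F]{8})(?P<direction>[<>])\s+"
    r"(?P<gateway>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<algorithm>\w+:\s*\S+)\s+(?P<spi>[0-9a-fA-F]{8})\s+"
    r"(?P<life_sec>\S+)\s+(?P<life_kb>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<pid>\d+)\s+(?P<vsys>\d+)\s*$"
)

def parse_get_sa(text: str) -> List[dict]:
    """Return one dict per SA row of 'get sa' output; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("port", "pid", "vsys"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def gateways(rows: List[dict]) -> List[str]:
    """Unique peer gateway addresses: the values to give to 'set sa-fil'."""
    return sorted({r["gateway"] for r in rows})

def debug_commands(gateway: str, use_certificates: bool = False) -> List[str]:
    """Command sequence from this article (steps 2 and 3) for one filtered gateway."""
    cmds = [f"set sa-fil {gateway}", "undebug all", "set db size 4096",
            "clear db", "debug ike detail"]
    if use_certificates:
        cmds.append("debug pki all")   # only relevant for certificate-based IKE
    return cmds

if __name__ == "__main__":
    for gw in gateways(parse_get_sa(SAMPLE_GET_SA)):
        print("\n".join(debug_commands(gw)))
```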

For a sample output of debug ike detail, refer to KB22768 - Understanding VPN negotiation messages in main mode along with snoop and debug flow basic.

If you need to open a JTAC case, the outputs of the following commands provide additional information that will be helpful:

get tech
get event
get ike cookie
get sa


Modification History:

2020-03-19: Minor changes made in Summary section; article checked for accuracy and found to be valid and relevant

2017-12-07: Article reviewed for accuracy. Tagged article as ScreenOS in title of the KB. Minor grammatical change done. Article is correct and complete.
