[ScreenOS] Data Collection Checklist - Logs/data to collect for troubleshooting

  [KB23844]


Summary:

Data Collection and Troubleshooting Guides can help with issue investigation as well as reduce time-to-resolve. Each problem/issue could require a different set of data to collect. This article contains a list of data to collect as well as pointers to Resolution Guides and references on how to collect the data.

Symptoms:

What information should I collect to assist in troubleshooting prior to opening a case?

The goal of this document is to reduce the time spent on initial data collection and reduce time-to-resolve by providing a comprehensive list of what to collect or gather to troubleshoot an issue.

Solution:

Section Contents

Caveats and Tips

  • Debugs require additional system resources to gather and store data
    • Dbuf stream is limited to a maximum of 4 MB. On SSG series devices, the debug output can be saved to a USB flash drive.
    • Gauge current system utilization before enabling any debugs.
      • get performance cpu all detail
    • Instead of using "all", you can flag specific areas of interest.
    • Don’t forget to turn off all debugs before exiting.
      • "undebug all" or press the escape key (Esc) on your keyboard.
      • Any administrator logging out of the system will automatically turn off all debugs.
  • To deactivate paging (output stopping each page requiring you to press the space bar), issue set console page 0.
    • To re-enable, issue unset console page or set console page <number of lines>.
  • All output can be redirected to a TFTP server by appending "> tftp x.x.x.x filename".
    • x.x.x.x is the IP of the TFTP server.
    • filename is the name of the file to which the output is saved on the TFTP server.
  • Before collecting ANY information, ensure that logging is enabled on your terminal application (Putty, SecureCRT, etc.). Some of the outputs can be very long.
  • <> indicates that a variable must be entered (for example, <x.x.x.x> must be replaced with the IP address in question).
  • # indicates a comment. Read the comments. You can paste the comments into the command line without any issues.
  • All debugs indicated need to be run at the same time. For example, Anti-Spam requires both debug flow basic and debug anti-spam all at the same time.


Data to Collect for All Configurations

Regardless of configuration, all cases will benefit by attaching the session captures, requested information output, and logs when initially opening the case. If you need to investigate an intermittent concern (for example, slow transfers at peak hours), be sure to collect this data at the time of the problem.

Basic information to collect for all issues

Background Information:
1. Provide all SSH/Telnet/console session captures
2. Provide any available topology information
3. Summary of how the device is being used (production, lab system, co-location, etc.)
4. Summary of device history (new install, production for X months/years, other recent cases, etc.)
5. Summary of any recent changes in the network or on the device

Logs:
get tech-support
get event
get log sys
get log sys saved
get performance cpu all detail
get performance session detail
get session info
get dbuf stream

See Reference section for the following:

  • How to gather the data
  • Resolution Guides
  • Technical Bulletins
  • Technical Documentation


Data to Collect for Specific Issues:

Anti-Spam
Antivirus (AV)
Application Layer Gateway (ALG)
Asymmetric Digital Subscriber Line (ADSL)
Authentication
Auto Connect VPN (AC-VPN)
Border Gateway Protocol (BGP)
Buffer (net-pak) leak
Crash
Deep Inspection (DI)
Dial-up VPN
Dynamic IP (DIP)
Extended Authentication (XAuth)
Frame Relay
GPRS Tunneling Protocol (GTP)
H.323
High CPU (5.4 and lower)
High CPU (6.0r2 and higher)
Infranet Controller / Enforcer
Integrated Services Digital Network (ISDN)
Management
Media Gateway Control Protocol (MGCP)
Memory
Multicast (IGMP)
Multicast (PIM)
Multi-Link Frame Relay
NetScreen Redundancy Protocol (NSRP)
Open Shortest Path First (OSPF)
Point to Point Protocol (PPP) (including Multi-link PPP)
Point to Point Tunneling Protocol (PPTP)
Policy Based Routing (PBR)
Port Authentication (802.1x)
Remote Procedure Call (RPC)
Session Initiation Protocol (SIP)
Skinny Client Control Protocol (SCCP)
Static Routing
SurfControl (Redirect or integrated URL filtering)
Throughput
Traffic failing for a specific host / application -- (Basic debug)
Traffic Shaping
Virtual Private Network (VPN)
Virtual Router Redundancy Protocol (VRRP)
WebSense (Redirect URL filtering)
Wireless

Anti-Spam

Commands:
get memory
get os task
get net-pak stats
get socket
get tcp
get anti-spam

Debugs:
debugs from "Traffic failing for a specific host/application"
debug anti-spam all

Additional Information:
External sniffer captures from the directly connected device on both sides of the firewall.

Antivirus (AV)

Commands:
get av
get av all
get av scan
get av stat
get av session
get asp stat
get memory
get os task
get net-pak stats
get socket
get tcp
get av scan-mgr


Repeat next block of commands 4 to 5 times at 10-second intervals:

get clock
get counter stat
get net-pak stats
get mem
get os task
get session info
get net-pak

Debugs:
debug apppry basic
debug av basic
debug av engine


If update related:

debug av updater
debug httpfx all

If scan related:

debug av scan-file
debug av no-scan


Application Layer Gateway (ALG)

Commands:
get alg
get alg <alg name>
get rm group active
get rm resource active
get nat cookie | include allocated

Debugs:
debug <alg name> all
# If it fails, then "debug nat <alg name>"

debug rm all
debug nat gate
debugs from "Traffic failing for a specific host/application"

Additional Information:
Try disabling ALG globally using unset alg <alg name>, or per policy using the commands below:

set policy id <#>
set application ignore

Asymmetric Digital Subscriber Line (ADSL)

Commands:
Get adsl basic
Get int ad
Get adsl stat
Get adsl <#> basic
Get adsl <#> if-stats
Get adsl <#> sar
get adsl <#> stats
get adsl <#> training-status
get adsl <#> vc-info
get adsl <#> memory
get interface adsl
get interface adsl extensive

If PPPoE:

get pppoe all
get pppoe name <name>


If PPPoA:

Get pppoa all
Get pppoa name <name>

Debugs:
Exec adsltest <#> ping

If PPPoE:

Debug pppoe basic
Exec pppoe name <name> disconnect
Clear dbuf
Exec pppoe name <name> connect
Undebug all
Get dbuf stream

If PPPoA:

Debug pppoa all
Exec pppoa name <name> disconnect
Clear dbuf
Exec pppoa name <name> connect
Undebug all
Get dbuf stream

Additional Information:
See KB12137 – "ADSL card is not loading; event log "ADSL2/0 SOC Firmware Failed (Load Bootrom Failure)" is reported"

Authentication

Commands:
get auth history
get auth queue
get auth statistics
get auth settings
get auth table

If L2tp:

get L2tp all
get L2tp <name>
get L2tp <name> active

Debugs:
debug auth <option>
Debug proxy all
Debugs from "Traffic failing for a specific host/application"

Auto Connect VPN (AC-VPN)

Commands:
Run the following commands on the hub and both spokes simultaneously:

get ike cookie
get nsp
get sa
get sa stat
get sa id <#>

# SA IDs are in hex, so you need to put "0x" in front of the id.
# Example: get sa id 0x01

Enter the virtual router configured for NHRP using set vr <vr>.

get protocol nhrp
get proto nhrp cache
get proto nhrp peer

Debugs:
Run the following debugs on the hub and both spokes simultaneously:

set sa-filter <x.x.x.x>
# <x.x.x.x> is the peer gateway.

debug ike detail
debug pki detail

# Use PKI debug only if VPN uses certificates.

debug auth all
debug nhrp all

Border Gateway Protocol (BGP)

Commands:
get route
get route summary
get session src-ip <x.x.x.x>
get session dst-ip <x.x.x.x>
get route ip <x.x.x.x>
# <x.x.x.x> is the route in question.

get route id <#>
# <#> is the ID of the route in question and is found in the "get route" or "get route ip" command.

get os task
get task bgp
get interface <interface> | include "status change"
# Available only in 6.2 and 6.3.

Enter the virtual router configured for BGP using set vr <vr>.

get proto bgp config
get proto bgp neighbor
get proto bgp network
get proto bgp redistrib
get proto bgp rib-in
get proto bgp router-id
get proto bgp rib received
# rib received available only in 6.2 and 6.3.

get proto bgp rib advertised
# Available only in 6.2 and 6.3.

Debugs:
debug bgp all

Buffer (net-pak) leak

Commands:
get session frag
get tcp


Repeat next block of commands 2 to 3 times at 10-second intervals:

get clock
get performance cpu all detail
get performance session detail
get net-pak
get net-pak stats
get net-pak distribute
get net-b
get memory pool
get counter statistics

Debugs:
If the ‘failed’ counter from ‘get net-pak stats’ is incrementing and the ‘free’ counters do not decrement for over one hour, collect the following information.

debug npak get
# Keep this running and ensure no one logs in to or out of the firewall. See "Keep debugs running after logging out" below.

Using a script, capture the following command every 15 minutes:

get clock
get net-pak stats
get net-pak
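
An added example, not part of the original article and not Juniper code: one way to script the 15-minute capture above (and the "repeat ... at 10-second intervals" blocks elsewhere in this checklist) in Python. The send callable, the function names and the "###" transcript format are assumptions; wrap whatever console or SSH session library you use so that one session stays open for the whole run.

```python
import time
from datetime import datetime, timezone

# Command block from the "Buffer (net-pak) leak" checklist above.
NPAK_BLOCK = ("get clock", "get net-pak stats", "get net-pak")


def check_commands(commands):
    """Allow only read-only "get" commands so a typo cannot change the device."""
    cleaned = []
    for cmd in commands:
        cmd = cmd.strip()
        if "\n" in cmd or "\r" in cmd or not cmd.lower().startswith("get "):
            raise ValueError("not a single read-only get command: %r" % cmd)
        cleaned.append(cmd)
    if not cleaned:
        raise ValueError("empty command block")
    return cleaned


def format_record(record):
    """Render one (round, timestamp, command, output) tuple for the case log."""
    n, stamp, cmd, output = record
    return "### round %d  %s  %s\n%s\n" % (n, stamp, cmd, output.rstrip())


def collect_rounds(send, commands, rounds, interval_s, sleep=time.sleep, log=None):
    """Run the block `rounds` times, `interval_s` seconds apart, on ONE session.

    send(line) -> str is supplied by the caller (assumption): it writes one
    line to an already-open console/SSH session and returns the output.
    The session is never closed here, because an administrator logging out
    turns off all debugs (such as "debug npak get").
    """
    commands = check_commands(commands)  # validate before touching the device
    if rounds < 1 or interval_s < 0:
        raise ValueError("rounds must be >= 1 and interval_s >= 0")
    transcript = []
    send("set console page 0")  # paging off, so output does not stop each page
    try:
        for n in range(1, rounds + 1):
            started = time.monotonic()
            for cmd in commands:
                stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
                record = (n, stamp, cmd, send(cmd))
                transcript.append(record)
                if log is not None:
                    # Write as we go: a dropped session hours in loses nothing.
                    log.write(format_record(record))
                    log.flush()
            if n < rounds:
                # Keep start-to-start spacing at interval_s.
                sleep(max(0.0, interval_s - (time.monotonic() - started)))
    finally:
        send("unset console page")  # restore paging even if a command failed
    return transcript


if __name__ == "__main__":
    import sys

    # Constructed stand-in for a real session: returns a placeholder reply.
    def fake_send(line):
        return "(output of %s)" % line

    collect_rounds(fake_send, NPAK_BLOCK, rounds=2, interval_s=1, log=sys.stdout)
```

For the 10-second blocks, pass that block's get commands with rounds=5 and interval_s=10; for the net-pak capture, use interval_s=900.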

Crash

Commands:
- Console output of the crash dump: If console output is unavailable, use "get log sys saved"

Additional Information:
- Date and time of crash
- Description of the last thing that happened before the crash
- Were there any changes in the network before or during the time of the crash (physical or configuration)? If so, what changes (added new equipment, links, new interface, etc.)?
- What kind of traffic was going through the device at the time of crash?
- How long was the firewall running before the incident occurred?
- Was anyone logged in to the firewall during the time of the crash (NSM, Telnet, SSH, console, WebUI)?
- Has the firewall crashed before?

Deep Inspection (DI)

Commands:
get memory
get os task
get net-pak stats
get socket
get tcp

Debugs:
debugs from "Traffic failing for a specific host/application"
debug idp

Additional Information:
External sniffer captures from the directly connected device on both sides of the firewall.

Dial-up VPN

Commands:
get ike cookie
get sa

Debugs:
If VPN is down, use the following debugs:

set sa-filter <x.x.x.x>
# <x.x.x.x> is the peer gateway.
debug ike detail
debug pki detail

# Use PKI debug only if VPN uses certificates.

debug auth all

If authentication is failing, use the following commands:

debug auth all
debug proxy all
clear dbuf
clear auth table
# <make first connection>
get dbuf stream
get auth table
get auth table id <#>
clear dbuf
# <make second connection attempt>
get dbuf stream
get auth table
get auth table id <#>

If VPN is up, but not passing traffic:

set sa-filter <remote gateway IP>
debug ike basic
debug ike natt
debugs from "Traffic failing for a specific host/application"

Additional Information:
See VPN resolution guide

Dynamic IP (DIP)

Commands:
Get dip
Get dip all
Get interface <interface> dip
Get interface <interface> dip detail

Get pport
# Only if using interface-NAT.

Debugs:
Debug dip all
Debug nat gate
Debug nat xlate
Debug nat pport
# Debug nat pport only if using interface-NAT.
Debugs from "Traffic failing for a specific host/application"

Extended Authentication (XAuth)

Commands:
Get xauth active
Get xauth client
Get xauth server

Debugs:
debug auth <option>
Debugs from "Traffic failing for a specific host/application"
Debug pptp all

# Only if using pptp.

Frame Relay

Commands:
"x" is the slot number, "y" is the port number, and "z" is the subinterface number (tagged interface).

get int serial<x/y> fr
get int serial<x/y.z> fr
get int serial<x/y> fr stat
get int serial<x/y> fr pvc

Debugs:
Debug fr lmi
Debug fr pkt

Additional Information:
Provide full network topology, including IP addresses.

GPRS Tunneling Protocol (GTP)

Commands:
Get gtp
Get gtp tunnel
Get ip_action

Debugs:
Debugs from "Traffic failing for a specific host/application"
Debug flow drop
Debug gtp all
Debug nsgp all

Additional Information:
Is this GTP inspection or passthrough?

Provide external packet captures from both sides of the firewall at the same time as the debugs.

H.323

Commands:
get alg h323
get alg h323 counters
get rm group active
get rm resource active
get nat cookie | include allocated

Debugs:
debug h323 all
debug rm all
debug nat gate
debug nat xlate
debugs from "Traffic failing for a specific host/application"

Additional Information:
Try disabling the H.323 ALG globally using unset alg h323, or per policy using the commands below:

set policy id <#>
set application ignore

High CPU (5.4 and lower)

Commands:
Get gate
Get sess frag
Get tcp
Get dbuf stream
get session

# Output can be long. Recommended to redirect to TFTP.

get sess hardware

# Get sess hardware is for the ISG and 5000 series only.
# Output can be long. Recommended to redirect to TFTP.

Repeat next block of commands 4 to 5 times at 10-second intervals:
get clock
get counter stat
get perf cpu all detail
get perf sess detail
get os task
get session info


For ISG series, collect the following as well.
Repeat next block of commands 4 to 5 times at 10-second intervals:

get clock
get sat 0 d
get sat 0 x-c
get sat 0 fr
get sat 0 c
get sat 0 s

For 5200 / 5400, collect the following as well.
Repeat next block of commands 4 to 5 times at 10-second intervals:

<X> is 0 to 5, or until you receive "out-of-range" message.
get clock
get sat <X> d
get sat <X> x-c
get sat <X> fr
get sat <X> c
get sat <X> s

Debugs:
Debugs from "Traffic failing for a specific host/application"
# Do not set the flow filters (make sure "get ff" returns nothing).

If ScreenOS 5.3 or greater:

set alarm snapshot CPU on
set alarm snapshot CPU trigger
# Repeat 2-3 times at 10 second intervals

unset alarm snapshot CPU on
get alarm snapshot CPU all

Additional Information:
For those cases where there is a 1-second spike in CPU, it’s difficult to run the "trigger" at that moment – especially for TASK CPU. Instead, change the CPU alarm threshold so that it is triggered automatically. As soon as the spike is seen, a snapshot is automatically triggered and written to the buffer. No other external script is needed. You do not even need to be logged in to the firewall at the time of the spike.

set alarm threshold cpu 70
set alarm snapshot cpu on
# <let firewall run until spike is seen>
# the firewall can be left unattended
get alarm snapshot cpu all

High CPU (6.0r2 and higher)

Commands:
set alarm snapshot CPU on
set alarm snapshot CPU trigger
# Repeat 2-3 times at 10 second intervals
unset alarm snapshot CPU on
get alarm snapshot CPU all
set fprofile packet en


Run the following commands three times:

set fprofile vector en
set fprofile packet start
# <wait for a few seconds>

set fprofile packet stop
get fprofile packet
get fprofile packet ip
get fprofile packet ip dport
get fprofile packet ip dst-ip
get fprofile packet ip sport
get fprofile packet ip src-ip
get fprofile packet ip proto
get fprofile packet none-ip
get fprofile packet none-ip dst-mac
get fprofile packet none-ip proto
get fprofile packet none-ip src-mac
get fprofile vector


When complete, run "unset fprofile packet enable".

Also capture the information listed in "High CPU (5.4 and lower)"

Debugs:
Debugs from "Traffic failing for a specific host/application"
# Do not set the flow filters (make sure "get ff" returns nothing).

For ISG series, collect the following as well.
Repeat next block of commands 4 to 5 times at 10-second intervals:

get sat 0 d

get asic d

For 5200 / 5400, collect the following as well.
Repeat next block of commands 4 to 5 times at 10-second intervals:

<X> is 0 to 5, or until you receive "out-of-range" message
get sat <X> d

Additional Information:
See KB8910 - Determining Which Task is Using Most Resources on the CPU

For those cases where there is a 1-second spike in CPU, it’s difficult to run the "trigger" at that moment – especially for TASK CPU. Instead, change the CPU alarm threshold so that it is triggered automatically. As soon as the spike is seen, a snapshot is automatically triggered and written to the buffer. No other external script is needed. You do not even need to be logged in to the firewall at the time of the spike.

set alarm threshold cpu 70
set alarm snapshot cpu on
# <let firewall run until spike is seen>
# the firewall can be left unattended
get alarm snapshot cpu all

Infranet Controller / Enforcer

Commands:
Get infranet controller
Get infranet enforcer
Get auth infranet

Debugs:
Debug auth infranet
Debugs from "Traffic failing for a specific host/application"

Additional Information:
See KB11119 – "How to troubleshoot connectivity issues between the Infranet Controller and Infranet Enforcer (Firewall)"

Integrated Services Digital Network (ISDN)

Commands:
<x/y> is card number/port number (viewed by "get interface").

Get int bri<x/y>
get int bri<x/y> isdn
get int bri<x/y> isdn q921 status
get int bri<x/y> isdn q921 status
get int bri<x/y> isdn q931 status
get int bri<x/y> isdn q931 status
get int bri<x/y> extensive
get int bri<x/y> bri-options
get int bri<x/y> hold-time
get int bri<x/y> screen
get int dialer<x>
get int dialer<x> screen
get int dialer<x> ppp
get ppp sa
get ppp ml
get counter flow

Debugs:
Debugs from "Traffic failing for a specific host/application"
debug isdn all
debug ppp basic


To check the Layer 1 status:

debug ipacx basic
debug ipacx rx
debug ipacx tx
debug ipacx phy
debug ipacx stack

Additional Information:
Provide full network topology, including IP addresses.

Management

Commands:
get socket
get tcp
get memory
get os task
get net-pak stats
get socket
get socket id <#>
# <#> is the socket listed in "get socket" for the application in question
get task web
get net-buf | include free
get net-pak stats
get net-pak distribute

Debugs:
debugs from "Traffic failing for a specific host/application"
debug socket all
debug tcp all
debug admin all
debug auth all
debug web all (if WebUI is the issue)
debug httpfx all (if issue with link in WebUI)
debug telnet all (if telnet is the issue)
debug ssl all (if WebUI via HTTPS is the issue)
debug ssh all (if SSH is the issue)

Additional Information:
Collect the "Commands" before, during, and after the issue occurs.

Media Gateway Control Protocol (MGCP)

Commands:
get alg mgcp
get alg mgcp calls
get alg mgcp counters
get alg mgcp endpoints
get alg mgcp sessions

Debugs:
debug mgcp all
debugs from "Traffic failing for a specific host/application"

Additional Information:
Try disabling the RPC ALGs globally using unset alg msrpc or unset alg sunrpc, or per policy using the commands below:

set policy id <#>
set application ignore

Memory

Commands:
Get memory

Debugs:
Setup:

clear mem debug
set mem debug 1000


Run the following commands every 24 hours:

get clock
get mem
get mem pool
get mem ipc
get mem chunk
get mem ker
get mem debug
get mem used
get os task
get net-pak
get net-pak s
get net-b

Additional Information:
- Is the memory bar in the WebUI yellow or red?
- DO NOT USE "clear mem debug" AFTER TEST HAS STARTED.

Multicast (IGMP)

Commands:
get route
get session
get igmp group all
get igmp interface all
get igmp stat

Debugs:
debug igmp all
debug vr mroute
debug vr cachemiss
debug vr mroute-lookup
debug flow mcast
debugs from "Traffic failing for a specific host/application"

Additional Information:
Network topology showing sender, receiver and RP, as well as all IP addresses. If using both IGMP and PIM on the firewall, collect the information listed under PIM and IGMP at the same time.

Multicast (PIM)

Commands:
get route
get session


Enter the virtual router configured for PIM using set vr <vr>.

get prot pim st
get prot pim nei
get prot pim mroute
get prot pim rp active
get prot pim rpf
get prot pim join-prune
get mcore
get mroute

Debugs:
debug pim all
debug vr mroute
debug vr cachemiss
debug vr mroute-lookup
debug flow mcast
debugs from "Traffic failing for a specific host/application"

Additional Information:
Network topology showing sender, receiver and RP, as well as all IP addresses. If using both IGMP and PIM on the firewall, collect the information listed under PIM and IGMP at the same time.

Multi-link Frame Relay

Commands:
Get int mlx mlfr_uni_uni
Get int serial<x/y> mlfr_uni_uni

Debugs:
Debug ml pkt
Debug ml fr
Debug ml frag
Debug ml assem
Debug fr lip

Additional Information:
Provide full network topology, including IP addresses.

Verify the frame relay is OK from the frame-relay tab in the WebUI.

NetScreen Redundancy Protocol (NSRP)

Commands:
Get nsrp
Get nsrp monitor
Get interface
Exec nsrp sync global-config check-sum

# If running 6.1 or lower, run "get log sys | include config" after this command.

Repeat the next block of commands 4 to 5 times at 10-second intervals:

Get nsrp
Get nsrp counter
Get nsrp counter packet
Get interface

Debugs:
Debug nsrp all

Additional Information:
Debugs and get commands have to be collected from both cluster members.

See NSRP resolution guide.

Open Shortest Path First (OSPF)

Commands:
get route
get route summary
get session src-ip <x.x.x.x>
get session dst-ip <x.x.x.x>
get route ip <x.x.x.x>

# <x.x.x.x> is the route in question
get route id <#>
# <#> is the ID of the route in question and is found in the "get route" or "get route ip" command
get os task
get task ospf
get interface <interface> | include "status change"

# Status change is only available in 6.2 and 6.3
get interface <interface> protocol ospf

Enter the virtual router configured for OSPF using set vr <vr>.

get protocol ospf area
get protocol ospf auth
get protocol ospf config
get proto ospf int
get proto ospf neighbor
get proto ospf routes
get proto ospf data
get proto ospf database detail
# Output can be long. Recommend redirecting to TFTP.

Debugs:
debug ospf all

Point to Point Protocol (PPP) (including Multi-link PPP)

Commands:
Get int <interface> ppp
Get ppp sa
Get ppp ml
Get counter flow

Debugs:
Debug ppp basic

Additional Information:
Provide full network topology, including IP addresses.

Point to Point Tunneling Protocol (PPTP)

Commands:
get alg pptp
get alg pptp counters
get alg pptp xlate
get rm group active
get nat cookie | include allocated

Debugs:
If ALG is disabled,
debugs from "Traffic failing for a specific host/application"

If ALG is enabled,
debug rm all
debug nat gate
debug nat xlate

debugs from "Traffic failing for a specific host/application"

Policy Based Routing (PBR)

Commands:
get route
get session


For all virtual routers with PBR configured:

get vr <vr> access-list
get vr <vr> action-group
get vr <vr> config
get vr <vr> match-group
get vr <vr> policy

Debugs:
debugs from "Traffic failing for a specific host/application"
debug pbr all
debug vr lookup
debug vr session

Additional Information:
Provide full network topology, including IP addresses.

Port Authentication (802.1x)

Commands:
get auth history
get auth queue
get auth statistics
get auth settings
get auth table
get dot1x
get dot1x session
get dot1x statistics

Debugs:
debug auth <option>
Debug dot1x all

Remote Procedure Call (RPC)

Commands:
get service map-sun-rpc
get service map-ms-rpc

Debugs:
debugs from "Traffic failing for a specific host/application"
debug rpc all

Additional Information:
Try disabling the RPC ALGs globally using unset alg msrpc or unset alg sunrpc, or per policy using the commands below:

set policy id <#>
set application ignore

See KB11951 – "Troubleshoot MSRPC problems on firewalls running ScreenOS" (login required)

Session Initiation Protocol (SIP)

Commands:
get alg sip
get alg sip calls
get alg sip counters
get alg sip details
get alg sip memory
get alg sip rate
get alg sip settings
get alg sip transactions
get rm group active
get rm resources active
get nat cookie | include allocated

Debugs:
debug sip all
debug rm all
debug nat gate
debug nat xlate
debugs from "Traffic failing for a specific host/application"

Additional Information:
Try disabling SIP ALG globally using unset alg sip, or per policy using the commands below:

set policy id <#>
set application ignore

Skinny Client Control Protocol (SCCP)

Commands:
get alg sccp
get alg sccp calls
get alg sccp counters

Debugs:
debug mgcp all
debugs from "Traffic failing for a specific host/application"

Additional Information:
Try disabling the RPC ALGs globally using unset alg msrpc or unset alg sunrpc, or per policy using the commands below:

set policy id <#>
set application ignore

See KB18226 – "ScreenOS firewall's SCCP ALG does not support version 17"

Static Routing

Commands:
get route
get session src-ip <x.x.x.x>
get session dst-ip <x.x.x.x>
get route ip <x.x.x.x>
# <x.x.x.x> is the route in question
get route id <#>
# <#> is the ID of the route in question and is found in the "get route" or "get route ip" command
get counter flow
get vr <vr> route source
# <vr> is the virtual router where the route is located.

Debugs:
debugs from "Traffic failing for a specific host/application"
debug vr basic
debug vr route

SurfControl (Redirect or integrated URL filtering)

Commands:
get url
get socket
get net-pak stats

Debugs:
Debugs from "Traffic failing for a specific host / application"

If using integrated SurfControl:
debug uf all

If using redirected SurfControl:
Debug url all

Throughput

Commands:
get net-pak s
get sess frag
get counter stat
get gate
get pport
get flow
get tcp
get zone <zone> screen counter
set pps

# Set pps is only on 6.1 and later
# redundant and aggregate interfaces not supported
get int bgroupx mac-table
# SSG with bgroup interfaces only.

get session
# Output can be long. Recommended to redirect to TFTP.

get sess hardware
# ISG and 5000 series only.
# Output can be long. Recommended to redirect to TFTP.

Repeat next block of commands 4 to 5 times at 10-second intervals:

get clock
get perf cpu all detail
get perf sess detail
get counter stat
get os task
get arp
get session info
get net-pak s
get pps

# PPS is only on 6.1 and later
# redundant and aggregate interfaces not supported.

SSG-5 and SSG-20
get switch counter <#>
# <#> is 0 to 10

SSG-140 only
get driver switch statistics

For ISG series, collect the following as well.
Repeat next block of commands 4 to 5 times at 10-second intervals:

get clock
get asic demux

# Asic demux only on 6.0r2 and later.
get sat 0 d
get sat 0 x-c
get sat 0 fr
get sat 0 c
get sat 0 s
get fresno 0
get fresno 1

# fresno 1 is ISG-2000 only
get counter stat
get arp asic 0


For 5200 / 5400, collect the following as well.
Repeat next block of commands 4 to 5 times at 10-second intervals:

<X> is 0 to 5, or until you receive "out-of-range" message.
get clock
get asic demux

# ASIC demux is only on 6.0r2 and later.
get sat <X> d
get sat <X> x-c
get sat <X> fr
get sat <X> c
get sat <X> s
get counter stat
get arp asic X


If MGT1 with 24FE interface card:

get michigan <X> count
get michigan <X> igmac 0
get michigan <X> igmac 1
get michigan <X> igmac 2

If 8G2, 2XGE, 8G2-G4, and 2XGE-G4 interface cards:

get arch 0
get arch 1
get arch 2

Debugs:
Debugs from "Traffic failing for a specific host / application"

Additional Information:
External sniffer captures from the directly connected device on both sides of the firewall.

Traffic failing for a specific host/application (Basic debug)

Commands:
If traffic logging is enabled:
get log traffic src-ip <x.x.x.x> dst-ip <y.y.y.y>
# <x.x.x.x> is the source IP.
# <y.y.y.y> is the destination IP.

Debugs:
unset ff
# Repeat above command until you get "invalid id"
snoop filter delete


set ff src-ip <x.x.x.x> dst-ip <y.y.y.y>
set ff src-ip <y.y.y.y> dst-ip <x.x.x.x>
snoop filter ip src-ip <x.x.x.x> dst-ip <y.y.y.y>
snoop filter ip src-ip <y.y.y.y> dst-ip <x.x.x.x>
# <x.x.x.x> is the source IP address.
# <y.y.y.y> is the destination IP address.
# There are multiple options available for filters. Select the best filter for your situation (ports, protocol, etc.).

snoop detail   (option available when logged in as root)
snoop detail len 1514  (option available when logged in as root)
debug flow basic
snoop
clear dbuf
# <initiate the traffic you are having issues with>
undebug all
snoop off

get db stream

If ISG and 5200/5400 series, enable the following debugs as well as the ones listed above:

debug stflow basic
debug tag info
debug flow session

Additional Information:
Ensure that the debug buffer is set to 4 MB by issuing the command "set dbuf size 4096".

See "logging to USB" below for information on logging the debug to a USB device (SSG series only).

If ISG or 5200/5400 series, you will be able to see the first packet only, due to the ASIC. Starting in 6.1, you can keep the session in CPU in order to see the entire flow. This is set on a per-policy basis, and can cause high CPU depending on how much traffic is using the policy. To enable this, use the following commands:

set policy id <#>
# <#> is the policy ID found by issuing the command "get policy"
set no-hw-sess
exit

Traffic Shaping

Commands:
Get traffic mode
Get traffic stat
Get int
Get policy
Get policy id <#>
Get traffic tmng
# tmng is only available in ScreenOS 5.3 and higher

Debugs:
Debug shaper all
Undebug shaper token
# Debugs from "Traffic failing for a specific host/application"

Additional Information:
For ASIC-based systems, refer to KB5896 – "Traffic Shaping Support on ASIC platforms (ISG-1000, ISG-2000, NS5200, NS5400)"

Virtual Private Network (VPN)

Commands:
get ike cookie
get sa
get sa stat
get sa id <#>
# SA IDs are in hex, so you need to put "0x" in front of the id.
# Example: get sa id 0x01

get nsp

Debugs:
If VPN is down, use the following debugs:

set sa-filter <x.x.x.x>
# <x.x.x.x> is the peer gateway.
debug ike detail
debug pki detail
# Use PKI debug only if VPN uses certificates.
debug auth all

If VPN is up, but not passing traffic, use the following debugs:

Debugs from "Traffic failing for a specific host/application"
set sa-filter <x.x.x.x>
# <x.x.x.x> is the peer gateway.
debug ike basic
debug ike natt
debug tag info
# ISG and 5200/5400 series only.
debug tag vpn
# ISG and 5200/5400 series only.

Additional Information:
In ScreenOS 6.2, flow filters can be configured only for tunneled traffic (inner or private IPs).

See the VPN resolution guide.

Virtual Router Redundancy Protocol (VRRP)

Commands:
Get vrrp interface
Get vrrp stat
Get vrrp virtual-group

Debugs:
Debug vrrp all

Additional Information:
VRRP is supported only on SSG series devices.

WebSense (Redirect URL filtering)

Commands:
get url
get socket

Debugs:
debug url rec
debug url req
debugs from "Traffic failing for a specific host/application"

Wireless

Commands:
Get interface <wireless> assoc
Get wlan
Get wlan acl
Get ssid
Get ssid <ssid>

Debugs:
Debug wlan <option>
# Use with caution, as it will increase system load. Specify the debug option based on the error in the event log.

References:

How to:

Resolution Guides: KB9936 - JTAC Certified step-by-step troubleshooting flowcharts and articles



Technical Bulletins (login required to see all): For more information on Technical Bulletins, see KB9890 - How do I subscribe to a technical bulletin so I can I get email alerts regarding product issues, new product release announcements and security or safety issues?.



Technical Documentation: