[ScreenOS] Data Collection Checklist - Logs/data to collect for troubleshooting
Data Collection and Troubleshooting Guides can help with issue investigation as well as reduce time-to-resolve. Each problem/issue could require a different set of data to collect. This article contains a list of data to collect as well as pointers to Resolution Guides and references on how to collect the data.
What information should I collect to assist in troubleshooting prior to opening a case?
The goal of this document is to reduce the time spent on initial data collection and reduce time-to-resolve by providing a comprehensive list of what to collect or gather to troubleshoot an issue.
Caveats and Tips
get performance cpu all detail
set console page 0
unset console page or set console page <number of lines>
debug flow basic and debug anti-spam all at the same time.
Basic information to collect for all issues | Background Information | 1. Provide all SSH/Telnet/console session captures 2. Provide any available topology information 3. Summary of how the device is being used (production, lab system, co-location, etc.) 4. Summary of device history (new install, production for X months/years, other recent cases, etc.) 5. Summary of any recent changes in the network or on the device |
Logs | get tech-support |
See Reference section for the following:
Anti-Spam | Commands | get memory |
Debugs | debugs from "Traffic failing for a specific host/application" debug anti-spam all |
|
Additional Information | External sniffer captures from the directly connected device on both sides of the firewall. |
Antivirus (AV) | Commands | get av Repeat next block of commands 4 to 5 times at 10-second intervals: get clock get counter stat |
Debugs | debug apppry basic If update related: debug av updater If scan related: |
Application Layer Gateway (ALG) | Commands | get alg |
Debugs | debug <alg name> all # If it fails, then "debug nat <alg name>" debug rm all "Traffic failing for a specific host/application" |
|
Additional Information | Try disabling ALG globally using unset alg <alg name>, or per policy using the commands below: set policy id <#> |
Asymmetric Digital Subscriber Line (ADSL) | Commands | Get adsl basic Get int ad Get adsl stat Get adsl <#> basic Get adsl <#> if-stats Get adsl <#> sar get adsl <#> stats get adsl <#> training-status get adsl <#> vc-info get adsl <#> memory get interface adsl get interface adsl extensive If PPPoE: get pppoe all If PPPoA: Get pppoa all |
Debugs | Exec adsltest <#> ping If PPPoE: Debug pppoe basic stream If PPPoA: Debug pppoa all |
|
Additional Information | See KB12137 – "ADSL card is not loading; event log "ADSL2/0 SOC Firmware Failed (Load Bootrom Failure)" is reported" |
Authentication | Commands | get auth history get auth queue get auth statistics get auth settings get auth table If L2tp: get L2tp all |
Debugs | debug auth <option> "Traffic failing for a specific host/application" |
Auto Connect VPN (AC-VPN) | Commands | Run the following commands on the hub and both spokes simultaneously: get ike cookie # SA IDs are in hex, so you need to put "0x" in front of the id. # Example: get sa id 0x01 Enter the virtual router configured for NHRP using set vr <vr>. get protocol nhrp |
Debugs | Run the following debugs on the hub and both spokes simultaneously: set sa-filter <x.x.x.x> # <x.x.x.x> is the peer gateway. debug ike detail # Use PKI debug only if VPN uses certificates. debug auth all |
Border Gateway Protocol (BGP) | Commands | get route # <x.x.x.x> is the route in question. get route id <#> # <#> is the ID of the route in question and is found in the "get route" or "get route ip" command. get os task # Available only in 6.2 and 6.3. Enter the virtual router configured for BGP using set vr <vr>. get proto bgp config # rib received available only in 6.2 and 6.3. get proto bgp rib advertised # Available only in 6.2 and 6.3. |
Debugs | debug bgp all |
Buffer (net-pak) leak | Commands | get session frag Repeat next block of commands 2 to 3 times at 10-second intervals: get clock |
Debugs | If ‘failed’ counter from ‘get net-pak stats’ is incrementing and the ‘free’ counters do not decrement for over one hour, collect the following information. debug npak get # Keep this running and ensure no one logs in to or out of the firewall. See "Keep debugs running after logging out" below. Using a script, capture the following command every 15 minutes: get clock |
Crash | Commands | - Console output of the crash dump: If console output is unavailable, use "get log sys saved" |
Additional Information | - Date and time of crash - Description of the last thing that happened before the crash - Were there any changes in the network before or during the time of the crash (physical or configuration)? If so, what changes (added new equipment, links, new interface, etc.)? - What kind of traffic was going through the device at the time of crash? - How long was the firewall running before the incident occurred? - Was anyone logged in to the firewall during the time of the crash (NSM, Telnet, SSH, console, WebUI)? - Has the firewall crashed before? |
Deep Inspection (DI) | Commands | get memory |
Debugs | debugs from "Traffic failing for a specific host/application" debug idp |
|
Additional Information | External sniffer captures from the directly connected device on both sides of the firewall. |
Dial-up VPN | Commands | get ike cookie |
Debugs | If VPN is down, use the following debugs: set sa-filter <x.x.x.x> # <x.x.x.x> is the peer gateway. debug ike detail # Use PKI debug only if VPN uses certificates. debug auth all If authentication is failing, use the following commands: debug auth all # <make first connection> get dbuf stream # <make second connection attempt> get dbuf stream If VPN is up, but not passing traffic: set sa-filter <remote gateway IP> "Traffic failing for a specific host/application" |
|
Additional Information | See VPN resolution guide |
Dynamic IP (DIP) | Commands | Get dip # Only if using interface-NAT. |
Debugs | Debug dip all Debug nat gate Debug nat xlate Debug nat pport # Debug nat pport only if using interface-NAT. Debugs from "Traffic failing for a specific host/application" |
Extended Authentication (XAuth) | Commands | Get xauth active |
Debugs | debug auth <option> "Traffic failing for a specific host/application" Debug pptp all # Only if using pptp. |
Frame Relay | Commands | "x" is the slot number, "y" is the port number, and "z" is the subinterface number (tagged interface). get int serial<x/y> fr get int serial<x/y.z> fr get int serial<x/y> fr stat get int serial<x/y> fr pvc |
Debugs | Debug fr lmi |
|
Additional Information | Provide full network topology, including IP addresses. |
GPRS Tunneling Protocol (GTP) | Commands | Get gtp |
Debugs | Debugs from "Traffic failing for a specific host/application" Debug flow drop |
|
Additional Information | Is this GTP inspection or passthrough? Provide external packet captures from both sides of the firewall at the same time as the debugs. |
H.323 | Commands | get alg h323 |
Debugs | debug h323 all "Traffic failing for a specific host/application" |
|
Additional Information | Try disabling the H.323 ALG globally using unset alg h323, or per policy using the commands below: set policy id <#> |
High CPU (5.4 and lower) | Commands | Get gate # Output can be long. Recommended to redirect to TFTP. get sess hardware # Get sess hardware is for the ISG and 5000 series only. # Output can be long. Recommended to redirect to TFTP. Repeat next block of commands 4 to 5 times at 10-second intervals:
get clock For ISG series, collect the following as well. Repeat next block of commands 4 to 5 times at 10-second intervals: get clock For 5200 / 5400, collect the following as well. Repeat next block of commands 4 to 5 times at 10-second intervals: <X> is 0 to 5, or until you receive "out-of-range" message. get clock |
Debugs | Debugs from "Traffic failing for a specific host/application" # Do not set the flow filters (make sure "get ff" returns nothing). If ScreenOS 5.3 or greater: set alarm snapshot CPU on # Repeat 2-3 times at 10 second intervals unset alarm snapshot CPU on |
|
Additional Information | For those cases where there is a 1-second spike in CPU, it’s difficult to run the "trigger" at that moment – especially for TASK CPU. Instead, change the CPU alarm threshold so that it is triggered automatically. As soon as the spike is seen, a snapshot is automatically triggered and written to the buffer. No other external script is needed. You do not even need to be logged in to the firewall at the time of the spike. set alarm threshold cpu 70 # <let firewall run until spike is seen> # the firewall can be left unattended get alarm snapshot cpu all |
High CPU (6.0r2 and higher) | Commands | set alarm snapshot CPU on # Repeat 2-3 times at 10 second intervals unset alarm snapshot CPU on Run the following commands three times: set fprofile vector en # <wait for a few seconds> set fprofile packet stop After complete, run "unset fprofile packet enable". Also capture the information listed in "High CPU (5.4 and lower)" |
Debugs | Debugs from "Traffic failing for a specific host/application" # Do not set the flow filters (make sure "get ff" returns nothing). For ISG series, collect the following as well. Repeat next block of commands 4 to 5 times at 10-second intervals: get sat 0 d get asic d For 5200 / 5400, collect the following as well. Repeat next block of commands 4 to 5 times at 10-second intervals: <X> is 0 to 5, or until you receive "out-of-range" message get sat <X> d |
|
Additional Information | See KB8910 - Determining Which Task is Using Most Resources on the CPU For those cases where there is a 1-second spike in CPU, it’s difficult to run the "trigger" at that moment – especially for TASK CPU. Instead, change the CPU alarm threshold so that it is triggered automatically. As soon as the spike is seen, a snapshot is automatically triggered and written to the buffer. No other external script is needed. You do not even need to be logged in to the firewall at the time of the spike. set alarm threshold cpu 70 |
Infranet Controller/ Enforcer | Commands | Get infranet controller |
Debugs | Debug auth infranet Debugs from "Traffic failing for a specific host/application" |
|
Additional Information | See KB11119 – "How to troubleshoot connectivity issues between the Infranet Controller and Infranet Enforcer (Firewall)" |
Integrated Services Digital Network (ISDN) | Commands | <x/y> is card number/port number (viewed by "get interface"). Get int bri<x/y> |
Debugs | Debugs from "Traffic failing for a specific host/application" debug isdn all To check the Layer 1 status: debug ipacx basic |
|
Additional Information | Provide full network topology, including IP addresses. |
Management | Commands | get socket # <#> is the socket listed in "get socket" for the application in question get task web |
Debugs | debugs from "Traffic failing for a specific host/application" |
|
Additional Information | Collect the "Commands" before, during, and after the issue occurs. |
Media Gateway Control Protocol (MGCP) | Commands | get alg mgcp |
Debugs | debug mgcp all debugs from "Traffic failing for a specific host/application" |
|
Additional Information | Try disabling the RPC ALGs globally using unset alg msrpc or unset alg sunrpc, or per policy using the commands below: set policy id <#> |
Memory | Commands | Get memory |
Debugs | Setup: clear mem debug Run the following commands every 24 hours: get clock |
|
Additional Information | - Is the memory bar in the WebUI yellow or red? - DO NOT USE "clear mem debug" AFTER TEST HAS STARTED. |
Multicast (IGMP) | Commands | get route |
Debugs | debug igmp all "Traffic failing for a specific host/application" |
|
Additional Information | Network topology showing sender, receiver and RP, as well as all IP addresses. If using both IGMP and PIM on the firewall, collect the information listed under PIM and IGMP at the same time. |
Multicast (PIM) | Commands | get route Enter the virtual router configured for PIM using set vr <vr>. get prot pim st |
Debugs | debug pim all "Traffic failing for a specific host/application" |
|
Additional Information | Network topology showing sender, receiver and RP, as well as all IP addresses. If using both IGMP and PIM on the firewall, collect the information listed under PIM and IGMP at the same time. |
Multi-link Frame Relay | Commands | Get int mlx mlfr_uni_uni |
Debugs | Debug ml pkt |
|
Additional Information | Provide full network topology, including IP addresses. Verify the frame relay is OK from the frame-relay tab in the WebUI. |
NetScreen Redundancy Protocol (NSRP) | Commands | Get nsrp # If running 6.1 or lower, run "get log sys | include config" after this command. Repeat the next block of commands 4 to 5 times at 10-second intervals: Get nsrp |
Debugs | Debug nsrp all |
|
Additional Information | Debugs and get commands have to be collected from both cluster members. See NSRP resolution guide. |
Open Shortest Path First (OSPF) | Commands | get route # <x.x.x.x> is the route in question get route id <#> # <#> is the ID of the route in question and is found in the "get route" or "get route ip" command get os task # Status change is only available in 6.2 and 6.3 get interface <interface> protocol ospf set vr <vr>. get protocol ospf area # Output can be long. Recommend redirecting to TFTP. |
Debugs | debug ospf all |
Point to Point Protocol (PPP) (including Multi-link PPP) | Commands | Get int <interface> ppp |
Debugs | Debug ppp basic |
|
Additional Information | Provide full network topology, including IP addresses. |
Point to Point Tunneling Protocol (PPTP) | Commands | get alg pptp |
Debugs | If ALG is disabled, debugs from "Traffic failing for a specific host/application" If ALG is enabled, debug rm all debugs from "Traffic failing for a specific host/application" |
|
Additional Information |
Policy Based Routing (PBR) | Commands | get route For all virtual routers with PBR configured: get vr <vr> access-list |
Debugs | debugs from "Traffic failing for a specific host/application" debug pbr all |
|
Additional Information | Provide full network topology, including IP addresses. |
Port Authentication (802.1x) | Commands | get auth history |
Debugs | debug auth <option> |
Remote Procedure Call (RPC) | Commands | get service map-sun-rpc |
Debugs | debugs from "Traffic failing for a specific host/application" debug rpc all |
|
Additional Information | Try disabling the RPC ALGs globally using unset alg msrpc or unset alg sunrpc, or per policy using the commands below: set policy id <#> See KB11951 – "Troubleshoot MSRPC problems on firewalls running ScreenOS" (login required) |
Session Initiation Protocol (SIP) | Commands | get alg sip |
Debugs | debug sip all "Traffic failing for a specific host/application" |
|
Additional Information | Try disabling SIP ALG globally using unset alg sip, or per policy using the commands below: set policy id <#> |
Skinny Client Control Protocol (SCCP) | Commands | get alg sccp |
Debugs | debug mgcp all debugs from "Traffic failing for a specific host/application" |
|
Additional Information | Try disabling the RPC ALGs globally using unset alg msrpc or unset alg sunrpc, or per policy using the commands below: set policy id <#> See KB18226 – "ScreenOS firewall's SCCP ALG does not support version 17" |
Static Routing | Commands | get route # <x.x.x.x> is the route in question get route id <#> # <#> is the ID of the route in question and is found in the "get route" or "get route ip" command get counter flow route source # <vr> is the virtual router where the route is located. |
Debugs | debugs from "Traffic failing for a specific host/application" debug vr basic |
Throughput | Commands | get net-pak s # Set pps is only on 6.1 and later # redundant and aggregate interfaces not supported get int bgroupx mac-table # SSG with bgroup interfaces only. get session # Output can be long. Recommended to redirect to TFTP. get sess hardware # ISG and 5000 series only. # Output can be long. Recommended to redirect to TFTP. Repeat next block of commands 4 to 5 times at 10-second intervals: get clock get os task # PPS is only on 6.1 and later # redundant and aggregate interfaces not supported. SSG-5 and SSG-20 get switch counter <#> # <#> is 0 to 10 SSG-140 only get driver switch statistics For ISG series, collect the following as well. Repeat next block of commands 4 to 5 times at 10-second intervals: get clock # Asic demux only on 6.0r2 and later. get sat 0 d # fresno 1 is ISG-2000 only get counter stat For 5200 / 5400, collect the following as well. Repeat next block of commands 4 to 5 times at 10-second intervals: <X> is 0 to 5, or until you receive "out-of-range" message. get clock # ASIC demux is only on 6.0r2 and later. get sat <X> d If MGT1 with 24FE interface card: get michigan <X> count If 8G2, 2XGE, 8G2-G4, and 2XGE-G4 interface cards: get arch 0 |
Debugs | Debugs from "Traffic failing for a specific host/application" |
Additional Information | External sniffer captures from the directly connected device on both sides of the firewall. |
Traffic failing for a specific host/application (Basic debug) | Commands | If traffic logging is enabled: get log traffic src-ip <x.x.x.x> dst-ip <y.y.y.y> # <x.x.x.x> is the source IP. # <y.y.y.y> is the destination IP. |
Debugs | unset ff # Repeat above command until you get "invalid id" snoop filter delete set ff src-ip <x.x.x.x> dst-ip <y.y.y.y> # <x.x.x.x> is the source IP address. # <y.y.y.y> is the destination IP address. # There are multiple options available for filters. Select the best filter for your situation (ports, protocol, etc.). snoop detail (option available when logged in as root) snoop detail len 1514 (option available when logged in as root) debug flow basic # <initiate the traffic you are having issues with> undebug all
If ISG and 5200/5400 series, enable the following debugs as well as the ones listed above: debug stflow basic |
|
Additional Information | Ensure that the debug buffer is set to 4 MB by issuing the command "set dbuf size 4096". See "logging to USB" below for information on logging the debug to a USB device (SSG series only). If ISG or 5200/5400 series, you will be able to see the first packet only, due to the ASIC. Starting in 6.1, you can keep the session in CPU in order to see the entire flow. This is set on a per-policy basis, and can cause high CPU depending on how much traffic is using the policy. To enable this, use the following commands: set policy id <#> # <#> is the policy ID found by issuing the command "get policy" set no-hw-sess |
Traffic Shaping | Commands | Get traffic mode # tmng is only available in ScreenOS 5.3 and higher |
Debugs | Debug shaper all # Debugs from "Traffic failing for a specific host/application" |
|
Additional Information | For ASIC-based systems, refer to KB5896 – "Traffic Shaping Support on ASIC platforms (ISG-1000, ISG-2000, NS5200, NS5400)" |
Virtual Private Network (VPN) | Commands | get ike cookie # SA IDs are in hex, so you need to put "0x" in front of the id. # Example: get sa id 0x01 get nsp |
Debugs | If VPN is down, use the following debugs: set sa-filter <x.x.x.x> # <x.x.x.x> is the peer gateway. debug ike detail # Use PKI debug only if VPN uses certificates. debug auth all If VPN is up, but not passing traffic, use the following debugs: Debugs from "Traffic failing for a specific host/application" set sa-filter <x.x.x.x> # <x.x.x.x> is the peer gateway. debug ike basic # ISG and 5200/5400 series only. debug tag vpn # ISG and 5200/5400 series only. |
|
Additional Information | In ScreenOS 6.2, flow filters can be configured only for tunneled traffic (inner or private IPs). See the VPN resolution guide. |
Virtual Router Redundancy Protocol (VRRP) | Commands | Get vrrp interface |
Debugs | Debug vrrp all |
|
Additional Information | VRRP is supported only on SSG series devices. |
WebSense (Redirect URL filtering) | Commands | get url |
Debugs | debug url rec debugs from "Traffic failing for a specific host/application" |
Wireless | Commands | Get interface <wireless> assoc |
Debugs | Debug wlan <option> # Use with caution, as it will increase system load. Specify the debug option based on the error in the event log. |
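Several rows above ask for a block of get commands to be repeated 4 to 5 times at 10-second intervals, or captured "using a script". The sketch below is an added example, not Juniper's tooling: it disables console paging, runs a read-only block on a schedule and restores paging afterwards. The `send` callable (your own SSH or serial session wrapper), `collect_block` and `fake_firewall` are hypothetical names.

```python
import time
from typing import Callable, List, Sequence

PAGING_OFF = "set console page 0"  # from the page's Caveats and Tips
PAGING_ON = "unset console page"   # restores the default paging


def collect_block(send: Callable[[str], str],
                  block: Sequence[str],
                  rounds: int = 5,
                  interval: float = 10.0,
                  sleep: Callable[[float], None] = time.sleep,
                  clock: Callable[[], float] = time.monotonic) -> List[str]:
    """Run `block` `rounds` times, `interval` seconds apart; return the transcript.

    `send` is an assumed transport: it takes one CLI line and returns the
    device's output for that line.
    """
    cmds = [c.strip() for c in block if c.strip()]
    if not cmds or rounds < 1:
        raise ValueError("need at least one command and one round")
    # The repeated blocks in the checklist are read-only "get" commands;
    # refuse anything else so a typo cannot change device state.
    for c in cmds:
        if not c.lower().startswith("get "):
            raise ValueError(f"not a get command: {c!r}")
    # The repeated blocks on the page start with a device timestamp.
    if cmds[0].lower() != "get clock":
        cmds.insert(0, "get clock")

    transcript: List[str] = []

    def run(cmd: str) -> None:
        output = send(cmd)
        stamp = time.strftime("%Y-%m-%dT%H:%M:%S")  # workstation time, not device time
        transcript.append(f"### {stamp} {cmd}\n{output.rstrip()}")

    run(PAGING_OFF)
    try:
        for i in range(rounds):
            started = clock()
            for cmd in cmds:
                run(cmd)
            if i < rounds - 1:
                # Subtract the time the block took so rounds stay evenly spaced.
                sleep(max(0.0, interval - (clock() - started)))
    finally:
        run(PAGING_ON)  # attempted even if a command fails mid-capture
    return transcript


def fake_firewall(cmd: str) -> str:
    """Constructed stand-in for a device session; the output text is made up."""
    return f"(constructed output for: {cmd})"


if __name__ == "__main__":
    for entry in collect_block(fake_firewall, ["get clock", "get counter stat"],
                               rounds=2, interval=0):
        print(entry)
```

Save the returned transcript to a file and attach it to the case along with the session captures.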
2020-09-22: Removed Surfcontrol, as it is unsupported
2020-05-17: Article reviewed for accuracy. No changes made. Article is correct and complete.