
[SRX] How the 'show log nsd_chk_only' command is helpful in troubleshooting


Article ID: KB24598    Last Updated: 05 Jun 2012    Version: 1.0
Summary:
This article provides information on how the show log nsd_chk_only command is helpful in troubleshooting.
Symptoms:
How the show log nsd_chk_only command is helpful in troubleshooting.
Cause:

Solution:

Open the /var/log/nsd_chk_only file (or view it with the show log nsd_chk_only command). The file is overwritten each time you perform a commit check, and it contains detailed failure information for that check. It also reports the platform's capacity limits alongside the values currently configured.

Note: The Network Security Daemon (NSD) manages firewall configurations on routers running Junos software with enhanced services. It reads the routing-instance, zone, policy, application, ALG and similar configuration, verifies it, and performs the checks.

root@> show log nsd_chk_only 
NSD Framework init [pid = 44935]
Initializing time capsule....
Setup Matching Platform Capacity Config
---------------------------------------
Matching platform :
Model Name = srx210h
Hardware Model = srx210h
Description = JSRX 210 Highmem
Policy Capacity Config :
Max Policy = 512
Max Policy Context = 128
Max Policy per Context = 512
Max Statistics Counter = 256
Max Address per Policy = 1024
Max Applications per Policy = 128
Scheduler Capacity Config :
Max Scheduler = 128
Zones Capacity Config :
Max Security Zones = 12
NAT rule Capacity Config :
Source NAT rule number = 512
Dest NAT rule number = 512
Static NAT rule number = 512
nsd_ids_init: ******* *********<<< ssg_nsd_nat_init start >>>*********** ssg_nat_dst_config_init: ssg_nat_dst_cfg_cb_init: ssg_nat_src_config_init: ssg_nat_src_cfg_cb_init: ssg_nat_static_config_init: ssg_nat_static_cfg_cb_init: nsd alg component initialization NSD FLOW component initialization started nsd resmgr component initialization could not find security resmgr path - no resmgr config set Applying default configuration resmgr ssam config update - begin get resmgr blob through ssam unable to get resmgr blob through ssam update resmgr blob through ssam unable to get resmgr blob through ssam failed to apply default resmgr configs through ssam Initializing uidpool for policy NSD-GPRS-DEBUG:gprs_uidpool_init, 22 Getting policy version blob from ssam Unable to get Security policy version object from ssam [Error: 22] policy_dynamic_init : Unable to register Dynamic Policy SSAM async message handler. error = 22 (Invalid argument). nsd host component initialization could not find host http- no host config set turn off all host http features host ssam config update - begin get host http blob through ssam unable to get host http blob through ssam update host http blob through ssam unable to get host http blob through ssam failed turn off all http host through ssam could not find services rpm probe-server path turn off all services rpm features host ssam config update - begin get host rpm blob through ssam unable to get host rpm blob through ssam update host rpm blob through ssam unable to get host rpm blob through ssam failed to turn off all services rpm through ssam could not find host reverse telnet/SSH no host config set turn off all host reverse telnet/SSH features host ssam config update - begin get host reverse-telnet blob through ssam unable to get host reverse-telnet blob through ssam update host reverse-telnet blob through ssam unable to get host reverse-telnet blob through ssam failed turn off all reverse telnet/SSH host through ssam 
NSD_MEMORY_STAT::NSD_FW::nsd_fw_parse_config(): BEGIN - Amount of memory used 0 bytes, #of allocation 0, #of de-allocation 0 nsd_ids_config_pre_process: ******* nsd_zone_config_pre_process Initializing uidpool for zones. ssg_nat_used_ctx_tree_destroy ssg_nat_dst_config_pre_process: in ssg_nat_dst_blob_read_existing ssg_nat_dst_pool_tree_destroy ssg_nat_dst_pool_blob_read_existing: ssg_nat_dst_pool_blob_read_existing: the start blob_key.uid is: 0. <<<======== Destination NAT Config Start ========>>> ======== Destination NAT Pool Config Start ======== ======== Destination NAT Pool Config End ========== <<<======== Destination NAT Config End ========>>> ssg_nat_src_config_pre_process: in ssg_nat_src_blob_read_existing ssg_nat_src_pool_tree_destroy ssg_nat_src_pool_ext_tree_destroy ssg_nat_src_pool_blob_read_existing: <<<======== Source NAT Config Start ========>>> ======== Source NAT Pool Config Start ======== ======== Source NAT Pool Config End ========== <<<======== Source NAT Config End ========>>> ssg_nat_src_global_blob_read_existing: addr_persistent: 0. raise_threshold: 0. clear_threshold: 0. cur_position: 1. port_rand: 1. ifl_port_overload: 1. ssg_nat_static_config_pre_process: in ssg_nat_static_blob_read_existing reading routing instances config. could not find routing-instances path nsd_ids_config_read: check 1 nsd_ids_config_read: Screen was not configured under security nsd_shm_config_read: "static-host-mapping" configuration not present or deleted .. so clearing our shm tree reading security zone config.
processing security zones.
nsd_zone_process_zones.. nsd_zone_process_zones: dax_walk_list called with DAX_WALK_CONFIGURED. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone test nsd_zone_config_added: calling add update of dependent entities for zone: test nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone 1 nsd_zone_config_added: calling add update of dependent entities for zone: 1 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone 12 nsd_zone_config_added: calling add update of dependent entities for zone: 12 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone 3 nsd_zone_config_added: calling add update of dependent entities for zone: 3 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. 
nsd_zone_process_config_changed: Assigned screen id 65535 to zone 4 nsd_zone_config_added: calling add update of dependent entities for zone: 4 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone 5 nsd_zone_config_added: calling add update of dependent entities for zone: 5 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone 6 nsd_zone_config_added: calling add update of dependent entities for zone: 6 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone 7 nsd_zone_config_added: calling add update of dependent entities for zone: 7 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. 
nsd_zone_process_config_changed: Assigned screen id 65535 to zone 8 nsd_zone_config_added: calling add update of dependent entities for zone: 8 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone 9 nsd_zone_config_added: calling add update of dependent entities for zone: 9 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone 10 nsd_zone_config_added: calling add update of dependent entities for zone: 10 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. nsd_zone_process_config_changed: Assigned screen id 65535 to zone 11 nsd_zone_config_added: calling add update of dependent entities for zone: 11 nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_security_changed_cb.. 
nsd_zone_process_config_changed: Assigned screen id 65535 to zone junos-global nsd_zone_config_added: calling add update of dependent entities for zone: junos-global nsd_zone_interface_add_update: nsd_zone_interfaces_parse: nsd_zone_interface_all_deleted: nsd_zone_config_added: NSD current mode 0 nsd_zone_address_book_add_update: processing security zoneaddress-book add update. check_only is 1 processing security zone address-book. nsd_zone_process_zones: Number of security zones configured (12); Maximum supported for this platform (12); zone_tree count (13) Reading security application config. ssg_nsd_nat_config_read() (check_only:1). ssg_nat_dst_config_read: check_only:1 ssg_nat_dst_config_read: no 'destination-nat' configured! ssg_nat_src_config_read: check_only:1 ssg_nat_static_config_read: check_only:1 ssg_nat_static_config_read: no 'static-nat' configured! ssg_nsd_nat_config_read() exits with status: TRUE. reading security alg config reading security alg h323 config reading security alg h323 endpoint-registration-timeout 3600 reading security alg h323 application-screen message-flood gatekeeper threshold = 1000 reading security alg mgcp config reading security alg mgcp transaction-timeout = 30 reading security alg mgcp maximum-call-duration = 720 reading security alg mgcp inactive-media-timeout = 120 reading security alg mgcp application-screen message-flood threshold = 1000 reading security alg mgcp application-screen connection-flood threshold = 200 reading security alg sccp config reading security alg sccp inactive-media-timeout = 120 reading security alg sccp application-screen call-flood threshold = 20 reading security alg sip config reading security alg sip maximum-call-duration = 720 reading security alg sip inactive-media-timeout = 120 reading security alg sip t1-interval = 500 reading security alg sip t4-interval = 5 reading security alg sip c-timeout = 3 reading security alg sip application-screen protect deny timeout = 5 check for security alg 
passed Going to read [security flow] tree Going to read [security flow traceoptions] traceoptions flag Read [security flow traceoptions config] = 2 trace flag 0x4 Read [security flow tcp-sessionsyn-flood-protection-mode] = 1 Getting [flow aging] config blob from ssam flow_ssam_get_obj_config: Config blob [flow aging] fetched ssam-low-wm:100, ssam-high-wm:100, low-wm:100, high-wm:100 [security flow] config read successfully [security flow] config read successfully Using default security forwarding-options ipv6_security 0, inet6 mode 3 Forwarding options: inet 2, inet6 3, mpls 3, iso 3 could not find security resmgr path - no resmgr config set check for security resmgr passed Reading security scheduler config. Could not find security-scheduler path Reading security policy config. processing security polices. NSD-POLICY::processing security polices from-zone. NSD-POLICY::processing security polices from-zone name test NSD-POLICY::processing security polices to-zone name 1 NSD-POLICY::processing security polices from-zone [test] to-zone [1] policy [p2], id [-1] NSD-POLICY::processing security polices from-zone [test] to-zone [1] policy [p2] Match NSD-POLICY::processing security polices from-zone [test] to-zone [1] policy [p2] Action NSD-POLICY::processing security polices then deny [1] get_address_from_zone_handle: address any, zone 0x9a1300: test get_address_from_zone_handle: address any, zone 0x9a1400: 1 NSD-POLICY::processing security polices from-zone [test] to-zone [1] policy [p1], id [-1] NSD-POLICY::processing security polices from-zone [test] to-zone [1] policy [p1] Match NSD-POLICY::processing security polices from-zone [test] to-zone [1] policy [p1] Action get_address_from_zone_handle: address any, zone 0x9a1300: test get_address_from_zone_handle: address any, zone 0x9a1400: 1 Policy Capacity Limits (Current Value / Limit):
-----------------------------------------------
Number of Policies = (2 / 512)
Number of Policy Contexts = (0 / 128)
Maximum Policies per Context = (2 / 512)
Maximum Statistics Counter = (0 / 256)
Maximum Source Address per Policy = (1 / 1024)
Maximum Destination Address per Policy = (1 / 1024)
Maximum Application per Policy = (1 / 128)
Dynamic Policy Enabled!!!! reading security host config reading security host http = 80 reading security host https = 443 check for security host passed could not find services rpm probe-server path check for services rpm passed could not find host reverse telnet/SSH no host config set check for security host passed nsd_ids_config_post_process: ******* ****** nsd_shm_dump_host_details: Dumping shm_tree ****** ****** nsd_shm_dump_host_details: END of HOST entries ****** ssg_nsd_nat_config_post_process: begin. ssg_nat_dst_config_post_process(...) ssg_nat_src_config_post_process (...) ssg_nat_static_config_post_process(...) snmp_clean_ssg_src_nat_tree: clean tree snmp_clean_nat_rule_hit_tree: clean tree snmp_clean_nat_pool_hit_tree: clean tree nsd_ri_tree_delete: begin to delete intf_ri_tree nsd_ri_tree_delete: begin to delete ri_tree Scheduler cleanup done. Security policy config cleanup. NSD configuration processing successfull. NSD_MEMORY_STAT::NSD_FW::nsd_fw_parse_config(): END - Amount of memory used 0 bytes, #of allocation 0, #of de-allocation 0 nsd_ids_destroy: ******* ssg_nat_dst_config_destroy: ssg_nat_dst_cfg_cb_destroy: ssg_nat_dst_tree_destroy: nat_rule_set_ctx_tree_destroy ssg_nat_dst_pool_tree_destroy ssg_nat_src_config_destroy: ssg_nat_src_cfg_cb_destroy: ssg_nat_src_tree_destroy nat_rule_set_ctx_tree_destroy ssg_nat_src_pool_ext_tree_destroy ssg_nat_src_pool_tree_destroy ssg_nat_static_config_destroy: ssg_nat_static_cfg_cb_destroy: ssg_nat_static_tree_destroy: nat_rule_set_ctx_tree_destroy nat_static_addr_tree_destroy(...) ssg_nat_used_ctx_tree_destroy NSD-GPRS-DEBUG:gprs_uidpool_destroy, 39
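Because the check-only log prints each resource as "(current / limit)" and the zone count as "configured (N); Maximum supported for this platform (M)", it can be parsed to flag a platform that is about to hit a capacity ceiling before the commit fails. The script below is an added example, not part of this article or of Junos; it runs over a constructed excerpt of the output shown above (the srx210h with 12 of 12 zones in use), and the 90% warning threshold is an assumed value.

```python
import re

# Constructed excerpt of the 'show log nsd_chk_only' output shown in this article.
SAMPLE_LOG = """\
Model Name = srx210h
nsd_zone_process_zones: Number of security zones configured (12); Maximum supported for this platform (12); zone_tree count (13)
Policy Capacity Limits (Current Value / Limit):
-----------------------------------------------
Number of Policies = (2 / 512)
Number of Policy Contexts = (0 / 128)
Maximum Policies per Context = (2 / 512)
Maximum Statistics Counter = (0 / 256)
Maximum Source Address per Policy = (1 / 1024)
Maximum Destination Address per Policy = (1 / 1024)
Maximum Application per Policy = (1 / 128)
Dynamic Policy Enabled!!!! NSD configuration processing successfull.
"""

CAPACITY_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) = \((?P<cur>\d+) / (?P<max>\d+)\)$")
ZONE_RE = re.compile(r"security zones configured \((\d+)\); Maximum supported for this platform \((\d+)\)")
MODEL_RE = re.compile(r"^Model Name = (\S+)$")

def parse_capacity(log_text):
    """Return (model, {resource: (current, limit)}, check_passed) from an nsd_chk_only log."""
    model, usage = None, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = MODEL_RE.match(line)
        if m:
            model = m.group(1)
        m = CAPACITY_RE.match(line)          # lines of the form "Name = (cur / limit)"
        if m:
            usage[m.group("name")] = (int(m.group("cur")), int(m.group("max")))
        m = ZONE_RE.search(line)             # zone count is reported in a different shape
        if m:
            usage["Security Zones"] = (int(m.group(1)), int(m.group(2)))
    # The daemon spells "successfull" with two l's; matching the prefix covers both spellings.
    passed = "NSD configuration processing successful" in log_text
    return model, usage, passed

def near_limit(usage, pct=90):
    """Resources whose current value is at or above pct% of the platform limit."""
    return sorted(n for n, (cur, mx) in usage.items() if mx and cur * 100 >= mx * pct)

if __name__ == "__main__":
    model, usage, passed = parse_capacity(SAMPLE_LOG)
    print(model, "commit check passed" if passed else "commit check FAILED")
    for name in near_limit(usage):
        print(f"WARNING: {name} at {usage[name][0]}/{usage[name][1]} on {model}")
```

On the excerpt above the only warning is for Security Zones (12/12), which matches the hard zone limit the log prints for this platform.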