
[IDP] Data Collection Checklist - Logs/data to collect for troubleshooting IDP on IDP Series, SRX Series, and ISG Series

  [KB27231]


Summary:

This document lists what information should be collected when there is a problem on one of the following Juniper devices running IDP (Intrusion Detection and Prevention):

  • IDP Series
  • SRX Series running IDP
  • ISG Series running IDP


Symptoms:

What information should I collect to assist in troubleshooting prior to opening a case?

The goal of this document is to reduce the time spent on initial data collection and reduce time to resolve by providing a comprehensive list of what to collect or gather to troubleshoot an issue.



Cause:

Solution:

Collect the following data for your device.  Either attach the data to your case or securely transfer the data using these instructions: KB23337 - How to upload large files to a JTAC Case


IDP Series - IDP75, IDP250, IDP800, or IDP8200:

tech-support -
This will pull the configuration, recent logs, stats, etc.

Core files -
Check the /var/idp/device/corefiles directory for the presence of files. If core files are present, then collect those.

Entire logs directory -
As the tech-support only grabs recent logs, if the problem has been occurring for a period of time, you may need to get all the logs. Get them as follows:
cd /var/idp/device/sysinfo
tar -cf logs_archive logs

Packet captures (pcaps) -
If relevant, get any necessary pcaps for traffic reproduction.
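The IDP Series steps above (check /var/idp/device/corefiles for core files, then archive the whole logs directory) can be scripted so that the same bundle is produced every time. The following POSIX sh script is an added example, not part of this KB or a Juniper tool; it assumes the /var/idp/device layout named above and takes the base directory as an optional first argument so it can be exercised on a copy of the tree. The tech-support output is still collected separately, as described in the KB.

```shell
#!/bin/sh
# Added example (not Juniper's code): bundle IDP Series core files and the
# full logs directory into one timestamped tar for attachment to a JTAC case.
# Paths follow the KB: $BASE/corefiles and $BASE/sysinfo/logs, with
# BASE defaulting to /var/idp/device. Core file names are assumed to
# contain no whitespace (the member list below is word-split on purpose).

# Print each regular file under $1/corefiles, one per line.
# Returns 0 if at least one core file exists, 1 otherwise.
idp_list_cores() {
    base="${1:-/var/idp/device}"
    dir="$base/corefiles"
    [ -d "$dir" ] || return 1
    found=0
    for f in "$dir"/*; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Create a tar containing sysinfo/logs (the KB's "tar -cf logs_archive logs",
# run with -C so member paths stay relative) plus every core file found.
# $1 = base dir (default /var/idp/device), $2 = output archive (default
# a timestamped file under /var/tmp). Prints the archive path on success.
idp_bundle() {
    base="${1:-/var/idp/device}"
    out="${2:-/var/tmp/idp_bundle_$(date +%Y%m%d_%H%M%S).tar}"
    if [ ! -d "$base/sysinfo/logs" ]; then
        echo "idp_bundle: $base/sysinfo/logs not found" >&2
        return 1
    fi
    members="sysinfo/logs"
    if [ -d "$base/corefiles" ]; then
        for f in "$base/corefiles"/*; do
            if [ -f "$f" ]; then
                members="$members corefiles/$(basename "$f")"
            fi
        done
    fi
    # Intentional word splitting of $members: one tar member per word.
    tar -cf "$out" -C "$base" $members || return 1
    printf '%s\n' "$out"
}

# Usage on the appliance (run as a user that can read /var/idp/device):
#   idp_list_cores            # see whether any core files are present
#   idp_bundle                # write /var/tmp/idp_bundle_<timestamp>.tar
```

The bundle keeps member paths relative to the base directory, so the archive lists as sysinfo/logs/... and corefiles/..., which makes it obvious to whoever opens the case which directory each file came from.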


SRX Series running IDP:

request support information | no-more -
Log your SSH session and enter this in operational mode at the Junos CLI to pull the configuration and statistics from the time it was requested.

show system core-dumps -
Enter this command in operational mode at the Junos CLI to see if core dumps were generated. If core dumps are present, then collect those.

Entire logs directory -
The SRX writes and archives many logs, and it is good to have all of them. Archive the logs as follows from the CLI:
root@host> start shell
root@host% cd /var/log
root@host% tar -cf varlogs.tar *

Packet captures (pcaps) -
If relevant, get any necessary pcaps for traffic reproduction.



ISG1000 or ISG2000 running IDP:

get tech -
This is the ISG equivalent of the request support information (RSI) output on the SRX. Log your SSH session and issue this and the next command.

get sm-ctx tech -
This is the tech-support file for the IDP security modules.

Core files -
Enter exec sm <#> ksh "ls -l /idp/log" (where <#> is the security module number, for example 3) to look for .core files. To TFTP the core files to a TFTP server, enter the following command:
# exec sm <#> save tftp <tftp-ip> <filename> from /idp/log/engine.core

Logs -
In the event of a policy push failure or a similar problem, there may be some useful information in sloginfo. Enter the following command after enabling SSH session logging:
# exec sm <#> ksh "sloginfo"
For more information, see KB10738 - Troubleshooting ISG/IDP policy push failures.

Packet captures (pcaps) -
If relevant, get any necessary pcaps for traffic reproduction.


Related Links: