Which trace-options to use for troubleshooting SKYATP issues on SRX/vSRX devices

Article ID: KB31794 | KB Last Updated: 23 Jun 2017 | Version: 1.0
Summary:

This article discusses the different debugging options for common issues that are seen with SKYATP on SRX/vSRX devices.

Some common issues include:

  • Issues with advanced-anti-malware service
  • Issues with certificates
  • Issues with SSL proxy
  • Traffic flow issues

Solution:

Advanced-anti-malware

For issues with SKYATP enrollment, or when services are not running as expected, use the trace options for the advanced-anti-malware service:
  • Enabling trace options

    set services advanced-anti-malware traceoptions file skyatp.log
    set services advanced-anti-malware traceoptions file size 100M
    set services advanced-anti-malware traceoptions level all
    set services advanced-anti-malware traceoptions flag all
    commit
    
  • Viewing the logs

    run show log skyatp.log
    

Security PKI

For issues related to the certificates that the device uses for SKYATP communication, configure public key infrastructure (PKI) trace options:
  • Enabling trace options

    set security pki traceoptions file pki.log
    set security pki traceoptions flag all
    commit
    
  • Viewing the logs

    run show log pki.log
    

SSL Proxy

For SSL proxy, debug tracing on both the Routing Engine (RE) and the Packet Forwarding Engine (PFE) can be enabled with the following configuration. You can enable logs in the SSL proxy profile to get to the root cause of the drop.
  • Enabling trace options

    set services ssl traceoptions file ssl.log
    set services ssl traceoptions file size 100m
    set services ssl traceoptions flag all
    commit
    
  • Viewing the logs

    run show log ssl.log

Flow Trace Options

Set flow trace options to troubleshoot traffic flowing through your SRX/vSRX Series device when SKYATP is enabled. Refer to KB16233 - [SRX] How to use 'flow traceoptions' and the 'security datapath-debug'.

We recommend checking the message logs (show log messages) on the device as well as logs on the SKYATP portal to understand the issue and troubleshoot further.
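
The following Python script is an added example, not part of the original article or of Juniper's tooling. Once troubleshooting is done, it checks which of the trace options enabled above are still configured and builds the commands to remove them. It assumes the input is the text output of `show configuration | display set`; the sample configuration and the function names are constructed for illustration.

```python
import re

# Trace hierarchies enabled by the set commands in this article.
TRACE_PATHS = (
    "services advanced-anti-malware",
    "security pki",
    "services ssl",
)
# Keywords that can follow "file" and are not a file name.
FILE_OPTIONS = {"size", "files", "world-readable", "no-world-readable"}
_SET_RE = re.compile(r"^set (?P<path>.+?) traceoptions (?P<rest>.+)$")

# Constructed sample of "show configuration | display set" output.
SAMPLE = """\
set system host-name srx-lab
set services advanced-anti-malware traceoptions file skyatp.log
set services advanced-anti-malware traceoptions file size 100M
set services advanced-anti-malware traceoptions level all
set services advanced-anti-malware traceoptions flag all
set services ssl traceoptions file ssl.log
set services ssl traceoptions flag all
"""


def find_trace_config(display_set_text):
    """Return {hierarchy: {"file": name, "flag_all": bool}} for tracing still set."""
    found = {}
    for raw in display_set_text.splitlines():
        m = _SET_RE.match(raw.strip())
        if not m or m.group("path") not in TRACE_PATHS:
            continue
        entry = found.setdefault(m.group("path"), {"file": None, "flag_all": False})
        words = m.group("rest").split()
        if words[0] == "file" and len(words) > 1 and words[1] not in FILE_OPTIONS:
            entry["file"] = words[1]
        elif words[:2] == ["flag", "all"]:
            entry["flag_all"] = True
    return found


def cleanup_commands(found):
    """Build the configuration-mode commands that remove the tracing found."""
    cmds = [f"delete {path} traceoptions" for path in TRACE_PATHS if path in found]
    return cmds + ["commit"] if cmds else []


if __name__ == "__main__":
    for line in cleanup_commands(find_trace_config(SAMPLE)):
        print(line)
```
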
 