
[ScreenOS] How do I capture debugging (debug flow) information?



Article ID: KB5536 KB Last Updated: 10 Aug 2018 Version: 11.0

The Debug utility can help troubleshoot traffic flow issues for many different traffic types.  This article explains how to run debug flow basic and other debug options.



  • Debugging Primer
  • debug flow
  • set ffilter

When contacting support, debugging information may be requested to further troubleshoot a problem.  Use the following procedure to obtain debugging information:

  1. Connect or Telnet to the Juniper Firewall device.

  2. Turn on the dbuf buffer.  This sets up the portion of memory required to hold the debug information. When troubleshooting the firewall, the output of the debug is directed either to the console or to a buffer. Usually, the debugging information should go to the buffer, as opposed to the console. Sending information to the console is resource intensive and can cause performance problems if too much debugging information is sent. The alternative is to send the data to a buffer called dbuf.

    From the command line interface (CLI):
    set console dbuf
  3. Check the dbuf size with the following command:
    fw->  get dbuf info
    count: 0, last index: 0, cur index: 0, size: 1048576
    start: 0, pause: 0

    With ScreenOS, we can increase the dbuf size up to 4 MB by using the following command:

    fw-> set db size
                 size in kilobytes of debug buffer [from 32 to 4096]
    fw-> set db size 4096
  4. Set the parameters for debugging.  This is important.  Specify what information is to be captured in the debug.  Capturing too much information can overload the CPU of the Firewall.  For additional information, refer to KB6709 - Understanding debug flow filters

    From the CLI:

    fw-> set ffilter ?

    dst-ip               flow filter dst ip
    dst-port             flow filter dst port
    ip-proto             flow filter ip proto
    src-ip               flow filter src ip
    src-port             flow filter src port
    ns100-> set ffilter

    These are the options available to filter a debug.


    Example: you are trying to find out why a PC, identified by its IP address, on the local network cannot get out to the Internet.  Set up a filter so the debug will show what happens when that PC tries to communicate with the Internet:

    set ffilter src-ip

    The Firewall will perform a debug on the data coming from the source IP of

    Note: Keep in mind that these parameters apply to the outermost IP header, so if the packets are encapsulated in a VPN tunnel, then you may not capture those packets in the tunnel, unless you also add filters for the VPN tunnel.

  5. Turn on the debug flow.  This will display information related to the flow of traffic through the box.  There are three levels of debug flow:

    - basic
    - all
    - drop

    For most cases, debug flow basic should be sufficient.  From the CLI:

    debug flow basic 

    Use the 'debug flow drop' command to see dropped or denied packets (including those that did not make it to the policy engine).  This gives you detailed information about all packets that try to pass through the firewall but are dropped for some reason.  Policy logs are only written if a session is completed, so this debug gives you the drop information when a session does not get created.

    debug flow drop

    For information on common debug types, refer to  KB6721 - What are the common Debug types?

  6. After traffic has flowed through the firewall and failed, turn off the debug.  Press the <esc> key, or from the CLI:

    undebug all

    You can check the output of the debug from the CLI:


    fw-> get dbuf stream
    ****** 77681977.0: <Untrust/ethernet0/0> packet received [44]******
      ipid = 7607(1db7), @05ee3254
      packet passed sanity check.
      flow_decap_vector IPv4 process
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      chose interface ethernet0/0 as incoming nat if.

    To clear the contents of the debug buffer, use the 'clear db' command.
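
Once the buffer has been captured, the `get dbuf stream` text can be post-processed offline. The following added example (not part of the original article or of any Juniper tooling) splits that output into per-packet records and lists the packets for which no existing session was found; the header and `ipid` line formats are inferred from the single sample above, and the second sample record is constructed.

```python
import re

# Line shapes are inferred from the one sample in this article (assumption);
# other ScreenOS releases may format them differently.
HEADER = re.compile(r"^\*+\s*(?P<ts>\d+\.\d+):\s*<(?P<zone>[^/>]+)/(?P<ifname>[^>]+)>"
                    r"\s*packet received \[(?P<length>\d+)\]\*+\s*$")
IPID = re.compile(r"ipid = (?P<dec>\d+)\((?P<hex>[0-9a-fA-F]+)\)")

# Constructed sample: the first record is the article's output, the second
# reuses the same line shapes with made-up values.
SAMPLE = """\
fw-> get dbuf stream
****** 77681977.0: <Untrust/ethernet0/0> packet received [44]******
  ipid = 7607(1db7), @05ee3254
  packet passed sanity check.
  flow_decap_vector IPv4 process
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
****** 77681979.0: <Trust/ethernet0/1> packet received [60]******
  ipid = 7608(1db8), @05ee3a54
  packet passed sanity check.
"""


def parse_dbuf(text):
    """Split 'get dbuf stream' output into one dict per received packet."""
    packets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"ts": float(m["ts"]), "zone": m["zone"], "ifname": m["ifname"],
                       "length": int(m["length"]), "ipid": None, "events": []}
            packets.append(current)
        elif current is not None and line:
            i = IPID.search(line)
            # Decimal and hex IP IDs must agree; a mismatch (garbled or
            # truncated capture) leaves ipid as None.
            if i and int(i["dec"]) == int(i["hex"], 16):
                current["ipid"] = int(i["dec"])
            elif not i:
                current["events"].append(line)
    return packets


def new_flow_packets(packets):
    """Packets for which the firewall reported no existing session."""
    return [p for p in packets if "no session found" in p["events"]]
```
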

Modification History:

2018-08-09: Minor non-technical edits.

2017-12-07: Replaced the old debug output with new one. Tagged for ScreenOS. Added command for clearing DB.
