[ScreenOS] How do I capture debugging (debug flow) information?
Article ID: KB5536   KB Last Updated: 03 Sep 2020   Version: 12.0
Summary:

The Debug utility can help troubleshoot traffic flow issues for many different traffic types. This article explains how to run debug flow basic and other debug options.


Symptoms:

Environment:

  • Debugging Primer

  • debug flow

  • set ffilter

  • How to take debug captures


Solution:

When contacting Support, debugging information may be requested to further troubleshoot a problem. Use the following procedure to obtain debugging information:

  1. Connect or Telnet to the Juniper Firewall device.

  2. Turn on the dbuf buffer. This reserves a portion of memory to hold the debug output. When troubleshooting the firewall, debug output is directed either to the console or to a buffer. It should normally go to the buffer rather than the console: writing to the console is resource intensive and can cause performance problems if too much debug output is sent there. The alternative is to send the data to a buffer called dbuf.

From the command line interface (CLI):

set console dbuf

  3. Check the dbuf size with the following command:

fw->  get dbuf info
count: 0, last index: 0, cur index: 0, size: 1048576
start: 0, pause: 0

With ScreenOS, the dbuf size can be increased to up to 4 MB with the following command:

fw-> set db size
<number>             size in kilobytes of debug buffer [from 32 to 4096]
fw-> set db size 4096
  4. Set the parameters for debugging. This step is important: specify exactly what information is to be captured, because capturing too much can overload the CPU of the firewall. For additional information, refer to KB6709 - Understanding debug flow filters.

From the CLI:

fw-> set ffilter ?

dst-ip               flow filter dst ip
dst-port             flow filter dst port
ip-proto             flow filter ip proto
src-ip               flow filter src ip
src-port             flow filter src port
ns100-> set ffilter

These are the options available to filter a debug.

Example:

Suppose you want to find out why a PC with IP address 192.168.10.50 on the local network cannot reach the Internet. Set up a filter so the debug shows what happens when that PC tries to communicate with the Internet:

set ffilter src-ip 192.168.10.50

The firewall will then debug only traffic coming from source IP 192.168.10.50.

Note: These parameters apply to the outermost IP header. If the packets are encapsulated in a VPN tunnel, you may not capture them unless you also add filters matching the tunnel endpoints.

  5. Turn on the debug flow. This displays information about the flow of traffic through the device. There are three levels of debug flow:

  • basic
  • all
  • drop

For most cases, debug flow basic should be sufficient. From the CLI:

debug flow basic 

Use the 'debug flow drop' command to see dropped or denied packets, including those that never reached the policy engine. This gives detailed information about every packet that tries to pass through the firewall but is dropped for some reason. Policy logs are written only when a session is created, so this debug is the way to see dropped packets for which no session was ever created.

debug flow drop

For information about common debug types, refer to  KB6721 - What are the common Debug types?

  6. After the traffic has passed through the firewall and failed, turn off the debug. Press <esc> or, from the CLI:

undebug all

You can check the output of the debug from the CLI:

Example:

fw-> get dbuf stream
****** 77681977.0: <Untrust/ethernet0/0> packet received [44]******
  ipid = 7607(1db7), @05ee3254
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.10.50/59523->4.2.2.2/3389,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.

To clear the contents of the debug buffer, use the 'clear db' command.
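The `get dbuf stream` output above is free text, and a capture taken with `debug flow basic` or `debug flow drop` on a busy firewall can run to thousands of records. The following Python script is an added example, not part of the original article and not ScreenOS code, that parses a saved dbuf capture into per-packet records (ingress zone and interface, 5-tuple, whether a session was found, whether the packet was dropped and why) and summarises them. The sample input is constructed: the first record is the one shown in the article, the second is an invented record for a packet denied by policy; the exact wording of the drop line and of the "existing session found" line in real ScreenOS output is assumed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `get dbuf stream` output. The first record is the one
# the article shows; the second is an invented record for a packet that reaches
# the policy engine and is denied (drop-line wording is an assumption).
SAMPLE_DBUF = """\
fw-> get dbuf stream
****** 77681977.0: <Untrust/ethernet0/0> packet received [44]******
  ipid = 7607(1db7), @05ee3254
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.10.50/59523->4.2.2.2/3389,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
****** 77681977.1: <Trust/ethernet0/1> packet received [60]******
  ipid = 7608(1db8), @05ee3300
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/1:192.168.10.50/59524->4.2.2.2/80,6<Root>
  no session found
  packet dropped, denied by policy
"""

# Record header: "****** <timestamp>: <zone/interface> packet received [len]******"
HEADER_RE = re.compile(
    r"^\*{6} (?P<ts>[\d.]+): <(?P<zone>[^/>]+)/(?P<ifname>[^>]+)> "
    r"packet received \[(?P<length>\d+)\]\*{6}"
)
# 5-tuple line: "<in_if>:<src>/<sport>-><dst>/<dport>,<proto><vsys>"
TUPLE_RE = re.compile(
    r"^\s*(?P<in_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)<(?P<vsys>[^>]+)>"
)
# Assumed drop-line shape; the reason text after the comma is optional.
DROP_RE = re.compile(r"packet dropped(?:, (?P<reason>.+))?")


@dataclass
class FlowRecord:
    timestamp: str
    zone: str
    ifname: str
    length: int
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[int] = None
    vsys: Optional[str] = None
    session_found: Optional[bool] = None  # None if the record never said
    dropped: bool = False
    drop_reason: Optional[str] = None
    lines: List[str] = field(default_factory=list)  # raw detail lines


def parse_dbuf(text: str) -> List[FlowRecord]:
    """Split a dbuf capture into one FlowRecord per '****** ... ******' header."""
    records: List[FlowRecord] = []
    current: Optional[FlowRecord] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = FlowRecord(m["ts"], m["zone"], m["ifname"], int(m["length"]))
            records.append(current)
            continue
        if current is None:
            continue  # text before the first header, e.g. the CLI prompt
        line = raw.strip()
        current.lines.append(line)
        t = TUPLE_RE.match(raw)
        if t:
            current.src, current.dst = t["src"], t["dst"]
            current.sport, current.dport = int(t["sport"]), int(t["dport"])
            current.proto, current.vsys = int(t["proto"]), t["vsys"]
        elif line == "no session found":
            current.session_found = False
        elif line.startswith("existing session found"):  # assumed wording
            current.session_found = True
        else:
            d = DROP_RE.search(line)
            if d:
                current.dropped = True
                current.drop_reason = d["reason"]
    return records


def summarize(records: List[FlowRecord]) -> dict:
    """Counts a troubleshooter wants first: packets, new flows, drops, top flows."""
    by_flow = Counter(
        (r.src, r.dst, r.dport, r.proto) for r in records if r.src is not None
    )
    return {
        "packets": len(records),
        "new_flows": sum(1 for r in records if r.session_found is False),
        "dropped": sum(1 for r in records if r.dropped),
        "drop_reasons": Counter(r.drop_reason for r in records if r.dropped),
        "by_flow": by_flow,
    }


if __name__ == "__main__":
    recs = parse_dbuf(SAMPLE_DBUF)
    for r in recs:
        verdict = f"DROPPED ({r.drop_reason})" if r.dropped else "passed to flow"
        print(f"{r.timestamp} {r.zone}/{r.ifname} {r.src}:{r.sport} -> "
              f"{r.dst}:{r.dport} proto {r.proto}: {verdict}")
    print(summarize(recs))
```

Save the `get dbuf stream` output from the terminal session to a file and pass its contents to `parse_dbuf`; the `by_flow` counter then shows which (source, destination, port, protocol) combinations the capture actually contains, which is a quick check that the `set ffilter` settings matched the traffic you intended before the capture is sent to Support.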


Modification History:
  • 2020-09-03: Minor, non-technical edits

  • 2018-08-09: Minor non-technical edits

  • 2017-12-07: Replaced the old debug output with new one. Tagged for ScreenOS. Added command for clearing DB
