Troubleshooting Basics: debug and snoop

Basic Debugs
- Traffic Not Passing - debug flow basic
- VPN Not Working - debug ike detail
- Everything Else! - debug ?
- The Snoop Tool - snoop ?

Flow Debugger Basics
- Never send the debug to the console!
    set console dbuf
- Always use a flow filter!
    set ffilter ?
- The flow filter uses an OR algorithm. You can set multiple filters and it will filter any traffic that fits any of the filters.
- To turn the flow debugger ON/OFF:
    debug/undebug flow basic
- Try to run debugs only during scheduled downtimes.

Flow Debugger Example, ICMP request
    * 997629.0: packet received 60*
    ipid = 5359(14ef), 03c9f550
    packet passed sanity check.
    trust:05/4608-51/512,1(8/0)
    chose interface trust as incoming nat if.
    search route to (trust, 05-51) in vr trust-vr for vsd-0/flag-0/ifp-null
    Dest 2.route 51-, to untrust
    routed (51, 0.0.0.0) from trust (trust in 0) to untrust
    policy search from zone 2- zone 1
    No SW RPC rule match, search HW rule
    Permitted by policy 9
    No src xlate
    choose interface untrust as outgoing phy if
    no loop on ifp untrust.
    session application type 0, name None, timeout 60sec
    service lookup identified service 0.
    Session (id:818) created for first pak 1
    route to 51
    arp entry found for 51
    nsp2 wing prepared, ready
    cache mac in the session
    flow got session.
    flow session id 818
    post addr xlation: 05-51.

Flow Debugger Example, ICMP Response
    * 997629.0: packet received 60*
    ipid = 29278(725e), 03c391d0
    packet passed sanity check.
    untrust:51/512-05/4608,1(0/0)
    existing session found. sess token 3
    flow got session.
    flow session id 818
    post addr xlation: 51-05.

IKE Debugger Basics
- For simplicity, try to initiate only 1 IKE tunnel at a time.
- Always send the debug to the buffer
    set console dbuf
- To turn the debugger ON/OFF:
    debug ike basic/debug ike detail
- Try to run the debug during a scheduled downtime

IKE Debug Example, P1: Initiator
    IKE * Recv kernel msg IDX-0, TYPE-5 *
    IKE Phase 1: Initiated negotiation in main mode. 08
    IKE Construct ISAKMP header.
    IKE Construct SA for ISAKMP
    IKE Construct NetScreen VID
    IKE Construct custom VID
    IKE Xmit : SA VID VID
    IKE * Recv packet if of vsys *
    IKE Recv : SA VID VID
    IKE Process VID:
    IKE Process VID:
    IKE Process SA:
    IKE Construct ISAKMP header.
    IKE Construct KE for ISAKMP
    IKE Construct NONCE
    IKE Xmit : KE NONCE
    IKE * Recv packet if of vsys *
    IKE Recv : KE NONCE
    IKE Process KE:
    IKE Process NONCE:
    IKE Construct ISAKMP header.
    IKE Construct ID for ISAKMP
    IKE Construct HASH
    IKE Xmit*: ID HASH
    IKE * Recv packet if of vsys *
    IKE Recv*: ID HASH
    IKE Process ID:
    IKE Process HASH:
    IKE Phase 1: Completed Main mode negotiation with a -second lifetime.

IKE Debug Example, P2: Initiator
    IKE Phase 2: Initiated Quick Mode negotiation.
    IKE Construct ISAKMP header.
    IKE Construct HASH
    IKE Construct SA for IPSEC
    IKE Construct NONCE for IPSec
    IKE Construct KE for PFS
    IKE Construct ID for Phase 2
    IKE Construct ID for Phase 2
    IKE Xmit*: HASH SA NONCE KE ID ID
    IKE * Recv packet if of vsys *
    IKE Recv*: HASH SA NONCE KE ID ID
    IKE Process SA:
    IKE Process KE:
    IKE Process NONCE:
    IKE Process ID:
    IKE Process ID:
    IKE Phase 2 msg-id : Completed Quick Mode negotiation with SPI , tunnel ID , and lifetime seconds/ KB.
    IKE Construct ISAKMP header.
    IKE Construct HASH in QM
    IKE Xmit*: HASH

IKE Debug Example, P1: Responder
    IKE * Recv packet if of vsys *
    IKE Recv : SA VID VID
    IKE Process VID:
    IKE Process VID:
    IKE Process SA:
    IKE Construct ISAKMP header.
    IKE Construct SA for ISAKMP
    IKE Construct NetScreen VID
    IKE Construct custom VID
    IKE Xmit : SA VID VID
    IKE * Recv packet if of vsys *
    IKE Recv : KE NONCE
    IKE Process KE:
    IKE Process NONCE:
    IKE Construct ISAKMP header.
    IKE Construct KE for ISAKMP
    IKE Construct NONCE
    IKE Xmit : KE NONCE
    IKE * Recv packet if of vsys *
    IKE Recv*: ID HASH
    IKE Process ID:
    IKE Process HASH:
    IKE Construct ISAKMP header.
    IKE Construct ID for ISAKMP
    IKE Construct HASH
    IKE Xmit*: ID HASH
    IKE Phase 1: Completed Main mode negotiation with a -second lifetime.

IKE Debug Example, P2: Responder
    IKE * Recv packet if of vsys *
    IKE Recv*: HASH SA NONCE KE ID ID
    IKE Process SA:
    IKE Process KE:
    IKE Process NONCE:
    IKE Process ID:
    IKE Process ID:
    IKE Construct ISAKMP header.
    IKE Construct HASH
    IKE Construct SA for IPSEC
    IKE Construct NONCE for IPSec
    IKE Construct KE for PFS
    IKE Construct ID for Phase 2
    IKE Construct ID for Phase 2
    IKE Xmit*: HASH SA NONCE KE ID ID
    IKE * Recv packet if of vsys *
    IKE Recv*: HASH
    IKE Phase 2 msg-id : Completed Quick Mode negotiation with SPI , tunnel ID , and lifetime seconds/ KB.

Debug ?
    admin           debug admin
    arp             arp debugging
    asp             ASP debugging
    asset-recovery  asset recovery debugging
    auth            user authentication debugging
    autocfg         Auto config debugging
    av              AntiVirus debugging
    bgp             bgp debugging
    cluster         command propagated to cluster members
    cpapi           cpapi debugging
    dhcp            debug dhcp
    dip             dip debugging
    dlog            dlog debugging
    dns             dns debugging
    driver          driver debugging
    emweb           EmWeb debugging
    filesys         Filesys debugging
    flash           flash operating debugging
    flow            Flow level debugging
    flow-tunnel     Flow Tunnel debugging
    fs              file system debugging
    gc              gc receive and transmit debug
    gdb             GDB debugging
    global-pro      global-pro debugging
    gt              generic tunnel debugging
    gtmac           gtmac debug
    h323            h323 debugging
    httpfx          http-fx debugging
    icmp            icmp debugging
    idp             set idp debug parameters
    ids             ids debugging
    igmp            igmp debugging
    ike             ike debugging
    interface       interface debugging
    intfe           Intfe debugging
    ip              ip debugging
    ixf             ixf debug
    l2tp            L2TP debugging
    lance           Lance debugging
    ldap            ldap debug menu
    logging         logging debugging
    memory          Memory debugging
    mip             mip debugging
    modem           Moden debugging
    nasa            nasa debugging
    nat             nat debugging
    netif           netif debugging
    npak            npak debugging
    nrtp            Reliable Xfer Protocol debugging
    nsgp            debug nsgp
    nsmgmt          debug nsmgmt
    nsp             NSM NSP message content
    nsrd            NSRD debugging
    nsrp            debug nsrp
    obj-id          obj id debugging
    ospf            ospf debugging
    pccard          Pccard debugging
    pim             pim debugging
    pki             pki debug menu
    pluto           Pluto debugging
    policy          policy debugging
    portnum         portnum debugging
    ppcdrv          driver debugging
    ppp             ppp debugging
    pppoe           pppoe debugging
    proxy           tcp proxy debugging
    rd              rd debug info
    report          report debugging
    rip             rip debugging
    rm              rm debugging
    rms             rms debug info
    rpc             rpc debugging
    rs              rs debug info
    sa-mon          sa monitor debugging
    scan-mgr        scan manager debugging
    sendmail        sendmail debugging
    session         session debugging
    shaper          debug shaper
    sip             sip debugging
    snmp            snmpnew debugging
    socket          socket debug
    ssh             debug ssh
    ssl             ssl debugging
    stflow          saturn flow debug info
    sw-key          software key debugging
    syslog          syslog debugging
    tag             tag info
    task            Task debugging
    tcp             tcp debug
    telnet          debug telnet
    time            device clock time debugging
    timer           Timer debugging
    trackip         debug trackip
    traffic         traffic control debugging
    udp             udp debugging
    uf              UF debugging
    url-blk         url filtering debugging
    user            user/group database debugging
    vip             vip debugging
    vr              vritual router debugging
    vsys            vsys debugging
    vwire           VWIRE debugging
    web             WebUI debugging
    webtrends       webtrends debugging
    zone            zone debugging
- Some debugs do not flow to the buffer
- Many not tested or minimally tested
- Try to run the debug during scheduled downtimes

Debug Flow vs. Snoop
Debug Flow
- Sampled at higher flow level
- Provides information about how the NetScreen processes a packet
- Can be used to debug higher level flow problems
Snoop
- Sampled at lower driver level
- Provides information as to whether a packet reached the NetScreen's interface
- Can be used to debug very basic IP/Ethernet level problems.
The snoop tool should be used when the debug tool is showing that no packets are being processed, yet you are certain that data is reaching the NetScreen.

Snoop Basics
- Always send snoop to the debug buffer
- To turn the snoop on/off:
    ns5gt- snoop
    Start Snoop, type ESC or snoop off to stop, continue? y/n y
- ALWAYS run the snoop during scheduled downtime!
- Always set a filter on the Snooper tool
    ns5gt- snoop ?
    detail    snoop detail configuration
    filter    snoop filter configuration
    info      show snoop information
    off       turn off snoop
Note: Snoop uses an AND algorithm in the filter.
    ns5gt- snoop filter ?
    delete    delete snoop filter
    ethernet  snoop specified ethernet
    id        snoop filter id
    ip        snoop ip packet
    off       turn off snoop filter
    on        turn on snoop filter
    tcp       snoop tcp packet
    udp       snoop udp packet

Snoop Example
    ns5gt- snoop info
    Snoop: ON
    Filters Defined: 2, Active Filters 2
    Detail: OFF, Detail Display length: 96
    Snoop filter based on:
    id 1(on): IP src-ip 05 dst-ip 51 dir(B)
    id 2(on): IP src-ip 51 dst-ip 05 dir(B)

Snoop Example
    ns5gt- get db s 999
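Added example (not part of the original slides): a small Python parser that groups a saved flow-debug buffer by packet and reports, using only message strings that appear in the two ICMP traces above, whether each packet created a session, matched an existing one, or did neither. The sample buffer is constructed, and its third packet is invented to show the case that deserves a full read; the function names are illustrative.

```python
import re

# Constructed sample modelled on the ICMP traces above. Lines are trimmed to
# the ones the parser reads; the third packet is invented for illustration.
SAMPLE_DBUF = """\
* 997629.0: packet received 60*
ipid = 5359(14ef), 03c9f550
packet passed sanity check.
Permitted by policy 9
Session (id:818) created for first pak 1
flow session id 818
* 997629.0: packet received 60*
ipid = 29278(725e), 03c391d0
existing session found. sess token 3
flow session id 818
* 997630.0: packet received 60*
ipid = 5360(14f0), 03c9f990
packet passed sanity check.
"""

HEADER = re.compile(r"(\d+\.\d+): .*packet received")
POLICY = re.compile(r"Permitted by policy (\d+)")
CREATED = re.compile(r"Session \(id:(\d+)\) created")
SESSION = re.compile(r"flow session id (\d+)")

def summarize(dbuf):
    """Group debug-buffer lines into one record per 'packet received' header."""
    packets = []
    for line in dbuf.splitlines():
        m = HEADER.search(line)
        if m:
            packets.append({"time": m.group(1), "state": "no-session",
                            "policy": None, "session": None})
            continue
        if not packets:
            continue  # ignore anything before the first packet header
        pkt = packets[-1]
        if m := POLICY.search(line):
            pkt["policy"] = int(m.group(1))
        elif m := CREATED.search(line):
            pkt["state"], pkt["session"] = "new", int(m.group(1))
        elif "existing session found" in line:
            pkt["state"] = "existing"
        elif m := SESSION.search(line):
            pkt["session"] = int(m.group(1))
    return packets

def needs_review(packets):
    """Packets whose trace shows neither a new nor an existing session."""
    return [p for p in packets if p["state"] == "no-session"]
```

Pass the text saved from the debug buffer to `summarize()` in place of `SAMPLE_DBUF`; packets returned by `needs_review()` are the ones whose full trace should be read line by line.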