Debugging ScreenOS on Juniper Netscreen

This document explains in detail how to debug on a Netscreen firewall, including setting and clearing flow filters and starting a basic flow debug, and gives concrete command examples.


Debugging on the Netscreen wasn't all that obvious to me. Because I don't always work on Netscreens, here is a note to myself on how to do it.

Netscreen ScreenOS debug and how to do it right

Log into the CLI on the box.

Run 'get debug' to check whether any debugs are currently running.

netscreen(M)-> get debug flow
: basic
netscreen(M)->

This tells you that a 'flow basic' debug is already running. To turn it off press the 'Escape' key; the box confirms with 'All debug off' (the command 'undebug all' does the same thing).

netscreen(M)-> All debug off
netscreen(M)->

ScreenOS uses the idea of flow filters to define interesting traffic. That makes sense, because a firewall doesn't just handle packets, it handles flows for inspection, and a flow is made up of packets. With no filter set, 'debug flow basic' reports every packet the box forwards, so always set a filter first.

So now we need to set some flow filters:

netscreen(M)-> set ff src-ip 192.168.1.10
filter added
netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 195.232.226.225
id:1 src ip 195.232.226.226
id:2 src ip 192.168.1.10
netscreen(M)->

A 'get ff' displays the flow filters you have created. Note that the list can hold many entries, each with its own id.

netscreen(M)-> set ff ?
dst-ip flow filter dst ip
dst-port flow filter dst port
ip-proto flow filter ip proto
src-ip flow filter src ip
src-port flow filter src port
netscreen(M)->

If you need to clear the filters: 'unset ff' removes the entry with id 0 and renumbers the rest, so repeat it until 'get ff' lists nothing.

netscreen(M)-> unset ff
filter 0 removed
netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 195.232.226.226
id:1 src ip 192.168.1.10
netscreen(M)-> unset ff
filter 0 removed
netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 192.168.1.10
netscreen(M)->

You get the idea, I’m sure.

Now turn on the debug:

netscreen(M)-> debug flow basic

and check which debugs are turned on.

netscreen(M)-> get debug
flow: basic
netscreen(M)->

ScreenOS writes debug output to the debug buffer (dbuf). You can display it with 'get dbuf stream', abbreviated here as 'get db str':

netscreen(M)-> get db str
76:192.168.1.2/8411->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50294(c476), @e00c6918
packet passed sanity check.
flow packet already have session.
flow session id 286622
vsd 0 is active
flow_tcp_fin_vector()
post addr xlation: 10.33.248.81->10.102.151.20.
update policy out counter info. packet send out to 00000c07ac1f through ethernet2/1
**st: e00fd118: c477:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50295(c477), @e00fd118
packet passed sanity check.
flow packet already have session.
flow session id 286652
vsd 0 is active
Got ack, 192.168.1.2(33815)->192.168.200.25(7222), natpflag 0x200400, nspflag 0x1801, 0x1800, timeout=900
transfer packet to hardware.
**st: e00cd118: c49a:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50330(c49a), @e00cd118
packet passed sanity check.
flow packet already have session.
flow session id 286652
vsd 0 is active
flow_tcp_fin_vector()
post addr xlation: 10.33.248.81->10.102.151.20.
update policy out counter info. packet send out to 00000c07ac1f through ethernet2/1
**st: e009f918: c49d:192.168.1.2/8417->192.168.200.25/1c36,6,40

And that's it. Note that the ports in the '**st:' header lines are in hex: 8417 is TCP source port 33815 and 1c36 is destination port 7222, which is what the 'Got ack' line prints in decimal. The ipid is shown both ways, e.g. 50295(c477).
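To make the buffer easier to work with once it has been pulled off the box, here is an added example (written for this note, not code from the original author or from Juniper) that parses this 'get db str' output into per-packet records. It assumes only the line formats visible above: the '**st:' header with hex ipid and ports, 'flow session id', 'post addr xlation', 'packet send out to ... through ...' and 'transfer packet to hardware.'; anything else is kept as raw lines. The sample text is the two complete packet blocks and the trailing header copied from the output above.

```python
"""Parse 'get dbuf stream' output from 'debug flow basic' into per-packet records.

Added example for this note, not code from the page's author or from Juniper.
Assumes the line formats shown in the debug output on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample: the two complete packet blocks plus the trailing header line
# copied from the debug output shown above on this page.
SAMPLE = """\
**st: e00fd118: c477:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50295(c477), @e00fd118
packet passed sanity check.
flow packet already have session.
flow session id 286652
vsd 0 is active
Got ack, 192.168.1.2(33815)->192.168.200.25(7222), natpflag 0x200400, nspflag 0x1801, 0x1800, timeout=900
transfer packet to hardware.
**st: e00cd118: c49a:192.168.1.2/8417->192.168.200.25/1c36,6,40
****** 93412.0: packet received [40]******
ipid = 50330(c49a), @e00cd118
packet passed sanity check.
flow packet already have session.
flow session id 286652
vsd 0 is active
flow_tcp_fin_vector()
post addr xlation: 10.33.248.81->10.102.151.20.
update policy out counter info. packet send out to 00000c07ac1f through ethernet2/1
**st: e009f918: c49d:192.168.1.2/8417->192.168.200.25/1c36,6,40
"""

# Header: **st: <buffer addr>: <ipid hex>:<src>/<sport hex>-><dst>/<dport hex>,<proto>,<len>
HEADER = re.compile(
    r"^\*\*st: (?P<buf>[0-9a-f]+): (?P<ipid>[0-9a-f]+):"
    r"(?P<src>[\d.]+)/(?P<sport>[0-9a-f]+)->(?P<dst>[\d.]+)/(?P<dport>[0-9a-f]+),"
    r"(?P<proto>\d+),(?P<length>\d+)$"
)
SESSION = re.compile(r"^flow session id (\d+)$")
XLATE = re.compile(r"^post addr xlation: ([\d.]+)->([\d.]+)\.$")
EGRESS = re.compile(r"packet send out to ([0-9a-f]+) through (\S+)$")


@dataclass
class Packet:
    ipid: int
    src: str
    sport: int                      # header shows ports in hex; stored in decimal
    dst: str
    dport: int
    proto: int                      # IP protocol number, 6 = TCP
    length: int
    session_id: Optional[int] = None
    nat: Optional[Tuple[str, str]] = None   # (before, after) from 'post addr xlation'
    egress_if: Optional[str] = None         # interface from 'packet send out ... through'
    fast_path: bool = False                 # 'transfer packet to hardware.'
    lines: List[str] = field(default_factory=list)  # raw body lines, for anything unparsed


def parse_dbuf(text: str) -> List[Packet]:
    packets: List[Packet] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append(Packet(
                ipid=int(m["ipid"], 16), src=m["src"], sport=int(m["sport"], 16),
                dst=m["dst"], dport=int(m["dport"], 16),
                proto=int(m["proto"]), length=int(m["length"])))
            continue
        if not packets:
            continue                # lines before the first header (e.g. a cut-off copy)
        pkt = packets[-1]
        pkt.lines.append(line)
        if (m := SESSION.match(line)):
            pkt.session_id = int(m[1])
        elif (m := XLATE.match(line)):
            pkt.nat = (m[1], m[2])
        elif (m := EGRESS.search(line)):
            pkt.egress_if = m[2]
        elif line == "transfer packet to hardware.":
            pkt.fast_path = True
    return packets


def by_session(packets: List[Packet]) -> Dict[Optional[int], List[Packet]]:
    """Group packets by flow session id (None = a header with no body, e.g. a cut-off buffer)."""
    groups: Dict[Optional[int], List[Packet]] = {}
    for p in packets:
        groups.setdefault(p.session_id, []).append(p)
    return groups


if __name__ == "__main__":
    for p in parse_dbuf(SAMPLE):
        print(f"ipid={p.ipid} {p.src}:{p.sport}->{p.dst}:{p.dport} proto={p.proto} "
              f"session={p.session_id} nat={p.nat} egress={p.egress_if} fast_path={p.fast_path}")
```

Grouping by session id is the quickest way to see whether the packets you filtered for were handled in one flow, NATed, and sent out of the interface you expected, or whether a trailing header with no body means the buffer was cut off and 'set dbuf size' needs raising.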

Understanding ‘ff’ (Flow Filter) statements ordering

The entries in a flow filter list are ORed: if a packet matches ANY one of the entries it is captured. Conditions given on a single 'set ff' line, by contrast, are ANDed within that one entry.

netscreen(M)-> get ff
Flow filter based on:
id:0 src ip 192.168.100.1
id:1 src ip 192.168.100.2
id:2 src ip 192.168.1.10
netscreen(M)->

So this set will match any IP packet with a source address of 192.168.100.1, 192.168.100.2 or 192.168.1.10. This mostly becomes a problem when you make the mistake of entering the address and the port as separate filters:

netscreen(M)-> set ff dst-ip 192.168.1.10
filter added
netscreen(M)-> set ff dst-port 80
filter added
netscreen(M)-> get ff
Flow filter based on:
id:0 dst ip 192.168.1.10
id:1 dst port 80
netscreen(M)->

This will show you every packet from any IP to port 80 PLUS every packet to 192.168.1.10.

The correct method

netscreen(M)-> set ff dst-ip 192.168.1.10 ?
dst-port flow filter dst port
ip-proto flow filter ip proto
src-port flow filter src port
netscreen(M)-> set ff dst-ip 192.168.1.10 dst-port 80
filter added
netscreen(M)->

This correctly matches only packets with a destination of 192.168.1.10 on port 80. Remember it captures one direction; add a second entry with src-ip/src-port swapped if you need the return traffic too.
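The AND-within-an-entry, OR-across-entries behaviour is worth modelling once, because the wrong form above does not fail, it just captures far too much. The following is an added example written for this note (not ScreenOS code); the FlowFilter class, the packet tuple and the three sample packets are made up for the illustration. It also renders the entries back into the 'set ff' lines you would type, including the return-direction entry.

```python
"""Model ScreenOS flow-filter matching: conditions on one 'set ff' line are ANDed,
separate entries in the filter list are ORed.

Added example for this note, not ScreenOS code. FlowFilter, Packet and the sample
packets are assumptions made up for the illustration.
"""
from dataclasses import dataclass
from typing import List, NamedTuple, Optional


class Packet(NamedTuple):
    src_ip: str
    dst_ip: str
    ip_proto: int
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class FlowFilter:
    """One 'set ff ...' entry; fields left as None are wildcards."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    ip_proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # every field that is set must match: AND within one entry
        return all(getattr(pkt, name) == want
                   for name, want in vars(self).items() if want is not None)

    def to_command(self) -> str:
        # keyword names follow 'set ff ?' on this page: src-ip, dst-ip, ip-proto, src-port, dst-port
        parts = [f"{name.replace('_', '-')} {want}"
                 for name, want in vars(self).items() if want is not None]
        return "set ff " + " ".join(parts)

    def reverse(self) -> "FlowFilter":
        """Entry for the return direction of the same conversation."""
        return FlowFilter(src_ip=self.dst_ip, dst_ip=self.src_ip, ip_proto=self.ip_proto,
                          src_port=self.dst_port, dst_port=self.src_port)


def captured(filters: List[FlowFilter], pkt: Packet) -> bool:
    """A packet is written to the debug buffer if ANY entry matches (OR across entries).
    With no filters at all, every packet is captured."""
    return not filters or any(f.matches(pkt) for f in filters)


def commands(filters: List[FlowFilter], both_directions: bool = False) -> List[str]:
    out: List[str] = []
    for f in filters:
        out.append(f.to_command())
        if both_directions:
            out.append(f.reverse().to_command())
    return out


# Constructed traffic: the wanted HTTP flow, an unrelated HTTP flow, and SSH to the same host.
WANTED = Packet("10.0.0.5", "192.168.1.10", 6, 40000, 80)
OTHER80 = Packet("10.0.0.5", "10.0.0.9", 6, 40001, 80)
SSH_HOST = Packet("10.0.0.5", "192.168.1.10", 6, 40002, 22)

# The mistake from the text: address and port as two separate entries.
WRONG = [FlowFilter(dst_ip="192.168.1.10"), FlowFilter(dst_port=80)]
# The correct form: both conditions on one entry.
RIGHT = [FlowFilter(dst_ip="192.168.1.10", dst_port=80)]

if __name__ == "__main__":
    for label, flt in (("wrong", WRONG), ("right", RIGHT)):
        print(label, commands(flt), [captured(flt, p) for p in (WANTED, OTHER80, SSH_HOST)])
    print(commands(RIGHT, both_directions=True))
```

Run against the three sample packets, WRONG captures all of them while RIGHT captures only the wanted one; on a busy firewall that difference is the whole debug buffer filling with other people's traffic.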

Virtual Systems

Remember that you cannot run debug commands from within a virtual system. You must be in the root vsys to run them.



To debug and obtain output for traffic flowing through the Netscreen, you need to run a few commands, shown below:

5gt-> unset ff
filter 0 removed
5gt-> undebug all
5gt-> clear db

5gt-> set ff dst-port 8080
filter added
5gt-> debug flow basic
5gt-> get db str

Below is what each command does:

  • unset ff = removes the first flow filter (id 0); run it once per entry that 'get ff' lists
  • undebug all = turns off all running debugs
  • clear db = clears the debug buffer
  • set ff dst-port 8080 = creates a flow filter matching destination port 8080
  • debug flow basic = turns on flow debugging at the basic level
  • get db str = shows the debug buffer stream (short for 'get dbuf stream')

Once you have your debug stream, remove the flow filter, turn the debug off and clear the debug buffer again so nothing is left running on the box.

You can also use the snoop packet capture feature as a troubleshooting tool, the how to guide can be found here





Example: you want to debug a connection from a client (192.168.110.20) to the internet (Google, 8.8.8.8).

From your client start a continuous ping to 8.8.8.8; now you can debug the traffic on your Juniper device.

SSH to your Juniper ('ffilter' is the long form of 'ff'):

ssh netscreen@192.168.110.1
320-node2(M)->
320-node2(M)-> undebug all
320-node2(M)-> get ffilter
320-node2(M)-> clear db

Create a new filter:

320-node2(M)-> set ffilter <RETURN>
# Available debug options:
dst-ip flow filter dst ip
dst-port flow filter dst port
ip-proto flow filter ip proto
src-ip flow filter src ip
src-port flow filter src port
320-node2(M)-> set ffilter src-ip 192.168.110.20 dst-ip 8.8.8.8
320-node2(M)-> debug flow basic

View the dump:

320-node2(M)-> get db stream


Debug Netscreen Juniper SSG

Debug is one of the unlisted (hidden) commands in Juniper ScreenOS. As usual, be aware that debugging on a firewall (or any other network device) can cause high CPU utilization depending on the traffic load, which can impact performance.

Debug IKE Phase 1:

debug ike all
debug ike basic
debug ike detail

Debug ldap auth server:

debug auth all

Netscreen puts the debug information in the dbuf. You can set the size of the buffer with "set dbuf size <number>", where <number> is in kilobytes and can range from 32 to 4096.

set dbuf size 512

View the debug output:

get dbuf stream

Clear the buffer (debug information):

clear dbuf

Send the debug buffer to your TFTP server for later analysis, or when there is too much output for the screen:

get dbuf stream > tftp 192.168.1.100 firewall.log

Disable debug:

undebug all

Check phase two status:

get sa active
get sa inactive
get sa stat

Basic debug scenario using filters based on source and destination:

set ff src-ip <x.x.x.x> dst-ip <y.y.y.y>
set ff src-ip <y.y.y.y> dst-ip <x.x.x.x>
clear db
!
! Initiate traffic over the VPN then type:
!
debug flow basic
!
! or
!
debug ike detail
!
! Wait for a few seconds then type:
!
undebug all
get db stream
unset ff
unset ff
!
! one unset ff per entry: each call removes only the filter with id 0
!

Informative troubleshooting commands:

get event
get event interface ?
get event src-ip <x.x.x.x> dst-ip <y.y.y.y>
get log | inc [interesting_key]
get log traffic policy [number] | inc [interesting_keyword]
