How to enable VPN (IKE/IPsec) traceoptions for only specific SAs (Security Associations)

This article provides a method to filter the IKE/IPsec traceoptions to aid in troubleshooting VPN issues. This is the Junos OS equivalent of the sa-filter command on ScreenOS devices.

Enabling IKE/IPsec traceoptions when working with multiple VPNs can impact troubleshooting efforts as follows:

  • Additional problems may be seen such as tunnel buildup latency
  • Increased logging activity in the log outputs makes it difficult to parse a specific VPN
  • High CPU usage due to increased logging activity

Using the method described below mitigates all three problems, because only the traffic of the selected tunnel is logged.

Use the per-tunnel debugging feature to collect logs for a particular tunnel, defined by local and remote gateway IPs.

Notes:

  • This feature is available on Junos OS Release 11.4R3 and higher versions, excluding 12.1R1-12.1R7.
  • On SRX high-end systems (SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800) use of per-tunnel debugging requires SPU-level command entry. Usage at the RE operational prompt will result in no data collection.

For branch SRX devices

1. Identify the local and remote IP addresses of the problematic tunnel.

2. Enable per-tunnel debugging, using the command

3. Attempt tunnel establishment, so that the logs are captured.

4. Disable per-tunnel debug:

5. Review logs written to

Note: If you have the ike traceoptions file configured, the logs will be written to the file specified there.
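The branch SRX procedure above as an added, annotated CLI session (this is not the article's own output). It assumes a tunnel between local gateway 192.0.2.1 and remote gateway 198.51.100.1 (both constructed addresses), that the operator is at the RE operational prompt, and that `level 15` is the most verbose debug level; lines beginning with `#` are annotations, not CLI input.

```junos
# Step 1: confirm the local/remote gateway pair of the problematic tunnel.
user@srx> show security ike security-associations

# Step 2: enable per-tunnel debugging for that gateway pair only.
#         Only IKE/IPsec events for this SA pair will be logged.
user@srx> request security ike debug-enable local 192.0.2.1 remote 198.51.100.1 level 15

# Verify that the filter is active before triggering the negotiation.
user@srx> show security ike debug-status

# Step 3: force a fresh negotiation so the filtered debug captures the full exchange.
#         Clearing the SA for the remote peer makes the tunnel re-establish.
user@srx> clear security ike security-associations 198.51.100.1

# Step 4: disable per-tunnel debugging as soon as the exchange is captured;
#         it does not expire on its own.
user@srx> request security ike debug-disable

# Step 5: review the captured events (kmd is the IKE key-management daemon log).
user@srx> show log kmd
```

Disabling the debug before reviewing the log is deliberate: the captured lines remain in the log file, and leaving the debug enabled on a production gateway is the same CPU and log-volume risk the article warns about, only scoped to one tunnel.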

For high-end SRX devices

Warning: Use of per-tunnel debugging for high-end devices involves accessing SPU-level commands. Care should be taken to follow the directions below exactly.

1. Identify the local and remote IP addresses of the problematic tunnel (for use in Step 6).

2. Identify the anchoring SPU (FPC # and PIC #) for the problematic IKE gateway.

Note: DEP (Dynamic Endpoint)-based tunnels randomly select an SPU at the time of incoming IKE establishment and are not reflected in the ‘tunnel-map’ output.

3. Open up a shell as the root user:

4. Run tnpdump to find the TNP address for the physical SPU that was found in Step 2. In this excerpt, it is assumed that node0 is primary for RG1.

5. Telnet to the SPU found in Step 2:

6. Run MGD and then CLI:

7. Enable per-tunnel debugging:

8. Attempt tunnel establishment, so that the debugs are captured.

9. Disable per-tunnel debug:

10. Log out of SPU and shell:

11. Review logs written to
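The high-end SRX procedure above as an added, annotated session (not the article's own excerpt). It assumes the same constructed gateway pair (local 192.0.2.1, remote 198.51.100.1), that `show security ike tunnel-map` is the command used to find the anchoring FPC/PIC, and that the SPU's TNP address is taken from the `tnpdump` output; `<spu-tnp-address>` is a placeholder for that value, since the page does not show the excerpt. Lines beginning with `#` are annotations.

```junos
# Step 2: find which SPU (FPC/PIC) anchors the IKE gateway for this peer.
#         (Not applicable to DEP tunnels, which pick an SPU at negotiation time.)
user@srx> show security ike tunnel-map

# Step 3: drop to a root shell on the RE.
user@srx> start shell user root

# Step 4: list TNP addresses and match the FPC/PIC found in Step 2.
root@srx% tnpdump

# Step 5: connect to that SPU (address placeholder taken from the tnpdump line above).
root@srx% telnet <spu-tnp-address>

# Step 6: start the management daemon on the SPU, then its CLI.
# (The RE-level CLI would accept the same commands but collect no data.)
root@spu% mgd
root@spu% cli

# Step 7: enable debugging for the one gateway pair, scoped to this SPU.
root@spu> request security ike debug-enable local 192.0.2.1 remote 198.51.100.1 level 15
root@spu> show security ike debug-status

# Step 8: trigger the negotiation from the RE or the peer, then capture completes.

# Step 9: disable the debug on the SPU where it was enabled.
root@spu> request security ike debug-disable

# Step 10: leave the SPU CLI, the SPU shell, and the RE shell, in that order.
root@spu> exit
root@spu% exit
root@srx% exit

# Step 11: review the captured events from the RE.
user@srx> show log kmd
```

The point of the warning in the article is visible here: the debug is enabled and disabled in the same SPU context, so forgetting the exit sequence (or running the enable/disable pair on different SPUs) leaves a debug filter running on a packet-forwarding CPU with no indication at the RE prompt.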

Checking the debug status

You can determine the debug status with the command

Example:

For high-end SRX devices, use the command while logged into the SPU.

About the author

Prasanna
