This article provides a method to filter the IKE/IPsec traceoptions to aid in troubleshooting VPN issues. This is the Junos OS equivalent of the sa-filter command on ScreenOS devices.
Enabling IKE/IPsec traceoptions globally on a device that terminates multiple VPNs can hinder troubleshooting in the following ways:
- Additional problems may appear, such as latency in tunnel establishment
- The increased volume of log output makes it difficult to isolate a specific VPN
- CPU usage rises because of the increased logging activity
The per-tunnel method described below avoids these issues.
Use the per-tunnel debugging feature to collect logs for a particular tunnel, defined by local and remote gateway IPs.
Notes:
- This feature is available on Junos OS Release 11.4R3 and higher versions, excluding 12.1R1-12.1R7.
- On SRX high-end systems (SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800), per-tunnel debugging must be enabled from the SPU-level CLI. Entering the command at the RE operational prompt results in no data being collected.
For branch SRX devices
1. Identify the local and remote IP addresses of the problematic tunnel.
2. Enable per-tunnel debugging with the command request security ike debug-enable local <local-ip> remote <remote-ip>. For example:
root@srx-branch> request security ike debug-enable local 1.1.1.1 remote 2.2.2.2
3. Attempt tunnel establishment, so that the logs are captured.
4. Disable per-tunnel debugging:
root@srx-branch> request security ike debug-disable
5. Review the logs written to /var/log/kmd:
root@srx-branch> show log kmd
Note: If an ike traceoptions file is configured, the logs are written to the file specified there instead.
For high-end SRX devices
Warning: Use of per-tunnel debugging for high-end devices involves accessing SPU-level commands. Care should be taken to follow the directions below exactly.
1. Identify the local and remote IP addresses of the problematic tunnel (for use in Step 7).
2. Identify the anchoring SPU (FPC # and PIC #) for the problematic IKE gateway.
Note: DEP (Dynamic Endpoint)-based tunnels are assigned an SPU at random when the incoming IKE negotiation arrives and therefore do not appear in the 'tunnel-map' output.
user@srx5800> show security ike tunnel-map
node0:
--------------------------------------------------------------------------
Gateway ID   Gateway Name   FPC   PIC   IKED Instance
2            gw_to_peer1    4     0     1
3. Open a shell as the root user:
user@srx5800> start shell user root
Password: <enter the root password>
4. Run tnpdump to find the TNP address of the physical SPU identified in Step 2. In this excerpt, node0 is assumed to be primary for RG1.
root@srx5800% tnpdump
Name               TNPaddr     MAC address         IF    MTU   E  H  R
cluster5.node0     0x1500001   02:00:00:01:00:04   em0   1500  3  0  3
node0.fpc3         0x1500013   02:00:00:01:00:13   em0   1500  5  0  3
node0.fpc4         0x1500014   02:00:00:01:00:14   em0   1500  4  0  3
node0.fpc5         0x1500015   02:00:00:01:00:15   em0   1500  4  0  3
node0.fpc3.pic0    0x1500113   02:00:00:01:01:13   em0   1500  3  0  3
node0.fpc4.pic0    0x1500114   02:00:00:01:01:14   em0   1500  3  0  3
node0.fpc3.pic1    0x1500213   02:00:00:01:02:13   em0   1500  2  0  3
node0.fpc4.pic1    0x1500214   02:00:00:01:02:14   em0   1500  2  0  3
cluster5.node1     0x2500001   02:00:00:02:00:04   em0   1500  0  0  3
cluster5.node1     0x2500001   02:00:01:02:00:04   em1   1500  0  1  3
node1.re0          0x2500004   02:00:00:02:00:04   em0   1500  0  0  3
node1.re0          0x2500004   02:00:01:02:00:04   em1   1500  0  1  3
node1.fpc3         0x2500013   02:00:00:02:00:13   em0   1500  4  0  3
node1.fpc4         0x2500014   02:00:00:02:00:14   em0   1500  5  0  3
node1.fpc5         0x2500015   02:00:00:02:00:15   em0   1500  4  0  3
node1.fpc11        0x250001b   02:00:00:02:00:1b   em0   1500  5  0  3
node1.fpc3.pic0    0x2500113   02:00:01:02:01:13   em1   1500  2  0  3
node1.fpc4.pic0    0x2500114   02:00:00:02:01:14   em0   1500  3  0  3
node1.fpc3.pic1    0x2500213   02:00:00:02:02:13   em0   1500  3  0  3
node1.fpc4.pic1    0x2500214   02:00:01:02:02:14   em1   1500  2  0  3
cluster5.master    0xf500001   02:00:00:01:00:04   em0   1500  3  0  3
bcast              0xffffffff  ff:ff:ff:ff:ff:ff   em0   1500  0  0  3
bcast              0xffffffff  ff:ff:ff:ff:ff:ff   em1   1500  0  1  3
5. Telnet to the SPU found in Step 2 (user name root, empty password), then run 'mgd' in the SPU shell:
telnet -Ji <tnp-address of SPU>
root@SRX5800% telnet -Ji 0x1500114
Trying 129.80.1.120...
Connected to 0x1500114.
Escape character is '^]'.

SPC4_PIC0 (ttyp0)

login: root
root@SPC7_PIC0%
6. Run MGD and then the CLI:
root@SPC4_PIC0% mgd
root@SPC4_PIC0% cli
root@SPC4_PIC0>
7. Enable per-tunnel debugging with request security ike debug-enable local <local-ip> remote <remote-ip>. For example:
root@SPC4_PIC0> request security ike debug-enable local 2.2.2.2 remote 1.1.1.1
KMD instance kmd2:
--------------------------------------------------------------------------
KMD instance kmd1:
--------------------------------------------------------------------------
root@SPC4_PIC0>
8. Attempt tunnel establishment, so that the debug output is captured.
9. Disable per-tunnel debugging with request security ike debug-disable:
root@SPC4_PIC0> request security ike debug-disable
KMD instance kmd2:
--------------------------------------------------------------------------
KMD instance kmd1:
--------------------------------------------------------------------------
10. Log out of the SPU CLI, the SPU shell, and the RE shell:
root@SPC4_PIC0> exit
root@SPC4_PIC0% exit
logout
root@srx5800% exit
11. Review the logs written to /var/log/kmd:
root@srx5800> show log kmd
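The lookup in Steps 2, 4 and 5 (gateway name to anchoring FPC/PIC, then FPC/PIC to TNP address) is easy to get wrong when many SPUs are listed. As an added example that is not part of this article, the following Python script performs that lookup from captured 'show security ike tunnel-map' and 'tnpdump' output; the sample text is taken from the outputs shown above, and the function names are the example's own.

```python
import re

# Sample outputs, copied from the article (node0 is primary for RG1).
TUNNEL_MAP = """\
node0:
--------------------------------------------------------------------------
Gateway ID   Gateway Name   FPC   PIC   IKED Instance
2            gw_to_peer1    4     0     1
"""

TNPDUMP = """\
Name             TNPaddr    MAC address        IF   MTU  E H R
cluster5.node0   0x1500001  02:00:00:01:00:04  em0  1500 3 0 3
node0.fpc4       0x1500014  02:00:00:01:00:14  em0  1500 4 0 3
node0.fpc4.pic0  0x1500114  02:00:00:01:01:14  em0  1500 3 0 3
node0.fpc4.pic1  0x1500214  02:00:00:01:02:14  em0  1500 2 0 3
node1.fpc4.pic0  0x2500114  02:00:00:02:01:14  em0  1500 3 0 3
"""

# tunnel-map data row: <gateway-id> <gateway-name> <fpc> <pic> <iked-instance>
_TUNNEL_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# tnpdump data row: <name> <tnp-addr> ...; header and dashes do not match
_TNP_ROW = re.compile(r"^\s*(\S+)\s+(0x[0-9a-fA-F]+)\s")


def anchoring_spu(tunnel_map, gateway_name):
    """Return (fpc, pic) of the SPU anchoring the named IKE gateway (Step 2)."""
    for line in tunnel_map.splitlines():
        m = _TUNNEL_ROW.match(line)
        if m and m.group(2) == gateway_name:
            return int(m.group(3)), int(m.group(4))
    # DEP tunnels choose an SPU per negotiation and never appear in tunnel-map
    raise LookupError(f"gateway {gateway_name!r} not in tunnel-map output")


def tnp_address(tnpdump, node, fpc, pic):
    """Return the TNPaddr of node<N>.fpc<F>.pic<P> as printed by tnpdump (Step 4)."""
    wanted = f"node{node}.fpc{fpc}.pic{pic}"
    for line in tnpdump.splitlines():
        m = _TNP_ROW.match(line)
        if m and m.group(1) == wanted:
            return m.group(2)
    raise LookupError(f"{wanted} not present in tnpdump output")


def spu_telnet_command(tunnel_map, tnpdump, gateway_name, node=0):
    """Chain both lookups into the telnet -Ji command used in Step 5."""
    fpc, pic = anchoring_spu(tunnel_map, gateway_name)
    return f"telnet -Ji {tnp_address(tnpdump, node, fpc, pic)}"


if __name__ == "__main__":
    print(spu_telnet_command(TUNNEL_MAP, TNPDUMP, "gw_to_peer1"))  # telnet -Ji 0x1500114
```

Pass node=1 when node1 is the primary node for the redundancy group; a DEP gateway raises LookupError because it is absent from tunnel-map, as the note in Step 2 explains.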
Checking the debug status
You can determine the debug status with the command show security ike debug-status. Example:
root> show security ike debug-status
Enabled flag: all level: 7
Local IP: 1.1.1.1, Remote IP: 2.2.2.2
On high-end SRX devices, run the command while logged in to the SPU.