Sunday 17 February 2013

How to troubleshoot traffic flowing through your SRX

I have been managing two SRX clusters for the past 2 years.
I am so happy I have bought these devices; they are so reliable, so feature rich, flexible and great fun to set up. Another very important point is: Juniper's support is amazingly good.

One of the great options built into the Juniper SRX is the ability to monitor traffic coming IN and going OUT of your device; one very handy debugging tool is 'traceoptions'.

If you have a problem with communication (hosts not able to communicate with one another, a VPN which is not routing through the correct interface, NAT not happening and you are not sure why), you can set up 'traceoptions': it will capture the traffic as it traverses your firewall and help you pinpoint the problem.

I was setting up an IPsec VPN to another location, and it was not working. The traffic was not going through the tunnel. I was really getting nowhere and not making any progress with the configuration.
Then I read about 'traceoptions', and once I understood it and set it up, I could easily figure out what was going on. The traffic intended to go through the tunnel and be routed to the st0 interface was going through the reth3 interface.

I am going to show you how to set up a simple traceoptions monitor to help you troubleshoot many communication problems.

The way I approach it is: I first identify the IPs of the source and destination hosts you are having trouble with.
In my case, my private source IP is 192.168.1.5 and my destination public IP is 8.8.8.8.

How to set up traceoptions for isolating traffic problems
admin@srx100-01# set security flow traceoptions file flow-trace
admin@srx100-01# set security flow traceoptions flag basic-datapath
admin@srx100-01# set security flow traceoptions packet-filter f0 source-prefix 192.168.1.5/32
admin@srx100-01# set security flow traceoptions packet-filter f0 destination-prefix 8.8.8.8/32
admin@srx100-01# show security flow traceoptions (this shows the traceoptions stanza in the candidate configuration)
admin@srx100-01# show | compare (this command displays the lines which will be added to your config)
admin@srx100-01# commit and-quit (this commits the changes and exits configuration mode, one level back, to operational mode)
admin@srx100-01> show configuration security flow
admin@srx100-01> show log flow-trace
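Once the trace is committed, 'show log flow-trace' prints a block of lines for every packet that hit the f0 filter, including the routing decision (ingress interface, egress interface, next hop). The following Python helper is an added example, not from the post or from Juniper: it parses constructed sample lines modelled on the basic-datapath trace format (the "matched filter" and "routed ... from ZONE (IFL in 0) to IFL, Next-hop:" lines) and flags every flow that left via an interface other than the expected st0.0, which is exactly the reth3-instead-of-st0 problem described above.

```python
import re

# Constructed sample trace, modelled on SRX basic-datapath output; it is not
# copied from the author's device. Each filter hit starts with a 5-tuple
# "<src/port->dst/port;proto> matched filter NAME:" line and is followed by a
# "routed (x_dst_ip X) from ZONE (IN_IFL in 0) to OUT_IFL, Next-hop: NH" line.
SAMPLE_TRACE = """\
Feb 17 10:01:02 10:01:02.100001:CID-1:RT:<192.168.1.5/40001->8.8.8.8/53;17> matched filter f0:
Feb 17 10:01:02 10:01:02.100002:CID-1:RT:packet [84] ipid = 1234, @0x4a1b
Feb 17 10:01:02 10:01:02.100003:CID-1:RT: flow process pak fast ifl 70 in_ifp reth0.0
Feb 17 10:01:02 10:01:02.100004:CID-1:RT:  routed (x_dst_ip 8.8.8.8) from trust (reth0.0 in 0) to reth3.0, Next-hop: 203.0.113.1
Feb 17 10:01:02 10:01:02.100005:CID-1:RT:  policy search from zone trust-> zone untrust
Feb 17 10:01:03 10:01:03.200001:CID-1:RT:<192.168.1.5/40002->8.8.8.8/443;6> matched filter f0:
Feb 17 10:01:03 10:01:03.200002:CID-1:RT:  routed (x_dst_ip 8.8.8.8) from trust (reth0.0 in 0) to st0.0, Next-hop: 8.8.8.8
"""

FLOW_RE = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)>"
    r" matched filter (?P<filt>\S+)")
ROUTE_RE = re.compile(
    r"routed \(x_dst_ip (?P<xdst>[\d.]+)\) from (?P<zone>\S+) \((?P<in_ifl>\S+) in \d+\)"
    r" to (?P<out_ifl>\S+), Next-hop: (?P<nh>[\d.]+)")

def parse_flow_trace(text):
    """Return one dict per filter-matched packet: its 5-tuple plus the routing decision."""
    flows, current = [], None
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:  # a new packet hit the packet-filter; start a new record
            current = m.groupdict()
            current.update(in_ifl=None, out_ifl=None, next_hop=None)
            flows.append(current)
            continue
        m = ROUTE_RE.search(line)
        if m and current is not None:  # attach the route lookup to the current packet
            current.update(in_ifl=m["in_ifl"], out_ifl=m["out_ifl"], next_hop=m["nh"])
    return flows

def misrouted(flows, expected_out_ifl):
    """Flows that did not leave via the interface you expected (e.g. the VPN's st0.0)."""
    return [f for f in flows if f["out_ifl"] != expected_out_ifl]

if __name__ == "__main__":
    for f in misrouted(parse_flow_trace(SAMPLE_TRACE), "st0.0"):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto {f['proto']} "
              f"left via {f['out_ifl']} (next-hop {f['next_hop']}), expected st0.0")
```

On a real box, feed it the output of 'show log flow-trace' (or the file under /var/log) instead of the constructed sample.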

Don't forget to delete the 'traceoptions' once you have identified and solved the problem.
Deleting is very easy: all you have to do is replace the word 'set' with 'delete', see below:

How to delete traceoptions from your SRX

admin@srx100-01# delete security flow traceoptions file flow-trace
admin@srx100-01# delete security flow traceoptions flag basic-datapath
admin@srx100-01# delete security flow traceoptions packet-filter f0 source-prefix 192.168.1.5/32
admin@srx100-01# delete security flow traceoptions packet-filter f0 destination-prefix 8.8.8.8/32
admin@srx100-01# commit

That is it, folks. I hope this will help you troubleshoot your next problems.

By Renato Oliveira

1 comment:

  1. Fine, but set up an extra filter too, f1, with source and dest. reversed, to see how the packet travels back....
    Juniper is a funny device; to find the real cause of the issue!
