Juniper ScreenOS troubleshooting

Traffic flow debugging

This is the most common way that I have set up debugs to determine what is happening to the traffic:

set ff src-ip [source ip] dst-ip [dest ip]
clear dbuf
debug flow basic
get db stream

The first line (set ff…) is optional, but it is very useful for limiting the debug to just the traffic you are interested in. Also, when running the last command (get db stream), it is useful to pipe the output and filter it with the include or exclude keywords.

VPN specific commands:

Use this command to check phase 1 associations and status:

get ike cookie

Use this command to check the status of the Security Associations:

get sa

**Note** Using PuTTY with a NetScreen device can be very frustrating when you try to correct typing mistakes. With the default configuration, you cannot backspace over any characters you have entered. To work around this, either use Shift+Backspace, or in the PuTTY settings under Keyboard, change the “Backspace Key” from “Control-?” to “Control-H.”
