Troubleshooting a @JuniperNetworks SRX Flow

How I troubleshoot on an SRX

  1. Prerequisite: Log Everything!
  2. Look for logs
    1. If you see denied logs, the SRX is not allowing the flow.
      1. Check the policy configuration:
        1. Make sure this traffic is hitting the correct policy
        2. Change the policy or reorder policies to allow the traffic
    2. If you see permitted logs, the SRX is allowing the flow.
      1. Log into the device to verify traffic flow through the device. (step 3)
    3. If you don’t see any logs, the SRX may not see the traffic.
      1. Log into the device and perform a datapath-debug and packet capture
  3. Look for sessions
    1. ‘show security flow session’
      1. If there is bidirectional traffic incrementing:
        1. The SRX is passing traffic both ways.
        2. This may not mean the SRX is good, however.
          1. Check tcp-mss
          2. Check ALGs
          3. Check NAT
      2. If there is unidirectional traffic incrementing:
        1. Set up a “flow trace”
        2. The SRX may be dropping traffic due to an asymmetrical routing situation.
        3. The egress network may not be getting the packet to the destination
        4. The egress network may not be returning the reply from the destination
        5. The destination host may have a bad route
          1. A static default route on a server may point out of a spare (unused) interface
          2. No or invalid routes on servers would prevent traffic from returning.
      3. If no session exists and you aren’t seeing logs:
        1. Set up a “datapath-debug” and packet capture.
        2. Set up a stateless firewall filter to count incoming packets
        3. The SRX may not be seeing the ingress traffic
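
The decision tree above can be made mechanical. The following Python script is an added example written for this post (not part of the original, and not a Juniper tool): it applies step 2 to a handful of RT_FLOW syslog lines and step 3 to two snapshots of 'show security flow session', reporting whether a flow is denied, permitted or unseen, and whether a session's packet counters are incrementing in both directions or only one. The log lines and session snapshots are constructed samples modeled on the SRX structured-syslog and CLI formats; the exact field names and layout are an assumption, so check them against real output from your own box.

```python
import re

# Constructed sample syslog lines (not captured from a real device), modeled on
# the SRX structured-data RT_FLOW events; real lines carry many more fields.
SAMPLE_LOGS = [
    'RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="2.2.2.2" '
    'source-port="40000" destination-address="1.1.1.1" destination-port="80" '
    'protocol-id="6" policy-name="default-deny" source-zone-name="untrust" '
    'destination-zone-name="trust"]',
    'RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.0.0.5" '
    'source-port="51000" destination-address="1.1.1.1" destination-port="443" '
    'protocol-id="6" policy-name="allow-web" source-zone-name="trust" '
    'destination-zone-name="dmz"]',
]

# Two constructed snapshots of 'show security flow session', a few seconds apart.
SESSIONS_T0 = """\
Session ID: 1001, Policy name: allow-web/4, Timeout: 1790, Valid
  In: 10.0.0.5/51000 --> 1.1.1.1/443;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3, Bytes: 180,
  Out: 1.1.1.1/443 --> 10.0.0.5/51000;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2, Bytes: 120,
Session ID: 1002, Policy name: allow-web/4, Timeout: 10, Valid
  In: 10.0.0.6/52000 --> 1.1.1.1/443;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 1.1.1.1/443 --> 10.0.0.6/52000;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,
Total sessions: 2
"""
# Second snapshot: session 1001 moved packets both ways, 1002 only inbound.
SESSIONS_T1 = (SESSIONS_T0
               .replace("Pkts: 3, Bytes: 180", "Pkts: 8, Bytes: 480")
               .replace("Pkts: 2, Bytes: 120", "Pkts: 6, Bytes: 360")
               .replace("Pkts: 1, Bytes: 60", "Pkts: 4, Bytes: 240"))

LOG_RE = re.compile(r"(RT_FLOW_SESSION_(?:DENY|CREATE|CLOSE)) \[junos@\S+ (.*)\]")
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_log(line):
    """Return the event name plus key/value fields of one RT_FLOW line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(2)))
    fields["event"] = m.group(1)
    return fields


def triage_logs(lines, src, dst, dport):
    """Step 2: does the SRX log this flow as denied, permitted, or not at all?"""
    hits = [f for f in map(parse_log, lines) if f
            and (f.get("source-address"), f.get("destination-address"),
                 f.get("destination-port")) == (src, dst, str(dport))]
    denies = [f for f in hits if f["event"] == "RT_FLOW_SESSION_DENY"]
    if denies:
        return "denied", "check policy %s and adjust or reorder it" % denies[0]["policy-name"]
    if hits:
        return "permitted", "verify with 'show security flow session' (step 3)"
    return "no-logs", "set up datapath-debug and a packet capture"


SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+),")
WING_RE = re.compile(r"\s*(In|Out): (\S+) --> (\S+);(\w+),.*?Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Parse 'show security flow session' into {session_id: {policy, in, out}}."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"policy": m.group(2), "in": None, "out": None}
            sessions[int(m.group(1))] = current
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            current[w.group(1).lower()] = {
                "src": w.group(2), "dst": w.group(3), "proto": w.group(4),
                "pkts": int(w.group(5)), "bytes": int(w.group(6))}
    return sessions


def _incrementing(before, after, wing):
    """True when the wing's packet counter rose between the two snapshots."""
    now = after.get(wing)
    if now is None:
        return False
    prev = before.get(wing) if before else None
    return now["pkts"] > (prev["pkts"] if prev else 0)


def classify_sessions(before, after):
    """Step 3: per session, are packets incrementing in both directions or one?"""
    verdicts = {}
    for sid, s in after.items():
        prev = before.get(sid)
        in_up, out_up = _incrementing(prev, s, "in"), _incrementing(prev, s, "out")
        if in_up and out_up:
            verdicts[sid] = "bidirectional"   # still check tcp-mss, ALGs, NAT
        elif in_up or out_up:
            verdicts[sid] = "unidirectional"  # suspect asymmetric routing or return path
        else:
            verdicts[sid] = "idle"
    return verdicts


if __name__ == "__main__":
    print(triage_logs(SAMPLE_LOGS, "2.2.2.2", "1.1.1.1", 80))
    print(classify_sessions(parse_sessions(SESSIONS_T0), parse_sessions(SESSIONS_T1)))
```

Taking two snapshots rather than one is the point: a session with a non-zero Out counter tells you the reply path worked at some time, but only a counter that is still rising tells you it works now, which is what "incrementing" in step 3 means.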

Setting up a flow trace

set security flow traceoptions file flow-trace
set security flow traceoptions file size 5m
set security flow traceoptions file files 10
set security flow traceoptions file world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter inbound source-prefix 2.2.2.2/32
set security flow traceoptions packet-filter inbound destination-prefix 1.1.1.1/32
set security flow traceoptions packet-filter inbound destination-port 80
set security flow traceoptions packet-filter outbound source-prefix 1.1.1.1/32
set security flow traceoptions packet-filter outbound destination-prefix 2.2.2.2/32
set security flow traceoptions packet-filter outbound source-port 80
deactivate security flow traceoptions

Setting up a datapath debug

set security datapath-debug traceoptions file datapath-trace
set security datapath-debug traceoptions file size 5m
set security datapath-debug traceoptions file files 10
set security datapath-debug traceoptions file world-readable
set security datapath-debug capture-file datapath-packet-dump
set security datapath-debug capture-file format pcap
set security datapath-debug maximum-capture-size 1500
set security datapath-debug action-profile custom-profile preserve-trace-order
set security datapath-debug action-profile custom-profile record-pic-history
set security datapath-debug action-profile custom-profile event np-ingress count
set security datapath-debug action-profile custom-profile event np-egress count
set security datapath-debug action-profile custom-profile event np-egress packet-summary
set security datapath-debug action-profile custom-profile event jexec trace
set security datapath-debug action-profile custom-profile event lbt packet-dump
set security datapath-debug action-profile custom-profile event pot packet-summary
set security datapath-debug action-profile custom-profile module flow flag all
set security datapath-debug packet-filter inbound action-profile custom-profile
set security datapath-debug packet-filter inbound source-prefix 172.20.32.129/32
set security datapath-debug packet-filter inbound destination-prefix 172.20.66.50/32
set security datapath-debug packet-filter outbound action-profile custom-profile
set security datapath-debug packet-filter outbound source-prefix 172.20.66.50/32
set security datapath-debug packet-filter outbound destination-prefix 172.20.32.129/32
deactivate security datapath-debug
