DDOS_PROTOCOL_VIOLATION_SET warning
All of a sudden things may start go wrong in your juniper switches and when you examine the logs you see the followings;
Category: troubleshooting
Wonderful tool traceroute monitor
There is one traceroute option which you might not have noticed so far: It is the monitor. I use this option during packet drop issues from time to time to see if there is any hop on the path which might be causing some drop or latency. It is extremely handy and you can also
Read More »
flow trace without commit
On SRX, there is now a handy feature introduced in 12.1X46-D10. You can enable flow trace without going into configuration on the operational mode. I believe this will make troubleshooting easier as it saves time if you need to try different flow filters. Here is how you can enable a sample ICMP flow trace for
Read More »
JNCIE-SEC: Traceoptions & IPSEC troubleshooting
In IPSEC topic, I am continuing with traceoptions and troubleshooting section. In this post, I will try to explain how I troubleshoot IPSEC VPNs mostly initial setup. IPsec VPNs Implementation of IPsec VPNs Multipoint tunnels Policy and route-based VPNs Traceoptions Dual and backup tunnels On-demand tunnels DRP over a tunnel Dynamic VPNs Certificate-based VPNs PKI
Read More »
Packet mode and host-inbound traffic
Did you know that if you enable packet-mode in traffic interface of an SRX box, host inbound traffic isn’t allowed anymore? Device can still process transit traffic but inbound traffic won’t work. For example, apply a filter like below to an interface and try to SSH to IP 98.1.1.1, you shouldn’t be allowed. #show interfaces
Read More »
How to take packet capture in SRX
I wasn’t planning to put my notes about packet capture here today but I have got an issue with my ESX server file upload component. I kept receiving “I/O Error” during a file upload to datastore directly or big (e.g 1-2 GB) ova file deployments. I took several captures with no positive result in the
Read More »
Packet debug in SRX
If you want to debug a packet flow you can use the following config by which testdebug.log file will contain icmp traffic debugs. [edit security flow] root@host# show traceoptions { file testdebug.log; flag basic-datapath; packet-filter look-icmp { protocol icmp; } }
You must be logged in to post a comment.