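I. Flow troubleshooting
After configuration is complete, if business traffic behaves abnormally or does not pass at all, the following methods can be used to troubleshoot.
1. Capture packets on an interface to view live traffic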
SRX> monitor traffic interface ge-0/0/0.0 no-resolve
2. Flow debug
set security flow traceoptions file flowlog # write trace output to a file named flowlog
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter to0 source-prefix 192.168.1.61/32
set security flow traceoptions packet-filter to0 destination-prefix 192.168.0.12/32
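# The two lines above define a packet-filter that records debug information for traffic from source 192.168.1.61 to destination 192.168.0.12 in the flowlog file
SRX> show log flowlog # view the contents of the flowlog file
SRX> clear log flowlog # clear the contents of the flowlog file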
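The packet-filter above matches only the 192.168.1.61 to 192.168.0.12 direction. As an added example (not from the original post), the following sketch also traces the return direction, caps the trace file, and removes the trace afterwards; the filter name from0 and the size/files values are assumptions chosen for illustration.

```junos
# Configuration mode. Cap the trace file so a busy flow cannot fill the log
# directory (size and files values are assumed; adjust to the device).
set security flow traceoptions file flowlog size 1m files 3
set security flow traceoptions flag basic-datapath
# Forward direction, as on the page. Criteria inside one filter are ANDed.
set security flow traceoptions packet-filter to0 source-prefix 192.168.1.61/32
set security flow traceoptions packet-filter to0 destination-prefix 192.168.0.12/32
# Return direction (assumed filter name from0). Separate filters are ORed.
# If source NAT applies, the reply is addressed to the translated address,
# so use that address as the destination-prefix instead.
set security flow traceoptions packet-filter from0 source-prefix 192.168.0.12/32
set security flow traceoptions packet-filter from0 destination-prefix 192.168.1.61/32
commit

# Operational mode: reproduce the problem, then read and clear the trace.
SRX> show log flowlog
SRX> clear log flowlog

# Configuration mode: remove the trace once the capture is done, since
# flow tracing adds load and keeps writing packet details to disk.
delete security flow traceoptions
commit
```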
3. Other useful commands
show security flow session summary
show security flow session destination-prefix
show security flow session session-identifier
show interface extensive
4. IPsec VPN troubleshooting
Common commands
show security ike security-association
show security ike security-association index detail
show security ike stats sa (hidden command; must be typed in full)
show security ike stats sa index (hidden command; must be typed in full)
show security ike memory-usage (hidden command; must be typed in full)
show security ipsec security-association
show security ipsec security-association index detail
show security flow session tunnel
monitor interface st0.x
show security ipsec statistics
show security ipsec next-hop-tunnels
Related logs:
show log messages
show log kmd
Enable debug:
edit security ike traceoptions
set file ike-debug
set flag all
edit security ipsec traceoptions
set flag all
5. Viewing log files
SRX> file list /cf/var/log
View the contents of a log file
6. Collecting RSI and log information
Juniper: common troubleshooting methods and log collection