Monday, January 5, 2009

Debugging traffic flow in netscreens

I use Juniper Netscreen (5GT and SSG5) to maintain the intersite VPNs in my company, and to function as firewalls. I was having an FTP issue today, which I suspect is caused by the firewall, so I wanted to see what was going on.

If you work on several pieces of equipment that are similar in function and interface, you might get confused, or your brain takes a shortcut, and you end up doing something silly, like typing "ls" at a Windows command line. The same thing happens to me with routers sometimes, so I logged into my netscreen, typed "debug" and hit question mark, because I wasn't sure of the argument list. The list of arguments came up, and I started scrolling through it, looking for likely candidates. Around this time it hit me: "There is no debug statement in ScreenOS". I quit out and just hit "?", which should give me a list of all available commands. Sure enough, it wasn't listed there:

alpha:ns1(M)-> ?
clear          clear dynamic system info
delete         delete persistent info in flash
exec           exec system commands
exit           exit command console
get            get system information
ping           ping other host
reset          reset system
save           save command
set            configure system parameters
trace-route    trace route
unset          unconfigure system parameters

Well...huh. So I googled it. It turns out that there is a debug command; it is just not generally documented (which is why it does not appear in the "?" listing), and it can do what I'm looking for. I found a blog entry on Geek2Live that seemed to hold the general ideas of what I wanted, and it even included a nifty mindmap to explain it.

If you're interested in this sort of thing, you might enjoy this list of hidden ScreenOS commands and the Juniper knowledge base article on capturing debug flow information.