Troubleshooting Juniper Netscreen VPNS

The Juniper debugging utility is a very useful tool when faced with troubleshooting VPN connectivity through a firewall. But how do get that useful information to the console?
Well the first thing to keep in mind is that the output of the debug will be sent to either to the console or to a buffer. Normally , the debugging messages go to the buffer, rather than to the console. When debug messages are sent to the console, it is resource intensive, and can produce performance problems if too much debugging information is sent to the console. To be on the safe side its best to send the data to a buffer called dbuf.

This is how I would configure a basic debugging filter to provide traffic sourced from a host with the ip address of and output to the console.

NetLab-SSG20-> set console dbuf

NetLab-SSG20-> set ffilter src-ip
set ffilter src-ip
NetLab-SSG20-> debug flow basic
NetLab-SSG20-> get dbuf stream


This filter can be used for any traffic type. Below are some useful troubleshooting commands for when a VPN is not working correctly.

Used when the VPN is not being established

debug flow basic
Used when traffic is not passing through the firewall
Used to investigate vpn monitor failures
Good to confirm packets are being sent/received

get sa-filter
get ffliter = flow filter
get debug

get event – check vpn monitor messages and negotiation failures.
get route – check the route to the tunnel interface.
get int – check status of tunnel interface.

get ike cookie – used to confirm P1 SA’s
get sa – used to confirm P2 SA’s
get sa
 active – used to check tunnels that are in “Active”

get sa id 0x – get more detailed information about the SA

get sa stat – shows statistics for each SA

clear ike – used to force both P1 and P2 renegotiations, causes a complete tear down of the tunnel.

clear sa 0x – causes tear down of the P2 only.



set sa-fil <ip> – filter for debug ike
debug ike detail
debug auth all – for authentication if being used

set console dbuf
set ff src-ip <ipaddrA> dst-ip <ip-addrB> 
ip address of outermost ip header coming into the firewall
set ff src-ip <ipaddrB> dst-ip <ip-addrA> ip address of outermost ip header coming into the firewall
debug flow basic
clear db

<perform problematic activity>
undebug all
get db stream
get session src-ip
get session dst-ip
get counter stat

Reference: – How to Analyze IKE Phase 1 Messages in the Event Logs
Reference: – How to Analyze IKE Phase 2 Messages in the Event Logs
Share and Enjoy:
  • Facebook
  • Google Bookmarks
  • Digg
  • email
  • LinkedIn
  • Live

Leave a Reply