[j-nsp] SSG Issue
Mark Kamichoff
prox at prolixium.com
Mon Oct 6 21:26:44 EDT 2008
On Mon, Oct 06, 2008 at 01:23:02PM -0400, Stefan Fouant wrote:
> Can you issue the following:
>
> debug flow basic
> set ffilter ip 10.1.2.6
> clear dbuf
> clear sessions

Be careful when issuing commands in the order listed above - you can
easily brick your device if the session rampup rate is high, as the
firewall will essentially generate debugging data for all connections.
I suggest issuing the "set ffilter ip 10.1.2.6" before any debug
commands, then following up with an "undebug all" after you have
reproduced the issue:

ssg550-> set ffilter src-ip 10.1.2.6
ssg550-> set ffilter dst-ip 10.1.2.6
ssg550-> clear db
ssg550-> debug flow basic
< reproduce the issue >
ssg550-> undebug all
ssg550-> get db str

Additionally, what version of ScreenOS are you running? There was a
strange policy evaluation/compilation issue I ran into earlier this year
that sporadically prevented certain policies from being hit (PR #308459,
iirc). According to JTAC, it is fixed in >= 6.0.0r6.0 - so if you have
support for the device, I'd suggest running at least this version of
ScreenOS, just to be safe.
- Mark
--
Mark Kamichoff
prox at prolixium.com
http://www.prolixium.com/