Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Troubleshooting Logical Systems

 

Use the following features to monitor logical systems and troubleshoot the software issues. For more information, see the following topics:

Understanding Security Logs and Logical Systems

Security logs are system log messages that include security events. If a device is configured for logical systems, security logs generated within the context of a logical system use the name logname_LS (for example, IDP_ATTACK_LOG_EVENT_LS). The logical system version of a log has the same set of attributes as the log for devices that are not configured for logical systems. The logical system log includes logical-system-name as the first attribute.

The following security log shows the attributes for the IDP_ATTACK_LOG_EVENT log for a device that is not configured for logical systems:

The following security log shows the attributes for the IDP_ATTACK_LOG_EVENT_LS log for a device that is configured for logical systems (note that logical-system-name is the first attribute):

If a device is configured for logical systems, log parsing scripts might need to be modified because the log name includes the _LS suffix and the logical-system-name attribute can be used to segregate logs by logical system.

If a device is not configured for logical systems, the security logs remain unchanged and scripts built to parse logs do not need any modification.

Note

Only the master administrator can configure logging at the [edit security log] hierarchy level. User logical system administrators cannot configure logging for their logical systems.

Stream mode is a set of logging services that includes:

  • Off-box logging (SRX Series)

  • On-box logging and reporting (SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, SRX1500, SRX4100, SRX4200, and SRX4600 Series)

Per logical system configuration is supported for the off-box logging and logs are handled based on these configurations. Previously the user logical system logs were generated from root logical system. For off-box logging, the logical system logs can only be generated from logical system interface.

Limitations

Each SPU can only support a maximum of 1000 connections for standalone and 500 connections for cluster on the SRX5400, SRX5600, and SRX5800 devices in the Junos OS 18.2R1 release. If all the connections are used up, some connections for user logical systems might not be established.

Note

The error message will be captured in the System Log Explorer.

Configuring On-Box Reporting for logical Systems

SRX Series devices supports different types of reports for logical system users.

Reports are stored locally on the SRX Series device and there is no requirement for separate devices or tools for logs and reports storage. The on-box reports provides a simple and easy-to-use interface for viewing the security logs.

Before you begin:

  • Understand how to configure security log for logical systems. See Example: Configure Security Log for logical Systems

To configure on-box reporting for logical system:

  1. Define the logical system name as LSYS1.
  2. Create report within security log per tenant system.
  3. Confirm your configuration by entering the show logical-systems LSYS1 command.
Note

By default the report option is disabled. The set logical-systems LSYS1 security log mode stream command is enabled by default.

Example: Configure Security Log for Logical Systems

This example shows how to configure security logs for a logical system.

Requirements

This example uses the following hardware and software components:

  • An SRX Series device.

  • Junos OS Release 18.3R1 and later releases.

Before you begin:

Overview

SRX Series devices have two types of log: system logs and security logs. System logs record control plane events, for example, admin login to the device. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling, for example when a security policy denies certain traffic due to some violation of the policy.

The two types of logs can be collected and saved either on-box or off-box. The procedure below explains how to configure security logs in binary format for off-box (stream-mode) logging.

For off-box logging, security logs for a logical system are sent from a logical system interface. If the logical system interface is already configured in a routing instance, then configure routing-instance routing-instance-name at edit logical-systems logical-system-name security log stream log-stream-name host hierarchy. If the interface is not configured in routing instance, then no routing instance should be configured at edit logical-systems logical-system-name security log stream log-stream-name host hierarchy.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following procedure specifies how to configure security logs for a logical system.

  1. Specify the logging mode and the format for the log file. For off-box, stream-mode logging.
  2. For off-box security logging, specify the source address, which identifies the SRX Series device that generated the log messages. The source address is required.
  3. Specify the routing instance and define the interface.
  4. Define routing instance for a logical system.
  5. Specify the security log transport protocol for the device.

Step-by-Step Procedure

The following procedure specifies how to configure a security profile for a logical system.

  1. Configure a security profile and specify the number of maximum and reserved policies.
  2. Assign the configured security profile to TSYS1.

Results

From configuration mode, confirm your configuration by entering the show system security-profile, show logical-systems LSYS1 security log, and show logical-systems LSYS1 routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Detailed Output for Security Log

Purpose

Verify that the output displays the resource information for all logical systems.

Action

From operational mode, enter the show system security-profile security-log-stream-number tenant all command.

Meaning

The output displays the resource information for logical systems.

Configuring On-Box Binary Security Log Files for Logical System

SRX Series devices support two types of log: system logs and security logs.

The two types of log are collected and saved either on-box or off-box. The following procedure explains how to configure security logs in binary format for on-box (event-mode) logging for logical system.

The following procedure specifies binary format for event-mode security logging, and defines the log filename, path, and log file characteristics for logical system.

  1. Specify the logging mode and the format for the log file. For on-box, event-mode logging:
  2. (Optional) Specify a log filename.
    Note

    Security log filename is not mandatory. If security log filename is not configured, by default the file bin_messages is created in the /var/log directory.

  3. Confirm your configuration by entering the show logical-systems LSYS1 command.

The following procedure specifies binary format for stream-mode security logging, and defines the log filename and log file characteristics for logical system.

  1. Specify the logging mode and the format for the log file. For on-box, stream-mode logging:
  2. (Optional) Specify a log filename.
  3. Confirm your configuration by entering the show logical-systems LSYS1 command.

Configuring Off-Box Binary Security Log Files for Logical System

SRX Series devices support two types of log: system logs and security logs.

The two types of log can be collected and saved either on-box or off-box. The procedure below explains how to configure security logs in binary format for off-box (stream-mode) logging.

The following procedure specifies binary format for stream-mode security logging, and defines the logging mode, source address, and host name characteristics for logical system.

  1. Specify the logging mode and the format for the log file. For off-box, stream-mode logging:
  2. Specify the source address for off-box security logging.
  3. Specify the host name.
  4. Confirm your configuration by entering the show logical-systems LSYS1 command.

Understanding Data Path Debugging for Logical Systems

Data path debugging provides tracing and debugging at multiple processing units along the packet-processing path. Data path debugging can also be performed on traffic between logical systems.

Note

Only the master administrator can configure data path debugging for logical systems at the [edit security datapath-debug] level. User logical system administrators cannot configure data path debugging for their logical systems.

End-to-end event tracing traces the path of a packet from when it enters the device to when it leaves the device. When the master administrator configures end-to-end event tracing, the trace output contains logical system information.

The master administrator can also configure tracing for traffic between logical systems. The trace output shows traffic entering and leaving the logical tunnel between logical systems. When the preserve-trace-order option is configured, the trace message is sorted chronologically. In addition to the trace action, other actions such as packet-dump and packet-summary may be configured for traffic between logical systems.

Data path debugging is supported on SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800.

Performing Tracing for Logical Systems (Master Administrators Only)

Note

Only the master administrator can configure data path debugging for logical systems at the root level.

To configure an action profile for a trace or packet capture:

  1. Specify event types and trace actions. You can specify any combination of event types and trace actions. For example, the following statements configure multiple trace actions for each event type:
  2. Specify action profile options.
  3. Configure packet filter options.

To capture trace messages for logical systems:

  1. Configure the trace capture file.
  2. Display the captured trace in operational mode.
  3. Clear the log.

To perform packet capture for logical systems:

  1. Configure the packet capture file.
  2. Enter operational mode to start and then stop the packet capture.
    Note

    Packet capture files can be opened and analyzed offline with tcpdump or any packet analyzer that recognizes the libpcap format. You can also use FTP or the Session Control Protocol (SCP) to transfer the packet capture files to an external device.

  3. Disable packet capture from configuration mode.Note

    Disable packet capture before opening the file for analysis or transferring the file to an external device with FTP or SCP. Disabling packet capture ensures that the internal file buffer is flushed and all the captured packets are written to the file.

  4. Display the packet capture.
    • To display the packet capture with the tcpdump utility:

    • To display the packet capture from CLI operational mode:

Troubleshooting DNS Name Resolution in Logical System Security Policies (Master Administrators Only)

Problem

Description: The address of a hostname in an address book entry that is used in a security policy might fail to resolve correctly.

Cause

Normally, address book entries that contain dynamic hostnames refresh automatically for SRX Series devices. The TTL field associated with a DNS entry indicates the time after which the entry should be refreshed in the policy cache. Once the TTL value expires, the SRX Series device automatically refreshes the DNS entry for an address book entry.

However, if the SRX Series device is unable to obtain a response from the DNS server (for example, the DNS request or response packet is lost in the network or the DNS server cannot send a response), the address of a hostname in an address book entry might fail to resolve correctly. This can cause traffic to drop as no security policy or session match is found.

Solution

The master administrator can use the show security dns-cache command to display DNS cache information on the SRX Series device. If the DNS cache information needs to be refreshed, the master administrator can use the clear security dns-cache command.

Note

These commands are only available to the master administrator on devices that are configured for logical systems. This command is not available in user logical systems or on devices that are not configured for logical systems.