SSL Proxy Logs
When logging is enabled in an SSL proxy profile, SSL proxy can generate the log messages shown in Table 1.
Table 1: SSL Proxy Logs
- Session drop logs (SSL_PROXY_SSL_SESSION_DROP): generated when a session is dropped by SSL proxy.
- Session allow logs: generated when a session is processed by SSL proxy even after encountering some minor errors.
- Session ignore logs: generated if non-SSL sessions are initially mistaken for SSL sessions.
- Session whitelist logs (SSL_PROXY_SESSION_WHITELIST): generated when a session is whitelisted.
- Error logs: used for reporting errors.
- Warning logs: used for reporting warnings.
- Informational logs: used for reporting general information.
All logs carry the same set of fields, in the order in which they appear in the message:
logical-system-name, session-id, source-ip-address, source-port, destination-ip-address, destination-port, nat-source-ip-address, nat-source-port, nat-destination-ip-address, nat-destination-port, proxy-profile-name, source-zone-name, source-interface-name, destination-zone-name, destination-interface-name, message
The message field contains the reason for the log generation. One of three prefixes shown in Table 2 identifies the source of the message. Other fields are descriptively labeled.
Table 2: SSL Proxy Log Prefixes
- system: errors related to the device, or an action taken as part of the SSL proxy profile. Most logs fall into this category.
- OpenSSL library errors: errors detected by the openssl library during the handshake.
- certificate error: errors detected in the certificate during the handshake (x509-related errors).
Jun 1 05:11:13 22.214.171.124 junos-ssl-proxy: SSL_PROXY_SSL_SESSION_DROP: lsys:root 23 < 203.0.113.1/35090->192.0.2.1/443> NAT:< 203.0.113.1/35090->192.0.2.1/443> ssl-inspect-profile <untrust:ge-0/0/0.0->trust:ge-0/0/1.0> message:certificate error: self signed certificate
These logs capture only sessions dropped by SSL proxy itself, not sessions that are marked for dropping by other modules that also use SSL proxy services.
For SSL_PROXY_SESSION_WHITELIST messages, an additional host field is included after the session-id and contains the IP address of the server or domain that has been whitelisted.
Jun 1 05:25:36 126.96.36.199 junos-ssl-proxy: SSL_PROXY_SESSION_WHITELIST: lsys:root 24 host:192.0.2.1/443<203.0.113.1/35090->192.0.2.1/443> NAT:< 203.0.113.1/35090->192.0.2.1/443 > ssl-inspect-profile <untrust:ge-0/0/0.0->trust:ge-0/0/1.0> message:system: session whitelisted
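As an added example (not from the Junos documentation and not code that runs on the device), the following Python parses SSL proxy log lines in the field order listed above, tolerates the uneven spacing inside the angle brackets that the two sample messages show, splits the message field into its prefix and reason, and aggregates a batch of lines into drop counts by reason plus the list of whitelisted hosts. The first two lines in SAMPLE_LOGS are the page's own samples; the third is a constructed unrelated syslog line used to show that unparsed input is counted rather than silently skipped. The dictionary key names (src_if, nat_dport, wl_host and so on) are this example's own choice.

```python
import re
from collections import Counter

# Field order as documented: logical-system, session-id, [host: only on
# SSL_PROXY_SESSION_WHITELIST], <src/port->dst/port>, NAT:<...>, profile,
# <src-zone:src-if->dst-zone:dst-if>, message:<prefix>: <reason>.
# \s* inside the angle brackets tolerates the uneven spacing in real output
# ("< 203.0.113.1/35090->..." versus "<203.0.113.1/35090->...").
_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) junos-ssl-proxy: "
    r"(?P<tag>SSL_PROXY_[A-Z_]+): lsys:(?P<lsys>\S+) (?P<sid>\d+)\s*"
    r"(?:host:(?P<wl_host>\S+?))?\s*"
    r"<\s*(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)\s*>\s*"
    r"NAT:<\s*(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+)\s*>\s*"
    r"(?P<profile>\S+)\s*<(?P<src_zone>[^:]+):(?P<src_if>.+?)->(?P<dst_zone>[^:]+):(?P<dst_if>[^>]+)>\s*"
    r"message:(?P<message>.*)$"
)
_INT_FIELDS = ("sid", "sport", "dport", "nat_sport", "nat_dport")


def split_message(message):
    """Split 'certificate error: self signed certificate' into
    ('certificate error', 'self signed certificate'). The prefix names the
    source of the message (Table 2); a message without one yields ''."""
    prefix, sep, reason = message.partition(": ")
    if not sep:
        return "", message.strip()
    return prefix.strip(), reason.strip()


def parse_line(line):
    """Return a dict of the log's fields, or None if the line is not an
    SSL proxy log in the documented format."""
    m = _LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for name in _INT_FIELDS:
        rec[name] = int(rec[name])
    rec["prefix"], rec["reason"] = split_message(rec["message"])
    return rec


def summarize(lines):
    """Aggregate a batch of log lines for triage: drop counts keyed by
    (prefix, reason), whitelisted hosts, per-tag counts, and how many
    lines did not parse, so that lost events are visible."""
    out = {"drops": Counter(), "whitelisted": [], "by_tag": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"] += 1
            continue
        out["by_tag"][rec["tag"]] += 1
        if rec["tag"] == "SSL_PROXY_SSL_SESSION_DROP":
            out["drops"][(rec["prefix"], rec["reason"])] += 1
        elif rec["tag"] == "SSL_PROXY_SESSION_WHITELIST":
            out["whitelisted"].append(rec["wl_host"])
    return out


# The first two lines are the page's sample messages; the third is a
# constructed unrelated syslog line included to exercise the unparsed path.
SAMPLE_LOGS = [
    "Jun 1 05:11:13 22.214.171.124 junos-ssl-proxy: SSL_PROXY_SSL_SESSION_DROP: "
    "lsys:root 23 < 203.0.113.1/35090->192.0.2.1/443> NAT:< 203.0.113.1/35090->192.0.2.1/443> "
    "ssl-inspect-profile <untrust:ge-0/0/0.0->trust:ge-0/0/1.0> "
    "message:certificate error: self signed certificate",
    "Jun 1 05:25:36 126.96.36.199 junos-ssl-proxy: SSL_PROXY_SESSION_WHITELIST: "
    "lsys:root 24 host:192.0.2.1/443<203.0.113.1/35090->192.0.2.1/443> "
    "NAT:< 203.0.113.1/35090->192.0.2.1/443 > ssl-inspect-profile "
    "<untrust:ge-0/0/0.0->trust:ge-0/0/1.0> message:system: session whitelisted",
    "Jun 1 05:26:00 126.96.36.199 sshd[1234]: constructed unrelated syslog line",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    for (prefix, reason), n in s["drops"].most_common():
        print(f"{n:4d} drop(s)  [{prefix}] {reason}")
    print("whitelisted:", ", ".join(s["whitelisted"]))
    print("unparsed lines:", s["unparsed"])
```

Grouping drops by (prefix, reason) is what makes the list of common causes later on this page actionable: a burst of "certificate error" reasons points at the trusted CA configuration, whereas "system" reasons point at the device or the profile action itself. Keep the unparsed counter; a silent regex miss is how an alerting pipeline stops seeing drops without anyone noticing.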
Enabling Debugging and Tracing for SSL Proxy
Debug tracing on both the Routing Engine and the Packet Forwarding Engine can be enabled for SSL proxy through trace options, using the trace levels in Table 3 and the flags in Table 4.
SSL proxy is supported on SRX340, SRX345, SRX380, SRX550M, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, SRX5800 devices and vSRX instances. Table 3 shows the supported levels for trace options.
Table 3: Trace Levels (in order of increasing detail)
- Lowest level: only error traces on both the Routing Engine and the Packet Forwarding Engine.
- Next level: Packet Forwarding Engine traces event details up to the handshake. Routing Engine traces are related to commit; no periodic traces on the Routing Engine are available.
- Next level: Packet Forwarding Engine additionally provides a data transfer summary. Routing Engine traces are related to commit and are more extensive; no periodic traces on the Routing Engine are available.
- Highest level: all traces are available.
Table 4 shows the flags that are supported.
Table 4: Supported Flags in Trace
- Configuration-related traces only.
- Tracing on the SSL-I (SSL initiation) plug-in.
- Tracing on the SSL-Proxy-Policy plug-in.
- Tracing on the SSL-T (SSL termination) plug-in.
- Tracing only for profiles that have enable-flow-tracing set.
Enable logging in the SSL proxy profile to find the root cause of a session drop. The following errors are among the most common:
- Server certificate validation error. Check the trusted CA configuration on the device.
- System failures such as memory allocation failures.
- Ciphers do not match between the client, the proxy, and the server.
- SSL versions do not match.
- SSL options are not supported.
- Root CA has expired. Load a new root CA.
As a diagnostic step, you can enable the ignore-server-auth-failure option in the SSL proxy profile so that certificate validation failures, root CA expiration, and similar server authentication issues are ignored. If sessions are inspected once the option is enabled, the problem is localized to server authentication (the trusted CA configuration or the certificate chain). Treat the option as a troubleshooting aid only: while it is set, the proxy accepts any server certificate, including self-signed or forged ones, so remove it once the underlying certificate or CA issue is fixed.