Troubleshooting Flow-Tap
This section includes the following topics:
General Troubleshooting Steps
If your flow-tap application does not seem to be operating as expected, use the following steps to troubleshoot.
Check the configuration:
- Ensure the configuration matches the configuration in the “Flow-Tap Configuration on Juniper Networks Router” section within Configuring Flow-Tap Services for Lawful Intercept of this document; all components must be present.
- Ensure that Layer 3 services have been enabled for the services PIC (MS-400 PIC).
- Ensure that the sp-x/y/z interface is present.
- Ensure that the policer is present. Verify this by using the show policer CLI command.
- Log in to the services PIC and issue the show flow-tap services summary statement. Verify that flow-tap actions have occurred by observing the packet count for packets processed to date.
- Review information for the analyzer device and ensure that packets have been received by that device.
- Issue the monitor inter sp-0/2/0.100 command. From the output, determine if packets have been received and processed by the services PIC interface.
- Issue the show log dfcd command to see details from the parameter file that is being accepted by the router. If any of the information reported is inaccurate, this indicates a possible source of the problem. Example output follows:

    show log dfcd
    Aug 25 11:16:49 dfc_proto_pkt_handler: packet handling begins
    Aug 25 11:16:49 Msg: ADD DTCP/0.6
    Csource-ID: verint
    Cdest-ID: cd1
    Source-Address: *
    Dest-Address: *
    Source-Port: *
    Dest-Port: *
    Protocol: 17
    Flags: STATIC
    X-JTap-Cdest-Dest-Address: 192.168.3.2
    X-JTap-Cdest-Dest-Port: 1814
    X-JTap-Cdest-Source-Address: 10.209.74.183
    X-JTap-Cdest-Source-Port: 65534
    X-JTap-Cdest-TTL: 255
    Seq: 1
    Authentication-Info: 3db78d10deb83f8934f021e40dc2b49f45bc6dc7

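
The comparison that the show log dfcd step calls for can be scripted. The following is an added example, not Juniper code: it parses the ADD request from saved dfcd log text and reports every field that differs from what the mediation device was meant to send. It assumes the log writes one DTCP header per line; EXPECTED, parse_dtcp_messages and find_mismatches are hypothetical names.

```python
import re

# Constructed input: the page's ADD request, laid out one header per line (assumed layout).
SAMPLE_LOG = """\
Aug 25 11:16:49 dfc_proto_pkt_handler: packet handling begins
Aug 25 11:16:49 Msg: ADD DTCP/0.6
Csource-ID: verint
Cdest-ID: cd1
Source-Address: *
Dest-Address: *
Source-Port: *
Dest-Port: *
Protocol: 17
Flags: STATIC
X-JTap-Cdest-Dest-Address: 192.168.3.2
X-JTap-Cdest-Dest-Port: 1814
X-JTap-Cdest-Source-Address: 10.209.74.183
X-JTap-Cdest-Source-Port: 65534
X-JTap-Cdest-TTL: 255
Seq: 1
Authentication-Info: 3db78d10deb83f8934f021e40dc2b49f45bc6dc7
"""

# Hypothetical expectation set: the values the parameter file was meant to carry.
EXPECTED = {"Csource-ID": "verint", "Cdest-ID": "cd1",
            "X-JTap-Cdest-Dest-Address": "192.168.3.2", "X-JTap-Cdest-Dest-Port": "1814"}

MSG_START = re.compile(r"Msg: (?P<cmd>[A-Z]+) DTCP/(?P<ver>[\d.]+)\s*$")
HEADER = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9-]*): (?P<val>.*)$")

def parse_dtcp_messages(log_text):
    """Return one dict per DTCP request found in dfcd log text."""
    messages, current = [], None
    for line in log_text.splitlines():
        start, header = MSG_START.search(line), HEADER.match(line.strip())
        if start:  # "Msg: ADD DTCP/0.6" opens a new request
            current = {"command": start["cmd"], "version": start["ver"]}
            messages.append(current)
        elif current is not None and header:
            current[header["key"]] = header["val"].strip()
        else:  # any other line (next timestamped entry, blank) ends the request
            current = None
    return messages

def find_mismatches(message, expected):
    """Map each differing field to (expected, logged); logged is None if absent."""
    return {k: (v, message.get(k)) for k, v in expected.items() if message.get(k) != v}

if __name__ == "__main__":
    print([find_mismatches(m, EXPECTED) for m in parse_dtcp_messages(SAMPLE_LOG)])
```

An empty result for a request means the logged fields match the expectation set; a field that is missing from the log is reported with None as its logged value.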
Troubleshooting No Packets Received by the Analyzer Software
Use the following troubleshooting steps if you determine that no packets are being received by the analyzer software:
- Ensure that the target flow is occurring in the Juniper Networks router by installing a firewall filter counter on the interface toward the intended destination. If the counter increments, this indicates that packets are being sent, and the problem is with the flow-tap.
- Next, log in to each of the Flexible PIC Concentrators (FPCs) and look for the installation of the firewall filters. You will see information similar to this example:

    user@FFPC1# show filter
    Program Filters:
    ---------------
       Index     Dir     Cnt    Text     Bss  Name
       -----  ------  ------  ------  ------  --------
           3      96       0      20       0  __default_bpdu_filter__
       17000      48       0       4      20  __default_arp_policer__
       57023     240     576      40      96  __flowtap_inet__
       65280      48       0       4       0  __auto_policer_template__
       65281      96       0      16       0  __auto_policer_template_1__

    user@FFPC1# show filter index 57023 counter
    Filter Counters/Policers:
       Index               Packets           Bytes  Name
       -----  --------------------  --------------  --------
       57023                     0               0  Flowtap-Internal_IFL-ID-77
       57023                     0               0  Flowtap-Internal_IFL-ID-76
       57023                     0               0  Flowtap-Internal_IFL-ID-75
       57023                     0               0  Csource-verint___Cdest-cd2___ID-2

- If you don’t see information for the filters, try restarting the dynamic-flow-capture process, then reapply the parameter file from the mediation device. Configure the syslog logging level to any any and observe the messages file for the login activity. The following is a sample output:

    Oct 2 13:48:44 FFPC1 sshd[27410]: Accepted password for verint from 172.24.18.168 port 2902 ssh2
    Oct 2 13:48:45 FFPC1 ssh-relay[27414]: user 'verint' requesting 'flow-tap-dtcp' service
    Oct 2 13:48:45 FFPC1 ssh-relay[27414]: connected as user 'verint' to 'flow-tap-dtcp' server
    Oct 2 13:48:45 FFPC1 dfcd[27182]: New 'flow-tap-dtcp' relay connection from user: verint host: 172.24.18.168 auth: 1