traceoptions (Security Group VPN)
Syntax
traceoptions {
    file {
        filename;
        files number;
        match regular-expression;
        size maximum-file-size;
        (world-readable | no-world-readable);
    }
    flag flag (all | certificates | config | database | general | high-availability | ike | next-hop-tunnels | parse | policy-manager | routing-socket | thread | timer);
    gateway-filter {
        local-address ip-address;
        remote-address ip-address;
    }
    level (all | error | info | notice | verbose | warning);
    no-remote-trace;
}
Hierarchy Level
[edit security group-vpn member ike]
[edit security group-vpn server]
Description
Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Configure group VPN tracing options to aid in troubleshooting IKE or server issues. Using the standard trace file configuration, tracing helps you troubleshoot the negotiation of one or multiple tunnels and lets you view the detailed packet exchange and the negotiation information. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices and vSRX Virtual Firewall instances.
Options
file—Configure the trace file options.
  filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.
  files number—Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed to trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. The oldest archived file is overwritten.
    If you specify a maximum number of files, you also must specify a maximum file size with the size option and a filename.
    Range: 2 through 1000 files
    Default: 10 files
  match regular-expression—Refine the output to include lines that contain the regular expression.
  size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.
    If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and filename.
    Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
    Range: 10 KB through 1 GB
    Default: 128 KB
  world-readable | no-world-readable—By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.
flag—Trace operation to perform. To specify more than one trace operation, include multiple flag statements.
  all—Trace all activity.
  certificates—Trace certificate-related activity.
  config—Trace configuration activity.
  database—Trace SA-related database activity.
  general—Trace general activity.
  high-availability—Trace high-availability operations.
  ike—Trace IKE protocol activity.
  next-hop-tunnels—Trace next-hop tunnel operations.
  parse—Trace configuration processing.
  policy-manager—Trace IKE callback activity.
  routing-socket—Trace routing socket activity.
  thread—Trace thread processing.
  timer—Trace timer activity.
gateway-filter—Configure debugging for the tunnel between the group VPN server and a group member. This option is configured on a group VPN server or member.
  local-address—When configured on a server, the IP address of the group VPN server. When configured on a member, the IP address of the group VPN member.
  remote-address—When configured on a server, the IP address of the group VPN member. When configured on a member, the IP address of the group VPN server.
level—Set the level of debugging.
  all—Match all levels.
  error—Match error conditions.
  info—Match informational messages.
  notice—Match conditions that should be handled specifically.
  verbose—Match verbose messages.
  warning—Match warning messages.
no-remote-trace—Disable remote tracing.
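The following added example (not Juniper code) audits a set-style configuration for the points this page raises: tracing left enabled under either hierarchy level, a world-readable trace file, and files/size values that are unpaired or outside the documented ranges. The set-style input form, the finding names, and the sample file names are assumptions of the example, and a bare number is treated as a plain count.

```python
import re
# Hierarchy levels from this page; SAMPLE and its set-style lines are constructed.
HIERARCHIES = ("security group-vpn member ike", "security group-vpn server")
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
SAMPLE = """\
set security group-vpn server traceoptions file gvpn-srv size 5k
set security group-vpn server traceoptions file world-readable
set security group-vpn member ike traceoptions file gvpn-mem size 1m files 3 no-world-readable
"""

def number(text):
    """Parse a count or an xk / xm / xg size into an integer; 0 if malformed."""
    m = re.fullmatch(r"(\d+)([kmg]?)", (text or "").lower())
    return int(m.group(1)) * UNITS[m.group(2)] if m else 0

def file_options(stmts):
    """Merge the file options spread over several traceoptions statements."""
    opts = {}
    for s in stmts:
        tokens = iter(s[1:] if s[:1] == ["file"] else [])
        for tok in tokens:
            if tok in ("size", "files", "match"):
                opts[tok] = next(tokens, None)
            elif tok in ("world-readable", "no-world-readable"):
                opts["access"] = tok
            else:
                opts["filename"] = tok.strip('"')
    return opts

def audit(config_text):
    """Return {hierarchy: [findings]} for each hierarchy with tracing set."""
    report = {}
    for h in HIERARCHIES:
        prefix = ["set", *h.split(), "traceoptions"]
        lines = map(str.split, config_text.splitlines())
        stmts = [w[len(prefix):] for w in lines if w[:len(prefix)] == prefix]
        if not stmts:
            continue
        o = file_options(stmts)
        have = [k in o for k in ("files", "size", "filename")]  # set together
        checks = {
            "tracing-enabled": True,  # page: disable right after collection
            "world-readable": o.get("access") == "world-readable",
            "incomplete-rotation": any(have[:2]) and not all(have),
            "files-out-of-range": have[0] and not 2 <= number(o["files"]) <= 1000,
            "size-out-of-range": have[1] and not 10240 <= number(o["size"]) <= 1024 ** 3,
        }
        report[h] = [name for name, hit in checks.items() if hit]
    return report
```

Calling audit(SAMPLE) returns one entry per hierarchy level that still carries a traceoptions statement, so an empty result means tracing has been removed from both.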
Required Privilege Level
trace—To view this statement in the configuration.
trace-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 10.2. Support for the gateway-filter option at the [edit security group-vpn member ike] hierarchy level was added in Junos OS Release 15.1X49-D30 for vSRX Virtual Firewall.