A command to log in to the other node of an SRX cluster

    {primary:node0}
    lab@E1> request routing-engine login ?
    Possible completions:
      <[Enter]>            Execute this command
      |                    Pipe through a command

    {primary:node0}
    lab@E1> request routing-engine login node 1

    --- JUNOS 12.1R3.5 built 2012-08-09 07:05:23 UTC
    {secondary:node1}
    lab@E2>

===

    root@SRX210H> start shell pfe network fwdd

    BSD platform (OCTEON processor, 416MB memory, 8192KB flash)

    FLOWD_OCTEON(SRX210H vty)# ?
      clear        clear commands
      connect      connect to a remote TNP endpoint
      debug        Debug commands
      diagnostic   diagnostic commands
      eth          eth commands
      jsflib       jsf lib information
      pconnect     connect to a remote PIP endpoint
      peekbyte     display memory in bytes
      peeklong     display memory in 32bit longs
      peekword     display memory in 16bit words
      plugin       plugin information
      pty          open a pty to a PIC
      quit         quit TTY environment
      reboot       reboot hardware
      set          set system parameters
      show         show system information
      sleep        pause for a few seconds
      test         test commands
      undebug      Undebug commands
      vty          open a vty to a remote TNP endpoint

    FLOWD_OCTEON(SRX210H vty)#
    FLOWD_OCTEON(SRX210H vty)# show threads
    PID PR State     Name                   Stack Use   Time (Last/Max/Total)  cpu
    --- -- -------   ---------------------  ---------   ---------------------
      1 H  asleep    Maintenance            1320/73824  0/8/792 ms              0%
      2 L  running   Idle                   1600/73824  0/15/2839688 ms         0%
      3 H  asleep    Timer Services         1256/73824  0/8/33463 ms            0%
      5 L  asleep    Ukern Syslog            856/73824  0/0/0 ms                0%
      6 L  asleep    Sheaf Background       1120/73824  0/8/1360 ms             0%
      7 M  asleep    mac_db                  856/73824  0/0/0 ms                0%
      8 M  asleep    Docsis                 1072/73824  0/8/17890 ms            0%
      9 M  asleep    ATMX                   1312/73824  0/8/46704 ms            0%
     10 M  asleep    XDSL                   1392/73824  0/15/2119765 ms         0%
     11 M  asleep    DSX50ms                1648/73824  0/8/209140 ms           0%
     12 M  asleep    DSXonesec              1264/73824  0/8/20366 ms            0%
     13 M  asleep    SFP                    1216/73824  0/8/32989 ms            0%
     14 M  asleep    Ethernet               2264/73824  0/16/6458174 ms         1%
     15 M  asleep    RSMON syslog thread     896/73824  0/8/227 ms              0%
     16 L  asleep    Syslog                 1264/73824  0/8/192 ms              0%
    [...]
    FLOWD_OCTEON(SRX210H vty)# show threads 1971
    PID PR State     Name                   Stack Use   Time (Last/Max/Total)  cpu
    --- -- -------   ---------------------  ---------   ---------------------
    1971 L asleep    Cattle-Prod Daemon     3288/73824  0/0/0 ms                0%

    Wakeups:
           Type  ID  Enabled  Pending  Context
      Semaphore  00  No       No       0x489ab1e8
          Timer  00  No       No       0x489ab998
         Socket  00  Yes      No       0x4a33aa80

    Frame 00: sp = 0x4a336ba8, pc = 0x08014cb0
    Frame 01: sp = 0x4a336c20, pc = 0x0801b9b4
    Frame 02: sp = 0x4a336c58, pc = 0x08047db4
    Frame 03: sp = 0x4a336c88, pc = 0x08046cc0
    Frame 04: sp = 0x4a336ca8, pc = 0x08722374
    Frame 05: sp = 0x4a337130, pc = 0x0802b8ec
    Frame 06: sp = 0x4a337158, pc = 0x00002000

    FLOWD_OCTEON(SRX210H vty)#

===

To enable or disable the VLAN tagging/untagging on the control link.

    root@SRX# run set chassis cluster control-link-vlan ?
    Possible completions:
      disable              Disable control VLAN tag
      enable               Enable control VLAN tag
      reboot               Reboot the system after setting the identifiers
    [edit]
    root@SRX# run set chassis cluster control-link-vlan

===

To summarise KB19943: How can I enable IKE traceoptions for only specific security associations?

    request security ike debug-enable local remote level

Where level 7 should be high enough for most useful logs

===

Something I like for VPN debugging, which enables logging to the KMD log by default without the need to commit!

    user@srx>request security ike debug-enable local remote level

and to turn off:

    user@srx>request security ike debug-disable

===

Another useful one for taking a tcpdump of an interface to analyze with Wireshark or similar.
    user@srx>monitor traffic interface ge-0/0/1.0 write-file test.pcap

Can be viewed on the SRX also:

    user@srx>monitor traffic read-file test.pcap

===

To see default config settings

    lab@srx240# show groups junos-defaults

To see some system limits (not really hidden, but anyway):

    show log nsd_chk_only

To see currently working Junos applications definitions

    request pfe execute command "show usp app-def tcp" target fwdd
    request pfe execute command "show usp app-def udp" target fwdd

And last but not the least,

    lab@srx240# commit full

to make all daemons re-read the configuration

===

Another hidden command I find incredibly useful when troubleshooting is:

    bdale@gw210> show chassis cluster information ?
    Possible completions:
      <[Enter]>            Execute this command
      coldsync             Display coldsync information
      command-history      Display command history
      control-link         Display control link information
      detail               Display all chassis cluster information
      fabric-link          Display fabric link information
      hardware-monitor     Display hardware monitoring information
      interface-monitor    Display interface monitoring information
      issu                 Display ISSU information
      loopback             Display loopback monitoring information
      redundancy-group     Display chassis cluster status per redundancy-group
      spu                  Display SPU information
      |                    Pipe through a command

Not sure why it's hidden, but "detail" probably does the work of three or four commands in one go!

===

1. Web-management traceoptions -

    lab@host1-a# set system services web-management ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > control              Control of the web management process
    > http                 Unencrypted HTTP connection settings
    > https                Encrypted HTTPS connections
      management-url       URL path for web management access
    > session              Session parameters
    [edit]
    lab@host1-a# set system services web-management traceoptions ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > file                 Trace file information
    > flag                 Area of HTTPD process to enable debugging output
      level                Level of debugging output
      no-remote-trace      Disable remote tracing
    [edit]

2. Disabling UTM process

    [edit]
    lab@host1-a# set system processes ut
                                      ^
    syntax error.
    [edit]
    lab@host1-a# set system processes utmd disable

    [edit]
    lab@host1-a# show | compare
    [edit system]
    +  processes {
    +      utmd disable;
    +  }

    [edit]
    lab@host1-a# commit check
    configuration check succeeds

3. ALG Configuration

    lab@host1-a# run show security alg configuration
    ALG Activation List:
      DNS      : Activated
      FTP      : Activated
      H323     : Activated
      MGCP     : Activated
      REAL     : Activated
      RSH      : Activated
      RTSP     : Activated
      SCCP     : Activated
      SIP      : Activated
      SQL      : Activated
      TALK     : Activated
      TFTP     : Activated
      PPTP     : Activated

    DNS Configuration:
      Maximum Message Length : 0

    FTP Configuration:
      FTP FTPS extension : No
      Line Break extension: : No
      Allow Mismatch IP Address: : No

    H323 Configuration:
      Endpoint Registration Timeout : 3600
      Media Source Port Any : Off
      Application Screen
        Unknown Message NAT packets : Deny
        Unknown Message Routed packets : Deny
        Message Flood Gatekeeper Threshold : 1000
      DSCP Codepoint : 64

    MGCP Configuration:
      Inactive Media Timeout : 120
      TransactionTimeout : 30
      Max Call Duration : 720
      Application Screen
        Unknown Message NAT packets : Deny
        Unknown Message Routed packets : Deny
        Message Flood Threshold : 1000
        Connection Flood Threshold : 200
      DSCP Codepoint : 64

    SCCP Configuration:
      Inactive Media Timeout : 120
      Application Screen
        Unknown Message NAT packets : Deny
        Unknown Message Routed packets : Deny
        Call Flood Threshold : 20
      DSCP Codepoint : 64

    SIP Configuration:
      Inactive Media Timeout : 120
      Max Call Duration : 720
      T1 Interval : 500
      T4 Interval : 5
      C Timeout : 3
      DSCP Codepoint : 64
      Application Screen
        Unknown Message NAT packets : Deny
        Unknown Message Routed packets : Deny
        Protect Deny Timeout : 5
      Protect Deny Destination IP List

    [edit]

and for fun ...

    [edit]
    lab@host1-a# run show version and haiku
    Hostname: host1-a
    Model: srx240h-poe
    JUNOS Software Release [11.4R1.6]

        Look, mama, no hands!
        Only one finger typing.
        Easy: commit scripts.

===

Maybe not so useful, but there are some hidden aliases for commands, e.g. you can use

    lab@srx> show security ike sa
    lab@srx> show security ipsec sa

===

    monitor traffic interface ge-0/0/0
    monitor start message
    monitor interface traffic detail
    request session member 0