SRX





  • 1.  How can I find information in my logs

    Posted 04-12-2011 14:44

    I have a log entry in my KMD log that says

     

    Apr 12 14:23:02 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=208.143.17.2) p1_remote=usr@fqdn(udp:500,[0..14]=ca-sls05@company.com)

     

    The issue is, the VPN initiator (ca-sls05@company.com) is currently turned off and is not generating IKE requests. These are coming into my SRX240 about every 30 seconds. How can I determine the IP address that is generating these rogue requests and find out who's trying to initiate a tunnel?

     

    -J

     


    #rogue
    #SRX240
    #logs
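Added example, not from the thread: a small Python parser for the KMD_PM_P1_POLICY_LOOKUP_FAILURE line quoted above that groups failures by the Phase-1 remote identity and flags identities that keep retrying on a fixed interval (the "every 30 seconds" pattern). The sample log lines, the second remote identity and the ipv4 remote-ID layout are constructed; the syslog line itself does not carry the peer's source address, which is why the thread turns to traceoptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the KMD Phase-1 policy lookup failure line as quoted in the question.
# The bracketed ranges ([0..3], [0..14]) are the ID payload byte lengths; they
# are skipped, and the identity value after "=" is captured.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) KMD_PM_P1_POLICY_LOOKUP_FAILURE: "
    r"Policy lookup for Phase-1 \[(?P<role>\w+)\] failed for "
    r"p1_local=(?P<ltype>[\w@]+)\(\w+:\d+,\[[^\]]*\]=(?P<local>[^)]+)\) "
    r"p1_remote=(?P<rtype>[\w@]+)\(\w+:\d+,\[[^\]]*\]=(?P<remote>[^)]+)\)$"
)

# Constructed sample modelled on the question's line: one peer retrying every
# 30 seconds, plus one single failure from an ipv4 identity (documentation IP).
PREFIX = "KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for "
SAMPLE_LOG = [
    f"Apr 12 14:23:{s:02d} {PREFIX}p1_local=ipv4(any:0,[0..3]=208.143.17.2) "
    f"p1_remote=usr@fqdn(udp:500,[0..14]=ca-sls05@company.com)"
    for s in (2, 32)
] + [
    f"Apr 12 14:24:{s:02d} {PREFIX}p1_local=ipv4(any:0,[0..3]=208.143.17.2) "
    f"p1_remote=usr@fqdn(udp:500,[0..14]=ca-sls05@company.com)"
    for s in (2, 32)
] + [
    f"Apr 12 14:23:10 {PREFIX}p1_local=ipv4(any:0,[0..3]=208.143.17.2) "
    f"p1_remote=ipv4(udp:500,[0..3]=198.51.100.7)"
]

def parse_line(line):
    """Return the named fields of one failure line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, year=2011, min_count=3, max_gap=60):
    """Per remote identity: failure count, median retry gap (s) and a periodic flag.
    Syslog lines carry no year, so the caller supplies one for timestamp parsing."""
    stamps_by_remote = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated KMD line; ignore
        ts = datetime.strptime(f"{year} {' '.join(rec['ts'].split())}", "%Y %b %d %H:%M:%S")
        stamps_by_remote[rec["remote"]].append(ts)
    report = {}
    for remote, stamps in stamps_by_remote.items():
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        median = gaps[len(gaps) // 2] if gaps else None
        periodic = len(stamps) >= min_count and median is not None and median <= max_gap
        report[remote] = {"count": len(stamps), "median_gap": median, "periodic": periodic}
    return report

if __name__ == "__main__":
    for remote, info in summarize(SAMPLE_LOG).items():
        print(f"{remote}: {info}")
```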


  • 2.  RE: How can I find information in my logs

    Posted 04-12-2011 15:06

    You could run traceoptions on your security -> ike, or on security->flow, or use packet capture with a filter for destination IP 208.143.17.2 and port 500.



  • 3.  RE: How can I find information in my logs

    Posted 04-12-2011 15:15

    [edit security ike] set traceoptions flag all?

     

    What log file would I find it in?

    -J

     



  • 4.  RE: How can I find information in my logs
    Best Answer

    Posted 04-12-2011 15:43

    I usually set a separate file for trace logs.

     

     

    traceoptions {
        file ike-trace.log size 5m files 5;
        flag general;
    }

    The "flag general" should be enough to give you basic information about IKE events without filling up the logs with a bunch of stuff to sift through.

     

     

    You can bump it up to "flag all" if you need more information, or even throw in the hidden "set level 15" if you're feeling especially adventurous.

     

    You can view the log with "show log ike-trace.log" from operational mode.



  • 5.  RE: How can I find information in my logs

    Posted 04-12-2011 16:02

    Found him, thanks. I had to use flag all, but the offending IP is 98.149.96.197.

    -J

     



  • 6.  RE: How can I find information in my logs

    Posted 04-12-2011 16:10

    How do I delete the log file ike-trace.log?

    -J

     



  • 7.  RE: How can I find information in my logs

    Posted 04-13-2011 01:25

    Do the following to delete the file:

     

    file delete /var/log/ike-trace.log

     

    Make sure that you delete or deactivate the traceoptions once finished.