SRX

Hi,

This was talked about before and was supposed to be a sticky at the top of the forum for everyone to participate in.  Thought I'd start it off. 

Something I like for VPN debugging, which enables logging to the KMD log by default without the need to commit!

user@srx>request security ike debug-enable local <ip-address> remote <ip-address> level <level>

 and to turn off:

user@srx>request security ike debug-disable

I floated the topic

Another usefull one for taking a tcpdump of an interface to analyze with Wireshark or similar.

user@srx>monitor traffic interface ge-0/0/1.0 write-file test.pcap

 Can be viewed on the SRX also:

user@srx>monitor traffic read-file test.pcap

Hi

Some more hidden commands:

To see default config settings

lab@srx240# show groups junos-defaults

 To see some system limits (not really hidden, but anyway):

show log nsd_chk_only

To see currently working Junos applications definitions

request pfe execute command "show usp app-def tcp" target fwdd
request pfe execute command "show usp app-def udp" target fwdd

 And last but not the least,

lab@srx240# commit full

 to make all daemons re-read the configuration.

May be not so useful, but there are some hidden aliases for comands, e.g. you can use

lab@srx> show security ike sa           
lab@srx> show security ipsec sa

(sa instead of security-associations).

Nice. also to add to it,

if your commit is taking a long time and you want to see where it is taking time, you can try:

# commit |display detail

(again , this is not a hidden command but still useful )

Another good one is:

root@SRX210H> start shell pfe network fwdd                              


BSD platform (OCTEON processor, 416MB memory, 8192KB flash)

FLOWD_OCTEON(SRX210H vty)# ?
    clear                 clear commands
    connect               connect to a remote TNP endpoint
    debug                 Debug commands
    diagnostic            diagnostic commands
    eth                   eth commands
    jsflib                jsf lib information
    pconnect              connect to a remote PIP endpoint
    peekbyte              display memory in bytes
    peeklong              display memory in 32bit longs
    peekword              display memory in 16bit words
    plugin                plugin information
    pty                   open a pty to a PIC
    quit                  quit TTY environment
    reboot                reboot hardware
    set                   set system parameters
    show                  show system information
    sleep                 pause for a few seconds
    test                  test commands
    undebug               Undebug commands
    vty                   open a vty to a remote TNP endpoint

FLOWD_OCTEON(SRX210H vty)#    

FLOWD_OCTEON(SRX210H vty)# show threads    
PID PR State     Name                   Stack Use  Time (Last/Max/Total) cpu
--- -- -------   ---------------------  ---------  ---------------------
  1 H  asleep    Maintenance           1320/73824  0/8/792 ms  0%
  2 L  running   Idle                  1600/73824  0/15/2839688 ms  0%
  3 H  asleep    Timer Services        1256/73824  0/8/33463 ms  0%
  5 L  asleep    Ukern Syslog           856/73824  0/0/0 ms  0%
  6 L  asleep    Sheaf Background      1120/73824  0/8/1360 ms  0%
  7 M  asleep    mac_db                 856/73824  0/0/0 ms  0%
  8 M  asleep    Docsis                1072/73824  0/8/17890 ms  0%
  9 M  asleep    ATMX                  1312/73824  0/8/46704 ms  0%
 10 M  asleep    XDSL                  1392/73824  0/15/2119765 ms  0%
 11 M  asleep    DSX50ms               1648/73824  0/8/209140 ms  0%
 12 M  asleep    DSXonesec             1264/73824  0/8/20366 ms  0%
 13 M  asleep    SFP                   1216/73824  0/8/32989 ms  0%
 14 M  asleep    Ethernet              2264/73824  0/16/6458174 ms  1%
 15 M  asleep    RSMON syslog thread    896/73824  0/8/227 ms  0%
 16 L  asleep    Syslog                1264/73824  0/8/192 ms  0%
[...]

FLOWD_OCTEON(SRX210H vty)# show threads 1971
PID PR State     Name                   Stack Use  Time (Last/Max/Total) cpu
--- -- -------   ---------------------  ---------  ---------------------
1971 L  asleep    Cattle-Prod Daemon    3288/73824  0/0/0 ms  0%

Wakeups:
      Type  ID  Enabled  Pending   Context
 Semaphore  00       No       No  0x489ab1e8
     Timer  00       No       No  0x489ab998
    Socket  00      Yes       No  0x4a33aa80

Frame 00: sp = 0x4a336ba8, pc = 0x08014cb0
Frame 01: sp = 0x4a336c20, pc = 0x0801b9b4
Frame 02: sp = 0x4a336c58, pc = 0x08047db4
Frame 03: sp = 0x4a336c88, pc = 0x08046cc0
Frame 04: sp = 0x4a336ca8, pc = 0x08722374
Frame 05: sp = 0x4a337130, pc = 0x0802b8ec
Frame 06: sp = 0x4a337158, pc = 0x00002000

FLOWD_OCTEON(SRX210H vty)# 

Ideally, you should never see terms like 'ifd' and 'ifl' in the logs but if you do see them in logs which look something like:

COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL 10. Reason: File exists

(ifd refers to physical interface and ifl refers to logical interfaces. One ifd can have multiple ifls under it. )

and you want to know which interface it is referring to, you can use the following hidden commands:

cli> show interfaces ifl-index 10

#In case it says ifd, you can use:

cli> show interfaces ifd-index 10

A command to log in to other node of SRX cluster

{primary:node0}
lab@E1> request routing-engine login ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command
{primary:node0}
lab@E1> request routing-engine login node 1 

--- JUNOS 12.1R3.5 built 2012-08-09 07:05:23 UTC
{secondary:node1}
lab@E2> 

commit full 

Just to add a little bit more detail.

Let say somehow you dont have the root login and still you want to capture output on PFE withough going to vty mode.

Here is the way.

admin@SRX210H>request pfe execute target fwdd command "show usp threads"<<<<Just add pfe commands in colun" ".

I know this is an SRX thread, but I find this one useful all the time on an EX VC: 

operate@Ray-20# run request rou                            
                               ^
syntax error.
operate@Ray-20# run request routing-engine ?                 
Possible completions:
  login                Allow login to one Routing Engine
{master:0}[edit]
operate@Ray-20# run request routing-engine login ?
Possible completions:
  all-members          Log in to all virtual chassis members
  backup               Log in to backup RE
  local                Log in to local virtual chassis member
  master               Log in to master RE
  member               Log in to specific virtual chassis member (0..9)
  other-routing-engine  Log in to the other Routing Engine
  re0                  Log in to RE0
  re1                  Log in to RE1
{master:0}[edit]
operate@Ray-20#                             

Junos contains default configurations in a hidden group named junos-defaults. To see them:

user@srx>show configuration groups junos-defaults

user@srx>show configuration groups junos-defaults applications