Thursday, February 21, 2013
Juniper Netscreen: How do I capture debugging (debug flow) information
From the command line interface (CLI):
!Turn on the dbuf buffer
set console dbuf
!Set the parameters for debugging
set ffilter src-ip 192.168.10.50
!Turn on the debug flow
debug flow basic
!Use debug flow drop command to see dropped or denied packets (including those that did not make it to the policy engine).
debug flow drop
!turn debug off
undebug all
!check captured the stream
get dbuf stream
How do I capture debugging (debug flow) information?
How to configure preempt and priority NSRP options. How to force one firewall to be the preferred master.
SUMMARY:
PROBLEM OR GOAL:
SOLUTION:
On the other firewall, the preferred backup, only the priority needs to be specified. Assign the priority to be a higher value than the priority of the preferred master.
Note: A preempt hold-time may also be configured on the preferred master. Refer to the Concepts & Examples ScreenOSReference Guide: Vol 11, High Availability for more information.
How to force a device in the cluster to be the preferred master?
One of the firewalls of the cluster needs to be the preferred master. How do you configure this?
The NSRP parameters preempt and priority are used to control the preferred master.
On the preferred master, enable 'preempt' mode and assign a lower priority to the firewall in the cluster.
On the preferred master, enable 'preempt' mode and assign a lower priority to the firewall in the cluster.Configuration example:
Important: The device with the lowest priority will be the preferred master.nsisg1000(M)-> set nsrp vsd-group id 0 priority 50 <- To assign priority to device. By default the priority is 100
nsisg1000(M)->set nsrp vsd-group id 0 preempt <- To enable preempt mode
To verify configuration:nsisg1000(M)get nsrp vsd-group
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 50 yes 3 no myself 12090607
total number of vsd groups: 1
Total iteration=375750,time=399053148,max=6586,min=274,average=1062
On the other firewall, the preferred backup, only the priority needs to be specified. Assign the priority to be a higher value than the priority of the preferred master.nsisg1000(B)-> set nsrp vsd-group id 0 priority 100
Note: A preempt hold-time may also be configured on the preferred master. Refer to the Concepts & Examples ScreenOSReference Guide: Vol 11, High Availability for more information.
Subscribe to:
Posts (Atom)