The Trusted Solaris tools and commands described in this section can help you debug networking problems. For information on the commands, refer to the appropriate man pages. Refer also to Part 3, "Managing Hosts and Networks," in the Trusted Solaris Administrator's Procedures manual. In addition, standard network debugging commands such as snoop(1M), ipcs(1), and netstat(1M) are available in the Trusted Solaris environment.
To get security information for the source, destination, and gateway hosts in the transmission, use tninfo(1M). With it you can check whether the information that the kernel is caching is correct. This command is intended to be run at ADMIN_HIGH with effective user ID 0. These restrictions can be overridden by the file_mac_read, sys_trans_label, and file_dac_read privileges. Use tninfo as follows:
tninfo -h [<hostname>] displays the IP address, port, and template for all hosts or the given host.
tninfo -t <templatename> displays the following information for all templates or the given template: host type, minimum label (in label and hex format), maximum label (in label and hex format), allowed privileges, and IP label type (RIPSO, CIPSO, or none).
tninfo -k displays kernel statistics: number of host accreditation check failures, number of network accreditation check failures, and memory allocation statistics.
To change or check network security information, use the SMC tools to access the tnrhtp, tnrhdb, and tnidb files. If you are not using the NIS+ tables for networking, these changes will take place immediately after you exit from SMC. If you are using NIS+ tables, then the changes will take place when the network daemon next polls the databases or when the system is rebooted. If you wish the change to take place sooner, you can shorten the polling interval using tnctl(1M) with the -p option on the host that needs the updated information.
To collect debugging information from the network daemon if the network is already running, use tnctl(1M) with the -d option. Debugging data is written by default to the file /var/tsol/tndlog. Search the log file for failures and other symptoms of problems.
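The following is an added example, not taken from the Trusted Solaris documentation: it brackets one failing transmission with two tninfo -k snapshots and prints the kernel statistics lines that changed, plus any lines appended to the network daemon log in the meantime. It assumes debugging has already been turned on with tnctl -d and that a POSIX shell with mktemp(1) and diff(1) is available; the names trace_transmission, log_lines, TNINFO and TNDLOG are hypothetical.

```sh
#!/bin/sh
# Added example (not from the Trusted Solaris documentation).
# No tninfo or tndlog output format is assumed: both are compared as plain
# text. Run it in the role and at the label the page requires for tninfo.

TNINFO=${TNINFO:-tninfo}             # command named on the page; overridable
TNDLOG=${TNDLOG:-/var/tsol/tndlog}   # default debug log path given on the page

# Number of lines currently in the log (0 if it is missing or unreadable).
log_lines() {
    if [ -r "$TNDLOG" ]; then wc -l < "$TNDLOG" | tr -d ' '; else echo 0; fi
}

# trace_transmission CMD [ARGS...]
# Runs CMD (the transmission being debugged) between two `tninfo -k`
# snapshots, then prints the statistics lines that changed and the lines
# the network daemon appended to its debug log while CMD ran.
# Returns 0 if anything changed, 1 if nothing did, 2 on a setup error.
trace_transmission() {
    tmp=$(mktemp -d) || return 2
    start=$(log_lines)
    if ! "$TNINFO" -k > "$tmp/before"; then rm -rf "$tmp"; return 2; fi
    "$@" || true                     # CMD is expected to fail; keep going
    if ! "$TNINFO" -k > "$tmp/after"; then rm -rf "$tmp"; return 2; fi

    changed=1
    echo "== tninfo -k lines that changed =="
    if ! diff "$tmp/before" "$tmp/after"; then changed=0; fi

    echo "== new lines in $TNDLOG =="
    if [ "$(log_lines)" -gt "$start" ]; then
        tail -n +"$((start + 1))" "$TNDLOG"
        changed=0
    fi
    rm -rf "$tmp"
    return $changed
}

# Usage (hypothetical host name):
#   trace_transmission ping hostb
```

A counter that rises across the reproduction points at the accreditation check to investigate; if nothing changes, the packet probably never reached this host's checks.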
To check TSIX transmissions, use tokmapd with the -d option (or tokmapctl -d) to create a log and choose an appropriate debugging level. Debugging data is written by default to the file /var/tsol/tokmapdlog. Use snoop(1M) to check that both source and destination can transmit tokens.