Network Monitoring and Maintenance
The following sections describe how to monitor and maintain your SunScreen.
Using the ssadm logdump Command
ssadm logdump is based on the Solaris snoop program and has similar characteristics. In addition to the packet information available with snoop, SunScreen's logging mechanisms add information such as the interface on which the packet was received and the reason that the packet was logged. Any filtering language operation that works in snoop will work in logdump.
For details about ssadm logdump, see Chapter 11, Logging and the ssadm-logdump man page.
To run ssadm logdump and display packets in a saved log file:
# ssadm logdump -i logfile |
Where log_file is a log file that is downloaded from the Screen.
Note -
Except for the differences detailed in Chapter 11, Logging, logdump uses the same filter language as the snoop(1m) program. Note also that logdump does not handle IPv6.
Using the ssadm debug_level Command
If you have access to the console on your SunScreen (through a serial line or directly connected keyboard and display), you can use the ssadm debug_level command to control the printing of command debugging information from the SunScreen kernel.
Typing ssadm debug_level with no arguments displays the current debug-level mask. By default, this mask is 1, which means it only reports significant errors.
If you specify a hex number as an argument for ssadm debug_level, the kernel debugging mask is set to that level. To get a list of debugging bit choices, type:
# ssadm debug_level ? |
You select a ssadm debug_level mask by setting all of the debugging bits in which you are interested.
Probably the most useful of the ssadm debug_level debugging bit is DEFAULT_DROP. For example, if you type:
# ssadm debug_level 1001 |
any packets being dropped by SunScreen because they do not match any rule are reported. This is a quick way to see if the SunScreen is passing packets that you expect it to pass. You can also achieve this same result by setting the default action on the interface to LOG_SUMMARY or LOG_DETAIL and examine the logs.
Another useful debugging bit to set is STATE_CHANGE. This causes the kernel to report any additions or deletions from its internal state tables.
Some of the debugging bits produce a very large amount of output on a production Screen and should be used with caution. An example is ACTION, which reports execution of any PFL action.
TIP: it is often useful to employ a pair of ssadm debug_levelcommands, separated by the Solaris sleep(1) command, especially for levels which generate large amounts of output:
# ssadm debug_level Current debug level is: 00000001<> # ssadm debug_level 1c01 ; sleep 30 ; ssadm debug_level 1 |
This would ensure that only 30 seconds of debug would be logged. This also avoids the mistake of leaving debugging enabled by accident.
Gathering Information From Your System to Report Support Issues
If you have any support issues, call your authorized service provider. For further information about support, use the following URL to contact Enterprise Services: http://www.sun.com/service/support/index.html.
For the most efficient help, first gather information describing your configuration. This information can be collected by saving the output of the following SunScreen support command. You invoke these commands to gather information that is useful in troubleshooting through the ssadm lib/support command.
The support command has the form: ssadm [ -r Screen_Name ] lib/support function parameters...
- © 2010, Oracle Corporation and/or its affiliates