Network Mémos: debug

Showing posts with label debug. Show all posts

Monday, October 13, 2014

Command Line Tricks for HP Procurve Switchs

Below some helpful commands.

Display logs or debug on current session:

terminal monitor (Cisco)
debug destination session (HP Procurve)

By default HP Procurve switch don't display packets drops by queue. You can enable the monitoring only on 1 interface with the command below:

qos watch-queue xx out (where XX is the interface you want to monitor)

Obtain 'show tech':

copy command-output "show tech all" sftp user ftpuser 10.10.10.10 show-tech.txt

Filter a 'show runnning' command:

Like Cisco, it's possible to use '|' after the 'show running'

Switch# show running-config | include router

ip router-id 1.1.1.1

router ospf

router vrrp

Switch# show running-config | begin router

ip router-id 1.1.3.1

Friday, March 21, 2014

Troubleshoot OSPF neighbors (Hellos check)

In order to become neighbors, routers perform several checks. If this check fails, we have to troubleshoot and find the cause of this issue. You will find below several examples of neighbor failed. I have added logs messages and debug messages in order to easily find the cause.

Area mismatch:

Authentication key mismatch:

Duplicate Router-id:

Subnet/mask Mismatch:

Area Type Mismatch:

Tuesday, October 15, 2013

Find the plain text authentication of a peer RIP router

Followings commands can be useful if you need to use authenticated 'RIP updates' between 2 routers and whether you don't have access to the peer (you don't know the authentication message used by the peer). If it's a clear text, you can use the following debug:

access-list 100 permit udp any any eq rip
debug ip packet 100 dump

Normally, the password will appear in a clear text as below:

*Sep 4 17:27:54.815: IP: s=10.10.10.2 (FastEthernet/1), d=224.0.0.9, len 72, input feature
AC43C9C0: 0100 5E000009 AABBCC00 07030800 ..^...*;L.....
AC43C9D0: 45C00048 00000000 0111C4D0 0A0A0A02 E@.H......DP....
AC43C9E0: E0000009 02080208 003453BE 02020000 `........4S>....
AC43C9F0: FFFF0002 54455354 00000000 00000000 ....TEST........
AC43CA00: 00000000 00020000 0A010100 FFFFFF00 ................
AC43CA10: 00000000 00000001 ........
Router#, MCI Check(68), rtype 0, forus FALSE, sendself FALSE, mtu 0

Saturday, October 12, 2013

Track and modify a route with EEM!

This script EEM aims to add or delete a static ip route. Each 10 seconds a ping is sent to a host. If this ping fails a static route is deleted. If this host responds, a route is added. If this host responds and if the route is already in the routing table, no change is done.

event manager applet Route_redisribute
event tag 1.0 timer watchdog time 10
action 001 cli command "enable"
action 002 cli command "ping 10.1.37.3"
action 003 regexp "!!" "$_cli_result"
action 004 if $_regexp_result eq 1
action 005 cli command "show ip route static"
action 006 regexp "10.12.37.0/24" "$_cli_result"
action 007 if $_regexp_result ne 1
action 008 cli command "conf t"
action 009 cli command "ip route 10.12.37.0 255.255.255.0 10.1.37.8 tag 100"
action 010 end
action 011 else
action 012 continue
action 013 else
action 014 cli command "conf t"
action 015 cli command "no ip route 10.12.37.0 255.255.255.0 10.1.37.8 tag 100"
action 016 end
!
end

In order to debug this script, the following command is helpful:
debug event manager action cli

Friday, March 18, 2011

Debug firewall ISG

Faire un snoop sur un firewall juniper et récupérer les traces au format pcap est plutôt sympa. Cependant quand seulement le premier paquet (d'une session, càd le SYN) est récupéré dans le buffer du debug car les autres sont traités en ASICs, c'est moins facile pour investiguer. Par chance quelques commandes permettent d'éviter le passage en ASICs.

Il est conseillé d'activer des filtres si vous ne voulez pas être pollué ou pire (crash cpu)! Je ne détail les différents filtres, ils sont disponible dans le menu:
snoop filter XXXXX
Lancement du snoop en mode détail:
snoop detail
snoop
La commande magique qui permet de faire transiter les paquets dans la CPU a été appliquée au préalable sur une policy:
set policy id 3
set no-hw-sess
surtout ne pas oublier de désactiver cette commande une fois les traces prises.
Pour visualiser les flux il existe deux possibilités:
En direct sur la console par la commande: get db stream
Ou après transformation au format pcap et une lecture via un client wireshark sur votre poste. Pour se faire il faut récupérer les traces via TFTP:
get db stream > tftp XXX.XXX.XXX.XXX traces.pcap