Supported Platforms
Troubleshooting Security Policies
Synchronizing Policies Between Routing Engine and Packet Forwarding Engine
Problem
Description: Security policies are stored in both the Routing Engine and the Packet Forwarding Engine. After you modify a policy, you commit the configuration on the Routing Engine, and it is synchronized to the Packet Forwarding Engine.
Environment: The policies in the Routing Engine and Packet Forwarding Engine must be in sync for the configuration to be committed. However, under certain circumstances, policies in the Routing Engine and the Packet Forwarding Engine might be out of sync, which causes the commit to fail.
Symptoms: The following error message appears if you attempt to commit a configuration when the policies in the Routing Engine and Packet Forwarding Engine are out of sync: Policy is out of sync between RE and PFE <SPU-name(s)> Please resync before commit.
Solution
Synchronize the policies as follows:
- Reboot the device (standalone)
- Reboot the devices (chassis cluster)
Checking a Security Policy Commit Failure
Problem
Description: Most policy configuration failures occur during a commit or runtime.
Commit failures are reported directly on the CLI when you execute the CLI command commit-check in configuration mode. These errors are configuration errors, and you cannot commit the configuration without fixing these errors.
Solution
To fix these errors, do the following:
- Review your configuration data.
- Open the file /var/log/nsd_chk_only. This file is overwritten each time you perform a commit check and contains detailed failure information.
Verifying a Security Policy Commit
Problem
Description: Upon performing a policy configuration commit, if you notice that the system behavior is incorrect, use the following steps to troubleshoot this problem:
Solution
- Operational show Commands—Execute the operational commands for security policies and verify that the information shown in the output is consistent with what you expected. If not, the configuration needs to be changed appropriately.
- Traceoptions—Set the traceoptions command
in your policy configuration. The flags under this hierarchy can be
selected as per user analysis of the show command output.
If you cannot determine what flag to use, the flag option all can be used to capture all trace logs. user@host# set security policies traceoptions <flag all>
You can also configure an optional filename to capture the logs.
If you specified a filename in the trace options, you can look in the /var/log/<filename> for the log file to ascertain if any errors were reported in the file. (If you did not specify a filename, the default filename is eventd.) The error messages indicate the place of failure and the appropriate reason.
After configuring the trace options, you must recommit the configuration change that caused the incorrect system behavior.
Debugging Policy Lookup
Problem
Description: When you have the correct configuration, but some traffic was incorrectly dropped or permitted, you can enable the lookup flag in the security policies traceoptions. The lookup flag logs the lookup related traces in the trace file.
