
Tracing IPsec Operations

Trace operations track IPsec events and record them in a log file in the /var/log directory. By default, this file is named /var/log/kmd.

To trace IPsec operations, include the traceoptions statement at the [edit services ipsec-vpn] hierarchy level:

[edit services ipsec-vpn]
traceoptions {
    file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;
    flag flag;
    level level;
    no-remote-trace;
}

You can specify the following IPsec tracing flags:

  • all—Trace everything.
  • certificates—Trace certificate events.
  • database—Trace security associations database events.
  • general—Trace general events.
  • ike—Trace IKE module processing.
  • parse—Trace configuration processing.
  • policy-manager—Trace policy manager processing.
  • routing-socket—Trace routing socket messages.
  • snmp—Trace SNMP operations.
  • timer—Trace internal timer events.

The level statement sets the key management process (kmd) tracing level. The following values are supported:

  • all—Match all levels.
  • error—Match error conditions.
  • info—Match informational messages.
  • notice—Match conditions that should be handled specially.
  • verbose—Match verbose messages.
  • warning—Match warning messages.

Disabling IPsec Tunnel Endpoint in Traceroute

If you include the no-ipsec-tunnel-in-traceroute statement at the [edit services ipsec-vpn] hierarchy level, the IPsec tunnel is not treated as a next hop and TTL is not decremented. Also, if the TTL reaches zero, an ICMP time exceeded message is not generated.

[edit services ipsec-vpn]
no-ipsec-tunnel-in-traceroute;

Note: This functionality is also provided by the passive-mode-tunneling statement described in Configuring IPsec Service Sets. You can use the no-ipsec-tunnel-in-traceroute statement in specific scenarios in which the IPsec tunnel should not be treated as a next hop and passive mode is not desired.

Tracing IPsec PKI Operations

Trace operations track IPsec PKI events and record them in a log file in the /var/log directory. By default, this file is named /var/log/pkid.

To trace IPsec PKI operations, include the traceoptions statement at the [edit security pki] hierarchy level:

[edit security pki]
traceoptions {
    file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
    flag flag (all | certificate-verification | enrollment | online-crl-check);
}

You can specify the following PKI tracing flags:

  • all—Trace everything.
  • certificate-verification—Trace certificate verification events.
  • enrollment—Trace certificate enrollment events.
  • online-crl-check—Trace online CRL check events.
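As an added example (not from the original page), the following combines the kmd and pkid traceoptions statements described in the two tracing sections above into one working configuration. The trace files are bounded with files and size so a verbose trace cannot fill /var/log, and no-world-readable is chosen because IKE and PKI traces can record peer identities and negotiation details that unprivileged local users should not be able to read. The file names kmd-ike-trace and pki-trace are assumed.

```junos
/* Assumed file names: kmd-ike-trace and pki-trace (not from the page). */
/* world-readable would let any local user read these traces; keep no-world-readable. */
[edit services ipsec-vpn]
traceoptions {
    file kmd-ike-trace files 5 size 1m no-world-readable;
    flag ike;
    flag database;
    level error;
}

[edit security pki]
traceoptions {
    file pki-trace files 5 size 1m no-world-readable;
    flag certificate-verification;
    flag online-crl-check;
}

/* Equivalent set-style commands for the same configuration. */
set services ipsec-vpn traceoptions file kmd-ike-trace files 5 size 1m no-world-readable
set services ipsec-vpn traceoptions flag ike
set services ipsec-vpn traceoptions flag database
set services ipsec-vpn traceoptions level error
set security pki traceoptions file pki-trace files 5 size 1m no-world-readable
set security pki traceoptions flag certificate-verification
set security pki traceoptions flag online-crl-check
```

After committing, the resulting traces can be read with show log kmd-ike-trace and show log pki-trace; switch level back from verbose to error once the troubleshooting is done so the files stay small and contain as little negotiation detail as possible.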

Published: 2012-11-27
