Operational Commands to Troubleshoot SSL Sessions
In the CLI, operational-mode commands provide information that helps with troubleshooting. Use the show commands to read and analyze the statistical counters and metrics related to any traffic loss and to take the appropriate corrective action. This topic covers the operational-mode commands for monitoring, displaying, and verifying SSL sessions, certificates, and SSL proxy state.
Displaying Active SSL Sessions
Purpose
Display information about all the active SSL sessions on the device.
Action
Use the show security flow session ssl command.
user@host >
show security flow session ssl
Output:
Session ID: 1, Policy name: default-permit/5, Timeout: 1746, Valid
In: 4.0.0.1/37369 --> 5.0.0.1/4433;tcp, Conn Tag: 0x0, If: xe-0/0/0.0, Pkts: 6, Bytes: 671,
Out: 5.0.0.1/4433 --> 4.0.0.1/37369;tcp, Conn Tag: 0x0, If: xe-0/0/1.0, Pkts: 7, Bytes: 1635,
Meaning
The output shows the standard flow information for each SSL session: the session ID, the timeout value, the direction of each flow, the source and destination addresses and ports, the IP protocol, and the interfaces used. In the sample:
The policy that allowed this traffic is default-permit.
The current session timeout (1746).
The source and destination IP addresses with their respective ports.
The IP protocol (tcp).
The ingress interface (xe-0/0/0.0) and egress interface (xe-0/0/1.0) for the session.
For details about the output fields of the command, see show security flow session ssl.
Displaying Active SSL Sessions Details
Purpose
Display detail information about the active SSL sessions on the device.
Action
From the operational mode, use the show security flow session extensive ssl command.
user@host >
show security flow session extensive ssl
Output:
Session ID: 1, Status: Normal
Flags: 0x42/0x20000000/0x2/0x10103
Policy name: 1/5
Source NAT pool: Null
Dynamic application: junos:UNKNOWN,
Encryption: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 1800, Current timeout: 1636
Session State: Valid
Start time: 587131, Duration: 163
In: 4.0.0.1/37369 --> 5.0.0.1/4433;tcp,
Conn Tag: 0x0, Interface: xe-0/0/0.0,
Session token: 0x7, Flag: 0x2621
Route: 0xa0010, Gateway: 4.0.0.1, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 6, Bytes: 671
Out: 5.0.0.1/4433 --> 4.0.0.1/37369;tcp,
Conn Tag: 0x0, Interface: xe-0/0/1.0,
Session token: 0x8, Flag: 0x2620
Route: 0xb0010, Gateway: 5.0.0.1, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 7, Bytes: 1635
Total sessions: 1
Meaning
The output of the command displays extensive information about all active SSL sessions on the device.
The display includes the session ID, the source NAT pool (if source NAT is used), the maximum and current timeout values for the session, the session start time and how long the session has been active, the direction of each flow, the source address and port, the destination address and port, the IP protocol, and the interface used for the session. In the sample:
The policy that allowed this traffic (shown here by ID as 1/5).
The maximum timeout (1800) and current timeout (1636) values.
The IP protocol (tcp).
The ingress interface (xe-0/0/0.0) and egress interface (xe-0/0/1.0) for the session.
The next-hop gateway IP address for each direction.
AppQoS (application traffic control) rule-set details; INVALID here means that no rule set was applied to the session.
For details about the output fields of the command, see show security flow session.
Displaying Specific SSL Session Details
Purpose
Display information about the specific SSL session.
Action
Use the show services ssl session 56 command.
user@host >
show services ssl session 56
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
Session ID : 56
Connection Type : PROXY
SSL Profile : SSL_PROFILE
Resumed Session : No
One-crypto : Disabled
Async-crypto : Enabled
Renegotiation count : 0
Server Certificate Subject Name : /C=IN/ST=KA/L=BNG/O=JN/OU=XYZ/CN=server/emailAddress=ser
Server Cert verification status : OK
CRL check : Enabled
Action : Allow
SSL_T Details :
Key size : 2048
cipher : ECDHE-RSA-AES256-GCM-SHA384
TLS version : 1.2
SSL_I Details :
Key size : 2048
Cipher : ECDHE-RSA-AES256-GCM-SHA384
TLS version : 1.2
Meaning
The output gives detailed information about the specified SSL session, including:
Session ID, connection type (PROXY) and the SSL profile used for the session.
Whether the session was resumed, the One-crypto and Async-crypto status, and the renegotiation count.
Server certificate subject name and verification status.
CRL check status and the resulting action.
Key size, cipher suite and TLS version negotiated on the termination side (SSL_T, between the client and the proxy) and on the initiation side (SSL_I, between the proxy and the server).
For details about the output fields of the command, see show services ssl session.
Display SSL Certificates
Purpose
Display the digital certificates available on the device.
Action
From the operational mode, use the show services ssl certificate all command.
user@host >
show services ssl certificate all
Lsys Name : root-logical-system
PIC:fwdd0 fpc[0] pic[0] ------
CertId
-----------------------------
ssl-inspect-ca
ssl-cert-4k
Meaning
Displays the IDs of all SSL certificates loaded on the device. SSL sessions use these certificates to establish secure communication between a client and a server.
For details about the output fields of the command, see show services ssl certificate.
Display SSL Certificate Information
Purpose
Display brief information about the SSL certificate.
Action
From the operational mode, use the show services ssl certificate brief certificate-id certificate-identifier command. The following samples show the command output for a CA certificate and for a local certificate.
user@host >
show services ssl certificate brief certificate-id trusted-ca
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
CertID : trusted-ca
Certificate Type : CA-CERT
Issuer : /C=IN/ST=KA/L=BNG/O=XYZ/OU=ABC/CN=5.0.0.1/emailAddress=newca@test.com
Subject : /C=IN/ST=KA/L=BNG/O=XYZ/OU=ABC/CN=5.0.0.1/emailAddress=newca@test.com
Public Key algorithm : rsaEncryption
user@host >
show services ssl certificate brief certificate-id ssl-inspect-ca
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
CertID : ssl-inspect-ca
Certificate Type : LOCAL-CERT
Issuer : /DC=dc/CN=xyz.com/OU=IT/O=abc/L=bng/ST=KA/C=IN
Subject : /DC=dc/CN=xyz.com/OU=IT/O=abc/L=bng/ST=KA/C=IN
Validity :
Not before : Mon 02/18/2019 07:30:37 AM
Not after : Sat 02/17/2024 07:30:37 AM
Public Key algorithm : rsaEncryption
Meaning
Displays details about the certificate, including the certificate ID, type, issuer, subject and public key algorithm. The Certificate Type field shows either CA-CERT or LOCAL-CERT. A CA-CERT is a certificate authority's certificate, loaded so that the device can verify certificates that the CA has issued; a LOCAL-CERT is a certificate for which the device holds the private key, such as the root CA certificate that the SSL proxy uses to sign interdicted certificates (ssl-inspect-ca here). A local certificate can be self-signed, as ssl-inspect-ca is in this sample (its Issuer and Subject are identical), or issued by an enterprise CA.
Note that the output of the commands vary depending on the type of certificate.
For details about the output fields of the command, see show services ssl certificate.
Display SSL Certificate Details
Purpose
Display detail information about the SSL certificate.
Action
From the operational mode, use the show services ssl certificate detail certificate-id certificate-identifier command.
user@host >
show services ssl certificate detail certificate-id ssl-inspect-ca
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
CertID : ssl-inspect-ca
Certificate Type : LOCAL-CERT
cert modify time : Mon 02/18/2019 07:30:37 AM
key modify time : Mon 02/18/2019 07:30:23 AM
certificate version : 3
serial number : 72 a4 a8 12 0e a0 da 5f ee 27 47 d8 19 7c 76 b5
Issuer : /DC=dc/CN=xyz.com/OU=IT/O=xyz/L=blr/ST=KA/C=IN
Subject : /DC=dc/CN=xyz.com/OU=IT/O=xyz/L=blr/ST=KA/C=IN
Validity :
Not before : Mon 02/18/2019 07:30:37 AM
Not after : Sat 02/17/2024 07:30:37 AM
Public Key algorithm : rsaEncryption
Signature Algorithm : sha256WithRSAEncryption
user@host >
show services ssl certificate detail certificate-id test
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
CertID : test
Certificate Type : CA-CERT
cert modify time : Mon 09/02/2019 09:47:48 PM
certificate version : 1
serial number : 21 a8 d6 00 eb 24 1f 78 9a e5 0e ec 6a 39 ce 65 66 42 8c 0a
Issuer : /C=IN/ST=KA/L=BLR/O=XYZ/OU=ABC/CN=5.0.0.1/emailAddress=newca@test.com
Subject : /C=IN/ST=KA/L=BLR/O=XYZ/OU=ABC/CN=5.0.0.1/emailAddress=newca@test.com
Public Key algorithm : rsaEncryption
Signature Algorithm : sha256WithRSAEncryption
CRL :
present : no
check : enabled
download-failed : true
check-on-download-fail : enabled
Meaning
Displays details about the certificate, including the certificate ID, type, last-modified times, version, serial number, issuer, subject, validity period, public key algorithm and signature algorithm. In the samples:
Type of the certificate. The Certificate Type field shows either CA-CERT or LOCAL-CERT: a CA-CERT is a certificate authority's certificate, loaded so that the device can verify certificates that the CA issued; a LOCAL-CERT is a certificate for which the device holds the private key (ssl-inspect-ca here is self-signed, as its identical Issuer and Subject show).
Subject and issuer of the certificate.
Certificate validity from-date and to-date.
Public key algorithm used.
Algorithm used by the certificate authority to sign the certificate.
CRL status (CA certificates only). In the sample, present : no together with download-failed : true means that no CRL is loaded for this CA, so revocation cannot be checked for certificates it issued even though check is enabled; repair the CRL download before relying on revocation checks.
For details about the output fields of the command, see show services ssl certificate.
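As an added example (not part of the Junos documentation or of the device's own tooling), the following Python script parses the show services ssl certificate detail output shown above, as captured from the CLI, and runs the checks a practitioner otherwise does by eye: expiry against a reference date, self-signed status from Issuer and Subject, weak signature algorithms, and a CRL check that is enabled while no CRL is loaded. The two sample texts are constructed from the outputs on this page; the date format string and the 30-day expiry warning are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed samples: the two "show services ssl certificate detail" outputs on this page.
LOCAL_CERT_OUTPUT = """\
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
CertID : ssl-inspect-ca
Certificate Type : LOCAL-CERT
cert modify time : Mon 02/18/2019 07:30:37 AM
key modify time : Mon 02/18/2019 07:30:23 AM
certificate version : 3
serial number : 72 a4 a8 12 0e a0 da 5f ee 27 47 d8 19 7c 76 b5
Issuer : /DC=dc/CN=xyz.com/OU=IT/O=xyz/L=blr/ST=KA/C=IN
Subject : /DC=dc/CN=xyz.com/OU=IT/O=xyz/L=blr/ST=KA/C=IN
Validity :
Not before : Mon 02/18/2019 07:30:37 AM
Not after : Sat 02/17/2024 07:30:37 AM
Public Key algorithm : rsaEncryption
Signature Algorithm : sha256WithRSAEncryption
"""

CA_CERT_OUTPUT = """\
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
CertID : test
Certificate Type : CA-CERT
cert modify time : Mon 09/02/2019 09:47:48 PM
certificate version : 1
serial number : 21 a8 d6 00 eb 24 1f 78 9a e5 0e ec 6a 39 ce 65 66 42 8c 0a
Issuer : /C=IN/ST=KA/L=BLR/O=XYZ/OU=ABC/CN=5.0.0.1/emailAddress=newca@test.com
Subject : /C=IN/ST=KA/L=BLR/O=XYZ/OU=ABC/CN=5.0.0.1/emailAddress=newca@test.com
Public Key algorithm : rsaEncryption
Signature Algorithm : sha256WithRSAEncryption
CRL :
present : no
check : enabled
download-failed : true
check-on-download-fail : enabled
"""

# Assumed date format, matching "Mon 02/18/2019 07:30:37 AM" in the sample output.
DATE_FORMAT = "%a %m/%d/%Y %I:%M:%S %p"
WEAK_SIGNATURE_PREFIXES = ("md2", "md5", "sha1")


def parse_certificate_detail(text):
    """Turn the 'key : value' lines into a dict; CRL sub-fields go under cert['crl']."""
    cert = {"crl": {}}
    in_crl = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Lsys Name", "PIC:")):
            continue
        if line == "CRL :":
            in_crl = True            # every following line belongs to the CRL block
            continue
        if " : " not in line:        # section headers such as "Validity :"
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        (cert["crl"] if in_crl else cert)[key] = value
    return cert


def audit_certificate(cert, now, warn_days=30):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    not_after = cert.get("Not after")
    if not_after:
        expiry = datetime.strptime(not_after, DATE_FORMAT)
        if expiry <= now:
            findings.append("expired on %s" % expiry.date())
        elif expiry - now < timedelta(days=warn_days):
            findings.append("expires within %d days" % warn_days)
    if cert.get("Issuer") == cert.get("Subject"):
        findings.append("self-signed (issuer == subject)")
    signature = cert.get("Signature Algorithm", "")
    if signature.lower().startswith(WEAK_SIGNATURE_PREFIXES):
        findings.append("weak signature algorithm " + signature)
    crl = cert["crl"]
    if crl.get("check") == "enabled" and crl.get("present") == "no":
        detail = " (download failed)" if crl.get("download-failed") == "true" else ""
        findings.append("CRL check enabled but no CRL loaded" + detail)
    return findings


def audit_output(text, now_iso):
    """Parse one command output and audit it as of now_iso (for example '2023-01-01')."""
    cert = parse_certificate_detail(text)
    return cert["CertID"], audit_certificate(cert, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for output in (LOCAL_CERT_OUTPUT, CA_CERT_OUTPUT):
        print(audit_output(output, datetime.now().date().isoformat()))
```

Feed the script the output of the same command for every certificate listed by show services ssl certificate all; a CA certificate that reports "CRL check enabled but no CRL loaded" is the usual explanation when the crl : no crl info present counter climbs in the proxy counters.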
SSL Proxy Counters All
Purpose
Display all the statistical counters for the SSL proxy sessions.
Action
From the operational mode, use the show services ssl proxy counters all command.
user@host >
show services ssl proxy counters all
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
session create failed 0
non SSL sessions recieved 0
Memory failures 0
session dropped 0
sessions matched 0
sessions created 0
sessions destroyed 0
sessions ignored 0
sessions ignored : backup only 0
sessions whitelisted : IP based 0
sessions whitelisted : url based 0
crl : data added 0
crl : certificate revoked 0
crl : no crl info present 0
crl : no CA certificate 0
SSL sessions 0
SMTP over STARTTLS 0
IMAP over STARTTLS 0
POP3 over STARTTLS 0
SMTP sessions 0
IMAP sessions 0
POP3 sessions 0
Server not supporting STARTTLS 0
Client not supporting STARTTLS 0
Unified policy : default profile hit 0
Unified policy : no default profile 0
Meaning
The output displays the counters related to SSL proxy sessions. These counters increment whenever there is activity such as a session being matched, created, ignored or dropped. They include:
Counts of sessions created, matched, ignored and destroyed.
Number of sessions allowlisted based on IP address and on URL category.
CRL-related counts: CRL data added, certificates found revoked, no CRL information present, and no CA certificate present.
Number of sessions that matched the default SSL proxy profile in a unified policy.
Number of sessions dropped because no default SSL proxy profile was configured.
For details about the output fields of the command, see show services ssl proxy counters.
SSL Proxy Counters Information
Purpose
Display statistical counters for the SSL proxy session to provide information about the sessions.
Action
From the operational mode, use the show services ssl proxy counters info command.
user@host >
show services ssl proxy counters info
Lsys Name : root-logical-system
PIC:fpc0 ------
sessions matched 0
sessions created 0
sessions destroyed 0
sessions ignored 0
sessions ignored : backup only 0
sessions whitelisted : IP based 0
sessions whitelisted : url based 0
crl : data added 1
crl : certificate revoked 0
crl : no crl info present 0
crl : no CA certificate 0
SSL sessions 0
SMTP over STARTTLS 0
IMAP over STARTTLS 0
POP3 over STARTTLS 0
SMTP sessions 0
IMAP sessions 0
POP3 sessions 0
Server not supporting STARTTLS 0
Client not supporting STARTTLS 0
Unified policy : default profile hit 0
Unified policy : no default profile 0
Meaning
The output displays the session counters related to SSL proxy sessions. These counters increment whenever there is activity such as a session being matched, created or ignored. They include:
Counts of sessions created, matched, ignored and destroyed.
Number of sessions allowlisted based on IP address and on URL category.
CRL-related counts: CRL data added, certificates found revoked, no CRL information present, and no CA certificate present.
Number of sessions that matched the default SSL proxy profile in a unified policy.
Number of sessions dropped because no default SSL proxy profile was configured.
For details about the output fields of the command, see show services ssl proxy counters.
SSL Proxy Counters Errors
Purpose
Display statistical counters for the errors encountered in SSL proxy session.
Action
From the operational mode, use the show services ssl proxy counters errors command.
user@host >
show services ssl proxy counters errors
Lsys Name : root-logical-system
PIC:fpc0 ------
Session create failed 0
non SSL sessions received 0
memory failures 0
session dropped 7
Meaning
The output displays the error counters for SSL proxy sessions:
Number of sessions that failed to be created.
Number of non-SSL sessions received on the system.
Number of memory allocation failures.
Number of dropped sessions (7 in the sample).
For details about the output fields of the command, see show services ssl proxy counters.
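Counter values are only meaningful as deltas between two captures. The following Python example, added here and not part of the Junos documentation, parses the name-value counter lines printed by show services ssl proxy counters (the all, info and errors variants print the same line format) and reports which failure counters rose between two snapshots, together with the drop rate over the interval. The two snapshots are constructed and abbreviated for the example; the set of counters treated as alerts is an editorial choice, not a Junos definition.

```python
import re

# One counter per line with the value at the end: "session dropped 7", "crl : no CA certificate 0".
COUNTER_LINE = re.compile(r"^(?P<name>\S.*?)\s+(?P<value>\d+)$")

# Counters whose increase means sessions failed or were dropped by policy.
# Editorial choice for this example, using the names printed in the sample output.
ALERT_COUNTERS = (
    "session create failed",
    "Memory failures",
    "session dropped",
    "crl : certificate revoked",
    "crl : no CA certificate",
    "Unified policy : no default profile",
)

# Constructed, abbreviated snapshots of "show services ssl proxy counters all":
# a baseline capture and a second capture taken some time later.
SNAPSHOT_BEFORE = """\
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
session create failed 0
non SSL sessions received 0
Memory failures 0
session dropped 0
sessions matched 0
sessions created 0
sessions destroyed 0
sessions ignored 0
sessions whitelisted : IP based 0
crl : data added 0
crl : certificate revoked 0
crl : no CA certificate 0
SSL sessions 0
Unified policy : default profile hit 0
Unified policy : no default profile 0
"""

SNAPSHOT_AFTER = """\
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
session create failed 0
non SSL sessions received 5
Memory failures 0
session dropped 2
sessions matched 40
sessions created 38
sessions destroyed 30
sessions ignored 3
sessions whitelisted : IP based 1
crl : data added 1
crl : certificate revoked 0
crl : no CA certificate 2
SSL sessions 38
Unified policy : default profile hit 0
Unified policy : no default profile 2
"""


def parse_counters(text):
    """Map counter name -> integer value; Lsys/PIC header lines are skipped."""
    counters = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("Lsys", "PIC")):
            continue
        match = COUNTER_LINE.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def counter_deltas(before, after):
    """Per-counter change between two snapshots; counters absent from 'before' start at 0."""
    return {name: value - before.get(name, 0) for name, value in after.items()}


def alerts(before, after):
    """Alert counters that increased, with the size of the increase."""
    deltas = counter_deltas(before, after)
    return {name: deltas[name] for name in ALERT_COUNTERS if deltas.get(name, 0) > 0}


def drop_rate(before, after):
    """Fraction of newly matched sessions that were dropped (0.0 when nothing matched)."""
    deltas = counter_deltas(before, after)
    matched = deltas.get("sessions matched", 0)
    return deltas.get("session dropped", 0) / matched if matched else 0.0


if __name__ == "__main__":
    before, after = parse_counters(SNAPSHOT_BEFORE), parse_counters(SNAPSHOT_AFTER)
    print("alerts:", alerts(before, after))
    print("drop rate: %.3f" % drop_rate(before, after))
```

In the constructed interval the two drops coincide with two sessions that hit a unified policy without a default SSL proxy profile and two sessions whose issuing CA was missing, which is the kind of correlation that a single snapshot of absolute values hides.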
Display SSL Proxy Profile Details
Purpose
Display information about the SSL proxy profile.
Action
From the operational mode, use the show services ssl proxy profile profile-name command.
user@host >
show services ssl proxy profile profile-name
Lsys Name : root-logical-system
PIC:fwdd0 fpc[0] pic[0] ------
Profile: ssl-proxy
enable-tracing: false
root-ca expired: false
allow non-ssl session: true
ssl-termination-id: 65537
ssl-initiation-id: 65537
Number of whitelist entries: 0
Meaning
The output displays the details of the SSL proxy profile:
The number of allowlist entries configured in the profile.
Whether non-SSL sessions are allowed.
Whether the root CA certificate has expired.
The IDs of the SSL termination and SSL initiation profiles that this proxy profile uses.
For details about the output fields of the command, see show services ssl proxy profile.
Display SSL Proxy Profiles
Purpose
Display all the SSL proxy profiles configured on the device.
Action
From the operational mode, use the show services ssl proxy profile all command.
user@host >
show services ssl proxy profile all
Lsys Name : root-logical-system
PIC:fwdd0 fpc[0] pic[0] ------
ID Name
10 p1
11 p2
Meaning
The output displays the list of SSL proxy profiles available on the device.
For details about the output fields of the command, see show services ssl proxy profile.
Display SSL Proxy Session Cache Statistics
Purpose
Display the data for the SSL proxy session cache.
Action
From the operational mode, use the show services ssl proxy session-cache statistics command.
user@host >
show services ssl proxy session-cache statistics
Lsys Name : root-logical-system
PIC: fpc0 fpc[0] pic[0]------------
Session cache hit : 0
Session cache miss : 0
Session cache full : 0
Meaning
The output displays SSL proxy session cache statistics: the number of times a session was found in the cache (hit), the number of times it was not found (miss), and the number of times the cache was already full when an entry needed to be added.
For details about the output fields of the command, see show services ssl proxy session-cache statistics.
Display SSL Proxy Session Cache Summary
Purpose
Display brief information about the entries stored in the SSL proxy session cache.
Action
From the operational mode, use the show services ssl proxy session-cache entries summary command.
user@host >
show services ssl proxy session-cache entries summary
Lsys Name : root-logical-system
PIC:fwdd0 fpc[0] pic[0] ------
Hash Entry 1
Status: ACTIVE, Time to expire 294 seconds
Session Id Length: 32
Session Id: 1b 2a 9f 5f d8 6e d2 cd 6b b8 89 e8 88 07 75 80 32 c2 54 5a c7 9b 12 a2 e6 5c f0 6d 85 c5 40 4b
Dst IP: 5.0.0.1, Dst Port: 20753
SSL-T Profile Id: 2, SSL-I Profile Id: 2
Meaning
The output displays the SSL proxy session cache entries: the status of each entry and its time to expire, the session ID and its length, the destination IP address and port, and the SSL termination and SSL initiation profile IDs.
For details about the output fields of the command, see show services ssl proxy session-cache entries.
Display SSL Proxy Session Cache Details
Purpose
Display detail information about the entries stored in the SSL proxy session cache.
Action
From the operational mode, use the show services ssl proxy session-cache entries detail command.
user@host>
show services ssl proxy session-cache entries detail
Lsys Name : root-logical-system
PIC: fpc0 fpc[0] pic[0]
Hash Entry: 1
Status: ACTIVE, Time to expire 294 seconds
Session Id Length: 32
Session Id: c1 6e 88 65 43 9f 57 2f 0f 06 f7 4b 03 c5 38 58 74 b4 4f 43 66 9a 6f c7 a6 2a ae 22 ab f8 b4 ce
Dst IP: 5.0.0.1, Dst Port: 4433
SSL-T Profile Id: 2, SSL-I Profile Id: 2
Session Info:
Interdicted cert type [0x0]: CA issued, Authentication failed
Server cert verification result: unable to get local issuer certificate [0x14]
Server name extn len: 0, name: None
Server cert chain hash: b5 3d cd cb ca 35 81 5a db 6f 83 ab 5e a0 19 73
SSL-TERM session:
SSL ver: 0x303
Compression Method: 0
Cipher Id: 0x3000004
Master Key Length: 48
SSL-INIT session:
SSL ver: 0x303
Compression Method: 0
Cipher Id: 0x3000004
Master Key Length: 48
Hash Entry:2
Status: EXPIRED
Session Id Length: 32
Session Id: 1b 2a 9f 5f d8 6e d2 cd 6b b8 89 e8 88 07 75 80 32 c2 54 5a c7 9b 12 a2 e6 5c f0 6d 85 c5 40 4b
Dst IP: 5.0.0.1, Dst Port: 4433,
SSL-T Profile Id: 2, SSL-I Profile Id: 2
Session Info:
-------------
Interdicted cert type [0x0]: CA issued, Authentication failed
Server cert verification result: unable to get local issuer certificate [0x14]
Server name extn len: 0, name: None
Server cert chain hash: b5 3d cd cb ca 35 81 5a db 6f 83 ab 5e a0 19 73
SSL-TERM session:
----------------
SSL ver: 0x303
Compression Method: 0
Cipher Id: 0x3000004
Master Key Length: 48
SSL-INIT session:
----------------
SSL ver: 0x303
Compression Method: 0
Cipher Id: 0x3000004
Master Key Length: 48
Stale entry in cache: 1
Meaning
The output displays the cached SSL proxy session entries in detail:
Status of the cache entry and its time to expire; cache entries are valid only for a short interval, and expired entries remain listed until they are purged (Stale entry in cache).
Session ID and length of the session ID.
Destination IP address and destination port.
SSL termination and SSL initiation session details (protocol version, compression method, cipher ID and master key length).
Server certificate verification result and interdicted certificate type. In the sample, both entries record unable to get local issuer certificate with the interdicted certificate marked Authentication failed: the proxy could not chain the server certificate to a trusted CA. Check that the issuing CA is loaded and trusted by the profile before treating such entries as normal.
For details about the output fields of the command, see show services ssl proxy session-cache entries.
Display SSL Proxy Certificate Cache Entry Statistics
Purpose
Display data for the SSL proxy certificate cache.
Action
From operational mode, use the show services ssl proxy certificate-cache statistics command.
user@host >
show services ssl proxy certificate-cache statistics
Lsys Name : root-logical-system
PIC:fwdd0 fpc[0] pic[0] ------
cert cache hit 0
cert cache miss 0
cert cache full
Meaning
The output displays SSL proxy certificate cache statistics: the number of times a certificate was found in the cache (hit), the number of times it was not found (miss), and the number of times the cache was full.
For details about the output fields of the command, see show services ssl proxy certificate-cache statistics.
Display SSL Proxy Certificate Cache Entry Summary
Purpose
Display brief information about the entries stored in the SSL proxy certificate cache.
Action
From operational mode, use the show services ssl proxy certificate-cache entries summary command.
user@host >
show services ssl proxy certificate-cache entries summary
Lsys Name : root-logical-system
PIC:fwdd0 fpc[0] pic[0] ------
Cache Entries : 1
Serial number : 0x12345678
SSL-I Profile Id: 1
Num of CRL updates: 0
Meaning
The output displays certificate cache summary information: the number of cache entries, the serial number of each cached certificate, the SSL initiation profile ID, and the number of CRL updates.
For details about the output fields of the command, see show services ssl proxy certificate-cache entries.
Display SSL Proxy Certificate Cache Entry Details
Purpose
Display detail information about the entries stored in the SSL proxy certificate cache.
Action
From operational mode, use the show services ssl proxy certificate-cache entries detail command.
user@host >
show services ssl proxy certificate-cache entries detail
Lsys Name : root-logical-system
PIC:fwdd0 fpc[0] pic[0] ------
Cache entrie : 1
Serial number : 0x12345678
SSL-I Profile Id: 1
Num of CRL updates: 0
Status: Active: Time to expire 570 seconds
Cert Info:
-------------
Interdicted cert type [0x0]: CA issued, Authentication failed
Server cert verification result: unable to get local issuer certificate [0x14]
Cert reference count: 2
Subject: /C=IN/ST=KA/O=XYZ Inc/CN=ABC Inc Root CA/emailAddress=newca@test.com
Issuer: /CN=SSL-PROXY:DUMMY_CERT:GENERATED DUE TO SRVR AUTH FAILURE
Meaning
The output gives detailed information about the cached SSL proxy certificate entries:
Number of entries present in the certificate cache.
Number of CRL updates applied before the interdicted certificate was added to the cache.
The cached interdicted certificate type and the server certificate verification result.
Subject and issuer of the interdicted certificate. In the sample the issuer is SSL-PROXY:DUMMY_CERT:GENERATED DUE TO SRVR AUTH FAILURE: the proxy could not verify the server certificate (unable to get local issuer certificate) and generated a placeholder certificate instead of one signed after a successful verification.
For details about the output fields of the command, see show services ssl proxy certificate-cache entries.
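To triage cache contents at scale, the following Python example (added here; not Junos code) parses the show services ssl proxy session-cache entries detail and show services ssl proxy certificate-cache entries detail outputs shown in the two sections above, which share the Interdicted cert type and Server cert verification result lines, and flags entries where server authentication failed, a placeholder certificate was generated, or a legacy protocol version or weak cipher was negotiated. It makes three assumptions: the SSL ver values are the standard TLS record-layer version numbers (0x303 is TLS 1.2); the bracketed verification code is OpenSSL's X509 verify result (0x14 is 20, unable to get local issuer certificate, which agrees with the text); and Cipher Id follows OpenSSL's 0x0300xxxx encoding in which the low 16 bits are the IANA cipher-suite number, so 0x3000004 maps to TLS_RSA_WITH_RC4_128_MD5. Confirm that last mapping against show services ssl session, which prints the cipher by name, before acting on it. The sample records are constructed and abbreviated from the outputs on this page.

```python
import re

# Standard TLS record-layer version numbers, as printed in the "SSL ver" field.
TLS_VERSIONS = {0x300: "SSLv3", 0x301: "TLS 1.0", 0x302: "TLS 1.1", 0x303: "TLS 1.2", 0x304: "TLS 1.3"}
# Assumption: "Cipher Id" uses OpenSSL's 0x0300xxxx encoding with the IANA suite number
# in the low 16 bits. Only a few suites are listed; unknown ones are reported as raw hex.
IANA_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "3DES", "NULL", "EXPORT")

ENTRY_START = re.compile(r"^(?=Hash Entry|Cache [Ee]ntr)", re.M)
STATUS = re.compile(r"Status:\s*(\w+)")
EXPIRES = re.compile(r"Time to expire (\d+) seconds")
DST = re.compile(r"Dst IP:\s*([\d.]+), Dst Port:\s*(\d+)")
SERIAL = re.compile(r"Serial number\s*:\s*(\S+)")
INTERDICTED = re.compile(r"Interdicted cert type \[0x[0-9a-fA-F]+\]:\s*(.+)")
# Result text plus the bracketed code, which matches OpenSSL's X509 verify codes (0 = OK).
VERIFIED = re.compile(r"Server cert verification result:\s*(.+?)\s*\[0x([0-9a-fA-F]+)\]")
ISSUER = re.compile(r"^Issuer:\s*(.+)$", re.M)
SIDE = re.compile(r"(SSL-TERM|SSL-INIT) session:(.*?)(?=SSL-(?:TERM|INIT) session:|Stale entry|\Z)", re.S)
VERSION = re.compile(r"SSL ver:\s*0x([0-9a-fA-F]+)")
CIPHER = re.compile(r"Cipher Id:\s*0x([0-9a-fA-F]+)")

# Constructed samples, abbreviated from the two outputs on this page.
SESSION_CACHE_OUTPUT = """\
Lsys Name : root-logical-system
PIC: fpc0 fpc[0] pic[0]
Hash Entry: 1
Status: ACTIVE, Time to expire 294 seconds
Dst IP: 5.0.0.1, Dst Port: 4433
Session Info:
Interdicted cert type [0x0]: CA issued, Authentication failed
Server cert verification result: unable to get local issuer certificate [0x14]
SSL-TERM session:
SSL ver: 0x303
Cipher Id: 0x3000004
SSL-INIT session:
----------------
SSL ver: 0x303
Cipher Id: 0x3000004
Stale entry in cache: 1
"""
CERT_CACHE_OUTPUT = """\
Cache entrie : 1
Serial number : 0x12345678
Status: Active: Time to expire 570 seconds
Cert Info:
Interdicted cert type [0x0]: CA issued, Authentication failed
Server cert verification result: unable to get local issuer certificate [0x14]
Issuer: /CN=SSL-PROXY:DUMMY_CERT:GENERATED DUE TO SRVR AUTH FAILURE
"""


def _first(pattern, text, default=None):
    match = pattern.search(text)
    return match.group(1) if match else default


def parse_cache_entries(text):
    # Split into Hash Entry / Cache entrie records; header text before the first one is dropped.
    entries = []
    for block in ENTRY_START.split(text):
        if not block.startswith(("Hash Entry", "Cache ")):
            continue
        verified = VERIFIED.search(block)
        dst = DST.search(block)
        entry = {
            "status": (_first(STATUS, block) or "").upper(),
            "expires_in": int(_first(EXPIRES, block, 0)),
            "dst": (dst.group(1), int(dst.group(2))) if dst else None,
            "serial": _first(SERIAL, block),
            "interdicted": _first(INTERDICTED, block, "").strip(),
            "verify_result": verified.group(1) if verified else "",
            "verify_code": int(verified.group(2), 16) if verified else 0,
            "issuer": _first(ISSUER, block, "").strip(),
            "sides": {},
        }
        for side, body in SIDE.findall(block):       # SSL-TERM (client side) and SSL-INIT (server side)
            version, cipher = _first(VERSION, body), _first(CIPHER, body)
            entry["sides"][side] = {
                "version": TLS_VERSIONS.get(int(version, 16), version) if version else None,
                "cipher": IANA_SUITES.get(int(cipher, 16) & 0xFFFF, "0x" + cipher) if cipher else None,
            }
        entries.append(entry)
    return entries


def flag_entry(entry):
    # Reasons a cached entry deserves attention; an empty list means nothing unusual.
    reasons = []
    if entry["verify_code"] != 0:
        reasons.append("server certificate not verified: " + entry["verify_result"])
    if "Authentication failed" in entry["interdicted"]:
        reasons.append("interdicted certificate generated despite failed server authentication")
    if "DUMMY_CERT" in entry["issuer"]:
        reasons.append("placeholder certificate issued after server authentication failure")
    for side, info in entry["sides"].items():
        if info["version"] in ("SSLv3", "TLS 1.0", "TLS 1.1"):
            reasons.append("%s negotiated %s" % (side, info["version"]))
        if info["cipher"] and any(marker in info["cipher"] for marker in WEAK_CIPHER_MARKERS):
            reasons.append("%s uses weak cipher %s" % (side, info["cipher"]))
    return reasons
```

Run parse_cache_entries over the saved output of either command and print flag_entry for each record; on the page's samples every entry is flagged for the failed server verification, and the session-cache entry is additionally flagged on both sides for the RC4/MD5 suite under the cipher-ID assumption stated above.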
Display SSL Proxy Status
Purpose
Display the status of the SSL proxy session.
Action
From operational mode, use the show services ssl proxy status command.
user@host >
show services ssl proxy status
PIC:fwdd0 fpc[0] pic[0] ------
One-Crypto : Enable
Async Crypto : disable
Proxy-activation : Only if interested svcs configured
Local Logging : disable
SSLFP-PKID Link : UP
Certificate cache : -
Certificate Cache activated : yes
Invalidate certificate cache on CRL update : Disabled
Max cert cache nodes : 4000
Cert cache node in use : 0
Session cache : -
Session cache activated : Activated
Max session cache node : 19660
Session cache node in use : 0
Meaning
The command displays the overall status of the SSL proxy. Example:
Crypto status, proxy activation status.
Certificate cache details such as whether certificate cache is activated, CRL configuration, certificate cache size, number of certificates in certificate cache currently used.
Session cache details such as whether session cache is activated, size of the session cache, number of sessions in session cache currently used.
For details about the output fields of the command, see show services ssl proxy status.
Display SSL Termination Counter Details
Purpose
Display statistical counter details for the SSL termination sessions.
Action
From operational mode, use the show services ssl termination counters all command.
user@host >
show services ssl termination counters all
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
Memory errors 0
Handshake errors 0
Cert Cache errors 0
Server Protection errors 0
Proxy errors 0
Crypto errors 0
Certificate errors 0
One-Crypto errors 0
Async-Crypto errors 0
Mirror errors 0
handshakes started 0
handshakes completed 0
active sessions 0
Interdicted cert generated 0
proxy: sessions created 0
proxy: sessions active 0
proxy: sessions ignored 0
proxy: renegotiation ignored 0
proxy: session resumption 0
proxy: secure renegotiation 0
proxy: insecure renegotiation 0
proxy: multiple renegotiation 0
proxy: reneg after resumption 0
init: passthrough requests 0
init: start requests 0
proxy: ECDSA based srvr auth 0
proxy: RSA based srvr auth 0
Meaning
The output displays the SSL termination counters:
Number of errors related to memory, handshakes, the certificate cache, server protection, proxying, crypto, certificates, One-Crypto, Async-Crypto and decryption mirroring.
Number of handshakes started and completed.
Number of active sessions and of interdicted certificates generated.
SSL proxy session counts: sessions created, active and ignored, session resumptions, secure, insecure and multiple renegotiations, passthrough and start requests on the initiation side, and server authentications by key type (ECDSA or RSA).
For details about the output fields of the command, see show services ssl termination counters.
Display SSL Termination Counters Errors
Purpose
Display statistical counters for the errors encountered in SSL termination session.
Action
From operational mode, use the show services ssl termination counters error command.
user@host >
show services ssl termination counters error
Lsys Name : root-logical-system
PIC:fpc0 ------
Memory errors 0
Handshake errors 0
Cert Cache errors 0
Server Protection errors 0
Proxy errors 0
Crypto errors 0
Certificate errors 0
One-Crypto errors 0
Async-Crypto errors 0
Mirror errors 0
Meaning
The output of the command displays number of errors related to memory, handshake, certificate, server protection, proxy and crypto, and SSL decryption mirroring functionality.
For details about the output fields of the command, see show services ssl termination counters.
Display SSL Termination Counters Handshake
Purpose
Display statistical counters for the SSL termination handshake.
Action
From operational mode, use the show services ssl termination counters handshake command.
user@host >
show services ssl termination counters handshake
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
handshakes started 0
handshakes completed 0
active sessions 0
Interdicted cert generated 0
proxy: sessions created 0
proxy: sessions active 0
proxy: sessions ignored 0
proxy: renegotiation ignored 0
proxy: session resumption 0
proxy: secure renegotiation 0
proxy: insecure renegotiation 0
proxy: multiple renegotiation 0
proxy: reneg after resumption 0
init: passthrough requests 0
init: start requests 0
proxy: ECDSA based srvr auth 0
proxy: RSA based srvr auth 0
Meaning
The output displays the SSL termination handshake counters:
Number of handshakes started and completed.
Number of active sessions and of interdicted certificates generated.
SSL proxy session counts: sessions created, active and ignored, session resumptions, secure, insecure and multiple renegotiations, passthrough and start requests on the initiation side, and server authentications by key type (ECDSA or RSA).
For details about the output fields of the command, see show services ssl termination counters.
Display SSL Termination Profile
Purpose
Display all SSL termination profiles available on the device.
Action
From operational mode, use the show services ssl termination profile all command.
user@host >
show services ssl termination profile all
Lsys Name : root-logical-system
PIC:fwdd0 fpc[0] pic[0] ------
ID Name
65536 p1_65536_proxy_t
65537 p2_65537_proxy_t
Meaning
The output of the command displays the list of all SSL termination profiles available on the device.
For details about the output fields of the command, see show services ssl termination profile.
Display SSL Termination Profile Summary
Purpose
Display the brief information about the SSL termination profiles.
Action
From operational mode, use the show services ssl termination profile brief profile-name command.
user@host >
show services ssl termination profile brief profile-name
Lsys Name : root-logical-system
PIC: fwdd0 fpc[0] pic[0] ----------
Profile: ssl-termination
allow non-ssl session: true
preferred-ciphers: medium
Num of url categories configured: NIL
Number of whitelist entries: 0
Meaning
Displays the summary of the SSL termination profile:
Whether non-SSL sessions are allowed.
Preferred cipher category (key strength).
Number of URL categories configured.
Number of allowlist entries.
For details about the output fields of the command, see show services ssl termination profile.
Display SSL Termination Profile Details
Purpose
Display the detail information about the SSL termination profile.
Action
From operational mode, use the show services ssl termination profile detail profile-name command.
user@host >
show services ssl termination profile detail profile-name
Lsys Name : root-logical-system
PIC: fwdd0 fpc[0] pic[0] ----------
Profile : p1_65536_proxy_t
allow non-ssl session : true
preferred-ciphers : medium
Num of url categories configured : 0
Protocol version : all
Client Authentication : notset
Server Authentication : Required
Crypto Mode : hw-sync
Session Resumption : Enabled
CRL check : Enabled
Certficate RSA : p_5
Renegotiation : only secure allowed
Custom ciphers : 0
Server cert : 0
Decrypt Mirror : Disabled
Trusted CA : 0
handshakes started 0
handshakes completed 0
active sessions 0
total handshake errors 0
Data Errors 0
session resumption 0
secure renegotiation 0
insecure renegotiation 0
multiple renegotiation 0
reneg after resumption 0
no_reneg alert by peer 0
drop on reneg 0
Meaning
You can get useful information about the SSL termination profile with this command. Example:
Profile name.
Whether the non-SSL sessions are allowed.
Category of the preferred cipher.
Number of URL categories configured.
Protocol version.
Status of the various functionality such as client and server authentication, certificate revocation actions, session resumption, session renegotiation.
Trusted CA and custom cipher details.
SSL decryption mirror status.
SSL termination per profile statistics or counters.
For details about the output fields of the command, see show services ssl termination profile.
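The profile detail output is the quickest place to confirm that a termination profile is no weaker than intended. The following Python example (added here; not Junos code) parses the output above into settings and per-profile counters and lists the findings a reviewer would raise. It assumes the Junos meanings of the settings: Protocol version all enables every TLS version the platform supports, preferred-ciphers weak admits 40-bit suites, and any Renegotiation value other than only secure allowed needs a second look. The sample is the profile shown above.

```python
import re

# Counter lines end in a bare integer: "handshakes started 0".
COUNTER_LINE = re.compile(r"^(?P<name>\S.*?)\s+(?P<value>\d+)$")

# Constructed sample: the "show services ssl termination profile detail" output on this page.
PROFILE_OUTPUT = """\
Lsys Name : root-logical-system
PIC: fwdd0 fpc[0] pic[0] ----------
Profile : p1_65536_proxy_t
allow non-ssl session : true
preferred-ciphers : medium
Num of url categories configured : 0
Protocol version : all
Client Authentication : notset
Server Authentication : Required
Crypto Mode : hw-sync
Session Resumption : Enabled
CRL check : Enabled
Certficate RSA : p_5
Renegotiation : only secure allowed
Custom ciphers : 0
Server cert : 0
Decrypt Mirror : Disabled
Trusted CA : 0
handshakes started 0
handshakes completed 0
active sessions 0
total handshake errors 0
Data Errors 0
session resumption 0
secure renegotiation 0
insecure renegotiation 0
multiple renegotiation 0
reneg after resumption 0
no_reneg alert by peer 0
drop on reneg 0
"""


def parse_termination_profile(text):
    """Split the output into settings ('name : value') and counters ('name value')."""
    settings, counters = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Lsys Name", "PIC")):
            continue
        if " : " in line:
            name, value = (part.strip() for part in line.split(" : ", 1))
            settings[name] = value
            continue
        match = COUNTER_LINE.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return settings, counters


def audit_termination_profile(settings, counters):
    """Findings a reviewer would raise; relies on the Junos meanings stated in the lead-in."""
    findings = []
    if settings.get("Protocol version") == "all":
        findings.append("Protocol version 'all' permits every supported TLS version, including TLS 1.0 and 1.1")
    ciphers = settings.get("preferred-ciphers")
    if ciphers == "weak":
        findings.append("preferred-ciphers 'weak' admits 40-bit cipher suites")
    if ciphers == "custom" and settings.get("Custom ciphers") == "0":
        findings.append("preferred-ciphers 'custom' selected but no custom ciphers are configured")
    if settings.get("Server Authentication") != "Required":
        findings.append("server authentication is not required: unverified servers are accepted")
    if settings.get("CRL check") != "Enabled":
        findings.append("CRL check is not enabled: revoked server certificates are accepted")
    if settings.get("Renegotiation") != "only secure allowed":
        findings.append("renegotiation is '%s', not 'only secure allowed'" % settings.get("Renegotiation"))
    if settings.get("allow non-ssl session") == "true":
        findings.append("non-SSL sessions are allowed on this profile")
    if settings.get("Decrypt Mirror") == "Enabled":
        findings.append("decrypted traffic is mirrored; confirm the mirror destination is controlled")
    for name in ("insecure renegotiation", "drop on reneg", "total handshake errors"):
        if counters.get(name, 0) > 0:
            findings.append("%s = %d since counters were last cleared" % (name, counters[name]))
    return findings


def audit_output(text):
    """Parse one profile detail output and return (profile name, findings)."""
    settings, counters = parse_termination_profile(text)
    return settings.get("Profile"), audit_termination_profile(settings, counters)


if __name__ == "__main__":
    profile, findings = audit_output(PROFILE_OUTPUT)
    print(profile)
    for finding in findings:
        print(" -", finding)
```

Run it against the detail output of every profile listed by show services ssl termination profile all; the same parser works for show services ssl initiation profile output, whose settings use the same name : value layout.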
Display SSL Initiation Counter Details
Purpose
Display statistical counters for the SSL initiation session.
Action
From operational mode, use the show services ssl initiation counters all command.
user@host >
show services ssl initiation counters all
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
Memory errors 0
Handshake errors 0
Cert Cache errors 0
Server Protection errors 0
Proxy errors 0
Crypto errors 0
Certificate errors 0
One-Crypto errors 0
Async-Crypto errors 0
Mirror errors 0
handshakes started 0
handshakes completed 0
active sessions 0
Interdicted cert generated 0
proxy: sessions created 0
proxy: sessions active 0
proxy: sessions ignored 0
proxy: renegotiation ignored 0
proxy: session resumption 0
proxy: secure renegotiation 0
proxy: insecure renegotiation 0
proxy: multiple renegotiation 0
proxy: reneg after resumption 0
init: passthrough requests 0
init: start requests 0
proxy: ECDSA based srvr auth 0
proxy: RSA based srvr auth 0
Meaning
The output displays the SSL initiation counters:
Number of errors related to memory, handshakes, the certificate cache, server protection, proxying, crypto, certificates, One-Crypto, Async-Crypto and decryption mirroring.
Number of handshakes started and completed.
Number of active sessions and of interdicted certificates generated.
SSL proxy session counts: sessions created, active and ignored, session resumptions, secure, insecure and multiple renegotiations, passthrough and start requests on the initiation side, and server authentications by key type (ECDSA or RSA).
For details about the output fields of the command, see show services ssl initiation counters.
Display SSL initiation Counter Handshake
Purpose
Display statistical counters for the SSL initiation handshake.
Action
From operational mode, use the show services ssl initiation counters handshake command.
user@host >
show services ssl initiation counters handshake
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
handshakes started 0
handshakes completed 0
active sessions 0
Interdicted cert generated 0
proxy: sessions created 0
proxy: sessions active 0
proxy: sessions ignored 0
proxy: renegotiation ignored 0
proxy: session resumption 0
proxy: secure renegotiation 0
proxy: insecure renegotiation 0
proxy: multiple renegotiation 0
proxy: reneg after resumption 0
init: passthrough requests 0
init: start requests 0
proxy: ECDSA based srvr auth 0
proxy: RSA based srvr auth 0
Meaning
The output displays the SSL initiation handshake counters:
Number of handshakes started and completed.
Number of active sessions and of interdicted certificates generated.
SSL proxy session counts: sessions created, active and ignored, session resumptions, secure, insecure and multiple renegotiations, passthrough and start requests on the initiation side, and server authentications by key type (ECDSA or RSA).
For details about the output fields of the command, see show services ssl initiation counters.
Display SSL Initiation Counter Errors
Purpose
Display statistical counters for the errors encountered in SSL initiation sessions.
Action
From operational mode, use the show services ssl initiation counters error command.
user@host >
show services ssl initiation counters error
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
Memory errors 0
Handshake errors 0
Cert Cache errors 0
Server Protection errors 0
Proxy errors 0
Crypto errors 0
Certificate errors 0
One-Crypto errors 0
Async-Crypto errors 0
Mirror errors 0
Meaning
The output displays the number of errors related to memory, handshakes, the certificate cache, server protection, the proxy, crypto (including the One-Crypto and Async-Crypto counters), certificates, and SSL decryption mirroring. Record the counters, reproduce the failing session, and run the command again: the counter that increments identifies the stage at which the session fails.
For details about the output fields of the command, see show services ssl initiation counters.
Display SSL Initiation Profile
Purpose
Display all SSL initiation profiles available on the device.
Action
From operational mode, use the show services ssl initiation profile all command.
user@host >
show services ssl initiation profile all
Lsys Name : root-logical-system
PIC: fwdd0 fpc[0] pic[0] ----------
ID Name
65536 SSL_PROFILE_65536_proxy_i
Meaning
The output of the command displays the list of all SSL initiation profiles available on the device.
For details about the output fields of the command, see show services ssl initiation profile.
Display SSL Initiation Profile Summary
Purpose
Display the summary of the SSL initiation profile.
Action
From operational mode, use the show services ssl initiation profile brief profile-name command.
user@host >
show services ssl initiation profile brief profile-name
Lsys Name : root-logical-system
PIC: fpc0 fpc[0] pic[0] ----------
Profile : SSL_PROFILE_65536_proxy_i
allow non-ssl session : true
preferred-ciphers : medium
Num of url categories configured : 0
Meaning
The output displays a summary of the SSL initiation profile: the profile name, whether non-SSL sessions are allowed, the preferred cipher set, and the number of URL categories configured.
For details about the output fields of the command, see show services ssl initiation profile.
Display SSL Initiation Profile Details
Purpose
Display detailed information about the SSL initiation profile.
Action
From operational mode, use the show services ssl initiation profile detail profile-name command.
user@host >
show services ssl initiation profile detail profile-name
Lsys Name : root-logical-system
PIC: fpc0 fpc[0] pic[0] ----------
Profile : SSL_PROFILE_65536_proxy_i
allow non-ssl session : true
preferred-ciphers : medium
Num of url categories configured : 0
Protocol version : all
Client Authentication : notset
Server Authentication : Ignore Failure
Crypto Mode : sw
Session Resumption : Enabled
CRL check : Enabled
Certficate RSA : ssl-inspect-ca
Renegotiation : only secure allowed
Custom ciphers : 0
Server cert : 0
Decrypt Mirror : Disabled
Trusted CA : 1
handshakes started 8
handshakes completed 8
active sessions 0
total handshake errors 0
Data Errors 0
session resumption 5
secure renegotiation 0
insecure renegotiation 0
multiple renegotiation 0
reneg after resumption 0
no_reneg alert by peer 0
drop on reneg 0
Meaning
The output shows the configuration and the counters of the SSL initiation profile, for example:
Whether non-SSL sessions are allowed.
The preferred SSL cipher set.
The number of URL categories configured.
The status of functions such as client and server authentication, certificate revocation (CRL) checking, session resumption, and renegotiation. In this example Server Authentication is set to Ignore Failure, so a server certificate that fails validation does not cause the session to be dropped; confirm that this is intended before relying on the proxy to block untrusted servers.
The trusted CA and certificate details.
The SSL decryption mirror status.
The SSL initiation session counters, such as handshakes started and completed, session resumptions, and secure and insecure renegotiations.
For details about the output fields of the command, see show services ssl initiation profile.
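The following is an added example, not part of the Junos documentation or of the device's own tooling. It parses the text of the profile detail output above offline (the same line formats appear in the counters outputs shown earlier, so it reads those too) and flags the settings and counters a reviewer would question. The sample output is constructed from the example above with the CRL check disabled, two handshakes left incomplete and one insecure renegotiation added so that the checks fire; which settings count as weak is this example's own policy, not a Junos recommendation.

```python
"""Audit pasted 'show services ssl initiation profile detail' or 'counters' output.

Added example: parses 'key : value' settings and 'name count' counters from CLI text and
reports weak settings and non-zero error counters. The policy below is this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the profile detail output in the text, with CRL check set
# to Disabled, handshakes completed lowered to 6 and insecure renegotiation raised to 1.
SAMPLE = """\
Lsys Name : root-logical-system
PIC: fpc0 fpc[0] pic[0] ----------
Profile : SSL_PROFILE_65536_proxy_i
allow non-ssl session : true
preferred-ciphers : medium
Num of url categories configured : 0
Protocol version : all
Client Authentication : notset
Server Authentication : Ignore Failure
Crypto Mode : sw
Session Resumption : Enabled
CRL check : Disabled
Certficate RSA : ssl-inspect-ca
Renegotiation : only secure allowed
Custom ciphers : 0
Server cert : 0
Decrypt Mirror : Disabled
Trusted CA : 1
handshakes started 8
handshakes completed 6
active sessions 0
total handshake errors 2
Data Errors 0
session resumption 5
secure renegotiation 0
insecure renegotiation 1
multiple renegotiation 0
reneg after resumption 0
no_reneg alert by peer 0
drop on reneg 0
"""

# Settings have spaces around the colon ('CRL check : Enabled'); counters end in an integer
# and may carry a colon inside the name ('proxy: sessions created 0'), so settings go first.
SETTING_RE = re.compile(r"^\s*(?P<key>.+?)\s+:\s+(?P<val>.*?)\s*$")
COUNTER_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<count>\d+)\s*$")


@dataclass
class SslReport:
    settings: dict = field(default_factory=dict)  # e.g. "Server Authentication" -> "Ignore Failure"
    counters: dict = field(default_factory=dict)  # e.g. "handshakes started" -> 8


def parse_ssl_output(text):
    """Split CLI text into settings and counters; header lines (Lsys, PIC) are kept or skipped harmlessly."""
    rep = SslReport()
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            rep.settings[m["key"]] = m["val"]
            continue
        m = COUNTER_RE.match(line)
        if m:
            rep.counters[m["name"].rstrip(" :")] = int(m["count"])
    return rep


def audit(rep):
    """Return a list of findings; an empty list means nothing in this policy fired."""
    s, c, findings = rep.settings, rep.counters, []
    if s.get("Server Authentication", "").lower() == "ignore failure":
        findings.append("server certificate validation failures are ignored; handshakes to "
                        "servers whose chain does not verify still complete")
    if s.get("CRL check", "").lower() == "disabled":
        findings.append("CRL check disabled: revoked server certificates are not detected")
    if s.get("Protocol version", "").lower() == "all":
        findings.append("protocol version 'all': every supported TLS version is negotiable; "
                        "confirm legacy versions are acceptable")
    if s.get("preferred-ciphers", "").lower() in ("medium", "weak"):
        findings.append(f"preferred-ciphers is '{s['preferred-ciphers']}' rather than 'strong'")
    if s.get("Renegotiation", "").lower() not in ("", "only secure allowed"):
        findings.append(f"renegotiation policy is '{s['Renegotiation']}'; insecure renegotiation may be permitted")
    if s.get("Decrypt Mirror", "").lower() == "enabled":
        findings.append("decrypt mirror enabled: decrypted sessions are copied to a mirror port")
    for name, n in c.items():  # 'Memory errors', 'total handshake errors', 'Data Errors', ...
        if n and name.lower().endswith("errors"):
            findings.append(f"{name} = {n}")
    for name in ("insecure renegotiation", "proxy: insecure renegotiation"):
        if c.get(name):
            findings.append(f"{name} = {c[name]}: a peer renegotiated without RFC 5746 protection")
    incomplete = c.get("handshakes started", 0) - c.get("handshakes completed", 0)
    if incomplete > 0:
        findings.append(f"{incomplete} handshake(s) started but not completed (failed or still in progress)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ssl_output(SAMPLE)):
        print("-", finding)
```

Paste the output of any of the three commands into SAMPLE (or read it from a file) and run the script; the handshake counters output parses with no settings, so only the counter checks apply to it. The started-minus-completed figure includes handshakes still in progress, so take it from a quiet device or compare two snapshots.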
Display SSL Drop Log Details
Purpose
Display information about SSL drop logs.
Action
From operational mode, use the show services ssl droplogs command.
user@host >
show services ssl droplogs
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0]-------
===========log mesg for cpu 0
===========log mesg for cpu 1
log mesg is File: ../../../../../../../../../src/junos/jsf/plugin/ssl/jssl_common.c Function: jssl_X509_verify_cert Line: 3767
Message: unable to get local issuer certificate
C2S plugin chain : [Plugin junos-jdpi: action: ignore]-> [Plugin junos-tcp-svr-emul: action: none]-> [Plugin junos-ssl-proxy: action: ignore]-> [Plugin junos-ssl-term: action: none]-> [Plugin junos-dpi-stream: action: none]-> [Plugin junos-idp-stream: action: ignore]-> [Plugin junos-ssl-init: action: none]-> [Plugin junos-tcp-clt-emul: action: none]
S2C plugin chain: [Plugin junos-jdpi: action: ignore]-> [Plugin junos-tcp-clt-emul: action: none]-> [Plugin junos-ssl-init: action: none]-> [Plugin junos-dpi-stream: action: none]-> [Plugin junos-idp-stream: action: ignore]-> [Plugin junos-ssl-term: action: none]-> [Plugin junos-ssl-proxy: action: ignore]-> [Plugin junos-tcp-svr-emul: action: none]
SourceIP:5.0.0.1 DestIP:4.0.0.1 Source Port:40281 Dest Port:443
source interface:ge-0/0/1.0 Destination interface:ge-0/0/0.0 source zone:untrust destination Zone:trust
Meaning
The output lists the sessions that the SSL plugins dropped or denied, grouped per CPU. Each entry gives the source file, function, and line that raised the drop, the reason in the Message field, the client-to-server (C2S) and server-to-client (S2C) plugin chains with the action each plugin took, and the session's source and destination addresses, ports, interfaces, and zones. In this example the reason is unable to get local issuer certificate: the certificate chain presented by the server could not be validated against the trusted CAs configured for the profile. Use the addresses and ports to identify the server, then compare its certificate chain with the trusted CA configuration.
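The following is an added example, not part of the Junos documentation or of the device's own tooling. It parses one droplogs entry of the form shown above into its fields, extracts the plugin chains, and maps the Message text to a next step. The sample entry is constructed, modelled on the output above; the hint table pairs OpenSSL X.509 verification messages with this example's own suggestions.

```python
"""Parse one 'show services ssl droplogs' entry and suggest what to check next.

Added example: a regex parser for the 'File: ... Function: ... Message: ... SourceIP: ...'
entry format, plus a small table of OpenSSL X.509 verify messages with a next step each.
"""
import re

# Constructed sample modelled on the droplogs entry in the text (not captured from a device).
SAMPLE_DROPLOG = (
    "log mesg is File: ../../../../../../../../../src/junos/jsf/plugin/ssl/jssl_common.c "
    "Function: jssl_X509_verify_cert Line: 3767 Message: unable to get local issuer certificate "
    "C2S plugin chain : [Plugin junos-jdpi: action: ignore]-> [Plugin junos-tcp-svr-emul: action: none]-> "
    "[Plugin junos-ssl-proxy: action: ignore]-> [Plugin junos-ssl-term: action: none]-> "
    "[Plugin junos-dpi-stream: action: none]-> [Plugin junos-idp-stream: action: ignore]-> "
    "[Plugin junos-ssl-init: action: none]-> [Plugin junos-tcp-clt-emul: action: none] "
    "S2C plugin chain: [Plugin junos-jdpi: action: ignore]-> [Plugin junos-tcp-clt-emul: action: none]-> "
    "[Plugin junos-ssl-init: action: none]-> [Plugin junos-dpi-stream: action: none]-> "
    "[Plugin junos-idp-stream: action: ignore]-> [Plugin junos-ssl-term: action: none]-> "
    "[Plugin junos-ssl-proxy: action: ignore]-> [Plugin junos-tcp-svr-emul: action: none] "
    "SourceIP:5.0.0.1 DestIP:4.0.0.1 Source Port:40281 Dest Port:443 "
    "source interface:ge-0/0/1.0 Destination interface:ge-0/0/0.0 source zone:untrust destination Zone:trust"
)

# Field order as printed by the command; whitespace is flexible so a wrapped entry parses too.
ENTRY_RE = re.compile(
    r"File:\s*(?P<file>\S+)\s+Function:\s*(?P<function>\S+)\s+Line:\s*(?P<line>\d+)\s+"
    r"Message:\s*(?P<message>.*?)\s+C2S plugin chain\s*:\s*(?P<c2s>.*?)\s+"
    r"S2C plugin chain\s*:\s*(?P<s2c>.*?)\s+"
    r"SourceIP:\s*(?P<src_ip>\S+)\s+DestIP:\s*(?P<dst_ip>\S+)\s+"
    r"Source Port:\s*(?P<src_port>\d+)\s+Dest Port:\s*(?P<dst_port>\d+)\s+"
    r"source interface:\s*(?P<src_if>\S+)\s+Destination interface:\s*(?P<dst_if>\S+)\s+"
    r"source zone:\s*(?P<src_zone>\S+)\s+destination Zone:\s*(?P<dst_zone>\S+)",
    re.DOTALL,
)
PLUGIN_RE = re.compile(r"\[Plugin\s+(?P<name>[\w-]+):\s*action:\s*(?P<action>\w+)\]")

# OpenSSL X.509 verification messages -> what to check next (the hints are this example's own).
VERIFY_HINTS = {
    "unable to get local issuer certificate":
        "the server's chain does not end in a CA from the profile's trusted-ca list; fetch the "
        "chain from DestIP:DestPort and compare its issuer with the trusted CA group",
    "certificate has expired":
        "the server certificate's notAfter is in the past; check the device clock before blaming the server",
    "self signed certificate":
        "the server presented a self-signed certificate that is not in the trusted-ca list",
}


def parse_droplog(entry):
    """Return a dict of fields, plugin chains as (name, action) lists and a hint, or None if no match."""
    m = ENTRY_RE.search(entry)
    if not m:
        return None
    d = m.groupdict()
    for key in ("line", "src_port", "dst_port"):
        d[key] = int(d[key])
    d["c2s_chain"] = [(p["name"], p["action"]) for p in PLUGIN_RE.finditer(d.pop("c2s"))]
    d["s2c_chain"] = [(p["name"], p["action"]) for p in PLUGIN_RE.finditer(d.pop("s2c"))]
    # Normalise 'self-signed' vs 'self signed' spellings before the lookup.
    key = d["message"].strip().lower().replace("-", " ")
    d["hint"] = VERIFY_HINTS.get(key, "no canned hint; look the Message text up in the OpenSSL X509 verify error list")
    return d


def summarize(d):
    """One-line triage summary: 5-tuple with zones, the dropping function, and plugins that acted."""
    acting = ", ".join(f"{name}={action}" for name, action in d["c2s_chain"] if action != "none")
    return (f"{d['src_zone']}:{d['src_ip']}:{d['src_port']} -> {d['dst_zone']}:{d['dst_ip']}:{d['dst_port']} "
            f"dropped in {d['function']} ({d['message']}); plugins acting: {acting}")


if __name__ == "__main__":
    parsed = parse_droplog(SAMPLE_DROPLOG)
    print(summarize(parsed))
    print("next step:", parsed["hint"])
```

Feed each "log mesg is ..." entry from the command output to parse_droplog; an entry that has been wrapped across several lines by the terminal still parses, because the pattern only requires whitespace between fields.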