Wednesday, August 24, 2016

Aerohive AP packet trace using CLI

In Aerohive HiveOS you can do a packet trace to see whether the packets sent by wifi clients are forwarded to the ethernet port or dropped by the AP for some reason. This is a very useful tool for troubleshooting. To enter these commands either you need to SSH in to the AP or use console cable. To forward these logs to a syslog server enter the command below,


logging server syslog server IP level debug 








Lets say that you want to see whether the ICMP (ping) request sent by the wifi client is forwarded to the ethernet interface of the AP and to the router,

1) Create a filter that match the pkt you would like to trace


_ff id 1 src-ip 172.16.1.49 dst-ip 172.16.1.1 protocol 1 bidirectional 


_ff  : is the command to create a filter

id 1 : is the filter ID, you can create several filters with different ID numbers 

protocol : UDP:17; TCP:6; ICMP:1


2) Enable forwarding engine debug to print the pkts that match the filter we created in step 1. 

_kdebug fe basic 


3) Enter the command "clear log all" , ping from wifi client to 172.16.1.1 and the enter the command "show log buffered" to display the pkt trace,


clear log all

ping 172.16.1.1 from the PC 

show log buffered


defc3c80::L*: (i) wifi1.1 172.16.1.49->172.16.1.1(60810) ttl(64) icmp-echo-req(35330/2) 84 bytes
--> This line shows that icmp request is coming in from wifi1.1 interface

defc3c80::L*: (o) eth0 172.16.1.49->172.16.1.1(60810) ttl(64) icmp-echo-req(35330/2) 98 bytes

--> This line shows that icmp request was forwarded to ethernet interface

dede0560::L*: (i) eth0 172.16.1.1->172.16.1.49(39153) ttl(64) icmp-echo-reply(35330/2) 84 bytes
-->This line shows that icmp reply came in from ethernet interface

dede0560::L*: (o) wifi1.1 172.16.1.1->172.16.1.49(39153) ttl(64) icmp-echo-reply(35330/2) 98 bytes
--> This line shows that icmp reply was sent to the wifi client via wifi1.1 interface

*** check the time stamps to read the log messages in order 



(i) = pkt coming in
(o) = pkt going out
(!) = pkt dropped





Friday, August 5, 2016

Juniper SSG20 firewall DNS proxy

I got a used Juniper SSG20 and trying to use it as my Internet gateway device. I did a factory reset (https://kb.juniper.net/InfoCenter/index?page=content&id=KB4749&actp=search), followed the wizard and setup PPPoE, DMZ and two subnets. Usually when this is done the DNS proxy works by default in most home router type devices I have worked with, but not in SSG20 (and SSG20 is not a home router),




This is how to enable DNS proxy using GUI,