SecureXL Debug Procedure

By default, SecureXL writes the output debug information to the /var/log/messages file.

To collect the applicable SecureXL debug and to make its analysis easier, perform the steps below.

Note - For more information, see the R80.30SP Next Generation Security Gateway Guide - Chapter Kernel Debug on Security Group Members (for Chassis; for Maestro).

Important:

We strongly recommend to schedule a full maintenance window to minimize the impact on your production traffic.
We strongly recommend to connect over serial console to Security Group members.
This is to avoid a possible issue when you cannot work with the CLI because of a high load on the CPU.
Debug the specific SecureXL instance only when you are sure that only that SecureXL instance processes the traffic.

Procedure:

Step	Description
1	Connect to the command line on a Security Group member.
2	Log in to the Expert mode.
3	Reset all kernel debug flags in all kernel debug modules: `g_fw ctl debug 0`
4	Reset all the SecureXL debug flags in all SecureXL debug modules. For all SecureXL instances: `g_fwaccel dbg resetall` For a specific SecureXL instance: `g_fwaccel -i` <SecureXL ID> `dbg resetall`
5	Allocate the kernel debug buffer: `g_fw ctl debug -buf 8200 [-v {"<`List of VSIDs`>" \| all}]`
6	Make sure the Security Group member allocated the kernel debug buffer: `g_fw ctl debug \| grep buffer`
7	Configure the applicable kernel debug modules and kernel debug flags: `g_fw ctl debug -m <`Name of Kernel Debug Module`> {all \| + <`Kernel Debug Flags`>}`
8	Configure the applicable SecureXL debug modules and SecureXL debug flags. For all SecureXL instances: `g_fwaccel dbg -m <`Name of SecureXL Debug Module`> {all \| + <`SecureXL Debug Flags`>}` For a specific SecureXL instance: `g_fwaccel -i` <SecureXL ID> `dbg -m <`Name of SecureXL Debug Module`> {all \| + <`SecureXL Debug Flags`>}`
9	Examine the kernel debug configuration for kernel debug modules: `g_fw ctl debug`
10	Examine the SecureXL debug configuration for SecureXL debug modules. For all SecureXL instances: `g_fwaccel dbg list` For specific SecureXL instance: `g_fwaccel -i` <SecureXL ID> `dbg list`
11	Remove all entries from both the Firewall Connections table and SecureXL Connections table: `g_fw tab -t connections -x -y` Important: This step makes sure that you collect the debug of the real issue that is not affected by the existing connections. This command deletes all existing connections. This interrupts all connections, including the SSH. Run this command only if you are connected over a serial console to the Security Group member.
12	Remove all entries from the Firewall Templates table: `g_fw tab -t cphwd_tmpl -x -y` Note - This command does not interrupt the existing connections. This step makes sure that you collect the debug of the real issue that is not affected by the existing connection templates.
13	Start the kernel debug: `g_fw ctl kdebug -T -f > /var/log/kernel_debug.txt`
14	Replicate the issue, or wait for the issue to occur.
15	Stop the kernel debug: Press CTRL+C.
16	Reset all kernel debug flags in all kernel debug modules: `g_fw ctl debug 0`
17	Reset all the SecureXL debug flags in all SecureXL debug modules. For all SecureXL instances: `g_fwaccel dbg resetall` For specific SecureXL instance: `g_fwaccel -i` <SecureXL ID> `dbg resetall`
18	Examine the kernel debug configuration to make sure it returned to the default: `g_fw ctl debug`
19	Examine the SecureXL debug configuration to make sure it returned to the default. For all SecureXL instances: `g_fwaccel dbg list` For specific SecureXL instance: `g_fwaccel -i` <SecureXL ID> `dbg list`
20	Collect and analyze the debug output file from all Security Group members: `/var/log/kernel_debug.txt`