Data Center LAN Migration Guide

OSI Layer 4-7: Transport to Application Troubleshooting

This type of problem is most likely to occur on firewalls or on routers secured with firewall filters. Below are some important things to remember when troubleshooting Layer 4-7 issues:

• Standard troubleshooting tools such as ping and traceroute may not work. Generally, ping and traceroute are not enabled through a firewall except in specific circumstances.
• Firewalls are routers too. In addition to enforcing stateful policies on traffic, firewalls also have the responsibility of routing packets to their next hop. To do this, firewalls must have a working and complete routing table, statically or dynamically defined. If the table is incomplete or incorrect, the firewall will not be able to forward traffic correctly.
• Firewalls are stateful and build state for every session that has passed through the firewall. If a non-SYN packet comes to the firewall and the firewall does not have a session open for that packet, it is considered an "out of state" packet. This can be the sign of an attack, or of an application that has been dormant beyond the firewall session timeout duration and is attempting to send traffic.
• By definition, stateful firewalls enforce traffic through their policy based on the network and transport layers of the OSI model. In addition, firewalls may also do protocol anomaly checks and signature matches on the application layer for selected protocols.
• This function is implemented by ALGs. ALGs recognize application-specific sequences, change the application layer to make protocols compatible with Port Address Translation (PAT) and Network Address Translation (NAT), and deliver higher layer content to deep inspection (DI), antivirus, URL filter, and spam filter features, if enabled.
• If you experience a problem that involves the passing or blocking of traffic, the very first place to look is the firewall logs. Often the log messages will give strong hints about the problem.

Tools

Junos OS has embedded script tools to simplify and automate some tasks for network engineers. Commit scripts, operation (op) scripts, and event scripts provide self-monitoring, self-diagnosing, and self-healing capabilities to the network. The apply-macro command feeds a commit script to extend and customize the router configuration based on user-defined data and templates. Together, these tools offer an almost infinite number of applications to reduce downtime, minimize human error, accelerate service deployment, and reduce overall operational costs. For more information, refer to: www.juniper.net/us/en/community/junos/script-automation.

Troubleshooting Summary

Presenting an exhaustive and complete troubleshooting guide falls outside the scope of this Data Center LAN Migration Guide. Presented in this section is a methodology to understand the factors contributing to a problem and a logical approach to the diagnostics needed to investigate root causes. This method relies on the fact that IP networks are modeled around multiple layered architectures. Each layer depends on the services of the underlying layers. From the physical network topology composed of access, aggregation, and core tiers to the model of IP communication founded on the 7 OSI layers, matching symptoms to the root cause layer is a critical step in the troubleshooting methodology. Juniper platforms have also implemented a layered architecture by integrating separate control and forwarding planes. Once the root cause layer is correctly identified, the next steps are to isolate the problem and to take the needed corrective action at that specific layer.
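The "out of state" behavior described in the Layer 4-7 section, modeled as an added Python example (not code from this guide or from Juniper). It separates a flow whose session aged out from a source that never opened one, which is the distinction to look for in the firewall logs. The timeout value, verdict names, and sample packets are assumptions made for the illustration.

```python
# Added illustration: minimal model of a stateful firewall session table.
# IDLE_TIMEOUT, the verdict names and the sample packets are assumptions.
from dataclasses import dataclass, field

IDLE_TIMEOUT = 1800           # seconds; assumed idle timeout, not a vendor default
NEW, FORWARD = "new-session", "forward"
OOS_EXPIRED = "out-of-state: session aged out (dormant application?)"
OOS_UNKNOWN = "out-of-state: no session ever existed (check source)"

@dataclass
class SessionTable:
    timeout: int = IDLE_TIMEOUT
    active: dict = field(default_factory=dict)  # flow tuple -> last-seen time
    expired: set = field(default_factory=set)   # flows removed by idle timeout

    def _age_out(self, now):
        for flow, last_seen in list(self.active.items()):
            if now - last_seen > self.timeout:
                del self.active[flow]
                self.expired.add(flow)

    def process(self, now, src, sport, dst, dport, flags):
        """Verdict for one TCP packet; the security policy is assumed to permit it."""
        self._age_out(now)
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        key = flow if flow in self.active else reverse if reverse in self.active else None
        if key is not None:                     # packet matches an open session
            self.active[key] = now
            return FORWARD
        if flags == "S":                        # bare SYN may open a new session
            self.active[flow] = now
            self.expired.discard(flow)
            return NEW
        if flow in self.expired or reverse in self.expired:
            return OOS_EXPIRED
        return OOS_UNKNOWN

# Constructed sample traffic: (time, src, sport, dst, dport, TCP flags)
PACKETS = [
    (0, "10.1.1.10", 40000, "10.2.2.20", 1521, "S"),
    (1, "10.2.2.20", 1521, "10.1.1.10", 40000, "SA"),
    (2, "10.1.1.10", 40000, "10.2.2.20", 1521, "A"),
    (4000, "10.1.1.10", 40000, "10.2.2.20", 1521, "PA"),  # idle longer than timeout
    (4001, "192.0.2.99", 5555, "10.2.2.20", 1521, "A"),   # never sent a SYN
]

def classify(packets, timeout=IDLE_TIMEOUT):
    table = SessionTable(timeout)
    return [table.process(*pkt) for pkt in packets]
```

Calling classify(PACKETS) returns one verdict per packet; raising the timeout argument above the idle gap turns the fourth verdict into a normal forward, which is the effect a longer session timeout has on a dormant application.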
For more details on platform specifics, please refer to the Juniper technical documentation that can be found at: www.juniper.net/techpubs.

Copyright © 2012, Juniper Networks, Inc.
Copyright © 2010, Juniper Networks, Inc.

Chapter 5: Summary and Additional Resources