Stop managing your network one node at a time!

NET-POLICY Debugging


NET-SNMP Master Agent

Verifying authentication

To verify that the net-policy server and the net-snmp master agent agree on authentication parameters, run the v3test script from the net-policy/test directory. This script will output the init line that should have been placed in the snmpd.conf file, and the complete snmpget command, with all parameters specified, used to verify communications. If authentication works, the sysContact information will be printed.
dev $ ./v3test -u SQLUSER -p SQLPASS west
/var/net-snmp/snmpd.conf init='createUser netpolicy MD5 SNMPAUTH DES SNMPPASS
snmpget -r 0 -t 5 -v 3 -l authNoPriv -u netpolicy -a MD5 -A SNMPAUTH -x DES -X SNMPPASS west sysContact.0
sysContact.0 = STRING: root@revelstone.com

Turning on debugging

One of the things you may be asked to do is to turn on debugging for the net-snmp master agent on a client machine. To do this, edit the snmpd.conf file (usually found at /usr/local/share/snmp/snmpd.conf) and add the following two lines:

[snmp] doDebugging 1
[snmp] debugTokens agent,result

You will then need to restart snmpd.

Anatomy of /var/log/snmpd.log

Master Agent startup

After starting the master agent, the log will look something like this:

trace: read_config(): read_config.c, 592: read_config: Switching to new context: (this line only) snmp
trace: read_config(): read_config.c, 615: read_config: /usr/local/share/snmp/snmpd.conf:13 examining: [snmp] debugTokens agent,result
trace: run_config_handler(): read_config.c, 345: read_config: Found a parser.  Calling it: debugTokens / agent,result
2003-02-04 11:26:16 Turning on AgentX master support.
2003-02-04 11:26:16 Note this is still experimental and shouldn't be used on critical systems.
2003-02-04 11:26:16 agentx/config/timeout: 600
2003-02-04 11:26:16 agentx/master: initializing...
2003-02-04 11:26:16 agentx/master: initializing...   DONE
2003-02-04 11:26:16 NET-SNMP version 5.0.6

np-plutoplus Startup

After starting np-plutoplus, the log will contain many agentx registrations, which will look like this:

2003-02-04 11:52:50 agentx/master: handle pdu (req=0x31a47785,trans=0x0,sess=0x0)
2003-02-04 11:52:50 agentx/master: open 0x8135d28
2003-02-04 11:52:50 agentx/master: opened 0x81466c8 = 6 with flags = a0
2003-02-04 11:52:50 agentx/master: send response, stat 0 (req=0x31a47785,trans=0x0,sess=0x0)
2003-02-04 11:52:50 agentx_build: packet built okay
2003-02-04 11:52:50 agentx/master: handle pdu (req=0x31a47786,trans=0x0,sess=0x6)
2003-02-04 11:52:50 agentx/master: in register_agentx_list
2003-02-04 11:52:50 agentx/master: registered ok
2003-02-04 11:52:50 agentx/master: send response, stat 0 (req=0x31a47786,trans=0x0,sess=0x6)
2003-02-04 11:52:50 agentx_build: packet built okay
...

np-plutoplus Activity

Once np-plutoplus is up and running, requests to the agent will also be logged. Here is an example from a log where np-distd is configuring a client:
2003-02-04 11:59:57 agent_set: doing set mode = 0 (SET_RESERVE1)
2003-02-04 11:59:57 agentx/master: agentx master handler starting, mode = 0x00
2003-02-04 11:59:57 agentx/master: request for variable (IPSEC-POLICY-MIB::ihfType."is telnet")
2003-02-04 11:59:57 agentx/master: request for variable (IPSEC-POLICY-MIB::ihfIPVersion."is telnet")
2003-02-04 11:59:57 agentx/master: request for variable (IPSEC-POLICY-MIB::ihfDstLowPort."is telnet")
2003-02-04 11:59:57 agentx/master: request for variable (IPSEC-POLICY-MIB::ihfDstHighPort."is telnet")
2003-02-04 11:59:57 agentx/master: request for variable (IPSEC-POLICY-MIB::ihfProtocol."is telnet")
2003-02-04 11:59:57 agentx/master: request for variable (IPSEC-POLICY-MIB::ihfStorageType."is telnet")
2003-02-04 11:59:57 agentx/master: request for variable (IPSEC-POLICY-MIB::ihfRowStatus."is telnet")
2003-02-04 11:59:57 agentx: sending pdu (req=0x4,trans=0x3,sess=0x6)
2003-02-04 11:59:57 agentx_build: packet built okay
2003-02-04 11:59:57 agent_set: did set mode = 0, status = 0
2003-02-04 11:59:57 results: request results (status = 0):
2003-02-04 11:59:57 results:    IPSEC-POLICY-MIB::ihfType."is telnet" = BITS: 01 7
2003-02-04 11:59:58 results:    IPSEC-POLICY-MIB::ihfIPVersion."is telnet" = INTEGER: ipv4(1)
2003-02-04 11:59:58 results:    IPSEC-POLICY-MIB::ihfDstLowPort."is telnet" = Gauge32: 23
2003-02-04 11:59:58 results:    IPSEC-POLICY-MIB::ihfDstHighPort."is telnet" = Gauge32: 23
2003-02-04 11:59:58 results:    IPSEC-POLICY-MIB::ihfProtocol."is telnet" = INTEGER: 6
2003-02-04 11:59:58 results:    IPSEC-POLICY-MIB::ihfStorageType."is telnet" = INTEGER: nonVolatile(3)
2003-02-04 11:59:58 results:    IPSEC-POLICY-MIB::ihfRowStatus."is telnet" = INTEGER: createAndGo(4)
2003-02-04 11:59:58 agentx/master: got response errstat=0, (req=0x4,trans=0x3,sess=0x6)
2003-02-04 11:59:58 agentx/master: handle_agentx_response() finishing...
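
To audit what np-distd actually pushed to a client, the debug log above can be folded into one record per SET pass. The following Python example is added here and is not part of net-policy or net-snmp; it assumes the line formats shown in the sample above and that status 0 and errstat 0 mean success, and its second SET pass (status = 17) is constructed sample data.

```python
import re
from collections import defaultdict

# First SET pass abridged from this page's np-distd log; the second pass
# (status = 17) is constructed here to exercise the failure path.
SAMPLE_LOG = '''\
2003-02-04 11:59:57 agent_set: doing set mode = 0 (SET_RESERVE1)
2003-02-04 11:59:57 agentx/master: request for variable (IPSEC-POLICY-MIB::ihfDstLowPort."is telnet")
2003-02-04 11:59:57 agent_set: did set mode = 0, status = 0
2003-02-04 11:59:57 results: request results (status = 0):
2003-02-04 11:59:58 results:    IPSEC-POLICY-MIB::ihfDstLowPort."is telnet" = Gauge32: 23
2003-02-04 11:59:58 results:    IPSEC-POLICY-MIB::ihfProtocol."is telnet" = INTEGER: 6
2003-02-04 11:59:58 results:    IPSEC-POLICY-MIB::ihfRowStatus."is telnet" = INTEGER: createAndGo(4)
2003-02-04 11:59:58 agentx/master: got response errstat=0, (req=0x4,trans=0x3,sess=0x6)
2003-02-04 12:03:10 agent_set: doing set mode = 0 (SET_RESERVE1)
2003-02-04 12:03:10 agent_set: did set mode = 0, status = 17
'''

TS = r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
SET_START = re.compile(TS + r"agent_set: doing set mode = (\d+) \((\w+)\)")
SET_DONE = re.compile(TS + r"agent_set: did set mode = (\d+), status = (-?\d+)")
RESULT = re.compile(TS + r'results:\s+([\w-]+)::(\w+)\."([^"]*)" = (\w+): (.*)$')
ERRSTAT = re.compile(TS + r"agentx/master: got response errstat=(-?\d+)")

def parse_sets(text):
    """Group log lines into SET passes: time, mode, status, errstat, rows."""
    sets, cur = [], None
    for line in text.splitlines():
        if m := SET_START.match(line):
            cur = {"time": m[1], "mode": m[3], "status": None,
                   "errstat": None, "rows": defaultdict(dict)}
            sets.append(cur)
        elif cur is None:
            continue  # startup and registration chatter before any SET
        elif m := SET_DONE.match(line):
            cur["status"] = int(m[3])
        elif m := RESULT.match(line):
            # rows[index][column] = (SNMP type, value as logged)
            cur["rows"][m[4]][m[3]] = (m[5], m[6].strip())
        elif m := ERRSTAT.match(line):
            cur["errstat"] = int(m[2])
    return sets

def failed_sets(sets):
    """SET passes whose agent status or subagent errstat is non-zero."""
    return [s for s in sets
            if s["status"] not in (0, None) or s["errstat"] not in (0, None)]

if __name__ == "__main__":
    for s in parse_sets(SAMPLE_LOG):
        print(s["time"], s["mode"], s["status"], s["errstat"], dict(s["rows"]))
```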

iptables

Flushing existing rules

You may be asked to flush your iptables rules. To do this, run the following commands as the root user:
# iptables -t ipsec -F
# iptables -t ipsec -X
# iptables -F

Displaying current rules

You may be asked to send us your iptables rules. To do this, run the following commands as the root user:
# iptables -L | grep -v ^target
# iptables -t ipsec -L -n | grep -v ^target
The results should look something like this:
[root@west root]# iptables -t ipsec -L -n | grep -v ^target
Chain PREROUTING (policy ACCEPT)
#pg_np-core  all  --  0.0.0.0/0            0.0.0.0/0          

Chain POSTROUTING (policy ACCEPT)
#pg_np-core  all  --  0.0.0.0/0            0.0.0.0/0          

Chain #and (0 references)

Chain #ih_is telnet (0 references)
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:23 

Chain #ik1_ (0 references)
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:500 OFFSET=26 OPERATOR== VALUE=2 

Chain #ik2_ (0 references)
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:500 OFFSET=26 OPERATOR== VALUE=32 

Chain #in_Psf9ae0001_#ih_is telnet (1 references)
ACTION     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:23 ACTION: mode: 2 subaction: preconf argument: .13.101.115.112.45.115.104.97.45.49.50.104.114.115

Chain #in_np-accept_#tf_ (1 references)
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          

Chain #or (0 references)

Chain #pg_np-core (2 references)
#pr_np-accept  all  --  0.0.0.0/0            0.0.0.0/0          PRIORITY = 65536

Chain #pr_Psf9ae0001 (0 references)
#in_Psf9ae0001_#ih_is telnet  all  --  0.0.0.0/0            0.0.0.0/0          

Chain #pr_np-accept (1 references)
#in_np-accept_#tf_  all  --  0.0.0.0/0            0.0.0.0/0          

Chain #tf_ (0 references)
DROP       all  --  0.0.0.0/0            0.0.0.0/0
    

np-plutoplus

Deleting persistent data

Enabling debugging

To enable debugging for np-plutoplus, open a new terminal window for np-plutoplus to run in. In this new window, run np-plutoplus:
# np-plutoplus -b 1 -Dpp,policy

MySQL

Re-initializing the database

From the net-policy directory, run:
$ ./np-setup -x -M -u SQLUSER -pSQLPASS -X SNMPPASS -A SNMPAUTH -U SNMPUSER

Dumping the database

Run:
$ mysqldump -u SQLUSER -pSQLPASS netpolicy | grep ^INSERT

Inserting data to the database from a file

Run:
$ mysql -u SQLUSER -pSQLPASS netpolicy < FILE

Web GUI

Turning on debugging

To turn on debugging for the Web GUI, we recommend that you add a new Location directive with debugging enabled, and leave the original as is. That way you can simply change the URL in your browser, instead of having to edit the httpd.conf file and restart httpd. (The usual location for the conf file is /etc/httpd/conf/httpd.conf)
      <Location /net-policy-debug>
              SetHandler perl-script
              PerlHandler NetPolicy::htmlmanager
              PerlSetVar sql_user SQLUSER
              PerlSetVar sql_pass SQLPASS
              PerlSetVar debug 1
      </Location>
This will send debug output to /var/log/httpd/error_log.


Please send comments, suggestions or (heaven forbid) corrections to the net-policy-users mailing list.

Last modified: Wed Feb 5 10:36:21 EST 2003