How can you debug Tectia Server in a production environment? I.e. you cannot shut down the main service for debugging purposes.

asked Feb 01 '12 at 12:48

SSH KB ♦

Sometimes you just cannot shut down the main Tectia Server service because there are thousands of end users who are using the service at each and every moment.

How can you then debug these production Tectia Server environments? We have two ways to debug the production Tectia Server deployments:


Linux/Unix (scroll down for Windows instructions):

1) If end users can connect directly to another port number than the default production Tectia Server port (i.e. there are no firewalls in the middle which would block the connection):

The solution in this first case is then very easy: you can just start another temporary Tectia Server service listener which will then run in debug mode on some temporary port number, and you will ask an end user to connect to this temporary port (i.e. port 222).

The Linux/Unix command to start the Tectia Server service in debug mode on a temporary port is as follows:

/opt/tectia/sbin/ssh-server-g3 -l 222 -f /etc/ssh2/ssh-server-config.xml 2>Tectia_Server_debug.txt

  • You can keep the main Tectia Server service running while doing this, no need to touch that service.
  • Debug log will be written to the .txt file in this case.

2) If there are firewalls between connecting clients and the Tectia Server machine and the firewalls will block SSH connections to other ports than 22, then we will do a small trick in order to get the debug output: we will tunnel the problematic end user connection via SSH tunnel and via main Tectia Server service to the debug mode Tectia Server listener, so there will be in total two Tectia Server services running at the same time on the same machine.

Here's how to do it:

A) Admin user will start another Tectia Server service (debug mode) to a temporary port

/opt/tectia/sbin/ssh-server-g3 -l 222 -f /etc/ssh2/ssh-server-config.xml 2>Tectia_Server_debug.txt

B) Admin user will then create an SSH tunnel that will tunnel end user's connection via main Tectia Server service to the debug mode Tectia Server service. This command is executed on admin user's workstation/laptop:

sshg3 -g -S -L 10000:localhost:222 admin@tectia.server.com
  • Admin user needs to be in the same network segment or a place where the end user can connect to the SSH tunnel.
  • Admin user should check that i.e. a personal firewall will not block incoming connections to the SSH tunnel.

C) The end user will then open the SSH connection normally, but to the admin user's laptop address and port number. The connection will be forwarded then via main Tectia Server service to the debug mode Tectia Server service. The admin user will then get Tectia Server's debug log from the connection attempt for further analysis.

Windows:

1) If end users can connect directly to another port number than the default production Tectia Server port (i.e. there are no firewalls in the middle which would block the connection):

The solution in this first case is then very easy: you can just start another temporary Tectia Server service listener which will then run in debug mode on some temporary port number, and you will ask an end user to connect to this temporary port (i.e. port 222).

  • You can keep the main Tectia Server service running while doing these operations!

A) Create debug mode Tectia Server service:

sc create DebugModeTectiaServer binPath= "\"C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server\ssh-server-g3.exe\" --start-service"

B) Modify created Tectia Server service to include debug options

  • You can find more information about debug option strings from here

C) Download + start debug view program in order to see debug log information from the Tectia Server service:

http://download.sysinternals.com/Files/DebugView.zip

D) Start the debug mode Tectia Server service

E) Ask the end user to connect to debug mode Tectia Server listener address

  • You should now see connection information and possible system level error messages in the debug view log.

2) If there are firewalls between connecting clients and the Tectia Server machine and the firewalls will block SSH connections to other ports than 22, then we will do a small trick in order to get the debug output: we will tunnel the problematic end user connection via SSH tunnel and via main Tectia Server service to the debug mode Tectia Server listener, so there will be in total two Tectia Server services running at the same time on the same machine.

Here's how to do it:

A) Start debug mode Tectia Server listener on Windows as shown in the previous step #1

B) Download + start the "Debug View" program to see the debug output

http://download.sysinternals.com/Files/DebugView.zip

C) Follow the instructions on how to create the SSH tunnel as shown in the Linux/Unix step #2B

sshg3 -g -S -L 10000:localhost:222 admin@tectia.server.com

D) Ask the end user to connect to Admin User's laptop address/port

Hopefully this will make your life easier!

--SamiM

answered Feb 02 '12 at 10:40

Sami Marttinen ♦
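
A follow-up check for the procedure in the answer above, as an added example that is not part of the original answer or of Tectia: the debug listener (port 222) and the `-g` tunnel (port 10000) are extra entry points while they run, so this script reads `ss -ltn` output and reports whether those ports are listening and whether they are bound beyond loopback. The function names are hypothetical and the sample `ss` output is constructed; `ss` is assumed to be available (Linux iproute2).

```shell
#!/bin/sh
# Added example: audit listening sockets for the temporary debug ports.

# stdin: output of `ss -ltn`; $1: comma-separated ports, e.g. "222,10000".
# Prints "address port scope" for every LISTEN socket on one of those ports.
temp_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (!(port in want)) next
            scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
            print addr, port, scope
        }'
}

# Succeeds (exit 0) only when none of the given ports is still listening.
# Run it after the debug session: ss -ltn | debug_ports_closed 222,10000
debug_ports_closed() {
    [ -z "$(temp_listeners "$1")" ]
}

# Constructed sample combining what the server (22, 222) and the admin
# workstation (10000, opened with -g) would show during a debug session.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:222        0.0.0.0:*
LISTEN 0      128    [::]:222           [::]:*
LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*
LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
EOF
}

sample_ss | temp_listeners 222,10000
```

On a live host, replace `sample_ss` with `ss -ltn`; once the debug listener and the tunnel have been stopped, `debug_ports_closed 222,10000` should succeed.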
All user contributed content licensed under the cc-by-sa license.