Debug in CLI - Using Console to Access the Serial Port & Use Debug level 8 [PuTTY & TeraTerm]

This article shows how to use the CLI (command-line interface) over a console cable on a USG FLEX, a VPN firewall, an XGS switch or even a professional access point such as the WAX510D. It covers which console cable to use, how to log in and gain console access via PuTTY and TeraTerm, how to access the CLI from the Web GUI, and how to use the debug level 8 command [debug kernel console-level 8] to troubleshoot reboot and crash issues.

 

The command-line interface is a management interface that can be reached in several ways, including SSH and a serial (console) cable connection. This guide explains how to access the CLI (Command Line Interface) of your Zyxel device.

 

Table of Contents

1) Using the Console Cable

1.1 The Software

1.2 CLI-access via Console Cable (using TeraTerm)

1.3 CLI-access via Web GUI (Web Interface)

1.4 What devices will these methods work on?

1.5 What can I do with the CLI?

2) Debug the Firewall after Reboot/Crash Issues

 

1) Using the Console Cable

1.1 The Software

You can use terminal software such as PuTTY or TeraTerm. In this tutorial, we use PuTTY for SSH and TeraTerm for the console connection.

Disclaimer: We have no affiliation with either PuTTY or TeraTerm and showcase these programs for demonstration and learning purposes; use of these applications is at your own risk.

 

1.2 CLI-access via Console Cable (using TeraTerm)

Use a USB-to-RS232 connector cable (also known as a "serial connection" or "9-pin D-Sub") and connect it to your PC as well as to the router.

Some of our smaller firewalls have an RJ-45 console port instead of the RS232 port and ship with a console cable in the package.

The RS232 console port is found mostly on professional firewall and switch hardware, while the RJ-45 console port is used on our small business routers (such as the USG20W).

For USG FLEX H Series

Default console parameters

Speed: 115200 bps

Data Bits: 8

Parity: None

Stop Bit: 1

Flow Control: Off

LAN1 Interface: 192.168.168.1/24

RJ-45 to DB-9 Rollover Cable -> Change Console Cable pin-out to general 

* USG FLEX H Console Cable is not compatible with ATP/USG FLEX Series Console cable

 

Now that the hardware side of things is clarified, let's move back to the software side.

You might have to install additional drivers that came with the USB-to-RS232 cable, or generic drivers. Once this is done, in most cases a "COM" interface is listed in your Device Manager.

Once this is done, download TeraTerm using the above-listed link and install the application.

When TeraTerm starts, you are prompted to choose the connection type. Select the serial input and choose the COM interface previously listed in the Device Manager.

Then open the menu

Setup > Serial port

In this menu, you can change various settings for the serial port communication. We are, however, only interested in the speed; the rest stays at the defaults.

The speed is measured in baud and is also referred to as the baud rate. Many of our switches have a default baud rate of 9600, while all firewalls and access points in our portfolio have a baud rate of 115200. Choose 115200 and click "New Setting" to save the settings. Back in the console window (the black screen), press any key to reinitialize communication with the new baud rate. You can then enter your firewall's username and password (the password shows no characters as you type, so simply carry on typing and press "Enter" once you are done). Afterwards, you should be logged in to the unit, which is indicated by the prompt

Router>

You can now start entering CLI commands, which are documented in the CLI reference guide, available via https://download.zyxel.com.

 

 

1.2 CLI-access via SSH (using PuTTY)

Download PuTTY via the above link and start the application. In the Hostname field, enter the IP address of the firewall (usually the LAN1 interface, which by default is 192.168.1.1). Leave the port at 22 and the access method at its default, SSH, and confirm by clicking the "Open" button.

Open Session -> Logging and adjust the logging settings so that the commands you enter and their output are written to a file.

If you have not changed the certificate of the firewall, you will most likely receive a warning message at this point.

The reason for this is that the firewall uses self-generated key fingerprints as well as self-signed certificates. This is no reason for concern; proceed by clicking "Yes", "Accept", or similar. You should then be able to log in with the admin username and the password of the admin account (by default 1234); a successful login is again indicated by this line:

Router>

As before, you can now proceed to type in different CLI commands.

 

1.3 CLI-access via Web GUI (Web Interface)

Many devices, especially our firewall portfolio, now also allow you to access the command line interface via a web browser. For this, log on to the unit and click the leftmost icon in the top icon bar.

This enables you to access the device's CLI without any additional software.

 

1.4 What devices will these methods work on?

These methods of accessing the CLI work on nearly all of our professional devices: the NWA/WAC/WAX series for access points, (X)GS1350/1900/1920/1930/2210/2220/3800/4600 for switches, and nearly our entire current ZyWall/USG/USG FLEX/ATP/VPN portfolio. For most devices, the predecessor models can also be managed via CLI.

Please note: Due to a missing console connection on the AP, the AP CLI's accessibility is limited to SSH.

 

1.5 What can I do with the CLI?

The CLI allows for more detailed analysis and debugging via the relevant commands. It also offers quick checks such as packet traces, the firmware versions of the different partitions, and the currently applied configuration, among many other commands. A list of helpful commands is available here: Overview of Helpful CLI Commands for USG Series (Best Practice)

 

2) Debug the Firewall after Reboot/Crash Issues

For in-depth debugging, you can log your console output to a text file in a few easy steps. This section also helps you set up long-term debugging on Zyxel firewalls.

Enter your respective commands, then enter the following command for detailed debug logs:

debug kernel console-level 8

Leave the session open until you have logged the respective traffic (in this example, no issues occurred, so no log was created).

 

After you have captured or reproduced the issue and the debug logs have been generated, you can analyze them and close the PuTTY session.

Now you can open the text file you created; it shows all entered commands and their results.
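For long-term captures over the console cable, the same logging can be scripted. The following is an added example, not part of the original article and not Zyxel code: a small Python logger that opens the serial port with the 115200 8N1 settings given above, timestamps every line, and replaces control characters so the log stays plain text. It assumes the third-party pyserial package; the port name and log path are passed on the command line.

```python
import os
import time

def open_console(port, baud=115200):
    """Open the serial console with 8 data bits, no parity, 1 stop bit, no flow control."""
    import serial  # third-party pyserial; imported here so the rest runs without it
    return serial.Serial(port, baudrate=baud, bytesize=serial.EIGHTBITS,
                         parity=serial.PARITY_NONE, stopbits=serial.STOPBITS_ONE,
                         xonxoff=False, rtscts=False, timeout=1)

def sanitize(raw):
    """Decode one console line and replace control bytes (e.g. terminal escapes)."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    return "".join(ch if ch.isprintable() or ch == "\t" else "?" for ch in text)

def capture(stream, log_path, max_idle=None, clock=time.time):
    """Append timestamped console lines to log_path; return the number written.

    max_idle: stop after this many consecutive empty reads (None = until Ctrl+C).
    """
    # 0o600: the capture can contain configuration details, so keep it owner-only
    # (effective on POSIX; on Windows restrict the folder's permissions instead).
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    written, idle = 0, 0
    with os.fdopen(fd, "a", encoding="utf-8") as log:
        while max_idle is None or idle < max_idle:
            raw = stream.readline()
            if not raw:                 # read timed out, nothing on the line
                idle += 1
                continue
            idle = 0
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(clock()))
            log.write(f"{stamp} {sanitize(raw)}\n")
            log.flush()
            os.fsync(log.fileno())      # keep the lines if the logging PC goes down
            written += 1
    return written

if __name__ == "__main__":
    import sys
    # Usage: python console_log.py COM3 console.log   (file name is hypothetical)
    with open_console(sys.argv[1]) as console:
        try:
            capture(console, sys.argv[2])
        except KeyboardInterrupt:
            pass
```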
