SRX Services Gateway

Troubleshooting flow SRX

‎10-27-2008 02:01 AM

Troubleshooting flow


    trust-zone   10.1.2.1/24     1.1.1.3/24     untrust-zone
         PC==========DUT==========SERVER
                         ge-0/0/1     ge-0/0/0

Flow debugging can be enabled as a traceoptions file in JUNOS-ES.
The traceoptions file can be viewed later or in real time.

Example commands to enable debugging and create the traceoptions file.
The file is stored under the /var/log/ directory:

[edit]
root@sunnyvale# set security flow traceoptions file flow-trace
root@sunnyvale# set security flow traceoptions flag all

In this example, “flow-trace” is the filename.

To view the file:
[edit]
root@sunnyvale# run file show /var/log/flow-trace
or
root@sunnyvale# run show log flow-trace

To view in real time:
[edit]
root@sunnyvale# run monitor start flow-trace

To clear the logs:
root@sunnyvale# run clear log flow-trace



Creating flow filters:

Flow filters can be created to match
1.    Source IP address
2.    Source Port
3.    Destination IP address
4.    Destination port
5.    Protocol
6.    Interface


Configuring a flow filter:
[edit]
root@sunnyvale# set security flow traceoptions packet-filter f0 destination-port 80 destination-prefix 1.1.1.1/32

In this example “f0” is the name of the filter.


Below is an example of a device 10.1.2.100 in the trust zone initiating a ping to device 1.1.1.1 in the untrust zone:


Sep 11 05:35:09 05:35:08.1004550:CID-0:RT:
****<10.1.2.100/2048->1.1.1.1/16220;1> : <trust/ge-0/0/1.0> packet [60] ipid = 60188, @48d8f8ce ****
Sep 11 05:35:09 05:35:08.1004574:CID-0:RT:  ge-0/0/1.0:10.1.2.100->1.1.1.1, icmp, (8/0)
Sep 11 05:35:09 05:35:08.1004580:CID-0:RT: find flow: table 0x4a93bcb8, hash 133743(0x3ffff), sa 10.1.2.100, da 1.1.1.1, sp 2816, dp 768, proto 1, tok 10
Sep 11 05:35:09 05:35:08.1004597:CID-0:RT:  flow_first_sanity_check: in <ge-0/0/1.0>, out <N/A>
Sep 11 05:35:09 05:35:08.1004608:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A>
Sep 11 05:35:09 05:35:08.1004611:CID-0:RT:  flow_first_in_dst_nat: dst_adr 0x01010101, lports 0x0003000b
Sep 11 05:35:09 05:35:08.1004618:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
Sep 11 05:35:09 05:35:08.1004622:CID-0:RT:  flow_first_routing: Before route-lookup ifp: in <ge-0/0/1.0>, out <N/A>
Sep 11 05:35:09 05:35:08.1004626:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 6402010a, x_dst_ip 1010101, ifp ge-0/0/1.0, sp 11, dp 3, i
Sep 11 05:35:09 05:35:08.1004636:CID-0:RT:Doing DESTINATION addr route-lookup
Sep 11 05:35:09 05:35:08.1004639:CID-0:RT:flow_ipv4_rt_lkup in VR-id: 0
Sep 11 05:35:09 05:35:08.1004646:CID-0:RT:flow_ipv4_rt_lkup: Found route entry 0x0x53b264d8,nh id 0x1ce, out if 0x43
Sep 11 05:35:09 05:35:08.1004654:CID-0:RT:flow_ipv4_rt_lkup: nh word 0x30010
Sep 11 05:35:09 05:35:08.1004659:CID-0:RT:Route-lookup for 1.1.1.1, yielded: iifl 0x44, oifl 0x43
Sep 11 05:35:09 05:35:08.1004666:CID-0:RT:Doing SOURCE addr route-lookup
Sep 11 05:35:09 05:35:08.1004669:CID-0:RT:flow_ipv4_rt_lkup in VR-id: 0
Sep 11 05:35:09 05:35:08.1004672:CID-0:RT:flow_ipv4_rt_lkup: Found route entry 0x0x53b26cbc,nh id 0x1cf, out if 0x44
Sep 11 05:35:09 05:35:08.1004679:CID-0:RT:flow_ipv4_rt_lkup: nh word 0x40010
Sep 11 05:35:09 05:35:08.1004683:CID-0:RT:Route-lookup for 10.1.2.100, yielded: iifl 0x44, oifl 0x44
Sep 11 05:35:09 05:35:08.1004689:CID-0:RT:  routed (x_dst_ip 1.1.1.1) from ge-0/0/1.0 (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: 1.1.1.1
Sep 11 05:35:09 05:35:08.1004696:CID-0:RT:  policy search from zone (trust) 6-> zone (untrust) 7
Sep 11 05:35:09 05:35:08.1004703:CID-0:RT:   policy found 2
Sep 11 05:35:09 05:35:08.1004705:CID-0:RT:Permitted by policy 2
Sep 11 05:35:09 05:35:08.1004711:CID-0:RT:No src xlate
Sep 11 05:35:09 05:35:08.1004713:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if
Sep 11 05:35:09 05:35:08.1004717:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 1.1.1.1, rtt_idx:0
Sep 11 05:35:09 05:35:08.1004723:CID-0:RT: Using app_id from service lookup 0
Sep 11 05:35:09 05:35:08.1004726:CID-0:RT:  session application type 0, name (null),  timeout 60sec, alg 0
Sep 11 05:35:09 05:35:08.1004731:CID-0:RT:  service lookup identified service 0.
Sep 11 05:35:09 05:35:08.1004735:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
Sep 11 05:35:09 05:35:08.1004739:CID-0:RT:In flow_first_create_session

Follow me on Twitter @anwar_raheel

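As an added example (not part of the original post, and not a Junos tool), the following Python script reduces a flow traceoptions excerpt like the one above to the first-packet decisions a troubleshooter looks for: ingress interface and addresses, the route result, the zone pair, the policy verdict, source NAT and session creation. The sample trace is constructed from lines in the post; the "denied by policy" pattern is an assumption, since the post only shows the permitted case.

```python
import re

# Constructed sample modelled on the trace in the post above; it is not the original output.
SAMPLE_TRACE = """\
Sep 11 05:35:09 05:35:08.1004574:CID-0:RT:  ge-0/0/1.0:10.1.2.100->1.1.1.1, icmp, (8/0)
Sep 11 05:35:09 05:35:08.1004597:CID-0:RT:  flow_first_sanity_check: in <ge-0/0/1.0>, out <N/A>
Sep 11 05:35:09 05:35:08.1004689:CID-0:RT:  routed (x_dst_ip 1.1.1.1) from ge-0/0/1.0 (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: 1.1.1.1
Sep 11 05:35:09 05:35:08.1004696:CID-0:RT:  policy search from zone (trust) 6-> zone (untrust) 7
Sep 11 05:35:09 05:35:08.1004703:CID-0:RT:   policy found 2
Sep 11 05:35:09 05:35:08.1004705:CID-0:RT:Permitted by policy 2
Sep 11 05:35:09 05:35:08.1004711:CID-0:RT:No src xlate
Sep 11 05:35:09 05:35:08.1004739:CID-0:RT:In flow_first_create_session
"""

# Every trace line is "<syslog time> <flow time>:CID-<n>:RT:<message>"; keep the message only.
LINE_RE = re.compile(r"^\S+ \d+ \S+ \S+:CID-\d+:RT:\s*(.*)$")
# First-packet decisions that appear in the post's trace.
PACKET_RE = re.compile(r"^(\S+):(\S+)->(\S+), (\w+),")
ROUTED_RE = re.compile(r"routed \(x_dst_ip \S+\) from (\S+) .*? to (\S+), Next-hop: (\S+)")
ZONES_RE = re.compile(r"policy search from zone \((\S+)\) \d+-> zone \((\S+)\)")
# "denied" is assumed for the drop case; the post only shows a permitted packet.
VERDICT_RE = re.compile(r"^(Permitted|[Dd]enied) by policy (\S+)")

def summarize_first_packet(trace: str) -> dict:
    """Reduce a flow traceoptions excerpt to the decisions taken for the first packet."""
    summary = {"verdict": None, "policy": None, "src_nat": None, "session_created": False}
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banners, wrapped text and other non-trace lines are skipped
        msg = m.group(1)
        if (p := PACKET_RE.match(msg)):
            summary.update(in_if=p[1], src=p[2], dst=p[3], proto=p[4])
        elif (r := ROUTED_RE.search(msg)):
            summary.update(out_if=r[2], next_hop=r[3])
        elif (z := ZONES_RE.search(msg)):
            summary.update(from_zone=z[1], to_zone=z[2])
        elif (v := VERDICT_RE.match(msg)):
            summary["verdict"], summary["policy"] = v[1].lower(), v[2]
        elif msg.startswith("No src xlate"):
            summary["src_nat"] = False  # source NAT was evaluated and not applied
        elif "flow_first_create_session" in msg:
            summary["session_created"] = True
    return summary

if __name__ == "__main__":
    for key, value in summarize_first_packet(SAMPLE_TRACE).items():
        print(f"{key:16} {value}")
```

A filtered trace (see the packet-filter section above) keeps the excerpt short enough that this summary maps one-to-one onto the session being debugged.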

Re: Troubleshooting flow SRX

‎07-30-2011 03:35 AM

Good post.

Have any enhancements been made to the traceoptions flow logs to give a better understanding and debugging perspective?

alex.