SRX Services Gateway

Troubleshooting flow SRX

‎10-27-2008 02:01 AM

Troubleshooting flow

    trust-zone                 untrust-zone
      ge-0/0/1  [ SRX ]  ge-0/0/0

Flow debugging can be enabled as a traceoptions file in JUNOS-ES.
The traceoptions file can be viewed later or in real time.

Example commands to enable debugging and create the traceoptions file.
The file is stored under the /var/log/ directory:

root@sunnyvale# set security flow traceoptions file flow-trace
root@sunnyvale# set security flow traceoptions flag all
root@sunnyvale# commit

In this example, “flow-trace” is the filename

To view the file
root@sunnyvale# run file show /var/log/flow-trace
root@sunnyvale# run show log flow-trace

To view in real time (from configuration mode, operational commands need "run")
root@sunnyvale# run monitor start flow-trace

To clear the logs
root@sunnyvale# run clear log flow-trace

Creating flow filters:

Flow filters can be created to match
1.    Source IP address
2.    Source Port
3.    Destination IP address
4.    Destination port
5.    Protocol
6.    Interface

Configuring a flow filter:
root@sunnyvale# set security flow traceoptions packet-filter f0 destination-port 80 destination-prefix

In this example, “f0” is the name of the filter.

Below is an example of a device in the trust zone initiating a ping to a device in the untrust zone:

Sep 11 05:35:09 05:35:08.1004550:CID-0:RT:
****<>;1> : <trust/ge-0/0/1.0> packet [60] ipid = 60188, @48d8f8ce ****
Sep 11 05:35:09 05:35:08.1004574:CID-0:RT:  ge-0/0/1.0:>, icmp, (8/0)
Sep 11 05:35:09 05:35:08.1004580:CID-0:RT: find flow: table 0x4a93bcb8, hash 133743(0x3ffff), sa, da, sp 2816, dp 768, proto 1, tok 10
Sep 11 05:35:09 05:35:08.1004597:CID-0:RT:  flow_first_sanity_check: in <ge-0/0/1.0>, out <N/A>
Sep 11 05:35:09 05:35:08.1004608:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A>
Sep 11 05:35:09 05:35:08.1004611:CID-0:RT:  flow_first_in_dst_nat: dst_adr 0x01010101, lports 0x0003000b
Sep 11 05:35:09 05:35:08.1004618:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
Sep 11 05:35:09 05:35:08.1004622:CID-0:RT:  flow_first_routing: Before route-lookup ifp: in <ge-0/0/1.0>, out <N/A>
Sep 11 05:35:09 05:35:08.1004626:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 6402010a, x_dst_ip 1010101, ifp ge-0/0/1.0, sp 11, dp 3, i
Sep 11 05:35:09 05:35:08.1004636:CID-0:RT:Doing DESTINATION addr route-lookup
Sep 11 05:35:09 05:35:08.1004639:CID-0:RT:flow_ipv4_rt_lkup in VR-id: 0
Sep 11 05:35:09 05:35:08.1004646:CID-0:RT:flow_ipv4_rt_lkup: Found route entry 0x0x53b264d8,nh id 0x1ce, out if 0x43
Sep 11 05:35:09 05:35:08.1004654:CID-0:RT:flow_ipv4_rt_lkup: nh word 0x30010
Sep 11 05:35:09 05:35:08.1004659:CID-0:RT:Route-lookup for, yielded: iifl 0x44, oifl 0x43
Sep 11 05:35:09 05:35:08.1004666:CID-0:RT:Doing SOURCE addr route-lookup
Sep 11 05:35:09 05:35:08.1004669:CID-0:RT:flow_ipv4_rt_lkup in VR-id: 0
Sep 11 05:35:09 05:35:08.1004672:CID-0:RT:flow_ipv4_rt_lkup: Found route entry 0x0x53b26cbc,nh id 0x1cf, out if 0x44
Sep 11 05:35:09 05:35:08.1004679:CID-0:RT:flow_ipv4_rt_lkup: nh word 0x40010
Sep 11 05:35:09 05:35:08.1004683:CID-0:RT:Route-lookup for, yielded: iifl 0x44, oifl 0x44
Sep 11 05:35:09 05:35:08.1004689:CID-0:RT:  routed (x_dst_ip from ge-0/0/1.0 (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop:
Sep 11 05:35:09 05:35:08.1004696:CID-0:RT:  policy search from zone (trust) 6-> zone (untrust) 7
Sep 11 05:35:09 05:35:08.1004703:CID-0:RT:   policy found 2
Sep 11 05:35:09 05:35:08.1004705:CID-0:RT:Permitted by policy 2
Sep 11 05:35:09 05:35:08.1004711:CID-0:RT:No src xlate
Sep 11 05:35:09 05:35:08.1004713:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if
Sep 11 05:35:09 05:35:08.1004717:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr:, rtt_idx:0
Sep 11 05:35:09 05:35:08.1004723:CID-0:RT: Using app_id from service lookup 0
Sep 11 05:35:09 05:35:08.1004726:CID-0:RT:  session application type 0, name (null),  timeout 60sec, alg 0
Sep 11 05:35:09 05:35:08.1004731:CID-0:RT:  service lookup identified service 0.
Sep 11 05:35:09 05:35:08.1004735:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
Sep 11 05:35:09 05:35:08.1004739:CID-0:RT:In flow_first_create_session

Follow me on Twitter @anwar_raheel

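Added example (not code from the post above or from Juniper): a small parser that turns a flow trace like the one shown into one verdict line per packet, pulling out the decision points the post walks through (ingress interface, route lookup, zone pair, policy hit, permit, session creation). It keys only on message strings visible in the trace above; the "denied by policy ..." line and the second sample packet (an inbound TCP/23 attempt from untrust) are constructed assumptions added to show what a dropped packet looks like next to a permitted one.

```python
#!/usr/bin/env python3
"""Summarise SRX 'security flow traceoptions' output per packet.

Added example, not the post's or Juniper's code. Keyed on the strings in the
post's trace; the 'denied by policy' format is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the post's trace. Addresses (sa, da) were blank
# in the original and stay blank; the second packet is invented (deny path).
SAMPLE_TRACE = """\
Sep 11 05:35:09 05:35:08.1004550:CID-0:RT:
****<>;1> : <trust/ge-0/0/1.0> packet [60] ipid = 60188, @48d8f8ce ****
Sep 11 05:35:09 05:35:08.1004574:CID-0:RT:  ge-0/0/1.0:>, icmp, (8/0)
Sep 11 05:35:09 05:35:08.1004580:CID-0:RT: find flow: table 0x4a93bcb8, hash 133743(0x3ffff), sa, da, sp 2816, dp 768, proto 1, tok 10
Sep 11 05:35:09 05:35:08.1004597:CID-0:RT:  flow_first_sanity_check: in <ge-0/0/1.0>, out <N/A>
Sep 11 05:35:09 05:35:08.1004689:CID-0:RT:  routed (x_dst_ip from ge-0/0/1.0 (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop:
Sep 11 05:35:09 05:35:08.1004696:CID-0:RT:  policy search from zone (trust) 6-> zone (untrust) 7
Sep 11 05:35:09 05:35:08.1004703:CID-0:RT:   policy found 2
Sep 11 05:35:09 05:35:08.1004705:CID-0:RT:Permitted by policy 2
Sep 11 05:35:09 05:35:08.1004711:CID-0:RT:No src xlate
Sep 11 05:35:09 05:35:08.1004735:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
Sep 11 05:35:09 05:35:08.1004739:CID-0:RT:In flow_first_create_session
Sep 11 05:35:12 05:35:11.2000100:CID-0:RT:
****<>;1> : <untrust/ge-0/0/0.0> packet [60] ipid = 4242, @48d8f900 ****
Sep 11 05:35:12 05:35:11.2000120:CID-0:RT: find flow: table 0x4a93bcb8, hash 4711(0x3ffff), sa, da, sp 0, dp 23, proto 6, tok 10
Sep 11 05:35:12 05:35:11.2000130:CID-0:RT:  flow_first_sanity_check: in <ge-0/0/0.0>, out <N/A>
Sep 11 05:35:12 05:35:11.2000140:CID-0:RT:  policy search from zone (untrust) 7-> zone (trust) 6
Sep 11 05:35:12 05:35:11.2000150:CID-0:RT:  denied by policy default-policy-00(2), dropping pkt
"""

# Message patterns; all but DENY appear verbatim in the post's trace.
PACKET_START = re.compile(r"\*{4}<.*?> : <(?P<zone>[^/>]+)/(?P<ifc>[^>]+)> packet \[(?P<length>\d+)\]")
FIND_FLOW = re.compile(r"find flow:.*?\bsp (?P<sp>\d+), dp (?P<dp>\d+), proto (?P<proto>\d+)")
SANITY = re.compile(r"flow_first_sanity_check: in <(?P<ingress>[^>]+)>")
ROUTED = re.compile(r"\brouted \(.*? to (?P<egress>[^,\s]+),")
POLICY_SEARCH = re.compile(r"policy search from zone \((?P<src>[^)]+)\) \d+-> zone \((?P<dst>[^)]+)\) \d+")
POLICY_FOUND = re.compile(r"policy found (?P<pid>\d+)")
PERMIT = re.compile(r"Permitted by policy (?P<pid>\d+)")
DENY = re.compile(r"denied by policy (?P<pname>[^\s,]+)", re.IGNORECASE)  # assumed format
FINAL = re.compile(r"flow_first_final_check: in <[^>]+>, out <(?P<egress>[^>]+)>")
SESSION = re.compile(r"flow_first_create_session")


@dataclass
class PacketVerdict:
    ingress_zone: str = ""
    ingress_if: str = ""
    egress_if: str = ""
    proto: Optional[int] = None
    src_port: Optional[int] = None   # raw values as printed by 'find flow'
    dst_port: Optional[int] = None
    from_zone: str = ""
    to_zone: str = ""
    policy: str = ""
    verdict: str = "unknown"         # permit / deny / unknown (trace cut short)
    session_created: bool = False


def parse_flow_trace(text: str) -> List[PacketVerdict]:
    """Split the trace at each '****<...> packet' marker and collect decision points."""
    packets: List[PacketVerdict] = []
    cur: Optional[PacketVerdict] = None
    for line in text.splitlines():
        m = PACKET_START.search(line)
        if m:
            cur = PacketVerdict(ingress_zone=m["zone"], ingress_if=m["ifc"])
            packets.append(cur)
            continue
        if cur is None:
            continue  # lines before the first marker carry no packet state
        if m := FIND_FLOW.search(line):
            cur.src_port, cur.dst_port, cur.proto = int(m["sp"]), int(m["dp"]), int(m["proto"])
        elif m := SANITY.search(line):
            cur.ingress_if = m["ingress"]
        elif m := ROUTED.search(line):
            cur.egress_if = m["egress"]
        elif m := POLICY_SEARCH.search(line):
            cur.from_zone, cur.to_zone = m["src"], m["dst"]
        elif m := POLICY_FOUND.search(line):
            cur.policy = m["pid"]
        elif m := PERMIT.search(line):
            cur.policy, cur.verdict = m["pid"], "permit"
        elif m := DENY.search(line):
            cur.policy, cur.verdict = m["pname"], "deny"
        elif m := FINAL.search(line):
            cur.egress_if = m["egress"]
        elif SESSION.search(line):
            cur.session_created = True
    return packets


def summarize(packets: List[PacketVerdict]) -> List[str]:
    """One line per packet; an empty input usually means the packet-filter never matched."""
    if not packets:
        return ["no packet markers found: check the packet-filter and that traceoptions were committed"]
    lines = []
    for p in packets:
        zones = f"{p.from_zone}->{p.to_zone}" if p.from_zone else "no policy lookup"
        lines.append(f"proto={p.proto} sport={p.src_port} dport={p.dst_port} "
                     f"in={p.ingress_zone}/{p.ingress_if} out={p.egress_if or '?'} "
                     f"zones={zones} policy={p.policy or '-'} verdict={p.verdict} "
                     f"session={'created' if p.session_created else 'none'}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_flow_trace(SAMPLE_TRACE)):
        print(line)
```

Feed it the saved file ("run file show /var/log/flow-trace" copied off the box) rather than a live monitor stream; with "flag all" and no packet-filter the trace grows quickly, so keep a packet-filter on while collecting, and treat an empty summary as "the filter did not match" before suspecting the policy.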

Re: Troubleshooting flow SRX

‎07-30-2011 03:35 AM

Good post.

Are there any enhancements done for the traceoption flow logs to give more understanding and a debugging perspective?