Knowledge Center Search


 

[J/SRX] How to check and interpret 'flow sessions' installed in the SRX when troubleshooting NAT

  [KB21719] Show KB Properties

  [KB21719] Hide KB Properties

Categories:
Knowledge Base ID: KB21719
Last Updated: 20 Aug 2014
Version: 2.0

Summary:

This article describes the procedure of checking the 'flow sessions' and how to interpret them when troubleshooting NAT.

The Resolution Guides for SRX NAT refer to this article.


Problem or Goal:

Goals:


Cause:

Solution:

Let's assume that the flow session you are trying to find has the following attributes: 

  • Source IP:  192.168.5.12
  • Destination IP:  3.3.3.3
  • Protocol:  icmp
  • Source IP should be NAT'd to:  1.1.1.1   (i.e. 192.168.5.12 to 1.1.1.1)



Enter the following command to display the flow session for that particular source IP and destination IP address:

 user@srx> show security flow session source-prefix 192.168.5.12 destination-prefix 3.3.3.3 protocol tcp

Resulting output of the command may look like this:

Session ID: 1234, Policy name: tcp-policy/1, Timeout: 1750, Valid
  In: 192.168.5.12/33758 --> 3.3.3.3/22;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 92 ##Ingress wing
  Out: 3.3.3.3/22 --> 1.1.1.1/49520;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 52 ##Egress wing

Summary of the 'flow session' output:

  • The (In:) line of the output, also referred to as the ingress wing, means:
    The packet is coming into the SRX device (ingress) via the ge-0/0/0 interface with a source IP address of 192.168.5.12 and is destined for the IP address 1.1.1.1.

  • The (Out:) line of the output, also referred to as the egress wing, means:
    The reply to the firewall (egress) is via the ge-1/0/0 interface and has a source IP address of 3.3.3.3 and is destined for the IP address 1.1.1.1.

  • Therefore, based on these two 'wings', you can conclude that the source IP address was translated from 192.168.5.12 to 1.1.1.1.


Explanation of the 'flow session' output fields:

Session info:

Session Identifier = 1234
Security Policy used for this session = tcp-policy
Timeout value = 60 Seconds
State of session = Valid

(In:) line (Ingress wing): This contains information on how the client packet looks when it enters the SRX ingress interface ge-0/0/0.0 and how many packets have passed on the session.

Incoming interface = ge-0/0/0.0
With Source IP/source port = 192.168.5.12/33758
and destination IP/destination port = 3.3.3.3/22
Pkts (packets received) = 2 with total bytes = 92

(Out:) line (Egress wing): This contains information on how the return packets should look, what interface they should arrive on, and how many packets have passed on the session.

Incoming interface = ge-1/0/0.0
With the Source IP/Source Port = 3.3.3.3/22
and destination IP/destination port = 1.1.1.1/49520 ##The Source IP/port = 192.168.5.12/33758 in the ingress wing has been source NAT'd to Source IP/port = 1.1.1.1/49520
Pkts = 1 with total bytes = 52

The state of the session is valid and will be used to pass the traffic with an inactivity timeout value of 1750 seconds. As soon as another similar packet hits the session with the id = 1234, the timeout resets to the default value.

For TCP default is 1800 Sec
For UDP it is 60 Sec


Other examples:


Flow session output for Destination NAT

In the following flow session output, the Destination IP 1.1.1.1 port 25 is translated to IP 192.168.2.1.

Session ID: 1235, Policy name: mail-policy/2, Timeout: 1800, Valid
In: 2.2.2.2/9898 --> 1.1.1.1/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 ##Ingress wing
Out: 192.168.2.1/25 --> 2.2.2.2/9898;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 124
##Egress wing


Flow session output for Static NAT



In the following flow session output, the Destination IP 1.1.1.2 is translated to the IP 192.168.5.1. Ports are not considered by this type of NAT.

Session ID: 1236, Policy name: mail-policy/2, Timeout: 1800, Valid
In: 2.2.2.2/2323 --> 1.1.1.2/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 ##Ingress wing
Out: 192.168.5.1/25 --> 2.2.2.2/2323;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 84
##Egress wing

 

 

 

Purpose:
Implementation
Troubleshooting

Related Links:

 

 

ASK THE KB

Question or KB ID:


 


 

 
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.