How to check and interpret the Flow Sessions installed in the SRX when troubleshooting NAT

Knowledge Base ID: KB21719
Last Updated: 30 Sep 2011
Version: 1.0

Summary:

This article describes how to display the flow sessions installed on an SRX device and how to interpret them when troubleshooting NAT.

The Resolution Guides for SRX NAT refer to this article.


Solution:

Let's assume that the flow session you are trying to find has the following attributes:

  • Source IP:  192.168.5.12
  • Destination IP:  3.3.3.3
  • Protocol:  icmp
  • Source IP should be NAT'd to:  1.1.1.1   (i.e. 192.168.5.12 to 1.1.1.1)

 
Enter the following command to display the flow session for that particular source IP and destination IP address:

 user@srx> show security flow session source-prefix 192.168.5.12 destination-prefix 3.3.3.3 protocol icmp

The output of the command may look like this:

Session ID: 1234, Policy name: icmp-policy/1, Timeout: 2, Valid
  In: 192.168.5.12/0 --> 3.3.3.3/6036;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 ##Ingress wing
  Out: 3.3.3.3/6036 --> 1.1.1.1/49520;icmp, If: ge-1/0/0.0, Pkts: 1, Bytes: 84 ##Egress wing



Summary of the 'flow session' output:

  • The (In:) line of the output, also referred to as the ingress wing, means:
    The packet enters the SRX device (ingress) via the ge-0/0/0 interface with a source IP address of 192.168.5.12 and is destined for the IP address 3.3.3.3.

  • The (Out:) line of the output, also referred to as the egress wing, means:
    The reply enters the SRX device via the ge-1/0/0 interface with a source IP address of 3.3.3.3 and is destined for the IP address 1.1.1.1, that is, for the translated address rather than for 192.168.5.12.

  • Therefore, based on these two 'wings', you can conclude that the source IP address was translated from 192.168.5.12 to 1.1.1.1 (and the source port from 0 to 49520). If the Out wing showed 192.168.5.12 as its destination instead, the source NAT rule was not applied to this session.


Explanation of the 'flow session' output fields:

Session info:

Session Identifier = 1234
Security Policy used for this session = icmp-policy (the number after the slash is the policy index)
Timeout value = 2 seconds
State of session = Valid

(In:) line (Ingress wing): This is how the packet looks when it enters the SRX ingress interface ge-0/0/0.0.

Incoming interface = ge-0/0/0.0
With Source IP/source port = 192.168.5.12/0
and destination IP/destination port = 3.3.3.3/6036
Pkts (packets received) = 1 with total bytes = 84

(Out:) line (Egress wing): This is how the reply packet is expected to look when it enters the SRX device on the egress interface ge-1/0/0.0 on its way back to the host. The wing is shown in the reply direction, so its destination is the translated source of the ingress wing.

Incoming interface = ge-1/0/0.0
With the Source IP/Source Port = 3.3.3.3/6036
and destination IP/destination port = 1.1.1.1/49520 ##The Source IP/port = 192.168.5.12/0 in the ingress wing has been source NAT'd to Source IP/port = 1.1.1.1/49520
Pkts = 1 with total bytes = 84

The state of the session is valid, so it is used to pass traffic in both directions, with a timeout value of 2 seconds. Each time another packet matches session 1234, the timeout is reset to the inactivity timeout of the application that the session matched. The defaults are:

For TCP it is 1800 seconds
For UDP it is 60 seconds
For ICMP the session above shows 2 seconds (confirm the value on your own release, as it was not verified for this article)



Other examples:



Example 1:  Flow session output for Destination NAT

In the following flow session output, the Destination IP 1.1.1.1 port 25 is translated to IP 192.168.2.1.

Session ID: 1235, Policy name: mail-policy/2, Timeout: 1800, Valid
In: 2.2.2.2/9898 --> 1.1.1.1/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 ##Ingress wing
Out: 192.168.2.1/25 --> 2.2.2.2/9898;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 124 ##Egress wing


Example 2:  Flow session output for Static NAT

In the following flow session output, the Destination IP 1.1.1.2 is translated to the IP 192.168.5.1. Ports are not considered by this type of NAT, so port 25 is unchanged on both wings.

Session ID: 1236, Policy name: mail-policy/2, Timeout: 1800, Valid
In: 2.2.2.2/2323 --> 1.1.1.2/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 ##Ingress wing
Out: 192.168.5.1/25 --> 2.2.2.2/2323;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 84 ##Egress wing
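The same reading rule covers the source NAT session in the Solution and both examples above: the original source is the In wing's source, the translated source is the Out wing's destination, the original destination is the In wing's destination, and the translated destination is the Out wing's source. The following Python script is an added example, not part of this article or of any Juniper tool: it parses the session lines quoted on this page (embedded as a constructed sample), reports which translation each session shows, and checks that a given source NAT actually took effect. The regular expressions, class and function names are this example's own assumptions about the output format shown above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the three sessions quoted in this article (source NAT,
# destination NAT and static NAT) in the format 'show security flow session' prints.
SAMPLE_OUTPUT = """\
Session ID: 1234, Policy name: icmp-policy/1, Timeout: 2, Valid
  In: 192.168.5.12/0 --> 3.3.3.3/6036;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84
  Out: 3.3.3.3/6036 --> 1.1.1.1/49520;icmp, If: ge-1/0/0.0, Pkts: 1, Bytes: 84
Session ID: 1235, Policy name: mail-policy/2, Timeout: 1800, Valid
  In: 2.2.2.2/9898 --> 1.1.1.1/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84
  Out: 192.168.2.1/25 --> 2.2.2.2/9898;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 124
Session ID: 1236, Policy name: mail-policy/2, Timeout: 1800, Valid
  In: 2.2.2.2/2323 --> 1.1.1.2/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84
  Out: 192.168.5.1/25 --> 2.2.2.2/2323;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 84
Total sessions: 3
"""

# Session header line. The optional groups are an assumption that tolerates the
# 'State: Active,' and 'Session State: Valid' wording some Junos releases print.
HEADER_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+),"
    r"(?: State: \w+,)? Timeout: (?P<timeout>\d+), (?:Session State: )?(?P<state>\w+)"
)
# One wing. For ICMP the 'port' fields carry the ICMP identifier/sequence, not a port.
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifc>[^,]+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<nbytes>\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifc: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: Dict[str, Wing]  # keyed "In" / "Out"


def parse_sessions(text: str) -> List[Session]:
    """Parse 'show security flow session' output into Session objects."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sessions.append(Session(int(m["sid"]), m["policy"], int(m["timeout"]), m["state"], {}))
            continue
        m = WING_RE.match(line)
        if m and sessions:
            sessions[-1].wings[m["dir"]] = Wing(
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["proto"], m["ifc"], int(m["pkts"]), int(m["nbytes"]))
    return sessions


def describe_nat(s: Session) -> str:
    """Read the translation off the two wings.

    The Out wing is the reply direction: original source = In.src, translated
    source = Out.dst; original destination = In.dst, translated destination = Out.src.
    A destination rewrite that keeps the port looks the same for destination NAT
    and static NAT, so it is reported as either.
    """
    i, o = s.wings.get("In"), s.wings.get("Out")
    if i is None or o is None:
        return "incomplete: session has only one wing"
    found = []
    if (i.src, i.sport) != (o.dst, o.dport):
        kind = "source NAT" if i.src != o.dst else "source port translation"
        found.append(f"{kind} {i.src}/{i.sport} -> {o.dst}/{o.dport}")
    if (i.dst, i.dport) != (o.src, o.sport):
        kind = "destination NAT" if i.dport != o.sport else "destination NAT or static NAT"
        found.append(f"{kind} {i.dst}/{i.dport} -> {o.src}/{o.sport}")
    return "; ".join(found) if found else "no translation"


def check_source_nat(s: Session, original_src: str, expected_src: str) -> bool:
    """True when the session shows original_src being source-NAT'd to expected_src."""
    i, o = s.wings.get("In"), s.wings.get("Out")
    return bool(i and o and i.src == original_src and o.dst == expected_src)


if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE_OUTPUT):
        print(f"Session {sess.sid} ({sess.policy}, timeout {sess.timeout}s, {sess.state}): "
              f"{describe_nat(sess)}")
```

Because a destination rewrite that preserves the port is indistinguishable in the session output whether it came from a destination NAT rule or a static NAT rule, the script reports both possibilities; on the device, 'show security nat destination rule all' or 'show security nat static rule all' shows which rule's hit counter incremented.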

Purpose:
Implementation
Troubleshooting

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.