When setting up a pair of firewall devices in an NSRP Active / Passive configuration, it is always a good idea to check or test if traffic is passing through the firewalls before fully deploying the configuration. This check should also be performed after testing the NSRP failover function.
This article is designed to provide a general idea of the commands that are helpful to confirm/monitor traffic running through a device.
The "snoop" function provides information about how a device deals with a packet. However, without a proper filter configured, the buffer log could be huge and it would be hard to focus on the flow that you may be interested in. An example of such a filter configuration is described below.
Setup
In the article, a host with IP address 1.1.1.1 is connected to interface ethernet1 in the Untrust zone, and another host with IP address 2.2.2.2 is connected to interface ethernet2 in the Trust zone (see diagram below).
Untrust                |                Trust
[PC1]-----------<eth1>[FW]<eth2>------------[PC2]
1.1.1.1                                    2.2.2.2
Notes to Consider
- Confirming whether traffic is passing through a device is usually done by monitoring at the application level on PC1 or PC2.
- In addition to debug and snoop, the interface statistics counter (which shows how many packets are coming in to and how many packets are going out from the device) provides helpful information for identifying the interface at which the traffic stops.
- Optionally, during the test, get session src-ip <PC1> dst-ip <PC2> can be issued to show the sessions of the traffic that you are interested in.
- Last, after the test finishes, it is recommended to redirect get dbuf stream via a TFTP server to a file when the size of dbuf is huge.
Check / Monitor Traffic
To initially prepare the device, unset any debugs and clear the debug buffer. For additional snoop information, consult: KB5411 - How do you use Snoop for Troubleshooting?
undebug all
clear dbuf
Set up snoop filters to narrow the data capture by using the following commands:
snoop filter ip src-ip 1.1.1.1 dst-ip 2.2.2.2
snoop filter ip src-ip 2.2.2.2 dst-ip 1.1.1.1
Verify the snoop setup:
snoop info
Monitor the interface counter before (and after) the test:
get counter statistics interface ethernet1 | include "in packets"
get counter statistics interface ethernet2 | include "in packets"
or in short:
get count sta int eth1 | i "in packet"
get count sta int eth2 | i "in packet"
Example: PING from PC1 to PC2 is the traffic that we are interested in. After 4 PING packets complete, both "in packets" and "out packets" will each increase by 4.
Before start of 4 PINGs
in packets 1746 | out packets 469 | late frame 0
in packets 1746 | out packets 469 | tear drop 0
After 4 PINGs complete
in packets 1750 | out packets 473 | late frame 0
in packets 1750 | out packets 473 | tear drop 0
Enter the command "snoop" to start capturing data.
snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n Y
Generate traffic through the firewall device. Typically pinging from PC1 to PC2 will work, but if ping is blocked then run any other application between PC1 and PC2.
To monitor related session during the test, run the command shown below.
get session src-ip 1.1.1.1 dst-ip 2.2.2.2
get session src-ip 2.2.2.2 dst-ip 1.1.1.1
If a session is not displayed in the output, traffic is not passing through the device. A policy could be blocking the traffic. Troubleshoot why the traffic is not passing.

Stop the snoop trace and view the log after the test:
snoop off
get dbuf stream
(or when the dbuf size is large (i.e. if 'set db size' is set to 4096))
get dbuf stream > tftp [IP address] [Filename]
Sample Output
11763889.0: ethernet1(i) len=74:0015582744c2->0010db739082/0800
1.1.1.1 -> 2.2.2.2/1
vhl=45, tos=00, id=61429, frag=0000, ttl=128 tlen=60
icmp:type=8, code=0
11763889.0: ethernet2(o) len=74:0010db739081->00005e000881/0800
1.1.1.1 -> 2.2.2.2/1
vhl=45, tos=00, id=61429, frag=0000, ttl=127 tlen=60
icmp:type=8, code=0
In the Sample Output above, the ICMP packet with ID 61429 is coming in interface ethernet1 and going out interface ethernet2.
Note: On ISG-1000, ISG-2000, and NS-5000 devices, you will not see the outgoing packet in the Snoop output for TCP-based applications because the session is running in the ASIC; this is expected behavior so you may need an external packet sniffer to see those packets. However, you will see the outgoing packet on these devices for ICMP sessions.
For additional assistance with reading the Snoop output, consult KB6708 - How do I interpret the snoop output?
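To show what the Sample Output above expresses when a whole capture is read, here is an added example (not part of the original article) that parses 'get dbuf stream' records in the format shown, pairs the ingress (i) and egress (o) copy of each packet of the PC1 -> PC2 flow by IP id, and checks that the TTL was decremented by one on the way out. The sample capture is constructed: it repeats the article's packet with id 61429 and adds a second request (id 61430) that is only seen arriving on ethernet1, which is how a packet the firewall did not forward looks in the buffer.

```python
import re
from collections import defaultdict
# Constructed 'get dbuf stream' excerpt in the format shown in this article:
# id 61429 is seen in on ethernet1 and out on ethernet2 (forwarded, TTL 128->127);
# id 61430 is only seen arriving on ethernet1, i.e. the device did not forward it.
SAMPLE_DBUF = """\
11763889.0: ethernet1(i) len=74:0015582744c2->0010db739082/0800
1.1.1.1 -> 2.2.2.2/1
vhl=45, tos=00, id=61429, frag=0000, ttl=128 tlen=60
icmp:type=8, code=0
11763889.0: ethernet2(o) len=74:0010db739081->00005e000881/0800
1.1.1.1 -> 2.2.2.2/1
vhl=45, tos=00, id=61429, frag=0000, ttl=127 tlen=60
icmp:type=8, code=0
11763890.0: ethernet1(i) len=74:0015582744c2->0010db739082/0800
1.1.1.1 -> 2.2.2.2/1
vhl=45, tos=00, id=61430, frag=0000, ttl=128 tlen=60
icmp:type=8, code=0
"""
REC = re.compile(r"^\S+: (?P<iface>\S+)\((?P<dir>[io])\) len=\d+:")  # record header
IPS = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+)/(?P<proto>\d+)")      # addresses/proto
HDR = re.compile(r"id=(?P<id>\d+),.*ttl=(?P<ttl>\d+)")                  # IP header fields

def parse_dbuf(text):
    """Return one dict per snoop record: iface, dir, src, dst, proto, id, ttl."""
    pkts, cur = [], None
    for line in text.splitlines():
        m = REC.match(line)
        if m:                          # a header line starts a new record
            cur = m.groupdict()
            pkts.append(cur)
        elif cur is not None:          # following lines belong to that record
            for rx in (IPS, HDR):
                if (m := rx.search(line)):
                    cur.update(m.groupdict())
    return pkts

def trace_flow(pkts, src, dst):
    """Return {ip_id: (in_iface, out_iface or None, forwarded_with_ttl_decrement)}."""
    by_id = defaultdict(dict)
    for p in pkts:
        if p.get("src") == src and p.get("dst") == dst and "id" in p:
            by_id[int(p["id"])][p["dir"]] = p
    result = {}
    for ip_id, seen in sorted(by_id.items()):
        i, o = seen.get("i"), seen.get("o")
        if i is not None:              # only packets that actually arrived
            forwarded = o is not None and int(o["ttl"]) == int(i["ttl"]) - 1
            result[ip_id] = (i["iface"], o["iface"] if o else None, forwarded)
    return result
```

A packet reported with no egress copy is a candidate for the policy or routing check described above, except on the ASIC platforms named in the Note, where a missing egress record for TCP traffic is expected.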
Check the interface counters once again (as before the test) and confirm that the IN and OUT packet counts have incremented.
get counter statistics interface ethernet1 | include "in packets"
get counter statistics interface ethernet2 | include "in packets"
2020-09-15: Article checked for accuracy; article valid and relevant; no changes required