Knowledge Search


×
 

[J/SRX] How to check and interpret 'flow sessions' installed in the SRX when troubleshooting NAT

  [KB21719] Show Article Properties


Summary:

This article describes the procedure for checking 'flow sessions' and how to interpret them when troubleshooting NAT.

The Resolution Guide for SRX NAT refers to this article.

Symptoms:

Goals:

Solution:

Let's assume that the flow session you are trying to find has the following attributes: 

  • Source IP:  192.168.5.12
  • Destination IP:  3.3.3.3
  • Protocol:  SSH
  • Source IP should be NAT'd to:  1.1.1.1   (i.e. 192.168.5.12 to 1.1.1.1)



Enter the following command to display the flow session for that particular source IP and destination IP address:

 user@srx> show security flow session source-prefix 192.168.5.12 destination-prefix 3.3.3.3 protocol tcp

The output of the command may look like this:

Session ID: 1234, Policy name: tcp-policy/1, Timeout: 1750, Valid
  In: 192.168.5.12/33758 --> 3.3.3.3/22;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 92 ##Ingress wing
  Out: 3.3.3.3/22 --> 1.1.1.1/49520;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 52 ##Egress wing

Summary of the 'flow session' output:

  • The (In:) line of the output, also referred to as the ingress wing, means:
    The packet is coming into the SRX device (ingress) via the ge-0/0/0 interface with a source IP address of 192.168.5.12 and is destined for the IP address 3.3.3.3.

  • The (Out:) line of the output, also referred to as the egress wing, means:
    The reply to the firewall (egress) is via the ge-1/0/0 interface and has a source IP address of 3.3.3.3 and is destined for the IP address 1.1.1.1.

  • Therefore, based on these two 'wings', you can conclude that the source IP address was translated from 192.168.5.12 to 1.1.1.1.


Explanation of the 'flow session' output fields:

Session info:

Session Identifier = 1234
Security Policy used for this session = tcp-policy
Timeout value = 1800 Seconds
State of session = Valid

(In:) line (Ingress wing): This contains information on how the client packet looks when it enters the SRX ingress interface ge-0/0/0.0 and how many packets have passed on the session.

Incoming interface = ge-0/0/0.0
With Source IP/source port = 192.168.5.12/33758
and destination IP/destination port = 3.3.3.3/22
Pkts (packets received) = 2 with total bytes = 92

(Out:) line (Egress wing): This contains information on how the return packets should look, what interface they should arrive on, and how many packets have passed on the session.

Incoming interface = ge-1/0/0.0
With the Source IP/Source Port = 3.3.3.3/22
and destination IP/destination port = 1.1.1.1/49520 ##The Source IP/port = 192.168.5.12/33758 in the ingress wing has been source NAT'd to Source IP/port = 1.1.1.1/49520
Pkts = 1 with total bytes = 52



Note: If (Out:) line (Egress wing) doesn't show any packet, it could be because of the following reasons:

  1. Reply doesn't arrive at the SRX from destination host.
  2. Traffic arrives at the SRX in an asymmetric fashion. Asymmetric traffic occurs when packets egress an interface towards a destination from one interface but the replies from the same destination arrive at the SRX on a different interface. In such a scenario, the SRX will drop the traffic when the incoming interface is bound into a different security zone than the one that the egress interface belongs to. In order to confirm whether traffic is experiencing drops due to asymmetry, security flow traceoptions most be configured. Please refer to SRX Getting Started -- Troubleshooting Traffic Flows and Session Establishment on how to configure such traceoptions.

The state of the session is Valid and will be used to pass the traffic with an inactivity timeout value of 1750 seconds. As soon as another similar packet hits the session with the id = 1234, the timeout resets to the default value, unless a custom timeout value is set in the application definition.

For TCP default is 1800 Sec
For UDP it is 60 Sec


Other examples:


Flow session output for Destination NAT

In the following flow session output, the Destination IP 1.1.1.1 port 25 is translated to IP 192.168.2.1.

Session ID: 1235, Policy name: mail-policy/2, Timeout: 1800, Valid
In: 2.2.2.2/9898 --> 1.1.1.1/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 ##Ingress wing
Out: 192.168.2.1/25 --> 2.2.2.2/9898;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 124
##Egress wing


Flow session output for Static NAT



In the following flow session output, the Destination IP 1.1.1.2 is translated to the IP 192.168.5.1. Ports are not considered by this type of NAT.

Session ID: 1236, Policy name: mail-policy/2, Timeout: 1800, Valid
In: 2.2.2.2/2323 --> 1.1.1.2/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 ##Ingress wing
Out: 192.168.5.1/25 --> 2.2.2.2/2323;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 84
##Egress wing
Related Links: