
[J/SRX] How to check and interpret 'flow sessions' installed in the SRX when troubleshooting NAT


Article ID: KB21719 KB Last Updated: 15 Jun 2020Version: 4.0
Summary:

This article describes the procedure for checking 'flow sessions' and how to interpret them when troubleshooting NAT.

The Resolution Guide for SRX NAT refers to this article.


Symptoms:

Goals:

  • When troubleshooting a NAT issue in KB21611 - Resolution Guide – SRX - Troubleshoot Static NAT, you want to determine if there is a flow session installed on the SRX device for the particular Source IP and Destination IP in question.
  • You want to learn how to interpret the fields of a flow session.


Solution:

Let's assume that the flow session you are trying to find has the following attributes:

  • Source IP:  192.168.5.12
  • Destination IP:  3.3.3.3
  • Protocol:  SSH
  • Source IP should be NAT'd to:  1.1.1.1   (i.e. 192.168.5.12 to 1.1.1.1)

Enter the following command to display the flow session for that particular source IP and destination IP address:

 user@srx> show security flow session source-prefix 192.168.5.12 destination-prefix 3.3.3.3 protocol tcp

The output of the command may look like this:

Session ID: 1234, Policy name: tcp-policy/1, Timeout: 1750, Valid
  In: 192.168.5.12/33758 --> 3.3.3.3/22;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 92 ##Ingress wing
  Out: 3.3.3.3/22 --> 1.1.1.1/49520;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 52 ##Egress wing

Summary of the 'flow session' output:

  • The (In:) line of the output, which is also referred to as the ingress wing, means:

    The packet is coming into the SRX device (ingress) via the ge-0/0/0 interface with a source IP address of 192.168.5.12 and is destined for the IP address 3.3.3.3.

  • The (Out:) line of the output, also referred to as the egress wing, means:

    The reply enters the firewall via the ge-1/0/0 interface (the egress side of the original flow), has a source IP address of 3.3.3.3, and is destined for the IP address 1.1.1.1.

  • Therefore, based on these two "wings," you can conclude that the source IP address was translated from 192.168.5.12 to 1.1.1.1.

Explanation of the 'flow session' output fields:

Session info:

Session Identifier = 1234
Security Policy used for this session = tcp-policy
Timeout value = 1800 Seconds
State of session = Valid

(In:) line (Ingress wing): This contains information on how the client packet looks when it enters the SRX ingress interface ge-0/0/0.0 and how many packets have passed on the session.

Incoming interface = ge-0/0/0.0
With Source IP/source port = 192.168.5.12/33758
and destination IP/destination port = 3.3.3.3/22
Pkts (packets received) = 2 with total bytes = 92

(Out:) line (Egress wing): This contains information on how the return packets should look, what interface they should arrive on, and how many packets have passed on the session.

Incoming interface = ge-1/0/0.0
With the Source IP/Source Port = 3.3.3.3/22
and destination IP/destination port = 1.1.1.1/49520 ##The Source IP/port = 192.168.5.12/33758 in the ingress wing has been source NAT'd to Source IP/port = 1.1.1.1/49520
Pkts = 1 with total bytes = 52


Note: If the (Out:) line (egress wing) does not show any packets, one of the following is likely the cause:

  1. The reply from the destination host never arrives at the SRX device.
  2. Traffic arrives at the SRX device asymmetrically. Asymmetric traffic occurs when packets leave towards a destination through one interface but the replies from that destination arrive at the SRX device on a different interface. In such a scenario, the SRX device drops the traffic when the incoming interface is bound to a different security zone than the one the egress interface belongs to. To confirm whether traffic is being dropped because of asymmetry, security flow traceoptions must be configured. Refer to SRX Getting Started -- Troubleshooting Traffic Flows and Session Establishment for how to configure such traceoptions.

The state of the session is Valid, so it will be used to pass the traffic; the Timeout value of 1750 seconds is the inactivity time remaining on the session. As soon as another packet matching the session with ID 1234 hits it, the timeout resets to the default value, unless a custom timeout value is set in the application definition:

  • For TCP, the default is 1800 seconds.
  • For UDP, it is 60 seconds.

Other examples:


Flow session output for Destination NAT

In the following flow session output, the Destination IP 1.1.1.1 port 25 is translated to IP 192.168.2.1.

Session ID: 1235, Policy name: mail-policy/2, Timeout: 1800, Valid
In: 2.2.2.2/9898 --> 1.1.1.1/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 ##Ingress wing
Out: 192.168.2.1/25 --> 2.2.2.2/9898;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 124 ##Egress wing

Flow session output for Static NAT

In the following flow session output, the Destination IP 1.1.1.2 is translated to the IP 192.168.5.1. Ports are not considered by this type of NAT.

Session ID: 1236, Policy name: mail-policy/2, Timeout: 1800, Valid
In: 2.2.2.2/2323 --> 1.1.1.2/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 ##Ingress wing
Out: 192.168.5.1/25 --> 2.2.2.2/2323;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 84 ##Egress wing
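The wing comparison described in this article (ingress wing versus egress wing to spot a source or destination translation, and an egress wing with no packets to flag a missing reply) can be automated. The following is an added example, not part of this KB article or of Junos; it parses the 'show security flow session' text format shown above. The sample output is constructed from the sessions in this article, with the first session's egress packet count set to 0 to exercise the no-reply check.

```python
import re

# Constructed sample in the format of 'show security flow session' (Out wing of
# session 1234 deliberately shows Pkts: 0 to demonstrate the missing-reply case).
SAMPLE_OUTPUT = """\
Session ID: 1234, Policy name: tcp-policy/1, Timeout: 1750, Valid
  In: 192.168.5.12/33758 --> 3.3.3.3/22;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 92
  Out: 3.3.3.3/22 --> 1.1.1.1/49520;tcp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
Session ID: 1235, Policy name: mail-policy/2, Timeout: 1800, Valid
  In: 2.2.2.2/9898 --> 1.1.1.1/25;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84
  Out: 192.168.2.1/25 --> 2.2.2.2/9898;tcp, If: ge-1/0/0.0, Pkts: 1, Bytes: 124
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Return one dict per session, each holding its 'in' and 'out' wing dicts."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"id": int(m[1]), "policy": m[2],
                             "timeout": int(m[3]), "state": m[4]})
            continue
        w = WING_RE.search(line)
        if w and sessions:
            sessions[-1][w[1].lower()] = {
                "src": w[2], "sport": int(w[3]), "dst": w[4], "dport": int(w[5]),
                "proto": w[6], "iface": w[7], "pkts": int(w[8]), "bytes": int(w[9])}
    return sessions

def classify_nat(sess):
    """The Out wing is the reply, so its destination is the (possibly translated)
    client and its source is the (possibly translated) server."""
    i, o = sess["in"], sess["out"]
    findings = []
    if (o["dst"], o["dport"]) != (i["src"], i["sport"]):
        findings.append(f"source NAT {i['src']}/{i['sport']} -> {o['dst']}/{o['dport']}")
    if (o["src"], o["sport"]) != (i["dst"], i["dport"]):
        # Static NAT looks the same here: the address changes, the port does not.
        findings.append(f"destination (or static) NAT {i['dst']}/{i['dport']}"
                        f" -> {o['src']}/{o['sport']}")
    if o["pkts"] == 0:
        findings.append("no reply seen on egress wing (missing reply or asymmetric path)")
    return findings or ["no NAT"]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s["id"], s["state"], s["timeout"], classify_nat(s))
```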


Modification History:

2020-06-15: Article checked for accuracy; no changes made; article accurate and valid
