[SRX] How to interpret Flow TraceOptions output for NAT troubleshooting

Article ID: KB21757   KB Last Updated: 29 Jun 2020   Version: 4.0
Summary:

This article describes the output of the Flow TraceOptions for NAT troubleshooting.

The Resolution Guides for SRX NAT refer to this article.

Symptoms:

While troubleshooting a NAT issue on the SRX, you may have to analyze the Flow Traceoptions / debug output. 

This article explains the Flow Traceoptions output with a number of examples for Source NAT, Destination NAT, and Static NAT.
Solution:

Examples provided:

  • Example Traceoption Setup
  • Example Traceoption output for Source NAT
  • Example Traceoption output for Destination NAT
  • Example Traceoption output for Static NAT


Example Traceoption Setup

The following traceoptions configuration was used to capture the logs. The packet-filter stanzas restrict the trace to the flows under investigation; an unfiltered basic-datapath trace on a busy device writes a very large log and should be avoided:
user@srx# show security flow 
traceoptions {
    file debugfile;
    flag basic-datapath;
    packet-filter pf1 {
        protocol icmp;
        source-prefix 192.168.5.2/32;
        destination-prefix 192.168.2.1/32;
    }
    packet-filter pf2 {
        protocol tcp;
        destination-prefix 1.1.1.1/32;
        destination-port 80;
    }
}
The logs can be displayed using the command:
user@srx> show log debugfile
When troubleshooting is complete, remove or deactivate the traceoptions (for example, deactivate security flow traceoptions, followed by a commit) so that the device stops writing the trace file.
 

Example Traceoption output for Source NAT

  1. In this example, the policy allowed the packet and the Source NAT translation was performed. Note the order of the lines: the policy search and the "app ... timeout" line appear before the flow_first_src_xlate lines, because the SRX performs the policy lookup before source NAT. The policy must therefore match the original (pre-NAT) source address, 192.168.5.2 here, not the translated address:

    Aug 30 21:13:50 21:13:49.1442835:CID-0:RT:  policy search from zone trust-> zone untrust (0x0,0x25a7,0x25a7) ## Policy search direction
    
    Aug 30 21:13:50 21:13:49.1442882:CID-0:RT:  app 0, timeout 60s, curr ageout 60s   ## Indicates that the policy has been found
    
    Aug 30 21:13:50 21:13:49.1442882:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    
    Aug 30 21:13:50 21:13:49.1442934:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 2/32770, pst_nat: False.  ## status 1: source NAT rule 2 / pool 32770 matched
    
    Aug 30 21:13:50 21:13:49.1442934:CID-0:RT:  dip id = 2/1, 192.168.5.2/0->192.168.100.1/14777   ## source nat translation from 192.168.5.2 to 192.168.100.1    
    
  2. In this example, the policy allowed the packet but the Source NAT translation was NOT performed (no source NAT rule matched):

    Aug 30 21:26:24 21:26:24.741224:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    
    Aug 30 21:26:24 21:26:24.741224:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.  ## status 0: no source NAT rule matched
    
    Aug 30 21:26:24 21:26:24.741224:CID-0:RT:  dip id = 0/0, 192.168.5.2/0->192.168.5.2/0  ## no translation of source ip address
    
    
    

Example Traceoption output for Destination NAT

  1. In this example, Destination NAT translation was performed, and the policy allowed the packet:

    Aug 30 20:13:50 20:13:50.1442820:CID-0:RT:  flow_first_rule_dst_xlate: DST xlate: 1.1.1.1(80) to 192.168.5.1(80), rule/pool id 1/1  ## Destination NAT 1.1.1.1:80 -> 192.168.5.1:80 by rule 1 / pool 1; note that it happens before the policy search
    
    Aug 30 20:13:50 20:13:50.1442835:CID-0:RT:  policy search from zone untrust-> zone trust (0x0,0x16a5,0x00a7) ## Policy search direction
    
    Aug 30 20:13:50 20:13:50.1442882:CID-0:RT:  app 0, timeout 60s, curr ageout 60s ## Indicates that the policy has been found
    
    
  2. In this example, Destination NAT translation was not done, and the policy allowed the packet:

    Aug 30 20:13:50 20:13:50.1442821:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 1.1.1.1(80) ## No Destination NAT has happened: no rule matched, so the destination stays 1.1.1.1(80)
    
    Aug 30 20:13:50 20:13:50.1442843:CID-0:RT:  policy search from zone untrust-> zone trust (0x0,0x16a5,0x00a7) ## Policy search direction
    
    Aug 30 20:13:50 20:13:50.1442880:CID-0:RT:  app 0, timeout 60s, curr ageout 60s ## Indicates that the policy has been found   
    
  3. In this example, the policy denied/dropped the packet. Destination NAT is performed before the policy lookup, so the policy is evaluated against the translated destination 192.168.5.1. The policy was written for the original, untranslated IP 1.1.1.1, so no permit policy matches and the packet is dropped:

    Aug 31 20:53:13 20:53:12.1248581:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 1.1.1.1(80) to 192.168.5.1(80), rule/pool id 1/1 ##Destination NAT has happenned
    
    Aug 31 20:53:13 20:53:12.1248581:CID-0:RT:  policy search from zone untrust-> zone untrust (0x110,0xd1ea0050,0x50)
    
    Aug 31 20:53:13 20:53:12.1248581:CID-0:RT:  app 6, timeout 1800s, curr ageout 20s
    
    Aug 31 20:53:13 20:53:12.1249082:CID-0:RT:  packet dropped, denied by policy ## Dropped because the policy was written for the destination IP 1.1.1.1
    
    Aug 31 20:53:13 20:53:12.1249082:CID-0:RT:  packet dropped,  policy deny.    ## Had the policy been written for the translated address 192.168.5.1, there would have been no policy drop
    
 

Example Traceoption output for Static NAT

  1. In this example, Static NAT translation is performed, and the policy allowed the packet:

    Aug 30 20:13:50 20:13:50.1442835:CID-0:RT:flow_first_rule_dst_xlate: packet 2.2.2.2->1.1.1.1 nsp2 0.0.0.0->192.168.5.1 ## Static NAT has been done from 1.1.1.1 to 192.168.5.1
    
    Aug 30 20:13:50 20:13:50.1442835:CID-0:RT:  policy search from zone untrust-> zone trust (0x0,0x16a5,0x00a7) ## Policy search direction
    
    Aug 30 20:13:50 20:13:50.1442882:CID-0:RT:  app 0, timeout 60s, curr ageout 60s ## Indicates that the policy has been found   
    
  2. In this example, Static NAT translation is NOT performed (no static NAT rule matched), and the policy allowed the packet:

    Static NAT rule evaluated in the destination direction; the nsp2 part of the line shows the post-static-NAT destination:
    Aug 31 21:31:19 21:31:18.1051030:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.0.2->2.2.2.1 nsp2 0.0.0.0->2.2.2.1 ## The nsp2 destination 2.2.2.1 equals the original destination, so no Static NAT was applied
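
The following Python script is an added example for this article, not Juniper code. It reads basic-datapath trace lines of the shapes shown in the Source NAT, Destination NAT and Static NAT examples above and reduces them to the NAT and policy decisions, including the "policy written for the untranslated address" drop case. The regular expressions, the field names and the two embedded sample traces (copied from the examples above, with one "##" annotation left in to show that such notes are stripped) are this example's own; it recognises only the line formats shown in this article and ignores everything else.

```python
import re

# Added example for this KB (not Juniper code): reduce one session's
# 'flow basic-datapath' trace to its NAT and policy decisions. Only the
# line shapes shown in this article are recognised; others are ignored.
_PREFIX = re.compile(r"^.*?:CID-\d+:RT:\s*")      # 'Aug 30 21:13:50 ...:CID-0:RT:'
_NOTE = re.compile(r"\s*##.*$")                    # '## ...' annotations as in this KB
_POLICY_SEARCH = re.compile(r"policy search from zone (\S+)->\s*zone (\S+)")
_POLICY_DONE = re.compile(r"^app \d+, timeout \d+s, curr ageout \d+s")
_SRC_STATUS = re.compile(r"src nat returns status: (\d+), rule/pool id: (\d+)/(\d+)")
_SRC_DIP = re.compile(r"dip id = \d+/\d+, (\S+)/\d+->(\S+)/(\d+)")
_DST_XLATE = re.compile(r"DST xlate: (\S+)\((\d+)\) to (\S+)\((\d+)\), rule/pool id (\d+)/(\d+)")
_DST_NOXLATE = re.compile(r"DST no-xlate: \S+\(\d+\) to (\S+)\((\d+)\)")
_STATIC = re.compile(r"packet (\S+)->(\S+) nsp2 \S+->(\S+)")
_DROPPED = re.compile(r"packet dropped,\s*(.+?)\.?$")


def summarize(trace: str) -> dict:
    """Parse one session's trace lines into a dict of NAT/policy decisions."""
    s = {"from_zone": None, "to_zone": None, "policy_lookup": False, "src_nat": None,
         "dst_nat": None, "static_nat": None, "dropped": False, "drop_reasons": []}
    for raw in trace.splitlines():
        msg = _NOTE.sub("", _PREFIX.sub("", raw.strip()))
        if m := _POLICY_SEARCH.search(msg):
            s["from_zone"], s["to_zone"] = m[1], m[2]
        elif _POLICY_DONE.search(msg):
            s["policy_lookup"] = True          # 'app N, timeout ...' follows the lookup
        elif m := _SRC_STATUS.search(msg):
            s["src_nat"] = {"status": int(m[1]), "rule": int(m[2]), "pool": int(m[3])}
        elif m := _SRC_DIP.search(msg):        # 'dip id' line carries the actual mapping
            s["src_nat"] = s["src_nat"] or {"status": 0, "rule": 0, "pool": 0}
            s["src_nat"].update(original=m[1], translated=m[2], port=int(m[3]))
        elif m := _DST_XLATE.search(msg):
            s["dst_nat"] = {"original": m[1], "port": int(m[2]), "translated": m[3],
                            "translated_port": int(m[4]), "rule": int(m[5]), "pool": int(m[6])}
        elif m := _DST_NOXLATE.search(msg):    # no rule matched: destination unchanged
            s["dst_nat"] = {"original": m[1], "port": int(m[2]), "translated": m[1],
                            "translated_port": int(m[2]), "rule": 0, "pool": 0}
        elif m := _STATIC.search(msg):         # nsp2 shows the post-static-NAT destination
            s["static_nat"] = {"original": m[2], "translated": m[3]}
        elif m := _DROPPED.search(msg):
            s["dropped"] = True
            s["drop_reasons"].append(m[1].strip())
    return s


def explain(s: dict) -> list:
    """Render a summary in the terms this article uses, plus the usual hint."""
    out = []
    if st := s["static_nat"]:
        out.append(f"static NAT {st['original']} -> {st['translated']}" if st["original"] != st["translated"]
                   else f"no static NAT rule matched for {st['original']} (nsp2 unchanged)")
    if d := s["dst_nat"]:
        out.append(f"destination NAT {d['original']}:{d['port']} -> {d['translated']}:"
                   f"{d['translated_port']} (rule/pool {d['rule']}/{d['pool']})" if d["rule"]
                   else f"no destination NAT rule matched for {d['original']}:{d['port']}")
    if s["from_zone"]:
        out.append(f"policy search {s['from_zone']} -> {s['to_zone']}"
                   + (" (app/timeout line seen: lookup completed)" if s["policy_lookup"] else ""))
    if sn := s["src_nat"]:
        out.append(f"source NAT {sn['original']} -> {sn['translated']}/{sn['port']} "
                   f"(rule/pool {sn['rule']}/{sn['pool']})" if sn["status"] == 1 and "translated" in sn
                   else f"no source NAT rule matched (status {sn['status']})")
    if s["dropped"]:
        out.append("packet dropped: " + "; ".join(s["drop_reasons"]))
        xl = s["dst_nat"] or s["static_nat"]
        if xl and xl["original"] != xl["translated"]:   # the case in destination NAT example 3
            out.append(f"hint: policy lookup runs after destination/static NAT; the policy must "
                       f"match the translated address {xl['translated']}, not {xl['original']}")
    return out


# Constructed samples: lines copied from this article's examples.
SRC_NAT_OK = """
Aug 30 21:13:50 21:13:49.1442835:CID-0:RT:  policy search from zone trust-> zone untrust (0x0,0x25a7,0x25a7)
Aug 30 21:13:50 21:13:49.1442882:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
Aug 30 21:13:50 21:13:49.1442882:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
Aug 30 21:13:50 21:13:49.1442934:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 2/32770, pst_nat: False.
Aug 30 21:13:50 21:13:49.1442934:CID-0:RT:  dip id = 2/1, 192.168.5.2/0->192.168.100.1/14777
"""
DNAT_DENIED = """
Aug 31 20:53:13 20:53:12.1248581:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 1.1.1.1(80) to 192.168.5.1(80), rule/pool id 1/1 ## Destination NAT has happened
Aug 31 20:53:13 20:53:12.1248581:CID-0:RT:  policy search from zone untrust-> zone untrust (0x110,0xd1ea0050,0x50)
Aug 31 20:53:13 20:53:12.1248581:CID-0:RT:  app 6, timeout 1800s, curr ageout 20s
Aug 31 20:53:13 20:53:12.1249082:CID-0:RT:  packet dropped, denied by policy
Aug 31 20:53:13 20:53:12.1249082:CID-0:RT:  packet dropped,  policy deny.
"""

if __name__ == "__main__":
    for name, trace in (("source NAT", SRC_NAT_OK), ("destination NAT, denied", DNAT_DENIED)):
        print(f"== {name}")
        print("\n".join("  " + line for line in explain(summarize(trace))))
```

To use it on a real capture, pass the output of show log debugfile for one session to summarize(); the trace for several sessions should be split per session first (for example on the first packet's timestamp), since the script keeps only the last decision of each kind it sees.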

 
Modification History:
2020-06-27: Removed J-Series references.
2020-03-27: Article reviewed for accuracy; it is valid and accurate.