Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Example - How to analyze session information

0

0
Article ID: KB24728 KB Last Updated: 25 Apr 2015Version: 5.0 Summary:

This article explains how to analyze the output of get session.

Symptoms:

How do I analyze the output of get session?

Cause:

Solution:
Output of the get session command:
>get session
alloc 176/max 128000, alloc failed 0, di alloc failed 0
id 25599/s**,vsys 0,flag 00000040/0000/00,policy 1,time 6, dip 0
0(8801):192.168.1.10/4000->192.168.2.10/1024,1,0010db103040,2,vlan 0,tun 0,vsd 0,route 0
6(2800):192.168.1.10/4000<-192.168.2.10/1024,1,000000000000,3,vlan 0,tun 40000001,vsd 0,route 5

  • id: This field represents the session ID.

  •  vsys: This field determines the VSYS, to which the session is applicable (0 represents the Root system).

  • flag: Used by engineering to help determine the status of the session.

  • policy: This field refers to the policy ID that the session matched. In this example, the session matched the policy ID of 1.

  • time: This field refers to the session timeout value in ticks (1 tick = 10 seconds). In this example, the session is valid for 60 seconds (6 ticks x 10 seconds = 60 seconds).


If the policy NAT-src via DIPs has been applied to the traffic, you can determine which DIP pool was used by referring to the dip field. In this example, no policy NAT-src was applied.

The beginning of the session line displays the ingress interface and the session token number. In this instance, the first line refers to the Ethernet1/1 interface 0 (8801) and the second line refers to the Ethernet1/3 interface 6 (2800).

The first characters (here 0 and 6) in these line shows the interface number for the source interface of the traffic in that direction. Here 0 represents the interface number for Ethernet 1/1 and 6 represent the interface number for Ethernet 1/3.

The interface numbers for all the interfaces can be viewed with the get sys command. You can confirm the interface number with the get int <interface > command:
> get int e1/1
Interface ethernet1/1:
description ethernet1/1
number 0, if_info 229320, if_index 0, mode nat
link down, phy-link down, admin status up
status change:0
You can then observe the source IP, source port, destination IP, and destination port for the session. The next field displays the IP protocol being used for the session. In this example, it is IP protocol 1 (ICMP).

The next field displays the MAC address of the next-hop router. If a NetScreen device has been configured with Subinterfaces and VLANs, the VLAN ID of the packet is displayed in the vlan field. In this example, the packets have a VLAN ID of 2. The tun field refers to the VPN tunnel being used (if one is used). The vsd field refers to the VSD group, in which the interface resides, if the firewall is in a NSRP cluster. Finally, the route field displays the route ID, which was used to route traffic for the session.

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search