
[Contrail] TCP flags in vRouter Agent TCP flows explained with examples



Article ID: KB33567 KB Last Updated: 24 Dec 2018 Version: 1.0

When a vRouter Agent builds TCP flows, it uses different variables to indicate flow status. A "TCP flag" is one of the variables reflected in the flow table, which is updated whenever a new TCP flag is received in the flow during TCP interaction.

This article explains some of the commonly seen flags in TCP flow entries.



Some of the commonly seen TCP flags in a TCP flow entry are as follows:

  • S: SYN Received

  • Sr: Reverse SYN Received

  • E: Established

  • Er: Reverse Flow Established

  • F: FIN Received

  • Fr: Reverse FIN Received

  • C: TCP Half Close



When a TCP flow gets established, the TCP flags show SSr, which indicates that bidirectional TCP SYN has been received. When a session is fully established, its status is indicated by the EEr flag in the flow entry.

Example flow entry

Listing flows matching ([]:22)

    Index                Source:Port/Destination:Port                      Proto(V)
   387368<=>516872                                       6 (1)
(Gen: 1, K(nh):13, Action:F, Flags:, TCP:SSrEEr, E:1, QOS:-1, S(nh):0,

 Stats:759/53415,  SPort 62432, TTL 0, Sinfo
   516872<=>387368                                        6 (1)
(Gen: 1, K(nh):13, Action:F, Flags:, TCP:SSrEEr, QOS:-1, S(nh):0,  Stats:750/80453,
 SPort 56830, TTL 0, Sinfo

S or Sr Only

When there is only TCP:S in the flow, it indicates that the TCP SYN flag has been received, but no ACK has come for it yet. It means that the flow is still waiting to be fully established. The reverse flow will show the corresponding TCP:Sr flag.


root@comp106:~# flow --match ""
Flow table(size 80609280, entries 629760)

Entries: Created 431960 Added 431960 Deleted 863738 Changed 863738 Processed 431960 Used Overflow entries 0
(Created Flows/CPU: 149 312 528 19760 1225 57799 592 18899 539 12487 583 7534 237 261830 197 5231 2182 4647 1491 3088 1303 19875 1576 9896)(oflows 0)

Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
 Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
 Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead

Listing flows matching ([]:*)

    Index                Source:Port/Destination:Port                      Proto(V)
    17896<=>426212                                      6 (8)
(Gen: 13, K(nh):70, Action:F, Flags:, TCP:S, QOS:-1, S(nh):0,  Stats:4/296,
 SPort 51482, TTL 0, Sinfo

   426212<=>17896                                        6 (8)
(Gen: 21, K(nh):70, Action:F, Flags:, TCP:Sr, QOS:-1, S(nh):0,  Stats:0/0,
 SPort 56177, TTL 0, Sinfo

FFr and FFrC

When a TCP FIN is received, the flow entry is updated with an additional "F" flag, which is followed by a wait for the reverse FIN packet's arrival. When the reverse FIN is received, another flow flag update is triggered with Fr, which is followed by a wait for the TCP disconnection process to be finished (HalfClose).

In normal scenarios, the whole TCP disconnection process completes very fast and the flow entry is cleared immediately. In this case, you may not be able to see the flows with the TCP FIN flags.

However, in some cases (for example, if the VNF or the vRouter Agent has problems), you will see the transient status for a while. In a lab environment, these transient statuses can be observed by using a firewall filter to hold some of the TCP packets with certain flags.


Listing flows matching ([]:179, []:*)

  Index                Source:Port/Destination:Port                     Proto(V)
  522980<=>64576                              6 (0->1)
(Gen: 117, K(nh):5, Action:N(SDPd), Flags:, TCP:SSrEErFFr, E:0, QOS:-1, S(nh):0,
Stats:597/37664,  SPort 60187, TTL 0, Sinfo

Listing flows matching ([]:179, []:*)

    Index                Source:Port/Destination:Port                      Proto(V)
    64576<=>522980                                     6 (1->0)
(Gen: 4, K(nh):90, Action:N(SPsD), Flags:, TCP:SSrEErFFrC, QOS:-1, S(nh):0,
 Stats:587/44901,  SPort 50499, TTL 255, Sinfo

Listing flows matching (Protocol TCP)

    Index                Source:Port/Destination:Port                      Proto(V)
   278108<=>522980                                     6 (1->0)
(Gen: 1, K(nh):89, Action:N(SPsD), Flags:, TCP:SSrEErFFrC, QOS:-1, S(nh):0,
 Stats:19/1681,  SPort 49837, TTL 255, Sinfo

   522980<=>278108                                  6 (0->1)
(Gen: 134, K(nh):5, Action:N(SDPd), Flags:, TCP:SSrEErFFr, E:1, QOS:-1, S(nh):0,
 Stats:29/2687,  SPort 57514, TTL 0, Sinfo

No flags

Non-TCP flows will not have any TCP flags in the flow.

Sometimes, a TCP flow may have no TCP flags at all. This is normal if the TCP traffic has stopped for a while and is starting again. In this case, the old flow times out and a new flow is triggered by the TCP packet, which carries no TCP flags.


Listing flows matching ([]:22)

    Index                Source:Port/Destination:Port                      Proto(V)
     1916<=>21800                                        6 (1)
(Gen: 4, K(nh):13, Action:F, Flags:, TCP:, QOS:-1, S(nh):0,  Stats:76/7504,
 SPort 52277, TTL 0, Sinfo

    21800<=>1916                                       6 (1)
(Gen: 4, K(nh):13, Action:F, Flags:, TCP:, E:1, QOS:-1, S(nh):0,  Stats:113/8998,
 SPort 56861, TTL 0, Sinfo
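
The flag strings described above can be decoded mechanically when reviewing saved flow output. The following Python sketch is an added example, not Juniper code: it splits the TCP: field into tokens and picks out entries in the S/Sr-only, FIN, or HalfClose states. The state names are labels chosen for this example, and it assumes the "r" (reverse) suffix may follow any letter in the CLI legend.

```python
import re

TOKEN = re.compile(r"[SFRCED]r?")          # legend letters; assumption: "r" may follow any
INDEX = re.compile(r"^\s*(\d+)<=>(\d+)")   # "387368<=>516872" opens a flow entry
FIELD = re.compile(r"\bTCP:([A-Za-z]*)")   # "TCP:SSrEEr," or the empty "TCP:,"

def decode(flags):
    tokens = TOKEN.findall(flags)          # "SSrEErFFrC" -> S, Sr, E, Er, F, Fr, C
    if "".join(tokens) != flags:
        raise ValueError("unrecognised TCP flag string: %r" % flags)
    return tokens

def classify(flags):
    seen = set(decode(flags))
    if seen - set("SEFC") - {"Sr", "Er", "Fr"}:
        return "other"                     # R or D: in the legend, not described here
    if not seen:
        return "no-flags"                  # non-TCP, or flow re-created after a timeout
    if "C" in seen:
        return "half-close"
    if seen & {"F", "Fr"}:
        return "closing"
    if {"E", "Er"} <= seen:
        return "established"
    if seen <= {"S", "Sr"}:
        return "syn-both" if len(seen) == 2 else "syn-only"
    return "establishing"                  # E or Er seen on one side only

def parse_flows(text):
    flows, pending = [], None
    for line in text.splitlines():
        idx, field = INDEX.match(line), FIELD.search(line)
        if idx:
            pending = (int(idx.group(1)), int(idx.group(2)))
        elif field and pending:
            flows.append(pending + (field.group(1), classify(field.group(1))))
            pending = None
    return flows

def transient(text):  # entries caught mid-handshake or mid-teardown
    return [f for f in parse_flows(text) if f[3] in {"syn-only", "closing", "half-close"}]

SAMPLE = """\
    17896<=>426212                                      6 (8)
(Gen: 13, K(nh):70, Action:F, Flags:, TCP:S, QOS:-1, S(nh):0,  Stats:4/296,
    64576<=>522980                                     6 (1->0)
(Gen: 4, K(nh):90, Action:N(SPsD), Flags:, TCP:SSrEErFFrC, QOS:-1, S(nh):0,
     1916<=>21800                                        6 (1)
(Gen: 4, K(nh):13, Action:F, Flags:, TCP:, QOS:-1, S(nh):0,  Stats:76/7504,
"""  # sample lines copied from the listings in this article
```

Running transient() on two captures taken some time apart shows which flow indexes stay in a transient state, which is the condition the article associates with VNF or vRouter Agent problems.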

