
[ScreenOS] Interpreting the output of "debug session all" on ScreenOS devices


Article ID: KB3508 | Last Updated: 08 Jan 2019 | Version: 4.0

Summary:

This article provides a sample output for the debug session all command on ScreenOS devices and explains how to interpret the output.

 

Solution:

The get session command lists the sessions currently installed on the device. The outputs below show one session created for an ICMP exchange and one created for a TCP connection:

ICMP Traffic

ssg20-> get session                                
free tunnel session pool size 0 head 0x0
alloc 1/max 64064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 64063
id 64059/s**,vsys 0,flag 00000040/0000/0001/0000,policy 1,time 1, dip 0 module 0
if 0(nspflag 800801):10.141.222.124/5800->192.30.30.2/1024,1,0010dbfc1000,sess token 4,vlan 0,tun 0,vsd 0,route 7,seg 1
if 5(nspflag 800800):10.141.222.124/5800<-192.30.30.2/1024,1,54e032d187c5,sess token 3,vlan 0,tun 0,vsd 0,route 10, seg 0
Total 1 sessions shown

TCP Traffic

ssg20-> get session                                     
free tunnel session pool size 0 head 0x0
alloc 1/max 64064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 64063
id 64059/s**,vsys 0,flag 08000040/0000/0001/0000,policy 1,time 180, dip 0 module 0
if 0(nspflag 801801):10.141.222.124/36383->192.30.30.2/23,6,0010dbfc1000,sess token 4,vlan 0,tun 0,vsd 0,route 7,wsf 0,seg 1
if 5(nspflag 801800):10.141.222.124/36383<-192.30.30.2/23,6,54e032d187c5,sess token 3,vlan 0,tun 0,vsd 0,route 10,wsf 0, seg 0
Total 1 sessions shown
 

ICMP Traffic

A sample output for debug session all captured with debug flow basic for ICMP traffic is as follows:

ssg20-> get db st

****** 627451.0: <Untrust/ethernet0/0> packet received [128]******
  ipid = 1426(0592), @05da6174
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:10.141.222.124/5800->192.30.30.2/1024,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.141.222.124->192.30.30.2) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 10 for 192.30.30.2
  [ Dest] 10.route 192.30.30.2->192.30.30.2, to ethernet0/1
  routed (x_dst_ip 192.30.30.2) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/1
  policy search from zone 1-> zone 2
 policy_flow_search  policy search nat_crt from zone 1-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.30.30.2, port 16778, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 1/0/0x1
  Permitted by policy 1
  No src xlate   choose interface ethernet0/1 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/1
  vsd 0 is active
  no loop on ifp ethernet0/1.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <ethernet0/1>
## 2018-12-25 23:49:12 : INC: vsys Root, cur_nat_sess 1, free_pool 64063
## 2018-12-25 23:49:12 : alloc nat session from pool
## 2018-12-25 23:49:12 : nat(40): >>> Code (40) No NAT is triggered
## 2018-12-25 23:49:12 :  10.141.222.124/5800(10.141.222.124/5800)->192.30.30.2/1024(192.30.30.2/1024) >>> When the packet passes policy lookup session is generated
  existing vector list 21-78b2ee4.
  Session (id:64059) created for first pak 21
  flow_first_install_session ======>
  route to 192.30.30.2
  cached arp entry with MAC 54e032d187c5 for 192.30.30.2
  arp entry found for 192.30.30.2
  ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00800800, tunnel ffffffff, rc 1
  outgoing wing prepared, ready
  handle cleartext reverse route
  search route to (ethernet0/1, 192.30.30.2->10.141.222.124) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 7 for 10.141.222.124
  [ Dest] 7.route 10.141.222.124->10.141.222.124, to ethernet0/0
  route to 10.141.222.124
  cached arp entry with MAC 0010dbfc1000 for 10.141.222.124
  arp entry found for 10.141.222.124
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1 >>> Traffic is not passing via tunnel   
## 2018-12-25 23:49:12 :   no tunnel, get if operating mtu. >>> No tunnel, so it marks 0 for tunnel in the session
## 2018-12-25 23:49:12 : calculate session pmtu 1500
## 2018-12-25 23:49:12 :   no tunnel, get if operating mtu.
## 2018-12-25 23:49:12 : calculate session pmtu 1500
  flow got session.
  flow session id 64059
  flow_main_body_vector in ifp ethernet0/0 out ifp ethernet0/1
  flow vector index 0x21, vector addr 0x78b2ee4, orig vector 0x78b2ee4
  vsd 0 is active
  post addr xlation: 10.141.222.124->192.30.30.2.
  packet send out to 54e032d187c5 through ethernet0/1
****** 627451.0: <Trust/ethernet0/1> packet received [128]******
  ipid = 1970(07b2), @05da7174
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/1:192.30.30.2/1024->10.141.222.124/5800,1(0/0)<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 64059
  flow_main_body_vector in ifp ethernet0/1 out ifp N/A
  flow vector index 0x21, vector addr 0x78b2ee4, orig vector 0x78b2ee4
  vsd 0 is active
  post addr xlation: 192.30.30.2->10.141.222.124.
  packet send out to 0010dbfc1000 through ethernet0/0
TR invalid session trace
: 007c3094 007c29d5 007c2f09 00116f03 00109c8e
## 2018-12-25 23:49:15 : --(1)nsp timeout: 10.141.222.124/5800, 192.30.30.2/1024, 1, 0, 0 3 >> Reverse traffic is sent so closing the session for ICMP
## 2018-12-25 23:49:15 :
TR invalid session trace
: 007c3094 007c29d5 007c2f09 00116f03 00109c8e
## 2018-12-25 23:49:17 : --(0)nsp timeout: 192.30.30.2/1024, 10.141.222.124/5800, 1, 0, 0 5 >> Reverse traffic is sent so closing the session for ICMP
## 2018-12-25 23:49:17 : free sess dip id:0
## 2018-12-25 23:49:17 : DEC: vsys Root, cur_nat_sess 0, free_pool 64064
 

Thus, once policy lookup succeeds, a session is created and assigned a session ID. For ICMP, once the reply traffic has passed through the firewall, the session is closed.

Note: nat(40) in the output means that no NAT is applied to the session; nat(00) means that source NAT is applied.
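As an added example (not part of the article), the following Python parses the get session lines shown above into structured fields, swapping the endpoints of the "<-" reply wing so that every wing reads source to destination, and maps the nat(xx) code of a debug flow line using the note above. The dict field names are my own; the sample input is the article's TCP session.

```python
import re

# Sample "get session" output, copied from the article's TCP example.
SAMPLE = """\
id 64059/s**,vsys 0,flag 08000040/0000/0001/0000,policy 1,time 180, dip 0 module 0
if 0(nspflag 801801):10.141.222.124/36383->192.30.30.2/23,6,0010dbfc1000,sess token 4,vlan 0,tun 0,vsd 0,route 7,wsf 0,seg 1
if 5(nspflag 801800):10.141.222.124/36383<-192.30.30.2/23,6,54e032d187c5,sess token 3,vlan 0,tun 0,vsd 0,route 10,wsf 0, seg 0
"""

ID_RE = re.compile(
    r"^id (?P<id>\d+)/(?P<state>[^,]+),vsys (?P<vsys>\d+),flag (?P<flag>[^,]+),"
    r"policy (?P<policy>\d+),time (?P<time>\d+), dip (?P<dip>\d+)")
WING_RE = re.compile(
    r"^if (?P<ifidx>\d+)\(nspflag (?P<nspflag>[0-9a-f]+)\):"
    r"(?P<a>[\d.]+)/(?P<aport>\d+)(?P<dir>->|<-)(?P<b>[\d.]+)/(?P<bport>\d+),"
    r"(?P<proto>\d+),(?P<mac>[0-9a-f]{12}),sess token (?P<token>\d+),"
    r"vlan (?P<vlan>\d+),tun (?P<tun>\d+),vsd (?P<vsd>\d+),route (?P<route>\d+)")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
NAT_RE = re.compile(r"\bnat\((?P<code>[0-9a-f]{2})\)")

def parse_sessions(text):
    """Return one dict per session; each carries a 'wings' list (forward, reverse)."""
    sessions = []
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            s = m.groupdict()
            for k in ("id", "vsys", "policy", "time", "dip"):
                s[k] = int(s[k])
            s["wings"] = []
            sessions.append(s)
            continue
        m = WING_RE.match(line)
        if m and sessions:
            w = m.groupdict()
            # "->" is the initiating wing; "<-" is the reply wing, so swap the ends.
            fwd = w["dir"] == "->"
            ends = ((w["a"], w["aport"]), (w["b"], w["bport"]))
            src, dst = ends if fwd else ends[::-1]
            sessions[-1]["wings"].append({
                "direction": "forward" if fwd else "reverse",
                "src": f"{src[0]}:{src[1]}", "dst": f"{dst[0]}:{dst[1]}",
                "proto": PROTO.get(int(w["proto"]), w["proto"]),
                "next_hop_mac": w["mac"], "sess_token": int(w["token"]),
                "tunnel": int(w["tun"]) != 0, "route": int(w["route"]),
            })
    return sessions

def nat_action(debug_line):
    """Map the nat(xx) code in a debug flow line per the note: 40 = no NAT, 00 = source NAT."""
    m = NAT_RE.search(debug_line)
    return None if not m else {"40": "no NAT", "00": "source NAT"}.get(m.group("code"), "unknown")
```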

 

TCP Traffic

A sample output for debug session all captured with debug flow basic for TCP traffic is as follows:

ssg20-> get db st

****** 627159.0: <Untrust/ethernet0/0> packet received [44]******
  ipid = 1419(058b), @0593f974
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:10.141.222.124/36383->192.30.30.2/23,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.141.222.124->192.30.30.2) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 10 for 192.30.30.2
  [ Dest] 10.route 192.30.30.2->192.30.30.2, to ethernet0/1
  routed (x_dst_ip 192.30.30.2) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/1
  policy search from zone 1-> zone 2
 policy_flow_search  policy search nat_crt from zone 1-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.30.30.2, port 23, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 1/0/0x1
  Permitted by policy 1
  No src xlate   choose interface ethernet0/1 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/1
  vsd 0 is active
  no loop on ifp ethernet0/1.
  session application type 10, name TELNET, nas_id 0, timeout 1800sec
ALG vector is not attached
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <ethernet0/1>
## 2018-12-25 23:44:20 : INC: vsys Root, cur_nat_sess 1, free_pool 64063
## 2018-12-25 23:44:20 : alloc nat session from pool
## 2018-12-25 23:44:20 : nat(40): >> Code (40) No NAT is triggered
## 2018-12-25 23:44:20 :  10.141.222.124/36383(10.141.222.124/36383)->192.30.30.2/23(192.30.30.2/23) >>> When the packet passes policy lookup, session is generated
  existing vector list 123-3edc064.
  Session (id:64059) created for first pak 123
  flow_first_install_session======>
  route to 192.30.30.2
  cached arp entry with MAC 54e032d187c5 for 192.30.30.2
  arp entry found for 192.30.30.2
  ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00800800, tunnel ffffffff, rc 1
  outgoing wing prepared, ready
  handle cleartext reverse route
  search route to (ethernet0/1, 192.30.30.2->10.141.222.124) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 7 for 10.141.222.124
  [ Dest] 7.route 10.141.222.124->10.141.222.124, to ethernet0/0
  route to 10.141.222.124
  cached arp entry with MAC 0010dbfc1000 for 10.141.222.124
  arp entry found for 10.141.222.124
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1 >>> Traffic is not passing via tunnel   
## 2018-12-25 23:44:20 :   no tunnel, get if operating mtu. >>> No tunnel, so it marks 0 for tunnel in the session
## 2018-12-25 23:44:20 : calculate session pmtu 1500
## 2018-12-25 23:44:20 :   no tunnel, get if operating mtu.
## 2018-12-25 23:44:20 : calculate session pmtu 1500
  flow got session.
  flow session id 64059
  flow_main_body_vector in ifp ethernet0/0 out ifp ethernet0/1
  flow vector index 0x123, vector addr 0x3edc064, orig vector 0x3edc064
  vsd 0 is active
  tcp seq check.
  Got syn, 10.141.222.124(36383)->192.30.30.2(23), nspflag 0x801801, 0x800800
  post addr xlation: 10.141.222.124->192.30.30.2.
  packet send out to 54e032d187c5 through ethernet0/1
****** 627159.0: <Trust/ethernet0/1> packet received [44]******
  ipid = 1817(0719), @05940174
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/1:192.30.30.2/23->10.141.222.124/36383,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 64059
  flow_main_body_vector in ifp ethernet0/1 out ifp N/A
  flow vector index 0x123, vector addr 0x3edc064, orig vector 0x3edc064
  vsd 0 is active
  tcp seq check.
  Got syn_ack, 192.30.30.2(23)->10.141.222.124(36383), nspflag 0x801800, 0x801801
  post addr xlation: 192.30.30.2->10.141.222.124.
  packet send out to 0010dbfc1000 through ethernet0/0
****** 627170.0: <Trust/ethernet0/1> packet received [40]******
  ipid = 29833(7489), @05969174
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/1:192.30.30.2/23->10.141.222.124/36383,6, 5004(rst)<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 64059
  flow_main_body_vector in ifp ethernet0/1 out ifp N/A
  flow vector index 0x123, vector addr 0x3edc064, orig vector 0x3edc064
  vsd 0 is active
  tcp seq check.
  flow_tcp_fin_vector()
  post addr xlation: 192.30.30.2->10.141.222.124.
  packet send out to 0010dbfc1000 through ethernet0/0
TR invalid session trace
: 007c3094 007c29d5 007c2f09 00116f03 00109c8e
## 2018-12-25 23:44:33 : --(1)nsp timeout: 10.141.222.124/36383, 192.30.30.2/23, 6, 0, 0 13  >>> TCP connection closed as RST/FIN by client or server; session closed for TCP
## 2018-12-25 23:44:33 :
TR invalid session trace
: 007c3094 007c29d5 007c2f09 00116f03 00109c8e
## 2018-12-25 23:44:35 : --(0)nsp timeout: 192.30.30.2/23, 10.141.222.124/36383, 6, 0, 0 15  >>> TCP connection closed as RST/FIN by client or server; session closed for TCP
## 2018-12-25 23:44:35 : not configure notify option in policy 1/0  >>> Policy ID 1 is not configured with "notify-conn-close" 
## 2018-12-25 23:44:35 : free sess dip id:0
## 2018-12-25 23:44:35 : DEC: vsys Root, cur_nat_sess 0, free_pool 64064
 

Thus, once policy lookup succeeds, a session is created and assigned a session ID. For TCP, once the RST or FIN that terminates the connection has passed through the firewall, the session is closed.

Note: If notify-conn-close is enabled, ScreenOS sends a TCP notification ACK to both the client and the server when the session is closed following a session timeout or by executing the clear session command. The notify-conn-close option is disabled by default.

 

Modification History:

2019-01-08: Article modified; additional details added for the output of debug session all.

 

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search