what to trace?
configuration


config
[edit security flow]
Netbox@SRX300-1-RL102# show
traceoptions {
    file selfpolicy size 1m;
    flag basic-datapath;
    packet-filter term1 {
        source-prefix 192.168.200.1/32;
        destination-prefix 192.168.200.2/32;
    }
    packet-filter term2 {
        source-prefix 192.168.200.2/32;
        destination-prefix 192.168.200.1/32;
    }
}


set security flow traceoptions file selfpolicy
set security flow traceoptions file size 1m
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter term1 source-prefix 192.168.200.1/32
set security flow traceoptions packet-filter term1 destination-prefix 192.168.200.2/32
set security flow traceoptions packet-filter term2 source-prefix 192.168.200.2/32
set security flow traceoptions packet-filter term2 destination-prefix 192.168.200.1/32




flag options


flag option
Netbox@SRX300-1-RL102# set traceoptions flag ?
Possible completions:
  all                  All events
  basic-datapath       Basic packet flow
  fragmentation        Ip fragmentation and reassembly events
  high-availability    Flow high-availability information
  host-traffic         Flow host-traffic information
  multicast            Multicast flow information
  route                Route lookup information
  session              Session creation and deletion events
  session-scan         Session scan information
  tcp-basic            TCP packet flow
  tunnel               Tunnel information


show log


[edit security flow]
Netbox@SRX300-1-RL102# run show log selfpolicy | last

Jul 30 11:58:11 11:58:11.574302:CID-0:RT:  flow got session.

Jul 30 11:58:11 11:58:11.574302:CID-0:RT:  flow session id 3655

Jul 30 11:58:11 11:58:11.574302:CID-0:RT: vector bits 0x8002 vector 0x68996258

Jul 30 11:58:11 11:58:11.574302:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Jul 30 11:58:11 11:58:11.574302:CID-0:RT:mbuf 0x611b2c80, exit nh 0x5c1302

Jul 30 11:58:11 11:58:11.574302:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x2088c48 associated with mbuf 0x611b2c80

Jul 30 11:58:11 11:58:11.574302:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Jul 30 11:58:11 11:58:11.671703:CID-0:RT:<192.168.200.1/65261->192.168.200.2/22;6,0x0> matched filter term1:

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:packet [52] ipid = 34264, @0x5ee6439c

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x5ee64180, rtbl_idx = 8

Jul 30 11:58:11 11:58:11.671703:CID-0:RT: flow process pak fast ifl 78 in_ifp ae0.0

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:  ae0.0:192.168.200.1/65261->192.168.200.2/22, tcp, flag 10

Jul 30 11:58:11 11:58:11.671703:CID-0:RT: find flow: table 0x6531298, hash 7389(0xffff), sa 192.168.200.1, da 192.168.200.2, sp 65261, dp 22, proto 6, tok 32777, conn-tag 0x00000000, vrf-grp-id 0

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:Found: session id 0x156d. sess tok 32777

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:  flow got session.

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:  flow session id 5485

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:  refreshing session

Jul 30 11:58:11 11:58:11.671703:CID-0:RT: vector bits 0x8002 vector 0x68996258

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:pre-frag not needed: ipsize: 52, mtu: 9188, nsp2->pmtu: 9188

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:insert usp tag for apps

Jul 30 11:58:11 11:58:11.671703:CID-0:RT:mbuf 0x5ee64180, exit nh 0xfffb0006

Jul 30 11:58:11 11:58:11.671703:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
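
The trace file writes many lines per packet, so it helps to fold each packet into one record before reading it. The following Python parser is an added example, not part of the original page: it extracts the matched filter term, 5-tuple, ingress interface and session id for each packet. It assumes, from the output shown above, that a record starts at the "matched filter" line and ends at the "flow_process_pkt rc" line; the function and field names are made up for this example.

```python
import re

# Constructed sample: lines copied from the trace output on this page, starting
# with the tail of a packet whose first lines were cut off by "| last".
SAMPLE = """\
Jul 30 11:58:11 11:58:11.574302:CID-0:RT:  flow session id 3655
Jul 30 11:58:11 11:58:11.574302:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Jul 30 11:58:11 11:58:11.671703:CID-0:RT:<192.168.200.1/65261->192.168.200.2/22;6,0x0> matched filter term1:
Jul 30 11:58:11 11:58:11.671703:CID-0:RT:  ae0.0:192.168.200.1/65261->192.168.200.2/22, tcp, flag 10
Jul 30 11:58:11 11:58:11.671703:CID-0:RT:Found: session id 0x156d. sess tok 32777
Jul 30 11:58:11 11:58:11.671703:CID-0:RT:  flow session id 5485
Jul 30 11:58:11 11:58:11.671703:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<ts>[\d:.]+):CID-\d+:RT:\s*(?P<msg>.*)$")
START = re.compile(r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
                   r";(?P<proto>\d+),\S+> matched filter (?P<term>[^:\s]+)")
IFACE = re.compile(r"^(?P<in_if>[\w./-]+):[\d.]+/\d+->[\d.]+/\d+, \w+, flag (?P<flag>\w+)")
FOUND = re.compile(r"Found: session id (0x[0-9a-fA-F]+)")
FLOW_SID = re.compile(r"flow session id (\d+)")
END = re.compile(r"flow_process_pkt rc (0x[0-9a-fA-F]+)")

def parse_flow_trace(text):
    """Return one dict per complete packet record (filter match .. rc line)."""
    packets, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # blank or non-trace line
        msg = m["msg"]
        if (hit := START.search(msg)):
            cur = {"ts": m["ts"], **hit.groupdict()}
        elif cur is None:
            continue                      # tail of a record with no start line
        elif (hit := IFACE.match(msg)):
            cur.update(hit.groupdict())   # ingress interface and raw flag field
        elif (hit := FOUND.search(msg)):
            cur["found_session"] = int(hit[1], 16)   # logged in hex
        elif (hit := FLOW_SID.search(msg)):
            cur["flow_session"] = int(hit[1])        # logged in decimal
        elif (hit := END.search(msg)):
            cur["rc"] = int(hit[1], 16)
            packets.append(cur)
            cur = None
    return packets

if __name__ == "__main__":
    for p in parse_flow_trace(SAMPLE):
        print(p)
```

In the sample, "Found: session id 0x156d" and "flow session id 5485" are the same session, printed once in hex and once in decimal; the parser normalizes both to integers so they can be compared.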