SSG session/flow troubleshooting
1. get session info
Home-SSG5-> get session src-ip x.x.x.x dst-ip y.y.y.y
alloc 11/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 8053
id 8048/s**,vsys 0,flag 00000040/0080/0021/0000,policy 320002,time 180, dip 0 module 0
if 0(nspflag 800601):192.168.2.173/4471->192.168.2.5/22,6,902b34859902,sess token 4,vlan 0,tun 0,vsd 0,route 1,wsf 0
if 3(nspflag 2002010):192.168.2.173/4471<-192.168.2.5
Total 1 sessions shown
Home-SSG5->
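A small parser for the `get session` output shown above, as an added example that is not part of the original post. The function names are hypothetical; in the sample, the `if 3` line and session 8047 are constructed, and the all-zero MAC is a placeholder.

```python
import re

# Header: "id 8048/s**,vsys 0,flag ...,policy 320002,time 180, dip 0 module 0"
HEADER = re.compile(r"^id (?P<id>\d+)/.*?policy (?P<policy>\d+),time (?P<time>\d+)")
# Wing: "if 0(nspflag 800601):192.168.2.173/4471->192.168.2.5/22,6,<mac>,..."
WING = re.compile(
    r"^if (?P<ifnum>\d+)\(nspflag (?P<nspflag>[0-9a-fA-F]+)\):"
    r"(?P<l_ip>[\d.]+)/(?P<l_port>\d+)(?P<dir>->|<-)"
    r"(?P<r_ip>[\d.]+)/(?P<r_port>\d+),(?P<proto>\d+),")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_sessions(text):
    """Return one dict per session entry found in 'get session' output."""
    sessions = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            sessions.append({"id": int(m["id"]), "policy": int(m["policy"]),
                             "time": int(m["time"]), "wings": []})
            continue
        m = WING.match(line)
        if m and sessions:  # a wing line belongs to the last header seen
            proto = int(m["proto"])
            sessions[-1]["wings"].append({
                "ifnum": int(m["ifnum"]), "direction": m["dir"],
                "left": (m["l_ip"], int(m["l_port"])),
                "right": (m["r_ip"], int(m["r_port"])),
                "proto": PROTO_NAMES.get(proto, str(proto))})
    return sessions

def incomplete_sessions(sessions):
    """IDs of sessions that do not show exactly two wings (cut-off paste)."""
    return [s["id"] for s in sessions if len(s["wings"]) != 2]

# Lines 1-2 are from the page; the "if 3" line and session 8047 are constructed.
SAMPLE = """\
id 8048/s**,vsys 0,flag 00000040/0080/0021/0000,policy 320002,time 180, dip 0 module 0
 if 0(nspflag 800601):192.168.2.173/4471->192.168.2.5/22,6,902b34859902,sess token 4,vlan 0,tun 0,vsd 0,route 1,wsf 0
 if 3(nspflag 2002010):192.168.2.173/4471<-192.168.2.5/22,6,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0,wsf 0
id 8047/s**,vsys 0,flag 00000040/0080/0021/0000,policy 320002,time 12, dip 0 module 0
 if 0(nspflag 800601):192.168.2.173/4470->192.168.2.5/22,6,902b34859902,sess token 4,vlan 0,tun 0,vsd 0,route 1,wsf 0
Total 2 sessions shown
"""

if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE)
    for s in parsed:
        fwd = s["wings"][0]
        print(s["id"], s["policy"], s["time"], fwd["proto"], fwd["left"], "->", fwd["right"])
    print("incomplete:", incomplete_sessions(parsed))
```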
2. Debug flow basic
1) get ffilter - see if any filters have been set already. If they have, use 'unset ffilter' to remove them; repeat until all the filters are removed.
2) set ffilter src-ip 10.1.1.5 dst-ip 1.1.70.250 - limits the traffic that you capture by src-ip, src-port, dst-ip, dst-port, etc. Recommended, as debug flow basic can be intensive on the firewall, especially if it is under heavy load.
3) debug flow basic - turns on flow debugging with a basic level of logging
4) clear db - make sure there is nothing in the debug buffer from previous debugs
5) Begin the test: do a ping or try to access the resource that you are having problems with.
6) undebug all or press Esc key - turns off debug
7) get db str - reads the debug buffer and outputs it
8) unset ffilter - remove ffilters when finished
9) clear db - make sure there is nothing in the debug buffer from previous debugs
3. Snoop
Home-SSG5-> snoop filter ip 2.2.2.222 - set a filter to limit the traffic that you capture.
Home-SSG5-> snoop filter id 1 delete - delete a filter
Home-SSG5-> snoop info - check whether the filter is applied properly.
Home-SSG5-> snoop - "switch on" the snoop and initiate the traffic.
Home-SSG5-> snoop off or press Esc key - "Turn off" the snoop
Home-SSG5-> get dbuf stream - check the output of the snoop
Home-SSG5-> clear db - clear the buffer
Other snoop commands:
snoop detail - only available for root
snoop detail len 1514
You can save the output directly to a tftp-server with the command
"get dbuf stream > tftp "
You can read that file using Wireshark.