Introduction
Thought I would write a quick one on this, as I often need to look it up and it is incredibly helpful. Cisco ASA has the packet-tracer command for testing, but NetScreen firewalls have something a bit different. Debug flow is also very powerful, as it captures the path of traffic through the firewall for troubleshooting purposes.
Solution
SSH to the NetScreen firewall and turn on the dbuf buffer:
set console dbuf
Set the flow filter parameters for debugging. Be specific: you do not want to capture too much information, as that risks overloading the firewall.
set ffilter ?
dst-ip       flow filter dst ip
dst-port     flow filter dst port
ip-proto     flow filter ip proto
src-ip       flow filter src ip
src-port     flow filter src port
Use the get and unset forms of this command to see what has been defined and to remove a parameter if you need to. For example:
set ffilter src-ip 192.168.1.243 dst-ip 172.16.43.230
Once the parameters are set, we can start the debug.
debug flow ?
basic
all
drop
For most cases debug flow basic is sufficient. Once you have initiated some traffic, disable the debug using:
undebug all
Obtain the output of the debug from the CLI:
get dbuf stream
For example:
****** 15126366.0: <Trust/ethernet0/0> packet received [40]******
  ipid = 11047(2b27), @2d7c5110
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.1.243/52545->172.16.43.230/53483,6, 5011(fin)
  existing session found. sess token 3
  flow got session.
  flow session id 43617
  flow_main_body_vector in ifp ethernet0/0 out ifp N/A
  flow vector index 0x123, vector addr 0x3d98084, orig vector 0x3d98084
  vsd 0 is active
  tcp seq check.
  flow_tcp_fin_vector()
  post addr xlation: 192.168.1.243->172.16.43.230.
  send packet to traffic shaping queue.
  flow_ip_send: 2b27:192.168.1.243->172.16.43.230,6 => ethernet1/2(40) flag 0x20000, vlan 0
  pak has mac
  Send to ethernet1/2 (60)
****** 15126366.0: <DMZ/ethernet1/2> packet received [40]******
  ipid = 8188(1ffc), @2d499110
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet1/2:172.16.43.230/53483->192.168.1.243/52545,6, 5004(rst)
  existing session found. sess token 18
  flow got session.
  flow session id 43617
  flow_main_body_vector in ifp ethernet1/2 out ifp N/A
  flow vector index 0x123, vector addr 0x3d98084, orig vector 0x3d98084
  vsd 0 is active
  tcp seq check.
  flow_tcp_fin_vector()
  post addr xlation: 172.16.43.230->192.168.1.243.
  send packet to traffic shaping queue.
  flow_ip_send: 1ffc:172.16.43.230->192.168.1.243,6 => ethernet0/0(40) flag 0x20000, vlan 0
  pak has mac
  Send to ethernet0/0 (60)
Very useful, and it will find the answer to your blocked packets very quickly.