Protocol numbers
Protocol number 1: ICMP
Protocol number 6: TCP
Protocol number 17: UDP

TCP Flags
[.] = Ack set

[S] = Syn set
[S.] = Syn set, Ack set

[F] = Fin set
[F.] = Fin set, Ack set

[R] = Reset set
[R.] = Reset set, Ack set

diag sys session filter ?
vd              Index of virtual domain. -1 matches all.
sintf           Source interface.
dintf           Destination interface.
src             Source IP address.
nsrc            NAT'd source ip address
dst             Destination IP address.
proto           Protocol number.
sport           Source port.
nport           NAT'd source port
dport           Destination port.
policy          Policy ID.
expire          expire
duration        duration
proto-state     Protocol state.
session-state1  Session state1.
session-state2  Session state2.
ext-src         Add a source address to the extended match list.
ext-dst         Add a destination address to the extended match list.
ext-src-negate  Add a source address to the negated extended match list.
ext-dst-negate  Add a destination address to the negated extended match list.
clear           Clear session filter.
negate          Inverse filter.

In the statistic line (bytes/packets/allow_err), if packets >= 2, you have two-way communication.

diag sys session list | grep statistic
statistic(bytes/packets/allow_err): org=61/1/1 reply=77/2/1 tuples=4

diagnose sys session list

session info: proto=17 proto_state=01 duration=29 expire=150 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu route_preserve
statistic(bytes/packets/allow_err): org=147/1/1 reply=268/1/1 tuples=2
tx speed(Bps/kbps): 4/0 rx speed(Bps/kbps): 8/0
orgin->sink: org pre->post, reply pre->post dev=8->6/6->8 gwy=50.4.192.1/192.168.1.240
hook=post dir=org act=snat 192.168.1.240:63996->104.245.145.50:443(50.4.203.235:63996)
hook=pre dir=reply act=dnat 104.245.145.50:443->50.4.203.235:63996(192.168.1.240:63996)
src_mac=1c:6f:65:xx:xx:xx
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0013a263 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id= 80000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/04

session info: proto=6 proto_state=11 duration=888 expire=3594 timeout=3600 flags=00000000 socktype=0 sockport=443 av_idx=9 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=redir local may_dirty npu route_preserve
statistic(bytes/packets/allow_err): org=62142/101/1 reply=56830/170/1 tuples=3
tx speed(Bps/kbps): 70/0 rx speed(Bps/kbps): 76/0
orgin->sink: org pre->post, reply pre->post dev=8->6/6->8 gwy=50.4.192.1/192.168.1.240
hook=post dir=org act=snat 192.168.1.240:51212->52.205.160.176:443(50.4.203.235:51212)
hook=pre dir=reply act=dnat 52.205.160.176:443->50.4.203.235:51212(192.168.1.240:51212)
hook=post dir=reply act=noop 52.205.160.176:443->192.168.1.240:51212(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=1c:6f:65:xx:xx:xx
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=001392b1 tos=40/40 app_list=0 app=0 url_cat=0
rpdb_link_id= 80000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: redir-to-av

TCP:
State           Value   Expire Timer (default)
NONE            0       10 s
ESTABLISHED     1       3600 s
SYN_SENT        2       120 s
SYN & SYN/ACK   3       60 s
FIN_WAIT        4       120 s
TIME_WAIT       5       120 s
CLOSE           6       10 s
CLOSE_WAIT      7       120 s
LAST_ACK        8       30 s
LISTEN          9       120 s

UDP:
State                 Value
UDP Reply not seen    0
UDP Reply seen        1

ICMP:
There are no states for ICMP, it always shows proto_state=00.
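
Added example (not part of the original notes, and not Fortinet code): a Python parser that applies the protocol and state tables above to saved "diagnose sys session list" output. The sample text is constructed, and two things are assumptions of this example: the state is read from the last digit of proto_state, and no_reply simply means the reply packet counter is 0.

```python
import re

# State names and values as listed in the tables on this page.
TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN & SYN/ACK",
              4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
              8: "LAST_ACK", 9: "LISTEN"}
UDP_STATES = {0: "UDP Reply not seen", 1: "UDP Reply seen"}
PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: trimmed from this page, plus one invented half-open TCP session.
SAMPLE = """\
session info: proto=17 proto_state=01 duration=29 expire=150 timeout=0
statistic(bytes/packets/allow_err): org=147/1/1 reply=268/1/1 tuples=2
hook=post dir=org act=snat 192.168.1.240:63996->104.245.145.50:443(50.4.203.235:63996)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0

session info: proto=6 proto_state=11 duration=888 expire=3594 timeout=3600
statistic(bytes/packets/allow_err): org=62142/101/1 reply=56830/170/1 tuples=3
hook=post dir=org act=snat 192.168.1.240:51212->52.205.160.176:443(50.4.203.235:51212)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0

session info: proto=6 proto_state=02 duration=5 expire=115 timeout=3600
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/1 tuples=2
hook=post dir=org act=snat 192.168.1.240:40000->198.51.100.7:22(50.4.203.235:40000)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
"""

def parse_sessions(text):  # returns one dict per "session info:" block
    sessions = []
    for block in re.split(r"(?m)^(?=session info:)", text):
        head = re.search(r"proto=(\d+) proto_state=(\d)(\d)", block)
        stat = re.search(r"org=\d+/(\d+)/\d+ reply=\d+/(\d+)/\d+", block)
        if not (head and stat):
            continue
        proto, state = int(head.group(1)), int(head.group(3))
        flow = re.search(r"dir=org act=\w+ (\S+?)\(", block)
        policy = re.search(r"policy_id=(\d+)", block)
        sessions.append({
            "proto": PROTOS.get(proto, str(proto)),
            # Assumption: the table value is the last digit of proto_state.
            "state": {6: TCP_STATES, 17: UDP_STATES}.get(proto, {}).get(state, "n/a"),
            "org_pkts": int(stat.group(1)),
            "reply_pkts": int(stat.group(2)),
            "flow": flow.group(1) if flow else None,
            "policy_id": int(policy.group(1)) if policy else None,
            "no_reply": int(stat.group(2)) == 0,  # this example's own check
        })
    return sessions

if __name__ == "__main__": print(*parse_sessions(SAMPLE), sep="\n")
```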

diag sniffer packet any 'host 192.168.1.240 and icmp' 4
interfaces=[any]
filters=[host 192.168.1.240 and icmp]
13.564435 dmz in 192.168.1.240 -> 172.16.1.200: icmp: echo request
13.564597 internal2 out 192.168.1.240 -> 172.16.1.200: icmp: echo request
14.564647 dmz in 192.168.1.240 -> 172.16.1.200: icmp: echo request
14.564719 internal2 out 192.168.1.240 -> 172.16.1.200: icmp: echo request