Sunday, May 31, 2020

Sessions

Let's see how to monitor for and clear a specific session.

Using the same flow from the last blog, Logs and Debug, let's find the session and then clear it.

FG1 (VDOM1) # diagnose sys session filter clear

FG1 (VDOM1) # diagnose sys session filter src 192.168.250.50

FG1 (VDOM1) # diagnose sys session filter dst 192.168.100.220

FG1 (VDOM1) # diagnose sys session list

Logs and Debugs.

In this blog we will look at log entries via the CLI along with some more debugging.

We will be trying to ssh from VDOM1 IP 192.168.250.50 to a device in the root VDOM on IP 192.168.100.220.

The connection is failing. Below are a few things to look at when troubleshooting this scenario.

CHECK DEBUG FLOW FILTER.

FG1 (VDOM1) # diagnose debug flow filter saddr 192.168.250.50

FG1 (VDOM1) # diagnose debug flow filter daddr 192.168.100.220

FG1 (VDOM1) # diagnose debug enable

FG1 (VDOM1) # diagnose debug flow trace start

FG1 (VDOM1) # id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-VDOM1:0 received a packet(proto=6, 192.168.250.50:49988->192.168.100.220:22) from port4. flag [S], seq 2872570577, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5682 msg="allocate a new session-00018033"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.1.1.1 via IVL_VDOM1"
id=20085 trace_id=1 func=fw_forward_handler line=753 msg="Allowed by Policy-3:"

FG1 (VDOM1) #


Looks good from a routing and policy perspective in VDOM1.
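As an added example (my own code, not from the original post or from Fortinet), here is a small Python parser for `diagnose debug flow` output like the trace above. It groups lines by trace_id and pulls out the 5-tuple, ingress port, session id, route and the policy verdict, so a long trace can be reduced to one line per packet. The sample is constructed: the first trace is the one from the post, the second is a made-up denied packet, and the exact wording of its "Denied by ..." message is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: trace_id=1 is the trace from the post (prompt included);
# trace_id=2 is a made-up denied packet so the deny path is exercised too.
SAMPLE_TRACE = """\
FG1 (VDOM1) # id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-VDOM1:0 received a packet(proto=6, 192.168.250.50:49988->192.168.100.220:22) from port4. flag [S], seq 2872570577, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5682 msg="allocate a new session-00018033"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.1.1.1 via IVL_VDOM1"
id=20085 trace_id=1 func=fw_forward_handler line=753 msg="Allowed by Policy-3:"
id=20085 trace_id=2 func=print_pkt_detail line=5517 msg="vd-VDOM1:0 received a packet(proto=6, 192.168.250.51:50000->192.168.100.220:22) from port4. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
"""

# One debug flow line: we only need trace_id and the quoted msg= text.
LINE_RE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"$')
# Named groups become keys in the per-trace dict when a pattern matches a msg.
FIELD_RES = [
    re.compile(r'\(proto=(?P<proto>\d+), (?P<src>\S+:\d+)->(?P<dst>\S+:\d+)\) from (?P<ingress>\S+)\.'),
    re.compile(r'new session-(?P<session>\d+)'),
    re.compile(r'gw-(?P<gateway>\S+) via (?P<egress>\S+)'),
    re.compile(r'(?P<verdict>Allowed|Denied) by '),
    re.compile(r'[Pp]olicy[- ]?\(?(?P<policy>\d+)'),
]

def parse_debug_flow(text: str) -> Dict[int, dict]:
    """Group debug flow lines by trace_id and extract the fields above."""
    traces: Dict[int, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:            # prompts, blank lines and other noise are skipped
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"trace_id": tid})
        for rx in FIELD_RES:
            f = rx.search(msg)
            if f:
                t.update({k: v for k, v in f.groupdict().items() if v is not None})
    return traces

def verdict_summary(traces: Dict[int, dict]) -> List[str]:
    """One line per trace: flow, in/out interface, verdict and policy id."""
    return [
        f"trace {t['trace_id']}: {t.get('src')} -> {t.get('dst')} "
        f"in {t.get('ingress')} out {t.get('egress', '?')} "
        f"{t.get('verdict', 'no verdict')} policy {t.get('policy', '?')}"
        for t in traces.values()
    ]

if __name__ == "__main__":
    print("\n".join(verdict_summary(parse_debug_flow(SAMPLE_TRACE))))
```

A trace that never reaches `fw_forward_handler` shows up as "no verdict", which usually points at a routing or session problem rather than a policy one.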