Issue

Information

Cause

Samples

Solution

  1. First, how to stop or disable diag debug
    1. You can enter these commands while the diag output is still running:

      diag debug disable   or "di de di" 
      diag debug reset  or "di de re" 


  2. Check the current diag settings and reset them

      Firewall # diagnose settings
      reset    Reset all diagnose settings.
      info     Show all diagnose settings.
      
      Firewall # diagnose settings info
      debug output:           disable
      console timestamp:      disable
      console no user log message:    disable
      CLI debug level:        3
      sessionsync test level: 1
      ipsmonitor test level:  22
      reportd test level:     6
      quarantined test level: 1
      
      Firewall #
      Firewall # diagnose settings reset
      
      Firewall # diagnose settings info
      debug output:           disable
      console timestamp:      disable
      console no user log message:    disable
      CLI debug level:        3
      
      Firewall #


  3. Trace all network packets related to an IP address, such as 8.8.8.8
    1. Enter the following diag debug commands:

      diag debug enable
      diag debug flow filter addr 8.8.8.8
      diag debug flow show console enable
      diag debug flow show function-name enable
      diag debug flow trace start 1000
      
      ### - sample 1 output - ###
      
      id=20085 trace_id=59 func=resolve_ip_tuple_fast line=4946 msg="Find an existing session, id-014d61fc, original direction"
      id=20085 trace_id=59 func=npu_handle_session44 line=905 msg="Trying to offloading session from internal1 to wan2, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
      id=20085 trace_id=59 func=__ip_session_run_tuple line=2842 msg="SNAT 192.168.11.22->192.168.11.4:57701"
      id=20085 trace_id=59 func=__ip_session_run_tuple line=2893 msg="run helper-dns-udp(dir=original)"
      id=20085 trace_id=60 func=print_pkt_detail line=4882 msg="vd-root received a packet(proto=1, 192.168.99.100:1003->8.8.8.8:2048) from internal4. type=8, code=0, id=1003, seq=0."
      id=20085 trace_id=60 func=init_ip_session_common line=5026 msg="allocate a new session-014d6512"
      id=20085 trace_id=60 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-48.18.3.1 via wan22"
      id=20085 trace_id=60 func=fw_forward_handler line=712 msg="Allowed by Policy-122: SNAT"
      id=20085 trace_id=60 func=__ip_session_run_tuple line=2842 msg="SNAT 192.168.99.100->48.18.3.1:62464"
      id=20085 trace_id=61 func=print_pkt_detail line=4882 msg="vd-root received a packet(proto=1, 8.8.8.8:62464->48.18.3.1:0) from wan2. type=0, code=0, id=62464, seq=0."
      
      
      -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
      
      
      diag debug reset
      diag debug flow filter clear
      diag debug flow filter addr 8.8.8.8
      diag debug flow show console enable
      diag debug flow show iprope enable
      diag debug flow show function-name enable
      diag debug console timestamp enable
      diag debug enable
      diag debug flow trace start 1000
      
      
      ### - sample 2 output - ###
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=print_pkt_detail line=4882 msg="vd-root received a packet(proto=1, 192.168.222.11:20->8.8.8.8:2048) from msc-guest. type=8, code=0, id=20, seq=1."
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=init_ip_session_common line=5026 msg="allocate a new session-0319942b"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=iprope_dnat_check line=4562 msg="in-[msc-guest], out-[]"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=iprope_dnat_tree_check line=835 msg="len=0"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=iprope_dnat_check line=4575 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-47.188.39.1 via wan2"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=iprope_fwd_check line=703 msg="in-[msc-guest], out-[wan2], skb_flags-00800000, vid-0"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=__iprope_check_one_policy line=1700 msg="checked gnum-100004 policy-97, ret-matched, act-accept"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=__iprope_user_identity_check line=1526 msg="ret-matched"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=get_new_addr line=2730 msg="find SNAT: IP-47.188.39.2(from IPPOOL), port-14933"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=__iprope_check_one_policy line=1896 msg="policy-97 is matched, act-accept"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=iprope_fwd_auth_check line=755 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-97"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=iprope_reverse_dnat_check line=914 msg="in-[msc-guest], out-[wan2], skb_flags-00800000, vid-0"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=fw_forward_handler line=712 msg="Allowed by Policy-97: SNAT"
      2018-02-15 09:42:28 id=20085 trace_id=5747 func=__ip_session_run_tuple line=2842 msg="SNAT 192.168.222.11->47.188.39.2:14933"
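
The flow-trace output above is easier to review once it is grouped by trace_id and reduced to one verdict per packet. The following Python parser is an added example, not part of the original page or of any Fortinet tool; trace_id 59 and 60 are copied from sample 1, while trace_id 70 is a constructed deny case whose message wording and line number are assumptions.

```python
import re

# Constructed input: trace_id 59/60 are copied from sample 1 on this page;
# trace_id 70 is a constructed deny case (message wording is an assumption).
SAMPLE = r'''
id=20085 trace_id=59 func=resolve_ip_tuple_fast line=4946 msg="Find an existing session, id-014d61fc, original direction"
id=20085 trace_id=59 func=__ip_session_run_tuple line=2842 msg="SNAT 192.168.11.22->192.168.11.4:57701"
id=20085 trace_id=60 func=print_pkt_detail line=4882 msg="vd-root received a packet(proto=1, 192.168.99.100:1003->8.8.8.8:2048) from internal4. type=8, code=0, id=1003, seq=0."
id=20085 trace_id=60 func=init_ip_session_common line=5026 msg="allocate a new session-014d6512"
id=20085 trace_id=60 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-48.18.3.1 via wan22"
id=20085 trace_id=60 func=fw_forward_handler line=712 msg="Allowed by Policy-122: SNAT"
id=20085 trace_id=60 func=__ip_session_run_tuple line=2842 msg="SNAT 192.168.99.100->48.18.3.1:62464"
2018-02-15 09:42:30 id=20085 trace_id=70 func=print_pkt_detail line=4882 msg="vd-root received a packet(proto=1, 192.168.222.11:21->8.8.8.8:2048) from msc-guest. type=8, code=0, id=21, seq=1."
2018-02-15 09:42:30 id=20085 trace_id=70 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-47.188.39.1 via wan2"
2018-02-15 09:42:30 id=20085 trace_id=70 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
'''

# Matches lines with or without the optional console timestamp prefix.
LINE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"')
RULES = [  # (pattern applied to msg, record fields filled from its groups)
    (re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.'),
     ('proto', 'src', 'dst', 'in_if')),
    (re.compile(r'find a route: .* via (\S+)'), ('out_if',)),
    (re.compile(r'(Allowed) by Policy-(\d+)'), ('action', 'policy')),
    (re.compile(r'(Denied) by .*\(policy (\d+)\)'), ('action', 'policy')),
    (re.compile(r'^SNAT \S+->(\S+)'), ('snat',)),
]

def summarize(text):
    """Group debug-flow lines by trace_id and extract the per-packet fields."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # blank lines, CLI echo, separators
        rec = traces.setdefault(int(m.group(1)), {})
        for rx, fields in RULES:
            hit = rx.search(m.group(2))
            if hit:
                rec.update(zip(fields, hit.groups()))
    return traces

def unresolved(traces):
    """Trace ids that carry no Allowed/Denied line in the captured output."""
    return [tid for tid, rec in traces.items() if 'action' not in rec]

if __name__ == '__main__':
    for tid, rec in summarize(SAMPLE).items():
        print(tid, rec.get('action', 'no verdict'), rec.get('policy'),
              rec.get('src'), '->', rec.get('dst'), 'snat', rec.get('snat'))
```

Traces returned by unresolved() have no policy verdict in the capture; in sample 1 that is trace_id 59, the packet matched to an existing session.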
      
      
       




    1. Enter the following diag debug commands to debug the DNS proxy (dnsproxy) application:

      diag debug enable
      diag debug application dnsproxy -1
      
      
      ### - sample output - ###
      
      udp_receive_request()-1991
      handle_dns_request()-1395: id:0x9b0e pktlen=44, qr=0 req_type=3
      get_intf_policy()-848: ifindex=7
      dns_parse_message()-654
      dns_nat64_update_request()-270
      dns_local_lookup()-2107: vfid=0 qname=docs.google.com, qtype=1, qclass=1, offset=33, map#=3 max_sz=512
      dns_lookup_aa_zone()-496: vfid=0, fqdn=docs.google.com
      dns_forward_request()-930
      dns_send_resol_request()-762: id=0xc089 domain=docs.google.com
      dns_find_best_server()-366: vfid=0 profiled=0
      dns_send_resol_request()-849: Send 44B to 62.72.64.237:53 via fd=16 request:1 dns_num:2
      udp_receive_request()-1991
      batch_on_read()-2317
      udp_receive_response()-2198
      udp_receive_response()-2217: vd-0: len=60, addr=62.72.64.237:53
      handle_dns_response()-1791: id:0xc089 domain=docs.google.com pktlen=60
      dns_set_min_ttl()-163: QR: docs.google.com
      dns_set_min_ttl()-171: Offset of 1st RR: 33 Number of RR's: 2
      dns_set_min_ttl()-181: RR TTL: 170
      dns_set_min_ttl()-181: RR TTL: 32768
      dns_cache_response()-246: Min ttl = 170
      dns_forward_response()-1131
      dns_secure_forward_response()-1077: category=255 profile=none
      dns_visibility_log_hostname()-235: vd=0 pktlen=60
      hostname_entry_insert()-140: af=2 domain=docs.google.com
      __dns_forward_response()-989
      __dns_forward_response()-995: vd-0 Send 60B via fd=13, family=2
      __dns_forward_response()-998: set svf of fd to 0
      dns_query_delete()-398: id:0xc089 active tcp_req=(nil)
      udp_receive_response()-2198
      udp_receive_request()-1991
      handle_dns_request()-1395: id:0x3349 pktlen=65, qr=0 req_type=3
      get_intf_policy()-848: ifindex=7
      dns_parse_message()-654
      dns_nat64_update_request()-270
      dns_local_lookup()-2107: vfid=0 qname=p24-keyvalueservice.fe.apple-dns.net, qtype=1, qclass=1, offset=54, map#=4 max_sz=512
      dns_lookup_aa_zone()-496: vfid=0, fqdn=p24-keyvalueservice.fe.apple-dns.net
      dns_forward_request()-930
      dns_send_resol_request()-762: id=0xc0da domain=p24-keyvalueservice.fe.apple-dns.net
      dns_find_best_server()-366: vfid=0 profiled=0
      dns_send_resol_request()-849: Send 65B to 62.72.64.237:53 via fd=16 request:1 dns_num:2
      udp_receive_request()-1991
      batch_on_read()-2317
      udp_receive_response()-2198
      udp_receive_response()-2217: vd-0: len=330, addr=62.72.64.237:53
      handle_dns_response()-1791: id:0xc0da domain=p24-keyvalueservice.fe.apple-dns.net pktlen=330
      dns_set_min_ttl()-163: QR: p24-keyvalueservice.fe.apple-dns.net
      dns_set_min_ttl()-171: Offset of 1st RR: 54 Number of RR's: 13
      dns_set_min_ttl()-181: RR TTL: 178
      dns_set_min_ttl()-181: RR TTL: 178
      dns_set_min_ttl()-181: RR TTL: 7562
      dns_set_min_ttl()-181: RR TTL: 32768
      dns_cache_response()-246: Min ttl = 178
      dns_forward_response()-1131
      dns_secure_forward_response()-1077: category=255 profile=none
      dns_visibility_log_hostname()-235: vd=0 pktlen=330
      hostname_entry_insert()-140: af=2 domain=p24-keyvalueservice.fe.apple-dns.net
      hostname_entry_insert()-140: af=2 domain=p24-keyvalueservice.fe.apple-dns.net
      hostname_entry_insert()-140: af=2 domain=p24-keyvalueservice.fe.apple-dns.net
      __dns_forward_response()-989
      __dns_forward_response()-995: vd-0 Send 330B via fd=13, family=2
      __dns_forward_response()-998: set svf of fd to 0
      __dns_forward_response()-1033: vd=0 send 330B response 192.168.10.254:53=>192.168.10.22:57872
      dns_query_delete()-398: id:0xc0da active tcp_req=(nil)
      udp_receive_response()-2198
      handle_hostname_add_msg()-545
      dns_visibility_log_hostname()-235: vd=0 pktlen=182
      hostname_entry_insert()-140: af=2 domain=p24-keyvalueservice.fe.apple-dns.net
      hostname_entry_insert()-140: af=2 domain=p24-keyvalueservice.fe.apple-dns.net
      hostname_entry_insert()-140: af=2 domain=p24-keyvalueservice.fe.apple-dns.net
      batch_on_read()-2317
      udp_receive_request()-1991
      udp_receive_request()-2045: vd=0, intf=7, len=48, alen=16, 192.168.10.22:57588=>192.168.10.254
      handle_dns_request()-1395: id:0xe831 pktlen=48, qr=0 req_type=3
      get_intf_policy()-848: ifindex=7
      dns_parse_message()-654
      dns_nat64_update_request()-270
      dns_local_lookup()-2107: vfid=0 qname=s-0001.s-msedge.net, qtype=1, qclass=1, offset=37, map#=3 max_sz=512
      dns_lookup_aa_zone()-496: vfid=0, fqdn=s-0001.s-msedge.net
      
      



Workaround

Notes
