
Checking the Session Table

This section describes how to check the session table using the CLI for fault locating.

Context

You can check the session table to locate faults.

  • If a session entry exists and the traffic is permitted by the security policy, possible causes of a service interruption include, but are not limited to, the following:
    • A hardware fault on the outgoing interface (for example, physical damage or a loose cable connection)
    • Packets being dropped by the downstream device
    • Incorrect route configuration (to check the outgoing interface and next hop of the session, run the display firewall session table verbose or display firewall ipv6 session table verbose command)
    • Packet loss or errors on the outgoing interface (to check the interface traffic statistics, run the display interface command)
    • Packets dropped by the firewall itself (for example, by bandwidth management or attack defense policies)
    • Configuration errors
  • If no session entry is established for the service, possible causes include, but are not limited to, the following:
    • Packets do not reach the FW because of a fault on an upstream device or an incorrect route configuration.
    • The security policy on the FW blocks the packets, for example because the policy action is Deny or the source IP address is blacklisted.
    • A hardware fault on the incoming interface, for example a damaged interface card or a loose network cable.
    • Attack defense functions other than the blacklist discard the packets.
    • Bandwidth management limits the number of sessions. When the session count exceeds the configured upper threshold, no new sessions can be established and the packets are discarded.
    • Configuration errors

Procedure

  1. Access the system view.

    system-view

  2. Check IPv4 session table information.

    • display firewall session table [ verbose ] [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | application application-name | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | uniderection ] *
    • display firewall session table verbose [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | application application-name | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | uniderection | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *
    • display firewall session table [ verbose ] all-systems [ source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | { local | remote } ] *

    • display firewall session table verbose all-systems [ source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | { local | remote } | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *

    • display firewall session table [ verbose ] slb [ destination { vip start-vip-address [ to end-vip-address ] | rip start-rip-address [ to end-rip-address ] } | source start-source-address [ to end-source-address ] | destination-port { vport vport-number | rport rport-number } | source-port source-port-number | slot slot-id cpu cpu-id ] *

    • display firewall session table [ verbose ] session-id session-id

    In a hot standby (dual-system hot backup) deployment, add local or remote to the display firewall session table command to display the session table of the local device or of the peer device.

    A session table typically contains a large number of entries. To narrow down the output and locate the fault faster, these commands accept multiple filter parameters that select which entries are displayed.

    For NAT64 sessions, when you query a session by source/destination address or port, you can use only the address or port before NAT, not the address or port after NAT.

    If the address before NAT is an IPv4 address, use the display firewall session table [ verbose ] command with one or more of the following parameters: source inside start-ip-address [ to end-ip-address ], destination global start-ip-address [ to end-ip-address ], source-port inside port-number, and destination-port global port-number.

    Without the verbose parameter, only abbreviated session information is displayed, in the following format:

     Current Total Sessions : NUM
      TYPE  VPN:SRCVPN --> DSTVPN SRCIP --> DSTIP

    With the verbose parameter, detailed session information is displayed, in the following format:

     Current Total Sessions : NUM
      TYPE  VPN:SRCVPN --> DSTVPN  ID: ID-NUMBER
      Zone: SRCZONE--> DSTZONE  Remote  TTL: TOTALTIME  Left: LEFTTIME
      Interface: OUTINTERFACE  Nexthop: IP-ADDRESS  MAC: MACADDRESS
      <-- packets:NUMBER bytes:BYTES   --> packets:NUMBER bytes:BYTES
      SRCIP --> DSTIP PolicyName: POLICYNAME
      TCP State: TCP State

    Table 1 shows the meaning of each field. The uppercase placeholders (NUM, SRCVPN, and so on) vary with the actual session.

    Table 1 Parameters of a session entry

    TYPE
      Protocol type of the session. The value range is the same as that of the protocol parameter of the display firewall session table command.

    VPN:SRCVPN --> DSTVPN
      Source and destination VPN instances of the session.

    ID: ID-NUMBER
      ID of the session. It can be passed to the session-id parameter to display this entry alone.

    Zone: SRCZONE--> DSTZONE
      Source and destination security zones of the session.

    Remote
      Displayed only in a hot standby scenario: the entry is a backup session that was synchronized from the peer device.

    TTL: TOTALTIME
      Lifetime (aging time) of the session entry.

    Left: LEFTTIME
      Remaining lifetime of the session entry.

    Interface: OUTINTERFACE
      Outgoing interface.

    Nexthop: IP-ADDRESS
      Next-hop IP address.

    MAC: MACADDRESS
      Next-hop MAC address.

    <-- packets:NUMBER bytes:BYTES
      Reverse packets and bytes of the session. <== indicates that hardware-based fast forwarding is applied to the reverse packets of the session; <-- indicates that it is not.

    --> packets:NUMBER bytes:BYTES
      Forward packets and bytes of the session. For a healthy bidirectional session the forward and reverse counters are normally comparable. If the forward packet and byte counts are smaller than the reverse counts, some forward packets are being discarded. ==> indicates that hardware-based fast forwarding is applied to the forward packets of the session; --> indicates that it is not.

    SRCIP --> DSTIP
      Source IP address and port, and destination IP address and port, of the session. Each endpoint is displayed as x.x.x.x:port; if NAT is applied to that endpoint, its post-NAT address and port follow in square brackets, as in x.x.x.x:portx[y.y.y.y:porty]. If NAT is not applied, no brackets are displayed.

    PolicyName: POLICYNAME
      Name of the security policy that the packets matched.

    TCP State
      TCP connection status. Displayed only for TCP sessions:
      • connecting: The device has received the first SYN packet; the TCP connection is being established.
      • Established: The device has received the ACK packet; the TCP connection has been established.
      • fin-1: The device has received the first FIN packet; the TCP connection is being torn down.
      • close: The device has received the second FIN packet; the TCP connection has been torn down.

  3. Display the IPv6 session table.

    • display firewall ipv6 session table [ vsys vsys ] [ source-zone source-zone | destination-zone destination-zone| { default-policy | policy policy-name } | source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | application application-type | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | slot slot-id cpu cpu-id ] *

    • display firewall ipv6 session table verbose [ vsys vsys ] [ source-zone source-zone | destination-zone destination-zone| { default-policy | policy policy-name } | source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | application application-type | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | slot slot-id cpu cpu-id | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *

    • display firewall ipv6 session table all-systems [ source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | { local | remote } | slot slot-id cpu cpu-id ] *

    • display firewall ipv6 session table verbose all-systems [ source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | { local | remote } | slot slot-id cpu cpu-id | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *

    • display firewall ipv6 session table [ verbose ] session-id session-id

    For NAT64 sessions, when you query a session by source/destination address or port, you can use only the address or port before NAT, not the address or port after NAT.

    If the address before NAT is an IPv6 address, use the display firewall ipv6 session table [ verbose ] command with one or more of the following parameters: source inside start-ipv6-address [ to end-ipv6-address ], destination global start-ipv6-address [ to end-ipv6-address ], source-port inside port-number, and destination-port global port-number.

  4. Configure the device to send session details to the specified FTP server (such as a PC).

    export firewall session table ftp-server server-address username password file-name

    All models except USG6635E/6655E, USG6680E and USG6712E/6716E support this command.

    The FTP server must listen on the default port 21; otherwise the export fails. FTP transfers the login credentials and the exported session table in cleartext, so export only to a server on a trusted management network.

Example

The format of abbreviated session information is as follows:

<FW> display firewall session table service telnet
 Current Total Sessions : 2 
  telnet  VPN:public --> public 10.18.196.2:1952-->10.18.196.200:23
  telnet  VPN:public --> public 10.18.196.25:1517-->10.18.196.200:23

In this example, using the service parameter displays only Telnet sessions. There are two Telnet sessions in total. 10.18.196.200 is the IP address of the device. Two Telnet users are connected to the device. The user at 10.18.196.2 uses port 1952. The user at 10.18.196.25 uses port 1517.

The format of detailed session information is as follows:

<FW> display firewall session table verbose
 Current total sessions: 1           
  icmp  VPN:public --> public  ID: a48f3648905d02c0553591da1        
  Zone: local--> trust  Remote  TTL: 00:00:20  Left: 00:00:08    
  Interface: GigabitEthernet0/0/1  Nexthop: 10.1.1.1  MAC: 000f-e225-db4f    
  <-- packets:6 bytes:390   --> packets:8 bytes:340     
  10.1.1.1:43981-->10.1.1.10:43981 PolicyName: test

This example shows the session from port 43981 at 10.1.1.1 in the Local zone to port 43981 at 10.1.1.10 in the Trust zone.
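As an added example (not Huawei's code; the sample output is constructed to the verbose format shown in step 2 and is not a real capture), the following Python script parses IPv4 session-table output and applies the checks from the Context section: forward counters below the reverse counters, a forward flow that never gets a reply, entries backed up from a hot-standby peer, and TCP sessions that are not in the Established state. The NAT bracket notation and the <==/==> fast-forwarding markers follow Table 1; the zone names, policy names, addresses and session IDs in the sample are assumptions.

```python
"""Parse 'display firewall session table verbose' output and flag sessions whose
fields point at one of the fault causes listed in the Context section.
Added example, not Huawei's code; the sample output below is constructed."""
import re
from dataclasses import dataclass, field

# One pattern per line type of the verbose format (see Table 1).
_HEADER = re.compile(r'^\s*(?P<proto>\S+)\s+VPN:\S+\s*-->\s*\S+\s+ID:\s*(?P<sid>\S+)')
_ZONE = re.compile(r'^\s*Zone:\s*(?P<szone>\S+?)\s*-->\s*(?P<dzone>\S+)(?P<remote>\s+Remote)?'
                   r'\s+TTL:\s*(?P<ttl>[\d:]+)\s+Left:\s*(?P<left>[\d:]+)')
_IFACE = re.compile(r'^\s*Interface:\s*(?P<iface>\S+)\s+Nexthop:\s*(?P<nexthop>\S+)')
_COUNT = re.compile(r'^\s*(?P<rarrow><--|<==)\s*packets:(?P<rpk>\d+)\s+bytes:\d+'
                    r'\s+(?P<farrow>-->|==>)\s*packets:(?P<fpk>\d+)\s+bytes:\d+')
_FLOW = re.compile(r'^\s*(?P<src>\S+?)-->(?P<dst>\S+)\s+PolicyName:\s*(?P<policy>\S+)')
_TCP = re.compile(r'^\s*TCP State:\s*(?P<state>\S+)')
# x.x.x.x:port, optionally followed by that endpoint's post-NAT [y.y.y.y:port].
_ENDPOINT = re.compile(r'^(?P<ip>[\d.]+):(?P<port>\d+)(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?$')


@dataclass
class Session:
    proto: str
    sid: str
    src_zone: str = ''
    dst_zone: str = ''
    remote: bool = False       # backup entry synchronized from the hot-standby peer
    ttl: int = 0               # lifetime in seconds
    left: int = 0              # remaining lifetime in seconds
    iface: str = ''
    nexthop: str = ''
    rev_packets: int = 0
    fwd_packets: int = 0
    rev_fast: bool = False     # '<==': hardware fast forwarding on the reverse path
    fwd_fast: bool = False     # '==>': hardware fast forwarding on the forward path
    src: dict = field(default_factory=dict)
    dst: dict = field(default_factory=dict)
    policy: str = ''
    tcp_state: str = ''


def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(':'))
    return h * 3600 + m * 60 + s


def _endpoint(text):
    m = _ENDPOINT.match(text)
    if not m:
        raise ValueError('unrecognised endpoint: %r' % text)
    ep = {'ip': m['ip'], 'port': int(m['port'])}
    if m['nat_ip']:
        ep.update(nat_ip=m['nat_ip'], nat_port=int(m['nat_port']))
    return ep


def parse_sessions(output):
    """Return one Session per entry; the 'Current Total Sessions' banner is skipped."""
    sessions, cur = [], None
    for line in output.splitlines():
        if m := _HEADER.match(line):
            cur = Session(proto=m['proto'], sid=m['sid'])
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := _ZONE.match(line):
            cur.src_zone, cur.dst_zone = m['szone'], m['dzone']
            cur.remote = m['remote'] is not None
            cur.ttl, cur.left = _seconds(m['ttl']), _seconds(m['left'])
        elif m := _IFACE.match(line):
            cur.iface, cur.nexthop = m['iface'], m['nexthop']
        elif m := _COUNT.match(line):
            cur.rev_packets, cur.fwd_packets = int(m['rpk']), int(m['fpk'])
            cur.rev_fast, cur.fwd_fast = m['rarrow'] == '<==', m['farrow'] == '==>'
        elif m := _FLOW.match(line):
            cur.src, cur.dst, cur.policy = _endpoint(m['src']), _endpoint(m['dst']), m['policy']
        elif m := _TCP.match(line):
            cur.tcp_state = m['state']
    return sessions


def diagnose(s):
    """Findings for one session, following the fault-locating hints in the Context section."""
    findings = []
    if s.remote:
        findings.append('backup entry from the hot-standby peer; read the live counters on the peer')
    if s.fwd_packets and not s.rev_packets:
        findings.append('no reverse packets: the far end or the return path via %s is not answering'
                        % s.nexthop)
    elif s.fwd_packets < s.rev_packets:
        findings.append('forward packets (%d) below reverse packets (%d): drops on the forward path, '
                        'check interface %s' % (s.fwd_packets, s.rev_packets, s.iface))
    if s.proto == 'tcp' and s.tcp_state and s.tcp_state.lower() != 'established':
        findings.append('TCP state %s: connection not (or no longer) established' % s.tcp_state)
    return findings


# Constructed sample in the documented format (three entries, not a real capture).
SAMPLE = """\
 Current Total Sessions : 3
  icmp  VPN:public --> public  ID: a48f3648905d02c0553591da1
  Zone: local--> trust  Remote  TTL: 00:00:20  Left: 00:00:08
  Interface: GigabitEthernet0/0/1  Nexthop: 10.1.1.1  MAC: 000f-e225-db4f
  <-- packets:6 bytes:390   --> packets:8 bytes:340
  10.1.1.1:43981-->10.1.1.10:43981 PolicyName: test
  tcp  VPN:public --> public  ID: 0000000000000000000000002
  Zone: trust--> untrust  TTL: 00:20:00  Left: 00:19:30
  Interface: GigabitEthernet0/0/2  Nexthop: 203.0.113.1  MAC: 000f-e225-aa01
  <== packets:40 bytes:52000   --> packets:12 bytes:1800
  192.168.10.5:51034[203.0.113.10:2049]-->198.51.100.20:443 PolicyName: allow_web
  TCP State: Established
  tcp  VPN:public --> public  ID: 0000000000000000000000003
  Zone: trust--> untrust  TTL: 00:00:10  Left: 00:00:04
  Interface: GigabitEthernet0/0/2  Nexthop: 203.0.113.1  MAC: 000f-e225-aa01
  <-- packets:0 bytes:0   --> packets:3 bytes:180
  192.168.10.7:40022[203.0.113.10:2050]-->198.51.100.30:22 PolicyName: allow_ssh
  TCP State: connecting
"""

if __name__ == '__main__':
    for s in parse_sessions(SAMPLE):
        print(s.proto, s.src, '->', s.dst, 'policy', s.policy)
        for f in diagnose(s):
            print('   !', f)
```

Feed it the output of display firewall session table verbose, narrowed with a filter such as destination global or session-id, instead of SAMPLE. Querying the same session-id twice and comparing the parsed counters shows which direction has stopped moving, which is the quickest way to tell a dead return path from a forward-path drop.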

The format of abbreviated IPv6 session information is as follows:

<FW> display firewall ipv6 session table
 Current Total IPv6 Sessions : 1
---------------------------------------------------------------------
  Source Address      : 2043::53
  Destination Address : 3001:2001:1001:101:11::38
  Source Port         : 43988
  Destination Port    : 2048
  Protocol            : ICMP6
Copyright © Huawei Technologies Co., Ltd.