
Show packet processing

Created: Nov 20, 2018 21:07:55 | Latest reply: Nov 22, 2018 07:51:16 (problem resolved)
Is there a debug command to show the packet processing the USG is doing, to see if it is getting NAT'ed, which security policy is being applied, inbound and outbound interface? So we know exactly where a problem lies when a session is not establishing.

The display firewall session table verbose only shows established traffic, but how do we troubleshoot TCP sessions that are not establishing? Having one debug output which shows the packet processing will be very useful.


Featured Answers
Mark.hu
Created Nov 22, 2018 07:51:16

If you don't have a session, you can use Quintuple Packet Capture to try to analyze what is causing this. Please see the link below for details.

Overview of Quintuple Packet Capture
Quintuple packet capture enables the FW to copy the passing packets and save or display them in a certain format on the FW.
Limitations and Precautions for Quintuple Packet Capture
This section describes the restrictions and precautions of the quintuple packet capture function.
Configuring Quintuple Packet Capture Using the Web UI
This section describes how to configure quintuple packet capture on the web UI.
Configuring Quintuple Packet Capture Using the CLI (USG6000 and NGFW Module)
This section describes how to use the CLI to configure quintuple packet capture, including setting the interface type and number, queue number, and IP address and port of the target host for receiving the captured packets.
Configuring Quintuple Packet Capture Using the CLI (USG9500)
This section describes how to use the CLI to configure quintuple packet capture for the USG9500 SPU and LPU.
Configuration Examples for Quintuple Packet Capture
This section provides quintuple packet capture configuration examples.


All Answers
Hello, you can set up a packet capture or port mirror for inbound or outbound traffic to verify the SYN TCP segments are reaching the USG and if they are arriving, then you can verify if USG is responding either with a SYN-ACK or RST and verify where the three-way handshake is failing.
Please find below a link with a guide for configuring both packet capture and port mirror for a USG6000 and 9500:
http://support.huawei.com/hedex/hdx.do?lib=EDOC1100013380AEH07301&docid=EDOC1100013380&lang=en&v=03&tocLib=EDOC1100013380AEH07301&tocV=03&id=sec_tro_0024&tocURL=resources%2ftro%2fsec%5ftro%5f0024%2ehtml&p=t&fe=1&ui=3&

Hope you find this information helpful.
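
Added example, not part of the original reply and not Huawei code: once a capture has been exported, the check described above (did the SYN get an answer, and was it a SYN-ACK or an RST) can be automated per quintuple. The record layout, function name and all addresses below are assumptions made for illustration.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

# Constructed sample records (time, src, sport, dst, dport, tcp_flags), as if
# exported from a capture taken on the firewall. All addresses are made up.
SAMPLE = [
    (0.00, "10.1.1.10", 40001, "192.0.2.20", 443, SYN),
    (1.00, "10.1.1.10", 40001, "192.0.2.20", 443, SYN),   # retransmission
    (3.00, "10.1.1.10", 40001, "192.0.2.20", 443, SYN),   # retransmission
    (0.10, "10.1.1.10", 40002, "192.0.2.21", 22, SYN),
    (0.11, "192.0.2.21", 22, "10.1.1.10", 40002, RST | ACK),
    (0.20, "10.1.1.10", 40003, "192.0.2.22", 80, SYN),
    (0.21, "192.0.2.22", 80, "10.1.1.10", 40003, SYN | ACK),
    (0.22, "10.1.1.10", 40003, "192.0.2.22", 80, ACK),
    (0.30, "10.1.1.10", 40004, "192.0.2.23", 80, SYN),
    (0.31, "192.0.2.23", 80, "10.1.1.10", 40004, SYN | ACK),
]

def classify_handshakes(records):
    """Group packets by quintuple (protocol is always TCP here) and report
    how far each three-way handshake got at this capture point."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "rst": False, "ack": False})
    for _, src, sport, dst, dport, flags in sorted(records):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            flows[fwd]["syn"] += 1             # initial SYN or a retransmission
        elif rev in flows:                     # packet travelling back to the initiator
            if flags & RST:
                flows[rev]["rst"] = True
            elif flags & SYN:
                flows[rev]["synack"] = True
        elif fwd in flows and flags & ACK and flows[fwd]["synack"]:
            flows[fwd]["ack"] = True           # final ACK completes the handshake
    verdicts = {}
    for key, f in flows.items():
        if f["rst"]:
            verdicts[key] = "reset: SYN answered with RST"
        elif f["ack"]:
            verdicts[key] = "established"
        elif f["synack"]:
            verdicts[key] = "half-open: SYN-ACK seen, final ACK missing"
        else:
            verdicts[key] = f"no reply: {f['syn']} SYN unanswered"
    return verdicts

if __name__ == "__main__":
    for quintuple, verdict in classify_handshakes(SAMPLE).items():
        print(quintuple, "->", verdict)
```

Running the same classification on captures from both the inbound and the outbound interface shows on which side of the firewall the handshake stops.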

What I'm specifically asking is a debug showing how the firewall is processing the traffic. Take this link for example from Juniper firewall, they have a debug option which shows how the firewall is processing the traffic and shows any errors why the traffic flow was not able to establish.

https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110

