HUAWEI USG6000, USG9500, and NGFW Module V500 Troubleshooting Guide

This document provides maintenance guides for the USG6000 series, USG9500 series, and NGFW Module of the V500 version, including troubleshooting guides, typical troubleshooting cases, and FAQs.

Tracing Packets


You can use packet tracing to locate faults in the following scenarios:

  1. Traffic processing on the FW is suspected to be abnormal: use the packet tracing function to view the result of each processing stage a packet goes through on the FW, and locate the fault accordingly.
  2. You want to check how the FW processes traffic: internal processing on the FW varies according to the traffic type. To confirm how traffic is processed and to identify flows that may be abnormal, perform packet tracing on the FW.

Web UI

  1. On the web UI, choose Monitor > Diagnosis Center > Policy Tracing and set the diagnosis mode to Existing network traffic.
  2. Set the parameters required for packet tracing. Keep the diagnosis parameters as narrow as the troubleshooting task allows, to prevent excessive CPU usage and unstable device running caused by an overly large diagnosis scope.

  3. Use the debugging information to check whether packets reach the FW, whether they are properly forwarded, and whether they are discarded. You can also export the results for analysis.

CLI

  1. Configure an ACL that contains only the packets to be traced.

    <sysname> system-view 
    [sysname] acl number 3333
    [sysname-acl-adv-3333] rule permit ip source 192.168.1.11 0 destination 192.168.1.225 0
    [sysname-acl-adv-3333] quit
    [sysname] quit

  2. Enable packet tracing. After the debugging of data plane packet tracing is enabled, the debugging information shows that packets are discarded because they fail to pass the interface access management check.

    <sysname> debugging dataplane trace acl 3333 number 1
    <sysname> terminal debugging
    <sysname> terminal monitor
    <sysname> 
    # <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> public TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0
    Layer 3 dispatch
    PASS: New packet arrived.

    # <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> public TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0
    Hook station process
    PASS: Flow match pre-hook hook station done

    # <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> public TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0
    Service_manager_packet_filter  // Indicates that traffic passes the interface access management check. You can perform troubleshooting according to relevant configurations.
    Srvmanage ipv4 packet in:next-hop=-1062731295, value=191

    # <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> public TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0
    Layer 3 process
    packet filter recv packet

    # <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> public TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0
    packet filter process
    DROP: packet filter lc deny

    # <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> public TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0
    Layer 3 process
    PASS: Layer 3 Flow process done

    # <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> public TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0
    Layer 3 process
    DROP: Packet drop reason: PACKET FILTER  // Indicates that packet loss is caused by a security policy. You need to check whether the security policy is correctly configured.
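
The following is an added example, not part of Huawei's guide: a small Python parser for saved trace output in the format shown above, which groups records per flow and lists the stages that ended in DROP. The field layout is inferred from this page's sample only; the names `parse_trace` and `drops`, the optional `flag:` field, and the tolerance for a header wrapped at 80 columns are assumptions of the example.

```python
import re

# Header layout inferred from the sample trace; the <..> tag and counter stay opaque.
HEADER = re.compile(
    r"^#\s*<[^>]*>\s+\d+\s+interface:(?P<iface>\S+)\s+zone:(?P<zone>\S+)\s+"
    r"VRF:\S+\s*->\s*.+?\s+(?P<proto>[A-Z0-9]+)(?:\s+flag:\S+)?\s+"
    r"(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s+pkt-id:(?P<pkt_id>\d+)"
)
VERDICT = re.compile(r"^(PASS|DROP):\s*(.*)$")

def parse_trace(text):
    """Group trace records per flow: {flow_key: [{stage, verdict, detail}, ...]}."""
    flows, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop the guide's inline annotations
        if not line:
            continue
        m = HEADER.match(line)
        if m:  # every record starts with a header line
            key = tuple(m[f] for f in ("iface", "zone", "proto", "src", "dst", "pkt_id"))
            cur = {"stage": None, "verdict": None, "detail": ""}
            flows.setdefault(key, []).append(cur)
        elif cur is not None:
            v = VERDICT.match(line)
            if v:
                cur["verdict"], cur["detail"] = v.group(1), v.group(2)
            elif cur["stage"] is None:
                cur["stage"] = line  # first body line names the processing stage
            elif not cur["detail"]:
                cur["detail"] = line
    return flows

def drops(flows):
    """Return (flow_key, stage, detail) for every record that ended in DROP."""
    return [(k, r["stage"], r["detail"])
            for k, recs in flows.items() for r in recs if r["verdict"] == "DROP"]

# Sample: three records trimmed from this page's trace; the last header keeps the 80-column wrap.
HDR = ("# <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> "
       "public TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0")
SAMPLE = "\n".join([
    HDR, "Layer 3 dispatch", "PASS: New packet arrived.", "",
    HDR, "packet filter process", "DROP: packet filter lc deny", "",
    HDR.replace("-> public", "-> publi c"), "Layer 3 process",
    "DROP: Packet drop reason: PACKET FILTER  // security policy",
])

if __name__ == "__main__":
    for key, stage, detail in drops(parse_trace(SAMPLE)):
        print(f"{key[3]} -> {key[4]} pkt-id {key[5]}: DROP at {stage!r} ({detail})")
```
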

Updated: 2019-04-03

Document ID: EDOC1000179232
