HUAWEI USG6000E, USG6000, USG9500, and NGFW Module V500, V600 Troubleshooting Guide
Checking the Session Table
This section describes how to check the session table to locate faults.
You can check the session table to locate faults.
- If a session entry has been established and traffic is permitted by security policies, the possible causes of service interruptions include but are not limited to:
- Hardware faults on the outgoing interface (such as physical damage of an interface card or bad cable connections).
- Packet drop on the downstream device.
- Incorrect routing configuration.
- Incorrect packet count on the outgoing interface.
- Administratively denied packets (packets dropped due to bandwidth management and attack defense policies).
- Configuration errors.
- If no session entry is established for a service, possible causes include but are not limited to the following:
- Packets are not forwarded to the FW because of faults on an upstream device or incorrect route configuration.
- The security policy configured on the FW blocks the packets. For example, the security policy action is configured as Deny, or the source IP address is blacklisted.
- A hardware fault occurs at the incoming interface. For example, an interface card is damaged, or a network cable is not securely connected.
- Attack defense functions, except blacklist, discard packets.
- The bandwidth management function restricts the number of sessions. When the number of sessions exceeds the upper threshold, new sessions cannot be established, and packets are therefore discarded.
- Configuration errors.
- Choose .
- View information about session entries on the Session Table page.
- Click Advanced Search and select query conditions to display session entries that meet the conditions.
Condition | Description
Virtual System | Displays session entries of a specified virtual system.
Protocol | Displays session entries of a specified protocol.
Application | Displays session entries of a specified application.
Source Zone/Destination Zone | Displays session entries of a specified source or destination security zone.
Source Address/Destination Address | Displays session entries of a specified source/destination address or address range.
NAT Source Address/NAT Destination Address | Displays session entries of a specified NATed source/destination address or address range.
Source Port/Destination Port | Displays session entries of a specified source/destination port.
NAT Source Port/NAT Destination Port | Displays session entries of a specified NATed source/destination port.
Security Policy | Displays session entries that match a specified security policy.
User Name | Displays session entries of a specified user.
Time Range | Displays session entries created within a specified time range. For example, if the time range is 5 minutes, session entries created in the last 5 minutes are displayed.
NOTE: Only sessions that are currently alive can be displayed. If a session is deleted or aged soon after being created, information about this session is not displayed.
Outbound Interface | Displays session entries of a specified outbound interface.
Packets | Displays session entries whose number of forward packets, number of reverse packets, or number of two-way packets is no smaller than, smaller than, or equal to a specified value. Forward refers to the direction from the source security zone to the destination security zone in the session entry; reverse refers to the opposite direction.
NOTE: Only the USG6000 and NGFW Module support filtering based on the number of two-way packets.
- For the USG9500: If session entry filtering based on the number of forward packets or number of reverse packets is configured, the detailed information of a session entry may fail to be displayed because the entry has already aged.
- For NAT64 sessions, if you query a session based on the source/destination address or port, you can use only the address or port before NAT, not the address or port after NAT.
The session table of a specified time range is displayed as follows:
Figure 5-4 The session table of a specified time range is displayed
Click the icon in the Details column to view the details of a session entry. The following table lists the meaning of each field.
Field | Description
Creation Time | Time at which the session was created.
Protocol | Protocol type of the session.
Source Virtual System/Destination Virtual System | Source and destination virtual systems of the session.
Source Zone/Destination Zone | Source and destination security zones of the session.
Source Address/Destination Address | Source and destination IP addresses of the session.
NAT Source Address/NAT Destination Address | Source and destination NAT addresses of the session.
Source Port/Destination Port | Source and destination ports of the session.
NAT Source Port/NAT Destination Port | Source and destination NAT ports of the session.
Forward Packets/Forward Bytes | Number of packets and bytes in the forward direction of the session.
Reverse Packets/Reverse Bytes | Number of packets and bytes in the reverse direction of the session.
Outbound Interface/MAC Address | Outbound interface of the session, or MAC address of the outbound interface.
Next Hop | Next-hop IP address of the session.
Security Policy | Security policy that the session matches.
Application | Application type of the session.
User Name | User name of the session.
Session Timeout | Aging time of the session.
Time Left | Remaining lifetime of the session.
Checking the Session Table (CLI)
- Access the system view.
system-view
- Display the session table.
- display firewall session table [ verbose ] [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | application application-name | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | uniderection ] *
- display firewall session table verbose [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | application application-name | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | uniderection | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *
- display firewall session table [ verbose ] all-systems [ source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | { local | remote } ] *
- display firewall session table verbose all-systems [ source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | { local | remote } | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *
- display firewall session table [ verbose ] slb [ destination { vip start-vip-address [ to end-vip-address ] | rip start-rip-address [ to end-rip-address ] } | source start-source-address [ to end-source-address ] | destination-port { vport vport-number | rport rport-number } | source-port source-port-number | slot slot-id cpu cpu-id ] *
- display firewall session table [ verbose ] session-id session-id
In a dual-system hot backup environment, you can run the display firewall session table command with the local or remote parameter to display the session table of the local or remote device.
A session table typically contains a large number of entries. To narrow down the displayed entries and locate faults faster, the command provides multiple parameters for selecting the type of entries to display.
For NAT64 sessions, if you query a session based on the source/destination address or port, you can use only the address or port before NAT, not the address or port after NAT.
If the IP address is an IPv4 address before NAT, use the display firewall session table [ verbose ] command with one or more of the following parameters: source inside start-ip-address [ to end-ip-address ], destination global start-ip-address [ to end-ip-address ], source-port inside port-number, and destination-port global port-number.
If you do not use the verbose parameter, only abbreviated session information is displayed, as in the following example:
Current Total Sessions : NUM
  TYPE  VPN:SRCVPN --> DSTVPN  SRCIP --> DSTIP
If you use the verbose parameter, detailed session information is displayed, as in the following example:
Current Total Sessions : NUM
  TYPE  VPN:SRCVPN --> DSTVPN  ID: ID-NUMBER
  Zone: SRCZONE --> DSTZONE  Remote  TTL: TOTALTIME  Left: LEFTTIME
  Interface: OUTINTERFACE  Nexthop: IP-ADDRESS  MAC: MACADDRESS
  <-- packets:NUMBER bytes:BYTES  --> packets:NUMBER bytes:BYTES
  SRCIP --> DSTIP  PolicyName: POLICYNAME
Table 5-6 describes each parameter. The uppercase placeholders vary with the actual session.
Table 5-6 Parameters of a session entry
Parameter | Description
TYPE | Protocol type of the session. The value range is the same as that of the protocol parameter in the display firewall session table command.
VPN:SRCVPN --> DSTVPN | Source and destination VPN instances of the session.
ID: ID-NUMBER | ID number of the session.
Zone: SRCZONE --> DSTZONE | Source and destination security zones of the session.
Remote | Indicates a backed-up session:
- In a hot standby scenario, Remote indicates that the current session is a backup session, which is backed up from the peer device.
- For the USG9500, Remote indicates that the session is synchronized from the active CPU in a CPU backup scenario.
TTL: TOTALTIME | Lifetime of the session entry.
Left: LEFTTIME | Remaining lifetime of the session entry.
Interface: OUTINTERFACE | Outgoing interface.
Nexthop: IP-ADDRESS | Next-hop IP address.
MAC: MACADDRESS | Next-hop MAC address.
<-- packets:NUMBER bytes:BYTES | Reverse packets and bytes of the session.
--> packets:NUMBER bytes:BYTES | Forward packets and bytes of the session. In normal cases, the numbers of forward packets and bytes are the same as those of the reverse packets and bytes. If the numbers of forward packets and bytes are smaller than those of the reverse packets and bytes, some packets are being discarded.
SRCIP --> DSTIP | Source IP address, source port, destination IP address, and destination port of the session. The address format is x.x.x.x:portx[y.y.y.y:porty], where portx is the source port and porty the destination port. The address in the square brackets is the post-NAT IP address. If NAT is not implemented, the square brackets are empty.
PolicyName: POLICYNAME | Name of the policy that the packet matches.
TCP State | TCP connection status. This field is displayed only for TCP sessions.
- connecting: The device has received the first SYN packet, indicating that the TCP connection is being established.
- Established: The device has received an ACK packet, indicating that the TCP connection has been established.
- fin-1: The device has received the first FIN packet, indicating that the TCP connection is being torn down.
- close: The device has received the second FIN packet, indicating that the TCP connection has been torn down.
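As an added example that is not part of the guide, the following Python script parses verbose session output laid out as in Table 5-6 and flags entries whose forward packet count is below the reverse count, the discard indicator described above. The sample output, addresses, session IDs and policy names are constructed for this example, not captured from a device.

```python
import re
from dataclasses import dataclass

# Constructed sample in the verbose layout the guide describes; all values are made up.
SAMPLE = """Current Total Sessions : 2
  tcp  VPN: public --> public  ID: 1
  Zone: trust --> untrust  TTL: 00:10:00  Left: 00:09:58
  Interface: GigabitEthernet1/0/1  Nexthop: 10.1.1.2  MAC: 00-00-5e-00-53-01
  <-- packets: 8 bytes: 640  --> packets: 8 bytes: 640
  10.2.0.5:40000[203.0.113.10:2048] --> 198.51.100.7:443  PolicyName: p_out
  udp  VPN: public --> public  ID: 2
  Zone: trust --> dmz  TTL: 00:02:00  Left: 00:01:30
  Interface: GigabitEthernet1/0/2  Nexthop: 10.3.1.1  MAC: 00-00-5e-00-53-02
  <-- packets: 12 bytes: 1200  --> packets: 4 bytes: 400
  10.2.0.9:5000[] --> 10.3.1.20:53  PolicyName: p_dns
"""

@dataclass
class Session:
    proto: str
    sid: str
    rev_packets: int   # "<-- packets": reverse direction
    fwd_packets: int   # "--> packets": forward direction
    src: str           # pre-NAT source ip:port
    nat_src: str       # post-NAT ip:port from the square brackets; "" when no NAT
    dst: str
    policy: str

_HEAD = re.compile(r"^\s*(\S+)\s+VPN:\s*\S+\s*-->\s*\S+\s+ID:\s*(\S+)")
_CNT = re.compile(r"<--\s*packets:\s*(\d+)\s+bytes:\s*\d+\s+-->\s*packets:\s*(\d+)")
_ADDR = re.compile(r"(\d+\.\d+\.\d+\.\d+:\d+)(?:\[([^\]]*)\])?\s*-->\s*"
                   r"(\d+\.\d+\.\d+\.\d+:\d+)\s+PolicyName:\s*(\S+)")

def parse_sessions(text: str) -> list[Session]:
    out = []
    for block in re.split(r"\n(?=\s*\S+\s+VPN:)", text):  # each entry starts at a "TYPE VPN:" line
        head, cnt, addr = _HEAD.match(block), _CNT.search(block), _ADDR.search(block)
        if not (head and cnt and addr):
            continue  # header line or a truncated entry: skip rather than guess
        out.append(Session(head.group(1), head.group(2), int(cnt.group(1)), int(cnt.group(2)),
                           addr.group(1), addr.group(2) or "", addr.group(3), addr.group(4)))
    return out

def suspect_drops(sessions: list[Session]) -> list[str]:
    # Per the guide: forward counters below the reverse counters mean packets are being discarded.
    return [s.sid for s in sessions if s.fwd_packets < s.rev_packets]
```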
- Display the IPv6 session table.
- display firewall ipv6 session table [ verbose ] [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source start-ipv6-address [ to end-ipv6-address ] | destination start-ipv6-address [ to end-ipv6-address ] | application application-type | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port port-number | destination-port port-number | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | slot slot-id cpu cpu-id ] *
- display firewall ipv6 session table verbose [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source start-ipv6-address [ to end-ipv6-address ] | destination start-ipv6-address [ to end-ipv6-address ] | application application-type | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port port-number | destination-port port-number | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | slot slot-id cpu cpu-id | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *
- display firewall ipv6 session table [ verbose ] all-systems [ source start-ipv6-address [ to end-ipv6-address ] | destination start-ipv6-address [ to end-ipv6-address ] | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port port-number | destination-port port-number | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | { local | remote } | slot slot-id cpu cpu-id ] *
- display firewall ipv6 session table verbose all-systems [ source start-ipv6-address [ to end-ipv6-address ] | destination start-ipv6-address [ to end-ipv6-address ] | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port port-number | destination-port port-number | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | { local | remote } | slot slot-id cpu cpu-id | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *
- display firewall ipv6 session table [ verbose ] session-id session-id
For NAT64 sessions, if you query a session based on the source/destination address or port, you can use only the address or port before NAT, not the address or port after NAT.
If the IP address is an IPv4 address before NAT, use the display firewall session table [ verbose ] command with one or more of the following parameters: source inside start-ip-address [ to end-ip-address ], destination global start-ip-address [ to end-ip-address ], source-port inside port-number, and destination-port global port-number.
- Configure the device to send session details to a specified FTP server (such as a PC).
export firewall session table ftp-server server-address username password file-name
All models except USG6635E/6655E, USG6680E, USG6712E/6716E and USG9500 support this command.
The FTP server must use the default port number 21. Otherwise, session messages fail to be sent.