HiSecEngine USG12000 Series Quick Maintenance Guide

This document provides guidance for quickly maintaining the USG12000. It describes how to check the operating status of the system and how to diagnose common system faults.

CLI: Checking the Session Table

The session table is key to packet forwarding. If a service fault occurs, for example, traffic fails to be forwarded or is interrupted intermittently, you can run commands to query the session table to locate the module or phase where the fault occurs.

  • If a correct session entry has been created for the service and the service can be forwarded according to the security policy, but the service is still interrupted, the possible causes are as follows:
    • A hardware fault occurs on the outbound interface. For example, the interface card is damaged or the network cable is in poor contact.
    • The downstream device drops service packets.
    • The route configuration is incorrect. (To display the outbound interface and next hop, run the display firewall session table verbose command.)
    • The packet count on the outbound interface is incorrect. (To display traffic statistics, run the display interface command.)
    • Packets are lost due to the execution of some service-layer functions, such as bandwidth management and attack defense.
    • Other configuration issues exist.
  • If no session entry is created for the service, the possible causes are as follows:
    • Packets are not forwarded to the device due to faults on the upstream device or incorrect route configuration.
    • The security policy configured on the device does not permit service packets. For example, the action of the security policy is set to deny, or the source IP address of the service is added to the blacklist.
    • A hardware fault occurs on the inbound interface. For example, the interface card is damaged or the network cable is in poor contact.
    • Attack defense functions including the blacklist function cause packet loss.
    • Bandwidth management may limit the number of sessions. If the number of sessions exceeds the set threshold, new sessions cannot be established and packets are discarded.
    • Other configuration issues exist.

To view the session table using the CLI, run the following commands. Only some common commands are listed here; for the complete command format, see the command reference.

  • Check the session table.
    display firewall session table
  • Check session table details.
    display firewall session table verbose
  • Check session entries of the specified virtual system.
    display firewall session table vsys vsys-name
  • Check information about unidirectional session entries.
    display firewall session table verbose unidirection
  • Check the IPv6 session table.
    display firewall ipv6 session table

  • A session table typically contains a large number of entries. To narrow down the displayed entries and locate faults faster, the command provides multiple parameters (such as address and port) for selecting the type of entries to be displayed.
  • For NAT64 sessions, if you query a session by source/destination address or port, you can use only the pre-NAT address or port, not the post-NAT address or port.
  • If the pre-NAT IP address is an IPv4 address, run the display firewall session table [ verbose ] command with one or more of the following parameters specified:
    • source inside start-ip-address [ to end-ip-address ]
    • destination global start-ip-address [ to end-ip-address ]
    • source-port inside port-number
    • destination-port global port-number

If you do not use verbose, only brief session information is displayed, in the following format:
 Current Total Sessions : NUM
  TYPE  VPN:SRCVPN --> DSTVPN SRCIP --> DSTIP

If you use verbose, detailed session information is displayed, in the following format:
 Current Total Sessions : NUM
  TYPE  VPN:SRCVPN --> DSTVPN  ID: ID-NUMBER
  Zone: SRCZONE--> DSTZONE  Remote  TTL: TOTALTIME  Left: LEFTTIME
  Recv Interface:  RECVINTERFACE  Rev Slot: SLOTID  CPU: CPUID
  Interface: OUTINTERFACE  Nexthop: IP-ADDRESS
  <-- packets:NUMBER bytes:BYTES   --> packets:NUMBER bytes:BYTES
  SRCIP --> DSTIP PolicyName: POLICYNAME
  TCP State: TCP State

Table 3-8 describes the meaning of each parameter. The uppercase placeholders (NUM, SRCIP, DSTIP, and so on) vary based on the actual session.

Table 3-8 Session entry parameters

  • Current Total Sessions: Number of current session entries. If existing connections work normally but new connections fail to be established, check whether the current number of session entries has reached the upper limit. If so, shorten the aging time of session entries to resolve this problem.
  • TYPE: Protocol type of the session. The value range of this parameter is the same as that of the protocol parameter in the display firewall session table command.
  • VPN:SRCVPN --> DSTVPN: Source and destination VPN instances of the session.
  • ID: ID of the session.
  • Zone: SRCZONE--> DSTZONE: Source and destination security zones of the session.
  • Remote: In a hot standby scenario, Remote indicates that the current session is a backup session, which is backed up from the peer device.
  • TTL: Lifetime of the session entry.
  • Left: Remaining lifetime of the session entry.
  • Recv Interface: Inbound interface ID of forward packets.
  • Rev Slot: SLOTID CPU: CPUID: Slot ID and CPU ID of the reverse session.
  • Interface: Outbound interface ID of packets.
  • Nexthop: Next-hop IP address.
  • <-- packets:NUMBER bytes:BYTES: Reverse packets and bytes of the session. <== indicates that hardware-based fast forwarding is implemented for the reverse packets of the session, and <-- indicates that it is not.
  • --> packets:NUMBER bytes:BYTES: Forward packets and bytes of the session. In normal cases, the number of forward packets and bytes should be the same as that of the reverse packets and bytes. If the number of forward packets and bytes is smaller than that of the reverse packets and bytes, some packets are discarded. ==> indicates that hardware-based fast forwarding is implemented for the forward packets of the session, and --> indicates that it is not.
  • SRCIP --> DSTIP: Source IP address, source port, destination IP address, and destination port of the session. The address format is x.x.x.x:portx[x.y.y.y:porty]-->z.z.z.z:portz, where portx is the source port and portz is the destination port. The address in the square brackets is the post-NAT IP address and port. If NAT is not implemented, the square brackets are not displayed.
  • PolicyName: Name of the security policy that the packets match.
  • TCP State: TCP connection status. This field is displayed only for TCP sessions.
    • connecting: The device has received the first SYN packet, indicating that the TCP connection is being established.
    • established: The device has received an ACK packet, indicating that the TCP connection has been established.
    • fin-1: The device has received the first FIN packet, indicating that the TCP connection is being torn down.
    • close: The device has received the second FIN packet, indicating that the TCP connection has been torn down.
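As an added example (not part of this guide and not Huawei code), the following Python parses a constructed sample of verbose session output in the Table 3-8 layout, extracts the post-NAT address from the square brackets, the matched policy, the fast-forwarding markers and the TCP state, and flags entries whose forward counters trail the reverse counters. Field names, session IDs and counter values are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
# Constructed sample of `display firewall session table verbose` output in the Table 3-8 layout
SAMPLE_OUTPUT = """\
 Current Total Sessions : 2
  tcp  VPN:public --> public  ID: c0a80001
  Zone: trust--> untrust  TTL: 00:20:00  Left: 00:19:55
  <-- packets:120 bytes:98000   --> packets:120 bytes:64000
  192.0.2.10:51234[203.0.113.5:2048]-->198.51.100.7:443 PolicyName: allow_web
  TCP State: established
  udp  VPN:public --> public  ID: c0a80002
  Zone: trust--> untrust  Remote  TTL: 00:02:00  Left: 00:01:10
  <== packets:40 bytes:5200   ==> packets:25 bytes:3100
  192.0.2.11:5353-->198.51.100.53:53 PolicyName: allow_dns
"""
HEADER = re.compile(r"^\s*(\S+)\s+VPN:\S+ --> \S+\s+ID: (\S+)")
COUNTS = re.compile(r"(<--|<==) packets:(\d+) bytes:\d+\s+(-->|==>) packets:(\d+)")
ADDR = re.compile(r"\S+?:\d+(?:\[(\S+?:\d+)\])?-->\S+?:\d+\s+PolicyName:\s*(\S+)")

@dataclass
class Session:
    proto: str
    sid: str
    fwd_pkts: int = 0
    rev_pkts: int = 0
    fast_fwd: bool = False  # "==>" and "<==" mean hardware fast forwarding
    nat_src: str = ""       # post-NAT address from the square brackets, if any
    policy: str = ""
    tcp_state: str = ""     # only present for TCP sessions

def parse_sessions(text: str) -> list:
    sessions = []
    for line in text.splitlines():
        if m := HEADER.match(line):        # "TYPE VPN:... ID:" starts a new entry
            sessions.append(Session(proto=m.group(1), sid=m.group(2)))
        elif not sessions:
            continue                       # skip the "Current Total Sessions" line
        elif m := COUNTS.search(line):
            s = sessions[-1]
            s.rev_pkts, s.fwd_pkts = int(m.group(2)), int(m.group(4))
            s.fast_fwd = (m.group(1), m.group(3)) == ("<==", "==>")
        elif m := ADDR.search(line):
            sessions[-1].nat_src, sessions[-1].policy = m.group(1) or "", m.group(2)
        elif line.lstrip().startswith("TCP State:"):
            sessions[-1].tcp_state = line.split(":", 1)[1].strip()
    return sessions

def suspected_loss(sessions) -> list:
    # Table 3-8: forward counters below reverse counters mean packets were discarded
    return [s.sid for s in sessions if s.fwd_pkts < s.rev_pkts]
```

Running parse_sessions on output captured from the device gives the same per-entry fields, so the drop check can be repeated across several captures to see whether the gap grows.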
Update Date: 2025-08-15
Document ID: EDOC1100343522