Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
amorales
New Contributor II

Trying to have a better understanding of #diagnose sys session list output

Hello,

 

I am currently trying to troubleshoot an issue where an external client cannot connect to an internal server. I have followed this documentation guide but I do not understand 100% of the output of the #diagnose sys session list command:

 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD30042

 

 

FW (FW_VDOM_1) # diagnose sys session list

session info: proto=6 proto_state=01 duration=83 expire=3576 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=1 policy_dir=0 tunnel=/ vlan_cos=0/7 state=log may_dirty f00 statistic(bytes/packets/allow_err): org=3969/32/1 reply=16481/45/1 tuples=2 tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 1/0 orgin->sink: org pre->post, reply pre->post dev=37->41/41->37 gwy=172.16.40.19/0.0.0.0 hook=pre dir=org act=dnat 81.63.141.211:53466->191.2.16.148:443(172.16.40.19:443) hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:53466(191.2.16.148:443) pos/(before,after) 0/(0,0), 0/(0,0) dst_mac=01:52:16:71:a9:bb misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2 serial=01e45821 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000001 no_offload no_ofld_reason: disabled-by-policy

session info: proto=6 proto_state=01 duration=49 expire=3600 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=1 policy_dir=0 tunnel=/ vlan_cos=0/7 state=log may_dirty f00 statistic(bytes/packets/allow_err): org=362913/9006/1 reply=19642544/17980/1 tuples=2 tx speed(Bps/kbps): 7400/59 rx speed(Bps/kbps): 400541/3204 orgin->sink: org pre->post, reply pre->post dev=37->41/41->37 gwy=172.16.40.19/0.0.0.0 hook=pre dir=org act=dnat 81.63.141.211:15327->191.2.16.148:443(172.16.40.19:443) hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:15327(191.2.16.148:443) pos/(before,after) 0/(0,0), 0/(0,0) dst_mac=01:52:16:71:a9:bb misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2 serial=01e81f2b tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000001 no_offload no_ofld_reason: disabled-by-policy

session info: proto=6 proto_state=01 duration=49 expire=3600 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=1 policy_dir=0 tunnel=/ vlan_cos=0/7 state=log dirty may_dirty f00 statistic(bytes/packets/allow_err): org=200472/939/1 reply=41068/921/1 tuples=2 tx speed(Bps/kbps): 4061/32 rx speed(Bps/kbps): 832/6 orgin->sink: org pre->post, reply pre->post dev=37->0/0->37 gwy=0.0.0.0/192.168.12.5 hook=pre dir=org act=dnat 81.63.141.211:49266->191.2.16.148:443(172.16.40.19:443) hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:49266(191.2.16.148:443) pos/(before,after) 0/(0,0), 0/(0,0) dst_mac=01:52:16:71:a9:bb misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2 serial=01e81f12 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000001 no_offload no_ofld_reason: dirty disabled-by-policy

session info: proto=6 proto_state=01 duration=84 expire=3576 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=1 policy_dir=0 tunnel=/ vlan_cos=0/7 state=log dirty may_dirty f00 statistic(bytes/packets/allow_err): org=12952/56/1 reply=6388/54/1 tuples=2 tx speed(Bps/kbps): 153/1 rx speed(Bps/kbps): 75/0 orgin->sink: org pre->post, reply pre->post dev=37->0/0->37 gwy=0.0.0.0/192.168.12.5 hook=pre dir=org act=dnat 81.63.141.211:15299->191.2.16.148:443(172.16.40.19:443) hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:15299(191.2.16.148:443) pos/(before,after) 0/(0,0), 0/(0,0) dst_mac=01:52:16:71:a9:bb misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2 serial=01e8184c tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000001 no_offload no_ofld_reason: dirty disabled-by-policy
total session 4


My questions:

 

1- What is the difference between proto_state=01 and proto_state=11? I understand that the first digit (0) belongs to the original direction and the second (1) to the reply direction, but why do I sometimes see 01 and other times 11?

2- proto_state=01 means NONE/ESTABLISHED according to the proto_state table, but I am connected to the internal server and using a netstat command I cannot see any established connection. So why is the Fortinet saying that there is an established connection? I am using the FW in proxy mode; is the session maybe established between the client and the Forti? If that is the case, how could I see if the session between the Forti and the server is established too?

 

Thank you very much.

 

Best regards.
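The session entries above are easier to reason about once they are split into fields. The script below is an added example, not code from the post or from Fortinet: it parses `diagnose sys session list` entries, labels each proto_state digit from the TCP/UDP state tables in Fortinet's session troubleshooting docs (the table the question refers to), decodes the DNAT/SNAT tuples, and flags what a practitioner checks first in a "client cannot connect" case: a TCP session whose second digit is SYN_SENT with zero reply packets, a session marked `dirty`, and an original-direction egress of `dev=...->0` with `gwy=0.0.0.0` as in two of the posted entries. It labels the digits only and takes no position on what the left digit means in proxy versus flow mode. The embedded sample is constructed: entries 1 and 3 from the post trimmed to the fields read here, plus a made-up half-open session (serial 00c0ffee) that is not in the post.

```python
import re
from dataclasses import dataclass

# TCP proto_state digit values from Fortinet's session troubleshooting docs
# (the table the question refers to); UDP only records whether a reply was seen.
TCP_STATES = {
    "0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_SYNACK",
    "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
    "8": "LAST_ACK", "9": "LISTEN",
}
UDP_STATES = {"0": "UNSEEN_REPLY", "1": "SEEN_REPLY"}

# Constructed sample: entries 1 and 3 from the post, trimmed to the fields read
# below, plus a made-up half-open session (serial 00c0ffee) standing in for a
# client whose SYN is forwarded but never answered.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=83 expire=3576 timeout=3600 state=log may_dirty f00 statistic(bytes/packets/allow_err): org=3969/32/1 reply=16481/45/1 tuples=2 dev=37->41/41->37 gwy=172.16.40.19/0.0.0.0 hook=pre dir=org act=dnat 81.63.141.211:53466->191.2.16.148:443(172.16.40.19:443) hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:53466(191.2.16.148:443) policy_id=7 vd=2 serial=01e45821 npu_state=0x000001 no_offload no_ofld_reason: disabled-by-policy
session info: proto=6 proto_state=01 duration=49 expire=3600 timeout=3600 state=log dirty may_dirty f00 statistic(bytes/packets/allow_err): org=200472/939/1 reply=41068/921/1 tuples=2 dev=37->0/0->37 gwy=0.0.0.0/192.168.12.5 hook=pre dir=org act=dnat 81.63.141.211:49266->191.2.16.148:443(172.16.40.19:443) hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:49266(191.2.16.148:443) policy_id=7 vd=2 serial=01e81f12 npu_state=0x000001 no_offload no_ofld_reason: dirty disabled-by-policy
session info: proto=6 proto_state=02 duration=4 expire=6 timeout=10 state=may_dirty statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2 dev=37->41/41->37 gwy=172.16.40.19/0.0.0.0 hook=pre dir=org act=dnat 81.63.141.211:50001->191.2.16.148:443(172.16.40.19:443) hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:50001(191.2.16.148:443) policy_id=7 vd=2 serial=00c0ffee npu_state=0x000001 no_offload no_ofld_reason: disabled-by-policy
total session 3
"""

# hook=pre dir=org act=dnat SRC->DST(TRANSLATED); the (...) part is absent for act=noop.
NAT_RE = re.compile(
    r"hook=(\w+) dir=(\w+) act=(\w+) ([\d.]+:\d+)->([\d.]+:\d+)(?:\(([\d.]+:\d+)\))?")


@dataclass
class Session:
    serial: str
    proto: int
    proto_state: str
    duration: int
    expire: int
    timeout: int
    state_flags: list
    org_packets: int
    reply_packets: int
    dev: str
    gwy: str
    nat: list
    policy_id: int
    no_ofld_reason: str

    def decode_proto_state(self):
        """Label the left and right proto_state digits from the per-protocol table."""
        table = {6: TCP_STATES, 17: UDP_STATES}.get(self.proto, {})
        left, right = self.proto_state[0], self.proto_state[1]
        return table.get(left, left), table.get(right, right)

    def is_dirty(self):
        return "dirty" in self.state_flags

    def egress_unresolved(self):
        # dev=37->0 and gwy=0.0.0.0/... : the original direction currently has no
        # outgoing interface/next hop recorded (what the dirty entries in the post show).
        org_devs = self.dev.split("/")[0].split("->")
        org_out = org_devs[1] if len(org_devs) > 1 else ""
        return org_out == "0" or self.gwy.split("/")[0] == "0.0.0.0"


def _field(text, key, default=""):
    m = re.search(rf"\b{key}=(\S+)", text)
    return m.group(1) if m else default


def total_sessions(text):
    m = re.search(r"total session (\d+)", text)
    return int(m.group(1)) if m else None


def parse_session_list(text):
    """Split 'diagnose sys session list' output into Session objects."""
    sessions = []
    for chunk in re.sub(r"total session \d+", "", text).split("session info:")[1:]:
        stats = re.search(r"org=\d+/(\d+)/\d+ reply=\d+/(\d+)/\d+", chunk)
        state = re.search(r"\bstate=(.*?) statistic\(", chunk)  # \b skips proto_state=
        reason = re.search(r"no_ofld_reason: (.*)", chunk)
        sessions.append(Session(
            serial=_field(chunk, "serial"),
            proto=int(_field(chunk, "proto", "0")),
            proto_state=_field(chunk, "proto_state", "00"),
            duration=int(_field(chunk, "duration", "0")),
            expire=int(_field(chunk, "expire", "0")),
            timeout=int(_field(chunk, "timeout", "0")),
            state_flags=state.group(1).split() if state else [],
            org_packets=int(stats.group(1)) if stats else 0,
            reply_packets=int(stats.group(2)) if stats else 0,
            dev=_field(chunk, "dev"),
            gwy=_field(chunk, "gwy"),
            nat=NAT_RE.findall(chunk),
            policy_id=int(_field(chunk, "policy_id", "0")),
            no_ofld_reason=reason.group(1).strip() if reason else "",
        ))
    return sessions


def triage(s):
    """Findings for one session, in the order a troubleshooter would check them."""
    left, right = s.decode_proto_state()
    out = [f"serial={s.serial} policy={s.policy_id} proto_state={s.proto_state} "
           f"({left}/{right}) org_pkts={s.org_packets} reply_pkts={s.reply_packets} "
           f"expire={s.expire}/{s.timeout}"]
    if s.proto == 6 and right == "SYN_SENT" and s.reply_packets == 0:
        out.append("handshake incomplete: SYN forwarded, no SYN/ACK returned through "
                   "the FortiGate (check VIP mapping, server listener, return route)")
    elif s.proto == 6 and right == "ESTABLISHED" and s.reply_packets > 0:
        out.append("replies seen: the server-side leg is answering")
    if s.is_dirty():
        out.append("dirty: session is re-evaluated against policy/route on its next packet")
    if s.egress_unresolved():
        out.append("org-direction egress dev=0 / gwy=0.0.0.0: outgoing interface not resolved")
    for _hook, direction, act, src, dst, translated in s.nat:
        if act in ("dnat", "snat"):
            out.append(f"{direction}: {act} {src}->{dst} as {translated}")
    return out


if __name__ == "__main__":
    for sess in parse_session_list(SAMPLE):
        print("\n".join(triage(sess)), end="\n\n")
    print("total session", total_sessions(SAMPLE))
```

Feed it the real output with `python3 session_triage.py < session.txt` after swapping `SAMPLE` for `sys.stdin.read()`; the point of the half-open entry is that a client that "cannot connect" usually leaves a `proto_state=02` session with `reply=0/0/0`, which is the case to look for rather than the established ones shown in the post.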

3 REPLIES
Toshi_Esumi
SuperUser

As in the KB, the first digit is for the original direction and the second is for the reply. So "01" means the initiator side didn't see proper replies completed while the responder side saw all and accepted. There might be some packet loss somewhere between the FGT and the initiator in the direction responder->initiator.

In those cases, continuous/large-size packet pinging would reveal the cause.

 

pmandava_FTNT

Hi amorales,

 

1- What is the difference between proto_state=01 and proto_state=11? I understand that the first digit (0) belongs to the original direction and the second (1) to the reply direction, but why do I sometimes see 01 and other times 11?

 

01 - session established for non-proxy traffic

11 - client-side session established (pc->fgt), and server-side session established (fgt->server)

 

The first digit will always be 0 for non-proxy traffic. It will only change when the traffic is being proxied, and then denotes the client-side session state.

2- proto_state=01 means NONE/ESTABLISHED according to the proto_state table, but I am connected to the internal server and using a netstat command I cannot see any established connection. So why is the Fortinet saying that there is an established connection? I am using the FW in proxy mode; is the session maybe established between the client and the Forti? If that is the case, how could I see if the session between the Forti and the server is established too?

 

Since you are running in proxy mode, the connections on your PC will show only sessions to the FGT, not the destination server. If you want to see the state of the session between the FGT and the server, the proto_state is a good place. You can also test connectivity from your PC to the server.

 

I hope that helps, and let us know if you need more info.

 

-prithvi

Mat17

The first digit is about security inspection. It is not related only to proxy sessions. 
