Multi-core firewall: basic debug usage
Quick reference

debug dp basic            show the ingress/egress zone, IP addresses and next hop of traffic
debug dp route            show detailed routing debug information

DHCP troubleshooting
  debug dhcp server
  debug dhcp

IPsec troubleshooting
  show isakmp peer
  show isakmp sa
  show tunnel ipsec auto
  show ipsec sa
  debug vpn ike                            show the IPsec (IKE) negotiation process
  debug dp basic | debug dp ipsec packet   show packet encryption/decryption

Authentication, SNMP and LDAP troubleshooting
  debug aaa
  debug webauth
  debug snmpd

HA troubleshooting
  show ha xxx
  debug ha
  show session generic    check session synchronization state; run it on both devices at the same time and compare the output.

How the firewall processes Layer 3 packets
  See the user manual for details.
Basic debug operations

1. Enable a debug function:
   DCFW-1800# debug xxx
   DCFW-1800[DBG]#
2. Enable basic data-plane debug output:
   DCFW-1800# debug dp basic
3. Enable data-plane debug output for dropped packets:
   DCFW-1800# debug dp drop
4. Set a data-plane (DP) debug filter. On a busy device set the filter before enabling debug dp basic, so that only the flow under investigation is logged:
   DCFW-1800# debug dp filter ?
     application   Application
     core          Core
     dst-ip        Destination IP address
     dst-port      Destination Port
     ingress       Ingress
     ipv4          Ipv4
     ipv6          Ipv6
     l2-type       Layer 2 type
     proto         Protocol
     src-ip        Source IP
     src-port      Source Port
     vid           VID
     vrouter       Vrouter name
5. Disable debug output:
   DCFW-1800[DBG]# undebug all    (or press ESC twice)
   undebug takes effect with some delay: the buffered debug messages must be written out first, and the device leaves debug mode only once that is done.
6. Show which debug functions are enabled:
   DCFW-1800[DBG]# show debug
   dp:
     basic, enabled
     http, enabled
     interface, enabled
7. Show the configured debug filters:
   show dp-filter
8. Delete a debug filter:
   undebug dp filter id X
9. Show the captured debug messages:
   show logging debug
10. Clear the captured debug messages:
   clear logging debug
Debug packet information

Example 1: processing of a packet when no session exists
This example was captured with debug dp basic and shows how an SSL VPN dial-in packet is processed: the outer tunnel packet is decapsulated twice and the inner packet is then handled as a new session. An ordinary (non-tunnel) packet goes through no decapsulation step.
   2015-07-09 15:45:39, DEBUG@FLOW: core0 (sys up 0x398ed3070 ms): Receive work 0x8000000412094780 pak len 138, grp 0, qos 0, tag 16773765
   msw_dsa_tag_decap_forward: Received packet with tag 0 cos 0 from interface ethernet0/3
   [eth_hwif_decap] set next_proc to rx_handle_prepare.
   rx_handle_prepare: 30e4.db91.43bf -> 0003.0f17.0303, size 134, type 0x800, vid 0, port ethernet0/3
   dp_prepare_if_for_pak
   Switch id is 11 (interface ethernet0/3) port ethernet0/3
   Switch id is 11 (interface ethernet0/3) port ethernet0/3, pak iif=ethernet0/3
   rx_handle_prepare i_if is ethernet0/3
   rx_handle_prepare calling dp_sanity ethernet0/3
   Start l3 forward

   // first decapsulation of the encapsulated packet
   ------------------------------------------------------------
   Packet: 10.1.144.53 -> 10.1.145.242, id: 1022, ip size 120, prot: 17(UDP): 63188 -> 4433
   ad_vector_for_fast_flow: zone name er, proto_flag[1] 0, proto 17
   dp_prepare_pak_lookup src ip: 10.1.144.53, dst ip: 10.1.145.242, prot 17
   Found the session 83773
   session: id 83773, prot 17, flag 020, flag1 0, created 15449574, life 65535
   flow0 (ifid: 11 flowid: 167546 flag: 200950): 10.1.144.53:63188 -> 10.1.145.242:
   flow1 (ifid: 0 flowid: 167547 flag: 1): 0.0.0.0:32768 -> 8.76.143.152:4
   Packet belongs to tunnel, need decap.
   Finish decap

   // second decapsulation of the encapsulated packet
   1022, ip size 112, prot: 50
   10.1.145.242, prot 50
   Found the session 82318
   id 82318, prot 50, flag 020, flag1 0, created 15449574, life 65535
   164636 flag: 351
   22617
   164637 flag:
   8.76.176.184:

   // processing of the inner packet
   172.16.2.176 -> 183.61.224.110, id: 60926, ip size 60, prot: 6(TCP): 28672 -> 80
   172.16.2.176, dst ip: 183.61.224.110, prot 6
   No session found, try to create session
   dp_first_crt_sess_init_flow0_from_pak_iif: set cpu id 0
   ----------------- First path creating new session -----------------
   dp_sess_sm_transtion: Do session state machine transtion, state: 0, event: 0!
   allocate pending session and install flow0
   match app static signature id 2 (#1) app TCP-ANY
   Identified as app TCP-ANY (prot=6). timeout 1800.
   -------- VR: trust-vr start --------
   172.16.2.176:28672 -> 183.61.224.110:80
   No DNAT matches, skip DNAT
   Get nexthop if_id: 9, flags: 0, nexthop: 2.2.2.1
   Found the reverse route for force or prefer revs-route setting
   Matched source NAT: snat rule id: 6
   source port 28672 -> port 28672
   -------- VR: trust-vr end --------
   Start policy lookup.
   Pak src zone scvpn2, dst zone untrust, prot 6, dst-port 80.
   Policy 2 matches, ===PERMIT===
   crt_sess->flow0_io_cpuid 0
   flow0 src 172.16.2.176 --> dst 183.61.224.110 with nexthop 2.2.2.1 ifindex 9
   flow1 tunnel, id=300
   flow1 src 183.61.224.110 --> dst 2.2.2.2 nexthop not lookup or invalid
   flow0's nexthop: 172.16.2.176 flow1'
   revs_rres
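With the whitespace restored the trace above is readable, but on a loaded device debug dp basic produces thousands of such lines and the interesting facts (which session a packet hit, whether it was a tunnel packet that needed decapsulation, and for a new session the identified application, next hop, SNAT rule, zone pair and the policy verdict) are scattered across them. The script below is an added example; it is not part of this document or of the DCFW-1800 software. Its regular expressions follow the line formats visible in the trace above. SAMPLE_TRACE is a constructed input that restores spaces to the page's own lines and is not a new capture; the per-line "DEBUG@FLOW" header is treated as optional so that lines pasted without it also parse.

```python
"""Parse 'debug dp basic' traces into per-packet decisions.

Added example, not from the original document or the firewall vendor.
SAMPLE_TRACE is constructed: it restores whitespace to the lines shown on
the page; it is not a new capture.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_TRACE = """\
2015-07-09 15:45:39, DEBUG@FLOW: core0 (sys up 0x398ed3070 ms): Start l3 forward
2015-07-09 15:45:39, DEBUG@FLOW: core0 (sys up 0x398ed3070 ms): Packet: 10.1.144.53 -> 10.1.145.242, id: 1022, ip size 120, prot: 17(UDP): 63188 -> 4433
2015-07-09 15:45:39, DEBUG@FLOW: core0 (sys up 0x398ed3070 ms): Found the session 83773
2015-07-09 15:45:39, DEBUG@FLOW: core0 (sys up 0x398ed3070 ms): Packet belongs to tunnel, need decap.
Packet: 172.16.2.176 -> 183.61.224.110, id: 60926, ip size 60, prot: 6(TCP): 28672 -> 80
No session found, try to create session
Identified as app TCP-ANY (prot=6). timeout 1800.
Get nexthop if_id: 9, flags: 0, nexthop: 2.2.2.1
Matched source NAT: snat rule id: 6
Pak src zone scvpn2, dst zone untrust, prot 6, dst-port 80.
Policy 2 matches, ===PERMIT===
"""

# Logger prefix on each line; optional so lines copied without it still parse.
HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}, DEBUG@FLOW: "
                       r"core\d+ \(sys up 0x[0-9a-f]+ ms\): ")
PACKET_RE = re.compile(r"^Packet: (\S+) -> (\S+), id: \d+, ip size \d+, "
                       r"prot: (\d+)\((\w+)\): (\d+) -> (\d+)")
SESSION_RE = re.compile(r"^Found the session (\d+)")
APP_RE = re.compile(r"^Identified as app (\S+) \(prot=\d+\)\. timeout (\d+)\.")
NEXTHOP_RE = re.compile(r"^Get nexthop if_id: (\d+), flags: \d+, nexthop: (\S+)")
SNAT_RE = re.compile(r"^Matched source NAT: snat rule id: (\d+)")
ZONE_RE = re.compile(r"^Pak src zone (\S+), dst zone (\S+), prot \d+, dst-port \d+\.")
POLICY_RE = re.compile(r"^Policy (\d+) matches, ===(\w+)===")


@dataclass
class PacketDecision:
    src: str
    dst: str
    proto: int
    proto_name: str
    sport: int
    dport: int
    session_id: Optional[int] = None  # existing session hit ("Found the session")
    new_session: bool = False         # "No session found, try to create session"
    decap: bool = False               # tunnel packet; the inner packet follows
    app: Optional[str] = None
    egress_ifid: Optional[int] = None
    nexthop: Optional[str] = None
    snat_rule: Optional[int] = None
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    policy_id: Optional[int] = None
    action: Optional[str] = None      # verdict printed between === ===


def parse_trace(text: str) -> List[PacketDecision]:
    """One record per 'Packet:' line; the lines that follow fill it in."""
    records: List[PacketDecision] = []
    cur: Optional[PacketDecision] = None
    for raw in text.splitlines():
        line = HEADER_RE.sub("", raw.strip())
        if (m := PACKET_RE.match(line)):
            src, dst, proto, pname, sport, dport = m.groups()
            cur = PacketDecision(src, dst, int(proto), pname, int(sport), int(dport))
            records.append(cur)
        elif cur is None:
            continue  # preamble (Receive work, rx_handle_prepare, ...) before the first packet
        elif (m := SESSION_RE.match(line)):
            cur.session_id = int(m.group(1))
        elif line.startswith("No session found"):
            cur.new_session = True
        elif line.startswith("Packet belongs to tunnel"):
            cur.decap = True
        elif (m := APP_RE.match(line)):
            cur.app = m.group(1)
        elif (m := NEXTHOP_RE.match(line)):
            cur.egress_ifid, cur.nexthop = int(m.group(1)), m.group(2)
        elif (m := SNAT_RE.match(line)):
            cur.snat_rule = int(m.group(1))
        elif (m := ZONE_RE.match(line)):
            cur.src_zone, cur.dst_zone = m.group(1), m.group(2)
        elif (m := POLICY_RE.match(line)):
            cur.policy_id, cur.action = int(m.group(1)), m.group(2)
    return records


def summarize(rec: PacketDecision) -> str:
    """One-line verdict per packet, handy for grepping a long trace."""
    flow = f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} {rec.proto_name}"
    if rec.session_id is not None:
        tail = f"existing session {rec.session_id}" + (" (tunnel, decap)" if rec.decap else "")
    elif rec.new_session:
        tail = (f"new session app={rec.app} zone {rec.src_zone}->{rec.dst_zone} "
                f"nexthop={rec.nexthop} via if {rec.egress_ifid} snat_rule={rec.snat_rule} "
                f"policy={rec.policy_id} {rec.action}")
    else:
        tail = "no session decision in trace"
    return f"{flow}: {tail}"


if __name__ == "__main__":
    for rec in parse_trace(SAMPLE_TRACE):
        print(summarize(rec))
```

Paste the output of show logging debug into a file and feed it to parse_trace; each "Packet:" line opens a new record, so the two decapsulation stages and the inner packet of Example 1 come out as separate records, and a record whose action is not PERMIT, or that never reaches a policy line, is the packet to look at with debug dp drop.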