Verifying Session Establishment On Internet Traffic

Purpose

Verify that, in this example configuration, sessions are established when traffic is transmitted to the Internet.

Action

To verify that traffic to the Internet is using flow-based forwarding and that sessions are established, perform the following tasks:

  1. On device R1, enter the operational mode command clear security flow session all in the CLI to clear all existing security flow sessions.
  2. On device R0, enter the operational mode command ping in the CLI to transmit traffic to device R2.
  3. On device R1, with traffic transmitting from R0 to R2 through R1, enter the operational mode command show security flow session in the CLI.

Note: To verify established sessions, make sure to enter the show security flow session command while the ping command is sending and receiving packets.

Sample Output


user@R0> ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2): 56 data bytes
64 bytes from 1.1.1.2: icmp_seq=0 ttl=63 time=2.326 ms
64 bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=2.569 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=2.565 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=63 time=2.563 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=63 time=2.306 ms
64 bytes from 1.1.1.2: icmp_seq=5 ttl=63 time=2.560 ms
64 bytes from 1.1.1.2: icmp_seq=6 ttl=63 time=4.130 ms
64 bytes from 1.1.1.2: icmp_seq=7 ttl=63 time=2.316 ms
...

user@R1> show security flow session
Session ID: 50522, Policy name: Internet-traffic/4, Timeout: 2
  In: 10.1.1.2/12 --> 1.1.1.2/2827;icmp, If: ge-0/0/1.0
  Out: 1.1.1.2/2827 --> 10.1.1.2/12;icmp, If: ge-0/0/3.0

Session ID: 50523, Policy name: Internet-traffic/4, Timeout: 2
  In: 10.1.1.2/13 --> 1.1.1.2/2827;icmp, If: ge-0/0/1.0
  Out: 1.1.1.2/2827 --> 10.1.1.2/13;icmp, If: ge-0/0/3.0

2 sessions displayed

Meaning

The output shows traffic being transmitted from device R0 to R1 and the sessions established for it. In this example, you did not apply the bypass-flow-filter with the packet-mode action modifier on interface Internet for your company’s Internet traffic. This output verifies that the traffic to the Internet is correctly using flow-based forwarding and that sessions are therefore established.

Transmit traffic from device R3 to R2 and use the commands in this section to verify established sessions.
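
The check in step 3 can also be scripted against saved CLI output. The following is an added example, not Juniper code: it parses show security flow session text in the layout of the sample output above and returns the sessions whose In wing matches a given source, destination, and policy. The function names are hypothetical, the sample text is copied from the output above, and the code assumes the Out wing is the exact reverse of the In wing, as it is in that output.

```python
import re

# Sample input copied from the "show security flow session" output above.
SAMPLE = """\
Session ID: 50522, Policy name: Internet-traffic/4, Timeout: 2
  In: 10.1.1.2/12 --> 1.1.1.2/2827;icmp, If: ge-0/0/1.0
  Out: 1.1.1.2/2827 --> 10.1.1.2/12;icmp, If: ge-0/0/3.0

Session ID: 50523, Policy name: Internet-traffic/4, Timeout: 2
  In: 10.1.1.2/13 --> 1.1.1.2/2827;icmp, If: ge-0/0/1.0
  Out: 1.1.1.2/2827 --> 10.1.1.2/13;icmp, If: ge-0/0/3.0

2 sessions displayed
"""

HEAD = re.compile(r"Session ID: (\d+), Policy name: ([^,]+?)/\d+, Timeout: (\d+)")
WING = re.compile(r"\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+)")
FOOT = re.compile(r"(\d+) sessions? displayed")

def parse_sessions(text):
    """Return (sessions, footer_count) parsed from the CLI text."""
    sessions, footer = [], None
    for line in text.splitlines():
        if m := HEAD.match(line):
            sessions.append({"id": int(m[1]), "policy": m[2], "timeout": int(m[3])})
        elif (m := WING.match(line)) and sessions:
            sessions[-1][m[1].lower()] = {"src": m[2], "sport": int(m[3]),
                "dst": m[4], "dport": int(m[5]), "proto": m[6], "if": m[7]}
        elif m := FOOT.match(line):
            footer = int(m[1])
    return sessions, footer

def flow_sessions(text, src, dst, policy):
    """Sessions showing src -> dst traffic took the flow path under `policy`."""
    sessions, footer = parse_sessions(text)
    if footer is not None and footer != len(sessions):
        raise ValueError("parsed %d sessions, CLI reported %d" % (len(sessions), footer))
    hits = []
    for s in sessions:
        i, o = s.get("in"), s.get("out")
        if not i or not o or s["policy"] != policy:
            continue
        # Assumption: the Out wing mirrors the In wing exactly, as in the sample.
        mirrored = (o["src"], o["sport"], o["dst"], o["dport"]) == (i["dst"], i["dport"], i["src"], i["sport"])
        if i["src"] == src and i["dst"] == dst and mirrored:
            hits.append(s)
    return hits
```

An empty list from flow_sessions means no matching session was present in the captured text; a ValueError means the text was truncated or did not parse cleanly and should be captured again.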

Related Topics

For more information about the show security flow session command, see the Junos OS CLI Reference.

For information about the ping command, see the Junos OS Administration Guide for Security Devices or the Junos System Basics Configuration Guide.