Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

show security flow session session-identifier

Syntax

Description

Display detailed information for the identified session.

Options

session-identifier —Identifier of the session about which to display information.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security flow session session-identifier command. Output fields are listed in the approximate order in which they appear.

Table 1: show security flow session session-identifier Output Fields

Field Name

Field Description

Session ID

A unique number that a server assigns a specific user for the duration of that session.

Flags

Internal flag depicting the state of the session, used for debugging purposes. It is internal. The three available flags are:

Flags: 0x42/0x0/0x1/0x8103

  • natflag:

  • natflag2:

  • natflag3:

  • flag:

Policy name

Name and ID of the policy that the first packet of the session matched and that permitted the traffic.

Session log entries are tied to policy configuration. Each main session event—create, close, and deny—creates a log entry if the controlling policy has enabled logging.

Source NAT pool

The name of the source pool where NAT is used.

A NAT pool is a user-defined set of IP addresses that are used for translation. Unlike static NAT, where there is a one-to-one mapping that includes destination IP address translation in one direction and source IP address translation in the reverse direction, with source NAT, the original source IP address is translated to an IP address in the address pool.

Source NAT is used to allow hosts with private IP addresses to access a public network.

Dynamic application

Dynamic application: INCONCLUSIVE.

If the dynamic application has yet to be determined, the output indicates Pending. If the dynamic application cannot be determined, the output indicates junos: UNKNOWN.

Traffic with an application ID of junos: UNKNOWN matches a dynamic application of junos: UNKNOWN. If there is no such rule defined, the default rule is applied.

The term junos: UNKNOWN is a reserved keyword.

Encryption

Type of encryption, if the application traffic is encrypted.

Encryption:  Unknown.

Application traffic control rule-set

Name of the application traffic control rule set.

Application traffic control rule-set: INVALID.

Maximum timeout

Maximum session timeout, in seconds.

Session state

Session state: Valid.

Start time

Time, in seconds, when the session was created, offset from the system start time.

In

For the input flow:

  • Source and destination addresses, ports, and protocol tuple for the input flow.

  • Interface: Input flow interface.

  • Session token: Internal token derived from the virtual routing instance.

  • Flag: Internal debugging flags.

  • Route: Internal next hop of the route to be used by the flow.

  • Gateway: Next-hop gateway of the flow.

  • Tunnel: Used for internal debugging. If the flow is going into a tunnel, the decimal format of the tunnel ID, plus the tunnel type. Otherwise, 0 (zero). See Table 2 for tunnel type identification.

  • Port Sequence, FIN sequence, FIN state, Cookie: Internal TCP state tracking information.

  • Pkts, Bytes, CP Session ID: Packets and bytes matched on the wing, and the associated CP session ID of the wing.

  • Conn tag: Session connection tag for GRPS tunneling protocol, user plane (GTP-U) flow sessions and Stream Control Transmission Protocol (SCTP) flow sessions.

Out

For the reverse flow:

  • Source and destination IP addresses, and application protocol for the reverse flow.

  • Interface: Reverse flow interface.

  • Session token: Internal token derived from the virtual routing instance.

  • Flag: Internal debugging flags.

  • Route: Internal next hop of the route to be used by the flow.

  • Gateway: Next-hop gateway of the flow.

  • Tunnel: Tunnel type identifier. Used for internal debugging.

    If the flow is going into a tunnel, species the decimal format of the tunnel ID, plus the tunnel type. Otherwise, 0 (zero). See Table 2 for tunnel type identification.

  • Port Sequence, FIN sequence, FIN state, Cookie: Internal TCP state tracking information.

  • Pkts, Bytes, CP Session ID: Packets and bytes matched on the wing, and the associated CP session ID of the wing.

  • Conn tag: Session connection tag for GRPS tunneling protocol, user plane (GTP-U) flow sessions and Stream Control Transmission Protocol (SCTP) flow sessions.

Status

Session status:

  • Auth (NAT flag with NAT_AUTH)

  • Transparent (NAT flag with NAT_TRANSPARENT)

  • Expired (NAT flag with NAT_INVALID)

  • Normal (no flag)

Virtual system

Virtual system to which the session belongs (it is optional).

Application

Application match for applying the rule.

Application: junos-http/6.

Rule

Name of the application traffic control rule.

Rule: INVALID.

Current timeout

Remaining time for the session unless traffic exists in the session.

Duration

Length of time, in seconds, for which the session is active.

Client

Name of the ALG, if there is resource manager.

Group

Group identification number, if there is resource manager.

Resource

Resource identification number, if there is resource manager.

Table 2: Tunnel Type Identification

Binary (first 3 bits)

Hexadecimal (the first 4 bits)

Tunnel Type

0x000

0x0

no tunnel

0x001

0x2

TUNNEL_TYPE_IPSEC

0x010

0x4

TUNNEL_TYPE_L2TP

0x011

0x6

TUNNEL_TYPE_NATT

0x100

0x8

TUNNEL_TYPE_DS_LITE

0x101

0xa

TUNNEL_TYPE_MCNH

Sample Output

show security flow session session-identifier 20595

Release Information

Command introduced in Junos OS Release 8.5. Output changed to support natflag2 and flag in Junos OS Release 12.3X48-D10.

Related Documentation