Sometimes there are problems configuring the virtual router: port forwarding does not work, or the rules themselves are hard to get right. Or you may need to retrieve the router logs, check that a link is passing traffic, or run network diagnostics. This article describes how the client can solve such problems on their own, without contacting technical support.
First of all, we need to configure access to the virtual router (EDGE). To do this, open its services and go to the corresponding tab, EDGE Settings, where we enable SSH Status, set a password, and save the changes.
If we use strict Firewall rules, with everything denied by default, we also add a rule that allows connections to the router itself on the SSH port:
Then connect with any SSH client, such as PuTTY, to reach the console.
Once connected, the commands become available; let's move on to their description. To see the list of all available commands, use:
list
The list of useful commands
show interface – displays the available interfaces and the IP addresses set on them
show log – shows the router logs
show log follow – allows you to watch the log in real time with constant updating. Each rule, either NAT or Firewall, has an Enable logging option; when it is enabled, events matching the rule are written to the log for diagnostic purposes.
show flowtable – displays the entire table of established connections and their parameters
1: tcp 6 21599 ESTABLISHED src=9X.107.69.XXXX dst=178.170.172.XXX sport=59365 dport=22 pkts=293 bytes=22496 src=178.170.172.XXXX dst=91.107.69.173 sport=22 dport=59365 pkts=206 bytes=83569 [ASSURED] mark=0 rid=133427 use=1
show flowtable topN 10 – displays only the desired number of entries, in this example 10
show flowtable topN 10 sort-by pkts – sorts connections by number of packets, from fewest to most
show flowtable topN 10 sort-by bytes – sorts connections by number of transmitted bytes, from fewest to most
show flowtable rule-id ID topN 10 – displays the connections matched by the given firewall rule ID
show flowtable flowspec SPEC – for more flexible connection selection, where SPEC sets the filter conditions; for example proto=tcp:srcip=9X.107.69.XXXX:sport=59365 selects TCP connections with source IP address 9X.107.69.XXXX and source port 59365.
Example:
> show flowtable flowspec proto=tcp:srcip=90.107.69.171:sport=59365
1: tcp 6 21599 ESTABLISHED src=9X.107.69.XX dst=178.170.172.xxx sport=59365 dport=22 pkts=1659 bytes=135488 src=178.170.172.xxx dst=xx.107.69.xxx sport=22 dport=59365 pkts=1193 bytes=210361 [ASSURED] mark=0 rid=133427 use=1
Total flows: 1
show packet drops – displays packet drop statistics
show firewall flows – shows the firewall's packet counters together with the packet flows.
In the same way, basic network diagnostic tools can be used directly from the EDGE router:
ping ip WORD
ping ip WORD size SIZE count COUNT nofrag – ping with a given payload size and number of probes, with fragmentation of packets of that size prohibited.
traceroute ip WORD
Firewall diagnostic sequence on Edge
1) Run show firewall and review the configured custom filtering rules in the usr_rules table.
2) Watch the POSTROUTING chain and check the number of packets dropped in the DROP field. If there is a problem with asymmetric routing, this counter keeps rising.
Additional symptoms to check for:
ping works in one direction but not in the opposite one.
ping works, but TCP sessions are not established.
3) View the IP address set information: show ipset
4) Enable logging on the firewall rule in the Edge services
5) Watch the events in the log: show log follow
6) Check the connections matched by the required rule ID: show flowtable rule-id
7) Using show flowstats, compare the current number of connections (Current Flow Entries) with the maximum allowed in the current configuration (Total Flow Capacity). For the available configurations and their limits, see NSX Edge - features, performance.
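As an added example (not part of the original article and not an NSX tool), the following Python helper parses output in the show flowtable format shown above, selects flows by rule ID (step 6) and flags flows with no reply packets, which is the pattern behind the asymmetric-routing symptoms in step 2. The sample output is constructed; the addresses and rule IDs are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show flowtable" output (not captured from a real Edge);
# addresses are from documentation ranges, rule IDs are made up.
SAMPLE_FLOWTABLE = """\
1: tcp 6 21599 ESTABLISHED src=198.51.100.10 dst=203.0.113.5 sport=59365 dport=22 pkts=293 bytes=22496 src=203.0.113.5 dst=198.51.100.10 sport=22 dport=59365 pkts=206 bytes=83569 [ASSURED] mark=0 rid=133427 use=1
2: tcp 6 108 SYN_SENT src=198.51.100.20 dst=203.0.113.7 sport=44120 dport=443 pkts=5 bytes=300 [UNREPLIED] src=203.0.113.7 dst=198.51.100.20 sport=443 dport=44120 pkts=0 bytes=0 mark=0 rid=133430 use=1
3: udp 17 29 src=198.51.100.30 dst=203.0.113.9 sport=51000 dport=53 pkts=2 bytes=140 src=203.0.113.9 dst=198.51.100.30 sport=53 dport=51000 pkts=2 bytes=310 mark=0 rid=133427 use=1
Total flows: 3
"""

@dataclass
class Flow:
    proto: str
    state: str   # conntrack state for TCP, "-" for stateless protocols such as UDP
    rid: int     # firewall rule ID that matched the flow
    orig: dict   # src, dst, sport, dport, pkts, bytes of the initiating direction
    reply: dict  # the same keys for the reverse direction

_ENTRY = re.compile(r"\d+:\s+(\w+)\s+\d+\s+\d+\s+(?:([A-Z_]+)\s+)?src=")
_KV = re.compile(r"(\w+)=(\S+)")
_TUPLE_KEYS = ("src", "dst", "sport", "dport", "pkts", "bytes")

def parse_flowtable(text):
    """Parse 'show flowtable' output into Flow objects, skipping the 'Total flows' summary."""
    flows = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        pairs = _KV.findall(line)
        # Each tuple key appears twice: first for the original direction, then for the reply.
        orig, reply = {}, {}
        for key, val in pairs:
            if key in _TUPLE_KEYS:
                target = orig if key not in orig else reply
                target[key] = val if key in ("src", "dst") else int(val)
        rid = next(int(v) for k, v in pairs if k == "rid")
        flows.append(Flow(m.group(1), m.group(2) or "-", rid, orig, reply))
    return flows

def flows_for_rule(flows, rid):
    """Step 6 of the sequence: the connections matched by a given firewall rule ID."""
    return [f for f in flows if f.rid == rid]

def one_way_flows(flows):
    """Flows with packets only in the original direction: what you see when the return
    path bypasses the Edge (asymmetric routing) or the reply is dropped."""
    return [f for f in flows if f.orig["pkts"] > 0 and f.reply["pkts"] == 0]
```

Feed it the pasted output of show flowtable (or show flowtable rule-id ID) and inspect what one_way_flows returns before digging into the POSTROUTING drop counters.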
For details on capturing traffic on EDGE, see Part 2.