Kernel Debug Procedure with Connection Life Cycle

Introduction

Connection Life Cycle is a debug tool.

This tool generates a formatted debug output file (in the Ruby format) that presents the debug messages hierarchically by connections and packets:

The first hierarchy level shows connections.
After you expand the connection, you see all the packets of this connection.

Important - You must use this tool in the Expert mode together with the regular kernel debug flags (see Kernel Debug Modules and Debug Flags).

Syntax for a Security Gateway / each Cluster Member

To start the debug capture:

conn_life_cycle.sh -a start -o /<Path>/<Name of Raw Debug Output File> [{-t | -T}] [[-f "<Filter1>"] [-f "<Filter2>"] [-f "<Filter3>] [-f "<Filter4>] [-f "<Filter5>"]]

To stop the debug capture and prepare the formatted debug output:

conn_life_cycle.sh -a stop -o /<Path>/<Name of Formatted Debug Output File>

Syntax for a Scalable Platform Security Group

To start the debug capture:

g_all conn_life_cycle.sh -a start -o /<Path>/<Name of Raw Debug Output File> [{-t | -T}] [[-f "<Filter1>"] [-f "<Filter2>"] [-f "<Filter3>] [-f "<Filter4>] [-f "<Filter5>"]]

To stop the debug capture and prepare the formatted debug output:

g_all conn_life_cycle.sh -a stop -o /<Path>/<Name of Formatted Debug Output File>

Parameters

Parameter

Description

-a start

-a stop

Mandatory.

Specifies the action:

start - Starts the debug capture based on the debug flags you enabled and debug filters you specified.
stop - Stops the debug capture, resets the kernel debug options, resets the kernel debug filters.

-t | -T

Optional.

Specifies the resolution of a time stamp in front of each debug message:

-t - Prints the time stamp in milliseconds.
-T - Prints the time stamp in microseconds.

Best Practice - Always use the "-T" option to make the debug analysis easier.

-f "<Filter>"

Optional.

Specifies which connections and packets to capture.

For additional information, see Kernel Debug Filters.

Important - If you do not specify filters, then the tool prints debug messages for all traffic. This causes high load on the CPU and increases the time to format the debug output file.

Each filter must contain these five numbers (5-tuple) separated with commas:

"<Source IP Address>,<Source Port>,<Destination IP Address>,<Destination Port>,<Protocol Number>"

Example of capturing traffic from IP 192.168.20.30 from any port to IP 172.16.40.50 to port 22 over the TCP protocol:

-f "192.168.20.30,0,172.16.40.50,22,6"

Notes:

The tool supports up to five of such filters.
The tool treats the value 0 (zero) as "any".
If you specify two or more filters, the tool performs a logical "OR" of all the filters on each packet.

If the packet matches at least one filter, the tool prints the debug messages for this packet.
"<Source IP Address>" and "<Destination IP Address>" - IPv4 or IPv6 address
"<Source Port>" and "<Destination Port>" - integers from 1 to 65535 (see IANA Service Name and Port Number Registry)
<Protocol Number> - integer from 0 to 254 (see IANA Protocol Numbers)

-o /<Path>/<Name of Raw Debug Output File>

Mandatory.

Specifies the absolute path and the name of the raw debug output file.

Example:

-o /var/log/kernel_debug.txt

-o /<Path>/<Name of Formatted Debug Output File>

Mandatory.

Specifies the absolute path and the name of the formatted debug output file (to analyze by an administrator).

Example:

-o /var/log/kernel_debug_formatted.txt

Procedure

Important - In cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must perform these steps on all the Cluster Members in the same way.

Examine the list of the debug flags that are enabled in the specified kernel modules

On the Security Gateway / each Cluster Member, run:

fw ctl debug -m <module>

On the Scalable Platform Security Group, run:

g_fw ctl debug -m <module>

Start the debug capture

On the Security Gateway / each Cluster Member, run:

conn_life_cycle.sh -a start -o /var/log/kernel_debug.txt -T -f "<Filter1>" [... [-f "<FilterN>"]]

On the Scalable Platform Security Group, run:

g_all conn_life_cycle.sh -a start -o /var/log/kernel_debug.txt -T -f "<Filter1>" [... [-f "<FilterN>"]]

Replicate the issue, or wait for the issue to occur

Replicate the issue if you know how, or wait for the issue to occur.

Stop the debug capture and prepare the formatted debug output

On the Security Gateway / each Cluster Member, run:

conn_life_cycle.sh -a stop -o /var/log/kernel_debug_formatted.txt

On the Scalable Platform Security Group, run:

g_all conn_life_cycle.sh -a stop -o /var/log/kernel_debug_formatted.txt

Transfer the output file to your computer

Transfer this file from the Security Gateway / each Cluster Member / each Security Group Member to your computer:

/var/log/kernel_debug.txt

Best Practice - Compress this file with the "tar -zxvf" command and transfer it from the Security Gateway / each Cluster Member / each Security Group Members to your computer. If you transfer to an FTP server, do so in the binary mode.

Analyze the output file on your computer

Examine the formatted debug output file in an advanced text editor like Notepad++ (click Language > R > Ruby), or any other Ruby language viewer.

Example

Collecting the kernel debug for TCP connection from IP 172.20.168.15 (any port) to IP 192.168.3.53 and port 22

[Expert@GW:0]# fw ctl debug -m fw + conn drop 
Updated kernel's debug variable for module fw 
Debug flags updated. 
[Expert@GW:0]# 
[Expert@GW:0]# fw ctl debug -m fw 
Kernel debugging buffer size: 50KB 
HOST: 
Module: fw 
Enabled Kernel debugging options: error warning conn drop 
Messaging threshold set to type=Info freq=Common 
[Expert@GW:0]# 
[Expert@GW:0]# conn_life_cycle.sh -a start -o /var/log/kernel_debug.txt -T -f "172.20.168.15,0,192.168.3.53,22,6" 
Set operation succeeded 
Set operation succeeded 
Set operation succeeded 
Set operation succeeded 
Set operation succeeded 
Set operation succeeded 
Set operation succeeded 
Initialized kernel debugging buffer to size 8192K 
Set operation succeeded 
Capturing started... 
[Expert@GW:0]# 
 
... ... Replicate the issue, or wait for the issue to occur ... ...
 
[Expert@GW:0]# 
[Expert@GW:0]# conn_life_cycle.sh -a stop -o /var/log/kernel_debug_formatted.txt 
Set operation succeeded 
Defaulting all kernel debugging options 
Debug state was reset to default. 
Set operation succeeded 
doing unification... 
Openning host debug file /tmp/tmp.KiWmF18217... OK 
New unified debug file: /tmp/tmp.imzMZ18220... OK 
prepare unification 
performing unification 
Done :-) 
doing grouping... 
wrapping connections and packets... 
Some of packets lack description, probably because they were already handled when the feature was enabled. 
[Expert@GW:0]# 
[Expert@GW:0]# fw ctl debug -m fw 
Kernel debugging buffer size: 50KB 
HOST: 
Module: fw 
Enabled Kernel debugging options: error warning 
Messaging threshold set to type=Info freq=Common 
[Expert@GW:0] 
[Expert@GW:0] ls -l /var/log/kernel_debug.* 
-rw-rw---- 1 admin root 40960 Nov 26 13:02 /var/log/kernel_debug.txt 
-rw-rw---- 1 admin root 24406 Nov 26 13:02 /var/log/kernel_debug_formatted.txt 
[Expert@GW:0]

Opening the kernel debug in Notepad++

Everything is collapsed:

   Connection with 1st packet already in handling so no conn details

[+]{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Opened the first hierarchy level to see the connection:

   Connection with 1st packet already in handling so no conn details

[-]{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

;26Nov2018 13:02:06.736016;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is  INBOUND;

[+]{---------------------------------------------------------- packet begins ------------------------------------------------------

Opened the second hierarchy level to see the packets of this connection:

   Connection with 1st packet already in handling so no conn details
[-]{+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
;26Nov2018 13:02:06.736016;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is  INBOUND;
[-]{---------------------------------------------------------- packet begins ------------------------------------------------------
;26Nov2018 13:02:06.736021;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering  CHAIN_MODULES_ENTER;
;26Nov2018 13:02:06.736035;[cpu_2];[fw4_1];#fwconn_lookup_cache: conn <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6>;
;26Nov2018 13:02:06.736046;[cpu_2];[fw4_1];#<1c001,44000,2,1e2,0,UUID: 5bfbc2a2-0000-0000-c0-a8-3-35-1-0-0-c0, 1,1,ffffffff,ffffffff,40800,0,80,OPQS:[0,ffffc20033d220f0,0,0,0,0,ffffc20033958648,0,0,0,ffffc200325d57b0,0,0,0,0,0],0,0,0,0,0,0,0,0,0,0,0,0,0,0> 
;26Nov2018 13:02:06.736048;[cpu_2];[fw4_1];CONN LIFE CYCLE: lookup: found;
;26Nov2018 13:02:06.736053;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering  VM_ENTER;
;26Nov2018 13:02:06.736055;[cpu_2];[fw4_1];#
;26Nov2018 13:02:06.736060;[cpu_2];[fw4_1];#Before VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 (ifn=1) (first seen) (looked up) ;
;26Nov2018 13:02:06.736068;[cpu_2];[fw4_1];#After  VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 ;
;26Nov2018 13:02:06.736071;[cpu_2];[fw4_1];#VM Final action=ACCEPT;
;26Nov2018 13:02:06.736072;[cpu_2];[fw4_1];# -----  Stateful VM inbound Completed -----
;26Nov2018 13:02:06.736075;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting  VM_EXIT;
;26Nov2018 13:02:06.736081;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering  POST VM_ENTER;
;26Nov2018 13:02:06.736083;[cpu_2];[fw4_1];#
;26Nov2018 13:02:06.736085;[cpu_2];[fw4_1];#fw_post_vm_chain_handler: (first_seen 32, new_conn 0, is_my_ip 0, is_first_packet 0);
;26Nov2018 13:02:06.736089;[cpu_2];[fw4_1];#Before POST VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 (ifn=1) (first seen) (looked up) ;
;26Nov2018 13:02:06.736095;[cpu_2];[fw4_1];#After  POST VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 ;
;26Nov2018 13:02:06.736097;[cpu_2];[fw4_1];#POST VM Final action=ACCEPT;
;26Nov2018 13:02:06.736098;[cpu_2];[fw4_1];# -----  Stateful POST VM inbound Completed -----
;26Nov2018 13:02:06.736101;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting  POST VM_EXIT;
;26Nov2018 13:02:06.736104;[cpu_2];[fw4_1];#fwconnoxid_msg_get_cliconn: warning - failed to get connoxid message.;
;26Nov2018 13:02:06.736107;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering  CPAS_ENTER;
;26Nov2018 13:02:06.736110;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting  CPAS_EXIT;
;26Nov2018 13:02:06.736113;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting  CHAIN_MODULES_EXIT;
;26Nov2018 13:02:06.736116;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is  ACCEPTED;
}
;26Nov2018 13:02:06.770652;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is  INBOUND;