Troubleshoot traffic simulation queries
Relevant for: AFA administrators only
If you ran a group device query and received unexpected results, you can troubleshoot those results by providing the expected results. AFA will make a recommendation to help you make the traffic traverse correctly.
Query Visualizer
The Query Visualizer helps you to better understand your network routing. In addition to showing the resulting TSQ path on the map, you can set the map to show additional paths that were found, but were disqualified.
To distinguish between path types, the path lines in query visualizations are color coded, as follows:
Path line color | Explanation |
blue | The resulting path of the query |
red | The path is disqualified due to: loop, no route to destination, or dead end |
yellow | The path is valid but disqualified due to the PrioritizeFIPDestination configuration parameter setting (to choose subnets over cloud destinations) |
For example:
The Query Visualizer map includes these additional icons:
Icon | Explanation |
Dead end: Destination was not found behind cloud | |
Routing loop: path loops through the same device | |
No route to destination: device does not know where to route traffic |
Note: To use the Query Visualizer you must have permissions to see All FIREWALLS and the map.
To enable the Query Visualizer
Note: If there are no TSQ results (traffic not routed), you won't see the other paths when you enable the Query Visualizer.
Troubleshoot traffic not routed
This procedure describes how to troubleshoot a situation where a traffic simulation query was run and the user received a messages that the traffic is not routed. For example:
Note: This procedure should be used only when the routes from the source to destintation and vice versa are symmetrical. This is true in most cases.
Do the following:
-
Verify that the source and destination addresses are directly connected to a device in the AFA map. In the map, run a search for the specific IP addresses. For example, for the source IP 10.150.18.3 and destination IP 10.138.6.66:
Source:
Destination:
-
The screen shots in the previous step show 15 possible devices, and that 14 of them are clouds.
This means that there is only 1 result that is directly connected for both the source and destination.
Tip: If, in your case, there are only clouds shown, you may be missing devices in AFA. Try to find out which devices are missing and refresh their AFA configuration.
In our case, the source is behind the pvgazc03-extfw node, and the destination is behind ps-R80 node.
-
Run a Routing Query from the map, on the pvgazc03-extfw source device to search for the destination address.
An unreachable result is expected. This message will display the IP address of the dead-end, 10.150.17.6:
-
Ideally, we should add the device 10.150.17.6 to AFA, but this may not be possible. Instead, we'll bridge it with another stub.
To find the other stub-router, perform another Routing Query, from the ps-R80 destination device back towards the source:
-
Once you've discovered both dead-ends, you can bridge them by selecting both stub-routers and merging them.
For details, see Merge routers.
-
Re-run the query to see the newly merged stubs as part of the path. In this following example, it's shown as the NewBridge device:
Note: NAT is not considered when performing a Routing Query via the map.
If there is NAT in the middle of your path, manually change your query. For more details, see Troubleshoot a traffic simulation query with NAT.
Troubleshoot a traffic simulation query with NAT
This section describes how to troubleshoot a traffic simulation query when NAT is in the network path.
Tip: If you aren't sure whether NAT is in the network path, use the NAT discovery utility to verify. For details, see Find NAT values.
Group queries: Update routing information with a NAT destination for downstream devices
In group queries where a device performs NAT for the destination, AFA must have the translated address to determine the path to the destination.
Do the following:
-
Run /home/afa/.fa-history
-
Search for your group query ID, and then search for prints from getDstNatFromDB. For example:
[30276] [o20g] [2019-06-20 13:53:46,136] [INFO ] [FwaUtil.pm
::print_log :3821] Route lookup from device 25 () to 52.128.31.10, source interface [Serial1/0][30276] [o20g] [2019-06-20 13:53:46,353] [INFO ] [FwaUtil.pm
::print_log :3821] getDstNatFromDB: Destination 52.128.31.10 is translated to address 52.128.20.4 on device teak_f5 (NAT)[30276] [o20g] [2019-06-20 13:53:46,354] [INFO ] [FwaUtil.pm
::print_log :3821] Destination 52.128.31.10 is being translated (NAT) to 52.128.20.4 in device 144 (), assume proxy arp[30276] [o20g] [2019-06-20 13:53:46,354] [INFO ] [FwaUtil.pm
::print_log :3821] Found path to next device 144 () via gateway IP 52.128.31.10 on possible route to destination 52.128.31.10[30276] [o20g] [2019-06-20 13:53:46,358] [INFO ] [FwaUtil.pm
::print_log :3821] getDstNatFromDB: Destination 52.128.31.10 is translated to address 52.128.20.4 on device teak_f5 (NAT)[30276] [o20g] [2019-06-20 13:53:46,358] [INFO ] [FwaUtil.pm
::print_log :3821] updateDstWithNAT: Device 144 () translates destination 52.128.31.10 to 52.128.20.4 (NAT)[30276] [o20g] [2019-06-20 13:53:46,358] [INFO ] [FwaUtil.pm
::print_log :3821] Route lookup from device 144 () to 52.128.20.4In this example the highlighted lines show that the original destination is 52.128.31.10, and that the device 144 (teak_f5) translates 52.128.31.10 to 52.128.20.4.
In the last line, we can see that the route lookup from device 144 was updated to the post-NAT address. At this point, AFA will look for a path using the updated address.
Tip: Further downstream devices can also perform NAT, so you may need to keep tracking these prints.
Single devices: Check your single-device query source or destination
When running a single-device query to determine whether the device allows or blocks the requested traffic, both source and destination NAT is taken into account.
However, if you are using the Routing Query tool from the device's network map, NAT is not considered. If you search for a path using the Routing Query tool, you'll need to change the IP address to the post-translation address manually.
To verify whether NAT was considered for your query, do the following:
-
Run
/home/afa/.fa-history
-
Search for your device query ID, and then search for prints that include Creating post-NAT definitions.
These indicate that the source or destination were updated for the single device query, and it will now run with the new values.
This can also be viewed in AFA when looking at query result details.
â See also: