Controller Based WLANs

Understand the 'C' flag and 'Y' flag in the 'show datapath session' command output

Aruba Employee

This article applies to all Aruba controller platforms and all AOS versions.

During troubleshooting, some time we may want to check if the user traffic is indeed received by the controller. Other than sniff the packet which is some time not possible/feasible, the 'show datapath session' is your friend.

In Aruba controller datapath session table, there's 'C' and 'Y' flag,
Example:

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP

'C': if this is set, then this is the session initiated from the client.

'Y': If this is set, then that means the controller has yet to see a packet to match that session.

You might wonder how could this be possible. if there's no packet, then why there's a session? Here's why.

When the controller receives a packet from wireless client that does NOT match any existing session and it's allowed by the user policy, The controller will create a session. Since it's a stateful firewall, the session will have 2 'wings'. one wing is for the incoming wireless traffic goes to the corp network/Internet. The controller will mark it with 'C' flag meaning this is client initiated wing. the other wing is the return traffic coming back from the corp network/Internet. However, at this moment, the 2nd wing will have a Y flag since there's no return packet yet.

One way to test and see this behavior is to point the DNS server on the wirless client to a non-exist host so the dns response will never come back and you have enough time to catch this by using 'show datapath session table <client IP address>' command .

Example:


(c1-10) # show datapath session table 10.168.121.196

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
          D - deny, R - redirect, Y - no syn
          H - high prio, P - set prio, T - set ToS
          C - client, M - mirror, V - VOIP

Source IP          Destination IP   Prot SPort  DPort Cntr Prio ToS Age Destination Flags
--------------              --------------      ----   -----      -----     ----   ----  ---   ---     -----------      -----
10.168.121.196       1.1.1.1         17  2059    53        0     0      0     0       3/0        FC
10.168.121.196       1.1.1.1         17  1032    53        0     0      0     1       3/0        FC
1.1.1.1             10.168.121.196   17    53    1032      0     0      0     1       3/0        FY
1.1.1.1             10.168.121.196   17    53    2059      0     0      0     0       3/0        FY

 

Version history
Revision #:
1 of 1
Last update:
‎07-06-2014 07:36 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.