Understand the 'C' flag and 'Y' flag in the 'show datapath session' command output 

Jul 06, 2014 10:36 AM

This article applies to all Aruba controller platforms and all AOS versions.

During troubleshooting, we sometimes want to check whether the user's traffic is actually being received by the controller. Other than sniffing the packets, which is sometimes not possible or feasible, 'show datapath session' is your friend.

In the Aruba controller datapath session table there are 'C' and 'Y' flags. Example of the flag legend:

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP

'C': if this is set, this session wing was initiated by the client.

'Y': if this is set, the controller has yet to see a packet matching that session wing.

You might wonder how this is possible: if there is no packet, why is there a session? Here's why.

When the controller receives a packet from a wireless client that does NOT match any existing session and the packet is allowed by the user policy, the controller creates a session. Since the controller is a stateful firewall, the session has two 'wings'. One wing is for the incoming wireless traffic going out to the corporate network/Internet; the controller marks it with the 'C' flag, meaning this is the client-initiated wing. The other wing is for the return traffic coming back from the corporate network/Internet. At the moment the session is created, that second wing carries the 'Y' flag because no return packet has been seen yet.

One way to test and see this behavior is to point the DNS server on the wireless client to a non-existent host, so the DNS response never comes back and you have enough time to catch the session using the 'show datapath session table <client IP address>' command.

Example:


(c1-10) # show datapath session table 10.168.121.196

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP

Source IP        Destination IP   Prot SPort DPort Cntr Prio ToS Age Destination Flags
--------------   --------------   ---- ----- ----- ---- ---- --- --- ----------- -----
10.168.121.196   1.1.1.1          17   2059  53    0    0    0   0   3/0         FC
10.168.121.196   1.1.1.1          17   1032  53    0    0    0   1   3/0         FC
1.1.1.1          10.168.121.196   17   53    1032  0    0    0   1   3/0         FY
1.1.1.1          10.168.121.196   17   53    2059  0    0    0   0   3/0         FY
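When checking many clients it helps to automate the pairing of the two wings. The following Python script is an added example, not part of the original article or of AOS: it parses saved 'show datapath session table' output, matches each 'C' wing with its reverse wing, and lists the client flows whose return wing is still flagged 'Y' (or missing), i.e. traffic the controller forwarded but never saw a reply for. The sample text is constructed in the shape of the article's output; the TCP/443 pair is an assumed, answered session added for contrast.

```python
"""Parse 'show datapath session table' output and report client-initiated
sessions whose return wing still carries the 'Y' (no return packet) flag."""
from collections import namedtuple

Wing = namedtuple("Wing", "src dst proto sport dport age flags")

# Constructed sample shaped like the article's output (not a live capture).
# The UDP/53 rows mirror the article; the TCP/443 pair is an assumed, answered session.
SAMPLE = """\
Source IP        Destination IP   Prot SPort DPort Cntr Prio ToS Age Destination Flags
--------------   --------------   ---- ----- ----- ---- ---- --- --- ----------- -----
10.168.121.196   1.1.1.1          17   2059  53    0    0    0   0   3/0         FC
10.168.121.196   1.1.1.1          17   1032  53    0    0    0   1   3/0         FC
1.1.1.1          10.168.121.196   17   53    1032  0    0    0   1   3/0         FY
1.1.1.1          10.168.121.196   17   53    2059  0    0    0   0   3/0         FY
10.168.121.196   10.1.1.10        6    40000 443   0    0    0   2   3/0         C
10.1.1.10        10.168.121.196   6    443   40000 0    0    0   2   3/0
"""

def parse_session_table(text):
    """Return one Wing per data row; header, rule and blank lines are skipped."""
    wings = []
    for line in text.splitlines():
        parts = line.split()
        # A data row starts with a dotted IP; anything else is header/rule text.
        if len(parts) < 10 or not parts[0][0].isdigit():
            continue
        flags = parts[10] if len(parts) > 10 else ""   # flags column may be empty
        wings.append(Wing(parts[0], parts[1], int(parts[2]), int(parts[3]),
                          int(parts[4]), int(parts[8]), flags))
    return wings

def find_unanswered(text):
    """Client wings ('C') whose reverse wing is absent or still flagged 'Y'.
    These are flows the controller forwarded but never saw a reply for."""
    wings = parse_session_table(text)
    by_key = {(w.src, w.dst, w.proto, w.sport, w.dport): w for w in wings}
    unanswered = []
    for w in wings:
        if "C" not in w.flags:
            continue
        reverse = by_key.get((w.dst, w.src, w.proto, w.dport, w.sport))
        if reverse is None or "Y" in reverse.flags:
            unanswered.append(w)
    return unanswered

if __name__ == "__main__":
    for w in find_unanswered(SAMPLE):
        print(f"no reply yet: {w.src}:{w.sport} -> {w.dst}:{w.dport} "
              f"proto {w.proto} flags {w.flags}")
```

Run against the sample, it reports only the two DNS queries to 1.1.1.1, which is exactly the situation the article describes.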
