MattF,
The bidirectional "session" is always built in anticipation of return traffic. If that traffic is not returned, there is a "Y" flag that indicates that there is "No Syn". A successful return of traffic does NOT have a Y as a flag:
Successful: Nslookup
$ nslookup
> server 4.2.2.2
Default server: 4.2.2.2
Address: 4.2.2.2#53
> www.yahoo.com
Server: 4.2.2.2
Address: 4.2.2.2#53
Non-authoritative answer:
www.yahoo.com canonical name = fd-fp3.wg1.b.yahoo.com.
fd-fp3.wg1.b.yahoo.com canonical name = ds-fp3.wg1.b.yahoo.com.
ds-fp3.wg1.b.yahoo.com canonical name = ds-any-fp3-lfb.wa1.b.yahoo.com.
ds-any-fp3-lfb.wa1.b.yahoo.com canonical name = ds-any-fp3-real.wa1.b.yahoo.com.
Name: ds-any-fp3-real.wa1.b.yahoo.com
Address: 98.139.180.149
Name: ds-any-fp3-real.wa1.b.yahoo.com
Address: 98.139.183.24
Name: ds-any-fp3-real.wa1.b.yahoo.com
Address: 206.190.36.45
Name: ds-any-fp3-real.wa1.b.yahoo.com
Address: 206.190.36.105
Successful NSlookup
(192.168.1.3) #show datapath session table 4.2.2.2
Fri Feb 14 03:14:54 2014
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
4.2.2.2 192.168.1.76 17 53 63131 0/0 0 0 0 tunnel 16 6 0 0 FI
192.168.1.76 4.2.2.2 17 63131 53 0/0 0 0 1 tunnel 16 6 0 0 FCI
(192.168.1.3) #show datapath session table 4.2.2.8
Unsuccessful Nslookup:
> server 4.2.2.8
Default server: 4.2.2.8
Address: 4.2.2.8#53
> www.yahoo.com
;; connection timed out; no servers could be reached
> www.zdnet.com
;; connection timed out; no servers could be reached
Unsuccessful Nslookup
(192.168.1.3) #show datapath session table 4.2.2.8
Fri Feb 14 03:19:00 2014
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
4.2.2.8 192.168.1.76 17 53 58514 0/0 0 0 0 tunnel 16 9 0 0 FYI <---------No Return Traffic (Y Flag)
192.168.1.76 4.2.2.8 17 58514 53 0/0 0 0 0 tunnel 16 9 1 59 FCI
Successful Ping: (No Y Flag)
(192.168.1.3) #show datapath session table 4.2.2.2
Fri Feb 14 03:45:22 2014
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
192.168.1.76 4.2.2.2 1 3 2048 0/0 6 0 0 tunnel 16 8 1 84 FCI
192.168.1.76 4.2.2.2 1 2 2048 0/0 6 0 0 tunnel 16 9 1 84 FCI
192.168.1.76 4.2.2.2 1 1 2048 0/0 6 0 0 tunnel 16 a 0 0 FCI
192.168.1.76 4.2.2.2 1 0 2048 0/0 6 0 0 tunnel 16 b 0 0 FCI
192.168.1.76 4.2.2.2 1 6 2048 0/0 6 0 0 tunnel 16 4 1 84 FCI
192.168.1.76 4.2.2.2 1 4 2048 0/0 6 0 0 tunnel 16 7 1 84 FCI
192.168.1.76 4.2.2.2 1 5 2048 0/0 6 0 0 tunnel 16 5 1 84 FCI
4.2.2.2 192.168.1.76 1 2 0 0/0 0 0 0 tunnel 16 9 1 84 FI
4.2.2.2 192.168.1.76 1 3 0 0/0 0 0 0 tunnel 16 8 1 84 FI
4.2.2.2 192.168.1.76 1 0 0 0/0 0 0 0 tunnel 16 b 0 0 FI
4.2.2.2 192.168.1.76 1 1 0 0/0 0 0 0 tunnel 16 b 0 0 FI
4.2.2.2 192.168.1.76 1 6 0 0/0 0 0 0 tunnel 16 5 1 84 FI
4.2.2.2 192.168.1.76 1 5 0 0/0 0 0 0 tunnel 16 6 1 84 FI
4.2.2.2 192.168.1.76 1 4 0 0/0 0 0 0 tunnel 16 8 1 84 FI
(192.168.1.3) #
Unsuccessful Ping:
(192.168.1.3) #show datapath session table 4.4.4.8
Fri Feb 14 03:46:35 2014
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
4.4.4.8 192.168.1.3 1 43 0 0/0 0 0 1 local 11 0 0 FYI <-------------No Syn
4.4.4.8 192.168.1.3 1 45 0 0/0 0 0 1 local 10 0 0 FYI <-------------No Syn
4.4.4.8 192.168.1.3 1 44 0 0/0 0 0 1 local 11 0 0 FYI <-------------No Syn
192.168.1.3 4.4.4.8 1 43 2048 0/0 0 0 1 local 11 0 0 FCI
192.168.1.3 4.4.4.8 1 44 2048 0/0 0 0 1 local 11 0 0 FCI
192.168.1.3 4.4.4.8 1 45 2048 0/0 0 0 1 local 10 0 0 FCI
(192.168.1.3) #