Geekly Articles each Day
📜 ⬆️ ⬇️

The fate of the package. Cisco IOS XE


Many problems diagnosing a Cisco router with an IOS XE operating system can be started with Packet Trace . This is a packet processing trace inside the router that appeared not so long ago. Previously, such functionality was available only on ASA firewalls. Who used the packet-tracer on the ASA, agrees - a very convenient tool. Now its counterpart has appeared on modern routers (ISR 4000, ASR, CSR).

I will build a note on live examples. It's easier to get an idea of ​​the IOS-XE Packet Trace. Details can always be found on the website of the vendor. It is a pity that there is not much information on this subject. In the course of our immersion, you will understand what I mean.

As an experimental we have an ISR 4000 router (I already wrote about the specifics of ISR 4000 and IOS XE operation on Habré ). A number of technologies are configured on it: static routing, PfR, PBR, address translation (NAT), ZFW firewall, ACL on interfaces, Flexible NetFlow, NBAR2, IPSec, GRE, VTI and others. All this will make the trace more saturated and close to the actual operation.

There are many technologies and each has its own debugging method. In order not to waste time and immediately determine where to look for the cause of the problem, Packet Trace is just useful.
')
We will watch the ICMP packet (echo request) sent from 192.168.20.8 to 8.8.8.8.

Tracing activation consists of two parts. First, we launch a conditional debugger. It is in it that we indicate which packages interest us. In our case, this is the traffic described by ACL 199 and arriving at the router through the GigabitEthernet0 / 0/0 interface:

access-list 199 permit icmp host 192.168.20.8 host 8.8.8.8 debug platform condition interf GigabitEthernet0/0/0 ipv4 access-list 199 ingress debug platform condition start

The conditional debugger is used not only for the operation of the packet trace. This tool allows you to effectively filter log messages and debug messages (debug) at the stage of their generation. We can set the conditions and see the records that relate only to what we need.

Next, turn on the packet trace directly. Specify the buffer and trace depth. Minimum - 16 packages. Depth: base (path-trace) or extended (fia-trace). In the case of the extended we get a detailed conclusion of the work of all functions within the QFP process. That he is responsible for the transfer of packets (datapath).

 debug platform packet-trace packet 16 fia-trace debug platform packet-trace enable

Compared to ASA packet-tracer, the syntax is, of course, not so convenient.

ASA packet-tracer can generate packets for further tracing. IOS-XE Packet Trace can not do this. For his work, it is necessary that the package came from somewhere.
Commands for cleaning tails. It will be useful when we finish everything.

 no debug platform packet-trace enable clear platform packet-trace statistics clear platform condition all

Everything is set up. We launch ping so that the packet we need passes through the router.
We look at the general output for packets that fall into the packet trace.

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.5 FWD

He is alone with us. Came through the interface Gi0 / 0/0 and was passed on (state FWD) through Gi0 / 0 / 1.5.

We look at the trace of its processing
 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 8 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 State : FWD Timestamp Start : 6495209991683323 ns (02/18/2017 11:59:43.176192 UTC) Stop : 6495209991814307 ns (02/18/2017 11:59:43.176323 UTC) Path Trace Feature: IPV4 <================= Input : GigabitEthernet0/0/0 <================= Output : GigabitEthernet0/0/0 <================= Source : 192.168.20.8 <================= Destination : 8.8.8.8 <================= Protocol : 1 (ICMP) <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 4960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 40160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1440 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 236 cft_bucket_number : 566799 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 <================= tuple.dst_ip : 8.8.8.8 <================= tuple.src_port : 61609 <================= tuple.dst_port : 161 <================= tuple.vrfid : 0 tuple.l4_protocol : ICMP <================= tuple.l3_protocol : IPV4 <================= pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 236 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 226240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 66880 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 236 cft_bucket_number : 566799 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 61609 tuple.dst_port : 161 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 236 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 21120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 119520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 3840 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 236 cft_bucket_number : 566799 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 61609 tuple.dst_port : 161 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 236 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 40640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR <================= Lapsed time : 34720 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS <================= Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : GigabitEthernet0/0/1.5 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS <================= Lapsed time : 4160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1280 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 218880 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 4480 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 1920 ns Feature: ZBFW <================= Action : Fwd <================= Zone-pair name : in-out1 <================= Class-map name : CM-FW_in-out <================= Input interface : GigabitEthernet0/0/0 <================= Egress interface: GigabitEthernet0/0/1.5 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 721760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 3680 ns Feature: NAT <================= Direction : IN to OUT <================= Action : Translate Source <================= Old Address : 192.168.20.8 00001 <================= New Address : 87.87.87.87 00033 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA Lapsed time : 54880 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 960 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Output triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 238 cft_bucket_number : 566799 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 87.87.87.87 tuple.dst_ip : 8.8.8.8 tuple.src_port : 61609 tuple.dst_port : 161 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 238 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT Lapsed time : 137600 ns Feature: IPSec <================= Result : IPSEC_RESULT_DENY <================= Action : SEND_CLEAR <================= SA Handle : 0 Peer Addr : 8.8.8.8 <================= Local Addr: 87.87.87.87 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY Lapsed time : 50560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE Lapsed time : 7040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE Lapsed time : 7040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY Lapsed time : 13600 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL Lapsed time : 112800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT Lapsed time : 41440 ns

Tracing volume directly depends on the configured functions. If we only had routing, there would be significantly less data.

Some names are understandable. But there are stages that are not easy to decode. Documentation vendor while in this regard does not help much.

Highlight the most interesting moments.

1. Information identifying our data flow:

 Feature: CFT … tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 61609 tuple.dst_port : 161 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4

Data is stored in the CFT (Common Flow Table) table. They are used by technologies that operate in their work with information about each stream (Netflow, NBAR, PfR, etc.). The CFT table is necessary not to store redundant information.

2. Definition of outgoing interface:

When a packet has just hit the router, the outgoing interface is undefined. Substitute the incoming:

 Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP)

After it is determined where to send the packet further (the routing function is executed), the outgoing interface changes:

  Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 4160 ns

3. Data processing packet firewall ZFW:

  Feature: ZBFW Action : Fwd Zone-pair name : in-out1 Class-map name : CM-FW_in-out Input interface : GigabitEthernet0/0/0 Egress interface: GigabitEthernet0/0/1.5

We immediately see between which zones the packet passed, and into which class it fell. This is quite convenient, as the ZFW configuration is often very confusing.

4. Address Broadcast Information:

  Feature: NAT Direction : IN to OUT Action : Translate Source Old Address : 192.168.20.8 00001 New Address : 87.87.87.87 00033

The destination address in the packet has been replaced by 87.87.87.87.

5. Since IPSec is configured on our router, it will be noted whether the packet got into it:

  Feature: IPSec Result : IPSEC_RESULT_DENY Action : SEND_CLEAR SA Handle : 0 Peer Addr : 8.8.8.8 Local Addr: 87.87.87.87

No, did not hit.

There is a lot of additional information in traces. For example, IPV4_INPUT_PBR signals that the packet has passed through PBR. But we will not find any information whether PBR has been applied or the packet has been submitted for processing to standard routing rules. In our case, the package did not fall under the rules of PBR. The IPV4_INPUT_TCP_ADJUST_MSS entry indicates that the ip tcp adjust-mss command is configured on the interface. In this case, as in the previous example, we do not receive any details.

Most of the information displayed by the device is of no interest. However, the situation will change when something goes wrong with the package.

Situation number 1. Packet dropped ACL on input interface

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/0 DROP 8 (Ipv4Acl)

The packet was dropped (DROP) because the ACL (Ipv4Acl) worked.

Package processing tracing
 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 35 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 State : DROP 8 (Ipv4Acl) Timestamp Start : 6515970748260480 ns (02/18/2017 17:45:43.568889 UTC) Stop : 6515970748313558 ns (02/18/2017 17:45:43.568942 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 6560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5920 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 1440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d8375c - STILE_LEGACY_DROP_EXT Lapsed time : 3680 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b554 - INGRESS_MMA_LOOKUP_DROP_EXT Lapsed time : 63040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6e0f8 - INPUT_DROP_FNF_AOR_EXT Lapsed time : 8320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc44 - INPUT_FNF_DROP_EXT Lapsed time : 324800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6e6c8 - INPUT_DROP_FNF_AOR_RELEASE_EXT Lapsed time : 8320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81128ebc - INPUT_DROP_EXT <================= Lapsed time : 1920 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL <================= Lapsed time : 794240 ns

INPUT_DROP_EXT and IPV4_INPUT_ACL report that the packet was dropped on the incoming interface. Traces turned out to be short, like package life.

Situation number 2. Packet dropped ACL on outbound interface

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.5 DROP 8 (Ipv4Acl)

Again, the packet was not transmitted (DROP) due to the ACL (Ipv4Acl). Now, however, Gi0 / 0 / 1.5 appears as the outgoing interface.

Package processing tracing
 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 33 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 State : DROP 8 (Ipv4Acl) Timestamp Start : 6515547984424423 ns (02/18/2017 17:38:40.479689 UTC) Stop : 6515547984571057 ns (02/18/2017 17:38:40.479835 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 8320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 4320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 3520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 43360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1280 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 5 cft_bucket_number : 1591662 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 57521 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 5 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 222240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 67200 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 2240 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 5 cft_bucket_number : 1591662 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 57521 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 5 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 22080 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 136320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 5 cft_bucket_number : 1591662 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 57521 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 5 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 40160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR Lapsed time : 39520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 4320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1920 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 274240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 2400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 2880 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 1600 ns Feature: ZBFW Action : Fwd Zone-pair name : in-out1 Class-map name : CM-FW_in-out Input interface : GigabitEthernet0/0/0 Egress interface: GigabitEthernet0/0/1.5 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 989760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 2720 ns Feature: NAT Direction : IN to OUT Action : Translate Source Old Address : 192.168.20.8 00001 New Address : 87.87.87.87 00036 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA Lapsed time : 36800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 3200 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 1120 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Output triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 7 cft_bucket_number : 1591662 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 87.87.87.87 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 57521 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 7 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT Lapsed time : 141920 ns Feature: IPSec Result : IPSEC_RESULT_DENY Action : SEND_CLEAR SA Handle : 0 Peer Addr : 8.8.8.8 Local Addr: 87.87.87.87 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY Lapsed time : 46080 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81128eb8 - OUTPUT_DROP_EXT <================= Lapsed time : 3360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d4a144 - IPV4_OUTPUT_ACL <================= Lapsed time : 121760 ns

In the traces at the very end, we find information about the packet's fate: OUTPUT_DROP_EXT and IPV4_OUTPUT_ACL. The package almost broke out of the router, as evidenced by the passage of most of the processing stages.

Situation number 3. Package dropped by firewall

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.5 DROP 184 (FirewallPolicy)

Package dropped (DROP). The reason is firewall policies (FirewallPolicy).

Package processing tracing
 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 36 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 State : DROP 184 (FirewallPolicy) Timestamp Start : 6516783739710881 ns (02/18/2017 17:59:16.560339 UTC) Stop : 6516783739809427 ns (02/18/2017 17:59:16.560438 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 8800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 47360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1440 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 135 cft_bucket_number : 875224 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 56789 tuple.dst_port : 514 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 135 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 202560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 63360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 4640 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 135 cft_bucket_number : 875224 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 56789 tuple.dst_port : 514 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 135 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 20640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 127360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 2720 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 135 cft_bucket_number : 875224 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 56789 tuple.dst_port : 514 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 135 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 43840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR Lapsed time : 37120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 4800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1760 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 255680 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 2240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 4160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 1760 ns Feature: ZBFW <================= Action : Drop <================= Reason : ICMP policy drop:classify result <================= Zone-pair name : in-out1 <================= Class-map name : class-default <================= Input interface : GigabitEthernet0/0/0 <================= Egress interface: GigabitEthernet0/0/1.5 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81128eb8 - OUTPUT_DROP_EXT <================= Lapsed time : 640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT <================= Lapsed time : 639200 ns

OUTPUT_DROP_EXT IPV4_OUTPUT_INSPECT , , . ZFW:

 Feature: ZBFW Action : Drop Reason : ICMP policy drop:classify result Zone-pair name : in-out1 Class-map name : class-default Input interface : GigabitEthernet0/0/0 Egress interface: GigabitEthernet0/0/1.5

Reason , , ICMP. , , — class-default.

№4. PBR

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.6 FWD

(FWD). Gi0/0/1.6.

 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 36 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 State : FWD Timestamp Start : 6517659109765260 ns (02/18/2017 18:13:51.930393 UTC) Stop : 6517659109927732 ns (02/18/2017 18:13:51.930556 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 10400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 265600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 3680 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 69 cft_bucket_number : 2000178 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 57521 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 69 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 223360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 85440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 3040 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 69 cft_bucket_number : 2000178 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 57521 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 69 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 19680 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 153600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 69 cft_bucket_number : 2000178 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 57521 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 69 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 49600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR <================= Lapsed time : 69760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : GigabitEthernet0/0/1.6 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 7840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1600 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 280480 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 3840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 3840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 5440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS Lapsed time : 1280 ns Feature: ZBFW Action : Fwd Zone-pair name : in-out2 Class-map name : CM-FW_in-out Input interface : GigabitEthernet0/0/0 Egress interface: GigabitEthernet0/0/1.6 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 789120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 11200 ns Feature: NAT Direction : IN to OUT Action : Translate Source Old Address : 192.168.20.8 New Address : 62.62.62.62 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA Lapsed time : 38400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 4000 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 800 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Output triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 71 cft_bucket_number : 2000178 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 62.62.62.62 tuple.dst_ip : 8.8.8.8 tuple.src_port : 57521 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 71 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT Lapsed time : 140160 ns Feature: IPSec Result : IPSEC_RESULT_DENY Action : SEND_CLEAR SA Handle : 0 Peer Addr : 8.8.8.8 Local Addr: 62.62.62.62 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY Lapsed time : 66400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE Lapsed time : 3840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE Lapsed time : 13440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG Lapsed time : 2240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY Lapsed time : 18720 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL Lapsed time : 113440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT Lapsed time : 43680 ns

( ) PBR, . , , NAT'.

№5. VTI

172.28.0.1.

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.5 FWD

(FWD). Gi0/0/1.5.

 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 50 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 State : FWD Timestamp Start : 6665377802839987 ns (02/20/2017 11:15:48.257340 UTC) Stop : 6665377803172303 ns (02/20/2017 11:15:48.257673 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 172.28.0.1 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 5600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 4160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 3040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 19840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1280 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 186 cft_bucket_number : 407373 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 172.28.0.1 tuple.src_port : 6603 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 186 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 296480 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 43040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 186 cft_bucket_number : 407373 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 172.28.0.1 tuple.src_port : 6603 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 186 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 20160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 134400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 3840 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 186 cft_bucket_number : 407373 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 172.28.0.1 tuple.src_port : 6603 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 186 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 45440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR Lapsed time : 14080 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : Tunnel1 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS <================= Lapsed time : 5920 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1600 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 245440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 1760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 4160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 3040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS Lapsed time : 1280 ns Feature: ZBFW <================= Action : Fwd <================= Zone-pair name : N/A <================= Class-map name : N/A <================= Input interface : GigabitEthernet0/0/0 <================= Egress interface: Tunnel1 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 30080 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE Lapsed time : 7360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG Lapsed time : 640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6e1b8 - IPV4_TUNNEL_OUTPUT_FNF_AOR Lapsed time : 3520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6d8e4 - IPV4_TUNNEL_OUTPUT_FNF_FINAL Lapsed time : 1440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6e640 - IPV4_TUNNEL_OUTPUT_FNF_AOR_RELEASE Lapsed time : 800 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86ce8 - IPV4_TUNNEL_OUTPUT_FINAL Lapsed time : 20640 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86d30 - IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT <================= Lapsed time : 7200 ns Feature: IPSec <================= Result : IPSEC_RESULT_SA <================= Action : ENCRYPT <================= SA Handle : 98 <================= Peer Addr : 188.188.188.188 <================= Local Addr: 87.87.87.87 <================= Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY_EXT Lapsed time : 44480 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d7641c - IPV4_OUTPUT_IPSEC_DOUBLE_ACL_EXT Lapsed time : 11200 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT Lapsed time : 4960 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x8113ac50 - IPV4_OUTPUT_IPSEC_INLINE_FRAG_CHK_EXT Lapsed time : 7680 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d7635c - IPV4_OUTPUT_IPSEC_TUNNEL_RERUN_JUMP_EXT Lapsed time : 4480 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d764ac - IPV4_OUTPUT_IPSEC_POST_PROCESS_EXT Lapsed time : 12160 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT Lapsed time : 1600 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT Lapsed time : 1440 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86cec - IPV4_TUNNEL_GOTO_OUTPUT Lapsed time : 11680 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86d98 - IPV4_TUNNEL_FW_CHECK_EXT Lapsed time : 15040 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x81131e60 - IPV4_INPUT_DST_LOOKUP_ISSUE_EXT Lapsed time : 8480 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x81131eb8 - IPV4_INPUT_ARL_EXT Lapsed time : 5760 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x81131e6c - IPV4_INTERNAL_DST_LOOKUP_CONSUME_EXT Lapsed time : 2880 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86dc8 - IPV4_TUNNEL_ENCAP_FOR_US_EXT Lapsed time : 5600 ns Feature: FIA_TRACE Input : Tunnel1 <================= Output : GigabitEthernet0/0/1.5 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <================= Lapsed time : 4000 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131f20 - IPV4_TUNNEL_ENCAP_GOTO_OUTPUT_FEATURE_EXT Lapsed time : 11520 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 1440 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 5120 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 2240 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA Lapsed time : 6400 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 1440 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 800 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Output triplet.vrf_idx : 0 triplet.network_start : 0x01004104 triplet.triplet_flags : 0x00000000 triplet.counter : 186 cft_bucket_number : 407373 cft_l3_payload_size : 100 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 87.87.87.87 tuple.dst_ip : 188.188.188.188 tuple.src_port : 6603 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : 50 tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 186 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ipsec Classification ID: [CANA-L7:9] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT Lapsed time : 138080 ns Feature: IPSec <================= Result : IPSEC_RESULT_DENY <================= Action : SEND_CLEAR <================= SA Handle : 0 Peer Addr : 188.188.188.188 <================= Local Addr: 87.87.87.87 <================= Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY Lapsed time : 27840 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE Lapsed time : 2880 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE Lapsed time : 7520 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG Lapsed time : 16800 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x8111ea94 - L2_REWRITE_AFTER_FRAG_WITHOUT_CLIP_EXT Lapsed time : 11520 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY Lapsed time : 12000 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL Lapsed time : 108320 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT Lapsed time : 49120 ns

, . :

 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 5920 ns

. , ( zone-pair):

 Feature: ZBFW Action : Fwd Zone-pair name : N/A Class-map name : N/A Input interface : GigabitEthernet0/0/0 Egress interface: Tunnel1

, .

 IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT Feature: IPSec Result : IPSEC_RESULT_SA Action : ENCRYPT SA Handle : 98 Peer Addr : 188.188.188.188 Local Addr: 87.87.87.87

, .

  Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT Lapsed time : 4000 ns

, IPSec ( crypto-map). , IPSec .

 Feature: IPSec Result : IPSEC_RESULT_DENY Action : SEND_CLEAR SA Handle : 0 Peer Addr : 188.188.188.188 Local Addr: 87.87.87.87

№6. next-hop ( )

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 internal0/0/rp:0 PUNT 10 (Incomplete adjacency)

PUNT , CEF' (process switching). – adjacency next-hop (Incomplete adjacency). , .

 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 55 Summary Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 State : PUNT 10 (Incomplete adjacency) Timestamp Start : 6668916530895154 ns (02/20/2017 12:14:46.985396 UTC) Stop : 6668916530979351 ns (02/20/2017 12:14:46.985480 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 9760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5920 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 3200 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 15040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1440 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 74 cft_bucket_number : 769995 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 55391 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 74 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 252800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 48960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 4000 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 74 cft_bucket_number : 769995 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 55391 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 74 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 20640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 127520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 74 cft_bucket_number : 769995 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.7 tuple.src_port : 443 tuple.dst_port : 55391 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 74 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 39360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR Lapsed time : 43680 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : GigabitEthernet0/0/1 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS <================= Lapsed time : 135360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : internal0/0/rp:0 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <================= Lapsed time : 30240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL_EXT Lapsed time : 8640 ns Feature: OCE_TRACE Type : OCE_ADJ_PUNT Feature: OCE_TRACE Type : OCE_ADJ_PUNT Feature: OCE_TRACE Type : OCE_ADJ_PUNT Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL_EXT Lapsed time : 277600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE_EXT Lapsed time : 6720 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS_EXT Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE_EXT Lapsed time : 11200 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x81131ef4 - IPV4_INTERNAL_ARL_SANITY_EXT Lapsed time : 10560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT_EXT Lapsed time : 12160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE_EXT Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x81131e9c - IPV4_VFR_REFRAG_EXT Lapsed time : 2240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY_EXT Lapsed time : 24320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : internal0/0/rp:0 <================= Entry : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT <================= Lapsed time : 137440 ns

:

 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 135360 ns

CEF , (internal0/0/rp:0):

 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT Lapsed time : 30240 ns

, (INTERNAL_TRANSMIT):

 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT Lapsed time : 137440 ns

Packet Trace QFP. , , . debug ip packet. .

Conclusion

, IOS XE Packet Trace , . , , , show debug.

– (packet capture). IOS XE IOS.

Packet capture
:
 monitor capture CAP access-list 199 monitor capture CAP interface GigabitEthernet0/0/0 in monitor capture CAP start
, , :
 monitor capture CAP stop monitor capture CAP export tftp://10.0.0.1/CAP.pcap no monitor capture CAP

Source: https://habr.com/ru/post/323080/

More articles:


All Articles