Interpreting the output of fwaccel conns table
I'm struggling to find documentation on interpreting the output of the fwaccel conns table. Src and dst IP addresses and ports are obviously self-explanatory but the rest are not as clear.
Is there any documentation I could be directed to?
Thanks in advance.
That depends:
>=R80.20 sk153832: ATRG: SecureXL for R80.20 and above
< R80.20 sk98722: ATRG: SecureXL
Hope you are well chap. Just stumbled across your post while looking for the same thing 🙂
Does this help:
[Expert@LAB-R80-FW1:0]# fwaccel conns ?
Usage: fwaccel conns <options>
Options:
-m <max entries> - max number of entries to print
-f <filter> - print only entries matching the filter
-s - print only number of connections
-h - this help message
Filter (one or more of the below flags):
F/f - forwarded to firewall/cut-through
U/u - unidirectional/bidirectional
N/n - entries with/without NAT
A/a - accounted/not accounted
C/c - encrypted/not encrypted
S/s - pxl enabled/disabled
Q/q - qos enabled/disabled
H/h - offloaded to SAM hardware/created in SAM hardware
L/l - link/not link
[Expert@LAB-R80-FW1:0]#
Hello Checkmates
I am also curious about these values and codes. Furthermore, I would like to bring all my traffic to the Accelerated Path, not just PXL.
I have seen this:
10.1.14.39 50038 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.22.20 50076 6 ...AC..S...... 1/8 8/1 0 0
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.100.100 55559 10.1.24.1 62061 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.3.65 49161 6 ...AC..S...... 1/8 8/1 1 0
10.1.14.63 50266 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.22.23 50067 6 ...AC..S...... 1/8 8/1 1 0
What does ......P....... stand for?
What are the numbers at the end?
I have excluded TCP port 55559 from any IPS inspection in the hope of having it on the Accelerated Path, but it is still all at PXL.
Honestly, I don't know what kind of traffic is inside TCP/55559; it must be some kind of database traffic.
Any idea what P is, and what would the Accelerated Path look like?
best regards
Thomas.
Hello,
Update to my question:
......P....... will most likely stand for a dropped/failed connection.
[Expert@SDAZFW01(active)]# fwaccel conns | grep 10.1.20.103
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.20.103 50082 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.20.103 50082 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.20.103 50077 6 ......P....... -/- -/- 2 0
Just saw it in the logs.
So my question is: is ...AC..S...... just PXL, or the Accelerated Path?
P indicates the connection is "partial", which means it exists in the Firewall Worker connections state table but not in the SecureXL connections table. This can happen if a connection already existed when a state change occurred in SecureXL (disabled then enabled, or if other SecureXL features like NAT Templates or Drop Templates had their configuration changed). This is normal and just keeps SecureXL from accidentally dropping those packets, to ensure they reach a Firewall Worker for correct handling; obviously that traffic will not be fully accelerated by SecureXL.
Fully accelerated traffic will normally have no flags set, but A (Accounting), N (NAT), and C (encrypted) may appear depending on the connection attributes and it will still be fully accelerated. Generally speaking the presence of any flags other than these three indicates the connection is not fully accelerated and being handled on a Firewall Worker in the PXL/F2F/QXL paths. So your "...AC..S......" connections are Medium Path (PXL). I don't know what the numbers mean at the end of the line.
You said "I have excluded the TCP Port 55559 from any IPS inspection". If you used an IPS/TP exception to do this it will have no effect on acceleration status; an exception simply changes the decision rendered after inspection. You need to use what I call a "null profile" to make that traffic eligible to be fully accelerated: in your TP policy, create a rule matching the 55559 traffic and match it to a TP profile action that has IPS completely unchecked. Even if you do so, there may still be some other blade keeping the traffic from being fully accelerated depending on your configuration.
Dependent on the minor version of your gateway and Jumbo HFA level you may also be able to force the 55559 traffic to be fully accelerated with the "fast_accel" directive, but this option should be exercised with caution.
Hi Timothy,
Thank you for your explanation.
In the attached example, what does the F.N flag mean?
N for NAT, that's OK, but F for Firewall?
Yes, the "F" flag means Firewall/F2F path. You can run fwaccel conns -h to see all the possible flags, or see here: sk31404: How to Debug SecureXL.
I ran fwaccel conns -h but I didn't see the flags before I posted my question.
Despite this, thank you.
CUT>>>
...AC..S...... 1/8 8/1 0 0
<<<CUT
A = Shows accounted connections (for which SecureXL counted the number of packets and bytes).
C = Shows encrypted (VPN) connections.
S = Shows connections that undergo PXL.
1/8 = Client to Server interface index 1 in and 8 out
8/1 = Server to Client interface index 8 in and 1 out
0 = Instance
0 = Identity
Available filter flags are:
A - Shows accounted connections (for which SecureXL counted the number of packets and bytes).
a - Shows not accounted connections.
C - Shows encrypted (VPN) connections.
c - Shows clear-text (not encrypted) connections.
F - Shows connections that SecureXL forwarded to Firewall.
Note - In R80.30/R80.40, SecureXL does not support this parameter.
f - Shows cut-through connections (which SecureXL accelerated).
Note - In R80.30/R80.40, SecureXL does not support this parameter.
H - Shows connections offloaded to the SAM card.
Note - R80.30/R80.40, does not support the SAM card (Known Limitation PMTR-18774).
h - Shows connections created in the SAM card.
Note - R80.30/R80.40, does not support the SAM card (Known Limitation PMTR-18774).
L - Shows connections, for which SecureXL created internal links.
l - Shows connections, for which SecureXL did not create internal links.
N - Shows connections that undergo NAT.
Note - In R80.30/R80.40, SecureXL does not support this parameter.
n - Shows connections that do not undergo NAT.
Note - In R80.30/R80.40, SecureXL does not support this parameter.
Q - Shows connections that undergo QoS.
q - Shows connections that do not undergo QoS.
S - Shows connections that undergo PXL.
s - Shows connections that do not undergo PXL.
U - Shows unidirectional connections.
u - Shows bidirectional connections.
P - Shows partial
p - Shows not partial
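The flag legend above and Timothy's earlier explanation of which flags still allow full acceleration can be applied mechanically. The following is an added example (not code from this thread or from Check Point) that parses rows in the layout shown in the thread and classifies each connection's path; the row field order and the two constructed sample rows are assumptions.

```python
import re
# Meaning of each uppercase flag letter, from the filter legend quoted in this thread.
FLAG_MEANING = {
    "F": "forwarded to Firewall (F2F)", "U": "unidirectional", "N": "NAT",
    "A": "accounted", "C": "encrypted (VPN)", "S": "PXL", "Q": "QoS",
    "H": "SAM hardware", "L": "internal link", "P": "partial",
}
# Flags that may still appear on a fully accelerated connection (Timothy's reply).
ACCEL_OK = {"A", "N", "C"}
# Assumed row layout: src sport dst dport proto flags c2s_if s2c_if instance identity
ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+([A-Za-z.]+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$"
)

def parse_conns(text):
    """Return one dict per 'fwaccel conns' row; banner and interface-table lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            s, sp, d, dp, pr, fl, c2s, s2c, inst, ident = m.groups()
            conns.append({"src": s, "sport": int(sp), "dst": d, "dport": int(dp), "proto": int(pr),
                          "flags": frozenset(fl.replace(".", "")), "c2s_if": c2s, "s2c_if": s2c,
                          "instance": int(inst), "identity": int(ident)})
    return conns

def path(flags):
    """Classify the SecureXL path from the set flags, following the explanation in this thread."""
    if "P" in flags:
        return "partial"       # only in the Firewall Worker table, not in SecureXL
    if "F" in flags:
        return "F2F"           # forwarded to the Firewall (slow path)
    if "S" in flags:
        return "PXL"           # Medium Path
    return "accelerated" if flags <= ACCEL_OK else "not fully accelerated"

def describe(flags):
    return ", ".join(FLAG_MEANING.get(f, f) for f in sorted(flags)) or "no flags"

# Sample rows: the first two are copied from this thread, the last two are constructed.
SAMPLE = """\
10.1.14.39 50038 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
192.0.2.10 40000 198.51.100.5 443 6 .............. 1/2 2/1 0 0
192.0.2.11 40001 198.51.100.5 22 6 F..N.......... 1/2 2/1 1 0
"""
if __name__ == "__main__":
    for c in parse_conns(SAMPLE):
        print(f'{c["src"]}:{c["sport"]} -> {c["dst"]}:{c["dport"]}  {path(c["flags"]):<22} {describe(c["flags"])}')
```

Pipe real output into `parse_conns` (for example the text of `fwaccel conns`) to get the same classification per row.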
Hi @Thomas_Eichelbu,
to your question:
P - Shows partial
p - Shows not partial
One thing that is not explained in the documentation is that the C2S i/f and S2C i/f are the interfaces where the packet is received and then transmitted by the firewall, in the Client to Server and Server to Client directions. At the end of the list of connections another table appears, mapping the interfaces to the ids associated with each one. For example:
Idx Interface
0 lo
1 eth0
2 eth1