Palo Alto - dot1q tag Errors with Meraki switch

JouniF — Thu, 24 Mar 2022 09:32:50 GMT

Hi,

First post on the Palo Alto side for me. Used to post a lot on the Cisco Support Community forums 🙂

I thought I would ask around here if anyone had any ideas what might be causing this problem before I go ahead with some more troubleshooting myself.

I have a Palo Alto PA-220 firewall that is connected to a Cisco Meraki switch. The switch is used downstairs to connect some home equipment but also 4G and 5G devices. While adding a new 5G test device to its own access port on the Meraki I ran straight into connectivity problems. I eventually narrowed these problems down to a situation where a couple of global error counters go up while the connectivity problems is ongoing.

The error mentioned are the following

flow_rcv_dot1q_tag_err 19043 0 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 19043 0 drop flow parse Packets dropped: invalid interface

The configuration is very basic. 5G device has an access port with Vlan ID 5 and this is allowed on the Trunk port on the Meraki towards Palo Alto. Palo Alto has this tag used in its subinterface. The existing 4G device is connected in the very same way with its own access port using Vlan ID 4 and it has had no problems before I introduced the 5G. Currenlty though the 4G is stable.

What is also strange is that the 5G connection works when i clear ARP from the Palo Alto. I set the global ARP timeout to the minimum of 60 seconds which also corrects the problems when the ARP information times out. The above error counters go up while the connectivity to 5G is down and for some reason clearing ARP corrects the problem.

I should also mention that originally both 4G and 5G had subinterface as DHCP Clients on the Palo Alto. I used Policy Based Routing to select the connection for certain LAN networks. There was also a brief problem having 2x DHCP Client WAN interface as sometimes it seemed that the 4G dropped completely. The 4G connection seemed fine but the Palo Alto could not resolve the ARP of the 4G device anymore. Again, I have no idea what could cause this. It is almost as if there is some kind of packet classification problem on the Palo Alto firewall since I don't see any problem on the Meraki.

If I am not able to solve the problem I will probably either change the topology a bit or replace all the devices with some other lab devices I have.

Here is the System log messages related at least to the other counter above. I was manage to activate them through CLI with the help of one old post here on the community

What confuses me is that to me it seems that the log message mentions the correct Vlan tag 200. NOTICE, I changed the vlan ID 5 to Vlan ID 200 as one troubleshooting test. Its configured as the access port for 5G and added to the Trunk towards Palo Alto. Palo Alto also has the subinterface tag changed to 200. Same problems continues though.

PS. Does anyone know what the port 18 and interface 0 means in the description? They do not match anything on the device. The device has 8 ports and to my understanding no port is designated as 0 either. (Not to mention port 18)

Re: Palo Alto - dot1q tag Errors with Meraki switch

reaper — Mon, 28 Mar 2022 09:33:34 GMT

the logs mention tag 200 while you mention the 5G device is on an access port on VLAN ID 5, is it possible you have a loop/bridge in your network somewhere that causes the MAC address to be learned on a different VLAN ID (ie. a link between VLAN 5 and 200 so the palo sees the mac on vlan200)

topic Re: Palo Alto - dot1q tag Errors with Meraki switch in General Topics

Palo Alto - dot1q tag Errors with Meraki switch

Re: Palo Alto - dot1q tag Errors with Meraki switch