No transmit/drop in capture

raji_toor — Wed, 28 Jul 2021 22:41:40 GMT

What are the reasons we don't see transmit or drop in capture and traffic log shows traffic is allowed to/from correct zones, and tcp as age-out in logs. Packets only show in receive/firewall stage. Alos checking flow basic, I do not see the packet at forwarding stage, although another firewall with same routes/policies and just different IP's works fine.

----------------------------------------------------------------

== 2021-07-28 15:31:42.692 -0700 ==
Packet received at ingress stage, tag 0, type ORDERED
Packet info: len 62 port 16 interface 16 vsys 1
wqe index 22530 packet 0x0xc00f5bb440, HA: 0, IC: 0
Packet decoded dump:
L2: c0:d6:82:94:8a:81->00:0d:3a:e9:20:40, type 0x0800
IP: 172.23.5.4->172.23.4.6, protocol 6
version 4, ihl 5, tos 0x00, len 48,
id 7359, frag_off 0x4000, ttl 128, checksum 53372(0x7cd0)
TCP: sport 29701, dport 91, seq 2582910416, ack 0,
reserved 0, offset 7, window 8192, checksum 56811,
flags 0x02 ( SYN), urgent data 0, l4 data len 0
TCP option:
00000000: 02 04 05 8a 01 01 04 02 ........
Flow lookup, key word0 0x60001005b7405 word1 0 word2 0x40517acffff0000 word3 0x0 word4 0x60417acffff0000
* Dos Profile NULL (NO) Index (0/0) *
Session setup: vsys 1
No active flow found, enqueue to create session

== 2021-07-28 15:31:42.692 -0700 ==
Packet received at slowpath stage, tag 1409011658, type ATOMIC
Packet info: len 62 port 16 interface 16 vsys 1
wqe index 22530 packet 0x0xc00f5bb440, HA: 0, IC: 0
Packet decoded dump:
L2: c0:d6:82:94:8a:81->00:0d:3a:e9:20:40, type 0x0800
IP: 172.23.5.4->172.23.4.6, protocol 6
version 4, ihl 5, tos 0x00, len 48,
id 7359, frag_off 0x4000, ttl 128, checksum 53372(0x7cd0)
TCP: sport 29701, dport 91, seq 2582910416, ack 0,
reserved 0, offset 7, window 8192, checksum 56811,
flags 0x02 ( SYN), urgent data 0, l4 data len 0
TCP option:
00000000: 02 04 05 8a 01 01 04 02 ........
Session setup: vsys 1
Session setup: ingress interface ethernet1/1 egress interface ethernet1/1 (zone 1)
NAT policy lookup, matched rule index 4
Destination NAT, translated IP 172.22.20.5
PBF lookup (vsys 1) with application none
Session setup: egress zone 2 for natted IP
Translated IP in zone 2, egress id 17
Policy lookup, matched rule index 3,
TCI_INSPECT: Do TCI lookup policy - appid 0
Allocated new session 8181.
set exclude_video in session 8181 0xe1438d3f80 0 from work 0xe056915800 0
Rule: index=4 name=APPGTW-TEST-SITES-443, cfg_pool_idx=3 cfg_fallback_pool_idx=0
NAT Rule: name=APPGTW-TEST-SITES-443, cfg_pool_idx=3; Session: index=8181, nat_pool_idx=3
Packet matched vsys 1 NAT rule 'APPGTW-TEST-SITES-443' (index 5),
source translation 172.23.5.4/29701 => 172.23.68.6/59704
destination translation 172.23.4.6/91 => 172.22.20.5/443
Created session, enqueue to install. work 0xe056915800 exclude_video 0,session 8181 0xe1438d3f80 exclude_video 0

* Dos Profile NULL (NO) Index (0/0) *

== 2021-07-28 15:31:42.693 -0700 ==
Packet received at fastpath stage, tag 8181, type ATOMIC
Packet info: len 62 port 16 interface 16 vsys 1
wqe index 22530 packet 0x0xc00f5bb440, HA: 0, IC: 0
Packet decoded dump:
L2: c0:d6:82:94:8a:81->00:0d:3a:e9:20:40, type 0x0800
IP: 172.23.5.4->172.23.4.6, protocol 6
version 4, ihl 5, tos 0x00, len 48,
id 7359, frag_off 0x4000, ttl 128, checksum 53372(0x7cd0)
TCP: sport 29701, dport 91, seq 2582910416, ack 0,
reserved 0, offset 7, window 8192, checksum 56811,
flags 0x02 ( SYN), urgent data 0, l4 data len 0
TCP option:
00000000: 02 04 05 8a 01 01 04 02 ........
Flow fastpath, session 8181 c2s (set work 0xe056915800 exclude_video 0 from sp 0xe1438d3f80 exclude_video 0)
IP checksum valid
* Dos Profile NULL (NO) Index (0/0) *
* Dos Profile NULL (NO) Index (0/0) *
2021-07-28 15:31:42.693 -0700 pan_flow_process_fastpath(src/pan_flow_proc.c:4022): SESSION-DSCP: set session DSCP: 0x00
NAT session, run address/port translation
Syn Cookie: pan_reass(Init statete): c2s:0 c2s:nxtseq 2582910417 c2s:startseq 2582910417 c2s:win 0 c2s:st 3 c2s:newsyn 0 :: s2c:nxtseq 0 s2c:startseq 0 s2c:win 8192 s2c:st 0 s2c:newsyn 0 ack 0 nosyn 0 plen 0
CP-DENY TCP non data packet getting through
Forwarding lookup, ingress interface 16
L3 mode, virtual-router 2
Route lookup in virtual-router 2, IP 172.22.20.5
Route found, interface ethernet1/2, zone 2, nexthop 172.23.68.1
Resolve ARP for IP 172.23.68.1 on interface ethernet1/2
ARP entry found on interface 17
Transmit packet size 48 on port 17

Re: No transmit/drop in capture

reaper — Thu, 29 Jul 2021 10:50:27 GMT

it's sending packets out: Transmit packet size 48 on port 17

try adjusting your filter like this:

1. ip1 to ip2

2. ip3 to ip4

3. ip4 to ip3

4. ip2 to ip1

Re: No transmit/drop in capture

raji_toor — Fri, 30 Jul 2021 06:59:34 GMT

@reaper I found the issue with custom routes in Azure, traffic was sent by internal interface of PA1 but received by PA2. After the fix I was able to see normal traffic. Would this be the reason of not seeing the forwarding stage. Its bit hard to troubleshoot such issues in cloud.

Re: No transmit/drop in capture

lealr1 — Thu, 26 May 2022 20:11:11 GMT

Hi Raji,

Can you explain what was the cause of this issue, we are experiencing the same

Re: No transmit/drop in capture

raji_toor — Fri, 10 Jun 2022 21:09:16 GMT

@lealr1 For us it was the issue with id-manager and had to reset it

debug device-server reset id-manager type all

topic Re: No transmit/drop in capture in General Topics

No transmit/drop in capture

Re: No transmit/drop in capture

Re: No transmit/drop in capture

Re: No transmit/drop in capture

Re: No transmit/drop in capture