topic Re: flow_tcp_non_syn_drop - packet capture on this counter? in General Topics

flow_tcp_non_syn_drop - packet capture on this counter?

H.Tendrup — Fri, 10 Oct 2025 17:54:06 GMT

Hello,

I know this topic has been covered in a fair number of posts. Since I haven't read of anyone discussing this, I'm skeptical that it's an option. ....but I'm still going to post about it and ask directly.

I have my non_syn tcp counter incrementing pretty much all of the time. I'd like to know if there is a way to setup a packet capture filter based on traffic that matches this counter. I don't have specific flows that are reportedly not working, so I'm kind of shooting in the dark. Are there legitimate reasons for this counter to increment that I'm not thinking of?

user@fw(active)> show counter global filter severity drop delta yes | match syn\|name\|---\|samp
Elapsed time since last sampling: 5.336 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_tcp_non_syn_drop 342 62 drop flow session Packets dropped: non-SYN TCP without session match
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

Re: flow_tcp_non_syn_drop - packet capture on this counter?

reaper — Mon, 13 Oct 2025 09:38:56 GMT

you can set packet-diag to track this counter

> debug dataplane packet-diag set log counter flow_tcp_non_syn_drop

you'll need to enable logging, keep track of your dataplane resources to make sure you're not overloading your system, and then once a few seconds have passed (assuming the rate in your pasted output is 62 all the time) disable logging again, aggregate your captures and then check the aggregated file

reaper@PA-440> debug dataplane packet-diag set log counter flow_tcp_non_syn_drop reaper@PA-440> debug dataplane packet-diag clear log log reaper@PA-440> debug dataplane packet-diag set log on Packet log is enabled. WARNING: Enabling of debug commands could result in network outage. Not recommended if dataplane CPU is above 60%. reaper@PA-440> reaper@PA-440> reaper@PA-440> reaper@PA-440> show counter global filter delta yes | match flow_tcp_non_syn_drop flow_tcp_non_syn_drop 52 2 drop flow session Packets dropped: non-SYN TCP without session match reaper@PA-440> reaper@PA-440> debug dataplane packet-diag set log off Packet log is disabled reaper@PA-440> debug dataplane packet-diag aggregate-logs pan_packet_diag.log is aggregated reaper@PA-440> less mp-log pan_packet_diag.log

Re: flow_tcp_non_syn_drop - packet capture on this counter?

H.Tendrup — Mon, 13 Oct 2025 17:40:16 GMT

Excellent! thank you so much. In my case the files were located in the sXdpY-log folders, i.e.
less s2dp0-log pan_packet_diag.log

This will give me a whole lot more to sift through as I try to determine if I have asymmetric routing through my FWs or if there's something else going on. THanks again!