https://live.paloaltonetworks.com/t5/general-topics/panos-4-0-8-how-to-determine-cause-of-drop/m-p/20553#M15011 <HTML><HEAD></HEAD><BODY><P>Very basic configuration, an any any rule and a PAT rule for nat... trust and untrust zones and a default route and an internal summary route... what is happening is that from a traffic log perspective its being ALLOWED, from a NAT perspective I can see the session built with two flows for each direction successfully and they go ACTIVE. However, the return traffic never comes back.</P><P></P><P>What I found when trying to dump pcaps on the box is that the traffic post-nat shows up in the DROP stage. However nothing in the default logs shows any drops at all caused from a policy perspective (again policy is very boilerplate)</P><P></P><P>Any way I can get more information on what is causing it to end up in DROP? additional dataplane debugs or something?</P><P><BR />Thanks,</P><P></P><P>- Josh</P></BODY></HTML> Thu, 29 Dec 2011 22:37:18 GMT joshstout 2011-12-29T22:37:18Z https://live.paloaltonetworks.com/t5/general-topics/panos-4-0-8-how-to-determine-cause-of-drop/m-p/20553#M15011 <HTML><HEAD></HEAD><BODY><P>Very basic configuration, an any any rule and a PAT rule for nat... trust and untrust zones and a default route and an internal summary route... what is happening is that from a traffic log perspective its being ALLOWED, from a NAT perspective I can see the session built with two flows for each direction successfully and they go ACTIVE. However, the return traffic never comes back.</P><P></P><P>What I found when trying to dump pcaps on the box is that the traffic post-nat shows up in the DROP stage. However nothing in the default logs shows any drops at all caused from a policy perspective (again policy is very boilerplate)</P><P></P><P>Any way I can get more information on what is causing it to end up in DROP? additional dataplane debugs or something?</P><P><BR />Thanks,</P><P></P><P>- Josh</P></BODY></HTML> Thu, 29 Dec 2011 22:37:18 GMT https://live.paloaltonetworks.com/t5/general-topics/panos-4-0-8-how-to-determine-cause-of-drop/m-p/20553#M15011 joshstout 2011-12-29T22:37:18Z https://live.paloaltonetworks.com/t5/general-topics/panos-4-0-8-how-to-determine-cause-of-drop/m-p/20554#M15012 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>Drop counters are your friend:</P><P></P><P><STRONG> Set a filter to control what traffic is counted</STRONG></P><P>debug dataplane packet-diag set filter match &lt;criteria&gt;</P><P>debug dataplane packet-diag set filter on </P><P></P><P><STRONG>Show the drop counters (absolute or relative to last time command was run) </STRONG></P><P>show counter global packet-filter yes | match drop</P><P>show counter global filter severity drop packet-filter yes delta yes</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Thu, 29 Dec 2011 23:07:36 GMT https://live.paloaltonetworks.com/t5/general-topics/panos-4-0-8-how-to-determine-cause-of-drop/m-p/20554#M15012 kbrazil 2011-12-29T23:07:36Z