https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22723#M16612 <HTML><HEAD></HEAD><BODY><P>We suggest confirming the routing on the remote side of the vpn, however this does not explain why this is failing intermittently.</P><P>This may require further investigation, you may need to open a case with support. </P></BODY></HTML> Wed, 23 Mar 2011 01:38:13 GMT gsamuels 2011-03-23T01:38:13Z https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22722#M16611 <HTML><HEAD></HEAD><BODY><P>Hi everybody,</P><P></P><P>Device: PA-500</P><P>Software: 3.1.7</P><P></P><P>we have a problem with our vpn tunnels. The tunnels are up and running,</P><P>but when I try to connect or ping a system over the tunnel we are getting timeouts.</P><P></P><P>To figure out what happens, I did a packet flow all and a packet capture and here I get </P><P>an entry which I can not explain.</P><P></P><P>"L2 broadcast cannot be forwarded in L3 mode"</P><P></P><P>I'm getting this entry after ther route lookup for the vpn peer gateway.</P><P></P><P>== Mar 22 09:08:47 ==<BR />Packet received at forwarding stage<BR />Packet info: len 1042 port 16 interface 16<BR />&nbsp; wqe index 229211 packet 0x0x8000000416ff00ce<BR />Packet decoded dump:<BR />L2:&nbsp;&nbsp;&nbsp;&nbsp; 00:24:73:79:43:81-&gt;00:1b:17:13:2e:10, type 0x0800<BR />IP:&nbsp;&nbsp;&nbsp;&nbsp; 10.x.x.x-&gt;192.168.x.x, protocol 1<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; version 4, ihl 5, tos 0x00, len 1028,<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; id 61358, frag_off 0x0000, ttl 127, checksum 32071<BR />ICMP:&nbsp;&nbsp; type 8, code 0, checksum 64558, id 512, seq 21553<BR />Forwarding lookup, ingress interface 16<BR />L3 mode, virtual-router 2<BR />Route lookup in virtual-router 2, IP 192.168.x.x<BR />Route found, interface tunnel.21, zone 6<BR />Packet enters tunnel encap stage, tunnel interface tunnel.21<BR />Resolved tunnel 3<BR />Forwarding lookup, ingress interface 23<BR />L3 mode, virtual-router 2<BR />Route lookup in virtual-router 2, IP x.x.x.x (external)<BR />L2 broadcast cannot be forwarded in L3 mode</P><P>For example the next packet is working fine:</P><P></P><P>== Mar 22 09:08:52 ==<BR />Packet received at forwarding stage<BR />Packet info: len 1042 port 16 interface 16<BR />&nbsp; wqe index 229109 packet 0x0x8000000416fdf0ce<BR />Packet decoded dump:<BR />L2:&nbsp;&nbsp;&nbsp;&nbsp; 00:24:73:79:43:81-&gt;00:1b:17:13:2e:10, type 0x0800<BR />IP:&nbsp;&nbsp;&nbsp;&nbsp; 10.x.x.x-&gt;192.168.x.x, protocol 1<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; version 4, ihl 5, tos 0x00, len 1028,<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; id 61429, frag_off 0x0000, ttl 127, checksum 32000<BR />ICMP:&nbsp;&nbsp; type 8, code 0, checksum 64302, id 512, seq 21809<BR />Forwarding lookup, ingress interface 16<BR />L3 mode, virtual-router 2<BR />Route lookup in virtual-router 2, IP 192.168.x.x</P><P>Route found, interface tunnel.21, zone 6<BR />Packet enters tunnel encap stage, tunnel interface tunnel.21<BR />Resolved tunnel 3<BR />Forwarding lookup, ingress interface 23<BR />L3 mode, virtual-router 2<BR />Route lookup in virtual-router 2, IP x.x.x.x</P><P>Route found, interface ethernet1/8, zone 4, nexthop y.y.y.y</P><P>Resolve ARP for IP y.y.y.y on interface ethernet1/8<BR />ARP entry found on interface 23</P><P>After this, the packet is dropped, but sometimes its working and the route lookup works fine!</P><P></P><P>Has somebody a hint for me!</P><P></P><P>Regards</P><P>Christian</P></BODY></HTML> Tue, 22 Mar 2011 08:49:42 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22722#M16611 indevis 2011-03-22T08:49:42Z https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22723#M16612 <HTML><HEAD></HEAD><BODY><P>We suggest confirming the routing on the remote side of the vpn, however this does not explain why this is failing intermittently.</P><P>This may require further investigation, you may need to open a case with support. </P></BODY></HTML> Wed, 23 Mar 2011 01:38:13 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22723#M16612 gsamuels 2011-03-23T01:38:13Z https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22724#M16613 <HTML><HEAD></HEAD><BODY><P>Thanks for you answer.</P><P></P><P>But the problem is, that we had changed the hardware one week ago.</P><P>Because we had some issues in the logs, that the memory is corrupted.</P><P>We made a RMA, a now the new machine is running.</P><P></P><P>The config and the software release is the same as before.</P><P></P><P>And, what should I say, before we changed it it was working with no timeouts or connection lose.</P><P>The other side of the VPN were not changed in any way.</P><P></P><P>Now we have updated to 3.1.8 but with no success, this weired behavior is still happening.</P><P></P><P>I think there is no other chance to open a case.</P></BODY></HTML> Wed, 23 Mar 2011 09:06:05 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22724#M16613 indevis 2011-03-23T09:06:05Z https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22725#M16614 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm seeing the exact same thing on one of our PA-500s running 3.1.9</P><P></P><P>"L2 broadcast cannot be forwarded in L3 mode"</P><P></P><P>I cannot figure out why it is saying this, as the ICMP type 8 packet entering the firewall interface is routed through 2 routers before it hits the firewall, hence it cannot be a L2 packet.</P><P></P><P>Is there a hotfix or workaround for this issue?</P><P></P><P></P><P>Regards,</P><P></P><P>Hans</P></BODY></HTML> Tue, 28 Jun 2011 13:32:19 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22725#M16614 hmklette 2011-06-28T13:32:19Z https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22726#M16615 <HTML><HEAD></HEAD><BODY><P>Hi Hans,</P><P></P><P>in our scenario this happens in conjunction with VPN Tunnels.</P><P>And it seems that in some scenarios with the releases 3.1.7+8+9</P><P>can be some problems.</P><P>For sure, this is not happening in all implementations.</P><P></P><P>But when it happens, you can make a downgrade to 3.1.6</P><P>to solve this problem.</P><P></P><P>In our scenario the downgrade to 3.1.6 works fine.</P><P></P><P>Regards</P><P>Christian</P></BODY></HTML> Wed, 29 Jun 2011 10:42:04 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22726#M16615 indevis 2011-06-29T10:42:04Z https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22727#M16616 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for the reply,</P><P></P><P>Yes it happens in VPN tunnels from one particular box and towards 5 other ones also running 3.1.9.</P><P>The other 5 PA500 boxes also have VPNs between them, but we see no packetloss on those VPNs.</P><P></P><P>So I guess the quickfix to this, is to downgrade to 3.1.6, as I don't want to go for 4.0.2.</P><P></P><P>Regards,</P><P></P><P>Hans</P></BODY></HTML> Wed, 29 Jun 2011 10:51:09 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22727#M16616 hmklette 2011-06-29T10:51:09Z https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22728#M16617 <HTML><HEAD></HEAD><BODY><P>This issue is resolved in 4.0.3 and affect release 3.1.7, 3.18 and 3.1.9.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 29 Jun 2011 19:00:09 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-flow-question/m-p/22728#M16617 mrajdev 2011-06-29T19:00:09Z