https://live.paloaltonetworks.com/t5/general-topics/some-vpn-packet-is-being-dropped-and-particular-counter/m-p/2349#M1738 <HTML><HEAD></HEAD><BODY><P>Hello guys,</P><P></P><P>I have a issue about the IPsecVPN tunnel.&nbsp; One side of IPsecVPN tunnel is slow for receiving traffic but opposite side is OK to receiving traffic.</P><P></P><P>flow_tunnel_activate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 info&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel&nbsp;&nbsp;&nbsp; Number of packets that triggerred tunnel activation</P><P>flow_tunnel_decap_err&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 47373&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel&nbsp;&nbsp;&nbsp; Packet dropped: tunnel decapsulation error</P><P>flow_tunnel_ipsec_replay_err&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 47372&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel&nbsp;&nbsp;&nbsp; Packet dropped: header sequence number is a replay</P><P>flow_tunnel_ipsec_wrong_spi&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel&nbsp;&nbsp;&nbsp; Packet dropped: IPsec SA for spi in packet not found</P><P></P><P>As you above that flow_tunnel_decap_err and flow_tunnel_ipsec_replay_err counter are being increased and I believe that dropped packet caused above counter that makes slow to tunneled traffic.</P><P></P><P>I also disabled the option the replay protection on IPsecVPN configuration as below. But flow_tunnel_ipsec_replay_err counter is being increased for now even if anti-replay option disabled.</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;tunnel-monitor&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;enable&gt;no&lt;/enable&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/tunnel-monitor&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <STRONG>&lt;anti-replay&gt;no&lt;/anti-replay&gt;</STRONG></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;copy-tos&gt;no&lt;/copy-tos&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;tunnel-interface&gt;tunnel.1&lt;/tunnel-interface&gt;</P><P></P><P>I cannot understand why above counter increasing and tunneled packet are being dropped. I read that similar case <A href="https://live.paloaltonetworks.com/docs/DOC-6679">IPSec Tunnel is up but Packet is Getting Dropped with Wrong SPI Counter Increase</A> but I cannot solve the my case.</P><P></P><P>Anybody knows about this issue? if yes, Please let me know and help.</P><P></P><P>Thanks.</P><P>Regards,</P><P>Roh</P></BODY></HTML> Sun, 13 Jul 2014 08:53:36 GMT Retired Member 2014-07-13T08:53:36Z https://live.paloaltonetworks.com/t5/general-topics/some-vpn-packet-is-being-dropped-and-particular-counter/m-p/2349#M1738 <HTML><HEAD></HEAD><BODY><P>Hello guys,</P><P></P><P>I have a issue about the IPsecVPN tunnel.&nbsp; One side of IPsecVPN tunnel is slow for receiving traffic but opposite side is OK to receiving traffic.</P><P></P><P>flow_tunnel_activate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 info&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel&nbsp;&nbsp;&nbsp; Number of packets that triggerred tunnel activation</P><P>flow_tunnel_decap_err&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 47373&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel&nbsp;&nbsp;&nbsp; Packet dropped: tunnel decapsulation error</P><P>flow_tunnel_ipsec_replay_err&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 47372&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel&nbsp;&nbsp;&nbsp; Packet dropped: header sequence number is a replay</P><P>flow_tunnel_ipsec_wrong_spi&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tunnel&nbsp;&nbsp;&nbsp; Packet dropped: IPsec SA for spi in packet not found</P><P></P><P>As you above that flow_tunnel_decap_err and flow_tunnel_ipsec_replay_err counter are being increased and I believe that dropped packet caused above counter that makes slow to tunneled traffic.</P><P></P><P>I also disabled the option the replay protection on IPsecVPN configuration as below. But flow_tunnel_ipsec_replay_err counter is being increased for now even if anti-replay option disabled.</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;tunnel-monitor&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;enable&gt;no&lt;/enable&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/tunnel-monitor&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <STRONG>&lt;anti-replay&gt;no&lt;/anti-replay&gt;</STRONG></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;copy-tos&gt;no&lt;/copy-tos&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;tunnel-interface&gt;tunnel.1&lt;/tunnel-interface&gt;</P><P></P><P>I cannot understand why above counter increasing and tunneled packet are being dropped. I read that similar case <A href="https://live.paloaltonetworks.com/docs/DOC-6679">IPSec Tunnel is up but Packet is Getting Dropped with Wrong SPI Counter Increase</A> but I cannot solve the my case.</P><P></P><P>Anybody knows about this issue? if yes, Please let me know and help.</P><P></P><P>Thanks.</P><P>Regards,</P><P>Roh</P></BODY></HTML> Sun, 13 Jul 2014 08:53:36 GMT https://live.paloaltonetworks.com/t5/general-topics/some-vpn-packet-is-being-dropped-and-particular-counter/m-p/2349#M1738 Retired Member 2014-07-13T08:53:36Z https://live.paloaltonetworks.com/t5/general-topics/some-vpn-packet-is-being-dropped-and-particular-counter/m-p/2350#M1739 <HTML><HEAD></HEAD><BODY><P>Rather than just checking the config for the anti-replay status, can you check the live tunnel itself with the command,</P><P></P><PRE>show vpn flow name &lt;tunnel name&gt;</PRE><P></P><P>There is an "anti-replay check" field in the output of this command...</P></BODY></HTML> Sun, 13 Jul 2014 10:48:46 GMT https://live.paloaltonetworks.com/t5/general-topics/some-vpn-packet-is-being-dropped-and-particular-counter/m-p/2350#M1739 ajbool 2014-07-13T10:48:46Z https://live.paloaltonetworks.com/t5/general-topics/some-vpn-packet-is-being-dropped-and-particular-counter/m-p/2351#M1740 <HTML><HEAD></HEAD><BODY><P>Could you run through the phase 2 troubleshooting command outlined in the following document.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3671">How to Troubleshoot VPN Connectivity Issues</A></P></BODY></HTML> Sun, 13 Jul 2014 14:02:21 GMT https://live.paloaltonetworks.com/t5/general-topics/some-vpn-packet-is-being-dropped-and-particular-counter/m-p/2351#M1740 pulukas 2014-07-13T14:02:21Z