https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24617#M17927 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Please look on:</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-3938">https://live.paloaltonetworks.com/docs/DOC-3938</A></P><P></P><P>Does it make sense for your archie ?</P><P></P><P>Hope help.</P><P></P><P>V.</P></BODY></HTML> Mon, 28 Oct 2013 11:23:39 GMT VinceM 2013-10-28T11:23:39Z https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24616#M17926 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am having some issues with odd packet drops, and "show counter global filter severity drop" shows a lot of packets being dropped due to "Packets dropped: 802.1q tag not configured/Packets dropped: invalid interface" (same amount of packets dropped on both, so I assume these are related).</P><P>Are there any way of getting a log of what has been happening for flow_rcv_dot1q_tag_err and flow_no_interface?</P><P></P><P>Just knowing that the firewall is dropping packets doesn't help a lot when I'm unable to get any further information about the traffic.</P></BODY></HTML> Mon, 28 Oct 2013 09:01:37 GMT https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24616#M17926 arvesynd 2013-10-28T09:01:37Z https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24617#M17927 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Please look on:</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-3938">https://live.paloaltonetworks.com/docs/DOC-3938</A></P><P></P><P>Does it make sense for your archie ?</P><P></P><P>Hope help.</P><P></P><P>V.</P></BODY></HTML> Mon, 28 Oct 2013 11:23:39 GMT https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24617#M17927 VinceM 2013-10-28T11:23:39Z https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24618#M17928 <HTML><HEAD></HEAD><BODY><P>Hi Vince,</P><P></P><P>Yes, it does make sense, as all the Cisco devices in our network are running pvst, but the few of our remaining Dell PowerConnect switches seems to be unable to handle pvst.</P><P>We are troubleshooting some major issues with the network, and I would like to see the traffic that the firewall is dropping to see if this is related.</P><P></P><P>Since the firewall is logging that the traffic is being dropped, it should also log the actual traffic?</P></BODY></HTML> Mon, 28 Oct 2013 13:45:12 GMT https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24618#M17928 arvesynd 2013-10-28T13:45:12Z https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24619#M17929 <HTML><HEAD></HEAD><BODY><P>Hi you can do the captures on the firewall to see what traffic is being dropped. However this should be used only for the troubleshooting purposes in short burst. If you leave it running the pcap exceeds certain limit a new pcap file will be generated. But again this is CPU intensive and should be used only for troubleshooting.</P><P>In captures there are 4 different stages recieve, transmit, Drop and firewall. The drop pcap should show you what is being dropped by the firewall. Here are some additional tips as well.</P><P></P><P style="font-family: Calibri; font-size: 11pt;">1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:</P><P style="font-family: Calibri; font-size: 11pt;">Navigate to Monitor--Packet Capture</P><P style="font-family: Calibri; font-size: 11pt;">Click 'Manage Filters'</P><P style="font-family: Calibri; font-size: 11pt;">Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )</P><P style="font-family: Calibri; font-size: 11pt;">Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)</P><P></P><P style="font-family: Calibri; font-size: 11pt;">2. Setup up the captures</P><P style="font-family: Calibri; font-size: 11pt;">Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)</P><P></P><P style="font-family: Calibri; font-size: 11pt;">3. Enable filters and captures </P><P style="font-family: Calibri; font-size: 11pt;">debug dataplane packet-diag set filter on</P><P style="font-family: Calibri; font-size: 11pt;">debug dataplane packet-diag set capture on</P><P></P><P style="font-family: Calibri; font-size: 11pt;">4. open 2 CLI windows</P><P style="font-family: Calibri; font-size: 11pt;">on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)</P><P style="font-family: Calibri; font-size: 11pt;">show counter global filter packet-filter yes delta yes</P><P></P><P style="font-family: Calibri; font-size: 11pt;">on the 2nd window run the following command to look at he sessions</P><P style="font-family: Calibri; font-size: 11pt;">show session all filter source &lt;ip address&gt; destination &lt;ip address&gt;</P><P></P><P style="font-family: Calibri; font-size: 11pt;">After your test has been done stop all the captures and filters and see if global counter show you anything why it is dropping the traffic or if you have getting pcap with drop stage.</P><P style="font-family: Calibri; font-size: 11pt;">This will help you narrow down the issue.</P><P></P><P style="font-family: Calibri; font-size: 11pt;">Let us know if this helps you resolve the issue.</P><P style="font-family: Calibri; font-size: 11pt;">Thanks</P><P style="font-family: Calibri; font-size: 11pt;">Numan</P></BODY></HTML> Mon, 28 Oct 2013 15:33:07 GMT https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24619#M17929 mbutt 2013-10-28T15:33:07Z https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24620#M17930 <HTML><HEAD></HEAD><BODY><P>Hi mbutt,</P><P></P><P>Thanks for your reply. I am aware of the packet capture feature, and I have used it to some extent, but I still can't help but feel that this is a huge detour for a problem that the firewall has detected, and done something about.</P><P>When troubleshooting PANOS compared to other manufacturers, I feel like the PAN firewall is hiding a lot of what it's actually doing from me, and instead focusing on presenting the traffic that runs smoothly with nice graphs.</P></BODY></HTML> Tue, 29 Oct 2013 06:58:21 GMT https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24620#M17930 arvesynd 2013-10-29T06:58:21Z https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24621#M17931 <HTML><HEAD></HEAD><BODY><P>I completely agree with you. We were troubleshooting issues<BR />with packets being dropped and found it very hard to impossible to actually<BR />find out why a packet is dropped. If the firewall drops a packet I should be<BR />able to see a report or enter a CLI command to find out why and how many. I’m<BR />actually filing a feature request for this. It just seems so basic, I can’t believe<BR />it is so difficult. </P></BODY></HTML> Wed, 13 Nov 2013 23:53:58 GMT https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24621#M17931 ldavie 2013-11-13T23:53:58Z https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24622#M17932 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You can follow this document and get a details information about any drop counter.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3199">How to Enable Logging for Global Counters?</A></P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">To enable logging for global counters, run the following command via CLI:</P><UL><LI><SPAN style="font-style: inherit; font-family: 'courier new', courier;"><SPAN class="GINGER_SOFATWARE_correct">debug</SPAN> <SPAN class="GINGER_SOFATWARE_correct">dataplane</SPAN> packet-<SPAN class="GINGER_SOFATWARE_correct">diag</SPAN> set log counter &lt;counter name Example:"<SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><STRONG><EM>flow_rcv_dot1q_tag_err and flow_no_interface</EM></STRONG></SPAN>"&gt;</SPAN></LI></UL><P><SPAN style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"> <IMG __jive_id="9763" alt="global-counter.JPG.jpg" class="jive-image" height="99" src="https://live.paloaltonetworks.com/legacyfs/online/9763_global-counter.JPG.jpg" style="width: 916.1194029850747px; height: 99px;" width="916" /></SPAN></P><P></P><P><SPAN style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">You will be able to see the same logs under Monitor&gt;&gt; System logs.</SPAN></P><P><SPAN style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><BR /></SPAN></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">To disable logging, run:</P><UL><LI><SPAN style="font-style: inherit; font-family: 'courier new', courier;"><SPAN class="GINGER_SOFATWARE_correct">debug</SPAN> <SPAN class="GINGER_SOFATWARE_correct">dataplane</SPAN> packet-<SPAN class="GINGER_SOFATWARE_correct">diag</SPAN> clear log counter &lt;counter_name&gt;</SPAN></LI></UL><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Thanks</P></BODY></HTML> Thu, 14 Nov 2013 01:53:15 GMT https://live.paloaltonetworks.com/t5/general-topics/detailed-troubleshooting-of-drop-counters/m-p/24622#M17932 HULK 2013-11-14T01:53:15Z