https://live.paloaltonetworks.com/t5/general-topics/how-to-log-out-of-state-dropped-packets/m-p/33262#M24365 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Last week we've replaced an FWSM cluster with a PA-5050 cluster. After the migration there were intermittent problems with our CRM application. Allthough we had no used applications but only services in our security policy, the PAN was applying the predefined siebel-crm application time-out of 60 seconds.After increasing the app timeout to 300 seconds the issue was solved.</P><P></P><P>The only way to find this out was by taking multiple traces at client and server side, finally we saw the dropped packets in the PAN drop-stage packet-capture. We lost almost a day.</P><P></P><P></P><P>Some questions regarding the above :</P><P></P><P>1° How does it come that dropped out-of-state packets&nbsp; ( in this case of a timed-out session) are not logged ? <BR />All other firewalls I know of are logging these kind of dropped packets.</P><P></P><P>2° How can we see the timed-out sessions ? ( in particular application-timeouts ) There must be a counter somewhere I guess.</P><P></P><P></P><P>To be more precise, the dropped out-of-state packets in question were FIN-ACK's from the client to the server.</P><P>Since the session was already timed-out on the PAN, the PAN was silently dropping these packets, with any visible trace in the logfiles.</P><P></P><P>Many thanks ,</P><P>Bart</P></BODY></HTML> Mon, 26 Sep 2011 06:52:43 GMT Bart_Jocque 2011-09-26T06:52:43Z https://live.paloaltonetworks.com/t5/general-topics/how-to-log-out-of-state-dropped-packets/m-p/33262#M24365 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Last week we've replaced an FWSM cluster with a PA-5050 cluster. After the migration there were intermittent problems with our CRM application. Allthough we had no used applications but only services in our security policy, the PAN was applying the predefined siebel-crm application time-out of 60 seconds.After increasing the app timeout to 300 seconds the issue was solved.</P><P></P><P>The only way to find this out was by taking multiple traces at client and server side, finally we saw the dropped packets in the PAN drop-stage packet-capture. We lost almost a day.</P><P></P><P></P><P>Some questions regarding the above :</P><P></P><P>1° How does it come that dropped out-of-state packets&nbsp; ( in this case of a timed-out session) are not logged ? <BR />All other firewalls I know of are logging these kind of dropped packets.</P><P></P><P>2° How can we see the timed-out sessions ? ( in particular application-timeouts ) There must be a counter somewhere I guess.</P><P></P><P></P><P>To be more precise, the dropped out-of-state packets in question were FIN-ACK's from the client to the server.</P><P>Since the session was already timed-out on the PAN, the PAN was silently dropping these packets, with any visible trace in the logfiles.</P><P></P><P>Many thanks ,</P><P>Bart</P></BODY></HTML> Mon, 26 Sep 2011 06:52:43 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-log-out-of-state-dropped-packets/m-p/33262#M24365 Bart_Jocque 2011-09-26T06:52:43Z https://live.paloaltonetworks.com/t5/general-topics/how-to-log-out-of-state-dropped-packets/m-p/33263#M24366 <HTML><HEAD></HEAD><BODY><P>Hi Bart,</P><P></P><P>Did you try doing a "show counter global | match drop" and check to see which drop counters were increasing?&nbsp; This is one of my favorite troubleshooting commands.&nbsp; From there you can also filter the counters to narrow down whether that is the issue for the flows you are investigting.&nbsp; The counter names are typically pretty self explanitory, though I'm not sure how they would show up in this case.</P><P></P><P>Here's my cheat sheet:</P><P></P><UL><LI>Set a filter to control what traffic is counted <UL><LI> debug dataplane packet-diag set filter match &lt;criteria&gt; </LI><LI> debug dataplane packet-diag set filter on&nbsp; </LI></UL></LI><LI> Show the drop counters (absolute or relative to last time command was run) <UL><LI> show counter global packet-filter yes | match drop </LI><LI> show counter global filter severity drop packet-filter yes delta yes</LI></UL></LI></UL><P></P><P>Hope that helps,</P><P></P><P>Kelly</P></BODY></HTML> Mon, 26 Sep 2011 23:50:20 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-log-out-of-state-dropped-packets/m-p/33263#M24366 kbrazil 2011-09-26T23:50:20Z https://live.paloaltonetworks.com/t5/general-topics/how-to-log-out-of-state-dropped-packets/m-p/33264#M24367 <HTML><HEAD></HEAD><BODY><P>Hi Kelly,</P><P></P><P>Many many thanks !</P></BODY></HTML> Tue, 27 Sep 2011 07:12:43 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-log-out-of-state-dropped-packets/m-p/33264#M24367 Bart_Jocque 2011-09-27T07:12:43Z