topic Re: How to Interpret Traffic Monitor Output in General Topics

How to Interpret Traffic Monitor Output

Weese — Wed, 14 Aug 2013 16:14:16 GMT

I have traffic going over a VPN tunnel. There is a rule alllowing the traffic and routing isn't a problem.

A source host isn't connecting to a host across the tunnel. In monitor I'm seeing entries that say the packet is allowed but in the application column the entry says "insufficient data". What does that mean? Where can I find a list of expected entries for that column and what they mean?

Thanks for any help.

Re: How to Interpret Traffic Monitor Output

Phoenix — Wed, 14 Aug 2013 16:18:16 GMT

Hello Wesse,

Insufficient data in the application field

Insufficient data means that there was not enough data to identify the application. So for example, if the 3-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.

https://live.paloaltonetworks.com/docs/DOC-1549

Re: How to Interpret Traffic Monitor Output

mbutt — Wed, 14 Aug 2013 20:12:49 GMT

Please verify on the tunnel you have created you have proxy id setup for the subnet traffic that needs to go through the tunnel. However if you have both sides as palo alto then you do not need to set proxy id.

Here is a doc which explains why proxy ids are needed.

https://live.paloaltonetworks.com/docs/DOC-3073

Also if you still see the issue after verifying this you can use the following steps to troubleshoot

1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:

Navigate to Monitor--Packet Capture

Click 'Manage Filters'

Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )

Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)

2. Setup up the captures

Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)

3. Enable filters and captures

debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture on

4. open 2 CLI windows

on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)

show counter global filter packet-filter yes delta yes

on the 2nd window run the following command to look at he sessions

show session all filter source <ip address> destination <ip address>

After your test has been done stop all the captures and filters and see if global counter show you anything why it is dropping the traffic or if you have getting pcap with drop stage.

This will help you narrow down the issue.

Let us know if this helps you resolve the issue.

Thanks

Numan