topic Re: cannot understand drop reason in General Topics

cannot understand drop reason

minow — Mon, 10 Mar 2014 10:35:04 GMT

hey

i have a client that connects to a remote site using GP, and that site have s2s vpn to my site,

we have problems connecting to a server in that site, we can i cannot see and drops in the traffic or threat logs,

i have put filter on the ips and used tha show global couters shows this drops:

Global counters:

Elapsed time since last sampling: 5.880 seconds

name value rate severity category aspect description

--------------------------------------------------------------------------------

flow_fwd_zonechange 1 0 drop flow forward Packets dropped: forwarded to different zone

--------------------------------------------------------------------------------

Total counters shown: 1

--------------------------------------------------------------------------------

i dont understand this drop error, but i have checked routes and have only one route to each direction and the s2s vpn is steady and up

pings between the client and server works fine

please help

thanks

Re: cannot understand drop reason

minow — Mon, 10 Mar 2014 10:45:49 GMT

i can see the SYN from the client to the server and then i can see the SYN-ACK from the server to the client on the stages: receive, firewall and drop on my paloalto

on the drop it is the same packets of the SYN-ACK (comparing the firewall and the drop pcaps

Re: cannot understand drop reason

HULK — Mon, 10 Mar 2014 16:24:09 GMT

Hello Minow,

Could you please confirm whether outgoing SYN packet and incoming SYN-ACK packet is being received by the same physical interface and zone.It's looking like a assymetric routing situation. For testing perpose you can enable "assmetric-path-bypass= YES" "TCP non-syn reject=NO".

Thanks

Re: cannot understand drop reason

minow — Tue, 11 Mar 2014 08:55:15 GMT

yes i will try

but how can i see on which interface every packet received from and sent to

Re: cannot understand drop reason

minow — Tue, 11 Mar 2014 08:55:48 GMT

the weird thing is that there is only one route to the client and one route to the server

Re: cannot understand drop reason

cstancill — Tue, 11 Mar 2014 11:13:28 GMT

Minow,

Check what Hulk said, and double check your routes (including any PBF rules). It could be that the return packet is being routed to a different interface than the SYN packet came in on, which will give you the zonechange drop counter.

Craig Stancill | Technical Support Engineer

Shift Time : 05:00 – 14:00 GMT

Support Contact: US: (866) 898-9087, Outside the US: +1-408-738-7799

Palo Alto Networks | 3300 Olcott Street | Santa Clara, CA 95054-3005, USA

https://support.paloaltonetworks.com/

Re: cannot understand drop reason

kdd — Tue, 11 Mar 2014 11:57:23 GMT

hi minow,

please try the command:

- test security-policy-match source xxx destination xxx protocol xxx show-all yes

- test security-policy-match source xxx destination xxx protocol xxx from xxx to xxx show-all yes (

protocol: for example 80 is the right number for http

from: source zone

to: destination zone

the result will show which rule is taken. I guess there is a mismatch between interface and zones.

Regards Klaus

Re: cannot understand drop reason

ericgearhart — Tue, 11 Mar 2014 13:47:16 GMT

kdd this is awesome! I just added these commands to our internal wiki

Re: cannot understand drop reason

kdd — Tue, 11 Mar 2014 16:10:19 GMT

ericgearhart i like it too because it keeps a lot short

Re: cannot understand drop reason

minow — Wed, 12 Mar 2014 07:17:31 GMT

i will check and update by the way... protocol should be 6 for tcp, and add destination-port 80 for http

thanks

Re: cannot understand drop reason

minow — Thu, 20 Mar 2014 07:59:41 GMT

It PBR policy routing ACK to a different zone.

thanks

Re: cannot understand drop reason

Phoenix — Thu, 20 Mar 2014 15:41:19 GMT

Hello minow,

There is this doc where it explains taking packet level logs known as flow basic. This would give details results if there is a drop at what stage what is the reason and so on to understand.

Packet Based Troubleshooting - Configuring Packet Captures and Debug Logs

Thanks