topic Re: Packet drop counter increment normal? in General Topics

Packet drop counter increment normal?

OMatlock — Fri, 07 Jul 2017 13:55:54 GMT

Hi folks,

We had a Lync meeting yesterday that was reported with poor performance and dropped calls.

The Lync Monitor dashboard indicates dropped packets and jitter in that time frame.

I checked the Lync server and the LAN switch its ESXi host is connected to, no alerts or reports of packet loss.

I see that all of our PA 3020 interfaces have a packet drop counter that is incrementing.

Is this normal?

This is example of ethernet 1/1 our public facing interface, but they are all doing it, including internal.

I did a catch all packet capture and opened the drop.pcap file in wireshark, small sample looks like this. Is this normal for networks to drop these packets and increment the packet drop counter?

https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Drop-Counters-in-quot-Show-Interface-Ethernet-quot/ta-p/51978

Re: Packet drop counter increment normal?

reaper — Fri, 07 Jul 2017 14:11:49 GMT

this packetcpture may not capture all the dropped packets seen in the interface

a little bckground

the dropped packets on the interface are usually malformed packets the interface wont accept (too large frames, broken, missing header, ...)

the packets seen in the packet-diag are packets discarded by the packet processing CPU, which is after the interface.packets dropped by the processor appear in the global counters

you'll want to run > show counter global filter delta yes (optionally 'packet-filter yes' if you added packet-diag filters)

and see which drop counters increment there

it looks like you set a manual link speed and duplex, did you also set this speed on the connected switch? if not, you'll want to change the firewall to auto-auto or set the switch to 100/full. a mismatch in auto/static will also cause packet drops due to negotiation mishaps

Re: Packet drop counter increment normal?

OMatlock — Fri, 07 Jul 2017 17:58:40 GMT

Thanks reaper,

The 1/1 interface is set to 100 and full. It's other end goes to a small box on the wall representing our Internet provider. I am assuming there must have been a requirement for it to be setup that way. I would have to call the ISP to verify I guess. Thanks for noticing...

I ran the command you reference, but do not see nearly the drop number(s) I see when running the show interface command. Of course I am a newbie and trying to understand what is relevant. Still confusing on how to monitor packet loss.

Re: Packet drop counter increment normal?

reaper — Fri, 07 Jul 2017 18:19:32 GMT

well the good thing is that there usually is not a lot of 'low level' packetloss, most of the time that happens when you have a faulty cable or incorrect speed/duplex setting, everything else usually happens in the processing layer where packets are either discarded due to policy (security policy, security profile, QoS, DoS protection , ....) or because the system is overloaded

these commands will help you pinpoint 'system overload'

>show running resource-monitor

when the packet descriptor (buffers) are extremely high (past 85% packetloss may occur)

(don't worry too much about cpu or processes running 100%, some are pre-spun to 100%, others are perfectly ok at 100% as long as the buffers and pools are 'free')

> debug dataplane pool statistics

when the software/harware memory pools run dry

at first glance you have a very low amount of dropped packets in the system, thats good. Please check with your ISP, usually a 'box on the wall means a regular routing/modem device that has automatic settings which will fix your bad quality voip issue when you set the firewall to comply, else try switching out the cable just to make sure

if that doesn;t fix the issue you could also try transplanting your configuration on a different firewall interface so you can exclude a faulty hardware port also