topic Re: PA 5220 Packet Descriptor Max value in General Topics

PA 5220 Packet Descriptor Max value

MP18 — Sat, 23 Nov 2019 04:05:07 GMT

When I run show running resource monitor. I see packet descriptor max value most of time above 80 like

in 90's. sometimes 100 100.

Packet descriptor average value is still under 80.

We have ssl decryption enabled on the PA.

Also we have decrypt mirror configured.

What can be reason that packet descriptor is going over 90 so often?

Mike

Re: PA 5220 Packet Descriptor Max value

BPry — Sun, 24 Nov 2019 09:18:52 GMT

@MP18

We would really need to dive into your setup, logs, and possibly netflow data to determine this with any real certainty. The only thing effecting your descriptor count would be the additional buffer and descriptor allocation happening for your decrypt mirror configuration.

Re: PA 5220 Packet Descriptor Max value

MP18 — Sun, 24 Nov 2019 16:24:32 GMT

We have netflow configured in solar.

When i check the decrypt mirror port it is 10gig and i see no errors.

When you say below

The only thing effecting your descriptor count would be the additional buffer and descriptor allocation happening for your decrypt mirror configuration.

For this should i configure the netflow for the decrypt mirror port?

Regards

Mike

Re: PA 5220 Packet Descriptor Max value

MP18 — Sun, 24 Nov 2019 16:27:02 GMT

Also let me know what next step i can take to isolate this?

Re: PA 5220 Packet Descriptor Max value

BPry — Mon, 25 Nov 2019 03:49:14 GMT

@MP18,

So I wouldn't get too hung up on the decrypt mirror port; I simply meant that to mean that you have increased load across your device and the additional load by configuring a decrypt mirror isn't helping things.

You'll need to try and see exactly what is causing your traffic load to spike and if its legitimate traffic that needs to be processed or something behaving poorly; it's quite possible that at times your device is simply under stress, and if you still average below 80% I wouldn't be overly concerned about it unless it starts causing issues.

To attempt to see what is flooding in while you notice the descriptor issue, you'll need to monitor what traffic is actually going across the device. Netflow certainly helps with that if you already have it configured, but you could also utilize the Chrome extension pan(w)achrome to see if you can spot where traffic is high to narrow down your search to a particular zone or interface so you have less information to search through.

What version of PAN-OS are you actually running; there have been plenty of software issues where you can see high descriptor counts due to bugs that you may be running into.

Re: PA 5220 Packet Descriptor Max value

MP18 — Mon, 25 Nov 2019 04:55:45 GMT

It is always pleasure to read you posts.

We are running PAN OS 8.1.9.

For Company users accessing Internet

we have INT. and EXT. zone. on each separate physical interface

We have one Internal Zone for our Corp Users and all Internet traffic for users flow via this.

Two separate Zone for Guest Internet traffic on separate ISP connection.

Top used rule is Corp Internal users accessing internet on port 80 and 443.

This rule is mostly used.

Any idea how can I narrow it down if I know the mostly used rule?

Also is it possible to get the email when Packet descriptor runs 100%

Re: PA 5220 Packet Descriptor Max value

BPry — Tue, 26 Nov 2019 03:42:24 GMT

@MP18,

I don't believe that the descriptor hitting 100% is something you can get an email for at the moment; likewise knowing the rule doesn't really tell you anything about why your buffer and descriptor would be rising. You might want to reach out to support and see if there is any additional logging they can enable to tell you exactly what is using the available descriptors.

Re: PA 5220 Packet Descriptor Max value

MP18 — Mon, 02 Dec 2019 17:27:31 GMT

Here is last 7 days reports of Packet Descriptor

Resource utilization (%) during last 7 days:
session (average):
1 1 2 2 2 2 2
session (maximum):
1 2 3 3 3 4 3
packet buffer (average):
1 1 1 1 1 1 1
packet buffer (maximum):
8 7 6 82 3 26 9
packet descriptor (average):
0 0 0 1 1 1 1
packet descriptor (maximum):
1 2 3 5 5 4 5
packet descriptor (on-chip) (average):
3 3 4 4 4 4 4
packet descriptor (on-chip) (maximum):
100 100 99 100 60 100 91

Will check with out SE

Re: PA 5220 Packet Descriptor Max value

MP18 — Tue, 03 Dec 2019 21:50:08 GMT

Opened case with PA as per them

we should not worry about Spike of Packet descriptor to 100%.

Worry about DP avergage cpu it it goes over 80% for extended period of time.

Q: Also any reason you know what can cause the PD spike to 100%?
A: The high DP (Dataplane) can be cause application usage, so we need to look at traffic patterns, in your case, the past 5 hours to understand spikes to 100%.