topic Re: Packet capture drop stage shows production traffic in General Topics

Packet capture drop stage shows production traffic

mjensen40400 — Thu, 08 Apr 2021 20:50:35 GMT

I have been troubleshooting a intermittent issue where a device that sits behind my Palo Alto running 10.0.0.3 is frequently losing it's connection for UDP port 2156 traffic.

Today I ran a packet capture on the PA using the "drop stage" while the connectivity was lost and there was my missing traffic, right there in that capture.

When connectivity restored itself I ran the "drop stage" capture again and the interesting traffic was no longer present.

How can I investigate further to determine the reason why this traffic is getting dropped by the firewall? When I look in the monitor > traffic logs I do not see this traffic as being dropped.

Re: Packet capture drop stage shows production traffic

OtakarKlier — Thu, 08 Apr 2021 21:44:24 GMT

Hello,

In the policy, make sure you are logging the traffic. Also when it cones to UDP traffic, the session stays open so it might not show in the traffic logs immediately. I would suggest checking the Session Browser as that is showing all active sessions and is better for looking at UDP traffic.

However the traffic logs should show why the session ended and the policy that allowed/blocked the traffic.

Regards,

Re: Packet capture drop stage shows production traffic

aleksandar.astardzhiev — Fri, 09 Apr 2021 11:32:52 GMT

Hi @mjensen40400

Try to check the global counters as described here - How to check global counters for a specific source and destinat... - Knowledge Base - Palo Alto Networks
- Set the same filter you have set for the packet capture

- Run the command >show counter global filter packet-filter yes delta yes (note that with the option delta the output will show only the difference between last and previous execution of the show command. )

Re: Packet capture drop stage shows production traffic

mjensen40400 — Fri, 09 Apr 2021 13:00:56 GMT

Hello,

I ran a debug:

> debug dataplane packet-diag set log feature flow basic 
> debug dataplane packet-diag set log on

debug dataplane packet-diag aggregate-logs
packet-diag.log is aggregated

but I am not able to view the packet-diag.log which probably contains my answers.
Do you know how I can view the contents of the .log?

Re: Packet capture drop stage shows production traffic

mjensen40400 — Fri, 09 Apr 2021 14:17:58 GMT

What is messed up is when I look in traffic logs and query for the traffic in question logs come up from days ago and nothing current. For example this morning I can only see traffic logs for the interesting traffic from April 5th!

The security policy rules are set to log.

I know for sure this traffic has successfully passed through the firewall since the 5th as this problem is intermitent and the traffic flow does work sometimes.

Re: Packet capture drop stage shows production traffic

OtakarKlier — Fri, 09 Apr 2021 14:51:38 GMT

Hello,

In the drop logs, what is the reason it gives for the drop traffic?

Regards,

Re: Packet capture drop stage shows production traffic

mjensen40400 — Fri, 09 Apr 2021 19:00:55 GMT

Using the global counters method I discovered the drop reason is due to arp.

Using the "show arp all" command I was able to determine that the firewall has a "incomplete" arp entry for it's default gateway during times the traffic stops and it has a actual full entry when traffic is flowing as it should.

I do have a static source NAT and I followed kb "FIREWALL IS DROPPING PACKETS FROM LAN FOR NO ARP" @ https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmm8CAC&lang=en_US%E2%80%A9.

My static NAT was a host IP without a netmask so I put a /32 at the end of it and that didn't make a difference.