How to Troubleshoot Using Counters via the CLI


Note: This article is a Japanese translation of the following article.

How to Troubleshoot Using Counters via the CLI

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXOCA0

 

On a Palo Alto Networks firewall, counters are a very useful indicator of what the processes, the packet flow and session management are doing. In many troubleshooting situations they are one of the most powerful tools available.

 

Troubleshooting packet drops

The following command is useful whenever packet drops are suspected. The drop reason shown for each counter helps narrow down the cause of the problem.

 

> show counter global filter severity drop

Global counters:

Elapsed time since last sampling: 34.999 seconds

 

name                                   value     rate severity  category  aspect    description

--------------------------------------------------------------------------------

flow_rcv_err                              98        0 drop      flow      parse     Packets dropped: flow stage receive error

flow_rcv_dot1q_tag_err                     1        0 drop      flow      parse     Packets dropped: 802.1q tag not configured

flow_no_interface                        263        0 drop      flow      parse     Packets dropped: invalid interface

flow_ipv6_disabled                     30622        0 drop      flow      parse     Packets dropped: IPv6 disabled on interface

flow_policy_nat_land                    6732        0 drop      flow      session   Session setup: source NAT IP allocation result in LAND attack

flow_fwd_l3_mcast_drop                  2756        0 drop      flow      forward   Packets dropped: no route for IP multicast

flow_fwd_l3_ttl_zero                       4        0 drop      flow      forward   Packets dropped: IP TTL reaches zero

flow_fwd_l3_noroute                        5        0 drop      flow      forward   Packets dropped: no route

flow_fwd_l3_noarp                          1        0 drop      flow      forward   Packets dropped: no ARP

flow_action_reset                          1        0 drop      flow      pktproc   TCP clients reset via responding RST

flow_arp_rcv_err                         162        0 drop      flow      arp       ARP receive error

flow_host_decap_err                      412        0 drop      flow      mgmt      Packets dropped: encapsulation error to control plane

flow_host_service_deny                153865        0 drop      flow      mgmt      Device management session denied

flow_host_service_unknown               2762        0 drop      flow      mgmt      Session discarded: unknown application to control plane

flow_tunnel_encap_err                     33        0 drop      flow      tunnel    Packet dropped: tunnel encapsulation error

appid_lookup_invalid_flow                  1        0 drop      appid     pktproc   Packets dropped: invalid session state

proxy_offload_check_err                 1030        0 drop      proxy     pktproc   The number offload proxy setup check failed because of not SYN or no certificate

url_request_pkt_drop                     204        0 drop      url       pktproc   The number of packets get dropped because of waiting for url category request

--------------------------------------------------------------------------------

Total counters shown: 18

--------------------------------------------------------------------------------

 

The command above can be combined with the delta option (delta yes), which shows only the counters that have changed since the last time the command was run in the current CLI session. Run it once to establish a baseline, reproduce the problem, then run it again so that only the drops caused by the reproduction are listed.

> show counter global filter delta yes severity drop

 

Global counters:

Elapsed time since last sampling: 55.446 seconds

name                                   value     rate severity  category  aspect    description

--------------------------------------------------------------------------------

flow_ipv6_disabled                         3        0 drop      flow      parse     Packets dropped: IPv6 disabled on interface

flow_fwd_l3_mcast_drop                     2        0 drop      flow      forward   Packets dropped: no route for IP multicast

flow_host_service_deny                    26        0 drop      flow      mgmt      Device management session denied

flow_host_service_unknown                  2        0 drop      flow      mgmt      Session discarded: unknown application to control plane

--------------------------------------------------------------------------------

Total counters shown: 4

--------------------------------------------------------------------------------

 

Besides severity drop, other severities are defined for different situations, for example error, informational (shown as info) and warning (shown as warn). Because global counters are device-wide, pair them with a packet filter (debug dataplane packet-diag set filter ...) and add packet-filter yes to the filter when you need to limit the output to the traffic you are investigating.
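To make the delta behaviour concrete, here is an added example (not part of the original article) that parses two snapshots of show counter global output and reproduces what filter delta yes, filter severity and filter aspect do. The first snapshot is a subset of the article's own output; the second is a constructed sample of the same counters taken a little later, with one counter (flow_fwd_l3_noarp) appearing for the first time to show how a previously absent counter is handled.

```python
"""Parse PAN-OS `show counter global` output and compute deltas between samples.

Added example, not from the original KB article. The two snapshots below are
constructed: the first reuses a subset of the article's own output, the second
is the same counters a little later, so the diff matches what the firewall's
`filter delta yes` would report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Table layout: name  value  rate  severity  category  aspect  description
_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\S+)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<desc>.*)$"
)


@dataclass(frozen=True)
class GlobalCounter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


def parse_global_counters(text: str) -> dict[str, GlobalCounter]:
    """Return counters keyed by name; header, ruler and footer lines are skipped."""
    counters: dict[str, GlobalCounter] = {}
    for raw in text.splitlines():
        m = _ROW.match(raw.strip())
        if m is None:  # "Global counters:", "Elapsed time ...", rulers, "Total counters shown: N"
            continue
        counters[m["name"]] = GlobalCounter(
            m["name"], int(m["value"]), int(m["rate"]),
            m["severity"], m["category"], m["aspect"], m["desc"].strip(),
        )
    return counters


def select(counters, severity=None, aspect=None):
    """Equivalent of `filter severity X` / `filter aspect Y` on parsed output."""
    return {
        n: c for n, c in counters.items()
        if (severity is None or c.severity == severity)
        and (aspect is None or c.aspect == aspect)
    }


def delta(before, after):
    """Counters that moved between two samples, like `filter delta yes`.

    A counter absent from the earlier sample is treated as having been zero,
    because the firewall omits counters whose value is zero."""
    moved = {}
    for name, cur in after.items():
        prev = before[name].value if name in before else 0
        if cur.value != prev:
            moved[name] = cur.value - prev
    return moved


# Constructed sample 1: a subset of the article's `filter severity drop` output.
SNAPSHOT_1 = """\
Global counters:
Elapsed time since last sampling: 34.999 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_rcv_err                              98        0 drop      flow      parse     Packets dropped: flow stage receive error
flow_ipv6_disabled                     30622        0 drop      flow      parse     Packets dropped: IPv6 disabled on interface
flow_fwd_l3_mcast_drop                  2756        0 drop      flow      forward   Packets dropped: no route for IP multicast
flow_fwd_l3_noroute                        5        0 drop      flow      forward   Packets dropped: no route
flow_host_service_deny                153865        0 drop      flow      mgmt      Device management session denied
flow_host_service_unknown               2762        0 drop      flow      mgmt      Session discarded: unknown application to control plane
--------------------------------------------------------------------------------
Total counters shown: 6
--------------------------------------------------------------------------------
"""

# Constructed sample 2: the same counters 55 seconds later (values chosen to
# match the deltas the article shows), plus one counter seen for the first time.
SNAPSHOT_2 = """\
Global counters:
Elapsed time since last sampling: 55.446 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_rcv_err                              98        0 drop      flow      parse     Packets dropped: flow stage receive error
flow_ipv6_disabled                     30625        0 drop      flow      parse     Packets dropped: IPv6 disabled on interface
flow_fwd_l3_mcast_drop                  2758        0 drop      flow      forward   Packets dropped: no route for IP multicast
flow_fwd_l3_noroute                        5        0 drop      flow      forward   Packets dropped: no route
flow_fwd_l3_noarp                          1        0 drop      flow      forward   Packets dropped: no ARP
flow_host_service_deny                153891        0 drop      flow      mgmt      Device management session denied
flow_host_service_unknown               2764        0 drop      flow      mgmt      Session discarded: unknown application to control plane
--------------------------------------------------------------------------------
Total counters shown: 7
--------------------------------------------------------------------------------
"""

if __name__ == "__main__":
    before, after = parse_global_counters(SNAPSHOT_1), parse_global_counters(SNAPSHOT_2)
    for name, moved in sorted(delta(before, after).items()):
        print(f"{name:32} +{moved:<6} {after[name].aspect:8} {after[name].description}")
```

Feeding real output into parse_global_counters (for example captured with the CLI's set cli scripting-mode on) gives the same per-counter deltas the firewall prints, but with the history retained so that successive reproductions can be compared against each other rather than only against the previous run.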

 

 

Troubleshooting management server statistics

Counters can also be used to view management server statistics (note that the counters associated with each management server process change as internal logs are written).

 

The following command is useful in situations where a hardware replacement (RMA) is suspected to be necessary.

 

> show counter management-server

Log action not taken            :          0

Logs dropped because not logging:          0

User information from AD read   :          2

Certificates information read   :          0

License information fetched from update server:          0

Sighash refcount                :          1

Tunnelhash refcount             :          1

URLcat refcount                 :          1

ip2loc refcount                 :          1

 

Management interface statistics

The management interface also keeps its own statistics, which are useful when checking connectivity problems.

 

> show counter interface management

Interface: Management Interface

-------------------------------------------------------------------------------

Logical interface counters:

-------------------------------------------------------------------------------

bytes received                    505700037

bytes transmitted                 295080711

packets received                  772181

packets transmitted               874087

receive errors                    0

transmit errors                   0

receive packets dropped           0

transmit packets dropped          0

multicast packets received        0

-------------------------------------------------------------------------------

 

Dataplane interface statistics

The show counter interface command displays the statistics for an individual interface, physical or logical.

 

> show counter interface tunnel.51

Interface: tunnel.51

--------------------------------------------------------------------------------

Logical interface counters read from CPU:

--------------------------------------------------------------------------------

bytes received                           0

bytes transmitted                        0

packets received                         0

packets transmitted                      0

receive errors                           0

packets dropped                          0

packets dropped by flow state check      0

forwarding errors                        0

no route                                 0

arp not found                            0

neighbor not found                       0

neighbor info pending                    0

mac not found                            0

packets routed to different zone         0

land attacks                             0

ping-of-death attacks                    0

teardrop attacks                         0

ip spoof attacks                         0

mac spoof attacks                        0

ICMP fragment                            0

layer2 encapsulated packets              0

layer2 decapsulated packets              0

--------------------------------------------------------------------------------
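On a healthy interface every field after the byte and packet totals above stays at zero, so the quickest check is to parse the output and report only the fields that should be zero but are not. The following is an added example, not code from the article or from Palo Alto Networks; the sample output is constructed from the field names shown for tunnel.51 above, with two non-zero values (receive errors, land attacks) inserted so the check has something to report.

```python
"""Flag non-zero error, drop and attack counters in `show counter interface` output.

Added example, not from the KB article. The sample below is constructed from the
field names the article shows for tunnel.51, with two non-zero values inserted
so the check has something to report.
"""
import re

# "<name><2+ spaces><integer>" rows; banner lines ("Interface: ...",
# "Logical interface counters read from CPU:") and rulers do not match.
_KV = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9 .-]*?)\s{2,}(?P<value>\d+)$")

# Substrings of counter names that should stay at zero on a healthy interface.
# Byte and packet totals are deliberately not in this list.
SUSPECT_MARKERS = ("error", "dropped", "not found", "no route", "attacks",
                   "different zone", "ICMP fragment", "info pending")


def parse_interface_counters(text: str) -> dict:
    """Return {counter name: value} for every name/value row in the output."""
    counters = {}
    for raw in text.splitlines():
        m = _KV.match(raw.strip())
        if m:
            counters[m["name"].strip()] = int(m["value"])
    return counters


def suspicious(counters: dict) -> dict:
    """Return only the counters that are both 'should be zero' and non-zero."""
    return {
        name: value for name, value in counters.items()
        if value and any(marker in name for marker in SUSPECT_MARKERS)
    }


# Constructed sample: the article's tunnel.51 layout with two non-zero fields.
SAMPLE = """\
Interface: tunnel.51
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                           48120
bytes transmitted                        9612
packets received                         311
packets transmitted                      87
receive errors                           3
packets dropped                          0
packets dropped by flow state check      0
forwarding errors                        0
no route                                 0
arp not found                            0
neighbor not found                       0
neighbor info pending                    0
mac not found                            0
packets routed to different zone         0
land attacks                             2
ping-of-death attacks                    0
teardrop attacks                         0
ip spoof attacks                         0
mac spoof attacks                        0
ICMP fragment                            0
layer2 encapsulated packets              0
layer2 decapsulated packets              0
--------------------------------------------------------------------------------
"""

if __name__ == "__main__":
    for name, value in suspicious(parse_interface_counters(SAMPLE)).items():
        print(f"{name}: {value}")
```

The same parser works on the management interface output shown earlier, since it uses the same name/value layout; running it twice and comparing the two dictionaries tells you whether an error counter is still growing or is historical.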

 

Troubleshooting layer 2 connectivity

Layer 2 problems usually show up as anomalies in the ARP entries. The following command displays the ARP-related global counters.

> show counter global filter aspect arp

 

Global counters:

Elapsed time since last sampling: 8.330 seconds

 

name                                   value     rate severity  category  aspect    description

--------------------------------------------------------------------------------

flow_arp_pkt_rcv                       42685        0 info      flow      arp       ARP packets received

flow_arp_pkt_xmt                        1875        0 info      flow      arp       ARP packets transmitted

flow_arp_pkt_replied                    6995        0 info      flow      arp       ARP requests replied

flow_arp_pkt_learned                      17        0 info      flow      arp       ARP entry learned

flow_arp_rcv_gratuitous                  494        0 info      flow      arp       Gratuitous ARP packets received

flow_arp_rcv_err                         162        0 drop      flow      arp       ARP receive error

flow_arp_resolve_xmt                    1843        0 info      flow      arp       ARP resolution packets transmitted

--------------------------------------------------------------------------------

Total counters shown: 7

 

 

Other useful statistics

Many other counters are available for troubleshooting. The following listing shows a portion of them (the output is truncated at the right margin in the original).

 

anatrajan@PAN_WICH_52> show counter global name

  aho_alloc_lookup_failed              warn      failed to alloc regex lookup

  aho_fpga                             info      The total requests to FPGA for AHO

  aho_fpga_invalid_wqe                 error     when getting result from fpga, wqe index was not valid

  aho_fpga_ret_error                   error     Dropped results from FPGA caused by unexecpted type

  aho_fpga_ret_invalid_fid             error     Dropped results from FPGA caused by invalid flow id

  aho_fpga_ret_length_error            error     Dropped results from FPGA caused by short length

  aho_fpga_ret_multi_bufs              info      Aho fpga result with multiple buffers

  aho_fpga_ret_offset_error            error     Dropped results from FPGA caused by invalid offset

  aho_fpga_ret_wrong_size              error     Dropped results from FPGA caused by wrong packet size

  aho_fpga_state_verify_failed         info      when getting result from fpga, session's state was changed

  aho_fpga_unmatched_type              error     when getting result from fpga, type in session was not matched

  aho_fpga_unmatched_wqe               warn      when getting result from fpga, wqe was not matched in session

  aho_match_overflow                   info      number of aho matches overflow

  aho_sw                               info      The total usage of software for AHO

  aho_sw_fpga_fail                     warn      Usage of software AHO caused by failure for sending fpga request

  aho_sw_fpga_full                     info      Usage of software AHO caused by fpga requests threshold

  aho_sw_fpga_unavailable              warn      Usage of software AHO caused by fpga unavailable

  aho_too_many_matches                 info      too many signature matches within one packet

  aho_too_many_mid_res                 info      too many signature middle results within one packet

  appid_dfa_invalid_result             error     The invalid dfa result for appid

  appid_exceed_pkt_limit               warn      App. identification failed caused by limitation of total queued packe

  appid_exceed_queue_limit             warn      App. identification failed caused by limitation of session queued pac

  appid_exceed_queue_limit_post        warn      App. identification failed caused by limitation of session queued pac

  appid_fini_with_wqe_2_fpga           info      session ends with wqe in fpga

  appid_flow_state_fail                info      The session's state was changed

  appid_ident_by_cache                 info      Application identified by cache

  appid_ident_by_dport                 info      Application identified by L4 dport

  appid_ident_by_dport_first           info      Application identified by L4 dport first

  appid_ident_by_heuristics            info      Application identified by heuristics

  appid_ident_by_icmp                  info      Application identified by icmp type

  appid_ident_by_ip                    info      Application identified by ip protocol

  appid_ident_by_sport                 info      Application identified by L4 sport

  appid_ident_by_sport_first           info      Application identified by L4 sport first

  appid_ident_by_supernode             info      Application identified by supernode

  appid_lookup_invalid_flow            drop      Packets dropped: invalid session state

  appid_match_overflow                 info      The dfa matches overflow

  appid_no_policy                      error     App. identification failed because of no policy

  appid_override                       info      Application identified by override rule

  appid_proc                           info      The number of packets processed by Application identification

  appid_reset_sess_tcp_reass           error     reset sess failed at tcp reassembly

  appid_result_id_changed              info      The session's appid status was changed

  appid_result_no_policy               info      The session's policy was changed during appid proc

  appid_skip_terminal                  info      The dfa result is terminal

  appid_ssl_no_cert_no_reset           info      ssl sessions with unknown server certificate but no previous reset

  appid_stop_by_ager                   info      Application identification terminated by session ager

  appid_stop_by_ager_nopkts            info      Ager can't stop appid because no packets were queued

  appid_unknown_by_stop                info      The number of unknown applications because of being stopped

 

Author: anatrajan