Packet drops in LAN interface,..

Reply
Highlighted
L4 Transporter

Packet drops in LAN interface,..

Hi All,

For a 5 minutes we are unable to access internet ( even not able to ping next hop router), We observed that there is a packet drops in PaloAlto LAN interface, below snap shows the same. Can any body give the reason for this packet drops?

Please help me to identify the root cause,.

Thank you,

Guru

1.png

kdd
L4 Transporter

Re: Packet drops in LAN interface,..

Hi Gururaj,

there are more information needed. Does anybody change something and is there something in the traffic- system- or configuration-log? Please let us know.

Cheers Klaus

L0 Member

Re: Packet drops in LAN interface,..

Hi everyone...

 

I have the same issue but i can't found some clue to have the diagnose, the counters on each interface are weird. in my case the disconnect occurs at least 15 seconds, maximum 30 seconds, but this is enough to make server applications get offline....

 

i suspect that the problem comes on the interface assigned for LAN connection because the ping don't respond when the problem occurs...

 

 

LAN interface.JPG

i tried to find answers in the system logs ,traffic logs and threat logs but there's nothing unusual. no information about some disconnected interface, some kind of threat DDos or a simple rule that deny the connections.

 

i need help......

L3 Networker

Re: Packet drops in LAN interface,..

Hi Guys,

 

It could be many reasons for this. 

 

The Difference Between Receive Errors for Hardware and Logical Interface Counters

 

https://live.paloaltonetworks.com/t5/Learning-Articles/The-Difference-Between-Receive-Errors-for-Har...

 

Packet Drop Counters in "Show Interface Ethernet ..." Display

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Drop-Counters-in-quot-Show-Interface-E...

 

Is it SFP interface. We had a similar issue before with bad SFP interface/module.

 

How to Check Interface Hardware Counters Including Errors

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Check-Interface-Hardware-Counters-Incl...

 

Need a better picture of you topology set-up

L4 Transporter

Re: Packet drops in LAN interface,..

Hi,

 

Maybe your zone protection kicked in? Look for floods coming from IP address 0.0.0.0 and action "drop" in your threats logs.

 

Benjamin

Community Manager

Re: Packet drops in LAN interface,..

The moment the outage occurs you could also try to run

> show counter global filter delta yes severity drop

a couple of times. the delta filter will make sure you only see the counters that incremented after the first time you executed the command, so starting from the second time you should see which types of drops the system is seeing 'right now', this could help determine if the drops are caused by the system or are a result of an issue further down the stream (packets dropped because session is out of sync, not receiving syn packets, idle timeout , ...)


Help the community: Like helpful comments and mark solutions
Reaper out
asi
L0 Member

Re: Packet drops in LAN interface,..

Hi Daniel,

 

I have a similar issue, did you find the solution to this problem

 

Thanks

Hari

L0 Member

Re: Packet drops in LAN interface,..

i am also having the same issue for 1 month PA TAC is provided the RMA Device with out proper investigation, still having the same issue

Community Manager

Re: Packet drops in LAN interface,..

Hi @sudhakar050845

 

What kind of troubleshooting has been performed by yourself or TAC and what were your findings?

what version of PAN-OS are you one?

 

Although this post dates from 2016, the troubleshooting steps mentioned above could still prove useful, have you been able to try them and what drop counters did you see ?


Help the community: Like helpful comments and mark solutions
Reaper out
L0 Member

Re: Packet drops in LAN interface,..

Hi Team,

We found and resolve the issue today, we have 2 set of PA firewalls are configured in HA, in the same subnet with Simmilar HA group ID, today we have changed the HA group ID on the ping drop FIrewall, issue got resolved

 

So group ID has to be diffrent when there are more than one HA firewalls are placed in the same subnet.

 

Thanks

Sudhakar

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!