For a 5 minutes we are unable to access internet ( even not able to ping next hop router), We observed that there is a packet drops in PaloAlto LAN interface, below snap shows the same. Can any body give the reason for this packet drops?
Please help me to identify the root cause,.
there are more information needed. Does anybody change something and is there something in the traffic- system- or configuration-log? Please let us know.
I have the same issue but i can't found some clue to have the diagnose, the counters on each interface are weird. in my case the disconnect occurs at least 15 seconds, maximum 30 seconds, but this is enough to make server applications get offline....
i suspect that the problem comes on the interface assigned for LAN connection because the ping don't respond when the problem occurs...
i tried to find answers in the system logs ,traffic logs and threat logs but there's nothing unusual. no information about some disconnected interface, some kind of threat DDos or a simple rule that deny the connections.
i need help......
It could be many reasons for this.
The Difference Between Receive Errors for Hardware and Logical Interface Counters
Packet Drop Counters in "Show Interface Ethernet ..." Display
Is it SFP interface. We had a similar issue before with bad SFP interface/module.
How to Check Interface Hardware Counters Including Errors
Need a better picture of you topology set-up
Maybe your zone protection kicked in? Look for floods coming from IP address 0.0.0.0 and action "drop" in your threats logs.
The moment the outage occurs you could also try to run
> show counter global filter delta yes severity drop
a couple of times. the delta filter will make sure you only see the counters that incremented after the first time you executed the command, so starting from the second time you should see which types of drops the system is seeing 'right now', this could help determine if the drops are caused by the system or are a result of an issue further down the stream (packets dropped because session is out of sync, not receiving syn packets, idle timeout , ...)
What kind of troubleshooting has been performed by yourself or TAC and what were your findings?
what version of PAN-OS are you one?
Although this post dates from 2016, the troubleshooting steps mentioned above could still prove useful, have you been able to try them and what drop counters did you see ?
We found and resolve the issue today, we have 2 set of PA firewalls are configured in HA, in the same subnet with Simmilar HA group ID, today we have changed the HA group ID on the ping drop FIrewall, issue got resolved
So group ID has to be diffrent when there are more than one HA firewalls are placed in the same subnet.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!