Wan interface on PA-3020 to ISP disconnected frequently

Reply
Highlighted
L3 Networker

Wan interface on PA-3020 to ISP disconnected frequently

Hi All,

Wan interface on PA-3020 with static IP connected to ISP router.

Since two days, we're facing continue ping drop of WAN interface 3 to 4 times a day, doesn't reestablish the connectivity until reboot the firewall.

Then, We had checked with the alternate modem device and monitored whole day, no ping drop and no network down issues we faced.

Twice confirmed with the ISP, but didn't find a problem from ISP end. Device running on PAN OS-6.0.2 . Please suggest. Thanks


L7 Applicator

Re: Wan interface on PA-3020 to ISP disconnected frequently

Hello Javith,

It looks like PAN FW is connected with a Modem and that modem connected with ISP. There could be many reasons, while traffic was not through . Hence i would suggest you below mentioned steps to narrow down the problem, if packets are getting dropped at PAN FW:

------ Verify the ARP table, there should be a valid entry for the next hop ISP router.

------  Check if firewall is building new sessions for incoming traffic. Make sure the firewall not reached to the max limit.

CLI command

>show session info

>show session meter

------  Verify the real time session in the CLI by using '>show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.

------ Verify the available resources on the PAN firewall

> debug dataplane pool statistics

> show running resource-monitor

>debug dataplane memory status

------ Verify the global counters, if a specific "DRP" counter is increasing rapidly. The command show counter global provides information about the processes/actions taken on the packets going through the device;  These counters are for all the traffic going through the device and are useful in troubleshooting issues; like poor performance, packet loss, latency etc. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data.

For more information, you can follow the DOC: What is the Significance of Global Counters?

>show counter global filter delta yes

>show counter interface all

>show statistics

----- If above mentioned steps, doesn't throw any clue, then you can enable FLOW BASIC feature to understand the exact reason behind the failure: ( If packets are getting dropped at PAN FW)

> debug dataplane packet-diag clear all

> debug dataplane packet-diag set filter match source  IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION

> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination  IP_ADD_OF_THE_TESTING_PC

> debug dataplane packet-diag set log feature flow basic

> debug dataplane packet-diag set log feature tcp all

> debug dataplane packet-diag set filter on

> debug dataplane packet-diag set log on

~~~~~~~~~~~~~~~~ Initiate traffic through the PAN firewall/try to browse a website ~~~~~~~~~~~~~~~~~~~~~~~~~

> debug dataplane packet-diag set log off

> debug dataplane packet-diag aggregate-logs

> less mp-log pan_packetdiag_log.log

For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands

Hope this helps.

Thanks

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!