Packets Dropped Due to Missing Route When Number of Routes Exceeds System Capacity

Issue

If the total number of connect routes and static routes is over the system capacity, the Palo Alto Networks device may override the connect routes with static routes and impacting normal routing functionality.

Details

The following is the routing system capacity for each model.

The example below is for a PA-3050 device:Check the current total connect routes and static routes with the show routing summary command.

> show routing summary

GLOBAL ROUTING RESOURCE USAGE:

  ==========

  All     Routes (total):            5000

  All     Routes (active):           4986

  ==========

  Static  Routes (total):            4980

  Connect Routes (total):              20

  BGP     Routes (total):               0

  OSPF    Routes (total):               0

  RIP     Routes (total):               0

The following shows the flow_fwd_13_noroute global counter that appears when the errors occur:

> show counter global filter delta yes packet-filter yes

Elapsed time since last sampling: 47.244 seconds

name                   value    description

-----------------------------------------------------------------------------

pkt_sent                   9     Packets transmitted

pkt_outstanding           63     Outstanding packet to be transmitted

pkt_alloc                 83     Packets allocated

flow_fwd_l3_noroute        9     Packets dropped: no route

Cause

The issue is that the total routes, which includes the 5000 static routes and the directly connected routes, are exceeding the system capacity. The issue occurred because the fib entry of the static route is allowed to overwrites the entry of the connected route. This is the reason why the problematic connected route was in the routing engine but its FIB entry was gone.

Workaround

Reduce the number of static route entries in the Palo Alto Networks device configuration.

owner: kkondo