After Upgrading our PA-820 to 11.0.2, we're seeing lots of data on dns-base application.


L2 Linker

After Upgrading our PA-820 to 11.0.2, we're seeing lots of data on "dns-base" application.  In a 24-hour period, I'm seeing 5PBs+ of data coming through, which is way over our limits for our internal network (two DNS servers at 1GB NIC each) and external network.  Our ISP bandwidth is 500/500 Mbps.  So it's going way over our MAX capacity.  However, if you look at the Management Plane and the Data Plane, they are both under 25%.  I'm thinking it's just not showing the numbers properly.  The DNS Servers that supposedly are communicating with external DNS Servers (8.8.8.8, 1.1.1.1, OpenDNS, etc.) are not showing tons of traffic.

 

39 REPLIES

Benjamin,

 

I see in the Release Notes (PAN-234929), that the ACC issue should have been fixed.  I updated my firewall to 11.1.1 thinking it was fixing the issue but it didn't.  I'll resubmit the issue.

 

Regards,

 

Raul 

L1 Bithead

Hi Raul,

Thank you for the updates.

Could you please let us know TAC's reply on this issue, as it has been detected on several models and PAN-OS versions?

This issue, PAN-234929, has been listed as an addressed issue in 10.2.7-h3 only.

Best regards,

L0 Member

Dear all,

 

We have also experienced this issue with our PA-440 on 11.0.2, fixed by downgrading to 10.2.4h2.

Reading your comment, it looks like that issue is still not fixed even on a very recent version like 11.1.1.

 

That issue seems to be known as PAN-234929, supposed to be fixed on 10.2.6, but it appears all later releases may be impacted by that bug?

 

Do you know if 11.0.2-h2, which is known as the "preferred release", definitively fixes this issue?

 

Thanks in advance for your reply.

The issue will be fixed on the following versions per case:

11.0.4 >>> 02/22/2024
10.2.8 >>> 01/25/24
11.1.3 >>> TBD
10.2.7-h3 >>> 12/18/23 Released

 

Raul Trujillo

 

 

L1 Bithead

We're running 10.2.7-h3 and still seeing this issue. Does anyone know if 10.2.8 fixed this for them? I don't see any acknowledgement of the issue in the release notes.

 

There seems to be a miscalculation of total bytes. If we run a report of just bytes sent or bytes received, we will get accurate data. But if we use total bytes for dns-base, the numbers are wildly inflated.

 

We're seeing this on a 5250, but not a 450.

L1 Bithead

This is still broken in 10.2.9

L1 Bithead

I opened a TAC case on this. Sounds like Palo is aware of it:

 

Matches a known issue: PAN-242309
The root cause is that dp is not incrementing s2c in all cases. When we decrement a zero s2c counter, it is becoming -ve and displaying as a large number.
Target Fix Version/s:
11.2.0, 11.1.3, 10.2.10, 10.2.11, 10.1.14, 11.0.7, 10.2.7-h7, 10.2.8-h3, 11.1.2-h4
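
Added example (not part of the thread and not Palo Alto Networks code): the counter behaviour the TAC reply describes, sketched in C alongside a saturating decrement and a report-side plausibility check. The 64-bit counter width and all function names are assumptions; the 500 Mbps link and 24-hour window are the figures from the original post.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Pattern described in the TAC reply: decrement an unsigned byte counter
   without checking it. At zero the result wraps to a value near 2^64
   (counter width is an assumption). */
uint64_t dec_unchecked(uint64_t counter, uint64_t n) {
    return counter - n;
}

/* Hardened pattern: clamp at zero instead of wrapping. */
uint64_t dec_saturating(uint64_t counter, uint64_t n) {
    return counter >= n ? counter - n : 0;
}

/* Most bytes a link can carry in one direction during a time window. */
uint64_t max_bytes(uint64_t link_bps, uint64_t seconds) {
    return link_bps / 8 * seconds;
}

/* Report-side sanity check: a total (both directions) above twice the
   one-way ceiling cannot be real traffic on a full-duplex link. */
int total_plausible(uint64_t total, uint64_t link_bps, uint64_t seconds) {
    return total <= 2 * max_bytes(link_bps, seconds);
}

int main(void) {
    uint64_t s2c = 0;                       /* counter that was never incremented */
    uint64_t link = 500000000ULL;           /* 500 Mbps, from the original post */
    uint64_t day = 86400;                   /* 24-hour reporting window */
    uint64_t reported = 5000000000000000ULL; /* 5 PB, constructed from the post */

    printf("unchecked:  %" PRIu64 "\n", dec_unchecked(s2c, 1));
    printf("saturating: %" PRIu64 "\n", dec_saturating(s2c, 1));
    printf("one-way ceiling for 24 h: %" PRIu64 " bytes\n", max_bytes(link, day));
    printf("5 PB plausible? %s\n",
           total_plausible(reported, link, day) ? "yes" : "no");
    return 0;
}
```

A report value that fails the ceiling check points to a counter or display defect rather than real traffic, which matches the low data plane utilisation described in the original post.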

I am using 10.2.8 but still facing the high dns logs in ACC tab. Still not fixed in 10.2.8

L0 Member

Hello,

Even after upgrading to 10.2.10 the bug continues. Just waiting for a patch.

Somewhere in 11.1.x, it was fixed for the 11.1.x version.  I'm currently running 11.1.3 and it seems fine.
