07-12-2023 10:41 AM
After Upgrading our PA-820 to 11.0.2, we're seeing lots of data on "dns-base" application. In a 24-hour period, I'm seeing 5PBs+ of data coming through, which is way over our limits for our internal network (two DNS servers at 1GB NIC each) and external network. Our ISP bandwidth is 500/500 Mbps. So it's going way over our MAX capacity. However, if you look at the Management Plane and the Data Plane, they are both under 25%. I'm thinking it's just not showing the numbers properly. The DNS Servers that supposedly are communicating with external DNS Servers (8.8.8.8, 1.1.1.1, OpenDNS, etc.) are not showing tons of traffic.
12-27-2023 06:08 AM
Benjamin,
I see in the Release Notes (PAN-234929), that the ACC issue should have been fixed. I updated my firewall to 11.1.1 thinking it was fixing the issue but it didn't. I'll resubmit the issue.
Regards,
Raul
01-02-2024 06:27 AM
Hi Raul,
Thank you for the updates.
Please can you let us know TAC reply on this issue as it has been detected on several models and PAN-OS versions.
This issue PAN-234929 has been listed as an addresses issue in 10.2.7-h3 only.
Best regards,
01-10-2024 06:32 AM - edited 01-10-2024 06:34 AM
Dear all,
We also we have experienced this issue with our PA-440 on 11.0.2 fixed by downgrading to 10.2.4h2.
Reading your comment it looks like that issue is still not fixed even on very recent version like 11.1.1.
That issue seems to be known as PAN-234929 supposed to be fixed on 10.2.6 but it appears all upper releases may be impacted by that bug ?
Do you know if 11.0.2-h2 which is known as "preferred release" is definitively fixing this issue ?
Thanks in advance for your reply.
01-19-2024 01:28 PM
The issue will be fixed on the following versions per case:
11.0.4 >>>>>>>>>02/22/2024
10.2.8 >>>>>>>>>01/25/24
11.1.3 >>>>>>>>>>TBD
10.2.7-h3 >>>>>>>>12/18/23 Released
Raul Trujillo
03-25-2024 07:10 AM - edited 03-25-2024 07:34 AM
We're running 10.2.7-h3 and still seeing this issue. Does anyone know if 10.2.8 fixed this for them? I don't see any acknowledgement of the issue in the release notes.
There seems to be a miscalculation of total bytes. If we run a report of just bytes sent or bytes received, we will get accurate data. But if we use total bytes for dns-base, the numbers are wildly inflated.
We're seeing this on a 5250, but not a 450.
04-19-2024 11:25 PM
This is still broken in 10.2.9
04-20-2024 02:31 PM
I opened a TAC case on this. Sounds like Palo is aware of it:
Matches a known issue: PAN-242309
The root cause is that dp is not incrementing s2c in all cases. When we decrement a zero s2c counter, it is becoming -ve and displaying as a large number. Target Fix Version/s:
11.2.0, 11.1.3, 10.2.10, 10.2.11, 10.1.14, 11.0.7, 10.2.7-h7, 10.2.8-h3, 11.1.2-h4
04-28-2024 11:49 PM
I am using 10.2.8 but still facing the high dns logs in ACC tab. Still not fixed in 10.2.8
07-22-2024 05:31 AM
Somewhere in 11.1.x, it was fixed for the 11.1.x version. I'm currently running 11.1.3 and it seems fine.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
