cannot understand drop reason


L4 Transporter

hey

I have a client that connects to a remote site using GP, and that site has an S2S VPN to my site.

We have problems connecting to a server in that site, and I cannot see any drops in the traffic or threat logs.

I have put a filter on the IPs and used the show global counters command, which shows these drops:

Global counters:
Elapsed time since last sampling: 5.880 seconds
name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_fwd_zonechange                        1        0 drop      flow      forward   Packets dropped: forwarded to different zone
--------------------------------------------------------------------------------
Total counters shown: 1
--------------------------------------------------------------------------------

I don't understand this drop error, but I have checked the routes and have only one route in each direction, and the S2S VPN is steady and up.

Pings between the client and server work fine.

Please help.

Thanks


L4 Transporter

I can see the SYN from the client to the server, and then I can see the SYN-ACK from the server to the client in the stages receive, firewall and drop on my Palo Alto.

In the drop stage it is the same SYN-ACK packets (comparing the firewall and drop pcaps).

Hello Minow,

Could you please confirm whether the outgoing SYN packet and the incoming SYN-ACK packet are being received by the same physical interface and zone. It looks like an asymmetric routing situation. For testing purposes you can enable "assmetric-path-bypass= YES" and "TCP non-syn reject=NO".

Thanks

L4 Transporter

Yes, I will try.

But how can I see on which interface every packet is received and sent?

The weird thing is that there is only one route to the client and one route to the server.

Minow,

      Check what Hulk said, and double check your routes (including any PBF rules). It could be that the return packet is being routed to a different interface than the SYN packet came in on, which will give you the zonechange drop counter.

Craig Stancill  |  Technical Support Engineer

Shift Time : 05:00 – 14:00 GMT

Support Contact: US: (866) 898-9087, Outside the US: +1-408-738-7799

Palo Alto Networks  |  3300 Olcott Street  |  Santa Clara, CA 95054-3005, USA

https://support.paloaltonetworks.com/
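An added example, not from this thread or from Palo Alto Networks, that models the situation Craig describes: a session is created from the SYN's zone pair, and a PBF rule then sends the SYN-ACK out a different zone, which is the condition the flow_fwd_zonechange counter records. The interface names, prefixes and PBF rule are constructed for illustration.

```python
# Constructed model of session zone checking; not PAN-OS code.
from ipaddress import ip_address, ip_network

# Constructed static routes: (prefix, egress interface, zone).
ROUTES = [
    (ip_network("10.10.0.0/16"), "ethernet1/1", "vpn-s2s"),   # GP client site over the S2S VPN
    (ip_network("192.168.5.0/24"), "ethernet1/2", "servers"),
    (ip_network("0.0.0.0/0"), "ethernet1/3", "untrust"),
]
# Constructed PBF rule: (source prefix, destination prefix, egress interface, zone).
# It overrides routing for server-sourced traffic back to the client site.
PBF = [(ip_network("192.168.5.0/24"), ip_network("10.10.0.0/16"), "ethernet1/3", "untrust")]


def route(dst):
    """Longest-prefix route lookup: (interface, zone) a packet to dst leaves through."""
    best = max((r for r in ROUTES if ip_address(dst) in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def forward(src, dst, use_pbf=True):
    """Forwarding decision: a matching PBF rule wins, otherwise the routing table."""
    if use_pbf:
        for s, d, iface, zone in PBF:
            if ip_address(src) in s and ip_address(dst) in d:
                return iface, zone
    return route(dst)


def tcp_handshake(client, server, use_pbf=True):
    """Run SYN then SYN-ACK through the model; return the counter the firewall would increment."""
    # SYN: the session records the zone it arrived on (route back to the client)
    # and the zone it was forwarded to.
    syn_in_zone = route(client)[1]
    syn_out_zone = forward(client, server, use_pbf)[1]
    expected_return_zone = syn_in_zone  # the SYN-ACK must leave the way the SYN came in
    # SYN-ACK: forwarding decision for the server-to-client direction.
    synack_out_zone = forward(server, client, use_pbf)[1]
    if synack_out_zone != expected_return_zone:
        return "flow_fwd_zonechange"  # forwarded to a different zone than the session holds
    return "forwarded"  # label used by this model for a packet that matches the session
```

Running `tcp_handshake("10.10.1.20", "192.168.5.10")` with the PBF rule active returns the zonechange drop; with `use_pbf=False` the same handshake is forwarded, which is the route/PBF comparison the answer suggests.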

L4 Transporter

Hi Minow,

Please try the commands:

- test security-policy-match source xxx destination xxx protocol xxx show-all yes

- test security-policy-match source xxx destination xxx protocol xxx from xxx to xxx show-all yes

protocol: for example 80 is the right number for http

from: source zone

to: destination zone

The result will show which rule is taken. I guess there is a mismatch between interface and zones.

Regards Klaus

kdd, this is awesome! I just added these commands to our internal wiki.

ericgearhart, I like it too because it keeps a lot short.

L4 Transporter

I will check and update. By the way... protocol should be 6 for TCP, and add destination-port 80 for HTTP.

thanks

It was PBR policy routing the ACK to a different zone.

thanks

Hello minow,

There is this doc which explains taking packet-level logs known as flow basic. This would give detailed results: if there is a drop, at what stage it happens, what the reason is, and so on.

Packet Based Troubleshooting - Configuring Packet Captures and Debug Logs

Thanks
