cannot understand drop reason

L4 Transporter
Hey,

I have a client that connects to a remote site using GP, and that site has an S2S VPN to my site.

We have problems connecting to a server in that site, and I cannot see any drops in the traffic or threat logs.

I have put a filter on the IPs and used the show global counters command, which shows this drop:

Global counters:
Elapsed time since last sampling: 5.880 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_fwd_zonechange                        1        0 drop      flow      forward   Packets dropped: forwarded to different zone
--------------------------------------------------------------------------------
Total counters shown: 1
--------------------------------------------------------------------------------

I don't understand this drop error, but I have checked the routes and have only one route in each direction, and the S2S VPN is steady and up.

Pings between the client and server work fine.

Please help.

Thanks


Accepted Solutions
L4 Transporter

Minow,

Check what Hulk said, and double check your routes (including any PBF rules). It could be that the return packet is being routed to a different interface than the SYN packet came in on, which will give you the zonechange drop counter.

Craig Stancill  |  Technical Support Engineer

Shift Time : 05:00 – 14:00 GMT

Support Contact: US: (866) 898-9087, Outside the US: +1-408-738-7799

Palo Alto Networks  |  3300 Olcott Street  |  Santa Clara, CA 95054-3005, USA

https://support.paloaltonetworks.com/
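Craig's explanation amounts to a per-session check of ingress and egress zones. The following added example (my own simplified illustrative model, not PAN-OS code and not from this thread) simulates that check on constructed packets so the flow_fwd_zonechange drop can be seen alongside the healthy case; the zone names, addresses and the tcp_non_syn_reject counter name are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One TCP packet as seen at the 'receive' stage, reduced to what matters here."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool
    ingress_zone: str   # zone of the interface the packet arrived on
    egress_zone: str    # zone the route/PBF lookup picks for the destination

def flow_key(p):
    # Both directions of one TCP connection collapse onto the same session key.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def simulate(packets):
    """Simplified model (not PAN-OS code): the SYN creates a session that pins
    the expected ingress/egress zone pair for each direction; a later packet
    whose zone pair differs is dropped and counted as flow_fwd_zonechange."""
    sessions, verdicts = {}, []
    counters = {"flow_fwd_zonechange": 0, "tcp_non_syn_reject": 0}
    for p in packets:
        k = flow_key(p)
        if p.syn and not p.ack:
            sessions[k] = {"initiator": (p.src, p.sport),
                           "c2s": (p.ingress_zone, p.egress_zone),
                           "s2c": (p.egress_zone, p.ingress_zone)}
            verdicts.append("allow")
            continue
        s = sessions.get(k)
        if s is None:   # non-SYN packet with no session: the 'TCP non-syn reject' case
            counters["tcp_non_syn_reject"] += 1
            verdicts.append("drop")
            continue
        direction = "c2s" if (p.src, p.sport) == s["initiator"] else "s2c"
        if (p.ingress_zone, p.egress_zone) != s[direction]:
            counters["flow_fwd_zonechange"] += 1
            verdicts.append("drop")
        else:
            verdicts.append("allow")
    return verdicts, counters

# Constructed sample: GP client 10.1.1.10 -> server 10.2.2.20 behind the S2S VPN.
SYN = Packet("10.1.1.10", "10.2.2.20", 51000, 80, True, False, "gp-users", "vpn")
# SYN-ACK returning through the VPN zone as expected ...
SYNACK_OK = Packet("10.2.2.20", "10.1.1.10", 80, 51000, True, True, "vpn", "gp-users")
# ... versus the same SYN-ACK arriving from a different zone (asymmetric return path).
SYNACK_ASYM = Packet("10.2.2.20", "10.1.1.10", 80, 51000, True, True, "trust", "gp-users")
```

Running `simulate([SYN, SYNACK_ASYM])` yields a drop on the second packet with the zonechange counter at 1, which is the pattern in the original poster's pcaps: the SYN-ACK is visible at the receive stage and then again in the drop stage.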


All Replies
L4 Transporter

I can see the SYN from the client to the server, and then I can see the SYN-ACK from the server to the client in the stages receive, firewall and drop on my Palo Alto.

In the drop stage it is the same packets as the SYN-ACK (comparing the firewall and the drop pcaps).

L7 Applicator

Hello Minow,

Could you please confirm whether the outgoing SYN packet and the incoming SYN-ACK packet are being received by the same physical interface and zone. It's looking like an asymmetric routing situation. For testing purposes you can enable "asymmetric-path-bypass=YES" "TCP non-syn reject=NO".

Thanks

L4 Transporter

Yes, I will try.

But how can I see on which interface every packet is received and sent?

L4 Transporter

The weird thing is that there is only one route to the client and one route to the server.

L4 Transporter

Hi Minow,

Please try the commands:

- test security-policy-match source xxx destination xxx protocol xxx show-all yes

- test security-policy-match source xxx destination xxx protocol xxx from xxx to xxx show-all yes

protocol: for example, 80 is the right number for HTTP

from: source zone

to: destination zone

the result will show which rule is taken. I guess there is a mismatch between interface and zones.

Regards Klaus

L4 Transporter

kdd, this is awesome! I just added these commands to our internal wiki.

L4 Transporter

ericgearhart, I like it too because it keeps a lot short.

L4 Transporter

I will check and update. By the way... protocol should be 6 for TCP, and add destination-port 80 for HTTP.

Thanks
