This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

debug dataplane packet-diag causes PA5050 to stop working? PAN-OS 4.1.7

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

debug dataplane packet-diag causes PA5050 to stop working? PAN-OS 4.1.7

sebastian
L0 Member

‎11-26-2012 07:27 AM

Hi,

today i tried to debug a packet flow via the "debug dataplane packet-diag" command.

I did that by using this guide.

Unfortunately this causes our PA5050 Active/Passive Cluster to complete stop working for a few minutes. :smileyangry:

Is this a known bug in PAN-OS 4.1.7?

I used a packet filter so cpu can't/should not be an issue.

Here my debug settings

> debug dataplane packet-diag show setting

DP 0:

--------------------------------------------------------------------------------

Packet diagnosis setting:

--------------------------------------------------------------------------------

Packet filter

  Enabled:                   no

  Match pre-parsed packet:   yes           

  Index 1: 10.100.1.37[0]->10.242.3.22[80], proto 6

           ingress-interface any, egress-interface any, exclude non-IP

--------------------------------------------------------------------------------

Logging

  Enabled:                   no

  Log-throttle:              yes

  Aggregate-to-single-file:  yes           

  Output file size:          10489183 of 10485760 Bytes (full)

  Features:

    flow    : basic

  Counters:

--------------------------------------------------------------------------------

Packet capture

  Enabled:                   no

  Snaplen:                   0           

--------------------------------------------------------------------------------

DP 1:

--------------------------------------------------------------------------------

Packet diagnosis setting:

--------------------------------------------------------------------------------

Packet filter

  Enabled:                   no

  Match pre-parsed packet:   yes           

  Index 1: 10.100.1.37[0]->10.242.3.22[80], proto 6

           ingress-interface any, egress-interface any, exclude non-IP

--------------------------------------------------------------------------------

Logging

  Enabled:                   no

  Log-throttle:              yes

  Aggregate-to-single-file:  yes           

  Output file size:          4869970 of 10485760 Bytes

  Features:

    flow    : basic

  Counters:

--------------------------------------------------------------------------------

Packet capture

  Enabled:                   no

  Snaplen:                   0           

--------------------------------------------------------------------------------

Labels:
0 Likes Likes
2 REPLIES 2

kfindlen
L4 Transporter

‎11-26-2012 08:30 AM

Hello,

It appears that the packet filter was defined, but not enabled.  This would cause the filter to be ignored and all traffic to be logged.  To enable the filter use the command:

debug dataplane packet-diag set filter on

A helpful step to avoid load issues when doing captures and packet-diag logging is to always view counter output against the packet filter prior to enabling either a capture or log.  You can do this with the command:

show counter global filter delta yes packet-filter yes

Run the above command a few times and look at the pkt_recv rate.  Any value above 500 for logging, or above 1000 for a capture could potentially cause load issues on a 5000 series firewall.  You should refine the filter to decrease the number of sessions being captured or logged to reduce the rate.

Thanks,

-- Kevin

sebastian
L0 Member
In response to kfindlen

‎11-27-2012 05:39 AM

Hello Kevin,

sorry sent the wrong screenshot.

The filter is/was on.

But I tried that now again to doublecheck, same issue.

It seems that the packet filtering doesnt work.

Take a look at the counter:

show counter global filter packet-filter yes

Global counters:

Elapsed time since last sampling: 205.860 seconds

name                                   value     rate severity  category  aspect    description

--------------------------------------------------------------------------------

pkt_recv                            14991383    27660 info      packet    pktproc   Packets received

pkt_sent                               60788      103 info      packet    pktproc   Packets transmitted

In the releasenotes for 4.1.9 there is an issue solved, maybe thats my problem.
• 41347 – Packet capture filters were not filtering information accurately. The fix ensures that the pcap filters match the criteria defined on the device and accurately capture all relevant frames in the session.


Sebastian

0 Likes Likes
  • 2941 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks