dp-monitor.log entry meanings?


L4 Transporter

We are running 8.1.4 on a pair of 820's, and have been having some issues with certain traffic. After some help and digging, we are seeing random hits (entry below) for the Max % utilization of 100% in one part of the file, but NOT on show running resource monitor OR SNMP. The Avg hovers around 4-20%. When I watch the GUI, or Pan(w)achrome, I never see the data plane spike over 5-20%. It never hits 100%. However, I do see the (entry below) in the "tail follow yes mp-log dp-monitor.log". SNMP shows no spikes on the data plane, polling the OID of 1.3.6.1.2.1.25.3.3.1.2.2 shows no spikes in the DP CPU, and a "show running resource monitor" shows no spikes. Output below


2019-01-24 16:50:02.340 -0600 --- cpu
Last 180 seconds
Avg (%) Max (%)
1 3
Load Avg:
4.01 4.20 4.39 5/704 27550
-----------------------------

2019-01-24 16:53:02.360 -0600 --- cpu
Last 180 seconds
Avg (%) Max (%)
20 100
Load Avg:
4.42 4.23 4.37 5/705 28123

 

(show running resource monitor below)

 

CPU load (%) during last 5 minutes:
core 0 1 2 3 4 5 6 7
avg max avg max avg max avg max avg max avg max avg max avg max
* * 0 0 1 1 0 0 0 0 * * * * * *
* * 0 0 1 1 0 0 0 0 * * * * * *
* * 0 0 1 1 0 0 0 0 * * * * * *
* * 0 1 1 1 0 0 0 0 * * * * * *
* * 0 0 1 1 0 0 0 0 * * * * * *

Resource utilization (%) during last 5 minutes:
session (average):
0 0 0 0 0
session (maximum):
0 0 0 0 0
packet buffer (average):
0 0 0 0 0
packet buffer (maximum):
0 0 0 0 0
packet descriptor (average):
0 0 0 0 0
packet descriptor (maximum):
0 0 0 0 0
packet descriptor (on-chip) (average):
5 5 5 5 5
packet descriptor (on-chip) (maximum):
5 5 5 5 5

 

What am I missing here, and what are the first two entries for the Last 180 seconds, as I'm unable to correlate that with the "show running resource monitor minute/second last" cmd over that same time period for utilization.

 

3 REPLIES

Cyber Elite

Start by turning on high DP log.

 

Device > Setup > Logging and Reporting Settings > Log Export and Reporting
Check "Enable Log on High DP Load"

 

This will log an event into the System log when the DP is under load.

Then you can try to find a pattern or correlate with traffic going through the firewall at that time.

Unknown traffic is heavy on the dataplane, so if you have backup traffic that encrypts packets that the fw can't inspect, it might make sense to create an application override for it, etc.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yup, did that already, never saw an entry in the GUI for high data plane. However, I can go back in the dp-monitor.log and verify that there were multiple times where the MAX% under the "Last 180 seconds" was at 100%, but the AVG is way lower.

 

 

Is this indeed saying that the DP processor was at 100%?

Maybe those links will help a bit.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVpCAK

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRTCA0

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
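
Added example, not part of the thread and not Palo Alto Networks code: one way to pull the "Last 180 seconds" cpu blocks out of dp-monitor.log text and list the windows where Max reached 100% while Avg stayed low, so their time ranges can be compared with other data. The block layout is assumed from the two entries in the question; the function names and thresholds are hypothetical.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the two entries from the question, same layout.
SAMPLE = """\
2019-01-24 16:50:02.340 -0600 --- cpu
Last 180 seconds
Avg (%) Max (%)
1 3
Load Avg:
4.01 4.20 4.39 5/704 27550
-----------------------------

2019-01-24 16:53:02.360 -0600 --- cpu
Last 180 seconds
Avg (%) Max (%)
20 100
Load Avg:
4.42 4.23 4.37 5/705 28123
"""

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d{4}) --- cpu$")
WINDOW = re.compile(r"^Last (\d+) seconds$")
VALUES = re.compile(r"^(\d+)\s+(\d+)$")

def parse_cpu_blocks(text):
    """Return one dict per '--- cpu' block (layout assumed from the thread)."""
    blocks, cur, prev = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            cur = {"end": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f %z")}
        elif cur and (m := WINDOW.match(line)):
            cur["window_s"] = int(m.group(1))
        elif cur and prev.startswith("Avg (%)"):
            m = VALUES.match(line)
            if m and "window_s" in cur:  # skip truncated or malformed blocks
                cur["avg"], cur["max"] = int(m.group(1)), int(m.group(2))
                cur["start"] = cur["end"] - timedelta(seconds=cur["window_s"])
                blocks.append(cur)
            cur = None
        prev = line
    return blocks

def short_spikes(blocks, max_at_least=100, avg_below=50):
    """Windows whose Max hit the threshold while Avg stayed low."""
    return [b for b in blocks if b["max"] >= max_at_least and b["avg"] < avg_below]

if __name__ == "__main__":
    for b in short_spikes(parse_cpu_blocks(SAMPLE)):
        print(f"{b['start']:%H:%M:%S} to {b['end']:%H:%M:%S %z} avg={b['avg']} max={b['max']}")
```

Each reported start/end pair is the window covered by that log entry, which gives a concrete time range to compare against the System log and traffic logs as suggested in the reply above.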