Dropped traffic - no log

L4 Transporter

Hey,

Setup:

LAN network on interface eth1/2, security device on interface eth1/3 and vpn on interface tunnel.1.

Zone L3-LAN contains eth1/2

Zone L3-VPN contains eth1/3 and tunnel.1

Traffic flow:

A client in the LAN sends a packet to a device behind the VPN tunnel. A PBF rule is in place so that traffic originating from eth1/2 to a network behind the VPN is first sent to a security device (eth1/3). This security device sends the exact same packet back to the Palo Alto, which should route it through the tunnel.

A security rule is in place to allow traffic from L3-LAN to L3-VPN.

If I have not yet created a rule allowing traffic from L3-VPN to L3-VPN, the traffic is blocked and visible in the traffic monitor!

When I create a rule to allow the traffic, I see no logs in the traffic monitor anymore! (And the traffic does not go into the tunnel)

When I check the global counters:

When I perform a debug flow basic, this is the only entry I get, multiple times:

---__pan_debug_tag=2---pan_sys_up_ticks=3602846579449316---
Cannot de-NAT v4 packet, no port match

When I create a new zone L3-SEC so I have the following:

Zone L3-LAN contains eth1/2

Zone L3-SEC contains eth1/3

Zone L3-VPN contains tunnel.1

and adjust my policy rulebase, it all works fine.

Can someone explain this behavior?

Thanks in advance!

Kind regards,

Bob

2 REPLIES

L4 Transporter

Here are some good tips on debugging packet drops

1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:

Navigate to Monitor--Packet Capture

Click 'Manage Filters'

Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected (leave all other fields blank)

Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)

2. Set up the captures

Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)

3. Enable filters and captures

debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture on

4. open 2 CLI windows

On the 1st window run the following command to look at the counters (make sure to run this command once before running the traffic):

show counter global filter packet-filter yes delta yes

On the 2nd window run the following command to look at the sessions:

show session all filter source <ip address> destination <ip address>

After your test has been done, stop all the captures and filters and see if the global counters show you anything about why it is dropping the traffic, or if you are getting a pcap at the drop stage.

This will help you narrow down the issue.

Let us know if this helps you resolve the issue.

The result of my show counter global did not get in my post for some reason:

> show counter global filter delta yes packet-filter yes

Global counters:
Elapsed time since last sampling: 22.240 seconds

name                                   value     rate severity  category aspect    description
--------------------------------------------------------------------------------
pkt_recv                                9952      447 info      packet pktproc   Packets received
pkt_sent                                 100        4 info      packet pktproc   Packets transmitted
pkt_outstanding                          100        4 info      packet pktproc   Outstanding packet to be transmitted
flow_rcv_dot1q_tag_err                     9        0 drop      flow parse     Packets dropped: 802.1q tag not configured
flow_no_interface                          9        0 drop      flow parse     Packets dropped: invalid interface
flow_host_pkt_rcv                        107        4 info      flow mgmt      Packets received from control plane
flow_host_pkt_xmt                        100        4 info      flow mgmt      Packets transmitted to control plane
flow_host_ha_encap_err                    14        0 drop      flow mgmt      Packets dropped: encapsulation error to control plane's HA agent
ha_msg_recv                               14        0 info      ha system    HA: messages received
ha_err_decap                              14        0 error     ha system    Packets dropped: HA message decapsulation error
--------------------------------------------------------------------------------
Total counters shown: 10
--------------------------------------------------------------------------------

The packet capture did not show any useful information.

My issue has already been resolved as mentioned in my post, by creating a third zone.

Kind regards,

Bob
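The reply above suggests reading the `show counter global ... delta yes` output to find out why traffic is dropped, and the poster's output is long enough that the drop and error rows are easy to miss among the info rows. The following is an added example, not code from the thread or from Palo Alto Networks: a small standard-library Python parser that turns that CLI output into records and pulls out the counters with `drop` or `error` severity, using the counter output posted in this thread as its sample input. The column layout it assumes (name, value, rate, severity, category, aspect, description) is the one shown in the post; any other firmware format would need the regex adjusted.

```python
"""Parse PAN-OS 'show counter global' output and surface drop/error counters.

Added example for the thread above; not a Palo Alto Networks tool. Uses only
the standard library and the column layout visible in the posted output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Counter output exactly as posted in the thread (sample input, not live data).
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 22.240 seconds
name                                   value     rate severity  category aspect    description
--------------------------------------------------------------------------------
pkt_recv                                9952      447 info      packet pktproc   Packets received
pkt_sent                                 100        4 info      packet pktproc   Packets transmitted
pkt_outstanding                          100        4 info      packet pktproc   Outstanding packet to be transmitted
flow_rcv_dot1q_tag_err                     9        0 drop      flow parse     Packets dropped: 802.1q tag not configured
flow_no_interface                          9        0 drop      flow parse     Packets dropped: invalid interface
flow_host_pkt_rcv                        107        4 info      flow mgmt      Packets received from control plane
flow_host_pkt_xmt                        100        4 info      flow mgmt      Packets transmitted to control plane
flow_host_ha_encap_err                    14        0 drop      flow mgmt      Packets dropped: encapsulation error to control plane's HA agent
ha_msg_recv                               14        0 info      ha system    HA: messages received
ha_err_decap                              14        0 error     ha system    Packets dropped: HA message decapsulation error
--------------------------------------------------------------------------------
Total counters shown: 10
--------------------------------------------------------------------------------
"""


@dataclass
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


# One data row: name, integer value, integer rate, then three words and free text.
# The header row does not match because "value" is not an integer.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
ELAPSED = re.compile(r"Elapsed time since last sampling:\s+([\d.]+)\s+seconds")


def parse_counters(text: str) -> List[Counter]:
    """Return every counter row found in the CLI output, in order."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, separator, header or total line
        name, value, rate, sev, cat, asp, desc = m.groups()
        rows.append(Counter(name, int(value), int(rate), sev, cat, asp, desc.strip()))
    return rows


def elapsed_seconds(text: str) -> Optional[float]:
    """Sampling interval the 'delta yes' values refer to, if present."""
    m = ELAPSED.search(text)
    return float(m.group(1)) if m else None


def drop_counters(counters: List[Counter]) -> List[Counter]:
    """Counters that explain discarded packets: severity 'drop' or 'error'."""
    return [c for c in counters if c.severity in ("drop", "error")]


if __name__ == "__main__":
    counters = parse_counters(SAMPLE)
    print(f"{len(counters)} counters over {elapsed_seconds(SAMPLE)} s")
    for c in drop_counters(counters):
        print(f"{c.name:28} {c.value:>6} {c.severity:5} {c.category}/{c.aspect}  {c.description}")
```

Run against the output posted in this thread it reports four drop/error counters: the two `flow parse` ones (802.1q tag, invalid interface) and the two HA ones. None of them is a flow, session or NAT counter for the filtered LAN-to-VPN traffic, which matches the poster's observation that the counters did not point at the cause. The `delta yes` values are relative to the sampling interval on the "Elapsed time" line, so the interval is parsed too; comparing a run taken before traffic with one taken after is the comparison the reply recommends.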
