04-03-2025 01:12 AM - edited 04-03-2025 01:15 AM
I am running a set of vm-series VMs on Azure. From time to time there is packet loss for traffic going through one of these VMs, I am trying to find a metric to monitor that.
I could not find a metric exposed through SNMP, but looking at the global counters that increase during TCP retransmission, I found "tcp_case_2" global counter seems to match. I could not find any documentation about it:
admin@PA-VM(active)> show counter global name tcp_case_2
Name: tcp_case_2
Value: 0
Severity: Informational
Category: tcp
Aspect: pktproc
Description: tcp reassembly case 2this counter looks to match the TCP retransmissions that hit the reassembly process, from the debug logs:
admin@PA-VM(active)> grep pattern rcv_nxt=4147433711 mp-log pan_task_1.log
2025-04-02 01:12:44.751 +0200 debug: pan_tcp_reass(pan_reass.c:3448): REASS: session=11 in seq seqno=4147433709 tcplen=2 rcv_nxt=4147433711
2025-04-02 01:12:44.959 +0200 debug: pan_tcp_reass(pan_reass.c:3457): REASS: session=11 in seqno=4147433709 rcv_nxt=4147433711 size of oo_q[0].=0
2025-04-02 01:12:44.959 +0200 debug: pan_tcp_reass(pan_reass.c:3570): REASS: session=11 case 2 seqno=4147433709 tcplen=2 rcv_nxt=4147433711
2025-04-02 01:12:45.167 +0200 debug: pan_tcp_reass(pan_reass.c:3457): REASS: session=11 in seqno=4147433709 rcv_nxt=4147433711 size of oo_q[0].=0
2025-04-02 01:12:45.167 +0200 debug: pan_tcp_reass(pan_reass.c:3570): REASS: session=11 case 2 seqno=4147433709 tcplen=2 rcv_nxt=4147433711
2025-04-02 01:12:45.575 +0200 debug: pan_tcp_reass(pan_reass.c:3457): REASS: session=11 in seqno=4147433709 rcv_nxt=4147433711 size of oo_q[0].=0
2025-04-02 01:12:45.575 +0200 debug: pan_tcp_reass(pan_reass.c:3570): REASS: session=11 case 2 seqno=4147433709 tcplen=2 rcv_nxt=4147433711
2025-04-02 01:12:46.407 +0200 debug: pan_tcp_reass(pan_reass.c:3457): REASS: session=11 in seqno=4147433709 rcv_nxt=4147433711 size of oo_q[0].=0
2025-04-02 01:12:46.407 +0200 debug: pan_tcp_reass(pan_reass.c:3570): REASS: session=11 case 2 seqno=4147433709 tcplen=2 rcv_nxt=4147433711
2025-04-02 01:12:48.071 +0200 debug: pan_tcp_reass(pan_reass.c:3457): REASS: session=11 in seqno=4147433709 rcv_nxt=4147433711 size of oo_q[0].=0
2025-04-02 01:12:48.071 +0200 debug: pan_tcp_reass(pan_reass.c:3570): REASS: session=11 case 2 seqno=4147433709 tcplen=2 rcv_nxt=4147433711
2025-04-02 01:12:51.335 +0200 debug: pan_tcp_reass(pan_reass.c:3457): REASS: session=11 in seqno=4147433709 rcv_nxt=4147433711 size of oo_q[0].=0
2025-04-02 01:12:51.335 +0200 debug: pan_tcp_reass(pan_reass.c:3570): REASS: session=11 case 2 seqno=4147433709 tcplen=2 rcv_nxt=4147433711the same packet was seen multiple times, and a "case 2" is logged when it's already been seen before.
Is there some documentation on what tcp_case_2 counter means?
Could we have this exposed through SNMP?
04-08-2025 04:37 AM
Hi @frigault ,
As far as I know this is a drop due to an error in reassembly:
If a SYN packet goes through the Palo Alto Networks firewall, but SYN-ACK never goes through the firewall and the firewall receives an ACK. The firewall will drop the packets because of a failure in the TCP reassembly.
Source:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhsCAC
Are you possibly running into this issue ?
https://live.paloaltonetworks.com/t5/general-topics/tcp-fast-open-and-palo-alto/td-p/586608
Hope this helps,
Kim.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
