01-08-2013 12:34 AM
Hi folks,
By chance (okay, we were troubleshooting another issue) we found a potentially strange issue on our active PA-2050 (there is a secondary (HA passive) PA-2050 in place as well).
1) We issue the following command on the prompt: show counter global filter delta yes severity drop
2) We get the following output:
Global counters:
Elapsed time since last sampling: 561.912 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_rcv_err 8 0 drop flow parse Packets dropped: flow stage receive error
flow_rcv_dot1q_tag_err 120 0 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 120 0 drop flow parse Packets dropped: invalid interface
flow_ipv6_disabled 234 0 drop flow parse Packets dropped: IPv6 disabled on interface
flow_policy_deny 3560 6 drop flow session Session setup: denied by policy
flow_tcp_non_syn_drop 1144 2 drop flow session Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop 26653 47 drop flow forward Packets dropped: no route for IP multicast
flow_parse_l4_tcpfin 1 0 drop flow parse Packets dropped: invalid TCP flags (FIN only)
flow_parse_l4_tcpsynfin 7 0 drop flow parse Packets dropped: invalid TCP flags (SYN+FIN+*)
flow_action_close 506 0 drop flow pktproc TCP sessions closed via injecting RST
flow_host_service_deny 13 0 drop flow mgmt Device management session denied
flow_host_service_unknown 26654 47 drop flow mgmt Session discarded: unknown application to control plane
flow_host_ha_encap_err 465431 828 drop flow mgmt Packets dropped: encapsulation error to control plane's HA agent
flow_lion_rcv_err 8 0 drop flow offload Packets dropped: receive error from offload processor
appid_lookup_invalid_flow 1 0 drop appid pktproc Packets dropped: invalid session state
tcp_drop_decrypt_packets 43 0 drop tcp pktproc number of decrypted packets get dropped
proxy_url_request_pkt_drop 2 0 drop proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
url_request_pkt_drop 91 0 drop url pktproc The number of packets get dropped because of waiting for url category request
--------------------------------------------------------------------------------
Total counters shown: 18
--------------------------------------------------------------------------------
What concerns us is the line marked red above. It looks like it's abnormal... Does anyone have a clue how we could troubleshoot this issue to find the cause for it? We don't see any System logs indicating a problem with HA... The Switch ports look good (all interfaces in 1000 FD mode and 0 errors/discards, etc.).
The HA settings (active/passive mode) are attached.
Thanks a lot!
Oliver
01-08-2013 12:38 AM
The output in the main post shows only the delta rate; the output below shows the absolute value, and it looks quite high...
PAN(active)> show counter global | match flow_host_ha_encap_err
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_host_ha_encap_err 2039219767 841 drop flow mgmt Packets dropped: encapsulation error to control plane's HA agent
01-08-2013 01:06 AM
What do your packet forwarding settings for HA look like? Do you have primary device or first packet? Can you switch this option and see if that makes any difference? Also, how is your HA2 set up? Is it L2 Ethernet or L3? Can you make it L3 if it is not already and see if it makes any difference?
-Sandeep
01-08-2013 01:16 AM
We don't have a packet forwarding setting in active/passive mode. I think this option is only available in active/active mode.
The HA2 is currently set up with "ethernet" as transport. I'll change it to L3 next Sunday (maintenance window) and report back when done. Thanks for the hint!
-Oliver
01-08-2013 01:20 AM
My bad, I saw the words "secondary device" and thought this was an active/active setup. Just give it a shot: change the mode to L3 on the HA2 interface.
01-13-2013 04:24 AM
That's it. I just tested it with "IP" as transport type and the errors are gone. Thanks a lot for your help.
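Added example, not part of the thread and not Palo Alto Networks code: a Python parser for the `show counter global filter delta yes severity drop` output quoted in the first post, reporting which drop counter dominates the sampling window. The function names and the 50% share threshold are assumptions; the sample rows are a subset copied from that post.

```python
import re
from typing import NamedTuple

class Counter(NamedTuple):
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str

# Subset of the rows quoted in the first post of this thread.
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 561.912 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_deny 3560 6 drop flow session Session setup: denied by policy
flow_fwd_l3_mcast_drop 26653 47 drop flow forward Packets dropped: no route for IP multicast
flow_host_service_unknown 26654 47 drop flow mgmt Session discarded: unknown application to control plane
flow_host_ha_encap_err 465431 828 drop flow mgmt Packets dropped: encapsulation error to control plane's HA agent
url_request_pkt_drop 91 0 drop url pktproc The number of packets get dropped because of waiting for url category request
--------------------------------------------------------------------------------
Total counters shown: 18
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
ELAPSED = re.compile(r"Elapsed time since last sampling:\s*([\d.]+)")

def parse_counters(text):
    """Return (elapsed_seconds, [Counter, ...]) parsed from the CLI text."""
    elapsed, rows = None, []
    for line in text.splitlines():
        m = ELAPSED.match(line)
        if m:
            elapsed = float(m.group(1))
            continue
        m = ROW.match(line.strip())
        if m:  # header, rulers and the "Total counters" line never match
            n, v, r, sev, cat, asp, desc = m.groups()
            rows.append(Counter(n, int(v), int(r), sev, cat, asp, desc))
    return elapsed, rows

def dominant_drops(rows, share=0.5):
    """Names of counters holding at least `share` of all drops in the window."""
    total = sum(c.value for c in rows)
    return [c.name for c in rows if total and c.value / total >= share]
```

In these sample rows the `rate` column equals `value` divided by the elapsed seconds, truncated, so a large delta over a short window shows up directly in the rate.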