07-28-2021 03:37 PM - edited 07-28-2021 03:41 PM
What are the reasons we don't see transmit or drop in capture, while the traffic log shows traffic is allowed to/from the correct zones, and TCP as age-out in the logs? Packets only show in the receive/firewall stage. Also, checking flow basic, I do not see the packet at the forwarding stage, although another firewall with the same routes/policies and just different IPs works fine.
----------------------------------------------------------------
== 2021-07-28 15:31:42.692 -0700 ==
Packet received at ingress stage, tag 0, type ORDERED
Packet info: len 62 port 16 interface 16 vsys 1
wqe index 22530 packet 0x0xc00f5bb440, HA: 0, IC: 0
Packet decoded dump:
L2: c0:d6:82:94:8a:81->00:0d:3a:e9:20:40, type 0x0800
IP: 172.23.5.4->172.23.4.6, protocol 6
version 4, ihl 5, tos 0x00, len 48,
id 7359, frag_off 0x4000, ttl 128, checksum 53372(0x7cd0)
TCP: sport 29701, dport 91, seq 2582910416, ack 0,
reserved 0, offset 7, window 8192, checksum 56811,
flags 0x02 ( SYN), urgent data 0, l4 data len 0
TCP option:
00000000: 02 04 05 8a 01 01 04 02 ........
Flow lookup, key word0 0x60001005b7405 word1 0 word2 0x40517acffff0000 word3 0x0 word4 0x60417acffff0000
* Dos Profile NULL (NO) Index (0/0) *
Session setup: vsys 1
No active flow found, enqueue to create session
== 2021-07-28 15:31:42.692 -0700 ==
Packet received at slowpath stage, tag 1409011658, type ATOMIC
Packet info: len 62 port 16 interface 16 vsys 1
wqe index 22530 packet 0x0xc00f5bb440, HA: 0, IC: 0
Packet decoded dump:
L2: c0:d6:82:94:8a:81->00:0d:3a:e9:20:40, type 0x0800
IP: 172.23.5.4->172.23.4.6, protocol 6
version 4, ihl 5, tos 0x00, len 48,
id 7359, frag_off 0x4000, ttl 128, checksum 53372(0x7cd0)
TCP: sport 29701, dport 91, seq 2582910416, ack 0,
reserved 0, offset 7, window 8192, checksum 56811,
flags 0x02 ( SYN), urgent data 0, l4 data len 0
TCP option:
00000000: 02 04 05 8a 01 01 04 02 ........
Session setup: vsys 1
Session setup: ingress interface ethernet1/1 egress interface ethernet1/1 (zone 1)
NAT policy lookup, matched rule index 4
Destination NAT, translated IP 172.22.20.5
PBF lookup (vsys 1) with application none
Session setup: egress zone 2 for natted IP
Translated IP in zone 2, egress id 17
Policy lookup, matched rule index 3,
TCI_INSPECT: Do TCI lookup policy - appid 0
Allocated new session 8181.
set exclude_video in session 8181 0xe1438d3f80 0 from work 0xe056915800 0
Rule: index=4 name=APPGTW-TEST-SITES-443, cfg_pool_idx=3 cfg_fallback_pool_idx=0
NAT Rule: name=APPGTW-TEST-SITES-443, cfg_pool_idx=3; Session: index=8181, nat_pool_idx=3
Packet matched vsys 1 NAT rule 'APPGTW-TEST-SITES-443' (index 5),
source translation 172.23.5.4/29701 => 172.23.68.6/59704
destination translation 172.23.4.6/91 => 172.22.20.5/443
Created session, enqueue to install. work 0xe056915800 exclude_video 0,session 8181 0xe1438d3f80 exclude_video 0
* Dos Profile NULL (NO) Index (0/0) *
== 2021-07-28 15:31:42.693 -0700 ==
Packet received at fastpath stage, tag 8181, type ATOMIC
Packet info: len 62 port 16 interface 16 vsys 1
wqe index 22530 packet 0x0xc00f5bb440, HA: 0, IC: 0
Packet decoded dump:
L2: c0:d6:82:94:8a:81->00:0d:3a:e9:20:40, type 0x0800
IP: 172.23.5.4->172.23.4.6, protocol 6
version 4, ihl 5, tos 0x00, len 48,
id 7359, frag_off 0x4000, ttl 128, checksum 53372(0x7cd0)
TCP: sport 29701, dport 91, seq 2582910416, ack 0,
reserved 0, offset 7, window 8192, checksum 56811,
flags 0x02 ( SYN), urgent data 0, l4 data len 0
TCP option:
00000000: 02 04 05 8a 01 01 04 02 ........
Flow fastpath, session 8181 c2s (set work 0xe056915800 exclude_video 0 from sp 0xe1438d3f80 exclude_video 0)
IP checksum valid
* Dos Profile NULL (NO) Index (0/0) *
* Dos Profile NULL (NO) Index (0/0) *
2021-07-28 15:31:42.693 -0700 pan_flow_process_fastpath(src/pan_flow_proc.c:4022): SESSION-DSCP: set session DSCP: 0x00
NAT session, run address/port translation
Syn Cookie: pan_reass(Init statete): c2s:0 c2s:nxtseq 2582910417 c2s:startseq 2582910417 c2s:win 0 c2s:st 3 c2s:newsyn 0 :: s2c:nxtseq 0 s2c:startseq 0 s2c:win 8192 s2c:st 0 s2c:newsyn 0 ack 0 nosyn 0 plen 0
CP-DENY TCP non data packet getting through
Forwarding lookup, ingress interface 16
L3 mode, virtual-router 2
Route lookup in virtual-router 2, IP 172.22.20.5
Route found, interface ethernet1/2, zone 2, nexthop 172.23.68.1
Resolve ARP for IP 172.23.68.1 on interface ethernet1/2
ARP entry found on interface 17
Transmit packet size 48 on port 17
07-29-2021 03:50 AM
it's sending packets out: Transmit packet size 48 on port 17
try adjusting your filter like this:
1. ip1 to ip2
2. ip3 to ip4
3. ip4 to ip3
4. ip2 to ip1
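The two things being worked out in this thread are (a) how far a packet got in the flow basic trace (ingress, slowpath, fastpath, and finally a "Transmit packet" line) and (b) why a capture filter has to cover both the pre-NAT and post-NAT address pairs in both directions, which is what the four filters above are. The following is an added example, not code from the original post or from Palo Alto Networks: it parses an abridged copy of the flow basic output quoted in this thread (constructed sample input, only the lines the parser needs), reports the last stage the packet reached and whether it was transmitted, and derives the four (src, dst) capture filter pairs from the "source translation"/"destination translation" lines. The regular expressions assume the line formats exactly as they appear in the trace above.

```python
import re

# Constructed sample input: an abridged copy of the "flow basic" output
# quoted in this thread, keeping only the lines the parser looks at.
FLOW_BASIC = """\
== 2021-07-28 15:31:42.692 -0700 ==
Packet received at ingress stage, tag 0, type ORDERED
IP: 172.23.5.4->172.23.4.6, protocol 6
No active flow found, enqueue to create session
== 2021-07-28 15:31:42.692 -0700 ==
Packet received at slowpath stage, tag 1409011658, type ATOMIC
Packet matched vsys 1 NAT rule 'APPGTW-TEST-SITES-443' (index 5),
source translation 172.23.5.4/29701 => 172.23.68.6/59704
destination translation 172.23.4.6/91 => 172.22.20.5/443
== 2021-07-28 15:31:42.693 -0700 ==
Packet received at fastpath stage, tag 8181, type ATOMIC
Forwarding lookup, ingress interface 16
Route found, interface ethernet1/2, zone 2, nexthop 172.23.68.1
Transmit packet size 48 on port 17
"""

# Line formats as they appear in the thread's trace (assumed stable).
STAGE_RE = re.compile(r"^Packet received at (\w+) stage")
IP_RE = re.compile(r"^IP: (\S+)->(\S+), protocol")
NAT_RE = re.compile(r"^(source|destination) translation (\S+)/(\d+) => (\S+)/(\d+)")


def parse_flow_basic(text):
    """Walk one packet's flow basic trace.

    Returns (stages, pre_nat, post_nat, transmitted):
      stages      - ordered list of 'Packet received at ... stage' names
      pre_nat     - (src_ip, dst_ip) as the packet arrived
      post_nat    - (src_ip, dst_ip) after any source/destination translation
      transmitted - True only if a 'Transmit packet' line was logged, i.e. the
                    packet actually left the forwarding stage
    """
    stages = []
    pre_src = pre_dst = None
    post_src = post_dst = None
    transmitted = False
    for line in text.splitlines():
        if m := STAGE_RE.match(line):
            stages.append(m.group(1))
        elif (m := IP_RE.match(line)) and pre_src is None:
            # First decoded IP header is the packet as it arrived (pre-NAT).
            pre_src, pre_dst = m.groups()
        elif m := NAT_RE.match(line):
            kind, _orig_ip, _orig_port, xlat_ip, _xlat_port = m.groups()
            if kind == "source":
                post_src = xlat_ip
            else:
                post_dst = xlat_ip
        elif line.startswith("Transmit packet"):
            transmitted = True
    # A direction with no translation keeps its original address.
    post_nat = (post_src or pre_src, post_dst or pre_dst)
    return stages, (pre_src, pre_dst), post_nat, transmitted


def capture_filters(pre_nat, post_nat):
    """Derive the four (src, dst) capture filters listed in the reply:
    pre-NAT c2s, post-NAT c2s, post-NAT s2c, pre-NAT s2c.
    Duplicates are dropped, so a flow with no NAT yields only two filters."""
    ip1, ip2 = pre_nat
    ip3, ip4 = post_nat
    ordered = [(ip1, ip2), (ip3, ip4), (ip4, ip3), (ip2, ip1)]
    seen, result = set(), []
    for pair in ordered:
        if pair not in seen:
            seen.add(pair)
            result.append(pair)
    return result


def diagnose(stages, transmitted):
    """One-line verdict on the thread's question: did the packet reach the
    forwarding stage and get transmitted, or did the trace stop earlier?"""
    last = stages[-1] if stages else "none"
    if transmitted:
        return f"transmitted after {last} stage"
    return f"last seen at {last} stage, never transmitted"


if __name__ == "__main__":
    stages, pre, post, tx = parse_flow_basic(FLOW_BASIC)
    print("stages:", " -> ".join(stages))
    print("verdict:", diagnose(stages, tx))
    for src, dst in capture_filters(pre, post):
        print(f"filter: {src} -> {dst}")
```

Run against a trace where the "Transmit packet" line is missing (the situation described in the question), the verdict reports the last stage that did appear, which is the line to look at when comparing against a working firewall. The filter list is the set to configure in the packet capture so that the receive, firewall, and transmit stages all match the flow regardless of which side of the NAT the capture stage sees.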
07-29-2021 11:59 PM
@reaper I found the issue with custom routes in Azure: traffic was sent by the internal interface of PA1 but received by PA2. After the fix I was able to see normal traffic. Would this be the reason for not seeing the forwarding stage? It's a bit hard to troubleshoot such issues in the cloud.
05-26-2022 01:11 PM
Hi Raji,
Can you explain what the cause of this issue was? We are experiencing the same.
06-10-2022 02:09 PM
@lealr1 For us it was an issue with id-manager, and we had to reset it:
debug device-server reset id-manager type all