PA 5220 Packet Descriptor Max value

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

PA 5220 Packet Descriptor Max value

Cyber Elite
Cyber Elite

 

When I run show running resource monitor. I see packet descriptor max value most of time above 80 like

 

in 90's. sometimes 100 100.

 

Packet descriptor average value is still under 80.

We have ssl decryption enabled on the  PA.

Also we have decrypt mirror configured.

 

What can be reason that packet descriptor is going over 90 so often?

 

 

Mike

 

 

 

MP

Help the community: Like helpful comments and mark solutions.
1 accepted solution

Accepted Solutions

Opened case with PA as per them

 

we should not worry about Spike of Packet descriptor to 100%.

Worry about DP avergage cpu it it goes over 80% for extended period of time.

 

Q: Also any reason you know what can cause the PD spike to 100%?
A: The high DP (Dataplane) can be cause application usage, so we need to look at traffic patterns, in your case, the past 5 hours to understand spikes to 100%.

MP

Help the community: Like helpful comments and mark solutions.

View solution in original post

8 REPLIES 8

Cyber Elite
Cyber Elite

@MP18 

We would really need to dive into your setup, logs, and possibly netflow data to determine this with any real certainty. The only thing effecting your descriptor count would be the additional buffer and descriptor allocation happening for your decrypt mirror configuration.  

We have netflow configured in solar.

When i check the decrypt mirror port it is 10gig and i see no errors.

 

When you say below

The only thing effecting your descriptor count would be the additional buffer and descriptor allocation happening for your decrypt mirror configuration.

 

For this should i configure the netflow for the decrypt mirror port?

 

Regards

Mike

MP

Help the community: Like helpful comments and mark solutions.

Also let me know what next step i can take to isolate this?

MP

Help the community: Like helpful comments and mark solutions.

@MP18,

So I wouldn't get too hung up on the decrypt mirror port; I simply meant that to mean that you have increased load across your device and the additional load by configuring a decrypt mirror isn't helping things. 

You'll need to try and see exactly what is causing your traffic load to spike and if its legitimate traffic that needs to be processed or something behaving poorly; it's quite possible that at times your device is simply under stress, and if you still average below 80% I wouldn't be overly concerned about it unless it starts causing issues. 

 

To attempt to see what is flooding in while you notice the descriptor issue, you'll need to monitor what traffic is actually going across the device. Netflow certainly helps with that if you already have it configured, but you could also utilize the Chrome extension pan(w)achrome to see if you can spot where traffic is high to narrow down your search to a particular zone or interface so you have less information to search through.

 

What version of PAN-OS are you actually running; there have been plenty of software issues where you can see high descriptor counts due to bugs that you may be running into. 

It is always pleasure to read you posts.

We are running PAN OS 8.1.9.

 

For Company users  accessing Internet 

 

we have INT. and EXT. zone.  on each separate  physical interface 

We have one Internal Zone for our Corp Users and all Internet traffic for users flow via this.

 

 

Two separate Zone for Guest Internet traffic on separate  ISP connection.

Top used rule is Corp Internal users accessing internet  on port 80 and 443.

This rule is mostly used.

 

Any idea how can I narrow it down if I know the mostly used rule?

Also is it possible to get the email when Packet descriptor runs 100%

 

 

 

 

 

MP

Help the community: Like helpful comments and mark solutions.

@MP18,

I don't believe that the descriptor hitting 100% is something you can get an email for at the moment; likewise knowing the rule doesn't really tell you anything about why your buffer and descriptor would be rising. You might want to reach out to support and see if there is any additional logging they can enable to tell you exactly what is using the available descriptors.

Here is last 7 days reports of Packet Descriptor

 

Resource utilization (%) during last 7 days:
session (average):
1 1 2 2 2 2 2
session (maximum):
1 2 3 3 3 4 3
packet buffer (average):
1 1 1 1 1 1 1
packet buffer (maximum):
8 7 6 82 3 26 9
packet descriptor (average):
0 0 0 1 1 1 1
packet descriptor (maximum):
1 2 3 5 5 4 5
packet descriptor (on-chip) (average):
3 3 4 4 4 4 4
packet descriptor (on-chip) (maximum):
100 100 99 100 60 100 91

 

Will check with out SE

MP

Help the community: Like helpful comments and mark solutions.

Opened case with PA as per them

 

we should not worry about Spike of Packet descriptor to 100%.

Worry about DP avergage cpu it it goes over 80% for extended period of time.

 

Q: Also any reason you know what can cause the PD spike to 100%?
A: The high DP (Dataplane) can be cause application usage, so we need to look at traffic patterns, in your case, the past 5 hours to understand spikes to 100%.

MP

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 7034 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!