PA dropping packets on their return path

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA dropping packets on their return path

L3 Networker

Hi

I have a simple L3 setup.

E1/1 connected to a router (default gateway to the internet). IP 192.168.119.2, untagged Zone VLAN1

E1/2.2 connected to a switch (VLAN 2 tagged). IP 10.2.2.1 (default gateway for the 10.2.2.0/24 network), Zone VLAN2

I have a default allow all rule, no nat (VLAN2 to VLAN1)

A ping from 10.2.2.51 to 8.8.8.8 doesn't work, so I started troubleshooting.

Monitor shows 10.2.2.51 to 8.8.8.8, Application "ping" allow

It does not mention any drops.

I did a tcp dump on the internet gateway and I do see request and reply getting in and out. All correct source / destination.

I did a tcp dump on the PA. I see the following in the 4 pcap files:

Receive: Echo request and reply

Transmit: only Echo Request

Firewall: Echo Request and reply

Drop: Echo reply

So, the question which drives me crazy is: Why is the PA dropping the echo reply packets and why is it not telling me that it has done so?

Thanks a lot in advance.

Andre

1 accepted solution

Accepted Solutions

While I'm confident, that the problem is in my clan configuration, I juts can't get it to work.

I've read the admin guide and several docs here but nothing fits.

Attached is my config ,maybe someone is so kind to bring some light in my dark?

Only traffic out of VLAN2 will reach the PA. VLAN 1 Traffic is bypassing the PA (VLAN1 blocked on the switch Trunk to the PA)

as a side note: I followed Scenario 1 in this document:

View solution in original post

5 REPLIES 5

L3 Networker

ok, a quick debug with drop counter shows that th following counters do increment:

flow_rcv_dot1q_tag_err                  8632        0 drop      flow      parse     Packets dropped: 802.1q tag not configured

flow_no_interface                       8709        0 drop      flow      parse     Packets dropped: invalid interface

looks like my VLAN Config is wrong on the "lan" side ....

While I'm confident, that the problem is in my clan configuration, I juts can't get it to work.

I've read the admin guide and several docs here but nothing fits.

Attached is my config ,maybe someone is so kind to bring some light in my dark?

Only traffic out of VLAN2 will reach the PA. VLAN 1 Traffic is bypassing the PA (VLAN1 blocked on the switch Trunk to the PA)

as a side note: I followed Scenario 1 in this document:

I restarted from scratch (the 1000th time) and whatever I did different than then times before, it's working now. I followed the above mentioned document.

If you are lucky you have a backup of running-config from when it didnt work which you run a diff against your now working running config (and get back with the results)?

right, didn't thought about this...

will do when I'm back home next week

Andre

  • 1 accepted solution
  • 8289 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!