05-26-2014 02:27 AM
I know the "PA-3050 stops processing traffic" topic.
According to my knowledge, the PA200 has virtualized hardware (it has no ASICs), so it is a bit of a different case.
Recently my device stopped responding to ping and stopped processing traffic. After a power off/on it started working OK.
In the logs close to the time when it failed there was nothing special, but there were a lot of:
1,2014/05/21 19:54:01,001606004641,SYSTEM,dnsproxy,0,2014/05/21 19:54:01,,resolve-fail,DNS_proxy_1,0,0,general,informational,Failed to resolve domain name:su.ff.avast.com after trying all attempts to name server(s): 192.168.1.254 192.168.1.253 ,244184,0x0
1,2014/05/21 19:54:01,001606004641,SYSTEM,dnsproxy,0,2014/05/21 19:54:01,,resolve-fail,DNS_proxy_2,0,0,general,informational,Failed to resolve domain name:android.clients.google.com after trying all attempts to name server(s): 192.168.1.254 192.168.1.253 ,244183,0x0
1,2014/05/21 19:54:00,001606004641,SYSTEM,dnsproxy,0,2014/05/21 19:54:00,,resolve-fail,DNS_proxy_2,0,0,general,informational,Failed to resolve domain name:daisy.ubuntu.com after trying all attempts to name server(s): 192.168.1.254 192.168.1.253 ,244182,0x0
The strange thing was that after the time when the device stopped processing traffic, it still logged similar entries (resolve fail).
I had a problem with DNS proxy on 5.0.7; after I moved to 5.0.9 (as I remember, 5.0.9 fixes DNS proxy problems) the problem was gone.
Has anyone had issues on 6.0.x with DNS proxy?
Support can't find the root cause of the issue from the tech support file.
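The resolve-fail entries quoted in the post above can be summarized per proxy object, per name server and around the outage time with a short script. This is an added example, not part of the original post or any vendor tooling; the column positions are inferred from the three quoted lines and are an assumption, and the function names are hypothetical.

```python
import csv
from collections import Counter
from datetime import datetime

# Sample input: the three lines quoted in the post, embedded so this runs offline.
SAMPLE = """\
1,2014/05/21 19:54:01,001606004641,SYSTEM,dnsproxy,0,2014/05/21 19:54:01,,resolve-fail,DNS_proxy_1,0,0,general,informational,Failed to resolve domain name:su.ff.avast.com after trying all attempts to name server(s): 192.168.1.254 192.168.1.253 ,244184,0x0
1,2014/05/21 19:54:01,001606004641,SYSTEM,dnsproxy,0,2014/05/21 19:54:01,,resolve-fail,DNS_proxy_2,0,0,general,informational,Failed to resolve domain name:android.clients.google.com after trying all attempts to name server(s): 192.168.1.254 192.168.1.253 ,244183,0x0
1,2014/05/21 19:54:00,001606004641,SYSTEM,dnsproxy,0,2014/05/21 19:54:00,,resolve-fail,DNS_proxy_2,0,0,general,informational,Failed to resolve domain name:daisy.ubuntu.com after trying all attempts to name server(s): 192.168.1.254 192.168.1.253 ,244182,0x0
"""

# Column positions inferred from the quoted lines (assumption, not a vendor schema).
TIME, TYPE, SUBTYPE, EVENT, OBJECT, DESC = 1, 3, 4, 8, 9, 14
PREFIX = "Failed to resolve domain name:"
MIDDLE = " after trying all attempts to name server(s):"

def parse_resolve_fails(text):
    """Yield (timestamp, proxy_object, domain, [name servers]) per resolve-fail row."""
    for row in csv.reader(text.splitlines()):
        if len(row) <= DESC:
            continue  # truncated or unrelated line
        if (row[TYPE], row[SUBTYPE], row[EVENT]) != ("SYSTEM", "dnsproxy", "resolve-fail"):
            continue
        desc = row[DESC]
        if not desc.startswith(PREFIX) or MIDDLE not in desc:
            continue  # description text does not match the quoted format
        domain, servers = desc[len(PREFIX):].split(MIDDLE, 1)
        when = datetime.strptime(row[TIME], "%Y/%m/%d %H:%M:%S")
        yield when, row[OBJECT], domain.strip(), servers.split()

def summarize(text, outage_start=None):
    """Count failures per proxy object and name server; optionally count those at/after an outage."""
    events = list(parse_resolve_fails(text))
    summary = {
        "per_proxy": Counter(e[1] for e in events),
        "per_server": Counter(s for e in events for s in e[3]),
        "domains": sorted({e[2] for e in events}),
        "first": min((e[0] for e in events), default=None),
        "last": max((e[0] for e in events), default=None),
    }
    if outage_start is not None:
        summary["after_outage"] = sum(1 for e in events if e[0] >= outage_start)
    return summary

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run over a full system log export, `per_server` shows whether every configured name server appears in every failure, and `after_outage` counts entries logged at or after the time the device stopped passing traffic.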
05-26-2014 10:54 AM
It would be difficult to isolate the issue from the above-mentioned logs. There could be many reasons why traffic was not passing through the PA-200 firewall.
I would suggest a few things to check if there is another occurrence of the same issue.
> You may try to do an "nslookup" on one of the testing PCs to see if it is resolving the IP address for a URL. After that, in the GUI --> Traffic log, you may use filters like ( addr.src in IP_ADD_OF_THE_TESTING_PC ) and ( addr.dst in IP_ADD_OF_THE_DESTINATION ) to check the security policy that the traffic is hitting. Also, you can check the real-time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.
> If a session exists for the same traffic, then please apply the CLI command PAN> show session id XYZ to get detailed information about that session, i.e. NAT rule, security rule, ingress/egress interface etc.
> Verify the global counters to see if a specific "DRP" counter is increasing rapidly. The command show counter global provides information about the processes/actions taken on the packets going through the device: whether they are dropped, NAT-ed, decrypted etc. These counters are for all the traffic going through the device and are useful in troubleshooting issues like poor performance, packet loss, latency etc. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data.
For more information, you can follow the DOC What is the Significance of Global Counters?
> You can enable FLOW BASIC feature to understand the exact reason behind the failure:
> debug dataplane packet-diag clear all
> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION
> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination IP_ADD_OF_THE_TESTING_PC
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log feature tcp all
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set log on
~~~~~~~~~~~~~~~~ Initiate traffic through the PAN firewall/try to browse a website ~~~~~~~~~~~~~~~~~~~~~~~~~
> debug dataplane packet-diag set log off
> debug dataplane packet-diag aggregate-logs
> less mp-log pan_packetdiag_log.log
For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands
Hope this helps.