Packet capture drop stage shows production traffic

mjensen40400
L1 Bithead

I have been troubleshooting an intermittent issue where a device that sits behind my Palo Alto running 10.0.0.3 is frequently losing its connection for UDP port 2156 traffic.

Today I ran a packet capture on the PA using the "drop stage" while the connectivity was lost and there was my missing traffic, right there in that capture.

When connectivity restored itself I ran the "drop stage" capture again and the interesting traffic was no longer present.

How can I investigate further to determine the reason why this traffic is getting dropped by the firewall? When I look in Monitor > Traffic logs I do not see this traffic as being dropped.

OtakarKlier
Cyber Elite

Hello,

In the policy, make sure you are logging the traffic. Also, when it comes to UDP traffic, the session stays open, so it might not show in the traffic logs immediately. I would suggest checking the Session Browser, as that shows all active sessions and is better for looking at UDP traffic.

However, the traffic logs should show why the session ended and the policy that allowed/blocked the traffic.

Regards,

AlexanderAstardzhiev
L4 Transporter

Hi @mjensen40400

Try to check the global counters as described here - How to check global counters for a specific source and destinat... - Knowledge Base - Palo Alto Netw...
- Set the same filter you have set for the packet capture
- Run the command: > show counter global filter packet-filter yes delta yes (note that with the option delta the output will show only the difference between the last and previous execution of the show command)

mjensen40400
L1 Bithead

Hello,

I ran a debug:

> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log on
> debug dataplane packet-diag aggregate-logs
packet-diag.log is aggregated

but I am not able to view the packet-diag.log which probably contains my answers.
Do you know how I can view the contents of the .log?

mjensen40400
L1 Bithead

What is messed up is that when I look in traffic logs and query for the traffic in question, logs come up from days ago and nothing current. For example, this morning I can only see traffic logs for the interesting traffic from April 5th!

The security policy rules are set to log.

I know for sure this traffic has successfully passed through the firewall since the 5th, as this problem is intermittent and the traffic flow does work sometimes.

OtakarKlier
Cyber Elite

Hello,

In the drop logs, what is the reason it gives for the dropped traffic?

Regards,

mjensen40400
L1 Bithead

Using the global counters method I discovered the drop reason is due to ARP.

Using the "show arp all" command I was able to determine that the firewall has an "incomplete" ARP entry for its default gateway during the times the traffic stops, and it has an actual full entry when traffic is flowing as it should.

I do have a static source NAT and I followed the KB "FIREWALL IS DROPPING PACKETS FROM LAN FOR NO ARP" @ https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmm8CAC&lang=en_US%E2%80%A....

My static NAT was a host IP without a netmask so I put a /32 at the end of it and that didn't make a difference.
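An added example for tracking the symptom described in this thread (it is not code from the thread or from Palo Alto Networks): it parses the text of "show arp all" into a table and reports when the default gateway's entry flips between complete and incomplete across successive snapshots, so the intermittent drops can be correlated with the ARP state. The column layout of the sample output and the gateway address 10.0.0.1 are assumptions; the sample is constructed.

```python
import re

# Constructed sample of "show arp all" output. The column layout is an
# assumption; adjust the row filter if your PAN-OS version prints it differently.
# 10.0.0.1 is the assumed default gateway, shown here in the failing state.
SAMPLE_ARP_OUTPUT = """\
maximum of entries supported :     1500
default timeout:                 1800 seconds
total ARP entries in table :     2
total ARP entries shown :        2
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address          port              status  ttl
--------------------------------------------------------------------------------
ethernet1/1       10.0.0.1        (incomplete)        ethernet1/1       i       0
ethernet1/2       192.0.2.10      00:11:22:33:44:55   ethernet1/2       c       1790
"""

STATUS_NAMES = {"s": "static", "c": "complete", "e": "expiring", "i": "incomplete"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_arp_table(text):
    """Return {ip: (interface, status_name, ttl)} from 'show arp all' output."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly six columns: interface, ip, hw, port, status, ttl
        if len(parts) != 6 or parts[4] not in STATUS_NAMES:
            continue
        if not IPV4.fullmatch(parts[1]):
            continue
        entries[parts[1]] = (parts[0], STATUS_NAMES[parts[4]], int(parts[5]))
    return entries

def gateway_state(text, gateway_ip):
    """Classify the gateway's ARP entry as 'ok', 'incomplete' or 'missing'."""
    entry = parse_arp_table(text).get(gateway_ip)
    if entry is None:
        return "missing"
    return "incomplete" if entry[1] == "incomplete" else "ok"

def state_transitions(snapshots, gateway_ip):
    """Given (timestamp, arp_text) snapshots taken over time, return the
    (timestamp, new_state) points at which the gateway's ARP state changed."""
    changes, last = [], None
    for ts, text in snapshots:
        state = gateway_state(text, gateway_ip)
        if state != last:
            changes.append((ts, state))
            last = state
    return changes
```

Feed it periodic captures of the command output (for example via the management API or a scheduled SSH session) and the transition timestamps give you the windows to compare against the drop-stage captures and global counter deltas.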
