Packet drop counter increment normal?

cancel
Showing results for 
Search instead for 
Did you mean: 

Packet drop counter increment normal?

L4 Transporter

Hi folks,

 

We had a Lync meeting yesterday that was reported with poor performance and dropped calls.

The Lync Monitor dashboard indicates dropped packets and jitter in that time frame.

I checked the Lync server and the LAN switch its ESXi host is connected to, no alerts or reports of packet loss.

 

I see that all of our PA 3020 interfaces have a packet drop counter that is incrementing. 

Is this normal?

 

This is example of ethernet 1/1 our public facing interface, but they are all doing it, including internal.

 

PAdrops3.jpg

I did a catch all packet capture and opened the drop.pcap file in wireshark, small sample looks like this.  Is this normal for networks to drop these packets and increment the packet drop counter?

PAdrops2.jpg

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Drop-Counters-in-quot-Show-Interface-E...

 

1 ACCEPTED SOLUTION

Accepted Solutions

well the good thing is that there usually is not a lot of 'low level' packetloss, most of the time that happens when you have a faulty cable or incorrect speed/duplex setting, everything else usually happens in the processing layer where packets are either discarded due to policy (security policy, security profile, QoS, DoS protection , ....) or because the system is overloaded 

 

these commands will help you pinpoint 'system overload'

>show running resource-monitor 

when the packet descriptor (buffers) are extremely high (past 85% packetloss may occur)

(don't worry too much about cpu or processes running 100%, some are pre-spun to 100%, others are perfectly ok at 100% as long as the buffers and pools are 'free')

or

> debug dataplane pool statistics

when the software/harware memory pools run dry

 

 

at first glance you have a very low amount of dropped packets in the system, thats good. Please check with your ISP, usually a 'box on the wall means a regular routing/modem device that has automatic settings which will fix your bad quality voip issue when you set the firewall to comply, else try switching out the cable just to make sure 

if that doesn;t fix the issue you could also try transplanting your configuration on a different firewall interface so you can exclude a faulty hardware port also

Tom Piens
PANgurus

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

this packetcpture may not capture all the dropped packets seen in the interface

 

a little bckground

the dropped packets on the interface are usually malformed packets the interface wont accept (too large frames, broken, missing header, ...)

the packets seen in the packet-diag are packets discarded by the packet processing CPU, which is after the interface.packets dropped by the processor appear in the global counters

 

you'll want to run > show counter global filter delta yes (optionally 'packet-filter yes' if you added packet-diag filters)

and see which drop counters increment there

 

it looks like you set a manual link speed and duplex, did you also set this speed on the connected switch? if not, you'll want to change the firewall to auto-auto or set the switch to 100/full. a mismatch in auto/static will also cause packet drops due to negotiation mishaps

Tom Piens
PANgurus

Thanks reaper,

 

The 1/1 interface is set to 100 and full.  It's other end goes to a small box on the wall representing our Internet provider.  I am assuming there must have been a requirement for it to be setup that way.  I would have to call the ISP to verify I guess. Thanks for noticing...

 

I ran the command you reference, but do not see nearly the drop number(s) I see when running the show interface command.  Of course I am a newbie and trying to understand what is relevant.   Still confusing on how to monitor packet loss.

 

PAcounters.jpg

well the good thing is that there usually is not a lot of 'low level' packetloss, most of the time that happens when you have a faulty cable or incorrect speed/duplex setting, everything else usually happens in the processing layer where packets are either discarded due to policy (security policy, security profile, QoS, DoS protection , ....) or because the system is overloaded 

 

these commands will help you pinpoint 'system overload'

>show running resource-monitor 

when the packet descriptor (buffers) are extremely high (past 85% packetloss may occur)

(don't worry too much about cpu or processes running 100%, some are pre-spun to 100%, others are perfectly ok at 100% as long as the buffers and pools are 'free')

or

> debug dataplane pool statistics

when the software/harware memory pools run dry

 

 

at first glance you have a very low amount of dropped packets in the system, thats good. Please check with your ISP, usually a 'box on the wall means a regular routing/modem device that has automatic settings which will fix your bad quality voip issue when you set the firewall to comply, else try switching out the cable just to make sure 

if that doesn;t fix the issue you could also try transplanting your configuration on a different firewall interface so you can exclude a faulty hardware port also

Tom Piens
PANgurus

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!