- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-26-2014 05:42 AM
Hi All,
For a 5 minutes we are unable to access internet ( even not able to ping next hop router), We observed that there is a packet drops in PaloAlto LAN interface, below snap shows the same. Can any body give the reason for this packet drops?
Please help me to identify the root cause,.
Thank you,
Guru
05-27-2016 12:33 PM
Hi everyone...
I have the same issue but i can't found some clue to have the diagnose, the counters on each interface are weird. in my case the disconnect occurs at least 15 seconds, maximum 30 seconds, but this is enough to make server applications get offline....
i suspect that the problem comes on the interface assigned for LAN connection because the ping don't respond when the problem occurs...
i tried to find answers in the system logs ,traffic logs and threat logs but there's nothing unusual. no information about some disconnected interface, some kind of threat DDos or a simple rule that deny the connections.
i need help......
05-28-2016 05:25 AM - edited 06-07-2016 02:43 AM
Hi Guys,
It could be many reasons for this.
The Difference Between Receive Errors for Hardware and Logical Interface Counters
Packet Drop Counters in "Show Interface Ethernet ..." Display
Is it SFP interface. We had a similar issue before with bad SFP interface/module.
How to Check Interface Hardware Counters Including Errors
Need a better picture of you topology set-up
05-29-2016 04:59 PM
Hi,
Maybe your zone protection kicked in? Look for floods coming from IP address 0.0.0.0 and action "drop" in your threats logs.
Benjamin
05-30-2016 02:19 AM
The moment the outage occurs you could also try to run
> show counter global filter delta yes severity drop
a couple of times. the delta filter will make sure you only see the counters that incremented after the first time you executed the command, so starting from the second time you should see which types of drops the system is seeing 'right now', this could help determine if the drops are caused by the system or are a result of an issue further down the stream (packets dropped because session is out of sync, not receiving syn packets, idle timeout , ...)
07-15-2016 07:18 AM
Hi Daniel,
I have a similar issue, did you find the solution to this problem
Thanks
Hari
01-30-2019 05:02 AM
i am also having the same issue for 1 month PA TAC is provided the RMA Device with out proper investigation, still having the same issue
01-30-2019 06:04 AM
What kind of troubleshooting has been performed by yourself or TAC and what were your findings?
what version of PAN-OS are you one?
Although this post dates from 2016, the troubleshooting steps mentioned above could still prove useful, have you been able to try them and what drop counters did you see ?
01-31-2019 12:50 AM
Hi Team,
We found and resolve the issue today, we have 2 set of PA firewalls are configured in HA, in the same subnet with Simmilar HA group ID, today we have changed the HA group ID on the ping drop FIrewall, issue got resolved
So group ID has to be diffrent when there are more than one HA firewalls are placed in the same subnet.
Thanks
Sudhakar
01-31-2019 03:37 AM
as an FYI: the HA group ID is used to form the VMAC that is shared between the HA members, reuse of this ID will cause multiple clusters to have the same VMAC
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!