Palo Alto high latency on the external interface

L6 Presenter

Hi All,

 

What could be the reason for high latency on the Palo interface, and why do I have the same hop multiple times, in fact, 4 times?

 

C:\Users\admim>tracert 1x3.2x0.x5.x4

 

Tracing route to 1x3.2x0.x5.x4 over a maximum of 30 hops

1 1 ms <1 ms <1 ms vpn_firewall [192.168.1.200]
2 1 ms <1 ms <1 ms 1x5.11x.1x1.1x1
3 4 ms 4 ms 4 ms 1x4.x0.8x.x9
4 5 ms 5 ms 5 ms 1x4.70.x7.x1
5 6 ms 5 ms 5 ms 1x4.70.x7.x6
6 5 ms 5 ms 5 ms 1x5.2.x0.x2
7 5 ms 7 ms 5 ms x4.2x8.x7.x3
8 11 ms 11 ms 11 ms 1x6.x2.x4.x4
9 3104 ms 1632 ms 1749 ms 1x3.2x0.x5.2x3 External IP address of the Palo Alto (interface details below)
10 2082 ms 1304 ms 1491 ms 1x3.2x0.x5.x4
11 1879 ms 1897 ms 1731 ms 1x3.2x0.x5.x4
12 1096 ms 196 ms 144 ms 1x3.2x0.x5.x4
13 15 ms 13 ms 34 ms 1x3.2x0.x5.x4

 

PAN03(active)> show interface ethernet1/1
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
  Runtime link speed/duplex/state: 1000/full/up
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address 00:1b:00:00:00:00
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 1x3.2x0.x5.2x3/24
Interface management profile: N/A
Service configured: IKE
Zone: Internet, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast                     34321415
rx-bytes                         85812021477908
rx-multicast                     49938405
rx-unicast                       76258396101
tx-broadcast                     1104883
tx-bytes                         16568307831568
tx-multicast                     0
tx-unicast                       49361105462
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                   85507522375834
bytes transmitted                16370745262951
packets received                 3332921716
packets transmitted              2117570089
receive errors                   3736051
packets dropped                  0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                   85507364284046
bytes transmitted                16370745262951
packets received                 3331006950
packets transmitted              2117570089
receive errors                   0
packets dropped                  94389174
packets dropped by flow state check 31605741
forwarding errors                0
no route                         1
arp not found                    38106940
neighbor not found               0
neighbor info pending            0
mac not found                    0
packets routed to different zone 3875
land attacks                     0
ping-of-death attacks            0
teardrop attacks                 580
ip spoof attacks                 0
mac spoof attacks                0
ICMP fragment                    0
layer2 encapsulated packets      0
layer2 decapsulated packets      0
--------------------------------------------------------------------------------

 

 

Any ideas/suggestions are welcome.

 

Thank you all.


Accepted Solutions
L3 Networker

If this comes and goes (or even just came once) with no pattern you have yet observed, I would suggest setting up SNMP and gathering information over time. Basically ping/device load/interface statistics, etc. - everything that may help to find the pattern.

If that was once, maybe it was a smallish DoS, maybe an excessive traffic flood from inside, maybe some kind of a loop; a lot of guesses can be made, so statistics would be your friend.

The same IP could show up if NAT is present.

 

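The advice to gather statistics over time can be started from the CLI before SNMP is in place: the counter sections of the `show interface` output in the question can be captured on a schedule and diffed. The Python below is an added example, not code from the thread or from Palo Alto Networks. It parses the "counters read from CPU" sections (the T0 poll uses the figures from the question, laid out one counter per line as the CLI prints them; the T1 poll 60 seconds later is constructed, and the list of counters to watch is this example's own choice) and reports per-second growth of error and drop counters. The absolute values are cumulative since the counters were cleared, so only the delta between two polls says anything about the period in which the latency was seen.

```python
import re

# Constructed sample: two polls of the counter sections of PAN-OS
# `show interface ethernet1/1`. T0 uses the figures quoted in the question;
# T1 is a hypothetical poll of the same interface 60 seconds later.
POLL_T0 = """\
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                   85507522375834
bytes transmitted                16370745262951
packets received                 3332921716
packets transmitted              2117570089
receive errors                   3736051
packets dropped                  0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                   85507364284046
packets received                 3331006950
receive errors                   0
packets dropped                  94389174
packets dropped by flow state check 31605741
forwarding errors                0
arp not found                    38106940
teardrop attacks                 580
--------------------------------------------------------------------------------
"""

POLL_T1 = """\
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                   85510522375834
bytes transmitted                16371245262951
packets received                 3333521716
packets transmitted              2117870089
receive errors                   3736063
packets dropped                  0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                   85510364284046
packets received                 3331605950
receive errors                   0
packets dropped                  94390674
packets dropped by flow state check 31606641
forwarding errors                0
arp not found                    38107240
teardrop attacks                 580
--------------------------------------------------------------------------------
"""

# a counter name (may span several words, e.g. 'packets dropped by flow state check')
# followed by its integer value
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 \-]*?)\s+(\d+)(?=\s|$)")


def parse_pairs(block):
    """Turn a block of 'name   value' lines into {name: int}."""
    return {m.group(1).strip(): int(m.group(2)) for m in PAIR_RE.finditer(block)}


def split_sections(text):
    """Map each 'counters read from ...' header to the parsed block that follows it."""
    parts = [p.strip() for p in re.split(r"-{5,}", text)]
    sections = {}
    for i, p in enumerate(parts[:-1]):
        if p.endswith(":") and "counters" in p:
            sections[p.rstrip(":")] = parse_pairs(parts[i + 1])
    return sections


def counter_rates(before, after, interval_s):
    """Per-second increase of every counter present in both polls, keyed by section."""
    rates = {}
    for section, cur in after.items():
        prev = before.get(section, {})
        rates[section] = {k: (v - prev[k]) / interval_s for k, v in cur.items() if k in prev}
    return rates


# counters worth a closer look when they grow at all (this example's own choice)
WATCH = {
    "receive errors": 0.0,
    "packets dropped": 0.0,
    "packets dropped by flow state check": 0.0,
    "forwarding errors": 0.0,
    "arp not found": 0.0,
    "teardrop attacks": 0.0,
}


def alerts(rates, thresholds=WATCH):
    """(section, counter, rate) for every watched counter growing faster than its threshold."""
    out = []
    for section, vals in rates.items():
        for name, limit in thresholds.items():
            if name in vals and vals[name] > limit:
                out.append((section, name, vals[name]))
    return out


if __name__ == "__main__":
    rates = counter_rates(split_sections(POLL_T0), split_sections(POLL_T1), interval_s=60)
    for section, name, rate in alerts(rates):
        print(f"{section}: {name} +{rate:.2f}/s")
```

Once SNMP polling exists, the same delta-and-rate logic applies to the IF-MIB ifInErrors and ifInDiscards objects for the interface; the point of keeping the history is that a one-off spike like the one in the question can be lined up against the counters that moved at the same time.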


All Replies
L5 Sessionator

If you do a traceroute from the firewall, what's the latency?

If you bypass the firewall and plug a laptop directly what's the latency?

Is it a new setup, or did it start happening suddenly?

L6 Presenter

Hi Pankaj,

 

Thanks for your feedback. 

As this is an intermittent issue, it is hard to troubleshoot. It has been reported only once. Currently, no high latency is observed.

Just thought that people could share their experience or thoughts about this. This is an old set-up; between the Palo and the next hop there are a couple of layer 2 Cisco switches. Do you know why I got 4 entries for the same destination in my traceroute output?

 

Cheers


L6 Presenter

Thanks guys for all your suggestions!
