
Palo Alto high latency on the external interface

L6 Presenter

Hi All,

What could be the reason for high latency on the Palo interface, and why do I have the same hop multiple times, in fact 4 times?

C:\Users\admim>tracert 1x3.2x0.x5.x4

Tracing route to 1x3.2x0.x5.x4 over a maximum of 30 hops

1 1 ms <1 ms <1 ms vpn_firewall [192.168.1.200]
2 1 ms <1 ms <1 ms 1x5.11x.1x1.1x1
3 4 ms 4 ms 4 ms 1x4.x0.8x.x9
4 5 ms 5 ms 5 ms 1x4.70.x7.x1
5 6 ms 5 ms 5 ms 1x4.70.x7.x6
6 5 ms 5 ms 5 ms 1x5.2.x0.x2
7 5 ms 7 ms 5 ms x4.2x8.x7.x3
8 11 ms 11 ms 11 ms 1x6.x2.x4.x4
9 3104 ms 1632 ms 1749 ms 1x3.2x0.x5.2x3 External IP address of the Palo Alto (interface details below)
10 2082 ms 1304 ms 1491 ms 1x3.2x0.x5.x4
11 1879 ms 1897 ms 1731 ms 1x3.2x0.x5.x4
12 1096 ms 196 ms 144 ms 1x3.2x0.x5.x4
13 15 ms 13 ms 34 ms 1x3.2x0.x5.x4

PAN03(active)> show interface ethernet1/1
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
  Runtime link speed/duplex/state: 1000/full/up
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address 00:1b:00:00:00:00
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 1x3.2x0.x5.2x3/24
Interface management profile: N/A
Service configured: IKE
Zone: Internet, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast                        34321415
rx-bytes                            85812021477908
rx-multicast                        49938405
rx-unicast                          76258396101
tx-broadcast                        1104883
tx-bytes                            16568307831568
tx-multicast                        0
tx-unicast                          49361105462
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                      85507522375834
bytes transmitted                   16370745262951
packets received                    3332921716
packets transmitted                 2117570089
receive errors                      3736051
packets dropped                     0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                      85507364284046
bytes transmitted                   16370745262951
packets received                    3331006950
packets transmitted                 2117570089
receive errors                      0
packets dropped                     94389174
packets dropped by flow state check 31605741
forwarding errors                   0
no route                            1
arp not found                       38106940
neighbor not found                  0
neighbor info pending               0
mac not found                       0
packets routed to different zone    3875
land attacks                        0
ping-of-death attacks               0
teardrop attacks                    580
ip spoof attacks                    0
mac spoof attacks                   0
ICMP fragment                       0
layer2 encapsulated packets         0
layer2 decapsulated packets         0
--------------------------------------------------------------------------------

Any ideas/suggestions are welcome.

Thank you all.

Accepted Solutions

If this comes and goes (or even just came once) with no pattern you have yet observed, I would suggest setting up SNMP and gathering information over time. Basically ping/device load/interface statistics, etc. - everything that may help to find the pattern.

If that was once, maybe it was smallish DoS, maybe excessive traffic flood from inside, maybe some kind of a loop, a lot of guesses can be made, so statistics would be your friend.

Same IP could show up if the NAT is present.

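A small parser for Windows tracert output, added here as an example (it is not from the thread or from Palo Alto Networks), that flags the hop where the round-trip time jumps and counts runs of consecutive hops answering from one address, the NAT symptom the accepted answer mentions. The sample trace is constructed with documentation addresses in the shape of the trace quoted in the question.

```python
import itertools
import re
import statistics

# Constructed sample shaped like the tracert output in the question (documentation addresses).
SAMPLE_TRACERT = """\
  1     1 ms    <1 ms    <1 ms  vpn_firewall [192.168.1.200]
  2     5 ms     5 ms     5 ms  203.0.113.1
  3  3104 ms  1632 ms  1749 ms  198.51.100.10
  4  2082 ms  1304 ms  1491 ms  198.51.100.20
  5  1879 ms  1897 ms  1731 ms  198.51.100.20
  6    15 ms    13 ms    34 ms  198.51.100.20
"""

# hop number, three probe fields ("<1 ms", "12 ms" or "*"), then "name [ip]" or "ip".
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
BRACKET_RE = re.compile(r"\[([^\]]+)\]\s*$")

def parse_tracert(text):
    """Return [(hop, [rtt_ms, ...], address)]; '*' probes are dropped, '<1' counts as 1."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rtts = [int(t.lstrip("<")) for t in re.findall(r"<?\d+", m.group(2))]
            b = BRACKET_RE.search(m.group(3))  # prefer the bracketed IP over the name
            hops.append((int(m.group(1)), rtts, b.group(1) if b else m.group(3)))
    return hops

def latency_jumps(hops, threshold_ms=500):
    """Hops whose median RTT rises by more than threshold_ms over the previous hop."""
    jumps, prev = [], None
    for hop, rtts, addr in hops:
        if not rtts:  # every probe timed out: nothing to compare
            continue
        med = statistics.median(rtts)
        if prev is not None and med - prev > threshold_ms:
            jumps.append((hop, addr, med - prev))
        prev = med
    return jumps

def repeated_address_runs(hops):
    """Runs of consecutive hops answering from one address, as seen behind NAT."""
    runs = []
    for addr, group in itertools.groupby(hops, key=lambda h: h[2]):
        members = list(group)
        if len(members) > 1:
            runs.append((addr, members[0][0], len(members)))
    return runs
```

Feed it the saved output of a few traces taken over time and the two functions give you the per-hop numbers to compare against the SNMP interface statistics the accepted answer suggests collecting.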
4 REPLIES

L5 Sessionator

If you do a traceroute from the firewall, what's the latency?

If you bypass the firewall and plug a laptop in directly, what's the latency?

Is it a new setup, or did it start happening suddenly?

Hi Pankaj,

Thanks for your feedback. 

As this is an intermittent issue, it is hard to troubleshoot. It has been reported only once. Currently, no high latency is observed.

Just thought that people can share their experience or thoughts about this. This is an old set-up, with a couple of layer 2 Cisco switches between the Palo and the next hop. Do you know why I got 4 entries for the same destination in my traceroute output?

Cheers

Thanks guys for all your suggestions!
