This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PAN-88671

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN-88671

nextgenhappines
L4 Transporter

‎03-13-2018 07:16 AM

Hello,

 

In PANOS 8.0.8 release,  now can disable or enable the L4 checksum checking.

 

How do I check if my 5200 firewall L4 checksum is enabled or disabled?

 

How do I check if traffic is dropped due the L4 checksum?

 

Thanks,

 

E

0 Likes Likes
6 REPLIES 6

reaper
Cyber Elite
Cyber Elite

‎03-15-2018 04:56 AM

 

enabled
admin@PA-5250> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 1, 'usecase': 1, 'v4_v6_choice': 2, }

disabled
admin@PA-5250> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 0, 'usecase': 1, 'v4_v6_choice': 2, }

 

these counters will increment when the firewall discards packets: :flow_fpga_rcv_igr_L4CHKSUMERR

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

nextgenhappines
L4 Transporter
In response to reaper

‎03-15-2018 06:25 AM

Hi Reaper,

 

I don't see this counter increased (or listed when I run show counter global filter delta yes packet-filter yes ) until I have the pre-parse match enabled.

 

 

 

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to nextgenhappines

‎03-15-2018 06:44 AM

Then I would think it likely no packets are being discarded by this check in the first place

 

are you seeing this counter pop up: flow_fpga_ingress_exception_err

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

nextgenhappines
L4 Transporter
In response to reaper

‎03-15-2018 07:15 AM

None of that counter as well, flow_fpga_ingress_exception_err

 

TAC and I compare the packet captures on the firewall vs on the span port from the switch below the firewall.  Packets are getting dropped by the firewall.  The counters mentioned were not showing up until you have pre-parse match enabled.  

 

 

0 Likes Likes

Karim.Benyelloul
L1 Bithead
In response to reaper

‎01-15-2019 06:28 AM

Hi reaper,

 

Could you please tell me when the counter : flow_fpga_ingress_exception_err pop up ? 

 

Many thanks ,

Kairm

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to Karim.Benyelloul

‎01-17-2019 01:58 PM

hi @Karim.Benyelloul

 

thats a bit of an open ended question as i cannot tell you wjhen exactly that counter will pop up, it will be part of a larger set of symptoms rather than a 'this counter increments when x is happening'

 

it is counted when an error occurs when the fpga tries to intake a packet, which can happen due to different reasons

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 4287 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks