12-29-2011 02:37 PM
Very basic configuration, an any any rule and a PAT rule for NAT... trust and untrust zones and a default route and an internal summary route... what is happening is that from a traffic log perspective it's being ALLOWED, from a NAT perspective I can see the session built with two flows for each direction successfully and they go ACTIVE. However, the return traffic never comes back.
What I found when trying to dump pcaps on the box is that the traffic post-NAT shows up in the DROP stage. However, nothing in the default logs shows any drops at all caused from a policy perspective (again, policy is very boilerplate).
Any way I can get more information on what is causing it to end up in DROP? additional dataplane debugs or something?
Thanks,
- Josh
12-29-2011 03:07 PM
Hi there,
Drop counters are your friend:
Set a filter to control what traffic is counted:
debug dataplane packet-diag set filter match <criteria>
debug dataplane packet-diag set filter on
Show the drop counters (absolute or relative to last time command was run):
show counter global packet-filter yes | match drop
show counter global filter severity drop packet-filter yes delta yes
Cheers,
Kelly