09-30-2018 09:25 AM
show counter interface management
Interface: Management Interface
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Logical interface counters:
-------------------------------------------------------------------------------
bytes received 50983020707
bytes transmitted 1703516003
packets received 38137194
packets transmitted 18673283
receive errors 0
transmit errors 0
receive packets dropped 1971053
transmit packets dropped 0
multicast packets received 1971053
Need to know why the PA is dropping these packets.
Where are they coming from?
Mike
10-01-2018 04:34 AM
@MP18 you can do a packet capture on the management interface and find it out.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS
I don't know exactly which type of packets this counter hits, but maybe your management interface has a list of permitted IP addresses in the config and these packets came from devices not on the list?
10-01-2018 06:42 PM
Management interface is configured for any IP addresses.
tcpdump filter "host 192.168.1.10 and port not 22 and not 443"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
^C4 packets captured
8 packets received by filter
0 packets dropped by kernel
mparmar2@PA-220> view-pcap mgmt-pcap mgmt.pcap
19:40:13.782669 IP 192.168.1.10.58468 > nsc1.so.cg.shawcable.net.domain: 39907+[|domain]
19:40:13.782697 IP 192.168.1.10.58468 > nsc1.so.cg.shawcable.net.domain: 10687+[|domain]
19:40:13.797919 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.58468: 39907[|domain]
19:40:13.798329 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.58468: 10687[|domain]
mparmar2@PA-220> tcpdump filter "host 192.168.1.10 and port not 22 and not 443"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
^C6 packets captured
12 packets received by filter
0 packets dropped by kernel
mparmar2@PA-220> view-pcap mgmt-pcap mgmt.pcap
19:41:18.770752 arp who-has 192.168.1.20 tell 192.168.1.10
19:41:18.770930 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)
19:41:29.512025 IP 192.168.1.10.59224 > nsc1.so.cg.shawcable.net.domain: 5217+[|domain]
19:41:29.512051 IP 192.168.1.10.59224 > nsc1.so.cg.shawcable.net.domain: 6919+[|domain]
19:41:29.527328 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.59224: 5217[|domain]
19:41:29.527642 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.59224: 6919[|domain]
10-01-2018 06:49 PM
@PA-220> view-pcap mgmt-pcap mgmt.pcap
19:42:47.902330 IP 192.168.1.10.60433 > nsc1.so.cg.shawcable.net.domain: 57606+[|domain]
19:42:47.902355 IP 192.168.1.10.60433 > nsc1.so.cg.shawcable.net.domain: 46160+[|domain]
19:42:47.917557 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.60433: 57606[|domain]
19:42:47.917901 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.60433: 46160[|domain]
19:43:52.770748 arp who-has 192.168.1.20 tell 192.168.1.10
19:43:52.770921 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)
19:44:13.492580 IP 192.168.1.10.54095 > nsc1.so.cg.shawcable.net.domain: 64697+[|domain]
19:44:13.492610 IP 192.168.1.10.54095 > nsc1.so.cg.shawcable.net.domain: 60268+[|domain]
19:44:13.520459 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.54095: 64697[|domain]
19:44:13.521289 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.54095: 60268[|domain]
19:45:18.550772 arp who-has 192.168.1.20 tell 192.168.1.10
19:45:18.550911 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)
19:45:52.940757 arp who-has 192.168.1.20 tell 192.168.1.10
19:45:52.940905 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)
19:45:54.122667 IP 192.168.1.10.35815 > nsc1.so.cg.shawcable.net.domain: 6767+[|domain]
19:45:54.122698 IP 192.168.1.10.35815 > nsc1.so.cg.shawcable.net.domain: 10019+[|domain]
19:45:54.163938 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.35815: 6767[|domain]
19:45:54.164306 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.35815: 10019[|domain]
19:46:13.472925 IP 192.168.1.10.35585 > nsc1.so.cg.shawcable.net.domain: 57846+[|domain]
19:46:13.472954 IP 192.168.1.10.35585 > nsc1.so.cg.shawcable.net.domain: 46565+[|domain]
19:46:13.487259 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.35585: 57846[|domain]
19:46:13.487626 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.35585: 46565[|domain]
19:47:18.760755 arp who-has 192.168.1.20 tell 192.168.1.10
19:47:18.760912 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)
10-04-2018 03:25 AM - edited 10-04-2018 03:46 AM
There are no packets listed where I can see multicast. But your filter will only capture packets where 192.168.1.10 is involved (I guess it's the local management IP of your PA-220). So if there is multicast which is dropped (not answered by your PA), you would never see it with your packet filter (host 192.168.1.10).
The traffic I can see for now is only ARP with your gateway (192.168.1.20), I guess, and DNS traffic with the name server. That's OK.
10-04-2018 04:35 AM
Or maybe there are devices in the network with IPv6 enabled. IPv6 uses multicast (no broadcasts). If the management interface has no IPv6 configuration enabled, it will probably drop those IPv6 multicasts.
10-05-2018 06:52 PM
It seems IPv6 is not configured on the management interface.
Is there any way on the PA we can find the source of the IPv6 traffic?
10-05-2018 06:55 PM
Yes, 192.168.1.10 is the management IP of the PA.
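Added example, not written by any poster in this thread: the replies above point out that the `host 192.168.1.10` filter hides multicast that is not addressed to the firewall, and the open question is who is sending it. Assuming a capture taken without that host filter and printed with numeric addresses, this Python script tallies multicast senders (IPv4 and IPv6) from tcpdump text lines; the sample lines and all addresses in them are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in tcpdump text format; every address here is made up.
SAMPLE = """\
19:50:01.100000 IP 192.168.1.10.58468 > 192.168.1.1.53: 39907+[|domain]
19:50:01.200000 IP 192.168.1.33.5353 > 224.0.0.251.5353: 0 [2q][|domain]
19:50:02.300000 IP6 fe80::1c2d:3e4f:5a6b:7c8d.5353 > ff02::fb.5353: 0 [2q][|domain]
19:50:03.400000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64
19:50:04.500000 IP 192.168.1.33.5353 > 224.0.0.251.5353: 0 [2q][|domain]
19:50:05.600000 arp who-has 192.168.1.20 tell 192.168.1.10
"""

# "<timestamp> IP|IP6 <src> > <dst>: ..." as printed by tcpdump
LINE = re.compile(r"^\S+ IP6? (\S+) > (\S+):\s")


def to_addr(token):
    """Return the IP address in an endpoint token, dropping a '.port' suffix."""
    for candidate in (token, token.rpartition(".")[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None  # unresolved hostname or unexpected token


def multicast_senders(text):
    """Count packets per (source, group) whose destination is multicast."""
    tally = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP and other non-IP lines
        src, dst = to_addr(m.group(1)), to_addr(m.group(2))
        # is_multicast covers 224.0.0.0/4 and ff00::/8
        if src is not None and dst is not None and dst.is_multicast:
            tally[(str(src), str(dst))] += 1
    return tally


if __name__ == "__main__":
    for (src, group), count in multicast_senders(SAMPLE).most_common():
        print(f"{count:6d}  {src} -> {group}")
```

Link-local IPv6 sources (`fe80::/10`) identify a host only on the local segment, so map them to a device through the MAC address in the capture or the switch's address table.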