show counter interface management multicast packets dropped

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

show counter interface management multicast packets dropped

Cyber Elite
Cyber Elite

show counter interface management


Interface: Management Interface
-------------------------------------------------------------------------------


-------------------------------------------------------------------------------
Logical interface counters:
-------------------------------------------------------------------------------
bytes received 50983020707
bytes transmitted 1703516003
packets received 38137194
packets transmitted 18673283
receive errors 0
transmit errors 0
receive packets dropped 1971053
transmit packets dropped 0
multicast packets received 1971053

 

need to know why PA is dropping these packets?

from where they are coming?

 

Mike

MP

Help the community: Like helpful comments and mark solutions.
7 REPLIES 7

L2 Linker

@MP18you can do a packet capture on the mangement interface and find it out.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS

 

Didn't know it exactly which type of packets this counter hits, but maybe your management interface have a list of permitted ip addresses in the config and these packets came from devices not on the list?!?

Management interface is configured for any IP addresses.

 

 tcpdump filter "host 192.168.1.10 and port not 22 and not 443"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
^C4 packets captured
8 packets received by filter
0 packets dropped by kernel
mparmar2@PA-220> view-pcap mgmt-pcap mgmt.pcap
19:40:13.782669 IP 192.168.1.10.58468 > nsc1.so.cg.shawcable.net.domain:  39907+[|domain]
19:40:13.782697 IP 192.168.1.10.58468 > nsc1.so.cg.shawcable.net.domain:  10687+[|domain]
19:40:13.797919 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.58468:  39907[|domain]
19:40:13.798329 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.58468:  10687[|domain]
mparmar2@PA-220> tcpdump filter "host 192.168.1.10 and port not 22 and not 443"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
^C6 packets captured
12 packets received by filter
0 packets dropped by kernel
mparmar2@PA-220> view-pcap mgmt-pcap mgmt.pcap
19:41:18.770752 arp who-has 192.168.1.20 tell 192.168.1.10
19:41:18.770930 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)
19:41:29.512025 IP 192.168.1.10.59224 > nsc1.so.cg.shawcable.net.domain:  5217+[|domain]
19:41:29.512051 IP 192.168.1.10.59224 > nsc1.so.cg.shawcable.net.domain:  6919+[|domain]
19:41:29.527328 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.59224:  5217[|domain]
19:41:29.527642 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.59224:  6919[|domain]

MP

Help the community: Like helpful comments and mark solutions.

@PA-220> view-pcap mgmt-pcap mgmt.pcap
19:42:47.902330 IP 192.168.1.10.60433 > nsc1.so.cg.shawcable.net.domain:  57606+[|domain]
19:42:47.902355 IP 192.168.1.10.60433 > nsc1.so.cg.shawcable.net.domain:  46160+[|domain]
19:42:47.917557 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.60433:  57606[|domain]
19:42:47.917901 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.60433:  46160[|domain]
19:43:52.770748 arp who-has 192.168.1.20 tell 192.168.1.10
19:43:52.770921 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)
19:44:13.492580 IP 192.168.1.10.54095 > nsc1.so.cg.shawcable.net.domain:  64697+[|domain]
19:44:13.492610 IP 192.168.1.10.54095 > nsc1.so.cg.shawcable.net.domain:  60268+[|domain]
19:44:13.520459 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.54095:  64697[|domain]
19:44:13.521289 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.54095:  60268[|domain]
19:45:18.550772 arp who-has 192.168.1.20 tell 192.168.1.10
19:45:18.550911 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)
19:45:52.940757 arp who-has 192.168.1.20 tell 192.168.1.10
19:45:52.940905 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)
19:45:54.122667 IP 192.168.1.10.35815 > nsc1.so.cg.shawcable.net.domain:  6767+[|domain]
19:45:54.122698 IP 192.168.1.10.35815 > nsc1.so.cg.shawcable.net.domain:  10019+[|domain]
19:45:54.163938 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.35815:  6767[|domain]
19:45:54.164306 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.35815:  10019[|domain]
19:46:13.472925 IP 192.168.1.10.35585 > nsc1.so.cg.shawcable.net.domain:  57846+[|domain]
19:46:13.472954 IP 192.168.1.10.35585 > nsc1.so.cg.shawcable.net.domain:  46565+[|domain]
19:46:13.487259 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.35585:  57846[|domain]
19:46:13.487626 IP nsc1.so.cg.shawcable.net.domain > 192.168.1.10.35585:  46565[|domain]
19:47:18.760755 arp who-has 192.168.1.20 tell 192.168.1.10
19:47:18.760912 arp reply 192.168.1.20 is-at b0:fa:eb:a2:cb:cb (oui Unknown)

MP

Help the community: Like helpful comments and mark solutions.

there are no packets listed where i can see multicast. but your filter will only capture packets where 192.168.1.10 is involved (i guess its your local management ip of your pa-220). so if there is multicast which is dropped (not answered by your pa) you would never see it with your packet filter (host 192.168.1.10).

 

the traffic i can see for now is only arp with your gateway (192.168.1.20) i guess and dns traffic with the name server. thats ok.

or maybe there are devices in the network with ipv6 enabled. ipv6 uses multicast (no broadcasts). if the mangement interface had no ipv6 configuration enabled it will probably drop those ipv6 multicasts.

seems on management interface ipv6 is not configured.

is there any way on PA we can find source of ipv6 traffic?

MP

Help the community: Like helpful comments and mark solutions.

yes 192.168.1.10 is management ip of pa

MP

Help the community: Like helpful comments and mark solutions.
  • 5075 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!