we have an SSL-VPN portal that has been working for a long time. However, in the last 2-3 weeks, we have experienced the same problem twice. The Portal won't show on the browser, but traffic logs show the traffic being allowed by the corresponding rule. Access to the management IP is working fine as well as all other services.
I have tryed restarting Management and Device Servers, as well as SSL VPN Web Server without any success.
The only thing that solved this issue in both cases was to reboot the entire device.
PAN-OS version is 4.1.2 but we didn't see any relationship between the upgrade and this issue, since it appeared a long time after upgrading, not right after.
I opened a case and sent techsupport file, but meanwhile, I would like to know if anyone has experienced similar issues and how were they resolved.
Thanks in advance!
There is a known sofware packet buffer leak that can cause similar behavior. When encountered the only resolution is to restart the dataplane or upgrade to 4.1.4.
To check if you are affected by the leak you can run the following command:
> debug dataplane pool statistics
[ 0] software packet buffer 0 : 1/16384 0x8000000022000680
[ 1] software packet buffer 1 : 1/8192 0x8000000022810700
[ 2] software packet buffer 2 : 1/16384 0x8000000023018780
[ 3] software packet buffer 3 : 1/4192 0x8000000025028800
[ 4] software packet buffer 4 : 1/304 0x800000002d538a00
Above, all of the pools are depleted. Here is a example of what a device not affected by the leak:
[ 0] software packet buffer 0 : 16383/16384 0x8000000022000680
[ 1] software packet buffer 1 : 8192/8192 0x8000000022810700
[ 2] software packet buffer 2 : 16384/16384 0x8000000023018780
[ 3] software packet buffer 3 : 4096/4096 0x8000000025028800
[ 4] software packet buffer 4 : 304/304 0x800000002d22c880
The software pool stats will also be written to the dp-monitor.log file every 10 minutes so you could find the time of the failure and search for "software packet buffer".
Thanks for the answer!
Since there is no HA on this envorinment and restarting the data-plane everytime is not viable, I will update the device to 4.1.4.
In case it happens again, I will try with that command to check the output.
Really appreciated the answer.
I have experimented the same issue on PanOS 4.0.9 in a PAN 2020.
[ 0] Packet Buffers : 57170/57344 0x8000000410000000
[ 1] Work Queue Entries : 192131/229376 0x8000000417000000
[ 2] Output Buffers : 999/1024 0x8000000418c00000
[ 3] DFA Result : 2048/2048 0x8000000419100000
DFA Result :
[ 4] Timer Buffers : 4092/4096 0x8000000418d00000
Timer Buffers :
[ 5] PAN_FPA_LWM_POOL : 8192/8192 0x8000000419300000
[ 6] PAN_FPA_ZIP_POOL : 1024/1024 0x8000000419500000
[ 7] PAN_FPA_BLAST_POOL : 64/64 0x8000000419700000
[ 0] software packet buffer 0 : 1/16384 0x8000000021800680
[ 1] software packet buffer 1 : 1/8192 0x8000000022010700
[ 2] software packet buffer 2 : 1/8192 0x8000000022818780
[ 3] software packet buffer 3 : 1/4096 0x8000000023820800
[ 4] software packet buffer 4 : 1/256 0x800000002ba24880
[ 5] Pktlog logs : 10000/10000 0x800000002ca514e0
[ 6] Pktlog threats : 4999/5000 0x800000002cc6a720
[ 7] Pktlog packet : 5000/5000 0x800000002cd77080
Software Version 4-0-11 was out April 11, 2012.
If you get a chance please upgrade to that version if NOT already to get rid of the Software Pools depletion bug .
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!