Palo Alto Networks Knowledgebase: How to Check for Logical Errors on an Interface

How to Check for Logical Errors on an Interface

26247
Created On 09/25/18 19:22 PM - Last Updated 02/08/19 00:00 AM
Mobile Network Infrastructure
Resolution

SNMP traps for logical interfaces

RFC 1213 (MIB-II) defines only the standard interface table, so the firewall supports traps only for the system and interface groups that are incorporated in that MIB.

PAN-OS 7.0 and later report logical interfaces through SNMP.

On PAN-OS 6.1.x and earlier, the SNMP interface group exposes physical interfaces only, not logical interfaces. As a workaround, enable NetFlow export to obtain per-interface statistics for logical interfaces.

For PAN-OS 5.0 and older

To check for logical errors on a specific interface (ethernet1/3 is used as an example), run the following CLI command:

admin@Ironhide> show interface ethernet1/3
--------------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Link status:
  Runtime link speed/duplex/state: 1000/full/up
  Configured link speed/duplex/state: 1000/auto/auto
MAC address:
  Port MAC address b4:0c:25:f8:e5:12
Operation mode: layer3
Untagged sub-interface support: yes
--------------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 192.168.9.1/24
Interface management profile: allowall
  ping: yes  telnet: yes  ssh: yes  http: yes  https: yes
  snmp: yes  response-pages: yes  userid-service: no
Service configured:
Interface belong to same subnet as management interface: Yes
Zone: trust_9999, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast                  0
rx-bytes                      1775076722
rx-multicast                  0
rx-unicast                    13635670
tx-broadcast                  110085
tx-bytes                      6992300789
tx-multicast                  0
tx-unicast                    11299072
--------------------------------------------------------------------------------

 

The physical port counters above are cumulative from the time the data plane started on the firewall; they cannot be cleared from the CLI and are reset only by a data-plane restart.

--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                          360
bytes transmitted                        0
packets received                        6
packets transmitted                      0
receive errors                          6
packets dropped                          0
--------------------------------------------------------------------------------

Packets that fail the L2-L4 parsing checks increment the "receive errors" counter above and are dropped at this stage; they are not passed on to the logical interface. The most common causes are an invalid destination MAC, an invalid or unconfigured VLAN tag, an invalid IP header, an invalid TCP/UDP header, and so on. In this example there are 6 receive errors (TCP packet too short). Because these packets were dropped before reaching the logical interface, the "packets received" counter in the logical interface section below reads zero.

Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                          0
bytes transmitted                        84
packets received                        0
packets transmitted                      2
receive errors                          0
packets dropped                          0
packets dropped by flow state check      0
forwarding errors                        0
no route                                0
arp not found                            0
neighbor not found                      0
neighbor info pending                    0
mac not found                            0
packets routed to different zone        0
land attacks                            0
ping-of-death attacks                    0
teardrop attacks                        0
ip spoof attacks                        0
mac spoof attacks                        0
ICMP fragment                            0
layer2 encapsulated packets              0
layer2 decapsulated packets              0
--------------------------------------------------------------------------------

After a packet passes L2-L4 parsing, further security checks are applied to it. Packets dropped by security policy, by the TCP non-SYN check, or for other reasons increment the "packets dropped" counter in the logical interface counters above.

The exact drop reason can be read from the global counters. In this example the packets are dropped during L2-L4 parsing, as the flow_parse_l4_hdr counter (TCP (UDP) packet too short) in the output below shows. The "filter delta yes" option limits the output to counters that changed since the command was last run:

admin@Ironhide> show counter global filter delta yes

Global counters:
Elapsed time since last sampling: 1.150 seconds

name                                  value    rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                  41      35 info      packet    pktproc  Packets received
pkt_recv_zero                            41      35 info      packet    pktproc  Packets received from QoS 0
pkt_sent                                  7        6 info      packet    pktproc  Packets transmitted
pkt_alloc                                  1        0 info      packet    resource  Packets allocated
flow_rcv_err                              1        0 drop      flow      parse    Packets dropped: flow stage receive error
flow_rcv_dot1q_tag_err                    5        4 drop      flow      parse    Packets dropped: 802.1q tag not configured
flow_no_interface                          5        4 drop      flow      parse    Packets dropped: invalid interface
flow_fwd_l3_mcast_drop                    11        9 drop      flow      forward  Packets dropped: no route for IP multicast
flow_parse_l4_hdr                          1        6 drop      flow      parse    Packets dropped: TCP (UDP) packet too short
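The correlation described above (hardware "receive errors" on the interface explained by the "parse"-aspect drop counters in the global counter table) can be automated. The following Python script is an added example for this article, not Palo Alto Networks code: it parses the text of `show interface <name>` and `show counter global filter delta yes` exactly as the firewall prints them, and reports which parse-stage drop counters account for the receive errors. The sample inputs inside it are constructed from the output shown in this article, and the sanity check that hardware packets received minus receive errors and drops equals logical packets received is a heuristic suggested by this example, not a documented PAN-OS rule.

```python
"""Correlate PAN-OS hardware receive errors with global drop counters.

Added example for this article (not Palo Alto Networks code): it parses the text
of 'show interface <name>' and 'show counter global filter delta yes' as printed
above and lists the 'parse'-aspect drop counters that explain the receive errors.
"""
import re

# Constructed sample: the two CPU counter sections of 'show interface ethernet1/3'.
SHOW_INTERFACE = """\
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
packets received                        6
receive errors                          6
packets dropped                          0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
packets received                        0
packets transmitted                      2
receive errors                          0
packets dropped                          0
packets dropped by flow state check      0
--------------------------------------------------------------------------------
"""

# Constructed sample: rows from 'show counter global filter delta yes'.
SHOW_COUNTER_GLOBAL = """\
name                                  value    rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                  41      35 info      packet    pktproc  Packets received
flow_rcv_err                              1        0 drop      flow      parse    Packets dropped: flow stage receive error
flow_rcv_dot1q_tag_err                    5        4 drop      flow      parse    Packets dropped: 802.1q tag not configured
flow_no_interface                          5        4 drop      flow      parse    Packets dropped: invalid interface
flow_fwd_l3_mcast_drop                    11        9 drop      flow      forward  Packets dropped: no route for IP multicast
flow_parse_l4_hdr                          1        6 drop      flow      parse    Packets dropped: TCP (UDP) packet too short
"""

SECTION_RE = re.compile(r"^(.*counters read from .*):$")
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 /-]*?)\s{2,}(\d+)$")
GLOBAL_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_interface_counters(text):
    """Return {section: {counter name: value}} for each 'counters read from' block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip()] = int(m.group(2))
    return sections


def parse_global_counters(text):
    """Return one dict per counter row (the header line fails the numeric match)."""
    fields = ("name", "value", "rate", "severity", "category", "aspect", "description")
    rows = []
    for raw in text.splitlines():
        m = GLOBAL_RE.match(raw.strip())
        if m:
            row = dict(zip(fields, m.groups()))
            row["value"], row["rate"] = int(row["value"]), int(row["rate"])
            rows.append(row)
    return rows


def diagnose(interface_text, global_text):
    """Explain hardware receive errors with the global drop counters of aspect 'parse'."""
    sections = parse_interface_counters(interface_text)
    hw = sections["Hardware interface counters read from CPU"]
    lg = sections["Logical interface counters read from CPU"]
    # Sanity check suggested by the article's example (not a documented PAN-OS
    # invariant): hardware packets received, minus receive errors and drops,
    # should equal the packets the logical interface received.
    accounted = hw["packets received"] - hw["receive errors"] - hw["packets dropped"]
    result = {
        "hw_receive_errors": hw["receive errors"],
        "logical_packets_received": lg["packets received"],
        "accounted_for": accounted == lg["packets received"],
        "parse_drop_counters": [],
    }
    if hw["receive errors"]:
        # Receive errors are L2-L4 parse failures, so only 'parse'-aspect drops
        # can explain them; policy and forwarding drops are counted elsewhere.
        result["parse_drop_counters"] = [
            (r["name"], r["value"], r["description"])
            for r in parse_global_counters(global_text)
            if r["severity"] == "drop" and r["aspect"] == "parse" and r["value"] > 0
        ]
    return result


if __name__ == "__main__":
    for name, value, desc in diagnose(SHOW_INTERFACE, SHOW_COUNTER_GLOBAL)["parse_drop_counters"]:
        print(f"{name:<24}{value:>4}  {desc}")
```

Feed it the text captured from the CLI for `show interface <name>` and `show counter global filter delta yes` (the same parser also works on `show counter global filter severity drop`, which lists only the drop counters), and it prints the parse-stage counters that account for the receive errors; on the article's data that is flow_rcv_err, flow_rcv_dot1q_tag_err, flow_no_interface and flow_parse_l4_hdr, with the multicast forwarding drop correctly left out.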

 

The counters can be cleared with the following CLI command (the physical port counters read from the MAC are the exception; they persist until a data-plane restart):

> clear counter all
All counters cleared

 

owner: panagent



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWoCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail