How to mitigate an abnormal increase in "flow_rcv_dot1q_tag

How to mitigate an abnormal increase in "flow_rcv_dot1q_tag_err" global counter

23206

Created On 09/26/18 13:51 PM - Last Modified 07/27/23 23:42 PM

Interfaces

Layer 2

Layer 3

Packet Capture

Virtual Appliance

Virtual Wire

VLAN

VMware ESXi

Installation or Deployment

Initial Configuration

9.1

10.2

10.1

11.0

PAN-OS

VM-Series

Next-Generation Firewall

Symptom

When a packet comes into the firewall, the ingress port, 802.1q (VLAN) tag, and destination MAC address are used as keys to look up the ingress logical interface. If the interface is not found, the packet is discarded. The hardware interface counter "receive error" and global counter “flow_rcv_dot1q_tag_err” are incremented.

Below is an example of the global counter flow_rcv_dot1q_tag_err incrementing in the firewall:

> show counter global

name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_rcv_dot1q_tag_err                    32        7 drop      flow      parse     Packets dropped: 802.1q tag not configured

Environment

PAN-OS
VLANs
Interfaces/Subinterfaces

Cause

Common scenarios where flow_rcv_dot1q_tag_err increments include:

A packet comes into the firewall with an unexpected VLAN tag (i.e. a VLAN tag that does not match the configured VLAN tag on that interface or subinterface)
The neighboring device (Ex: a switch) is flooding VLAN-tagged or untagged traffic out a port which leads to the firewall
User misconfiguration of the VLAN tag on the interface or subinterface (configured no VLAN tag, configured a VLAN tag when one was not needed, configured the incorrect VLAN tag, etc.)
Untagged Spanning Tree Protocol BPDU packets are coming into the firewall. Unless explicitly configured, Spanning Tree Protocol does not by default include VLAN tags. This configuration is known as "Per-VLAN Spanning Tree" which would require manual configuration on the STP enabled device.

Note: If the global counter flow_rcv_dot1q_tag_err increments occasionally/a small amount, it may be safely ignored (as long as the packets dropped are not necessary or causing an issue for a certain traffic in your network to function). However, if the counter increments heavily/at a high rate, it may cause a performance issue on the firewall, as with any heavy rate of traffic ingressing. In that case, the packets ingressing the firewall causing this counter to increment should be identified using a Packet Capture.

Resolution

Verify that the packets coming into this interface are tagged with the VLAN tag number that matches the VLAN tag configured on this interface/subinterface. If needed, take a packet capture to view which packets are coming into the firewall with no tag/an unexpected tag.

Additional Information