Palo Alto Networks Knowledgebase: Receive Time" and "Generate Time" in Traffic and URL Logs have Time Lag if More Than 512 Interfaces"

Receive Time" and "Generate Time" in Traffic and URL Logs have Time Lag if More Than 512 Interfaces"

2411
Created On 02/07/19 23:39 PM - Last Updated 02/07/19 23:39 PM
URL Filtering
Resolution

Symptom

"Receive Time" and "Generate Time" in Traffic and URL logs have time lag, as shown in the following screenshots:

Traffic Log Sample (18 minutes gap)

Traffic_logs.png

URL Log Sample (18 minutes gap)

url_logs.png

Cause

This is due to a time gap between management plane (MP) and data plane (DP), both can be confirmed by following the CLI commands below:

Clock check on MP

> show clock

Sat Mar 15 23:44:25 CDT 2014

Clock check on DP

> show clock more

DP0:

dataplane time: Sat Mar 15 23:26:01 CDT 2014

DP1:

dataplane time: Sat Mar 15 23:26:01 CDT 2014

DP2:

dataplane time: Sat Mar 15 23:26:01 CDT 2014

If there are more than 512 IP addresses on interfaces (including loopback interfaces) on the DP, NTP daemons stopped on MP and DP.

The error frequent NTP "error 6" in /var/log/messages can be confirmed:

Aug 16 15:38:21 segfault at 8b ip 0804f2a5 sp bfaf7fb0 error 6 in ntpd[8048..

Aug 16 15:53:21 segfault at 8b ip 0804f2a5 sp bfadba70 error 6 in ntpd[8048..

Aug 16 16:23:21 segfault at 8b ip 0804f2a5 sp bfaa1890 error 6 in ntpd[8048..

Aug 16 17:23:22 segfault at 8b ip 0804f2a5 sp bfd82180 error 6 in ntpd[8048..

Aug 16 19:08:49 segfault at 8b ip 0804f2a5 sp bff06c60 error 6 in ntpd[8048.

Workaround

Reduce IP addresses on the interfaces to less than 512.

See Also

Traffic Log Time Stamps

owner: kkondo



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClwdCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language