Firewall Dropping Packets with Counter "flow_fpga_rcv_igr_L4CHKSUMERR" When the Network Processor (FPGA) Fails to Validate the L4 Checksum
Created On 04/28/19 08:51 AM - Last Modified 11/21/23 21:26 PM
Symptom
Firewall drops packets with "flow_fpga_rcv_igr_L4CHKSUMERR" when the network processor (FPGA) fails to validate the L4 checksum of packets.
The set of counters below can be seen in global counters on the firewall:
> show counter global filter delta yes | match flow_fpga
flow_fpga_rcv_igr_L4CHKSUMERR          7     0 info  flow  offload  FPGA IGR Exception: L4CHKSUMERR
flow_fpga_rcv_igr_FLOWDROP            38     0 info  flow  offload  FPGA IGR Exception: FLOWDROP
flow_fpga_rcv_err                      3     0 drop  flow  offload  Packets dropped: receive error from offload processor
flow_fpga_ingress_exception_err     8100   245 drop  flow  offload  Packets dropped: receive ingress exception error from offload processor
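The following is an added example, not part of the original article or any vendor tooling: a small Python parser for the counter output above that picks out the L4 checksum exceptions and the drop counters that are still incrementing. The column order (name, value, rate, severity, category, aspect, description) and the names Counter, parse_counters and triage are assumptions made for this sketch.

```python
import re
from typing import NamedTuple

# Output copied from this article's "show counter global" example.
SAMPLE = """\
> show counter global filter delta yes | match flow_fpga
flow_fpga_rcv_igr_L4CHKSUMERR          7     0 info  flow  offload  FPGA IGR Exception: L4CHKSUMERR
flow_fpga_rcv_igr_FLOWDROP            38     0 info  flow  offload  FPGA IGR Exception: FLOWDROP
flow_fpga_rcv_err                      3     0 drop  flow  offload  Packets dropped: receive error from offload processor
flow_fpga_ingress_exception_err     8100   245 drop  flow  offload  Packets dropped: receive ingress exception error from offload processor
"""

class Counter(NamedTuple):
    name: str
    value: int        # delta since the previous read ("delta yes")
    rate: int         # second numeric column, assumed to be a per-second rate
    severity: str     # e.g. info, drop
    category: str
    aspect: str
    description: str

# Assumed column order: name value rate severity category aspect description
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.+)$")

def parse_counters(text):
    """Parse counter rows; the prompt line and blank lines do not match and are skipped."""
    counters = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            name, value, rate, sev, cat, aspect, desc = m.groups()
            counters.append(Counter(name, int(value), int(rate), sev, cat, aspect, desc.strip()))
    return counters

def triage(counters):
    """Return (non-zero L4 checksum exception counters, drop counters with a non-zero rate)."""
    checksum = [c for c in counters if c.name.endswith("L4CHKSUMERR") and c.value > 0]
    active_drops = [c for c in counters if c.severity == "drop" and c.rate > 0]
    return checksum, active_drops

if __name__ == "__main__":
    checksum, active_drops = triage(parse_counters(SAMPLE))
    for c in checksum:
        print(f"L4 checksum exceptions: {c.name} delta={c.value}")
    for c in active_drops:
        print(f"Active drops: {c.name} delta={c.value} rate={c.rate}")
```
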
Environment
PA-3200 Series firewalls
PA-5200 Series firewalls
PA-5400 Series firewalls
PA-7000 Series firewalls
Cause
The L4 checksum fails when trailing bytes are added to packets with a size bigger than 256 bytes. The counter "flow_fpga_rcv_igr_L4CHKSUMERR" is seen when the packet has become corrupted and fails checksum validation.
Resolution
The firewall is expected to drop such a packet because strict L4 checksum validation is enabled by default.
To disable the L4 checksum check:
1. Run the CLI command "set system setting layer4-checksum disable"
2. Reboot the system