PA-3200/5200 does not capture inbound ESP Protocol 50 packets in Receive stage

17765

Created On 10/25/19 02:21 AM - Last Modified 10/15/25 10:05 AM

IPSec

PA-3200 Series

PA-5200 Series

Packet Capture

Analysis

Hardware

VPNs

Remote Networks

8.1

9.0

Hardware

PAN-OS

Symptom

PA-32xx and PA-52xx Firewall do not capture ESP packets at Receive stage.
It doesn't impact the traffic.
Configured filter on PA-3220 and initiated traffic by sending ping.

admin@Lab34-77-PA-3220> debug dataplane packet-diag show setting

--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   no
  Index 1: 0.0.0.0/32[0]->0.0.0.0/32[0], proto 50          <<<<<<<<<<< for ESP
           ingress-interface any, egress-interface any, exclude non-IP
  Index 2: 34.34.34.1/32[0]->34.34.34.2/32[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
  Index 3: 34.34.34.2/32[0]->34.34.34.1/32[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
  Index 4: 0.0.0.0/0[0]->0.0.0.0/0[0], proto 0
           ingress-interface ethernet1/1, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
  Enabled:                   yes
  Log-throttle:              no
  Sync-log-by-ticks:         yes
  Features:
    flow    : basic
    tunnel  : flow
  Counters:
--------------------------------------------------------------------------------

Ping started between tunnel IP addresses to initiate tunnel

admin@Lab33-198-PA-3220> ping source 33.33.33.2 host 33.33.33.1
PING 33.33.33.1 (33.33.33.1) from 33.33.33.2 : 56(84) bytes of data.
64 bytes from 33.33.33.1: icmp_seq=2 ttl=64 time=1.48 ms
64 bytes from 33.33.33.1: icmp_seq=3 ttl=64 time=1.46 ms
64 bytes from 33.33.33.1: icmp_seq=4 ttl=64 time=1.45 ms
64 bytes from 33.33.33.1: icmp_seq=5 ttl=64 time=1.45 ms
64 bytes from 33.33.33.1: icmp_seq=6 ttl=64 time=1.48 ms
64 bytes from 33.33.33.1: icmp_seq=7 ttl=64 time=1.37 ms
64 bytes from 33.33.33.1: icmp_seq=8 ttl=64 time=1.45 ms
64 bytes from 33.33.33.1: icmp_seq=9 ttl=64 time=1.46 ms
64 bytes from 33.33.33.1: icmp_seq=10 ttl=64 time=1.48 ms
64 bytes from 33.33.33.1: icmp_seq=11 ttl=64 time=1.56 ms
64 bytes from 33.33.33.1: icmp_seq=12 ttl=64 time=1.47 ms
64 bytes from 33.33.33.1: icmp_seq=13 ttl=64 time=1.50 ms
64 bytes from 33.33.33.1: icmp_seq=14 ttl=64 time=1.49 ms
64 bytes from 33.33.33.1: icmp_seq=15 ttl=64 time=1.44 ms
^C
— 33.33.33.1 ping statistics —
15 packets transmitted, 14 received, 6% packet loss, time 14025ms
rtt min/avg/max/mdev = 1.373/1.471/1.565/0.055 ms
admin@Lab33-198-PA-3220>

Debug Dataplane Logs show the following on PA-3220:

admin@Lab33-198-PA-3220>
.
.
.
== 2019-07-23 12:53:07.557 -0700 ==
Packet received at ingress stage, tag 0, type ORDERED
Packet info: len 342 port 64 interface 64 vsys 1
Pattern not found  (press RETURN)   <<<<<<<<<<<<<<<<<<<<<<

On Wireshark, Received Packets on PA-3220 vs PA-3020:
- ESP packets can be seen on PA-3020 firewall.

- There were no ESP packets at receive stage on PA-3220 firewall.

Environment

PA-3200
PA-5200
PAN-OS 8.1 and PAN-OS 9.0

Cause

The root cause is that the ESP pkts matching the tunnel session will be decapsulated at the NP stage and those skipped the receive stage pkt capture.

Resolution

There is no solution or workaround. Issue was reported in PAN-122181 and is targeted to be fixed in PAN-OS 8.1.12 and PAN-OS 9.0.6.

Additional Information