PA-3200/5200不会在接收阶段捕获入站 ESP 协议 50 包
17771
Created On 10/25/19 02:21 AM - Last Modified 10/15/25 10:05 AM
Symptom
- PA-32xx 和 PA- 52xx Firewall ESP 不会在接收阶段捕获数据包。
- 它不会影响流量。
- 通过发送ping对已配置的筛选器进行打开 PA-3220 并启动流量。
admin@Lab34-77-PA-3220> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 0.0.0.0/32[0]->0.0.0.0/32[0], proto 50 <<<<<<<<<<< for ESP
ingress-interface any, egress-interface any, exclude non-IP
Index 2: 34.34.34.1/32[0]->34.34.34.2/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 3: 34.34.34.2/32[0]->34.34.34.1/32[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 4: 0.0.0.0/0[0]->0.0.0.0/0[0], proto 0
ingress-interface ethernet1/1, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: yes
Log-throttle: no
Sync-log-by-ticks: yes
Features:
flow : basic
tunnel : flow
Counters:
--------------------------------------------------------------------------------
- 平在隧道 IP 地址之间启动隧道
admin@Lab33-198-PA-3220> ping source 33.33.33.2 host 33.33.33.1 PING 33.33.33.1 (33.33.33.1) from 33.33.33.2 : 56(84) bytes of data. 64 bytes from 33.33.33.1: icmp_seq=2 ttl=64 time=1.48 ms 64 bytes from 33.33.33.1: icmp_seq=3 ttl=64 time=1.46 ms 64 bytes from 33.33.33.1: icmp_seq=4 ttl=64 time=1.45 ms 64 bytes from 33.33.33.1: icmp_seq=5 ttl=64 time=1.45 ms 64 bytes from 33.33.33.1: icmp_seq=6 ttl=64 time=1.48 ms 64 bytes from 33.33.33.1: icmp_seq=7 ttl=64 time=1.37 ms 64 bytes from 33.33.33.1: icmp_seq=8 ttl=64 time=1.45 ms 64 bytes from 33.33.33.1: icmp_seq=9 ttl=64 time=1.46 ms 64 bytes from 33.33.33.1: icmp_seq=10 ttl=64 time=1.48 ms 64 bytes from 33.33.33.1: icmp_seq=11 ttl=64 time=1.56 ms 64 bytes from 33.33.33.1: icmp_seq=12 ttl=64 time=1.47 ms 64 bytes from 33.33.33.1: icmp_seq=13 ttl=64 time=1.50 ms 64 bytes from 33.33.33.1: icmp_seq=14 ttl=64 time=1.49 ms 64 bytes from 33.33.33.1: icmp_seq=15 ttl=64 time=1.44 ms ^C — 33.33.33.1 ping statistics — 15 packets transmitted, 14 received, 6% packet loss, time 14025ms rtt min/avg/max/mdev = 1.373/1.471/1.565/0.055 ms admin@Lab33-198-PA-3220>
- 试飞数据平面日志显示以下情况 PA-3220 :
admin@Lab33-198-PA-3220> . . . == 2019-07-23 12:53:07.557 -0700 == Packet received at ingress stage, tag 0, type ORDERED Packet info: len 342 port 64 interface 64 vsys 1 Pattern not found (press RETURN) <<<<<<<<<<<<<<<<<<<<<<
On Wireshark, Received Packets on PA-3220 vs PA-3020: - ESP packets can be seen on PA-3020 firewall.
- There were no ESP packets at receive stage on PA-3220 firewall.
Environment
- PA-3200
- PA-5200
- PAN-OS 8.1 和 PAN-OS 9.0
Cause
根本原因是匹配 ESP 隧道会话的 pkts 将在阶段被斩首 NP ,而跳过接收阶段 pkt 捕获的 pkts 将被斩首。
Resolution
没有解决方案或解决方法。 问题已报告, PAN-122181 并定位于 PAN-OS 8.1.12 和 PAN-OS 9.0.6。
Additional Information
- PA-32x00/5200 不会 ESP 在接收阶段捕获入站协议 50 包
- PA-52xx不会在接收阶段捕获入站 ESP 协议50包(已返回 PAN-122181 到)