VM-Series Firewall in OCI intermittently stops processing traffic
10727
Created On 02/13/20 15:39 PM - Last Modified 02/01/24 19:21 PM
Symptom
- PA-VM deployed in OCI intermittently stops processing packets. In some cases, the firewalls work fine for a few days / months but stops processing traffic suddenly and triggers unexpected reboots.
- Review System Logs to understand the failure event.
show log system severity equal critical | match rebooting
2019/10/28 14:51:42 critical general general 0 data_plane: restarts exhausted, rebooting system
2019/10/16 16:57:14 critical general general 0 data_plane: restarts exhausted, rebooting system
2019/10/16 16:44:34 critical general general 0 data_plane: restarts exhausted, rebooting system
2019/10/28 14:51:42 critical general general 0 data_plane: restarts exhausted, rebooting system
2019/10/16 16:57:14 critical general general 0 data_plane: restarts exhausted, rebooting system
2019/10/16 16:44:34 critical general general 0 data_plane: restarts exhausted, rebooting system
- Check for DPDK status on the firewall
show system setting dpdk-pkt-io
Device current Packet IO mode: DPDK
Device DPDK Packet IO capable: yes
Device default Packet IO mode: DPDK
Device DPDK Packet IO capable: yes
Device default Packet IO mode: DPDK
- Above CLI output shows DPDK mode is enabled on the VM-Series firewall
Environment
- Platform: PA-VM
- PAN OS : 8.1 and 9.0.
Cause
- Only Packet_MMAP mode is supported in OCI, DPDK must be disabled in PAN-OS 9.0 and below.
Resolution
- Disable DPDK on the firewall using the below CLI command:
> configure
# set system setting dpdk-pkt-io off
# commit force
Note: Updating the system capacity may reset the value DPDK to “on”
Additional Information
Support for DPDK was added in PAN-OS 9.1
https://docs.paloaltonetworks.com/compatibility-matrix/vm-series-firewalls/vms-series-hypervisor-support
SROIV and DPDK is not supported. SROIV and MMAP is supported.