Firewall drops VSS-Management trailer due to Layer 4 checksum enabled

• Some packets are missing in the drop or receive stage of pcap on the FW.
• Wireshark capture at the source shows the VSS-Monitoring ethernet trailer added to the packets that do not make it to the FW.
• The global counter 'flow_fpga_rcv_igr_L4CHKSUMERR'  increments during the time of issue.

• Palo Alto 5200 Series Firewall
• Supported PAN-OS

• On the platforms like PA-5250 with FE100 hardware chip, the FW performs an FCS on the ingress.
• The packets containing VSS-Management trailer breaks the L4 checksum and hence does not make it to the dataplane.
• If the total length of the packet is more than 256 B and the packet has trailer bytes, this cause the L4 checksum on the Firewall and to fail, and that packet is dropped by the Firewall.
• For this  reason these packets are not seen in the packet capture or debug logs on the Firewall

1. On the Firewall, disable layer4 checksum using below command:

> set system setting layer4-checksum disable

2. Reboot the device during maintenance window to bring the change in to effect:

> request restart system

3.  After box comes up after reboot, confirm setting in sdb,  The output should display l4_chk_sum': 0 as below:

> show system state | match fe100
.. 
cfg.hw.fe100: { 'cfg_mode': 10, 'l4_chk_sum': 0, 'usecase': 1, 'v4_v6_choice': 2,