How to identify and troubleshoot physical interface error counters on the firewall

Created On 06/30/22 00:30 AM - Last Modified 09/21/23 15:38 PM


Objective


This procedure returns the physical port error counters for the firewall's interfaces. The counters help identify issues at the physical layer of a port, traffic slowness, and packet drops.



Environment


  • Any Palo Alto Networks firewall
  • Any PAN-OS version


Procedure


Three methods are mentioned below to check interface error counters. The counters will be in hexadecimal format.

  1. Run the following CLI command to find interface errors across all the interfaces on a Palo Alto Networks firewall:

> show system state filter sys.s1.* | match Error

Note: 's1' should be changed to the relevant slot number for platforms with multiple slots (s2, s3, etc).

 

  2. If the interface with errors is already known, the following commands can be used from the CLI:
    
> show interface ethernet1/6
> show system state filter sys.s1.p6.detail
 
  3. If a tech support file is available, the log file below can be checked to get the same output:
xyz_techsupport.tgz/tmp/cli/logs/sdb.txt
In the above file, look for the problematic interface. For example, sys.s1.p6.detail corresponds to Ethernet1/6.

If an error counter shows a value other than zero, a physical layer issue can be confirmed by passing the previously affected traffic through the interface again and checking whether the error counter increments. If it increments, there could be issues at the physical layer, and it is recommended to change the physical equipment connected to the port (SFP, cable, fiber, etc.) one component at a time to isolate the cause.
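The increment check described above can be done offline by comparing two saved snapshots of the state output (for example, two copies of sdb.txt). The script below is an added example, not Palo Alto Networks code: the line layout `sys.sX.pY.detail: { 'name': 0xNN, ... }` is an assumption, the sample snapshots are constructed, and the function names are hypothetical.

```python
import re

# Assumed layout of one state line (the article does not show the output):
#   sys.s1.p6.detail: { 'counter_name': 0x1a, ... }
LINE_RE = re.compile(r"^sys\.s(\d+)\.p(\d+)\.detail:\s*\{(.*)\}")
PAIR_RE = re.compile(r"'?([\w.-]+)'?\s*:\s*(0x[0-9a-fA-F]+)")

def parse_error_counters(text):
    """Return {'ethernet<slot>/<port>': {counter: int}} for error counters."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        iface = f"ethernet{m.group(1)}/{m.group(2)}"  # sys.s1.p6 == ethernet1/6
        for name, value in PAIR_RE.findall(m.group(3)):
            # Keep names containing "Error"; skip the RXNoErrors/TXNoErrors
            # success counters, which do not indicate a fault.
            if "Error" in name and "NoErrors" not in name:
                result.setdefault(iface, {})[name] = int(value, 16)  # hex -> int
    return result

def incremented(before_text, after_text):
    """Return {iface: {counter: delta}} for counters that grew between snapshots."""
    before = parse_error_counters(before_text)
    report = {}
    for iface, counters in parse_error_counters(after_text).items():
        for name, value in counters.items():
            delta = value - before.get(iface, {}).get(name, 0)
            if delta > 0:
                report.setdefault(iface, {})[name] = delta
    return report

# Constructed sample snapshots (not real firewall output).
BEFORE = """\
sys.s1.p5.detail: { 'snmpIfInErrors': 0x0, 'snmpEtherStatsRXNoErrors': 0x2f10, }
sys.s1.p6.detail: { 'snmpDot3StatsFCSErrors': 0x1a, 'snmpIfInErrors': 0x1a, 'snmpEtherStatsRXNoErrors': 0x9c40, }
"""
AFTER = """\
sys.s1.p5.detail: { 'snmpIfInErrors': 0x0, 'snmpEtherStatsRXNoErrors': 0x3a98, }
sys.s1.p6.detail: { 'snmpDot3StatsFCSErrors': 0x2f, 'snmpIfInErrors': 0x2f, 'snmpEtherStatsRXNoErrors': 0xc350, }
"""

if __name__ == "__main__":
    for iface, counters in incremented(BEFORE, AFTER).items():
        for name, delta in sorted(counters.items()):
            print(f"{iface} {name} +{delta}")
```

A counter that is non-zero but unchanged between snapshots is not reported, which matches the article's advice to look for increments while the affected traffic is flowing.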



Additional Information


Definitions for counters can be found in MIB browsers or in online MIB databases by searching for the counter name.
A few examples of physical port errors seen on an interface are listed below. These are mostly for the PA-3200, PA-5200 and PA-7000 series firewalls, as other platform series will have different counter names.

 

  • snmpDot3StatsFCSErrors: A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check. This count does not include frames received with frame-too-long or frame-too-short error.
     

  • snmpDot3StatsInternalMacReceiveErrors: A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error.
     

  • snmpDot3StatsSymbolErrors: The number of times there was an invalid data symbol when a valid carrier was present.
     

  • snmpEtherStatsCRCAlignErrors: The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
     

  • snmpIfInErrors: For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.


Note: 'snmpEtherStatsRXNoErrors' and 'snmpEtherStatsTXNoErrors' do not indicate any errors. These are "success" counters and are not indicative of any sort of issue on the device or interface.

Other useful articles that can be referred to for detecting physical layer issues at the firewall interface:


