How to mitigate an abnormal increase in "flow_fwd_l3_ttl_zero" global counter
Created On 06/03/24 16:02 PM - Last Modified 10/29/24 20:00 PM
Objective
- To mitigate an abnormal increase in flow_fwd_l3_ttl_zero global counter.
To check the counter, use the CLI command:
show counter global filter delta yes flow_fwd_l3_ttl_zero
Example output (x and y stand for the counter value and rate):
flow_fwd_l3_ttl_zero x y drop flow forward Packets dropped: IP TTL reaches zero
The flow_fwd_l3_ttl_zero counter increments when a packet is dropped because the Time to Live (TTL) value in its IP header has already reached 1 before the packet arrives at the firewall. The firewall decrements the TTL by 1 and drops the packet when the TTL becomes 0; it also sends an ICMP Time Exceeded message (type 11, code 0) to the originator of the IP packet.
Environment
- Next Generation Firewall
- Supported PAN-OS
- routing loop
- flow_fwd_l3_ttl_zero global counter
Procedure
- Review the routing configuration of the network and the firewall:
- To check the routing table, use the CLI command:
show routing route
Ensure that the routes are properly configured to minimize the number of hops required for the packets to reach their destinations.
- To check the forwarding table, use the CLI command:
show routing fib
Ensure that the routing protocols are updated and reviewed to prevent any misconfiguration or routing loops.
- Check the traffic logs and search for the traffic that is being dropped by the firewall. Navigate to MONITOR > Traffic in the UI.
- Once the source IP, destination IP, and/or application are identified, perform a filtered packet capture. Use a packet analyzer to identify which device in the network is sending the firewall packets with TTL=1, and whether the problem lies in the firewall configuration or outside the firewall. (In Wireshark, use the filter ip.ttl == 1.)
- Use a traceroute to trace the path of the packet and identify any routers that are decrementing the TTL too quickly.
traceroute source <source address> host <host address>
- Note: It is possible to set the max-ttl in the above command.
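The filtered packet capture from the steps above can also be analysed offline. The following Python script is an added example (it is not part of this article and not Palo Alto Networks code): it reads a classic libpcap file exported from the firewall, applies the equivalent of the Wireshark filter ip.ttl == 1, and tallies the matching packets by source MAC and source IP so that the upstream device forwarding TTL=1 packets stands out. It uses only the standard library; the MAC and IP addresses in the embedded sample capture are constructed, and the topology they describe is hypothetical.

```python
# Added example (not from the original article): a dependency-free pcap reader that
# applies the same test as the Wireshark filter ip.ttl == 1 and tallies the matching
# packets per source MAC and source IP. The sample capture at the bottom is constructed.
import struct
import sys
from collections import Counter

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def iter_frames(pcap: bytes):
    """Yield the raw frame bytes of each record in a classic libpcap file."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # little-endian writer (the common case)
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap capture")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def low_ttl_senders(pcap: bytes, max_ttl: int = 1) -> Counter:
    """Count IPv4 frames with TTL <= max_ttl, keyed by (src MAC, src IP, dst IP).

    With max_ttl=1 this selects exactly the packets the firewall would decrement
    to 0 and drop, i.e. the ones that drive flow_fwd_l3_ttl_zero.
    """
    hits = Counter()
    for frame in iter_frames(pcap):
        if len(frame) < 34:              # Ethernet (14) + minimal IPv4 header (20)
            continue
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                     # ARP, IPv6 etc. are not counted
        src_mac = frame[6:12].hex(":")   # the device that handed us the packet
        ip = frame[14:]
        ttl = ip[8]
        src_ip = ".".join(str(b) for b in ip[12:16])
        dst_ip = ".".join(str(b) for b in ip[16:20])
        if ttl <= max_ttl:
            hits[(src_mac, src_ip, dst_ip)] += 1
    return hits


# --- constructed sample capture (hypothetical addresses) --------------------
def _ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: str, src_ip: str, dst_ip: str, ttl: int) -> bytes:
    """Build an Ethernet/IPv4/ICMP echo frame with the given TTL (sample data only)."""
    firewall_mac = bytes.fromhex("000000000001")
    eth = firewall_mac + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETHERTYPE_IPV4)
    payload = b"\x08\x00\x00\x00\x00\x01\x00\x01"   # ICMP echo header; checksum not needed here
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, 1, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return eth + ip + payload


def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


# Hypothetical topology: router 192.0.2.1 keeps handing the firewall TTL=1 packets
# (a routing-loop symptom); router 192.0.2.2 sends normal traffic; one ARP frame.
SAMPLE_PCAP = build_pcap([
    build_frame("00:11:22:33:44:55", "192.0.2.1", "198.51.100.10", ttl=1),
    build_frame("00:11:22:33:44:55", "192.0.2.1", "198.51.100.10", ttl=1),
    build_frame("00:11:22:33:44:55", "192.0.2.1", "198.51.100.10", ttl=1),
    build_frame("00:11:22:33:44:66", "192.0.2.2", "198.51.100.10", ttl=64),
    bytes.fromhex("000000000001") + bytes.fromhex("001122334477") + b"\x08\x06" + b"\x00" * 28,
])

if __name__ == "__main__":
    # Pass the path of a capture exported from the firewall, or run on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (mac, src, dst), n in low_ttl_senders(data).most_common():
        print(f"{n:5d}  ttl<=1  {mac}  {src} -> {dst}")
```

The source MAC is reported alongside the source IP on purpose: the IP identifies the original sender, but the MAC identifies the directly connected router that forwarded the packet with TTL=1 to the firewall, which is the hop to inspect next with traceroute.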