SNMPv3 response delays or timeouts occur on the PA-220/PA-800 series.
5195
Created On 02/13/24 02:14 AM - Last Modified 03/31/25 05:42 AM
Symptom
- SNMPv3 response delays or timeouts occur on the PA-220/PA-800 series from 10.1 or later versions.
- This is observed by executing the following command from the client.
Client:~$ snmpwalk -v 3 -u paloalto -l authPriv -a SHA -A paloalto -x AES -X paloalto 10.x.x.206 1.3.6.1.2.1.25.2.3.1.6.1020
- The actual capture data is shown below when the above request is sent to the PA-220 device.
16:27:01.316042 IP 10.x.x.117.39234 > 10.x.x.206.snmp: F=r U="" E= C="" GetRequest(14)
16:27:02.316898 IP 10.x.x.117.39234 > 10.x.x.206.snmp: F=r U="" E= C="" GetRequest(14)
16:27:03.318021 IP 10.x.x.117.39234 > 10.x.x.206.snmp: F=r U="" E= C="" GetRequest(14)
16:27:04.319139 IP 10.x.x.117.39234 > 10.x.x.206.snmp: F=r U="" E= C="" GetRequest(14)
16:27:05.320251 IP 10.x.x.117.39234 > 10.x.x.206.snmp: F=r U="" E= C="" GetRequest(14)
16:27:06.321428 IP 10.x.x.117.39234 > 10.x.x.206.snmp: F=r U="" E= C="" GetRequest(14)
16:27:07.009269 IP 10.x.x.206.snmp > 10.x.x.117.39234: F= U="" E=_80_00_1f_88_04_30_31_32_38_30_31_30_30_31_30_38_36 C="" Report(31) S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=4
16:27:07.014131 IP 10.x.x.206.snmp > 10.x.x.117.39234: F= U="" E=_80_00_1f_88_04_30_31_32_38_30_31_30_30_31_30_38_36 C="" Report(31) S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=5
16:27:07.014357 IP 10.x.x.206.snmp > 10.x.x.117.39234: F= U="" E=_80_00_1f_88_04_30_31_32_38_30_31_30_30_31_30_38_36 C="" Report(31) S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=6
16:27:07.014579 IP 10.x.x.206.snmp > 10.x.x.117.39234: F= U="" E=_80_00_1f_88_04_30_31_32_38_30_31_30_30_31_30_38_36 C="" Report(31) S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=7
16:27:07.014775 IP 10.x.x.206.snmp > 10.x.x.117.39234: F= U="" E=_80_00_1f_88_04_30_31_32_38_30_31_30_30_31_30_38_36 C="" Report(31) S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=8
16:27:07.014984 IP 10.x.x.206.snmp > 10.x.x.117.39234: F= U="" E=_80_00_1f_88_04_30_31_32_38_30_31_30_30_31_30_38_36 C="" Report(31) S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=9
- In this capture data, it took about 7 seconds until the first response.
Environment
- PA-220, PA-800 series
- PAN-OS 10.1, 10.2, 11.0, 11.1
- SNMPv3
Cause
PA-220 / PA-800 platforms have less processing power than the other higher platforms and can contribute to slowness.
Resolution
The following methods can be used as workaround.
- This issue was fixed as PAN-232550 in 10.2.10, 11.1.5, 11.2.3.
- Use SNMPv2.
- Set timeout to accept the delay of about 30~60 sec in the client side request as the following.
Client:~$ snmpwalk -v 3 -u paloalto -l authPriv -a SHA -A paloalto -x AES -X paloalto 10.x.x.206 1.3.6.1.2.1.25.2.3.1.6.1020 -t 30