No traffic logs seen for VN-TAG traffic coming to the firewall on tap interface

No traffic logs seen for VN-TAG traffic coming to the firewall on tap interface

400
Created On 05/03/22 15:28 PM - Last Modified 11/17/25 20:03 PM


Symptom


- Traffic coming to the firewall, verified from the DataPlane packet capture.
- No session being created for VN-TAG traffic
- No traffic logs seen for VN-TAG traffic

Environment


Any Pan-Os with offload FPGA

Cause


The FE or the offload processor  does not recognise VN-TAG, so it generates an igrexc to the DP. DP tries to forward it and find out the forwarding type is TAP so it discards it.

packet processing at np level: 
== Packet received at np stage ==
CMH-CTRL: SSP: 0x14, [NXTG,PKT,], IHDR: 0xf01c8039/0x00000000
/IGREXC/: CODE: PROTO, ICODE 0, FLOWID: 0x0
PKTINFO: INSLOT: 1, INPORT: 1, EGPORT: 0
         SW: 0, RS: 0, HA3: 0 P: 0 F: 0
         LIF: 0x40, VL: 1, PT: NOTIP, L4O: 0, L3O: 18
        000000   00 f6 63 7f 70 c8 00 50 56 9b 60 1c 81 00 0e 59
        000010   89 26 80 22 00 00 81 00 00 11 08 00 45 00 00 3c
        000020   a4 9b 40 00 3f 06 08 5e ac 10 2e f4 8e fb 24 c3
        000030   d3 54 00 50 45 88 58 03 00 00 00 00 a0 02 ff ff
        000040   6a 11 00 00 02 04 05 64 04 02 08 0a a1 be 3c 8c
        000050   00 00 00 00 01 03 03 08
processing a condor igrexc message, code 32 <----- The IP protocol is invalid

No flow lookup for packet, continue with forwarding
Forwarding lookup, ingress interface 64
2022-04-19 18:58:04.407 +0200  pan_flow_run_fwd(src/pan_flow_fwd.c:2297): Packet dropped, tap mode


packet processing at DP level:

Packet received at ingress stage, tag 0, type ORDERED
Packet info: len 102 port 64 interface 64 vsys 1
  wqe index 552940 packet 0x0x800000037dd228e2, HA: 0, IC: 0
Packet decoded dump:
L2:     00:50:56:9b:60:1c->c4:24:56:e1:51:49, VLAN 3673 (0x8100 0x0e59), type 0x0800
IP:     172.16.46.244->172.16.46.1, protocol 1
        version 4, ihl 5, tos 0x00, len 84,
        id 49534, frag_off 0x4000, ttl 64, checksum 50196(0xc414)
ICMP:   type 8, code 0, checksum 60884, id 12766, seq 33
Flow lookup, msgtype 0, wp.sport 8,wp.dport 0, wp.l4info 524288 key word0 0x31de002100010100 word1 0  word2 0xffffac102ef4 word3 0x0 word4 0xffffac102e01
Flow not found, HA 0
Forward session not supported; go to slowpath
Session setup: vsys 1
No active flow found, enqueue to create session

 

Resolution


The customer needs to remove the VN-TAG from the traffic and needs to send the traffic to the firewall or he can use Vwire to send the traffic for logging purpose.
 

Additional Information


A VN-TAG is different than a normal vlan tag. 
Read more information from the link, click here
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNpbCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail