Logical interface packet drop counter explanation


73252
Created On 07/28/20 20:04 PM - Last Modified 07/29/20 19:35 PM


Symptom


Observed an increase of the drop packets on the logical interface.

Environment


  • PAN-OS All Next Generation Firewall


Cause


Difference between hardware interface statistics and logical interface statistics

  • Each interface on the firewall (for example Ethernet1/1) is composed of both a physical and logical component
  • The physical (hardware) component is responsible for layer-1 and layer-2 frame processing
  • The logical component is responsible for layer-3 and above packet processing
  • Packet drops on the physical interface generally indicate a hardware error (either on the firewall, connected device, or cabling) or layer-2 mismatch of some sort (MTU, CRC errors, etc).
  • Packet drops on the logical interface indicate traffic that the firewall dropped before security rulebase processing because the received traffic is of a type the firewall cannot process. This behavior is expected.
  • Hardware interface packet drops are handled directly by the device’s network processor (such as FE20, FE100, FE101); logical interface packet drops are handled by the dataplane CPUs
  • Details on logical interface packet drops can be seen via the system global counters, detailed below

Reasons for logical interface packet drops

You may experience logical interface packet drops for one or more of the following reasons:
  • A non-SYN TCP packet traversing the firewall when the firewall has not seen the SYN packet
  • Invalid destination MAC address
  • Invalid destination VLAN tag
  • Invalid destination IP
  • Invalid TCP/UDP port
  • Multicast packet received on the same interface
  • Non-IP packets (other than ARP) received
  • No topology is configured (i.e. no route available)
  • Session setup failure / no firewall resources available
  • A discard route is found
  • Packet dropped by PBP (Packet Buffer Protection)
  • Packet dropped by SYN cookies or RED (Random Early Drop)


Resolution


This behavior is by design/expected
 


Additional Information


Example of logical interface drops
 
show interface ethernet1/1
...
Logical interface counters read from CPU:
--------------------------------------------------------------------
bytes received                           26089926955
bytes transmitted                        4755803472
packets received                         58418264
packets transmitted                      10517325
receive errors                           0
packets dropped                          30037
...
--------------------------------------------------------------------


After successful L2 parsing such as verifying header checksums of the packet in hardware, further L3-L4 checks are done on the packet. 

We can check the exact reason for the packet drop from the global counters. For example, the packets in this example are dropped for the reason shown in the global counters below:
show counter global filter delta yes

Filtering the global counters for the counter that matches this specific example shows:
show counter global | match flow_tcp_non_syn_drop
Global counters:
Elapsed time since last sampling: 1.150 seconds
name                          value    rate severity  category  aspect  description
---------------------------------------------------------------

flow_tcp_non_syn_drop           34028    0 drop   flow   session   Packets dropped: non-SYN TCP without session match
 
The example below shows how the hardware drop is not increasing however the logical drop count is; this indicates there are no hardware level issues and may be normal in your environment depending on the traffic flow. 

In the output below, the first “Packets Dropped” number is from the section “Hardware interface counters read from CPU:” and displays hardware packet drops.
The second “Packets Dropped” number is from the section “Logical interface counters read from CPU:” and displays logical packet drops. A zero hardware drop count alongside a rising logical drop count indicates that the hardware is functioning properly.

admin@fw01> show interface ethernet1/1 | match drop
packets dropped                          0
packets dropped                          42709

 
 
Example test with HPing3
Using the hping3 packet generator, Palo Alto Networks generated only non-SYN traffic with the command below (the original output showed "-c l", a typo for "-c 1", one packet):
hping3 8.8.8.8 -a X.X.X.X -s 3000 -p 80 -P -c 1
 

Where X.X.X.X represents the source IP address
-P sets the PSH (push) flag, so the packet carries no SYN


From the command output below, you can see that one packet was received and processed properly in the hardware interface packet counters, whereas one packet was received and then dropped in the logical interface packet counters due to flow_tcp_non_syn_drop as shown by the global counters. 
 
Hardware interface counters read from CPU:
-----------------------------------------------------------------------------
bytes received                           60
bytes transmitted                        0
packets received                         1 
packets transmitted                      0
receive incoming errors                  0
receive discarded                        0
receive errors                           0
packets dropped                          0
-----------------------------------------------------------------------------
Logical interface counters read from CPU:
-----------------------------------------------------------------------------
bytes received                           60
bytes transmitted                        0
packets received                         1
packets transmitted                      0
receive errors                           0
packets dropped                          1
Txt deleted...
-----------------------------------------------------------------------------
show counter global filter delta yes
Global counters:
Elapsed time since last sampling: 34.640 seconds
name                                   value     rate severity  category  aspect    description
-----------------------------------------------------------------------------
flow_tcp_non_syn                           1        0 info      flow      session   Non-SYN TCP packets without session match
flow_tcp_non_syn_drop                      1        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
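To automate the triage the article walks through above (and in the earlier "match drop" example), here is an added example, not part of the original article, that parses constructed copies of the "show interface" and "show counter global" output, tells the hardware and logical "packets dropped" rows apart by their section header, and reports which drop-severity global counters explain a logical-only drop. The sample text, the function names and the classification strings are this example's own assumptions.

```python
import re

# Constructed sample output modelled on the article's CLI captures (not a real capture).
SHOW_INTERFACE = """\
Hardware interface counters read from CPU:
---------------------------------------------
bytes received                           60
packets received                         1
packets dropped                          0
---------------------------------------------
Logical interface counters read from CPU:
---------------------------------------------
bytes received                           60
packets received                         1
packets dropped                          1
---------------------------------------------
"""

SHOW_COUNTER_GLOBAL = """\
name                    value  rate severity  category  aspect   description
-----------------------------------------------------------------------------
flow_tcp_non_syn            1     0 info      flow      session  Non-SYN TCP packets without session match
flow_tcp_non_syn_drop       1     0 drop      flow      session  Packets dropped: non-SYN TCP without session match
"""

def parse_interface_drops(text):
    """Return {'hardware': n, 'logical': n}; the two identical 'packets dropped'
    rows are distinguished only by the section header that precedes them."""
    section, drops = None, {}
    for line in text.splitlines():
        if line.startswith("Hardware interface counters"):
            section = "hardware"
        elif line.startswith("Logical interface counters"):
            section = "logical"
        m = re.match(r"packets dropped\s+(\d+)", line)
        if m and section:
            drops[section] = int(m.group(1))
    return drops

def parse_drop_counters(text):
    """Return {counter_name: value} for rows whose severity column is 'drop'."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s+\d+\s+drop\s", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def triage(drops, drop_counters):
    """Classify the pattern the way the article does: hardware drops point at
    cabling/peer/L2; logical-only drops are pre-rulebase and expected."""
    if drops.get("hardware", 0) > 0:
        return "hardware: check cabling, peer device or L2 settings (MTU/CRC)"
    if drops.get("logical", 0) > 0:
        reasons = ", ".join(f"{k}={v}" for k, v in drop_counters.items()) or "no drop counters matched"
        return f"logical only: expected pre-rulebase drop ({reasons})"
    return "no drops"
```

Run it against a delta sample (filter delta yes) rather than the cumulative counters so the reasons reported line up with the interval in which the logical drop counter moved.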
 
Debugging output from ‘flow basic’ captured in the Palo Alto Networks TAC lab provides further insight into the reason for these drops:
 
== 2020-07-27 10:01:04.458 -0700 ==
Packet received at ingress stage, tag 0, type ORDERED
Packet info: len 60 port 69 interface 69 vsys 1
 wqe index 2097054 packet 0x0x8000001fd5f8e0f6, HA: 0, IC: 0
Packet decoded dump:
L2:     00:50:56:81:9c:f2->00:86:9c:07:55:45, type 0x0800
IP:     192.168.48.166->8.8.8.8, protocol 6
       version 4, ihl 5, tos 0x00, len 40,
       id 26991, frag_off 0x0000, ttl 64, checksum 4099(0x1003)
TCP:    sport 3000, dport 80, seq 450715754, ack 538818507,
       reserved 0, offset 5, window 512, checksum 19782,
       flags 0x08 ( PSH), urgent data 0, l4 data len 0
TCP option:
Flow lookup, key word0 0xbb8005000040600 word1 0  word2 0xffffc0a830a6 word3 0x0 word4 0xffff08080808
Flow not found, HA 0
Session setup: vsys 1
No active flow found, enqueue to create session
 
== 2020-07-27 10:01:04.458 -0700 ==
Packet received at slowpath stage, tag 583253716, type ATOMIC
Packet info: len 60 port 69 interface 69 vsys 1
 wqe index 2097054 packet 0x0x8000001fd5f8e0f6, HA: 0, IC: 0
Packet decoded dump:
L2:     00:50:56:81:9c:f2->00:86:9c:07:55:45, type 0x0800
IP:     192.168.48.166->8.8.8.8, protocol 6
       version 4, ihl 5, tos 0x00, len 40,
       id 26991, frag_off 0x0000, ttl 64, checksum 4099(0x1003)
TCP:    sport 3000, dport 80, seq 450715754, ack 538818507,
       reserved 0, offset 5, window 512, checksum 19782,
       flags 0x08 ( PSH), urgent data 0, l4 data len 0
TCP option:
Session setup: vsys 1
Syncookie time count mismatch
* Dos Profile NULL (NO) Index (0/0) *
Packet dropped, non-SYN TCP packet during session setup
Packet dropped, Session setup failed