Logging traffic for global counters
If you need a GUI tutorial, go to the Palo Alto page:
https://live.paloaltonetworks.com/docs/DOC-3199
1. Let's look for a drop or error counter that is currently counting bad packets
This is an example with the ARP protocol; we are looking for some ARP issues. That's a typical problem on networks…
> show counter global filter value non-zero delta yes | match arp
flow_fwd_l3_noarp           5    0  drop  flow  forward  Packets dropped: no ARP                 <----- HERE 5 bad packets!!! Look for it.
flow_arp_pkt_rcv          468   47  info  flow  arp      ARP packets received
flow_arp_pkt_xmt            2    0  info  flow  arp      ARP packets transmitted
flow_arp_pkt_replied      175   17  info  flow  arp      ARP requests replied
flow_arp_pkt_learned        2    0  info  flow  arp      ARP entry learned
flow_arp_rcv_gratuitous    10    1  info  flow  arp      Gratuitous ARP packets received
flow_arp_resolve_xmt        2    0  info  flow  arp      ARP resolution packets transmitted
2. Activate the log for that specific counter
> debug dataplane packet-diag set log counter flow_fwd_l3_noarp
> debug dataplane packet-diag set filter pre-parse-match yes      # That's what we did
> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   no
  Match pre-parsed packet:   yes
--------------------------------------------------------------------------------
Logging
  Enabled:                   no
  Log-throttle:              no
  Sync-log-by-ticks:         yes
  Features:
  Counters:
    flow_fwd_l3_noarp    drop    Packets dropped: no ARP
--------------------------------------------------------------------------------
Packet capture
  Enabled:                   no
  Snaplen:                   0
--------------------------------------------------------------------------------
3. Find the timestamps with the logged drops for the specific counter
You can see in the output that the counter fired 4 times in one second at 2015/01/13 16:29:44.
> show log system | match flow_fwd_l3_noarp
2015/01/13 16:29:05 info general general 0 counter flow_fwd_l3_noarp=753176
2015/01/13 16:29:05 info general general 0 counter flow_fwd_l3_noarp=753177
2015/01/13 16:29:06 info general general 0 counter flow_fwd_l3_noarp=753178
2015/01/13 16:29:06 info general general 0 counter flow_fwd_l3_noarp=753178
2015/01/13 16:29:06 info general general 0 counter flow_fwd_l3_noarp=753178
2015/01/13 16:29:06 info general general 0 counter flow_fwd_l3_noarp=753178
2015/01/13 16:29:06 info general general 0 counter flow_fwd_l3_noarp=722221
2015/01/13 16:29:06 info general general 0 counter flow_fwd_l3_noarp=753179
2015/01/13 16:29:23 info general general 0 counter flow_fwd_l3_noarp=753180
2015/01/13 16:29:23 info general general 0 counter flow_fwd_l3_noarp=722222
2015/01/13 16:29:23 info general general 0 counter flow_fwd_l3_noarp=753181
2015/01/13 16:29:24 info general general 0 counter flow_fwd_l3_noarp=753182
2015/01/13 16:29:24 info general general 0 counter flow_fwd_l3_noarp=722223
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=722224      <-------- 4 times in one second!!!
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=753183
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=753184
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=753185
2015/01/13 16:29:45 info general general 0 counter flow_fwd_l3_noarp=722225
2015/01/13 16:29:57 info general general 0 counter flow_fwd_l3_noarp=722226
2015/01/13 16:29:58 info general general 0 counter flow_fwd_l3_noarp=753186
2015/01/13 16:29:58 info general general 0 counter flow_fwd_l3_noarp=722227
2015/01/13 16:29:58 info general general 0 counter flow_fwd_l3_noarp=753187
2015/01/13 16:29:58 info general general 0 counter flow_fwd_l3_noarp=722228
2015/01/13 16:29:59 info general general 0 counter flow_fwd_l3_noarp=753188
...
4. With a timestamp we can start to find the complete entries
Look for the log entries at 2015/01/13 16:29:44
> show log system start-time equal 2015/01/13@16:29:44
Time                 Severity  Subtype  Object   EventID  ID  Description
===============================================================================
2015/01/13 16:29:44  info      dhcp     lease-e  0            DHCP lease ended ip 192.168.10.107 --> mac 64:76:ba:9e:36:d0, interface ethernet1/4. 108
2015/01/13 16:29:44  info      general  general  0            counter flow_fwd_l3_noarp=722224 192.168.8.250[29704]-->192.168.10.107[1] sess id 50530Packet info: len 102 port 19 tag 0 interface 260 IP: 192.168.8.250->192.168.10.107, pro
2015/01/13 16:29:44  info      general  general  0            counter flow_fwd_l3_noarp=753183 192.168.8.250[29704]-->192.168.10.107[2] sess id 61728Packet info: len 102 port 19 tag 0 interface 260 IP: 192.168.8.250->192.168.10.107, pro
2015/01/13 16:29:44  info      general  general  0            counter flow_fwd_l3_noarp=753184 192.168.8.250[29704]-->192.168.10.107[3] sess id 33643Packet info: len 102 port 19 tag 0 interface 260 IP: 192.168.8.250->192.168.10.107, pro
2015/01/13 16:29:44  info      general  general  0            counter flow_fwd_l3_noarp=753185 192.168.8.250[29704]-->192.168.10.107[4] sess id 12976Packet info: len 102 port 19 tag 0 interface 260 IP: 192.168.8.250->192.168.10.107, pro
....
There we go: the ARP entry for 192.168.10.107 has disappeared (note the DHCP lease for that same address ending in the line just above), so the packets cannot be forwarded… That was the reason for the counter value. We have caught it! 🙂
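Steps 3 and 4 are done by eye above: scan the counter log for the second with the most hits, then read the fuller entries at that timestamp to see which destination has no ARP entry. On a busy firewall the counter log can run to thousands of lines, so here is a small added Python example (not from the original post, and not a Palo Alto tool) that does the same two steps offline over text pasted from the CLI. The sample lines are constructed from the output quoted above; the regexes assume the `counter <name>=<value>` and `src[port]-->dst[port]` layouts shown on this page.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "show log system | match flow_fwd_l3_noarp"
# lines quoted above (values copied from the page, not captured from a device).
COUNTER_LOG = """\
2015/01/13 16:29:05 info general general 0 counter flow_fwd_l3_noarp=753176
2015/01/13 16:29:05 info general general 0 counter flow_fwd_l3_noarp=753177
2015/01/13 16:29:23 info general general 0 counter flow_fwd_l3_noarp=753180
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=722224
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=753183
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=753184
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=753185
2015/01/13 16:29:45 info general general 0 counter flow_fwd_l3_noarp=722225
"""

# Constructed sample: fuller entries as shown by "show log system start-time equal ...".
DETAIL_LOG = """\
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=722224 192.168.8.250[29704]-->192.168.10.107[1] sess id 50530Packet info: len 102 port 19 tag 0 interface 260 IP: 192.168.8.250->192.168.10.107, pro
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=753183 192.168.8.250[29704]-->192.168.10.107[2] sess id 61728Packet info: len 102 port 19 tag 0 interface 260 IP: 192.168.8.250->192.168.10.107, pro
2015/01/13 16:29:44 info general general 0 counter flow_fwd_l3_noarp=753184 192.168.8.250[29704]-->192.168.10.107[3] sess id 33643Packet info: len 102 port 19 tag 0 interface 260 IP: 192.168.8.250->192.168.10.107, pro
"""

# Timestamp, then (lazily) the severity/subtype columns, then "counter <name>=<value>".
COUNTER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*? counter (?P<name>\w+)=(?P<value>\d+)"
)
# The "src[port]-->dst[port]" pair that the fuller entries carry after the counter value.
FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\[\d+\]-->(?P<dst>\d+\.\d+\.\d+\.\d+)\[\d+\]"
)


def hits_per_second(log_text, counter):
    """Step 3: how many times `counter` was logged in each one-second bucket."""
    buckets = Counter()
    for line in log_text.splitlines():
        m = COUNTER_RE.match(line)
        if m and m.group("name") == counter:
            buckets[m.group("ts")] += 1
    return buckets


def busiest_second(log_text, counter):
    """Return (timestamp, hits) for the second with the most logged increments.

    Ties resolve to the latest timestamp; returns None if the counter never appears.
    """
    buckets = hits_per_second(log_text, counter)
    if not buckets:
        return None
    return max(buckets.items(), key=lambda kv: (kv[1], kv[0]))


def destinations_at(log_text, timestamp, counter):
    """Step 4: destination IPs of the packets that hit `counter` during `timestamp`.

    For a no-ARP drop the destination is the host whose ARP entry is missing.
    """
    dests = Counter()
    for line in log_text.splitlines():
        m = COUNTER_RE.match(line)
        if not (m and m.group("ts") == timestamp and m.group("name") == counter):
            continue
        flow = FLOW_RE.search(line)
        if flow:
            dests[flow.group("dst")] += 1
    return dests


if __name__ == "__main__":
    name = "flow_fwd_l3_noarp"
    ts, n = busiest_second(COUNTER_LOG, name)
    print(f"{name}: {n} hits in one second at {ts}")
    for dst, count in destinations_at(DETAIL_LOG, ts, name).most_common():
        print(f"  {count} dropped packets towards {dst} (no ARP entry)")
```

Paste the real `show log system | match <counter>` output into `COUNTER_LOG` and the `start-time equal` output into `DETAIL_LOG`; the busiest second is the one worth pulling full entries for, and the destination that dominates `destinations_at` is the host to check for a stale or missing ARP entry.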
5. Delete your filter and set back to default
It is important to have a clean state for the next issue.
> debug dataplane packet-diag clear all
Packet diagnosis setting set to default.
> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   no
  Match pre-parsed packet:   no
--------------------------------------------------------------------------------
Logging
  Enabled:                   no
  Log-throttle:              no
  Sync-log-by-ticks:         yes
  Features:
  Counters:
--------------------------------------------------------------------------------
Packet capture
  Enabled:                   no
  Snaplen:                   0
--------------------------------------------------------------------------------
Done…