topic Re: millions of dropped packets in Firewall and Security Management

millions of dropped packets

Exonix — Mon, 19 Sep 2022 10:45:05 GMT

Hello All,

we have several GW R81.10 with a GRE interface configured. The GRE together with Policy Based Routing is used for Zscaler. On one Firewall at the headquarters we see only 50k dropped packets, but on another branch, we see over 2M dropped packets. How can I find out, what is dropped?

Thank you!

Re: millions of dropped packets

Timothy_Hall — Mon, 19 Sep 2022 12:24:04 GMT

It is not clear if the drops being reported there are policy drops, or interface buffering drops (RX-DRP). Please post the output of:

netstat -ni

ifconfig gre1

ethtool -S gre1 (this may not work)

Re: millions of dropped packets

G_W_Albrecht — Mon, 19 Sep 2022 12:26:19 GMT

Drop ratio is four times higher.

Re: millions of dropped packets

Exonix — Mon, 19 Sep 2022 15:47:43 GMT

[Expert@vrafws01:0]# netstat -ni
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 1737832834 0 0 0 1600292921 0 0 0 BMRU
eth1 1500 0 1758186694 0 0 0 1695221461 0 0 0 BMRU
eth2 1500 0 520731 0 0 0 81 0 0 0 BMRU
eth2.716 1500 0 520729 0 0 0 81 0 0 0 BMRU
eth2.802 1500 0 0 0 0 0 0 0 0 0 BMRU
eth2.816 1500 0 0 0 0 0 0 0 0 0 BMRU
eth2.817 1500 0 0 0 0 0 0 0 0 0 BMRU
eth2.819 1500 0 0 0 0 0 0 0 0 0 BMRU
gre1 1476 0 576331143 0 0 0 673523116 0 0 0 MOPRU
gre2 1476 0 420183 0 0 0 500820 0 0 0 MOPRU
lo 65536 0 4625268 0 0 0 4625268 0 0 0 LMPRU

[Expert@vrafws01:0]# ifconfig gre1
gre1 Link encap:UNSPEC HWaddr DF-1F-02-F2-16-09-AC-8B-00-00-00-00-00-00-00-00
inet addr:172.21.241.129 P-t-P:172.21.241.130 Mask:255.255.255.252
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1476 Metric:1
RX packets:576348007 errors:0 dropped:0 overruns:0 frame:0
TX packets:673539505 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:351032158812 (326.9 GiB) TX bytes:622558876610 (579.8 GiB)

[Expert@vrafws01:0]# ethtool -S gre1
no stats available

Re: millions of dropped packets

Timothy_Hall — Mon, 19 Sep 2022 16:24:02 GMT

Must be policy drops then, try applying this filter to the traffic logs in the SmartConsole:

interface:gre1 and not action:accept

Otherwise you'll need to run fw ctl zdebug + drop | grep gre1 and wait for some traffic to get dropped to see the reason.

Re: millions of dropped packets

Wolfgang — Mon, 19 Sep 2022 19:38:15 GMT

@Exonix use the filter mentioned by @Timothy_Hall in the log view of SmartConsole. On the right you can open and see a statistics tab with details to top source, destination, service etc. With this information you get more details for the dropped traffic.

Re: millions of dropped packets

Exonix — Tue, 20 Sep 2022 08:10:38 GMT

I found a lot of dropped traffic from and to Zscaler Servers. fw ctl zdebug didn't schow anyting.

The top-sources are Zscaler Servers:

Re: millions of dropped packets

_Val_ — Tue, 20 Sep 2022 08:22:24 GMT

Click on one of the logs, what does it say?

Re: millions of dropped packets

Exonix — Tue, 20 Sep 2022 08:29:09 GMT

can this setting be a reson for the drop?

Re: millions of dropped packets

_Val_ — Tue, 20 Sep 2022 09:07:05 GMT

Yes, it could be it. Why did you set this in the first place?

Re: millions of dropped packets

Exonix — Tue, 20 Sep 2022 15:08:56 GMT

I didn't set it, it was configured long time ago, before I joined the company.

As soon as we removed this restriction, the number of dropped packets decreased three times. I was told the customer has upgraded its Internet connection to 50 Mbit and the restriction is no longer necessary. I keep watching.

Re: millions of dropped packets

_Val_ — Wed, 21 Sep 2022 06:51:19 GMT

Good we figured this out

Re: millions of dropped packets

Exonix — Wed, 21 Sep 2022 11:12:38 GMT

thank you!