This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Exonix
Advisor
‎2022-09-19 03:45 AM
Jump to solution

millions of dropped packets

Hello All,

we have several GW R81.10 with a GRE interface configured. The GRE together with Policy Based Routing is used for Zscaler. On one Firewall at the headquarters we see only 50k dropped packets, but on another branch, we see over 2M dropped packets. How can I find out, what is dropped?

Thank you!

gedroppte_pakete.png

0 Kudos
1 Solution

Accepted Solutions
Exonix
Advisor
‎2022-09-20 01:29 AM
In response to _Val_
Jump to solution

log2.png

can this setting be a reson for the drop?

qos1.png

View solution in original post

0 Kudos
12 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2022-09-19 05:22 AM
Jump to solution

It is not clear if the drops being reported there are policy drops, or interface buffering drops (RX-DRP).  Please post the output of:

netstat -ni

ifconfig gre1

ethtool -S gre1  (this may not work)

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Exonix
Advisor
‎2022-09-19 08:47 AM
In response to Timothy_Hall
Jump to solution

[Expert@vrafws01:0]# netstat -ni
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 1737832834 0 0 0 1600292921 0 0 0 BMRU
eth1 1500 0 1758186694 0 0 0 1695221461 0 0 0 BMRU
eth2 1500 0 520731 0 0 0 81 0 0 0 BMRU
eth2.716 1500 0 520729 0 0 0 81 0 0 0 BMRU
eth2.802 1500 0 0 0 0 0 0 0 0 0 BMRU
eth2.816 1500 0 0 0 0 0 0 0 0 0 BMRU
eth2.817 1500 0 0 0 0 0 0 0 0 0 BMRU
eth2.819 1500 0 0 0 0 0 0 0 0 0 BMRU
gre1 1476 0 576331143 0 0 0 673523116 0 0 0 MOPRU
gre2 1476 0 420183 0 0 0 500820 0 0 0 MOPRU
lo 65536 0 4625268 0 0 0 4625268 0 0 0 LMPRU

[Expert@vrafws01:0]# ifconfig gre1
gre1 Link encap:UNSPEC HWaddr DF-1F-02-F2-16-09-AC-8B-00-00-00-00-00-00-00-00
inet addr:172.21.241.129 P-t-P:172.21.241.130 Mask:255.255.255.252
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1476 Metric:1
RX packets:576348007 errors:0 dropped:0 overruns:0 frame:0
TX packets:673539505 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:351032158812 (326.9 GiB) TX bytes:622558876610 (579.8 GiB)

[Expert@vrafws01:0]# ethtool -S gre1
no stats available

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-09-19 09:24 AM
In response to Exonix
Jump to solution

Must be policy drops then, try applying this filter to the traffic logs in the SmartConsole:

interface:gre1 and not action:accept

Otherwise you'll need to run fw ctl zdebug + drop | grep gre1 and wait for some traffic to get dropped to see the reason.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Wolfgang
MVP Gold
MVP Gold
‎2022-09-19 12:38 PM
In response to Timothy_Hall
Jump to solution

@Exonix use the filter mentioned by @Timothy_Hall in the log view of SmartConsole. On the right you can open and see a statistics tab with details to top source, destination, service etc. With this information you  get more details for the dropped traffic.

Exonix
Advisor
‎2022-09-20 01:10 AM
In response to Wolfgang
Jump to solution

I found a lot of dropped traffic from and to Zscaler Servers. fw ctl zdebug didn't schow anyting.

gre47.png

 

The top-sources are Zscaler Servers:

top1.png

 

0 Kudos
_Val_
Admin
Admin
‎2022-09-20 01:22 AM
In response to Exonix
Jump to solution

Click on one of the logs, what does it say?

 

Exonix
Advisor
‎2022-09-20 01:29 AM
In response to _Val_
Jump to solution

log2.png

can this setting be a reson for the drop?

qos1.png

0 Kudos
_Val_
Admin
Admin
‎2022-09-20 02:07 AM
In response to Exonix
Jump to solution

Yes, it could be it. Why did you set this in the first place?

0 Kudos
Exonix
Advisor
‎2022-09-20 08:08 AM
In response to _Val_
Jump to solution

I didn't set it, it was configured long time ago, before I joined the company.

As soon as we removed this restriction, the number of dropped packets decreased three times. I was told the customer has upgraded its Internet connection to 50 Mbit and the restriction is no longer necessary. I keep watching.

_Val_
Admin
Admin
‎2022-09-20 11:51 PM
In response to Exonix
Jump to solution

Good we figured this out

Exonix
Advisor
‎2022-09-21 04:12 AM
In response to _Val_
Jump to solution

thank you!

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-09-19 05:26 AM
Jump to solution

Drop ratio is four times higher.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events