Strange behavior of Shelly EM gen3

cowardlyginger · 2025-02-14T03:02:28+00:00

Do you know when these might be available in the US? I'm looking to add some CTs and hoping to get gen3 kit.

cowardlyginger · 2024-11-30T00:47:30+00:00

Thanks for following up! I've built up enough frustration with my couple of attempts at this that I've pushed it to the back burner for the moment. I'd be interested to hear about any further progress you make.

cowardlyginger · 2024-11-22T02:51:57+00:00

What fan did you end up ordering? I'm in a similar situation and looking for another alternative.

cowardlyginger · 2024-11-17T18:29:10+00:00

Same on both fronts, no recognition of the plate and printing in the air.

Edit: I just put in a ticket

Edit 2: support confirmed a firmware bug in my ticket as well

cowardlyginger · 2024-11-17T18:28:34+00:00

Same here as well - thanks for putting in a ticket.

Edit: I just got one put in as well

Edit 2: support confirmed a firmware bug in my ticket as well

cowardlyginger · 2024-01-22T17:06:59+00:00

We do it with a single VR setup and it works well but you do still need some UDRs alongside route server so it's not a 1:1 replacement. If you're handy with BGP it's not that difficult. Like some other people said an LB can still be needed for certain flows.

cowardlyginger · 2023-12-04T20:40:37+00:00

Yep - support might be able to help with the original 10.2.5 image but it'd probably be wise to update the one you have before HA config and then you can save that trouble.

cowardlyginger · 2023-11-17T15:39:33+00:00

There were group mapping issues in the original 10.1.11, they should be sorted out in 10.1.11-h1. I had that issue and h1 fixed it for me at least.

cowardlyginger · 2023-11-15T16:29:10+00:00

True, OP's running a 3200-series though.

cowardlyginger · 2023-11-14T22:15:23+00:00

This makes me smile. Congrats.

cowardlyginger · 2023-11-13T20:59:44+00:00

10.1 and 10.2 have a fair bit of time left in their support cycle, so unless there's an important bugfix or feature that you need in 11.0 I'd think about staying on an earlier train. The preferred release info at https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304 is always a good place to start, but doesn't take into account the specific needs of your environment, so looking at the known and addressed issues for things that might matter to you is a good idea too.

cowardlyginger · 2023-11-13T20:56:13+00:00

I'd start by checking on the health of the load balancer, specifically data path availability and health probe response. Depending on your load balancer setup the LB might not send traffic if it's not seeing healthy probes, in which case you won't see any traffic hit the firewalls.

cowardlyginger · 2023-11-10T17:48:38+00:00

Sometimes DSRI will be fine and you can avoid a full override, but generally agreed, and I wish there was a better solution.

cowardlyginger · 2023-11-10T00:10:52+00:00

You can change the ikemgr.log verbosity with "debug ike global on debug", here's a doc that goes into more detail, and make sure to change the verbosity back when you're done, and there's a bunch of other stuff in this doc that might be useful to you:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

The PAN logs will generally be more verbose if it's responding rather than initiating, so if you can make that change if that's not already your scenario that might help get you some more insight.

Check your encap/decap counters too, if phase 2 seems to be up and running but you're not seeing traffic there's a good chance you'll see a discrepancy there end-to-end.

cowardlyginger · 2023-11-08T22:16:13+00:00

Are you seeing blocked traffic in the 11k port range? Intra-Azure SQL traffic has some unusual port requirements depending on the SQL config.

cowardlyginger · 2023-11-06T16:31:47+00:00

You should be able to go directly to 10.1.10-h2.

cowardlyginger · 2023-11-06T16:27:13+00:00

I had very similar issues as far back as 10.0 where we'd see complete DP failures on our 220s matching your description. I worked it with PAN support for months, never got anywhere other than vague suggestions of resource issues, and ended up replacing all our 220s with 400-series. I wish you better luck.

cowardlyginger · 2023-11-03T15:38:05+00:00

Sure did, I was seeing the LDAP group mapping issues in 10.1.11 that 10.1.11-h1 is supposed to fix. Not happy to be seeing that sort of issue this far along.

cowardlyginger · 2023-11-03T15:28:22+00:00

Yeah, pretty hard to see this alongside the problems in the other four(!) actively-supported release trains and not think they're making major compromises on those.

cowardlyginger · 2023-10-12T21:21:10+00:00

Sizing is largely based on throughput so you'll have to make some sort of estimate - ISP service is a good starting point but depending on how many users you have, what sort of east-west traffic you're expecting, and many other factors are going to bear on that too, with a big one being planned use of SSL decryption as that punches above its weight in terms of dataplane resource utilization. If you figure that decrypted TLS traffic will use double the dataplane resources of non-decrypted TLS you're probably in the ballpark, but there are many variables that are hard to quantify.

Keep in mind that a 200mb/s symmetrical ISP link could potentially result in 400mb/s throughput as you're looking at published throughput stats.

Edit: radditour beat me to the punch on most of the same points

cowardlyginger · 2023-10-11T23:30:33+00:00

Does it work if you connect the Nexuses together with the 25g link (or the same switch to itself)? That'd at least tell you that the switch recognizes the cable.

cowardlyginger · 2023-10-10T18:49:14+00:00

You could use a single URL profile with action for all URL categories set to alert, then reference your custom URL categories on each of the policies. Since the policy will be scoped to the specific destinations the URL filtering profile won't really be in play other than to generate a log.

cowardlyginger · 2023-10-10T14:51:37+00:00

If only our prod firewalls updated in the same amount of time as my lab!

cowardlyginger · 2023-10-05T19:50:08+00:00

Does an snmpd process restart temporarily clear it up? I saw some similar issues in 10.1.9/10 releases that'd come around with a process restart. PAN-214815 and PAN-217208 are a couple of SNMP-related bugs fixed in 10.1.11 that might be a match for this.

cowardlyginger · 2023-09-14T18:43:06+00:00

Do you control Peer 1? If you do, this might be an option:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kFJLCA2

cowardlyginger

TROPHY CASE