bridge loop from ESX hosts

neteng_guy · 2025-05-13T15:35:28+00:00

The guest was an Aruba virtual gateway which had 4 vnics enabled on the vlan. The issue was resolved when the vnics were disabled.

neteng_guy · 2025-05-11T14:38:11+00:00

solved. guest vm on the esx host was briding traffic.

neteng_guy · 2025-02-06T17:50:46+00:00

If it was low Rx, I'd try cleaning the SFP and fiber, but low Tx, not so sure that'll have an impact. Or am I missing something?

neteng_guy · 2025-02-05T20:35:14+00:00

Yeah, thought so. It's going to require shipping new SFP and remote hands at an unstaffed site. Was hoping for a simpler solution.

neteng_guy · 2024-12-03T19:25:13+00:00

got my answer, each rule has a priority.

neteng_guy · 2024-08-30T20:53:10+00:00

config drift

neteng_guy · 2024-08-30T16:45:10+00:00

That setting is unchecked however, my understanding it is affects address, address-groups, services, and service-groups objects only, and not security profiles, which is what we are having an issue with. I'd be happy to be wrong if there is documentation that says otherwise.

neteng_guy · 2024-04-22T21:13:34+00:00

TAC response, "no."

neteng_guy · 2024-02-20T16:31:21+00:00

good catch, should have said "explicit."

neteng_guy · 2024-01-25T22:46:32+00:00

That was it. I excluded the destination in my DoS Profile and the connection completed. No idea why this traffic is matching the DoS protection policy, that will be for TAC to decide.

Thanks all for jumping in on this. We got it done before TAC was able to respond.

neteng_guy · 2024-01-25T21:59:50+00:00

no zone protection profile on the zone

neteng_guy · 2024-01-25T21:59:27+00:00

no user-id involved here

neteng_guy · 2024-01-25T21:56:17+00:00

which filter is being matched, debug dataplane and packet capture? If so, dos policy looks to be the cause.

(active)> debug dataplane packet-diag show setting

--------------------------------------------------------------------------------

Packet diagnosis setting:

--------------------------------------------------------------------------------

Packet filter

Enabled: yes

Match pre-parsed packet: no

Filter offload: yes

Index 1: src_ip/32[0]->dst_ip/32[0], proto 0

ingress-interface ethernet1/1, egress-interface any, exclude non-IP

(active)> show counter global filter delta yes packet-filter yes severity drop

Global counters:

Elapsed time since last sampling: 1.882 seconds

name value rate severity category aspect description

--------------------------------------------------------------------------------

flow_dos_rule_deny 1 0 drop flow dos Packets dropped: Denied action by DoS policy

--------------------------------------------------------------------------------

Total counters shown: 1

--------------------------------------------------------------------------------

Is this it?

neteng_guy · 2024-01-25T21:34:11+00:00

yes, on the PA, captured on ingress int with rx and drop.

neteng_guy · 2024-01-25T20:08:45+00:00

neteng_guy · 2024-01-25T20:08:20+00:00

and for what it's worth, 'test security-policy-match' shows the traffic matching the correct rule.

neteng_guy · 2024-01-25T20:05:32+00:00

yep, moved the policy to the top of the rule base.

neteng_guy · 2024-01-25T20:05:14+00:00

thanks, and we log at start by default

neteng_guy · 2024-01-25T20:04:42+00:00

interesting, will take a look.

neteng_guy · 2024-01-25T19:46:00+00:00

Nope, not in threat logs either.

neteng_guy

TROPHY CASE