Troubleshoot Network Packet Broker

If you encounter issues configuring Network Packet Broker, check the following items:
  • Firewall configuration:
    • Check the next-hop route on the forwarding interface pairs to ensure that it specifies the correct device interface.
    • Check the IP addresses of the chain devices and the firewall interfaces to ensure that they are properly entered in the Packet Broker profile.
    • If HA is enabled, check that the correct interfaces are specified in the profile.
    • Check the flow direction of traffic through the chain.
    • Ensure that the profile indicates the appropriate security chain type.
  • Security chain configuration; check:
    • IP addresses, next-hop addresses, and default gateways for each appliance in the security chain.
    • The configuration of any devices between the firewall and the security chain (routers, switches, etc.) for IP addressing, next-hop, and default gateway misconfiguration.
    • The path between the firewall and the chain.
  • Check firewall Traffic logs to validate that you see the “Forwarded” flag set as expected for brokered traffic.
  • Useful CLI commands include:
    • show rulebase network-packet-broker
    • show running network-packet-broker status
    • show running network-packet-broker statistics
    • show running application-cache all
    • show running application setting
      • Confirm that the App-ID cache is enabled and that the cache is used for App-ID, check the cache threshold setting, etc.
