Troubleshoot Network Packet Broker
If you encounter issues configuring Network Packet Broker, check the following items:
Firewall configuration:
- Check the next-hop route on the forwarding interface pairs to ensure that it specifies the correct device interface.
- Check the IP addresses of the chain devices and the firewall interfaces and ensure that they are properly entered in the Packet Broker profile.
- If HA is enabled, check that the correct interfaces are specified in the profile.
- Check the flow direction of traffic through the chain.
- Ensure that the profile indicates the appropriate security chain type.
Security chain configuration; check:
- IP addresses, next-hop addresses, and default gateways for each appliance in the security chain.
- The configuration of any devices between the firewall and the security chain (routers, switches, etc.) for IP addressing, next-hop, and default gateway misconfiguration.
- The path between the firewall and the chain.
Check firewall Traffic logs to validate that you see the “Forwarded” flag set as expected for brokered traffic.
Useful CLI commands include:
- show rulebase network-packet-broker
- show running network-packet-broker status
- show running network-packet-broker statistics
- show running application-cache all
- show running application setting: Confirm that the App-ID cache is enabled and that the cache is used for App-ID, check the cache threshold setting, etc.