VOIP Traffic is Being Dropped
Resolution
Issue
Topology: Call Manager------PAN------VoIP
Following an upgrade, the Call Manager is trying to send RST packets to the VoIP phones to re-initiate the connections. The firewall is not aware of the existing sessions and is dropping all the RST Packets.
Resolution
The RST packets are being dropped on the Palo Alto Networks firewall as they are identified as "out-of-order", by the global counters.
To bypass the asymmetric path causing the RST drops, use the following command:
> configure
# set deviceconfig setting tcp asymmetric-path bypass
# Commit
A more detailed bypass can be configured with this command:
# set deviceconfig setting tcp asymmetric-path bypass
+ bypass-exceed-oo-queue whether to skip inspection of session if out-of-order packets limit is exceeded
+ check-timestamp-option whether to drop packets with invalid timestamp option
+ favor-new-seg whether to favor new segments when overlapping happens
+ urgent-data clear urgent flag in TCP header
owner: kalavi