topic PA-VM in AWS with Decryption Rule - server side connection kept open in VM-Series in the Public Cloud https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-aws-with-decryption-rule-server-side-connection-kept/m-p/615639#M2293 <P>Hello, running 11.1.2-h3 on AWS with decryption rule. The setup is: Windows Client --&gt; FW --&gt; Web-Proxy --&gt; Internet</P> <P>Firewall decrypts the traffic (so firewall itself acts like proxy). After the client side connection is closed with TCP-FIN, the firewall keeps server side connection to Web-Proxy and both firewall and Web-Proxy exchanges millions of TCP ACK. They never close the connection. This is causing huge packets in the network and causes CPU spike on the firewall and Web-Proxy.&nbsp;<BR /><BR />show session id 3098735 | match count<BR />total byte count(c2s) : 96946<BR />total byte count(s2c) : 603114645473<BR />layer7 packet count(c2s) : 1592<BR />layer7 packet count(s2c) : 2578574997</P> <P>===================================<BR />show session id 3098735 | match count<BR />total byte count(c2s) : 96946<BR />total byte count(s2c) : 603125152686<BR />layer7 packet count(c2s) : 1592<BR />layer7 packet count(s2c) : 2578769575</P> <P>=================================<BR />show session id 3098735 | match count<BR />total byte count(c2s) : 96946<BR />total byte count(s2c) : 603146147833<BR />layer7 packet count(c2s) : 1592<BR />layer7 packet count(s2c) : 2579158374<BR /><BR />The session info doesn't reflect that there are packets leaving from the firewall to web-proxy. But packet capture does show.&nbsp;</P> Tue, 29 Oct 2024 20:53:12 GMT karthik.subramaniam 2024-10-29T20:53:12Z PA-VM in AWS with Decryption Rule - server side connection kept open https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-aws-with-decryption-rule-server-side-connection-kept/m-p/615639#M2293 <P>Hello, running 11.1.2-h3 on AWS with decryption rule. The setup is: Windows Client --&gt; FW --&gt; Web-Proxy --&gt; Internet</P> <P>Firewall decrypts the traffic (so firewall itself acts like proxy). After the client side connection is closed with TCP-FIN, the firewall keeps server side connection to Web-Proxy and both firewall and Web-Proxy exchanges millions of TCP ACK. They never close the connection. This is causing huge packets in the network and causes CPU spike on the firewall and Web-Proxy.&nbsp;<BR /><BR />show session id 3098735 | match count<BR />total byte count(c2s) : 96946<BR />total byte count(s2c) : 603114645473<BR />layer7 packet count(c2s) : 1592<BR />layer7 packet count(s2c) : 2578574997</P> <P>===================================<BR />show session id 3098735 | match count<BR />total byte count(c2s) : 96946<BR />total byte count(s2c) : 603125152686<BR />layer7 packet count(c2s) : 1592<BR />layer7 packet count(s2c) : 2578769575</P> <P>=================================<BR />show session id 3098735 | match count<BR />total byte count(c2s) : 96946<BR />total byte count(s2c) : 603146147833<BR />layer7 packet count(c2s) : 1592<BR />layer7 packet count(s2c) : 2579158374<BR /><BR />The session info doesn't reflect that there are packets leaving from the firewall to web-proxy. But packet capture does show.&nbsp;</P> Tue, 29 Oct 2024 20:53:12 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/pa-vm-in-aws-with-decryption-rule-server-side-connection-kept/m-p/615639#M2293 karthik.subramaniam 2024-10-29T20:53:12Z