https://live.paloaltonetworks.com/t5/next-generation-firewall/not-updating-low-traffic-session-status-with-hw-offload-enabled/m-p/538728#M1138 <P>For future generations - issue&nbsp;PAN-216314.&nbsp;<SPAN>Long story short - there are two ways DP is registering offloaded traffic counters - traffic and time based (<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8cCAC" target="_self">Disable Firewall offloading traffic</A>) and time based mechanism was disabled after the upgrade.</SPAN></P> <P>When running "<EM>debug dataplane internal pdt fe100 csr rd name sem_ctrl</EM>" in case of this issue value was&nbsp;</P> <P><SPAN>&nbsp;<EM> [&nbsp;&nbsp;&nbsp; 8] ctr_scan_dis&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1 (0x1)</EM></SPAN></P> <P><SPAN>... but it should be 0.</SPAN></P> <P><SPAN>Can be changed via "<EM>debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0</EM>".</SPAN></P> <P><SPAN>There is no interruption in traffic, has to be done on each HA node.</SPAN></P> <P><SPAN>Use at your own risk.</SPAN></P> <P>&nbsp;</P> Fri, 14 Apr 2023 07:17:20 GMT nikoo 2023-04-14T07:17:20Z https://live.paloaltonetworks.com/t5/next-generation-firewall/not-updating-low-traffic-session-status-with-hw-offload-enabled/m-p/534325#M1016 <P>PA-32xx series with 10.1.9 (issue showed up after upgrade)</P> <P>There is long-lasting SSH session where only something like keepalive is sent every 5 minutes or so. With hardware offload enabled, this traffic is not registered in the dataplane (session stats are not increasing even though there is traffic for that session) and subsequently TTL is not reset and session breaks after hour (TCP timeout).</P> <P>If HW offload is disabled - everything works as expected, each keepalive resets TCP session TTL.</P> <P>it looks like the same behavior was seen on other "low traffic" sessions, but SSH is the most obvious one.</P> <P>Currently there is TAC case open and under research, but I have a feeling this may be wider issue, so maybe there's already feedback on this?</P> Tue, 14 Mar 2023 08:13:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/not-updating-low-traffic-session-status-with-hw-offload-enabled/m-p/534325#M1016 nikoo 2023-03-14T08:13:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/not-updating-low-traffic-session-status-with-hw-offload-enabled/m-p/535517#M1074 <P>You may not&nbsp; see it as it is offloaded but have you checked if you create a new service just to change the timeout for example to 4/3 minutes what happens?</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMbvCAG" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMbvCAG</A></P> <P>&nbsp;</P> <P>Also test application overide:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0</A></P> Thu, 23 Mar 2023 07:16:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/not-updating-low-traffic-session-status-with-hw-offload-enabled/m-p/535517#M1074 nikoolayy1 2023-03-23T07:16:26Z https://live.paloaltonetworks.com/t5/next-generation-firewall/not-updating-low-traffic-session-status-with-hw-offload-enabled/m-p/538728#M1138 <P>For future generations - issue&nbsp;PAN-216314.&nbsp;<SPAN>Long story short - there are two ways DP is registering offloaded traffic counters - traffic and time based (<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8cCAC" target="_self">Disable Firewall offloading traffic</A>) and time based mechanism was disabled after the upgrade.</SPAN></P> <P>When running "<EM>debug dataplane internal pdt fe100 csr rd name sem_ctrl</EM>" in case of this issue value was&nbsp;</P> <P><SPAN>&nbsp;<EM> [&nbsp;&nbsp;&nbsp; 8] ctr_scan_dis&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1 (0x1)</EM></SPAN></P> <P><SPAN>... but it should be 0.</SPAN></P> <P><SPAN>Can be changed via "<EM>debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0</EM>".</SPAN></P> <P><SPAN>There is no interruption in traffic, has to be done on each HA node.</SPAN></P> <P><SPAN>Use at your own risk.</SPAN></P> <P>&nbsp;</P> Fri, 14 Apr 2023 07:17:20 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/not-updating-low-traffic-session-status-with-hw-offload-enabled/m-p/538728#M1138 nikoo 2023-04-14T07:17:20Z https://live.paloaltonetworks.com/t5/next-generation-firewall/not-updating-low-traffic-session-status-with-hw-offload-enabled/m-p/544486#M1373 <P>Hello, did the TAC give you any solution?</P> Fri, 02 Jun 2023 03:29:16 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/not-updating-low-traffic-session-status-with-hw-offload-enabled/m-p/544486#M1373 NicolasReyes 2023-06-02T03:29:16Z