topic Re: Packets dropped: forwarded to different zone in Next-Generation Firewall Discussions

Packets dropped: forwarded to different zone

vnkhwazi — Wed, 17 Jan 2024 10:22:57 GMT

We have a PaloAlto firewall that we have configured differrent zones, everything is working fine, except for a specific traffic between IP 10.40.129.49 and 172.26.2.58. The 10.40.129.49 is located on a subnet directly in a zone defined on the firewall, 172.26.2.58 is a remote host over a WAN link going via another zone on the firewall. Traffic to and from both IPs is reaching the firewall but does not get through it despite having a Policy that is allowing the traffic. Upon doing further troubleshooting, it looks like the firewall is dropping the packets with a message that "Packets dropped: forwarded to different zone"

See the test below:

vnkhwazi@PDC_EDGE_FW_P(active)> debug dataplane packet-diag set filter match source 10.40.129.49 destination 172.26.2.58

vnkhwazi@PDC_EDGE_FW_P(active)> debug dataplane packet-diag set filter on

debug packet filter: on
vnkhwazi@PDC_EDGE_FW_P(active)> show counter global filter packet-filter yes delta yes severity drop

Global counters:
Elapsed time since last sampling: 19.244 seconds

name value rate severity category aspect description
----------------------------------------------------------------------------------------------------
flow_fwd_zonechange 8 0 drop flow forward Packets dropped: forwarded to different zone
------------------------------------------------------------------------------------------------------
Total counters shown: 1
-------------------------------------------------------------------------------------------------------

What could be the cause of this?

Regards.

Re: Packets dropped: forwarded to different zone

reaper — Wed, 17 Jan 2024 11:29:10 GMT

this is typically a routing problem (concentrated on the reply packets)

some of the most common issues are

-either you don't have routes for both subnets set to the right destination interface (connected subnets don't need that, remote do, subnets that are 'local' but don't have an IP on the firewall interface also need this)

-or if you're using policy based forwarding, symmetric return was not enabled and reply packets are being sent out a different interface due to routing

Re: Packets dropped: forwarded to different zone

vnkhwazi — Wed, 17 Jan 2024 12:49:00 GMT

i am able to ping between the two IPs, but SIP (UDP 5060) is the one failing.

Re: Packets dropped: forwarded to different zone

reaper — Wed, 17 Jan 2024 14:41:34 GMT

aha

sip uses an ALG, maybe that's derailing the whole process

try disabling the ALG by going to objects > applications, find sip and open it. on the right hand side you'll see the ALG

Re: Packets dropped: forwarded to different zone

vnkhwazi — Wed, 17 Jan 2024 15:13:11 GMT

Hello @reaper

SIP-ALG was already disabled, see screenshot below

Re: Packets dropped: forwarded to different zone

reaper — Wed, 31 Jan 2024 09:58:13 GMT

then reverse my question 🙂

does it help if you enable the ALG?