https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532728#M960 <P>Hi guys,<BR /><BR /><STRONG>PA-5250,&nbsp;9.1.14<BR /></STRONG><BR />Can you help me with this one, please?<BR /><BR />PA does not like fragmented SIP INVITE packets, and we can see them in the drop queue:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="d_r.PNG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48286iC0FAF5EE159D444C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="d_r.PNG" alt="d_r.PNG" /></span>No traffic, threat or URL filtering logs were created (expected, I believe).&nbsp;<BR />Why is it doing that?<BR /><BR />Thanks,<BR />myky<BR /><BR /></P> Thu, 02 Mar 2023 08:02:29 GMT MykyUk 2023-03-02T08:02:29Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532728#M960 <P>Hi guys,<BR /><BR /><STRONG>PA-5250,&nbsp;9.1.14<BR /></STRONG><BR />Can you help me with this one, please?<BR /><BR />PA does not like fragmented SIP INVITE packets, and we can see them in the drop queue:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="d_r.PNG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48286iC0FAF5EE159D444C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="d_r.PNG" alt="d_r.PNG" /></span>No traffic, threat or URL filtering logs were created (expected, I believe).&nbsp;<BR />Why is it doing that?<BR /><BR />Thanks,<BR />myky<BR /><BR /></P> Thu, 02 Mar 2023 08:02:29 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532728#M960 MykyUk 2023-03-02T08:02:29Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532729#M961 <P>Do you have Zone Protection applied to zone this traffic comes from?</P> <P>If you add filter to "Monitor &gt; Packet Capture" to capture traffic from&nbsp;10.125.3.23 and then run following command in cli what is output? Can you identify based on couters what caused packet drops?</P> <P>&nbsp;</P> <P>&gt; show counter global filter delta yes packet-filter yes</P> Wed, 01 Mar 2023 17:52:08 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532729#M961 Raido_Rattameister 2023-03-01T17:52:08Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532894#M970 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;.<BR />Long time!&nbsp;<BR /><BR />At one point, I thought that my PA skills completely got rusty, as I believe I have checked that earlier.&nbsp;<BR />There is no ZPP applied; we got only a basic one on the untrusted zone:<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MykyUk_0-1677742692924.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48355iBF6A660CB0E87FC8/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MykyUk_0-1677742692924.png" alt="MykyUk_0-1677742692924.png" /></span><BR />thanks,</P> <P>myky</P> Thu, 02 Mar 2023 08:13:07 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532894#M970 MykyUk 2023-03-02T08:13:07Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532941#M972 <P>Hey <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/276706">@MykyUk</a>&nbsp;</P> <P>In this case "show counter global filter delta yes packet-filter yes" is best next step figuring out why they are dropped.</P> Thu, 02 Mar 2023 13:14:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532941#M972 Raido_Rattameister 2023-03-02T13:14:26Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532953#M974 <P>Got yah, yes will arrange testing today and update this thread. Thanks! myky</P> Thu, 02 Mar 2023 14:12:06 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532953#M974 MykyUk 2023-03-02T14:12:06Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532965#M976 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;have you seen this before:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fr.PNG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48371iFC5FE055E8F27016/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="fr.PNG" alt="fr.PNG" /></span><BR />I have a feeling it might be a TAC case.<BR /><BR />thanks,<BR />myky</P> Thu, 02 Mar 2023 15:15:53 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532965#M976 MykyUk 2023-03-02T15:15:53Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532986#M977 <P>re-run it again; PA is clearly not happy:<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MykyUk_0-1677776358357.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48374iB574AB896AF5ABE4/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MykyUk_0-1677776358357.png" alt="MykyUk_0-1677776358357.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MykyUk_1-1677776386993.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48375i4303F1C5F1BAE730/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MykyUk_1-1677776386993.png" alt="MykyUk_1-1677776386993.png" /></span></P> <P>&nbsp;</P> Thu, 02 Mar 2023 16:59:51 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/532986#M977 MykyUk 2023-03-02T16:59:51Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/533571#M997 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;correction:<BR />SSD was replaced, and when we failback traffic, the issue returned.<BR />Eventually, TAC confirmed that we hit the following bug:<BR /><BR /></P> <DIV><STRONG>PAN-194395</STRONG><BR /><SPAN>Fixed an issue where the firewall dropped all decrypted outbound (SSL Forward Proxy) HTTP/2 traffic after you upgraded to PAN-OS 9.1.14, which caused websites that used HTTP/2 to become inaccessible.</SPAN></DIV> <P><LI-WRAPPER></LI-WRAPPER></P> <P>&nbsp;</P> <P>Same issue, old discussion:<BR /><A href="https://www.reddit.com/r/paloaltonetworks/comments/vzrann/panos_9114_software_buffer_depletion/" target="_blank">https://www.reddit.com/r/paloaltonetworks/comments/vzrann/panos_9114_software_buffer_depletion/</A><BR /><BR />The bug description is way off.<BR /><BR />thanks, myky&nbsp;</P> Thu, 16 Mar 2023 18:12:44 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fragmented-sip-traffic-gets-silently-dropped/m-p/533571#M997 MykyUk 2023-03-16T18:12:44Z