topic Re: PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario in General Topics

PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

CarloTaddei — Wed, 20 Nov 2019 19:12:56 GMT

Hi Experts,

I have the following scenario: a pair of PA 5220 (running pan os 8.1.10) in an ACTIVE / ACTIVE Setup (session owner 1st Packter - session setup 1st Packet) -We have been running Active / Active since roughtly 2 Years now without any significant problems.

However tftp (PXE Boot) session in an asymmetric scenario do not get properly synched (first packet flows through the Primary Firewall; reply (due to our routing setup) flows back via the secondary FW unit - the session which was initiated by going through the Primary FIrewall is no where to be seen on the Secondary Firewall). TCP traffic (also asymmetric) via both Primary and Secondary Firewall works without any issue.

I was wondering if this is a known issue / limitation or if I have some sort of misconfiguration on our side.

Any suggestion would be greatly appreciated.

I can provide additional infos / schematics if needed.

Thanks in advance

Re: PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

S.Cantwell — Wed, 20 Nov 2019 21:03:31 GMT

Just seeking confirmation on session setup.

Choices are:

IP Modulo, IP Hash, or Primary Device.

(Definitely do NOT recommend primary device...)

So when you wrote "(session owner 1st Packter - session setup 1st Packet) ", I am looking to determine what you have.

If you truly have Primary Device for Session Setup, then this explains why you are not seeing a session in the Secondary-Active FW.

Please confirm and advise.

Re: PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

CarloTaddei — Thu, 21 Nov 2019 05:12:18 GMT

Hi,

thank you for your Feedback.

As I wrote, we are currently using "First Packet" for both Session Owner as well as Session Setup.

Do you believe the Problem that we are seeing with tftp is due to this ?

Please note that we haven't seen so far such issues in our asymmetric Routing Scenario with other traffic / application types (mostly TCP based) ...

Thanks

Re: PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

ZhouYu — Tue, 01 Nov 2022 05:15:33 GMT

Hello
I also have the same problem

Re: PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

S.Cantwell — Tue, 01 Nov 2022 14:26:25 GMT

If an Active/Active FW is setup with Session Owner AND Session Setup as 1st packet, then this is very comparable to a traditional Active/Passive setup where the ACTIVE FW is responsible for establishing the slowpath (session setup) and fastpath (security analysis) of a flow through the FW.

TFTP is a UDP protocol, so there is no reason why the 2nd FW would see any packets from the 1st FW (in the original post, this was due to the routing. With TCP, it is a connection-oriented protocol, yet with UDP, it is "spray and pray". So, if the session has not been fully setup on the 1st FW, then the 2nd FW will not see the session. It is best to probably use a TCP client for tftp is needed.

Re: PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

ZhouYu — Wed, 02 Nov 2022 01:55:21 GMT

Hello

But other udp applications are normal; only udp tftp has problems;