https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/598141#M118980 <P>Hi, We fixed this in our environment by creating a black hole route with 50 weight. So as soon as bgp comes in the BGP routes take preference as it has 20 weight.</P> <P>Thanks,&nbsp;</P> Wed, 18 Sep 2024 16:38:41 GMT kashifkhana 2024-09-18T16:38:41Z https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72447#M41104 <P>Does anybody know if existing sessions can be updated when there is a routing table change, or if there is a way to clear sessions?&nbsp; I'm hoping for something analagous to the Session Rematch feature when policies change.</P> <P>&nbsp;</P> <P>My problem is that I have an existing session that becomes hung when the routing table changes.&nbsp; The routing table updates when our primary link goes down so traffic will follow the backup link.&nbsp; New sessions work properly, but the existing sessions do not.&nbsp;</P> <P>&nbsp;</P> <P>I believe part of my issue is that I have a particular session that is UDP, and always uses the same source and destination ports.&nbsp; This means any new traffic continues to match the existing session.&nbsp; Further compounding the problem is that this is SIP traffic, so the session timeout is 60 minutes.</P> Tue, 09 Feb 2016 19:02:15 GMT https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72447#M41104 alowther_chatham 2016-02-09T19:02:15Z https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72469#M41106 <P>Some time issue happens with SIP traffic. Clearing session will help. We can use the folllowing command to clear the session</P> <P>&nbsp;</P> <P>PA&gt; clear session all filter source &lt;ip&gt; destination &lt;ip&gt;</P> <P>&nbsp;</P> <P>Hope this helps!</P> Tue, 09 Feb 2016 21:17:38 GMT https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72469#M41106 pankaku 2016-02-09T21:17:38Z https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72513#M41111 <P>&gt; Clearing session will clear out everything and the new session will use the other active gateway</P> <P>&gt; A feature called TCP&nbsp;<SPAN>midstream-connection-pickup would have helped your situation but I don't believe that on Paloalto we have that feature, Once I saw this feature on Cyberoam firewall (again a linux based OS)</SPAN></P> <P>&nbsp;</P> <P><SPAN>&gt; I think with root access this can be done, but again I am presuming</SPAN></P> <P>&nbsp;</P> Tue, 09 Feb 2016 23:56:08 GMT https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72513#M41111 vkalal 2016-02-09T23:56:08Z https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72547#M41124 <P>Have you verified that firewall stops passing traffic towards new route (take packet capture for example)?</P> <P>Maybe application at destination does not map changed source IP to existing session.</P> <P>You can't just suddenly change endpoint ip's without application level to be aware of that.</P> <P>&nbsp;</P> Wed, 10 Feb 2016 12:59:18 GMT https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72547#M41124 Raido_Rattameister 2016-02-10T12:59:18Z https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72575#M41133 <P>Thanks for the replies.</P> <P>&nbsp;</P> <P>Clearing the session did fix the issue.&nbsp; I was hoping to find a way to make this automatic.</P> <P>&nbsp;</P> <P>For confirmation, the PaloAlto at the other end of the backup link did not have a session for the traffic.&nbsp; This leads me to believe the traffic never reaches the destination after the route change.&nbsp; The source and destination IPs do not change.</P> <P>&nbsp;</P> <P>From reviewing documentation, because the source IP, destination IP, source port, destination port, protocol, and ingress interface do not change the session stays in the Fastpath and forwarding lookup never reoccurs.</P> Wed, 10 Feb 2016 16:53:34 GMT https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72575#M41133 alowther_chatham 2016-02-10T16:53:34Z https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72947#M41248 <P>Have you configured the same zone on both outgoing interfaces? If not the firewall will drop the packets</P> <P>The firewall session's table is based among other things on source and destination zones (not physical interfaces) if the destination zone changed the packets will be dropped (as it broke the ecisting session). There is a Global counter for it but I don't remember it at the top of my head (something lime pkt_flow_zone_change)</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>You can check&nbsp;the global counters and see if the packets are being dropped.</P> <P>Before and after the issue,</P> <P><SPAN>&gt; show </SPAN><SPAN class="lia-search-match-lithium lia-search-match-lithium">counter</SPAN><SPAN> global filter delta yes | match drop</SPAN></P> <P>&nbsp;</P> <P>Regards,</P> <P>Gerardo.</P> Wed, 17 Feb 2016 00:34:39 GMT https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/72947#M41248 glastra1 2016-02-17T00:34:39Z https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/560383#M113604 <P>Hello, <BR />Did you solve this? I have a similar behavior and I need to change the outgoing interface when route change because it is a UDP flow that use default route because is the first available before learn the BGP routes.</P> <P>Thanks</P> Tue, 03 Oct 2023 15:40:28 GMT https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/560383#M113604 Raul_Garcia 2023-10-03T15:40:28Z https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/598141#M118980 <P>Hi, We fixed this in our environment by creating a black hole route with 50 weight. So as soon as bgp comes in the BGP routes take preference as it has 20 weight.</P> <P>Thanks,&nbsp;</P> Wed, 18 Sep 2024 16:38:41 GMT https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/598141#M118980 kashifkhana 2024-09-18T16:38:41Z https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/1222168#M123424 <P>After years of providing outputs and asking for a feature request, PaloAlto has finally given us an option to address this. Refer - <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBmqCAG" target="_blank">UDP sessions stuck after failover - Knowledge Base - Palo Alto Networks</A></P> Thu, 27 Feb 2025 09:42:22 GMT https://live.paloaltonetworks.com/t5/general-topics/existing-session-behavior-when-routing-table-changes/m-p/1222168#M123424 TusharS 2025-02-27T09:42:22Z