topic Re: Subnetted traffic issue in General Topics

Subnetted traffic issue

hfhighschool — Wed, 02 Jan 2013 18:16:34 GMT

I am running my PA-2050 on layer 2. The system runs great except for one issue. My wireless zones are subnetted. The PA can see the subnetted traffic, allows it to go out, but the packets get lost on the return back. I know there is nothing wrong with any devices in the upstream since all other content filtering systems we have ran before never had a problem with the subnets. Any suggestions?

Re: Subnetted traffic issue

Abs — Wed, 02 Jan 2013 20:31:50 GMT

Is this a new install or has it worked before? Are other networks connected to the PA affected? Can you ping your wireless subnets from the upstream device?

Re: Subnetted traffic issue

hfhighschool — Wed, 02 Jan 2013 20:44:04 GMT

This is a new install. Our main production network is connected and works great. It's only the wireless subnets that are the issue. I can ping back from any upstream device back to the workstation without any issue. I can even tracert to any site such as google without any problems. I just can't get the return packets to get Internet access in these subnets.

Re: Subnetted traffic issue

Abs — Wed, 02 Jan 2013 20:45:50 GMT

What's the upstream device?

Re: Subnetted traffic issue

sdurga — Wed, 02 Jan 2013 20:50:49 GMT

So if I understand correctly from your description the traffic is passing through the Paloalto in outbound direction and the return traffic hitting Paloalto and is getting blocked . Are you able to see the sessions on Paloalto ? If so how are the sessions, are they stuck in incomplete ? The weird thing is that you are saying the ping and the trace route from the upstream is working fine which makes me believe that you are having proper routes. Also please check your NAT and security policies.

Tx,
Sandeep T

Re: Subnetted traffic issue

hfhighschool — Wed, 02 Jan 2013 20:53:16 GMT

Cisco ASA 5520. Everything worked great with the current configs until we installed the PA. We had a Cymphonix content filter before this and didn't have any routing issues. The PA is using the same IP address as the previous filter so no routes would need to be updated. We had a Cisco tech verify the configs once more and they are very adamant that it's the PA that is the issue.

Re: Subnetted traffic issue

hfhighschool — Wed, 02 Jan 2013 20:55:44 GMT

Sandeep,

You are correct in your understanding. The session is visible and stuck in incomplete.

Steve

Re: Subnetted traffic issue

sdurga — Wed, 02 Jan 2013 21:48:37 GMT

If the session is incomplete means the TCP hand shake is not complete. So try to see the monitor logs on Paloalto and check if paloalto is dropping the return traffic. If you do not find anything useful there then you have to set your packet filters to match the traffic of our interest and run the counters to see if there is any drops and the reason for the same.

Once you have the filters correct try to run the following command from the cli to see the drop counters

"show counter global filter delta-yes packet filter yes | match drop"

Run this a couple of time with 10 seconds delay and look for the output. If you do find any drops you will the reason for the drops too.

I would advise you to open a ticket with support so we can help you !!!

Re: Subnetted traffic issue

hfhighschool — Thu, 03 Jan 2013 15:26:32 GMT

Here is the output that I get:

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_policy_nofwd 2 0 drop flow session Session setup: no destination zone from forwarding

flow_tcp_non_syn_drop 88 1 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 6637 76 drop flow forward Packets dropped: no desitnation MAC

flow_fwd_l2_same_interface 4 0 drop flow forward Packets dropped: destination MAC on same interface

flow_action_close 30 0 drop flow pktproc TCP sessions closed via injecting RST

url_request_pkt_drop 5 0 drop url pktproc The number of packets get dropped because of waiting for url category request

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 13 0 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 1974 76 drop flow forward Packets dropped: no desitnation MAC

flow_fwd_l2_same_interface 12 0 drop flow forward Packets dropped: destination MAC on same interface

flow_action_close 9 0 drop flow pktproc TCP sessions closed via injecting RST

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 5 2 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 144 70 drop flow forward Packets dropped: no desitnation MAC

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 1 0 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 165 62 drop flow forward Packets dropped: no desitnation MAC

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 1 0 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 173 73 drop flow forward Packets dropped: no desitnation MAC

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 9 2 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 270 86 drop flow forward Packets dropped: no desitnation MAC

flow_action_close 1 0 drop flow pktproc TCP sessions closed via injecting RST

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 10 2 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 329 80 drop flow forward Packets dropped: no desitnation MAC

flow_action_close 6 1 drop flow pktproc TCP sessions closed via injecting RST

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_fwd_l2_nomac 147 62 drop flow forward Packets dropped: no desitnation MAC

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 1 0 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 311 96 drop flow forward Packets dropped: no desitnation MAC

flow_action_close 6 1 drop flow pktproc TCP sessions closed via injecting RST

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 5 1 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 283 80 drop flow forward Packets dropped: no desitnation MAC

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 3 1 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 226 76 drop flow forward Packets dropped: no desitnation MAC

flow_fwd_l2_same_interface 1 0 drop flow forward Packets dropped: destination MAC on same interface

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 4 0 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 448 96 drop flow forward Packets dropped: no desitnation MAC

url_request_pkt_drop 1 0 drop url pktproc The number of packets get dropped because of waiting for url category request

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 9 2 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 202 61 drop flow forward Packets dropped: no desitnation MAC

flow_action_close 1 0 drop flow pktproc TCP sessions closed via injecting RST

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 6 1 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 261 74 drop flow forward Packets dropped: no desitnation MAC

flow_fwd_l2_same_interface 1 0 drop flow forward Packets dropped: destination MAC on same interface

flow_action_close 2 0 drop flow pktproc TCP sessions closed via injecting RST

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 4 1 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 249 82 drop flow forward Packets dropped: no desitnation MAC

admin@PA-2050> show counter global filter delta yes packet-filter yes | match drop

flow_tcp_non_syn_drop 2 0 drop flow session Packets dropped: non-SYN TCP without session match

flow_fwd_l2_nomac 328 76 drop flow forward Packets dropped: no desitnation MAC

Re: Subnetted traffic issue

reaper — Tue, 08 Jan 2013 11:48:28 GMT

Hi Steve

Looks like you have a lot of non-syn drops.. these are usually caused by asymmetric routing.

This could also explain why ping seems to work but tcp not so much, as ping is stateless and will usually find it way back regardless of which route it takes.

Can you give this cli command a shot to see if this improves your connectivity: > set session tcp-reject-non-syn no

Next step would be to figure out where the asymmetry lives, by going over each hop from the AP out to the internet and doublechecking routing tables (make sure there are both inbound and outbound routes for the wifi subnets and default gateways etc. on every single hop) and verifying if there's any static/faulty arp entries that could be interfering with proper routing.

kind regards

Tom

Re: Subnetted traffic issue

hfhighschool — Tue, 08 Jan 2013 15:06:14 GMT

Tom,

That did the trick! Thank you so much for your insight.

Steve