topic Re: o session in General Topics

o session

klumpen — Tue, 30 Apr 2013 20:16:50 GMT

Hi,

Have a installation with a PA-200 firewall.

It's a standard vwire-setup with policyes from untrust to trust. It is places between the ISPs router and another firewall.

The traffic is forwarding between the interfaces, but the PA-200 is counting 0 sessions.

Log monitor e.g state null traffic.

Have created a case at Palo Alto, but have no solution yet.

Downgraded from 5.0.4 to 5.03 with no luck.

Anyone seen this issue before?

Re: o session

scantwell — Tue, 30 Apr 2013 20:32:58 GMT

Hmmm, If I understand you, Vwire is NOT counting any sessions. What I visualize is the following (please confirm if different)

ISP-Router <====> PA200 <====> 3rd party firewall.

Questions, obeservations I have: If your FW was NOT in the middle, I would be lead to believe that you would have

ISP-Router <========> 3rd party firewall.

Which gives me indication that you have UNTRUST from Internet talking to UNTRUST interface on the 3rd party FW. Maybe your Zones are setup incorrectly?

I would think Untrust talking to Untrust just looks like your setup, (yet you have Untrust talking to Trust, which does not match)

Can you provide a simple network drawing (like I did)

Re: o session

klumpen — Tue, 30 Apr 2013 20:41:27 GMT

Hi,

Your network diagram is correct.

I have ensured that ethernet 1/1 (untrust) is connected to the ISP and ethernet 1/2 (tust)is connected to the original firewall.

Packets from the ISP is untagged, so VLAN should not be a issue.

Have also a second policy that accept traffic from untrust to trust, so in the case that I had mixed between the zones that should not matter (since they have some services on the inside..)

Re: o session

emr_1 — Wed, 01 May 2013 03:08:19 GMT

You are saying traffics are traversing PA-200 and you are enable to see any web-sites, right?

I just wonder 3rd party firewall is using pppoe or not.

I saw very similar issue before.

My situation was PA placed between two devices and all packets are capsuled by pppoe.

The result of 'show system statistics session' was counting correctly, but we could not see any sessions.

Regards

Re: o session

mvenkatesan — Wed, 01 May 2013 06:07:12 GMT

Hi,

What is configured for "tag allowed" under Network -> Virtual Wires -> (Name of the vwire instance)?

Please add "0-4094" for tag allowed, commit the change and check to see if traffic traverses successfully. 0-4094 will allow tagged as well as untagged traffic through the vwire pair.

Regards,

Manish

Re: o session

klumpen — Mon, 06 May 2013 11:53:41 GMT

Thanks for your help.

The problem was PPPoE between the existing firewall and the ISP.