topic Re: Security Policy not HIT after work for 1 month in General Topics

Security Policy not HIT after work for 1 month

TimmyLamar — Wed, 15 Aug 2018 08:00:57 GMT

I got setup 6 AWS VPC with direct connect connection to on prem panorama, which is working fine for a month, and now suddently all 5 VPC disconnected from panorama in the same time.

i checked the BGP and IKE all established, i can ping the panorama IP, and make sure the right security policy with specific ssl and panorama application allowed.

my session browser showing it hit the clean up rule on the bottom, never hit my panorama-access rule.

anyone face this before?

my pcap showing re-transmission on DROP phase.

Re: Security Policy not HIT after work for 1 month

TimmyLamar — Wed, 15 Aug 2018 08:45:48 GMT

ok after a while, my senior advice me to put 1 specific rule with TCP 3978 and application is any, then my traffic start hit my OLD RULE.

super strange.

i can see my panorama session on my session browser now.

Re: Security Policy not HIT after work for 1 month

BPry — Wed, 15 Aug 2018 12:37:13 GMT

@TimmyLamar,

What does your old rule actually look like, and more specifically what was the specified applications and services?

If I would have to take a guess right off hand, your existing rule that was working was only doing so because the session was already established over tcp/3978, and the rule you've specified is reliant on the traffic being seen as a particular application. Once that session dropped and the traffic had to go through and actually establish itself again, there was nothing that was actually allowing the traffic over 3978, and therefore the application was never identified and you hit your cleanup rule.