topic Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220 in General Topics

PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Thu, 28 Feb 2019 14:54:29 GMT

Dear experts,

I am moving from PA3050 to PA3220. I did export the current configurations from the old PA3050 and imported to the new PA3220, i committed successfully, but when i migrate cables from old device to the new one i get random issue! like some zones are not reachable, like i have ping to internet and telnet and traceroute but i can't browse!, like i can't ping some destinations. WEIRD! its the SAME configuration and OS versions are the same on both devices plus, i did download and install latest content version on both devices before moving the exporting the config file.xml.

NOTE: when i move to old PA3050 all work properly!

One more thing, we have A10 (SSL Interception) connected to PA from external side and StormShield (AS core firewall).

REALLY WOULD APPRECIATE YOUR HELP.

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

rmfalconer — Thu, 28 Feb 2019 16:29:46 GMT

Maybe asymmetric routing? Traffic like ping doesn't need a 3-way handshake to work through the PA but internet browsing would. Maybe the syn-ack isn't going through the PA?

Did anything else change when you moved to the new firewall?

Is there anything in the logs showing this traffic dropping?

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Thu, 28 Feb 2019 16:38:41 GMT

NO, i checked through all dvices, no single drop in any.. plus i cleared ARP in PA and in neighbor devices and still not working, i noticed that i can't ping from PA interface to the other end which is a switch. i have no idea why would this happen...

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

rmfalconer — Thu, 28 Feb 2019 16:47:13 GMT

What do the ARP entries on the PA and switch show for each other? Are they correct?

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Thu, 28 Feb 2019 16:50:54 GMT

Its showing the correct ARP, PA MAC address matching the correct IP. On the other hand, why would be an asymetric routing if nothing changed in the network except changing the device.? that's the point here.. whenever i switch cable to the old device all work properly.

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

rmfalconer — Thu, 28 Feb 2019 16:59:41 GMT

Is there asymmetry in your network? There is a setting on the PA to bypass the dropping of traffic where the full handshake isn't seen. Was that set on the old firewall?

If you do 'show session info' ,there's a section for Session Setup that will tell you the current value of this setting. Default is True, meaning it will drop the traffic. If it's set to False, then the full handshake isn't needed to permit traffic.

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Thu, 28 Feb 2019 17:09:26 GMT

You mean its a setting in the Zone protection? I created a zone protection.. -->Packet based attack protection-->"reject non SYN TCP" i put it to "NO" and the Asymmetric Path to "Bypass"

Is that correct?

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

rmfalconer — Thu, 28 Feb 2019 17:19:30 GMT

No, it's a command line entry. At the CLI, you enter 'show session info'. Then look for the section called 'Session setup'.

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Thu, 28 Feb 2019 17:25:24 GMT

Ah i didn't, but i will check this and get back to you. One more thing, would this affect the other zones as well ? i mean would this affect the DMZ zone ? or only this would affect internet connectivity.?

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Thu, 28 Feb 2019 17:26:42 GMT

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

rmfalconer — Thu, 28 Feb 2019 17:28:37 GMT

It's a global setting so any asymmetric traffic would be affected.

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Thu, 28 Feb 2019 17:33:02 GMT

Ah okay, but this global setting shouldn't be included in the config file that i exported from the old PA3050 ?

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

rmfalconer — Thu, 28 Feb 2019 17:54:43 GMT

It’s probably included but I don’t know for sure.

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

BPry — Thu, 28 Feb 2019 18:08:48 GMT

@SamerKiwan ,

So the configuration on your 3050 and your PA-3220 is going to be different in a few ways. Things I would verify:

1) On the PA-3220 are you using interfaces 17 through 20, and if so have you actually verified the interface is set to the proper speed if you are using SFP instead of SFP+?

2) Importing a configuration like that can cause some issues if things don't 100% import properly. I would pull the PA-3050 and the PA-3220 configurations and verify that they are actually similar by running a compare.

3) What do you see on the logs when you are attempting to browse? Resets or age-out responses?

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Thu, 28 Feb 2019 18:09:19 GMT

Okay, Thank you very much for your responses. I will check and update you.

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Thu, 28 Feb 2019 18:24:40 GMT

1) i am using ports 1-12
2) I didnt compare through config audit i will do so
3)i see resets, but all actions are allowed..

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Mon, 04 Mar 2019 08:23:12 GMT

@rmfalconer what is the setting exact name of the asymetric routing ? below is my session settings

Session setup
TCP - reject non-SYN first packet: False
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Mon, 04 Mar 2019 08:39:08 GMT

@BPry I checked configuration syntax its exactly the same.. :S any other suggestions ?

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

rmfalconer — Mon, 04 Mar 2019 19:50:46 GMT

The setting that shows that asymmetry is permitted is "TCP - reject non-SYN first packet: False"

Is this on both firewalls?

Are you absolutely sure that this is a setting you want enabled? It's definitely not best practice to enable. Do you know why you have flows bypassing the firewall?

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

SamerKiwan — Mon, 04 Mar 2019 20:11:21 GMT

For sure no i don't keep such setting, but i did that for testing purpose it was "True" i put it "False" to check if issue will get resolved but it didn't. Is it possible that A10 device makes such issue? maybe its SFPs are not compatible with the new PA ethernet ports?