https://live.paloaltonetworks.com/t5/general-topics/why-do-we-have-to-separate-session-owner-and-session-setup/m-p/10812#M7973 <HTML><HEAD></HEAD><BODY><P>I dont know if im right on this but I can imagine that session owner is the statetable itself which even in A/A configurations actually is working like A/P. That is one of the boxes owns the session but mirror this to the other box (in case of failure).</P><P></P><P>While session setup is the physical box which the packet actually arrived to (which we dont know which box it will be in A/A setup).</P><P></P><P>That is if box1 is session owner (mirroring to box2) and a packet that arrives to box1 is then processed by the session owner (who happens to be at box1) and then forwarded if policy matches. If a packet arrives to box2 this box will forward this to box1 to notify the session owner (and setup a session) but then it will forward the packet on its own once the session is setup and it has a "cache" of it in its own memory.</P><P></P><P>Or if its the other way around (session setup is the statetable while session owner is which physical box the packet arrived to) :smileysilly:</P><P></P><P>Because of this session owner and session setup is two different processes?</P></BODY></HTML> Thu, 21 Mar 2013 07:53:17 GMT mikand 2013-03-21T07:53:17Z https://live.paloaltonetworks.com/t5/general-topics/why-do-we-have-to-separate-session-owner-and-session-setup/m-p/10811#M7972 <HTML><HEAD></HEAD><BODY><P>Hel<SPAN style="font-family: arial,helvetica,sans-serif;">lo,</SPAN></P><P></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">in the documentation it is said: "<SPAN style="font-size: 10pt;">The separation of session owner and session setup devices is necessary to avoid race conditions that can occur in asymmetrically routed environments.”</SPAN></SPAN></P><P>But nothing more in detail.</P><P></P><P>I absolutely understand, what the session owner and what the session setup device is doing and I understand the configuration. </P><P>But I do not understand the need for separation. Why isn't it possible that the session owner is doing the setup as well?</P><P>Can somebody explain?</P><P></P><P>Many thanks,</P><P>Sylvia</P></BODY></HTML> Thu, 21 Mar 2013 07:15:35 GMT https://live.paloaltonetworks.com/t5/general-topics/why-do-we-have-to-separate-session-owner-and-session-setup/m-p/10811#M7972 sylvia 2013-03-21T07:15:35Z https://live.paloaltonetworks.com/t5/general-topics/why-do-we-have-to-separate-session-owner-and-session-setup/m-p/10812#M7973 <HTML><HEAD></HEAD><BODY><P>I dont know if im right on this but I can imagine that session owner is the statetable itself which even in A/A configurations actually is working like A/P. That is one of the boxes owns the session but mirror this to the other box (in case of failure).</P><P></P><P>While session setup is the physical box which the packet actually arrived to (which we dont know which box it will be in A/A setup).</P><P></P><P>That is if box1 is session owner (mirroring to box2) and a packet that arrives to box1 is then processed by the session owner (who happens to be at box1) and then forwarded if policy matches. If a packet arrives to box2 this box will forward this to box1 to notify the session owner (and setup a session) but then it will forward the packet on its own once the session is setup and it has a "cache" of it in its own memory.</P><P></P><P>Or if its the other way around (session setup is the statetable while session owner is which physical box the packet arrived to) :smileysilly:</P><P></P><P>Because of this session owner and session setup is two different processes?</P></BODY></HTML> Thu, 21 Mar 2013 07:53:17 GMT https://live.paloaltonetworks.com/t5/general-topics/why-do-we-have-to-separate-session-owner-and-session-setup/m-p/10812#M7973 mikand 2013-03-21T07:53:17Z