https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/376421#M89301 <P>Hi Community,</P><P>I am seeing the below behaviour in my PA-850 running on 9.1.4. Security policy is allowed for traffic.</P><P>Scenario-1, without zone protection in internet zone - Everything works fin</P><P>&nbsp;</P><P>Scenario -2,</P><P>Having zone protection with pretty much all options enabled for 'IP Drop' and TCP drop' and other options as well. Applied it on internet zone.</P><P>Everything works fine like browsing, streaming etc.. but once I start downloading a big file, after downloading some part, the session will move from Active to discard and the download will simply hung. There is no application shift(connection is over ssl and policy allows every app).</P><P>when checked for global counters, I can see the following counter increasing,</P><UL><LI>packets dropped because of failure in tcp reassembly</LI><LI>packets dropped due to the limitation on tcp out-of-order queue size</LI></UL><P>Even though the drops are there, not sure why the session should move to discard state.</P><P>After the session hungs, I can see the counter "packet buffer pointer inconsistent" as well. Once I remove zone-protection, everything works fine ( i have tested iso download from releases.ubuntu.com).</P><P>What are the reasons the session moves from active to discard? I can't see any threat logs.</P><P>buffer protection is not enabled in global.</P><P>&nbsp;</P><P>----counter-----</P><P>show counter global filter packet-filter yes delta yes<BR /><BR />Global counters:<BR />Elapsed time since last sampling: 3.72 seconds</P><P>name value rate severity category aspect description<BR />--------------------------------------------------------------------------------<BR />pkt_outstanding 4026 1310 info packet pktproc Outstanding packet to be transmitted<BR />pkt_alloc 5 1 info packet resource Packets allocated<BR />pkt_inconsist 2101 683 info packet pktproc Packet buffer pointer inconsistent<BR />session_freed 28 9 info session resource Sessions freed<BR />flow_fwd_drop_noxmit 120 39 info flow forward Packet dropped at forwarding: noxmit<BR />flow_qos_pkt_enque 2094 681 info flow qos Packet enqueued to QoS module<BR />flow_dos_ag_buckets_upd 1 0 info flow dos Updated aggregate buckets for aging<BR />flow_pppoe_encap_pkts 3868 1259 info flow pktproc Total packets encapsulated with PPPoE header<BR />flow_host_pkt_xmt 5 1 info flow mgmt Packets transmitted to control plane<BR />appid_unknown_fini_empty 11 3 info appid pktproc The number of unknown applications because of no data<BR />nat_dynamic_port_release 5 1 info nat resource The total number of dynamic_ip_port NAT release called<BR />dfa_sw 2132 694 info dfa pktproc The total number of dfa match using software<BR />tcp_drop_packet 7 2 warn tcp pktproc packets dropped because of failure in tcp reassembly<BR />tcp_pkt_queued 4294967233 1398101312 info tcp resource The number of out of order packets queued in tcp<BR />tcp_case_2 24 7 info tcp pktproc tcp reassembly case 2<BR />tcp_exceed_flow_seg_limit 7 2 warn tcp resource packets dropped due to the limitation on tcp out-of-order queue size<BR />aho_sw_offload 2015 655 info aho pktproc The total number of software aho offload<BR />ctd_pscan_sw 2132 694 info ctd pktproc The total usage of software for pscan<BR />ctd_pkt_slowpath 2132 694 info ctd pktproc Packets processed by slowpath<BR />log_traffic_cnt 28 9 info log system Number of traffic logs<BR />--------------------------------------------------------------------------------</P><P>&nbsp;</P><P>Thanks in advance.</P> Mon, 28 Dec 2020 15:01:43 GMT Abdul_Razaq 2020-12-28T15:01:43Z https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/376421#M89301 <P>Hi Community,</P><P>I am seeing the below behaviour in my PA-850 running on 9.1.4. Security policy is allowed for traffic.</P><P>Scenario-1, without zone protection in internet zone - Everything works fin</P><P>&nbsp;</P><P>Scenario -2,</P><P>Having zone protection with pretty much all options enabled for 'IP Drop' and TCP drop' and other options as well. Applied it on internet zone.</P><P>Everything works fine like browsing, streaming etc.. but once I start downloading a big file, after downloading some part, the session will move from Active to discard and the download will simply hung. There is no application shift(connection is over ssl and policy allows every app).</P><P>when checked for global counters, I can see the following counter increasing,</P><UL><LI>packets dropped because of failure in tcp reassembly</LI><LI>packets dropped due to the limitation on tcp out-of-order queue size</LI></UL><P>Even though the drops are there, not sure why the session should move to discard state.</P><P>After the session hungs, I can see the counter "packet buffer pointer inconsistent" as well. Once I remove zone-protection, everything works fine ( i have tested iso download from releases.ubuntu.com).</P><P>What are the reasons the session moves from active to discard? I can't see any threat logs.</P><P>buffer protection is not enabled in global.</P><P>&nbsp;</P><P>----counter-----</P><P>show counter global filter packet-filter yes delta yes<BR /><BR />Global counters:<BR />Elapsed time since last sampling: 3.72 seconds</P><P>name value rate severity category aspect description<BR />--------------------------------------------------------------------------------<BR />pkt_outstanding 4026 1310 info packet pktproc Outstanding packet to be transmitted<BR />pkt_alloc 5 1 info packet resource Packets allocated<BR />pkt_inconsist 2101 683 info packet pktproc Packet buffer pointer inconsistent<BR />session_freed 28 9 info session resource Sessions freed<BR />flow_fwd_drop_noxmit 120 39 info flow forward Packet dropped at forwarding: noxmit<BR />flow_qos_pkt_enque 2094 681 info flow qos Packet enqueued to QoS module<BR />flow_dos_ag_buckets_upd 1 0 info flow dos Updated aggregate buckets for aging<BR />flow_pppoe_encap_pkts 3868 1259 info flow pktproc Total packets encapsulated with PPPoE header<BR />flow_host_pkt_xmt 5 1 info flow mgmt Packets transmitted to control plane<BR />appid_unknown_fini_empty 11 3 info appid pktproc The number of unknown applications because of no data<BR />nat_dynamic_port_release 5 1 info nat resource The total number of dynamic_ip_port NAT release called<BR />dfa_sw 2132 694 info dfa pktproc The total number of dfa match using software<BR />tcp_drop_packet 7 2 warn tcp pktproc packets dropped because of failure in tcp reassembly<BR />tcp_pkt_queued 4294967233 1398101312 info tcp resource The number of out of order packets queued in tcp<BR />tcp_case_2 24 7 info tcp pktproc tcp reassembly case 2<BR />tcp_exceed_flow_seg_limit 7 2 warn tcp resource packets dropped due to the limitation on tcp out-of-order queue size<BR />aho_sw_offload 2015 655 info aho pktproc The total number of software aho offload<BR />ctd_pscan_sw 2132 694 info ctd pktproc The total usage of software for pscan<BR />ctd_pkt_slowpath 2132 694 info ctd pktproc Packets processed by slowpath<BR />log_traffic_cnt 28 9 info log system Number of traffic logs<BR />--------------------------------------------------------------------------------</P><P>&nbsp;</P><P>Thanks in advance.</P> Mon, 28 Dec 2020 15:01:43 GMT https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/376421#M89301 Abdul_Razaq 2020-12-28T15:01:43Z https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/376513#M89309 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>,</P> <P>Sounds like PBP is being activated. I'm guessing that if you run&nbsp;<EM>show running resource-monitor ingress-backlogs&nbsp;</EM>your ISO download will be taking max buffer. You could easily test this by just disabling PBP at the zone level and trying again.&nbsp;</P> Tue, 29 Dec 2020 04:16:50 GMT https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/376513#M89309 BPry 2020-12-29T04:16:50Z https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/376529#M89312 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>I suspected the same before, but Packet buffer protection is not enabled at the global level. As well as I disabled the same in zone level. I cannot see any threat logs for the session as well.&nbsp;<EM>show running resource-monitor ingress-backlogs </EM>was mot showing any session consuming more buffer<EM>.&nbsp;</EM></P> Tue, 29 Dec 2020 05:46:33 GMT https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/376529#M89312 Abdul_Razaq 2020-12-29T05:46:33Z https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/376545#M89314 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;,</P><P>&nbsp;</P><P>I can see the below output for 'show zone-protection'. Is any of these is capable of putting a session to discard from active instead of dropping packet?</P><P>&nbsp;</P><P>--------------</P><P>IPv(4/6) Filter:<BR />discard-ip-spoof: enabled: yes, packet dropped: 0<BR />tcp-reject-non-syn: enabled: yes, (global), packet dropped: 413<BR />tcp-timestamp: enabled: yes, packets modified: 0<BR />discard-tcp-syn-with-data: enabled: yes, packet dropped: 0<BR />discard-tcp-synack-with-data: enabled: yes, packet dropped: 0<BR />strip-tcp-fast-open-and-data: enabled: yes, packet stripped: 21<BR />IPv4 packet filter:<BR />discard-icmp-ping-zero-id: enabled: yes, packet dropped: 0<BR />discard-icmp-frag: enabled: yes, packet dropped: 0<BR />discard-icmp-large-packet: enabled: yes, packet dropped: 0<BR />discard-icmp-error: enabled: yes, packet dropped: 87<BR />suppress-icmp-timeexceeded: enabled: yes, packet dropped: 0<BR />suppress-icmp-needfrag: enabled: yes, packet dropped: 0<BR />discard-malformed-option: enabled: yes, packet dropped: 0<BR />discard-overlapping-tcp-segment-mismatch: enabled: yes, packet dropped: 4<BR />strict-ip-check: enabled: yes, packet dropped: 0<BR />discard-tcp-split-handshake: enabled: yes, packet dropped: 0<BR />IPv6 packet filter:<BR />routing-header-0: enabled: yes, packet dropped: 0<BR />routing-header-1: enabled: yes, packet dropped: 0<BR />routing-header-4-252: enabled: yes, packet dropped: 0<BR />routing-header-255: enabled: yes, packet dropped: 0<BR />redirect: enabled: yes<BR />dest-unreach: enabled: yes<BR />pkt-too-big: enabled: yes<BR />time-exceeded: enabled: yes<BR />param-problem: enabled: yes<BR />----------------------</P><P>Thanks in advance.</P> Tue, 29 Dec 2020 10:43:03 GMT https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/376545#M89314 Abdul_Razaq 2020-12-29T10:43:03Z https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/377630#M89367 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;/community,</P><P>&nbsp;</P><P>I was able to identify the cause as '<SPAN>discard-overlapping-tcp-segment-mismatch', it was causing the session to be in a discard state.</SPAN></P> Mon, 04 Jan 2021 14:07:01 GMT https://live.paloaltonetworks.com/t5/general-topics/session-moves-from-active-to-discard-in-middle-of-download-once/m-p/377630#M89367 Abdul_Razaq 2021-01-04T14:07:01Z