https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416228#M93389 <P>As the Palo Alto Tac did not help you may need to open a request for enhancement with you local palo alto contact.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Still you can on your own check what is the exact error with global counters or flow basic as described in:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/m-p/402102#M91777" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/m-p/402102#M91777</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>You then can check if there is option to stop the palo alto protection that drops your tcp sync packets:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-session/tcp-settings.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-session/tcp-settings.html</A></P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/packet-based-attack-protection/tcp-drop.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/packet-based-attack-protection/tcp-drop.html</A></P><P>&nbsp;</P><P>&nbsp;</P><P>Also a small workaround is to set a smaller TCP timeout :</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/app-id-features/service-based-session-timeouts.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/app-id-features/service-based-session-timeouts.html</A></P> Wed, 30 Jun 2021 10:06:43 GMT NikolayDimitrov 2021-06-30T10:06:43Z https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416170#M93385 <P>Hi,</P><P>I got the following scenario.</P><P>client -&gt; Paloalto -&gt; Server:1234</P><P>The client initiates a tcp session to server always using the same source port and same sequence number (verified in packet capture). The session time out is the default 60 minutes.</P><P>&nbsp;</P><P>The client sometimes looses network coverage and initiates a new sync (with same source port and sequence number). But on the firewall the previous session exists and this syn packet is causing the session timer to reset. So the session is never timing out and the capture on firewall is showing that it is dropping all the new syn packets.&nbsp;</P><P>&nbsp;</P><P>We ended up having to clear the sessions manually on firewall for the client to be able to connect.</P><P>&nbsp;</P><P>We did open ticket with support and were told that client is not following RFC (they need to stop using same source port and sequence number). But as usual the client is saying that this application is working at other sites and it is firewall issue.</P><P>&nbsp;</P><P>Looking for some pointers on this.</P><P>&nbsp;</P> Wed, 30 Jun 2021 05:25:56 GMT https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416170#M93385 livewire 2021-06-30T05:25:56Z https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416228#M93389 <P>As the Palo Alto Tac did not help you may need to open a request for enhancement with you local palo alto contact.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Still you can on your own check what is the exact error with global counters or flow basic as described in:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/m-p/402102#M91777" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/m-p/402102#M91777</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>You then can check if there is option to stop the palo alto protection that drops your tcp sync packets:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-session/tcp-settings.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-session/tcp-settings.html</A></P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/packet-based-attack-protection/tcp-drop.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/packet-based-attack-protection/tcp-drop.html</A></P><P>&nbsp;</P><P>&nbsp;</P><P>Also a small workaround is to set a smaller TCP timeout :</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/app-id-features/service-based-session-timeouts.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/app-id-features/service-based-session-timeouts.html</A></P> Wed, 30 Jun 2021 10:06:43 GMT https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416228#M93389 NikolayDimitrov 2021-06-30T10:06:43Z https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416290#M93405 <P>Edit:</P><P>&nbsp;</P><P>&nbsp;</P><P>You may also check if the zone protection porofile is not blocking your second sync packet:</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClReCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClReCAK</A></P> Wed, 30 Jun 2021 13:34:42 GMT https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416290#M93405 NikolayDimitrov 2021-06-30T13:34:42Z https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416454#M93425 <P><FONT color="#000000"><U>To prevent&nbsp;SYN flood&nbsp;attacks, and to preserve&nbsp;<A href="https://www.mygiftcardsite.bid/" target="_self"><SPAN>mygiftcardsite</SPAN></A> memory, the BIG-IP system can prevent&nbsp;new&nbsp;connections by sending a TCP RST&nbsp;packet&nbsp;to the client with a TCP RST&nbsp;packet&nbsp;when the connection reaches the idle&nbsp;session timeout. The BIG-IP LTM system&nbsp;resets&nbsp;TCP connections after sending eight.</U></FONT></P> Fri, 02 Jul 2021 09:43:44 GMT https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416454#M93425 juan9584 2021-07-02T09:43:44Z https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416463#M93426 <P>This setting is not enabled</P> Thu, 01 Jul 2021 10:24:51 GMT https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416463#M93426 livewire 2021-07-01T10:24:51Z https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416464#M93427 <P>See the other things I mentioned.</P> Thu, 01 Jul 2021 10:32:10 GMT https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416464#M93427 NikolayDimitrov 2021-07-01T10:32:10Z https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416466#M93428 <P>We will try for enchancement request. Also we are testing by lowering time out</P> Thu, 01 Jul 2021 10:42:30 GMT https://live.paloaltonetworks.com/t5/general-topics/session-timer-getting-reset-for-new-syn-packet/m-p/416466#M93428 livewire 2021-07-01T10:42:30Z