New PA user and currently concerned

L4 Transporter

Hi

I am a new PA user; I purchased a PA-850 and 2 x PA-5220s.

Adding these to my OSPF network, I have set up a policy "network protocols" that allows OSPF.

But for some reason in my log, I get OSPF timed-out sessions, aged-out sessions and sessions that have 0 bytes.

So I contacted support. After 2-3 weeks, they bring it up in their lab and I am told this is normal behaviour.

If it's normal, why do they need to lab it up? It should be in the documentation, yes?

Also, for a next-gen FW that doesn't understand OSPF, wow... I am really reconsidering my choice in PA...

So is this standard for OSPF connections?

To be clear, I believe the OSPF connection is okay, at least from my other routers' point of view; it's just the way that the PAs are logging it. I believe I haven't as yet put them into any situation where they could cause a problem ...

L6 Presenter

Re: New PA user and currently concerned

Hi,

Aged-out is fine because OSPF doesn't use TCP; it is a standalone (own) protocol. Can you please post the detailed (magnifying glass) log view?

L6 Presenter

Re: New PA user and currently concerned

Also, if you check the session browser tab and filter based on the OSPF app, what can you see? I think it is something to do with the device's own session. For instance, I am running an IPSec VPN that terminates on the PA; I also cannot clear this session, and my counters are 0 bytes as well:

esp.JPG

EDIT: I'm not sure, though, if this is the case with OSPF
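The point made in the two replies above (OSPF and ESP run directly over IP and have no close handshake, so a stateful firewall can only end those sessions on an idle timer) can be turned into a log triage rule. This is an added example, not part of the original thread or of any vendor tooling; the CSV column names and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter

TCP = 6
# IANA protocol numbers for protocols with no close handshake on the wire.
NO_TEARDOWN = {17: "udp", 50: "esp", 89: "ospf"}

# Constructed sample rows, not real firewall output. The column names are
# hypothetical; map them to the fields of your own traffic-log export.
SAMPLE = """app,ip_proto,end_reason
ospf,89,aged-out
ospf,89,aged-out
ipsec-esp,50,aged-out
ssl,6,tcp-fin
ssl,6,aged-out
web-browsing,6,tcp-rst-from-server
"""

def triage(ip_proto, end_reason):
    """Classify one ended session by IP protocol and end reason."""
    if end_reason == "aged-out":
        if ip_proto in NO_TEARDOWN:
            # Nothing on the wire marks the end, so the idle timer is the
            # only way the firewall can retire the session entry.
            return "expected"
        if ip_proto == TCP:
            # TCP can close with FIN/RST; a timeout instead is worth a look.
            return "review"
    if ip_proto == TCP and end_reason.startswith("tcp-"):
        return "closed"
    return "other"

def summarize(csv_text):
    """Count triage verdicts over a CSV export of ended sessions."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[triage(int(row["ip_proto"]), row["end_reason"])] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
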

L7 Applicator

Re: New PA user and currently concerned

@Alex_Samad,

I'm guessing that you worked solely with level 1 TAC, who will take a while to actually accomplish much of anything and likely weren't familiar with OSPF installations. I would recommend you only let front-line support hold a case for a day; after that, tell them to hand you up a tier. Personal experience has told me that the first person you are going to get in touch with through TAC isn't going to know much about the product. Don't get me wrong, some of those guys actually are great, but Palo Alto has had to grow that team so much that a lot of them are quickly moved into tier 2 and tier 3 roles and then get passed off to other departments; sadly this means that tier 1 has decreased in recent years in their knowledge of the product.

The good news is that, from talking with plenty of people internal to the company, they are desperately trying to stop the tier 1 hemorrhage of knowledge. So they are at least trying to address the issue.

L7 Applicator

Re: New PA user and currently concerned

@BPry

Is it possible to force a TAC case to be moved to level 2 or 3 after one day? Do you simply need to say "please move the case to the next level", or how does this have to be done? Through your SE?

L7 Applicator

Re: New PA user and currently concerned

@vsys_remo,

I wouldn't say it's as simple as saying 'please move the case to the next level' but more of an 'I think this needs to go to the next level, I think this is above your head' type of thing. I haven't had anybody say no at this point, although I have had to repeat it with a little more force to get the point across. I'm not sure what TAC's actual protocol is to escalate a case.

I wouldn't do this for a simple question after only a day, but if it stretches out to a few days, or better yet it actually affects my users, I'm getting escalated one way or another. I'm not sure how TAC is actually graded as far as the individual is concerned, but I've connected with a few TAC techs that wanted to hold onto a case for far too long before I actually brought up escalating directly with them.

L6 Presenter

Re: New PA user and currently concerned

I usually ask through the portal: Please, can we escalate this case :D.

But again, it all depends on the actual issue, and if you think that the conclusion was wrong or you need a bit more info, you can escalate. Most of the time, 98%, engineers are very good (EMEA TAC). In 1.5 years of working with the support, I did escalate only twice.

L7 Applicator

Re: New PA user and currently concerned

@TranceforLife,

You said the magic words of EMEA though ;-) 

L6 Presenter

Re: New PA user and currently concerned

Not sure where you are based (guess US), but US TAC didn't show me a good example of support.

L4 Transporter

Re: New PA user and currently concerned

My current experience hasn't been the best.

OSPF - Okay, I can accept that the firewall can't understand OSPF in regards to policies - that seems like a major defect to me. Why do I pay so much for a system that ....

As for support - I have had a GlobalProtect issue that I have asked to be escalated 3 or 4 times, and I am still stuck with the same person. Not getting anywhere.

If this had happened during my POC, I would have looked elsewhere.

I have had some good experiences.

But in a lot of them, the WebEx sessions are people randomly clicking on things: let's try this and see what happens, and then let's try this.

Not sure if it makes me feel better to hear others are having the same issues, or worse!

 
