PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

Reply
L1 Bithead

PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

Hi Experts,

I have the following scenario: a pair of PA 5220 (running pan os 8.1.10) in an ACTIVE / ACTIVE Setup (session owner 1st Packter - session setup 1st Packet) -We have been running Active / Active since roughtly 2 Years now without any significant problems.

 

However tftp (PXE Boot) session in an asymmetric scenario do not get properly synched (first packet flows through the Primary Firewall; reply (due to our routing setup) flows back via the secondary FW unit - the session which was initiated by going through the Primary FIrewall is no where to be seen on the Secondary Firewall). TCP traffic (also asymmetric) via both Primary and Secondary Firewall works without any issue.

 

I was wondering if this is a known issue / limitation or if I have some sort of misconfiguration on our side.

 

Any suggestion would be greatly appreciated.

 

I can provide additional infos / schematics if needed.

 

Thanks in advance

 

 

L4 Transporter

Re: PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

Just seeking confirmation on session setup.

 

Choices are:

IP Modulo, IP Hash, or Primary Device.

(Definitely do NOT recommend primary device...)

 

So when you wrote "(session owner 1st Packter - session setup 1st Packet) ", I am looking to determine what you have.

 

If you truly have Primary Device for Session Setup, then this explains why you are not seeing a session in the Secondary-Active FW.

 

Please confirm and advise.

Help the community: Like helpful comments and mark solutions
L1 Bithead

Re: PA 5220 (PAN OS 8.1.10) Active / Active not synching tftp traffic in asymmetric routing scenario

Hi,

 

thank you for your Feedback.

 

As I wrote, we are currently using "First Packet" for both Session Owner as well as Session Setup.

 

Do you believe the Problem that we are seeing with tftp is due to this ?

 

Please note that we haven't seen so far such issues in our asymmetric Routing Scenario with other traffic / application types (mostly TCP based) ...

 

Thanks

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!