PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

Reply
Highlighted
L4 Transporter

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

It's a global setting so any asymmetric traffic would be affected. 

L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

Ah okay, but this global setting shouldn't be included in the config file that i exported from the old PA3050 ? 

 

 

L4 Transporter

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

It’s probably included but I don’t know for sure.
L7 Applicator

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

@SamerKiwan ,

So the configuration on your 3050 and your PA-3220 is going to be different in a few ways. Things I would verify:

1) On the PA-3220 are you using interfaces 17 through 20, and if so have you actually verified the interface is set to the proper speed if you are using SFP instead of SFP+? 

2) Importing a configuration like that can cause some issues if things don't 100% import properly. I would pull the PA-3050 and the PA-3220 configurations and verify that they are actually similar by running a compare. 

3) What do you see on the logs when you are attempting to browse? Resets or age-out responses? 

L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

Okay, Thank you very much for your responses. I will check and update you.

 

 

 

L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

1) i am using ports 1-12
2) I didnt compare through config audit i will do so
3)i see resets, but all actions are allowed..
L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

@rmfalconer what is the setting exact name of the asymetric routing ? below is my session settings

 

Session setup
TCP - reject non-SYN first packet: False
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps

L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

@BPry I checked configuration syntax its exactly the same.. :S any other suggestions ? 

L4 Transporter

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

The setting that shows that asymmetry is permitted is "TCP - reject non-SYN first packet: False"

Is this on both firewalls?

 

Are you absolutely sure that this is a setting you want enabled? It's definitely not best practice to enable. Do you know why you have flows bypassing the firewall?

L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

For sure no i don't keep such setting, but i did that for testing purpose it was "True" i put it "False" to check if issue will get resolved but it didn't. Is it possible that A10 device makes such issue? maybe its SFPs are not compatible with the new PA ethernet ports? 

 

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!