PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

L2 Linker

PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

Dear experts,

I am moving from a PA3050 to a PA3220. I exported the current configuration from the old PA3050 and imported it to the new PA3220; it committed successfully, but when I migrate the cables from the old device to the new one I get random issues! Like some zones are not reachable; like I have ping to the internet, telnet and traceroute, but I can't browse!; like I can't ping some destinations. WEIRD! It's the SAME configuration and the OS versions are the same on both devices; plus, I downloaded and installed the latest content version on both devices before exporting the config file.xml.

NOTE: when I move back to the old PA3050 everything works properly!

One more thing: we have an A10 (SSL Interception) connected to the PA on the external side and a StormShield (AS core firewall).

REALLY WOULD APPRECIATE YOUR HELP.

L4 Transporter

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

Maybe asymmetric routing? Traffic like ping doesn't need a 3-way handshake to work through the PA but internet browsing would. Maybe the syn-ack isn't going through the PA?

Did anything else change when you moved to the new firewall?

Is there anything in the logs showing this traffic dropping?

L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

NO, I checked through all devices, not a single drop in any of them. Plus I cleared ARP on the PA and on the neighbor devices and it is still not working. I noticed that I can't ping from the PA interface to the other end, which is a switch. I have no idea why this would happen...

L4 Transporter

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

What do the ARP entries on the PA and switch show for each other? Are they correct?

L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

It's showing the correct ARP, PA MAC address matching the correct IP. On the other hand, why would there be asymmetric routing if nothing changed in the network except the device? That's the point here: whenever I switch the cables back to the old device everything works properly.

L4 Transporter

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

Is there asymmetry in your network? There is a setting on the PA to bypass the dropping of traffic where the full handshake isn't seen. Was that set on the old firewall?

If you do 'show session info', there's a section for Session Setup that will tell you the current value of this setting. Default is True, meaning it will drop the traffic. If it's set to False, then the full handshake isn't needed to permit traffic.
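To compare this setting between the old and new firewall without eyeballing two CLI dumps, here is an added example (not from this thread or from Palo Alto Networks): a small Python parser for the 'Session setup' block of 'show session info' output, plus a diff of that block between two devices. The sample output is constructed in the layout of that command with illustrative values, and the setting name 'TCP - reject non-SYN first packet' is assumed from the command's usual output; confirm the exact label on your own PAN-OS version.

```python
import re
from typing import Dict, Optional, Tuple

# Matches "key: value" lines; the key has no colon and the value is non-empty.
KV_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")


def parse_session_info(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'show session info' output into {section: {key: value}}.

    Section headings sit in column 0 without a value ("Session setup");
    settings are "key: value" lines. Lines before the first heading land
    in a section called "general".
    """
    sections: Dict[str, Dict[str, str]] = {"general": {}}
    current = "general"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = KV_RE.match(line)
        if m:
            sections[current][m.group("key").strip()] = m.group("value")
        elif not line[0].isspace():
            # A bare, non-indented line (optionally ending in ':') starts a section.
            current = line.strip().rstrip(":")
            sections.setdefault(current, {})
    return sections


def reject_non_syn(sections: Dict[str, Dict[str, str]]) -> Optional[bool]:
    """True/False for the 'reject non-SYN first packet' setting, None if absent."""
    for key, value in sections.get("Session setup", {}).items():
        if "reject non-syn" in key.lower():
            return value.strip().lower() == "true"
    return None


def diff_session_setup(old_text: str, new_text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (old_value, new_value)} for every Session setup entry that differs."""
    old = parse_session_info(old_text).get("Session setup", {})
    new = parse_session_info(new_text).get("Session setup", {})
    return {
        key: (old.get(key, "<missing>"), new.get(key, "<missing>"))
        for key in sorted(set(old) | set(new))
        if old.get(key) != new.get(key)
    }


def build_sample(reject_non_syn_value: str) -> str:
    # Constructed excerpt in the layout of 'show session info'; values are illustrative.
    return (
        "Number of sessions supported:            262142\n"
        "Number of allocated sessions:            1201\n"
        "\n"
        "Session timeout\n"
        "\n"
        "  TCP default timeout:                   3600 secs\n"
        "  TCP session timeout before SYN-ACK received: 5 secs\n"
        "\n"
        "Session setup\n"
        "\n"
        f"  TCP - reject non-SYN first packet:     {reject_non_syn_value}\n"
        "  Hardware session offloading:           True\n"
        "  IPv6 firewalling:                      True\n"
        "  Strict TCP/IP checksum:                True\n"
        "  ICMP Unreachable Packet Rate:          200 pps\n"
        "\n"
        "Application trickling scan parameters:\n"
        "  Timeout to determine application trickling: 10 secs\n"
    )


# Constructed: the old box had the setting relaxed, the new box is at the default.
OLD_PA3050_OUTPUT = build_sample("False")
NEW_PA3220_OUTPUT = build_sample("True")


if __name__ == "__main__":
    for name, text in (("old", OLD_PA3050_OUTPUT), ("new", NEW_PA3220_OUTPUT)):
        print(f"{name}: reject non-SYN first packet = {reject_non_syn(parse_session_info(text))}")
    for key, (old_val, new_val) in diff_session_setup(OLD_PA3050_OUTPUT, NEW_PA3220_OUTPUT).items():
        print(f"DIFF {key}: old={old_val} new={new_val}")
```

Paste each device's real 'show session info' output into the two strings (or read them from files) and the diff lists every Session setup value that changed between the boxes; a 'True' on the new firewall where the old one showed 'False' is exactly the case the reply above describes, where an asymmetric path that the old unit tolerated now gets its non-SYN first packets dropped.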

L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

You mean it's a setting in the Zone Protection? I created a zone protection profile --> Packet Based Attack Protection --> "Reject Non-SYN TCP" set to "no" and the Asymmetric Path to "bypass".

Is that correct?

L4 Transporter

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

No, it's a command line entry. At the CLI, you enter 'show session info'. Then look for the section called 'Session setup'.

L2 Linker

Re: PLEASE HELP.. same config but not working! from PA 3050 to PA 3220

Ah, I didn't, but I will check this and get back to you. One more thing: would this affect the other zones as well? I mean, would this affect the DMZ zone, or would this only affect internet connectivity?

