tcp_drop_out_of_wnd

L1 Bithead

tcp_drop_out_of_wnd

Hi,

On PanOS 4.0 I have to disable the "tcp_drop_out_of_wnd" check with this command:

>configure
>set deviceconfig setting tcp drop-out-of-wnd no
>commit

How do I disable the "tcp_drop_out_of_wnd" check on PanOS 4.1 (4.1.5)?

Thanks,

Regards.

Not applicable

Re: tcp_drop_out_of_wnd

set deviceconfig setting tcp asymmetric-path bypass

A question: are you disabling this because of RDP or SMB (nfs) performance problems? I haven't read anything about others having that problem. But when I disabled tcp_drop_out_of_wnd this solved my issue. Just wondering if this is a bug with PANFW.

L1 Bithead

Re: tcp_drop_out_of_wnd

Thanks for the reply.

No, I disable tcp_drop_out_of_wnd because some HTTP (only HTTP, not FTP) downloads break.

This is totally random; a ticket has been open with Palo Alto support for 1 month.

Maybe it's because (I think; Palo Alto doesn't give any solution or suggestion) I have a special network architecture:

            Internet
                |
             Vsys 1
            /   |   \
           /    |    \
          /     |     \
     Vsys2   Vsys3   Vsys4

I think inter-vsys routing doesn't like the tcp_drop_out_of_wnd check.

L3 Networker

Re: tcp_drop_out_of_wnd

We had to use this same command to address some issues on our network with HTTP traffic as well. Still not 100% clear on why, but it definitely made a difference. I was told the new command in 4.1 combines a couple of tweaks that were separate commands in previous versions. I was told this turns off actions for TCP sliding window tracking errors and also disables the TCP sequence number check for FIN/RST. We also had problems with the tcp non-syn reject.


L0 Member

Re: tcp_drop_out_of_wnd

We had to run this command when having issues with rsh to systems that took longer than need be to respond. We also used it with bypass-exceed to prevent premature tcp timeout issues.

PAN>configure
PAN#set deviceconfig setting tcp drop-out-of-wnd no
PAN#set deviceconfig setting tcp bypass-exceed-oo-queue yes
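
An added example, not part of any post in this thread and not Palo Alto's code: a simplified model of sliding-window tracking on a stateful firewall. It shows one way out-of-window drops can arise when the firewall does not see a flow's return ACKs, and what changes when the check is turned off. The class and function names, the 1000-byte segments and the 4000-byte window are assumptions for illustration; PAN-OS's real algorithm is not described on this page.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    direction: str   # "c2s" (client to server) or "s2c" (server to client)
    seq: int         # first sequence number carried
    length: int = 0  # payload bytes
    ack: int = 0     # cumulative ACK for the opposite direction
    win: int = 0     # receive window advertised by the sender

class WindowTracker:
    """Hypothetical per-direction view of the sequence space a receiver accepts."""

    def __init__(self, client_next, server_next, init_win, drop_out_of_wnd=True):
        self.left = {"c2s": client_next, "s2c": server_next}
        self.right = {d: n + init_win for d, n in self.left.items()}
        self.drop_out_of_wnd = drop_out_of_wnd

    def inspect(self, seg):
        d = seg.direction
        rev = "s2c" if d == "c2s" else "c2s"
        in_window = self.left[d] <= seg.seq and seg.seq + seg.length <= self.right[d]
        if not in_window and self.drop_out_of_wnd:
            return "drop"
        if in_window:
            # Only a validated segment may slide the window of the reverse direction.
            self.left[rev] = max(self.left[rev], seg.ack)
            self.right[rev] = max(self.right[rev], seg.ack + seg.win)
        return "forward" if in_window else "forward-unchecked"

def run_download(sees_client_acks, drop_out_of_wnd=True, segments=10, mss=1000, win=4000):
    """Server sends `segments` data segments and the client ACKs each one.
    If sees_client_acks is False, the ACKs take a path around the firewall."""
    fw = WindowTracker(client_next=1, server_next=1, init_win=win,
                       drop_out_of_wnd=drop_out_of_wnd)
    verdicts = []
    for i in range(segments):
        seq = 1 + i * mss  # constructed sample traffic
        verdicts.append(fw.inspect(Segment("s2c", seq, mss, ack=1, win=win)))
        if sees_client_acks:
            fw.inspect(Segment("c2s", 1, 0, ack=seq + mss, win=win))
    return verdicts

if __name__ == "__main__":
    print("both directions seen :", run_download(True))
    print("return path not seen :", run_download(False))
    print("check disabled       :", run_download(False, drop_out_of_wnd=False))
```

With the check off, the segments past the first window are forwarded without any window validation, which is the trade-off of the setting discussed in the thread.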
