Packets are Dropped Due to TCP Reassembly

192668
Created On 09/25/18 20:34 PM - Last Modified 03/21/24 07:54 AM


Symptom


Packets are getting dropped due to TCP reassembly.

Environment


  • Any Firewall


Cause


This normally happens when there is asymmetric routing in the network: for example, the SYN packet goes through the Palo Alto Networks firewall, the SYN-ACK never passes through the firewall, and the firewall then receives the ACK. Because it never saw the complete three-way handshake, TCP reassembly fails and the firewall drops the packets.

 

To confirm, run packet captures and check the global counters. For more information on packet captures, see: Getting Started: Packet Capture

[Screenshot: global counter output showing packets dropped due to TCP reassembly]

 

As shown below, the counters show the packets being dropped due to TCP reassembly, and the captures show the firewall receiving a SYN packet and an ACK packet but never a SYN-ACK:

[Screenshot: receive-stage capture showing SYN and ACK packets with no SYN-ACK]
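The handshake pattern described above (SYN and ACK seen, SYN-ACK never seen) can be checked mechanically once a capture has been exported as text. The script below is an added example, not part of this article and not a Palo Alto Networks tool: it assumes the capture was exported in tcpdump's one-line text format, parses each line, groups packets by flow, and reports flows whose SYN-ACK never crossed the firewall. The sample lines are constructed for the example; the first flow shows the asymmetric case, the second a normal handshake.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump text format (not the article's captures).
# Flow 1: SYN and ACK from the client, no SYN-ACK from the server -> asymmetric.
# Flow 2: full three-way handshake -> symmetric.
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 10.1.1.10.51000 > 203.0.113.5.443: Flags [S], seq 100, win 64240, length 0
10:00:00.020000 IP 10.1.1.10.51000 > 203.0.113.5.443: Flags [.], ack 1, win 502, length 0
10:00:01.000000 IP 10.1.1.20.52000 > 203.0.113.5.443: Flags [S], seq 200, win 64240, length 0
10:00:01.010000 IP 203.0.113.5.443 > 10.1.1.20.52000: Flags [S.], seq 300, ack 201, win 65160, length 0
10:00:01.020000 IP 10.1.1.20.52000 > 203.0.113.5.443: Flags [.], ack 1, win 502, length 0
"""

# tcpdump writes "host.port > host.port: Flags [..]"; the flag letters are
# S = SYN, "." = ACK, so "S." is a SYN-ACK and "." alone is a bare ACK.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the 4-tuple and flag string of one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def find_asymmetric_flows(capture_text):
    """Return flows (client, cport, server, sport) where a SYN and a bare ACK were seen
    but no SYN-ACK, i.e. the return path bypassed the capture point."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False})
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        forward = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if "S" in flags and "." not in flags:
            # Client SYN: this direction defines the flow key.
            flows[forward]["syn"] = True
        elif "S" in flags and "." in flags:
            # SYN-ACK travels server -> client, so record it under the client-side key.
            flows[reverse]["synack"] = True
        elif "." in flags:
            # Bare ACK: attribute it to whichever direction already has a known flow.
            if forward in flows:
                flows[forward]["ack"] = True
            elif reverse in flows:
                flows[reverse]["ack"] = True
    return sorted(key for key, st in flows.items()
                  if st["syn"] and st["ack"] and not st["synack"])


if __name__ == "__main__":
    for client, cport, server, sport in find_asymmetric_flows(SAMPLE_CAPTURE):
        print(f"asymmetric: {client}:{cport} -> {server}:{sport} (SYN and ACK seen, no SYN-ACK)")
```

Flows reported by this script are the ones that will fail TCP reassembly on the firewall; a hit confirms the routing is asymmetric, after which one of the two bypass options below applies.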



Resolution


Option 1: Apply as a Global Setting on the firewall.

Use the following command to configure the firewall to bypass asymmetric routing globally.

> configure
# set deviceconfig setting tcp asymmetric-path bypass
# commit

 

The changes can be reverted back with the following:

> configure
# delete deviceconfig setting tcp asymmetric-path
# commit

 

Use the following command to check the current action on asymmetric traffic:

> show running tcp state | match asymmetric
session with asymmetric path            : drop packet

 

Option 2: Apply asymmetric-routing-bypass to specific zones

Users can narrow the asymmetric-routing bypass to traffic going to a specific destination zone by creating a Zone Protection Profile.

  1. Go to Network > Zone Protection Profile.
  2. Add a new Profile and give it a name.
  3. Go to the Packet Based Attack Protection tab and, on the pulldown menu, select the following:
    Reject Non-SYN TCP: No
    Asymmetric Path: Bypass
    [Screenshot: Packet Based Attack Protection tab with Reject Non-SYN TCP set to No and Asymmetric Path set to Bypass]
  4. Go to the destination Zone in question, and assign the Zone Protection Profile.
    [Screenshot: Zone settings with the Zone Protection Profile assigned]
  5. Commit your changes.

Note: If traffic spans two security zones, the Zone Protection Profile is keyed on the destination zone. Apply the profile to one zone or both, depending on where asymmetric traffic is required: if sessions are initiated in only one direction, apply it to the destination zone only; if they are initiated in both directions, apply it to both zones.

 

owner: ashaikh


