A weird high latency ping issue with PaloAlto running version 8.1.15 hotfix 3

L2 Linker

I have this really weird issue and I don't know how to solve it. I noticed it when I was first migrating from Checkpoint over to PaloAlto while doing verification in my Development environment.


- A PAN 5050 running 8.1.15 hotfix 3. I have a CentOS host (LinuxB) behind the PAN and another CentOS host (LinuxA) outside the PAN. The FW rule is any/any allow between these two hosts, and the rule is at the top of the rulebase with nothing else. The PAN firewall is managed by Panorama. The interface on the PAN uses VLAN tagging on a single physical interface.


- I do 100 pings from LinuxA to LinuxB; the average RTT is 1.4 ms. The Linux machines and the PAN are connected to the same L2 Cisco 3750 switch. My background prior to PAN is Cisco, so I am very familiar with Cisco products.


- I took out the PAN firewall and put in either a Cisco ASA or an IOS router, using the same cable and switchport that I use on the PAN firewall. When I do 100 pings from LinuxA to LinuxB, the average RTT is 0.9 ms, almost a 50% improvement in latency.


I went back and checked the ping latency in my production environment (we use the open source smokeping tool to monitor our network/firewall devices) before the cutover from Checkpoint to PAN, and I noticed the same thing.


I want to upgrade the PAN 5050 to 8.1.17 and test again; unfortunately, we ran out of support on the device, so I can no longer download 8.1.17 for the 5050, but I don't think it would have made any difference.


Thoughts?

Cyber Elite

@dtran 


Does your ping rule have security profiles attached to it?

Another thing I can suggest: for the application ping, do a test without any security profile to see if it makes any difference.


Also try pinging from the PA CLI using a source IP and see if there is any difference.


Regards

MP
L2 Linker

"Does your ping rule have security profiles attached to it?

Another thing I can suggest: for the application ping, do a test without any security profile to see if it makes any difference."


No, the ping rule does NOT have any security profiles attached to it.

L0 Member

How did you check the connectivity between the mgmt interface and the internet? 

L2 Linker

Attachment: latency_between_PAN_and_non_PAN.png

L2 Linker

As you can see in the graph, the high latency is ping across the PAN firewall while the low latency is across the non-PAN firewall. The endpoints are the same, and the L2 switchport is the same. The only difference is the firewall.

Cyber Elite

@dtran,

ICMP traffic is never fast tracked, and while a 50% increase sounds bad, you're talking about roughly a 0.5 ms difference. What happens if you actually try testing with legitimate traffic (websites, DB calls, etc.)?
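The two measurements discussed in this thread, the original poster's 100-ping average comparison and the suggestion in the reply above to test with real application traffic instead of ICMP, as one added example script. This is not code from the thread or from Palo Alto Networks. It parses Linux `ping` transcripts into RTT samples and reports the whole distribution (median, p95, max) rather than only the mean, since a 0.5 ms gap in the average can come from a uniform shift or from a few slow replies; and it times repeated TCP connects, which exercise the firewall's session setup path the way application traffic does. The two ping transcripts and the LinuxB address 10.0.2.20 are constructed sample data, and the loopback listener is a stand-in for the far-end host so the script runs offline; point `measure_tcp_connect` at a real service behind the firewall to test the actual path.

```python
import re
import socket
import statistics
import threading
import time
from typing import Dict, List, Tuple

# Per-reply line printed by iputils ping on Linux, e.g.
# "64 bytes from 10.0.2.20: icmp_seq=1 ttl=63 time=1.42 ms"
RTT_RE = re.compile(r"\btime=([0-9.]+) ms")


def parse_ping_rtts(ping_output: str) -> List[float]:
    """Pull every per-reply RTT (ms) out of a raw `ping -c N` transcript."""
    return [float(m.group(1)) for m in RTT_RE.finditer(ping_output)]


def summarize(samples_ms: List[float]) -> Dict[str, float]:
    """Mean plus median/p95/max, so a small average gap can be judged by the
    whole distribution instead of one number."""
    if not samples_ms:
        raise ValueError("no samples")
    ordered = sorted(samples_ms)
    p95_idx = max(0, int(round(0.95 * len(ordered))) - 1)  # nearest-rank p95
    return {
        "count": len(ordered),
        "mean": statistics.fmean(ordered),
        "median": statistics.median(ordered),
        "p95": ordered[p95_idx],
        "max": ordered[-1],
    }


def compare_means(baseline_ms: List[float], candidate_ms: List[float]) -> Dict[str, float]:
    """Absolute and relative change of mean latency, candidate against baseline."""
    b = statistics.fmean(baseline_ms)
    c = statistics.fmean(candidate_ms)
    return {"delta_ms": c - b, "delta_pct": (c - b) / b * 100.0}


def measure_tcp_connect(host: str, port: int, count: int = 100, timeout: float = 2.0) -> List[float]:
    """Time `count` TCP connects in ms. Each connect is a full three-way
    handshake, so it goes through the firewall's session setup the way real
    application traffic does, which an ICMP echo does not."""
    samples: List[float] = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            t0 = time.perf_counter()
            s.connect((host, port))
            samples.append((time.perf_counter() - t0) * 1000.0)
        finally:
            s.close()
    return samples


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the far-end host (LinuxB): a loopback listener
    that accepts and immediately closes each connection. Only here so the
    example runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(128)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def fake_ping_transcript(dst: str, times_ms: List[float]) -> str:
    """Constructed ping output in iputils format (sample data, not a capture)."""
    lines = [f"PING {dst} ({dst}) 56(84) bytes of data."]
    for seq, t in enumerate(times_ms, start=1):
        lines.append(f"64 bytes from {dst}: icmp_seq={seq} ttl=63 time={t:.2f} ms")
    lines.append(f"--- {dst} ping statistics ---")
    lines.append(f"{len(times_ms)} packets transmitted, {len(times_ms)} received, 0% packet loss")
    return "\n".join(lines)


# Constructed samples: RTTs made up for this example, LinuxB = 10.0.2.20 assumed.
PING_VIA_PAN = fake_ping_transcript("10.0.2.20", [1.31, 1.42, 1.55, 1.38, 1.47, 1.36, 1.44, 1.40, 1.52, 1.35])
PING_VIA_ASA = fake_ping_transcript("10.0.2.20", [0.85, 0.92, 0.88, 0.95, 0.90, 0.87, 0.93, 0.91, 0.89, 0.90])


if __name__ == "__main__":
    pan = parse_ping_rtts(PING_VIA_PAN)
    asa = parse_ping_rtts(PING_VIA_ASA)
    print("ICMP via PAN:", summarize(pan))
    print("ICMP via ASA:", summarize(asa))
    print("PAN vs ASA  :", compare_means(asa, pan))

    # Application-style check against the loopback stand-in; replace host/port
    # with LinuxB's real service to measure through the firewall.
    srv, port = start_local_listener()
    try:
        print("TCP connect :", summarize(measure_tcp_connect("127.0.0.1", port, count=100)))
    finally:
        srv.close()
```

To reproduce the thread's comparison, capture `ping -c 100 <LinuxB>` output with each firewall in path and feed the two transcripts to `parse_ping_rtts`; compare p95 and max as well as the mean, and run `measure_tcp_connect` against a listening port on LinuxB for the application-path number the reply asks for.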
