All incoming TCP connections blocked for 5 minutes at random times.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

All incoming TCP connections blocked for 5 minutes at random times.

L2 Linker

At random times all TCP connections from the Internet are blocked (all ports and all IPs) for incoming traffic only.  Websites, mail servers etc are not accessible from the Internet.  UDP and ICMP are not affected.  What could be causing this?

21 REPLIES 21

Have you tried increasing the thresholds under SYN Flood Protection then?  How high is your firewall on resource utilization?  I'm wondering if you might be able to use SYN Cookies instead of Random Early Drop action?   Note that I have not tried this myself.

 

I'm also thinking that you might want to setup SNMP monitoring the DoS counters on the firewall.  I recently tried to configure this, but have not had success yet.

This article might help.  I've been meaning to read it myself and figure out how to setup snmp monitoring for DoS.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOKCA0

I have increased the threshold from 100 to 500 under Reconnaissance per your suggestion.  Will see if that makes a difference.

I did not mean the threshold under Reconnaissance Protection.  I mean the threshold under Flood Protection.  The defaults are 10,000 fro Alarm Rate and Activate, and 40,000 for maximum connections/sec.

Those are already pretty high.  Alarm and active reates are 59,000.  Maximum connections at 100,000.

Capture.PNG

 

Example of SNMP monitoring.  That being said, it is painful / somewhat manual to setup.

L2 Linker

Thanks to all who responded.  I was finally able to resolve this problem by by changing zone protection for Untrust from SYN Cookies to Random Early Drop.  

  • 10599 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!