Asynchronous Security Zones?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Asynchronous Security Zones?

L1 Bithead

Is there an issue with asynchronous routing if the traffic passes through different security zones? We have our PAs setup with subinterfaces for our respective VLANs. So we have:

Eth1/3.10

Eth1/3.20

Eth1/3.30

Eth1/3.40

 

These subinterfaces connect to a trunk port on an Aruba 6300. The 6300 just has a default route configured which points to to the Palo Alto Eth1/3.10 IP address. That means Internet traffic leaving the 6300 will go through Eth1/3.10 but return traffic will go through the respective sub interface because of the connected route. This has never been an issue before when all subinterfaces were in the same security zone. I recently tried changing the security zone of Eth1/3.10 and after that change all subinterfaces except eth1/3.10 stopped connecting properly. The traffic fails despite nothing getting blocked. If I run a pcap I see the traffic leaving and returning as expected. The only error I am getting is if I 'run show counter global filter delta yes severity drop' it will have 'Packets dropped: forwarded to different zone' as one of the counters. 

 

Is there something wrong with this setup? We do not have any zone protection profile applied, and have tried even adding an allow all policy to ensure everything is allowed so I don't understand why the traffic is being dropped. Does the PA just not allow traffic to leave on one zone and return on another?

 

2 REPLIES 2

L5 Sessionator

There probably is an issue with asymmetry on zone traversal. If you look at session information, it shows c2s and s2c flows including the zones on each side. I would imagine the traffic needs to stick to these zones and not return through a different zone pair.

Why do you have subinterfaces for each vlan on the firewall? If you have a default on 10 on the core switch, why have subs for the other vlans? 

Thanks for the reply, I kind of figured that was what was going on but I can't find documentation to confirm. I have a support ticket open as well and they said the configuration is valid, but it seems like that must be incorrect. What I think it is and what you seem to be alluding to is that the return traffic has a session lookup, the session is found but has mismatched zones, and the packets are dropped. 

 

To be honest, it is mostly a holdover from the config before I started. Now we mostly keep it to stay uniform (some sites have gateway set to the PA instead of a core switch for various reasons). If we could get this configuration to work properly, we'd also filter inbound traffic to certain zones. Maybe we need to rethink it however. 

  • 796 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!