I recently installed a PAN 5050 cluster in-line between my internal Cisco Wireless Controllers and the DMZ guest access mobility controller and saw the control and data paths flap constantly. I put in an application override rule (along with a number of other measures not related to PAN) and the behaviour seemed to stop. Can anyone confirm whether putting in an application override rule for UDP 16666 has definitively resolved the issue in your environment?
To PAN: Is there a proactive way to identify or confirm whether L7 inspection is causing issues with an application? (packets out of sequence, packet in/out difference auditing?)
By checking global counters and/or by running a debug packet-diag to see how packets are handled by the device, you will be able to see if there is an issue.
If you check your traffic logs, how is the UDP traffic on port 16666 seen (unknown-udp?)?
The cisco-wlc-mobility App-ID covers traffic for wireless lan controllers on udp/16666. If you are seeing this as unknown-udp, please open a case with technical support along with a packet capture.
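As an added example (not code from the thread), a small Python check that does what the reply above suggests: scan exported traffic log lines for udp/16666, count which App-ID each session was matched to, and flag sessions seen as anything other than cisco-wlc-mobility (plus very short sessions, which point at a session-timeout problem rather than App-ID). The column layout and the log lines are constructed assumptions, not the real PAN-OS export format.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in a simplified, hypothetical export layout (NOT the
# real PAN-OS traffic log format): src, dst, proto, dport, app, elapsed_sec, action
SAMPLE_LOG = """\
src,dst,proto,dport,app,elapsed_sec,action
10.1.1.10,172.16.5.5,udp,16666,cisco-wlc-mobility,3600,allow
10.1.1.11,172.16.5.5,udp,16666,unknown-udp,30,allow
10.1.1.12,172.16.5.5,udp,16666,unknown-udp,30,allow
10.1.1.10,172.16.5.5,tcp,443,ssl,120,allow
10.1.1.13,172.16.5.5,udp,16666,cisco-wlc-mobility,29,allow
"""

MOBILITY_PORT = 16666
EXPECTED_APP = "cisco-wlc-mobility"


def audit_mobility_sessions(log_text, short_session_sec=60):
    """Return (App-ID counts for udp/16666, list of sessions worth a closer look).

    A udp/16666 session not identified as cisco-wlc-mobility (e.g. unknown-udp)
    is the symptom the reply says to raise with support together with a capture.
    A correctly identified session that lived only a few seconds suggests the
    session timeout, not App-ID, is tearing the mobility tunnel down.
    """
    apps = Counter()
    suspicious = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["proto"] != "udp" or int(row["dport"]) != MOBILITY_PORT:
            continue  # only the WLC mobility control/data traffic matters here
        apps[row["app"]] += 1
        if row["app"] != EXPECTED_APP:
            suspicious.append((row["src"], row["app"], "misidentified"))
        elif int(row["elapsed_sec"]) < short_session_sec:
            suspicious.append((row["src"], row["app"], "short-session"))
    return apps, suspicious


if __name__ == "__main__":
    counts, flagged = audit_mobility_sessions(SAMPLE_LOG)
    print(dict(counts))
    for src, app, reason in flagged:
        print(f"{src}: {app} ({reason})")
```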
Just yesterday we migrated to a PAN-5050 in active-passive configuration. After that we experienced problems with flapping control and data paths.
Our setup: 4 remote WLC, 1 centralized Anchor-WLC hosted in a DMZ.
First of all, it's important to understand that the etherchannel is always initiated by the host with the lowest MAC-Address. As a result you may want to implement (probably) bidirectional rules for easier handling. The first goal would be to make sure that no packets are dropped by your PAN. As with PAN-OS 5.0.3 and AppVer 365-1733 (03/26/13) the Applications are detected correctly (etherip and cisco-wlc-mobility) – this is a side note related to the following topic: https://live.paloaltonetworks.com/message/25148#25148. Only one thing seems a little bit weird: The traffic log says that etherip is using Port 0 (I'm not sure about that one).
In the second step I changed the values for the timeouts on application level (you can set custom values for etherip and cisco-wlc-mobility in the Application Tab). Unfortunately there was no recognizable difference in the behavior.
SOLUTION: I changed the default values for the session timeouts (Device > Setup > Session Tab) and rebooted the foreign as well as the Anchor WLC. After that procedure all Data and Control Paths seem to work fine.
Additional information: It doesn't seem like this behavior/problem is Palo Alto specific. In fact I found a topic on the Cisco Support forums where someone is having the same problems with a Checkpoint firewall.
It would be nice if someone else in this community could confirm that the described work-around is working.
I expect to put our PAN firewalls back into production in approximately 2 weeks. Please share what changes you made to the defaults under the Session tab. I will replicate your settings and report back on the results.
As some background on differences - we were previously an active-active cluster when the problem first manifested. The scheduled second attempt will be an active-passive cluster on 5.0.3.