Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

existing session behavior when routing table changes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

existing session behavior when routing table changes

Does anybody know if existing sessions can be updated when there is a routing table change, or if there is a way to clear sessions?  I'm hoping for something analagous to the Session Rematch feature when policies change.

 

My problem is that I have an existing session that becomes hung when the routing table changes.  The routing table updates when our primary link goes down so traffic will follow the backup link.  New sessions work properly, but the existing sessions do not. 

 

I believe part of my issue is that I have a particular session that is UDP, and always uses the same source and destination ports.  This means any new traffic continues to match the existing session.  Further compounding the problem is that this is SIP traffic, so the session timeout is 60 minutes.

7 REPLIES 7

L5 Sessionator

Some time issue happens with SIP traffic. Clearing session will help. We can use the folllowing command to clear the session

 

PA> clear session all filter source <ip> destination <ip>

 

Hope this helps!

L3 Networker

> Clearing session will clear out everything and the new session will use the other active gateway

> A feature called TCP midstream-connection-pickup would have helped your situation but I don't believe that on Paloalto we have that feature, Once I saw this feature on Cyberoam firewall (again a linux based OS)

 

> I think with root access this can be done, but again I am presuming

 

Have you verified that firewall stops passing traffic towards new route (take packet capture for example)?

Maybe application at destination does not map changed source IP to existing session.

You can't just suddenly change endpoint ip's without application level to be aware of that.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks for the replies.

 

Clearing the session did fix the issue.  I was hoping to find a way to make this automatic.

 

For confirmation, the PaloAlto at the other end of the backup link did not have a session for the traffic.  This leads me to believe the traffic never reaches the destination after the route change.  The source and destination IPs do not change.

 

From reviewing documentation, because the source IP, destination IP, source port, destination port, protocol, and ingress interface do not change the session stays in the Fastpath and forwarding lookup never reoccurs.

Have you configured the same zone on both outgoing interfaces? If not the firewall will drop the packets

The firewall session's table is based among other things on source and destination zones (not physical interfaces) if the destination zone changed the packets will be dropped (as it broke the ecisting session). There is a Global counter for it but I don't remember it at the top of my head (something lime pkt_flow_zone_change)

 

 

You can check the global counters and see if the packets are being dropped.

Before and after the issue,

> show counter global filter delta yes | match drop

 

Regards,

Gerardo.

L1 Bithead

Hello,
Did you solve this? I have a similar behavior and I need to change the outgoing interface when route change because it is a UDP flow that use default route because is the first available before learn the BGP routes.

Thanks

Hi, We fixed this in our environment by creating a black hole route with 50 weight. So as soon as bgp comes in the BGP routes take preference as it has 20 weight.

Thanks, 

  • 6578 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!