Does anybody know if existing sessions can be updated when there is a routing table change, or if there is a way to clear sessions? I'm hoping for something analagous to the Session Rematch feature when policies change.
My problem is that I have an existing session that becomes hung when the routing table changes. The routing table updates when our primary link goes down so traffic will follow the backup link. New sessions work properly, but the existing sessions do not.
I believe part of my issue is that I have a particular session that is UDP, and always uses the same source and destination ports. This means any new traffic continues to match the existing session. Further compounding the problem is that this is SIP traffic, so the session timeout is 60 minutes.
> Clearing session will clear out everything and the new session will use the other active gateway
> A feature called TCP midstream-connection-pickup would have helped your situation but I don't believe that on Paloalto we have that feature, Once I saw this feature on Cyberoam firewall (again a linux based OS)
> I think with root access this can be done, but again I am presuming
Have you verified that firewall stops passing traffic towards new route (take packet capture for example)?
Maybe application at destination does not map changed source IP to existing session.
You can't just suddenly change endpoint ip's without application level to be aware of that.
Thanks for the replies.
Clearing the session did fix the issue. I was hoping to find a way to make this automatic.
For confirmation, the PaloAlto at the other end of the backup link did not have a session for the traffic. This leads me to believe the traffic never reaches the destination after the route change. The source and destination IPs do not change.
From reviewing documentation, because the source IP, destination IP, source port, destination port, protocol, and ingress interface do not change the session stays in the Fastpath and forwarding lookup never reoccurs.
Have you configured the same zone on both outgoing interfaces? If not the firewall will drop the packets
The firewall session's table is based among other things on source and destination zones (not physical interfaces) if the destination zone changed the packets will be dropped (as it broke the ecisting session). There is a Global counter for it but I don't remember it at the top of my head (something lime pkt_flow_zone_change)
You can check the global counters and see if the packets are being dropped.
Before and after the issue,
> show counter global filter delta yes | match drop
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!