05-23-2017 12:11 PM - edited 05-24-2017 01:57 AM
Hi,
On a new PA-3020 firewall cluster I decided to disable the default setting "Forward segments exceeding TCP content inspection queue". Practically everything was working as it should. But unfortunately the devil is in the details. I had very few connections, especially HTTP downloads, which were causing problems. Sometimes the same download was working, sometimes it was just somewhere between slow and really slow, and sometimes the download was stopping completely.
The following is written in the Palo Alto Best Practices for securing your network from layer 4 and layer 7 evasions:
05-24-2017 03:00 AM
The queue is used to enable ctd to scan across fragmentation, missing or out of order segments. If there are high amounts of these in a session, the queue for that session might get exceeded and the configured action will be taken to clear the queue.
If this happens a lot on valid sessions, it might be good to investigate the cause and try to fix that (for example by enabling TCP MSS adjustment and lowering the MTU).
05-24-2017 05:34 AM
@reaper, is this max queue of 64 per session?
05-24-2017 05:42 AM
yes, each session has an individual queue; so one application may be impacted while another is not, depending on the circumstances
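The queue behaviour reaper describes above (out-of-order segments held per session, a 64-segment limit, and a configured action once it is exceeded), as an added toy model in Python that is not code from this thread or from PAN-OS. It shows how a single lost segment that the sender has not repaired within 64 later segments trips the per-session limit, and how the drop and forward settings differ; QUEUE_LIMIT, MSS, the loss pattern and the exact action taken on exceed are assumptions.

```python
# Toy model of the per-session ctd queue described above (not PAN-OS code).
# Assumption: out-of-order segments are held until the gap is filled; when the
# 65th would be queued, the configured action hits the held segments plus the new one.
from dataclasses import dataclass, field

QUEUE_LIMIT = 64   # per-session limit confirmed in the thread
MSS = 1460         # constructed segment size for the simulated download

@dataclass
class SessionQueue:
    forward_on_exceed: bool          # the "Forward segments exceeding ..." setting
    next_seq: int = 0                # next byte ctd expects to inspect
    held: dict = field(default_factory=dict)  # out-of-order segments, seq -> length
    inspected: int = 0
    dropped: int = 0                 # segments lost to the drop action (peer must retransmit)
    forwarded_uninspected: int = 0   # segments passed through without inspection
    exceed_events: int = 0

    def receive(self, seq: int, length: int) -> None:
        if seq < self.next_seq:
            return                                  # duplicate of already inspected data
        if seq > self.next_seq:                     # out of order: hold it or apply the action
            if len(self.held) >= QUEUE_LIMIT:
                self.exceed_events += 1
                affected = len(self.held) + 1
                if self.forward_on_exceed:
                    self.forwarded_uninspected += affected
                else:
                    self.dropped += affected
                self.held.clear()
            else:
                self.held[seq] = length
            return
        # in-order segment: inspect it, then drain held segments that are now contiguous
        self.inspected += 1
        self.next_seq += length
        while self.next_seq in self.held:
            self.next_seq += self.held.pop(self.next_seq)
            self.inspected += 1

def simulate_loss(lost_index: int, gap: int, forward_on_exceed: bool) -> SessionQueue:
    # Segments 0..lost_index-1 in order, then `gap` later segments (the sender's
    # window keeps moving), then the retransmission of the lost segment.
    q = SessionQueue(forward_on_exceed)
    for i in range(lost_index):
        q.receive(i * MSS, MSS)
    for i in range(lost_index + 1, lost_index + 1 + gap):
        q.receive(i * MSS, MSS)
    q.receive(lost_index * MSS, MSS)  # retransmission arrives last
    return q
```

With gap=20 the retransmission arrives in time and every segment is inspected; with gap=80 the queue overflows once, and in drop mode the 65 affected segments have to be retransmitted by the sender, which is the slow-to-stalled download behaviour the original post describes.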
05-24-2017 07:15 AM
Is there a CLI command to get the current queue length for different sessions?
Let's say the top 10 sessions with the biggest queue?
05-24-2017 07:21 AM
you can check the overall state of CTD
> debug dataplane show ctd memory-state
not sure if you can go as far as to check per session as that's gonna put you in a highly volatile environment
05-24-2017 09:54 AM - edited 05-24-2017 11:46 AM
All right, so I will now do a deep dive into MTU/MSS troubleshooting. It remains a little strange to me (probably because of not enough knowledge about MTU/MSS), but for 1.5 months there were absolutely no complaints from the customer about connection problems. This one download, actually one website where different downloads were provided, was the only problem.
Even this troubleshooting took a while because I wasn't thinking at all that it could be related to this (also because everything else was working).
Because there were no threat logs and no other blocked connections, I did the next test by disabling various settings in the zone protection profile, up to disabling zone protection completely. Without success. So the next step was a "flow basic" debugging, where I saw in the counters that there were ctd_exceed_quque drops. Then it was pretty clear why the download was failing.
So thanks @reaper for pointing me in the right direction for the next steps in the troubleshooting process.