I've been researching this for a while now and I've also opened a case on the issue. Basically we just moved off of our Cisco ASA platform and on to our Palo Alto and I've run into a snag with gaming devices. We're a university with quite a few on-campus students and they understandably want to be able to use their entertainment devices on the network. This all seemed to work fine with the ASA... each building had a single public IP address for NAT and the ASA used Port Address Translation and the gaming devices showed they were behind a "Type 2" or "Moderate" NAT.
My new config is an Active/Active deployment and I've set up four public IP addresses for each building using DIPP. Gaming devices, as well as some PC game and voice applications, now show they're behind a "Type 3" or "Strict" NAT. Certain game and voice functionality will not work in this environment.
I know Palo Alto's first suggestion is Static NAT which is a bit problematic when we're talking about hundreds of devices. Sure, it's possible but it's a bit of a management headache. I'd love to just give them all public IPs and move away from NAT but we simply don't have enough IPv4.
I'm curious how others have resolved this?
you might want to give dynamic IP a shot (sans port)
this method maintains the original source port of the client, which comes in handy with gaming consoles
it may be a bit more demanding on your pool, but if you have 4 IPs that should help (you can always oversubscribe a little AND there's a DIPP backup) : Tutorial: Network Address Translation
can I ask for the reason Active/Active is being used? (it's only really good to 'fix' asymmetric routing, for all other scenarios it usually simply decreases capacity and increases complexity)
Having set up housing networks with PA devices, I've always set up different floors with one public IP address apiece (obviously this would need to be modified to fit what you are allocated) and then set them up with a dynamic-ip-and-port policy to match their network range. This would be even easier if you do things on a per-building basis like you are, and I've never run into any issues with it at all.
I would be curious to know why an active/active configuration was used as well; some people, when moving from an existing ASA active/active configuration, just keep the same basic setup, even when it doesn't really make sense from a Palo Alto perspective. I would investigate if you actually need to be doing this; more than likely you don't and would benefit the same from an active/passive configuration.
Thanks for the reply so far guys.
The active/active deployment was originally chosen by our previous network admin and I continued on the deployment after they left. We have dual-homed 10gig connectivity from our provider and our traffic can take either connection going out depending on the route. We're not using even a single full 10gig connection yet so it probably doesn't really matter at this time, but the idea was to have the capacity for the full 20gig use if needed down the line. Of course if we have a failed piece of hardware at some point it may result in degraded service, but probably only if we're utilizing over 10gig of bandwidth at that time. So far everything seems OK with the deployment, other than that the way I'm currently advertising our NAT IP addresses is just an OSPF export rule facing our edge router, so each firewall sees a route to the other one. This hasn't seemed to affect incoming traffic though.
I've been testing with my PS4 and, so far, the only way I've gotten a Type 2 is to set its NAT to a Dynamic IP pool. The DIPP pool gives it Type 3 Strict every time. The current rule I'm testing is a reserved DHCP address for the PS4 and it is NATed with a DIPP pool of a single public IP. Even with this I'm getting Type 3.
BPry, if you've gotten this to work with DIPP is the thought that it might be something to do with the Active/Active? My DIPP NAT rules are configured with the same 4 IP addresses for each PAN box for complete failover (i.e. no dropped incoming packets in case of a single firewall outage since both firewalls have the same NAT rules with all of the 4 IPs per building).
I've been thinking that our UDP session timeout on the ASA was modified to be much longer than the default on the PAN boxes (30 seconds), or that perhaps Cisco's implementation of PAT was a bit more sticky as far as what ports each device got each time it established a new session.
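The difference between the "dynamic IP" suggestion a few posts up (translate the address, keep the client's source port) and the DIPP results reported above can be seen with a small model of how a console decides its NAT type. Consoles probe in a STUN-like way: one local socket talks to two different external servers and compares the public address:port each server saw. A mapping that is the same regardless of destination tests as "Moderate" (Type 2); one that changes per destination tests as "Strict" (Type 3); no translation at all is "Open" (Type 1). The code below is an added illustration, not anything from the thread or from Palo Alto Networks: the `dipp` behaviour (a fresh translated port for every new session) is a deliberate simplification used to show the contrast, not a description of PAN-OS internals, and all addresses and the port 3074 are constructed sample values. It also shows the pool-sizing cost mentioned above: with port-preserving translation, each active host needs its own public IP.

```python
"""Toy model: why port-preserving NAT tests as a less restrictive NAT type.

Added example, not code from the forum thread. The 'dipp' mode here is a
simplified model (new translated port per session), not PAN-OS's allocator.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Nat:
    mode: str                      # "none", "dynamic-ip" or "dipp"
    pool: list                     # public IPs available for translation
    table: dict = field(default_factory=dict)
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    next_port: int = 1024

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (public_ip, public_port) the destination will see."""
        if self.mode == "none":
            # Public client, no NAT in the path.
            return src_ip, src_port
        if self.mode == "dynamic-ip":
            # One public IP per internal host; original source port is kept,
            # so every destination sees the same mapping (endpoint-independent).
            if src_ip not in self.table:
                if len(self.table) >= len(self.pool):
                    raise RuntimeError("dynamic-ip pool exhausted")
                self.table[src_ip] = self.pool[len(self.table)]
            return self.table[src_ip], src_port
        if self.mode == "dipp":
            # Model: each new session (5-tuple) gets its own translated port,
            # so two destinations see two different public mappings.
            key = (src_ip, src_port, dst_ip, dst_port)
            if key not in self.table:
                pub_ip = self.rng.choice(self.pool)
                self.table[key] = (pub_ip, self.next_port)
                self.next_port += 1
            return self.table[key]
        raise ValueError(f"unknown NAT mode {self.mode!r}")


# Constructed sample values: a private console address, the port Xbox Live
# uses (3074), and two documentation-range "STUN" servers.
CONSOLE_IP = "10.20.30.40"
CONSOLE_PORT = 3074
PROBE_SERVERS = (("198.51.100.10", 3478), ("198.51.100.11", 3478))
PUBLIC_POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]


def nat_type_test(nat, client_ip=CONSOLE_IP, client_port=CONSOLE_PORT):
    """Classify the NAT the way a console's connection test roughly does."""
    seen = {nat.translate(client_ip, client_port, sip, sport)
            for sip, sport in PROBE_SERVERS}
    if len(seen) > 1:
        return "Strict"        # Type 3: mapping depends on the destination
    (pub_ip, pub_port), = seen
    if (pub_ip, pub_port) == (client_ip, client_port):
        return "Open"          # Type 1: no translation at all
    return "Moderate"          # Type 2: consistent mapping behind NAT


def hosts_translated(nat, n_hosts):
    """How many of n_hosts distinct internal hosts get a mapping before the
    pool runs out (shows the pool cost of port-preserving translation)."""
    count = 0
    for i in range(n_hosts):
        try:
            nat.translate(f"10.20.30.{100 + i}", CONSOLE_PORT, *PROBE_SERVERS[0])
            count += 1
        except RuntimeError:
            break
    return count


if __name__ == "__main__":
    for mode in ("none", "dynamic-ip", "dipp"):
        print(f"{mode:11s} -> {nat_type_test(Nat(mode, PUBLIC_POOL))}")
    print("dynamic-ip hosts mapped with a 4-IP pool, 6 hosts active:",
          hosts_translated(Nat('dynamic-ip', PUBLIC_POOL), 6))
```

The model reproduces the thread's observations: `dynamic-ip` tests as Moderate, `dipp` as Strict, and a directly addressed client as Open. It also makes the trade-off concrete: with four public IPs, the fifth simultaneously active host on a dynamic-ip rule gets no mapping unless a DIPP fallback rule catches it, which is the "oversubscribe a little AND there's a DIPP backup" point above.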
I don't believe this is a UDP timeout problem... this is likely an Application-Layer Gateway issue. In order to escape from the most restrictive NAT modes, most gaming consoles require that the NAT device support UPNP or be configured with static NAT.
The main problem is that UPNP is an extremely insecure protocol and is not supported today by Palo Alto Networks firewalls. This is a good thing(tm), generally speaking, as the environment is more secure... but can be somewhat problematic for users in your type of environment.
Have you had this problem with XBox? My understanding is that Palo Alto Networks modified the "teredo" App-ID (which is required for the XBox-Live App-ID to function properly) and added an Application-Layer Gateway (ALG) with the goal of making XBox-Live compatible with DIPP NAT.
If XBox is working in moderate-NAT mode using standard DIPP NAT, then I'd open a feature request and/or Application request to have them do something similar for the Playstation-Network App-ID signature.
So far we've gotten complaints for XBox, PS4, and some gaming applications/platforms on PC. I'd have to look to see if we've gotten any tickets for Nintendo platforms.
Completely agree about UPNP, but I'm pretty certain the Cisco ASA 5580 we previously had deployed didn't support UPNP either (it would be very strange if it had). While I had not personally tested a gaming platform on campus beforehand, the complaints only started after we deployed the Palo Alto.
I'll make sure we get our hands on an XBox so we can test internally with that as well.
@BPry Yesterday when I was working on it (i.e. playing a game... sometimes I love my job) I had the session browser open on one of the firewalls and I saw active sessions for SIP and some other protocols. Since we just put this thing in place I'm still learning now that we have real traffic passing through and I'm relying on my training course I took a year ago.
@jvalentine I'm going to have someone look into this today. I know we've gotten complaints about Strict NAT on the XBox Live App but that is actually running on a PC. I just browsed the tickets I have and most of them for XBox are talking about disconnects during online games (which may or may not be related) and I haven't found one that specifically mentions the NAT type.
@jvalentine I received a few reports back today from Xbox One users and, apparently, their devices are actually showing Type 1 Open NAT which surprised me. If you're correct and there is an ALG in effect then the issue I've been describing may be related only to the XBox Live PC application, various PC games and game platforms that utilize voice chat, and the PS4 consoles.
Apparently the tickets I've been getting for XBox consoles are about getting disconnected from games and party chat... still might be a NAT problem or perhaps a session timeout. I'm trying to get ahold of an XBox One to continue testing and I'll be sure to try to find the session state information for the PS4 tomorrow.