07-20-2022 08:35 AM
Hi Folks,
We recently configured an IPSec tunnel between the PA and the Cisco Meraki firewall.
The PA firewall is located in India and the Cisco firewall is located in the USA.
We are trying to upload a file from a Linux host located behind the PA firewall to a server located behind the Cisco firewall using the wget HTTP option from the Linux machine.
While uploading we are getting a speed of only 200 kbps. Our ISP bandwidth is 200 Mbps.
Upon taking the global counters, we could see that the firewall is dropping packets with the counters below:
tcp_drop_packet 2 0 warn tcp pktproc packets dropped because of failure in tcp reassembly
tcp_exceed_flow_seg_limit 2 0 warn tcp resource packets dropped due to the limitation on tcp out-of-order queue size
We changed the MTU on the tunnel interface, but no luck. After allowing the out-of-order TCP packets using the command below, the speed increased a bit.
> config
# set deviceconfig setting tcp bypass-exceed-oo-queue <yes|no>
# commit
https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClWK
Is this an issue with the firewall or an issue with the host?
Thanks in advance.
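Added example (not part of the original post): a small parser that compares two snapshots of the global counter output and reports which non-informational `tcp` counters grew during a test transfer. The first snapshot uses the two rows quoted in the post; the second snapshot, the `example_other_counter` row and the function names are constructed for illustration, and the code assumes the value column is cumulative between the two readings.

```python
import re
from typing import Dict, NamedTuple

class Counter(NamedTuple):
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str

# Row layout: name value rate severity category aspect description (free text)
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse_counters(text: str) -> Dict[str, Counter]:
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header/separator rows lack numeric value and rate, so they are skipped
            name, value, rate, sev, cat, aspect, desc = m.groups()
            counters[name] = Counter(name, int(value), int(rate), sev, cat, aspect, desc)
    return counters

def tcp_drop_growth(before: str, after: str) -> Dict[str, int]:
    """Return {counter name: increase} for tcp counters above 'info' severity."""
    old, new = parse_counters(before), parse_counters(after)
    growth = {}
    for name, c in new.items():
        if c.category != "tcp" or c.severity == "info":
            continue
        delta = c.value - (old[name].value if name in old else 0)
        if delta > 0:
            growth[name] = delta
    return growth

# Snapshot before the upload: the two rows quoted in the post, plus a header row.
BEFORE = """name value rate severity category aspect description
tcp_drop_packet 2 0 warn tcp pktproc packets dropped because of failure in tcp reassembly
tcp_exceed_flow_seg_limit 2 0 warn tcp resource packets dropped due to the limitation on tcp out-of-order queue size
"""
# Snapshot after the upload: values constructed for this example.
AFTER = """name value rate severity category aspect description
tcp_drop_packet 41 3 warn tcp pktproc packets dropped because of failure in tcp reassembly
tcp_exceed_flow_seg_limit 39 3 warn tcp resource packets dropped due to the limitation on tcp out-of-order queue size
example_other_counter 500 10 info flow pktproc constructed placeholder row
"""

if __name__ == "__main__":
    for name, delta in tcp_drop_growth(BEFORE, AFTER).items():
        print(f"{name}: +{delta}")
```

If both counters climb together during a transfer, the drops track the out-of-order queue limit rather than unrelated TCP errors.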
07-20-2022 11:07 AM
Hello,
Was the MTU changed on both sides of the tunnel?
Regards,
07-20-2022 10:54 PM
Hi @OtakarKlier
Yes, we tried to ping the server on the peer end with the do-not-fragment bit enabled and configured the supported MTU value on both sides of the tunnel interfaces.
07-21-2022 03:23 PM
How stable of a connection do you have between sites outside of the tunnel? If you're getting so many out-of-order packets that it's causing issues and the MTU is correct, are you experiencing a larger amount of packet loss between the two nodes themselves?
08-23-2022 02:07 AM
Hi Folks,
We have only two ISPs, each with 100 Mbps bandwidth. We are using only one ISP interface as primary. Upon checking the command below, we identified that the throughput is measuring up to 130-150 Mbps.
> show system statistics session
After load-balancing the traffic between the two ISPs, the upload/download speed via the tunnel interface increased.