- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-03-2016 03:04 PM - edited 08-03-2016 04:12 PM
We recently installed a new 300/300 circuit and MIS router at my workplace. No IPs have been changed, but since the upgrade we cannot ping internet addresses, and our latency and speed results from speedtest.net are horrific (like 1000+ and less than 1/1 at times.) Strangley, the network isn't crippled, but it should be performing faster than it is.
My question to the PA's pros out there is could our Palo Alto be causing the issue? My boss thinks it is our web proxy since there's been no increase in web traffic throughput, but when I add a rule in the PA to allow my IP to ping, icmp, and tracerout to anywhere I can ping internet addresses again. If i change that rule to allow any traffic from my IP, our speedtest results are as you would expect. Low latency and close to the 300/300.
Neither the proxy nor the firewall is doing any sort of QoS or traffic shaping (that i could find, and i've looked extensively) and we've confirmed with our ISP and LEC no issues on their equipment. I just find it very very odd that we've lost the ability to ping internet addresses since the upgrade, otherwise I'd be looking for a bottleneck. It seems to me like something is blocking traffic, and the network has to search for a different path to get to the destination and back to the source so there's higher latency. The fact that adding in that rule to allow my traffic through the PA makes me wonder if it is something there.
Edit: This is a 2 PA5020 set up in active/passive mode. Another note: during off hours performance is much better. I get speedtests of 30-40ms and 150/150. Still not as good as an IP that's explicitly allowed through the firewall though.
Thanks in advance for any help
08-04-2016 01:00 AM
08-04-2016 01:37 AM
i'd also try to do a packetcapture and see if you are experiencing a lot of fragmentation or 'odd' mss sizes
a couple usefull commands:
> show counter global filter aspect forward > show counter global filter aspect ipfrag > show counter global filter aspect session
08-04-2016 04:01 PM
It turns out Palo Alto can treat speedtest application traffic differently than other 8080 traffic, so I think what was basically happening is the speedtest couldn't connect because it was blocked by the PA and then started trying to use http or https which got mangled by the proxies. It still doesn't explain why I can't ping internet sites all of a sudden, but we're getting closer to the solution. thanks for your replies
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!