Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Issue after Internet Upgrade

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Issue after Internet Upgrade

L0 Member

We recently installed a new 300/300 circuit and MIS router at my workplace.  No IPs have been changed, but since the upgrade we cannot ping internet addresses, and our latency and speed results from speedtest.net are horrific (like 1000+ and less than 1/1 at times.)  Strangley, the network isn't crippled, but it should be performing faster than it is.

 

My question to the PA's pros out there is could our Palo Alto be causing the issue?  My boss thinks it is our web proxy since there's been no increase in web traffic throughput, but when I add a rule in the PA to allow my IP to ping, icmp, and tracerout to anywhere I can ping internet addresses again.  If i change that rule to allow any traffic from my IP, our speedtest results are as you would expect.  Low latency and close to the 300/300.

 

Neither the proxy nor the firewall is doing any sort of QoS or traffic shaping (that i could find, and i've looked extensively) and we've confirmed with our ISP and LEC no issues on their equipment.  I just find it very very odd that we've lost the ability to ping internet addresses since the upgrade, otherwise I'd be looking for a bottleneck.  It seems to me like something is blocking traffic, and the network has to search for a different path to get to the destination and back to the source so there's higher latency.  The fact that adding in that rule to allow my traffic through the PA makes me wonder if it is something there.

 

Edit:  This is a 2 PA5020 set up in active/passive mode.  Another note:  during off hours performance is much better.  I get speedtests of 30-40ms and 150/150.  Still not as good as an IP that's explicitly allowed through the firewall though.

 

Thanks in advance for any help

3 REPLIES 3

L3 Networker
Are the physical links between the firewall and the ISP router ok? (speed, errors, etc.) Did you try to ping an external host from the firewall CLI? What about the ping time with the first external host (you'll probably have a point to point link from the external interface on the firewall and your ISP router)? Is there any policy based forwarding in place which might need to be adapted for the new ISP? Any dynamic routing outside the firewall?

...just what I'd check, on top of my mind.

i'd also try to do a packetcapture and see if you are experiencing a lot of fragmentation or 'odd' mss sizes

 

a couple usefull commands:

 

> show counter global filter aspect forward
> show counter global filter aspect ipfrag
> show counter global filter aspect session
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

It turns out Palo Alto can treat speedtest application traffic differently than other 8080 traffic, so I think what was basically happening is the speedtest couldn't connect because it was blocked by the PA and then started trying to use http or https which got mangled by the proxies.  It still doesn't explain why I can't ping internet sites all of a sudden, but we're getting closer to the solution.  thanks for your replies

  • 2329 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!