NFS sessions undecided after fail-over


L4 Transporter

Situation:

NFS Client src:828 dst: 2049 --> PAN 7050 HA Cluster --> NFS Server (NFS Session is up and connected without issue)

 

Palo Alto cluster fail-over occurs (upgrade/issue - doesn't matter)

 

NFS Client src:828 dst:2049 --> PAN (Session is marked as "undecided" and dropping the SYN packets)

The timer continues to reset on the session on PAN since the client continues to send SYN packets, which are dropped. This keeps the session open until the session is manually cleared by engineers on the PAN cluster.

 

Is anyone else experiencing this? We haven't seen this occur on any other apps except NFS and seemed to start around 8.1.7.
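The symptom described in this post, expressed as a check over packet records; this is an added example, not code from the thread or from Palo Alto. The record layout, addresses, function name and the `idle_timeout` value are assumptions; only ports 828 and 2049 come from the post.

```python
from collections import defaultdict

NFS_PORT = 2049

def stuck_nfs_flows(packets, idle_timeout=30.0, min_syns=3):
    """Flag client->NFS flows whose SYNs are never answered but never stop.

    packets: (ts, src, sport, dst, dport, flags) tuples; flags "S" or "SA".
    idle_timeout: ASSUMED firewall idle timer in seconds (not a PAN-OS default).
    """
    syn_times = defaultdict(list)
    answered = set()
    for ts, src, sport, dst, dport, flags in packets:
        if dport == NFS_PORT and flags == "S":
            syn_times[(src, sport, dst, dport)].append(ts)
        elif sport == NFS_PORT and flags == "SA":
            # A SYN-ACK from the server answers the reversed 4-tuple.
            answered.add((dst, dport, src, sport))
    stuck = []
    for flow, times in syn_times.items():
        if flow in answered or len(times) < min_syns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # Each retry lands before the idle timer expires, so the timer keeps
        # resetting and the session entry never ages out on its own.
        if max(gaps) < idle_timeout:
            stuck.append(flow)
    return stuck

SERVER = "10.0.1.9"  # constructed address
SAMPLE = [  # constructed packet records, not a real capture
    (0.0, "10.0.0.5", 828, SERVER, NFS_PORT, "S"),   # same source port reused
    (1.0, "10.0.0.5", 828, SERVER, NFS_PORT, "S"),
    (3.0, "10.0.0.5", 828, SERVER, NFS_PORT, "S"),
    (7.0, "10.0.0.5", 828, SERVER, NFS_PORT, "S"),
    (15.0, "10.0.0.5", 828, SERVER, NFS_PORT, "S"),
    (0.5, "10.0.0.6", 901, SERVER, NFS_PORT, "S"),   # healthy handshake
    (0.6, SERVER, NFS_PORT, "10.0.0.6", 901, "SA"),
    (0.0, "10.0.0.7", 777, SERVER, NFS_PORT, "S"),   # retries slower than timer
    (40.0, "10.0.0.7", 777, SERVER, NFS_PORT, "S"),
    (80.0, "10.0.0.7", 777, SERVER, NFS_PORT, "S"),
]

if __name__ == "__main__":
    for flow in stuck_nfs_flows(SAMPLE):
        print("unanswered SYNs keep session alive:", flow)
```
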

 


L1 Bithead

I am having the same issue with a PA-5220 and the latest available version, PAN-OS 9.1.10.

Yeah, experiencing the same issue. Did you get the root cause?

 

Dinesh

L1 Bithead

Hello guys

 

Did you resolve this issue? I have experienced the same situation and apparently we have a problem with NFS reusing sessions; it seems to be a native function on recent Linux distros, as the following article says:

 

https://www.suse.com/support/kb/doc/?id=000019722

 

On PAN-OS, what can I do? Would the only option be an App-Override?

The only way we were able to resolve this was through a custom app / app-override policy. This allowed us to artificially adjust the timers on the sessions for this particular traffic.

Here it is almost 4 years later and no change except a work-around. I had mentioned the idea of an FR to have the NFS signature updated to accommodate this Linux change, but no success has been seen yet.

I agree with you,

 

Palo Alto has bad performance with chatty protocols such as NFS. In the past I ran benchmarks with an NFS app-override, which gave the best performance, but this shouldn't be the right way. I am hoping for better recognition of chatty protocols by Palo Alto.

 

Kind regards, Jorge Goya.

Hey Gun-Slinger, we are running into the same issue on our 3220, which just got upgraded from 9.1.13h1 to 10.1.9-h1. Can you share the details of the custom App-ID?

Hey @PktBlocker, sure, see below

GunSlinger_0-1687537632192.png 

GunSlinger_1-1687537642592.png

GunSlinger_4-1687537772290.png

 

GunSlinger_3-1687537671465.png

 

 
