I have the following scenario: a pair of PA 5220 (running pan os 8.1.10) in an ACTIVE / ACTIVE Setup (session owner 1st Packter - session setup 1st Packet) -We have been running Active / Active since roughtly 2 Years now without any significant problems.
However tftp (PXE Boot) session in an asymmetric scenario do not get properly synched (first packet flows through the Primary Firewall; reply (due to our routing setup) flows back via the secondary FW unit - the session which was initiated by going through the Primary FIrewall is no where to be seen on the Secondary Firewall). TCP traffic (also asymmetric) via both Primary and Secondary Firewall works without any issue.
I was wondering if this is a known issue / limitation or if I have some sort of misconfiguration on our side.
Any suggestion would be greatly appreciated.
I can provide additional infos / schematics if needed.
Thanks in advance
Just seeking confirmation on session setup.
IP Modulo, IP Hash, or Primary Device.
(Definitely do NOT recommend primary device...)
So when you wrote "(session owner 1st Packter - session setup 1st Packet) ", I am looking to determine what you have.
If you truly have Primary Device for Session Setup, then this explains why you are not seeing a session in the Secondary-Active FW.
Please confirm and advise.
thank you for your Feedback.
As I wrote, we are currently using "First Packet" for both Session Owner as well as Session Setup.
Do you believe the Problem that we are seeing with tftp is due to this ?
Please note that we haven't seen so far such issues in our asymmetric Routing Scenario with other traffic / application types (mostly TCP based) ...
If an Active/Active FW is setup with Session Owner AND Session Setup as 1st packet, then this is very comparable to a traditional Active/Passive setup where the ACTIVE FW is responsible for establishing the slowpath (session setup) and fastpath (security analysis) of a flow through the FW.
TFTP is a UDP protocol, so there is no reason why the 2nd FW would see any packets from the 1st FW (in the original post, this was due to the routing. With TCP, it is a connection-oriented protocol, yet with UDP, it is "spray and pray". So, if the session has not been fully setup on the 1st FW, then the 2nd FW will not see the session. It is best to probably use a TCP client for tftp is needed.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!