Palo Alto Decryption "Out of firewall resources: memory"

L2 Linker

Hello,

Wondering if anyone has encountered the error in the subject line under Decryption logs? We seem to be experiencing an "outage" with outbound traffic (web pages don't load, slow internet, etc.). Here are some recent changes:

 

  • We migrated over from PA3220 to PA3420s
  • We migrated from PA3220 10.1.x to 10.2.4-h3 on the PA3420s
  • Both firewalls were managed by Panorama, so we just added them to the same Device Group (same security policies) and we cloned the Templates and made some slight modifications, mostly just verbiage
  • One thing to note: we enabled jumbo frames on the PA3420s but we did not set the MTU on all interfaces. Recently we did set all interfaces to 1500 MTU, but the issue still persists

 

The main issue is we see in the decryption logs "Out of firewall resources: memory" and all network traffic outbound to the internet is slow or unresponsive. 

 

Wondering if anyone has experienced similar issues?

Cyber Elite

@AlbertHernandez,

This would indicate a system resource issue, but you said that you've set MTU back to 1500 across the board, correct? Offhand, there's not a single metric that you should see decreased on the PA-3420 compared to your PA-3220 that you swapped out, so this shouldn't be an issue unless you've also pulled more traffic onto the box.

Outside of looking at system resources and seeing if you don't have something consuming an abnormal amount of resources, I'd try just tossing a restart at things if you haven't already.

 

Outside of that I really have to ask, why are you deploying a new piece of hardware with an outdated version of PAN-OS? 10.2.6 is the preferred release and that's what I would recommend installing on newly deployed hardware. I'd start planning to apply the update regardless of encountering any sort of issue that you're presently having, but TAC will likely have you upgrade anyway. 
