
PAN-OS 8.1.0 SMB Issues


L5 Sessionator

Hello all,

 

Please be advised, there is a current issue with PAN-OS 8.1 which seems to break anything SMB related, e.g. mapped network drives. Sessions have an end reason of "resources-unavailable" and go into state "Discard" in the session table.

 

Upon speaking with a TAC engineer, this is a known issue and they are working towards a fix.

 

Edit: This is now resolved in PAN-OS 8.1.1 under BugID:

 

PAN-94445
Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason resources-unavailable

 

Thanks,

Luke.
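The symptom described in this post can be checked for in exported traffic logs. The following is an added example, not part of the original post or any Palo Alto Networks tooling: it counts tcp/445 sessions per firewall and flags devices where most ended with `resources-unavailable`. The CSV column names, the device names and the 50% threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a traffic-log CSV export (column names are assumed).
SAMPLE_CSV = """\
Device Name,Source address,Destination address,Destination Port,IP Protocol,Application,Session End Reason
fw-a,10.0.0.5,10.0.1.10,445,tcp,ms-ds-smb,resources-unavailable
fw-a,10.0.0.6,10.0.1.10,445,tcp,ms-ds-smb,resources-unavailable
fw-a,10.0.0.7,10.0.1.11,445,tcp,ms-ds-smb,resources-unavailable
fw-a,10.0.0.8,10.0.1.11,445,tcp,ms-ds-smb,tcp-fin
fw-a,10.0.0.5,192.0.2.20,443,tcp,ssl,resources-unavailable
fw-b,10.2.0.5,10.2.1.10,445,tcp,ms-ds-smb,tcp-fin
fw-b,10.2.0.6,10.2.1.10,445,tcp,ms-ds-smb,tcp-fin
"""


def smb_discard_summary(csv_text, threshold=0.5):
    """Return per-device SMB session counts and the share that ended
    with 'resources-unavailable'. Matching is by protocol and port, not
    by the Application column, so it still works once an application
    override has renamed the traffic to a custom application."""
    total, failed = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IP Protocol"].strip().lower() != "tcp":
            continue
        if row["Destination Port"].strip() != "445":
            continue
        device = row["Device Name"].strip()
        total[device] += 1
        if row["Session End Reason"].strip().lower() == "resources-unavailable":
            failed[device] += 1
    summary = {}
    for device, count in total.items():
        ratio = failed[device] / count
        summary[device] = {
            "smb_sessions": count,
            "resources_unavailable": failed[device],
            "ratio": ratio,
            "suspect": ratio >= threshold,  # assumed cut-off, tune per site
        }
    return summary


if __name__ == "__main__":
    for device, stats in sorted(smb_discard_summary(SAMPLE_CSV).items()):
        print(device, stats)
```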

 


L3 Networker

TAC suggests creating an application override policy as a workaround or downgrading to an 8.0.X PAN-OS version.

 

Jacopo

Did you try the Application Override or did you downgrade?

Application Override does the trick.

I didn't have time to mess around on Sunday when this was discovered, so we downgraded.  Thankfully that went smoothly.

L0 Member

Thanks for the info, I was just about to deploy 8.1 to one firewall 🙂

Ended up doing a downgrade too, went back to 8.0.8. I so wanted the hit counter 😞

 

Does anyone know if there is an Issue ID for this problem?

L0 Member
We did the downgrade also. Waiting to resolve the issue

L1 Bithead

We just had a day's outage due to this issue.  Palo Alto *really* should have pulled the update and warned people who have installed it.

L1 Bithead

So far I've had no issues with 8.1 and PA-220, not that much traffic passing through it though...

On a couple of PA-850 the only option was to do a downgrade, no SMB traffic worked as intended.

 

Could it be related to certain hardware platforms? What platforms have you experienced problems on?

We have two 3050s in HA configuration.

We have a pair of PA-5060s, and were seriously affected.  Everyone using SMB was unable to do any work for 8 hours. 

Re: Application Override to resolve PAN OS 8.1.0 SMB Issues

 

Does this apply to environments where the Palo Alto firewall provides routing to the local LAN and IPSEC tunnels to remote LANs on internal trusted interfaces where no Security or NAT policies are programmed?

 

If so, which applications need to be overridden to work-around this bug?

 

This is a devastating issue when it occurs.

 

Our work-around has been to switch the active and passive roles of 2 PA-500 firewalls to reset the routing. This restores LAN and IPSEC tunnel routing for SMB but only works until the problem returns.

The problem should be fixed with 8.1.1 which is scheduled to be released by the end of April. The issue ID is PAN-93016.

 

Thanks.

Jacopo

L1 Bithead

We ran into this issue as well.  I'm really surprised this wasn't noticed during testing.  Creating the application override solved the problem.
