03-15-2018 01:21 PM - edited 05-03-2018 07:34 AM
Hello all,
Please be advised, there is a current issue with PAN-OS 8.1 which seems to break anything SMB related, e.g. mapped network drives. Sessions have an end reason of "resources-unavailable" and go into state "Discard" in the session table.
Upon speaking with a TAC engineer, this is a known issue and they are working towards a fix.
Edit: This is now resolved in PAN-OS 8.1.1 under BugID:
PAN-94445: Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason resources-unavailable.
Thanks,
Luke.
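A way to check whether a firewall is showing the symptom described in the post above, added here as an example and not part of the original thread or any Palo Alto tooling: it buckets SMB sessions (TCP 139/445) by hour from a traffic-log export and flags hours where most of them ended with "resources-unavailable". The CSV column names and the sample rows are constructed assumptions; map them to the fields of your own export.

```python
import csv
import io
from collections import defaultdict

SMB_PORTS = {"139", "445"}
END_REASON = "resources-unavailable"  # end reason quoted in the post

# Constructed sample data; column names are assumptions, not a PAN-OS export format.
SAMPLE = """\
receive_time,src,dst,dport,session_end_reason
2018/03/15 09:01:12,10.1.1.20,10.1.2.5,445,tcp-fin
2018/03/15 09:14:03,10.1.1.21,10.1.2.5,445,tcp-fin
2018/03/15 09:40:55,10.1.1.22,10.1.2.5,139,aged-out
2018/03/15 13:02:10,10.1.1.20,10.1.2.5,445,resources-unavailable
2018/03/15 13:05:40,10.1.1.21,10.1.2.5,445,resources-unavailable
2018/03/15 13:09:02,10.1.1.20,10.1.2.5,445,resources-unavailable
2018/03/15 13:30:00,10.1.1.23,10.1.2.5,445,tcp-fin
2018/03/15 13:31:00,10.1.1.20,10.9.9.9,443,resources-unavailable
2018/03/15 14:00:00,10.1.1.20,10.1.2.5,445,resources-unavailable
"""


def smb_failure_windows(csv_text, min_sessions=3, min_ratio=0.5):
    """Return {hour: stats} for hours where SMB sessions mostly hit END_REASON."""
    total = defaultdict(int)
    failed = defaultdict(int)
    pairs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["dport"] not in SMB_PORTS:
            continue  # ignore non-SMB traffic, whatever its end reason
        hour = row["receive_time"][:13]  # "YYYY/MM/DD HH"
        total[hour] += 1
        if row["session_end_reason"] == END_REASON:
            failed[hour] += 1
            pairs[hour].add((row["src"], row["dst"]))
    report = {}
    for hour in sorted(total):
        n, f = total[hour], failed[hour]
        # Require a minimum sample so one stray session does not flag an hour.
        if n >= min_sessions and f / n >= min_ratio:
            report[hour] = {"failed": f, "total": n, "pairs": sorted(pairs[hour])}
    return report


if __name__ == "__main__":
    for hour, info in smb_failure_windows(SAMPLE).items():
        print(hour, info)
```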
04-02-2018 11:57 AM
It was noticed during testing and we all pretty much chopped it up to the SMBv3 improvements that allow additional threat detection and file identification capabilities that were added into 8.1. I think we were all just under the impression that it wasn't something that would make it into the actual release.
04-02-2018 11:58 AM
I agree. SMB is a core service and breaking it is a show-stopper. We use our firewalls as our LAN routers, and this issue resulted in intermittent collapse of SMB across our LAN subnets and across our IPSEC tunnels, totally disrupting our network operations. We discovered that we could temporarily "reset" SMB by forcing an active-passive firewall failover. SMB would work again for a few days until the next recurrence.
We did the application-override but it was useless since we do not apply any policies on our internal routing (intrazone).
When we learned that there wasn't going to be a hot fix and that the next version of PAN-OS 8.1.1 would not be until the end of April, we decided to roll back all of our firewalls to 8.0.8.
It was also surprising that Palo Alto did not bother to respond to our ticket on this issue.
04-03-2018 03:34 AM
I hope this issue has caused an internal investigation to be opened into how a critical bug made it into a GA release, so hopefully it will never happen again.
04-10-2018 11:12 AM
Is there a sample of how y'all did the App-override and made it work?
04-10-2018 11:24 AM
This is what we tried, but it didn't work since our issues were with the Virtual Router for internal routing.
SMB Application Override
Policies / Application Override
  Add
    General
      Name: SMB L7 Inspect Exclude
      Description: To improve SMB performance, Layer 7 inspection is excluded.
    Source
      Source Zone: L3-trust
      Source Address: Any
    Destination
      Destination Zone: L3-trust
      Destination Address: Any
    Protocol/Application
      Protocol: TCP
      Port: 445,139
      Application: ms-ds-smb
04-10-2018 11:37 AM
Thanks for the reply. I was hoping there was a way to avoid having to do 2 override policies. Ugh. Glad PA was asleep at the wheel on this one.
04-10-2018 11:47 AM
Our experience (which we have shared with Palo Alto tech support) is that the SMB issue is in the Virtual Router itself separate from the policy applications. For us it would run normally for days until something would be triggered that killed routing of SMB on our internal LAN (no policies are applied, so there really is nothing to override). The simplest way we found to restore routing was to suspend the active firewall (triggering a failover to the passive firewall in our HA active/passive configuration). We could then make the first firewall functional again and everything would work normally until the next intermittent SMB failure.
In the absence of a hotfix, we rolled back to 8.0.8.
We had tried the application override trusting guidance from Palo Alto, but it has no effect on the virtual router problem.
04-11-2018 09:52 AM
For anyone who cares: The application override did address the issue for us. In our case it was a straight firewalling issue over an IPSEC tunnel. So we never had the abovementioned issues with the Virtual router.
I did put in a call to PA TAC, to make sure I got the App Override put in there properly (I haven't done a lot of that). When I spoke to the TAC representative about the general bugginess of 8.1.0 the response was effectively "it's your own fault for installing firmware that we released to you." Which was comforting.
Nothing like "Let's get the plane in the sky and try to fix it before it hits the ground"
04-19-2018 09:15 AM
I also had this issue. I resolved the issue by first creating a custom application then creating an application override using the custom application.
04-23-2018 06:49 AM
Ran into the same problem, creating an application override solved the problem.
Policies > Application Override
  Source: Clients
  Destination: File Server
  Protocol/Application
    Protocol/Port: TCP 139, 445
    Application: ms-ds-smbv3
Software Version: 8.1.0
VM License: VM-100
05-02-2018 08:16 AM
I experienced this issue as well with a pair of 3050's in HA. It's unacceptable Palo Alto would not notify its customers of the issue.
05-02-2018 01:34 PM
Based on PAN code quality trends over 7.0, 7.1, and 8.0, I have been waiting for PAN TAC to recommend an image for production use before trying it anywhere outside the lab. That has been usually around X.X.5 or X.X.6. Even then, tread with significant caution when deploying.
As folks have found out, using X.X.uhoh (X.X.0) releases outside a test environment is just begging for trouble.
Save your sanity and remaining hair. Wait for TAC recommended images.
05-02-2018 01:34 PM
8.1.1 is now available and includes the fix for this issue (among many others). Someone play with it and report back 😉
05-02-2018 01:36 PM
There are 7 pages of "Addressed Issues". Talk about a mess.
05-02-2018 11:53 PM
PAN-94445: Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason resources-unavailable.