PAN-OS 8.1.0 SMB Issues



L5 Sessionator

Hello all,

Please be advised, there is a current issue with PAN-OS 8.1 which seems to break anything SMB related, e.g. mapped network drives. Sessions have an end reason of "resources-unavailable" and go into state "Discard" in the session table.

Upon speaking with a TAC engineer, this is a known issue and they are working towards a fix.

Edit: This is now resolved in PAN-OS 8.1.1 under BugID:

PAN-94445
Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason resources-unavailable

Thanks,

Luke.
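For anyone wanting to confirm from logs whether a firewall is hitting this behaviour, the following added example (not part of the original post) scores SMB sessions that ended with `resources-unavailable` against everything else in an exported traffic log. The CSV rows and column names are constructed for the example; only the `application`, `dst` and `session_end_reason` columns are used.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of traffic-log rows as exported to CSV.
# Column names are assumed for this example, not taken from a real export.
SAMPLE_TRAFFIC_CSV = """\
receive_time,src,dst,application,action,session_end_reason
2018/04/02 09:01:10,10.1.10.21,10.1.20.5,ms-ds-smb,allow,resources-unavailable
2018/04/02 09:01:12,10.1.10.22,10.1.20.5,ms-ds-smb,allow,resources-unavailable
2018/04/02 09:01:15,10.1.10.23,10.1.20.5,ms-ds-smbv3,allow,resources-unavailable
2018/04/02 09:01:20,10.1.10.21,10.1.20.5,ms-ds-smb,allow,tcp-fin
2018/04/02 09:01:22,10.1.10.30,10.1.20.9,ssl,allow,tcp-fin
2018/04/02 09:01:25,10.1.10.31,10.1.20.9,web-browsing,allow,aged-out
2018/04/02 09:01:30,10.1.10.32,10.1.20.9,ssl,allow,resources-unavailable
"""

# App-IDs named in the thread; the end reason PAN-94445 describes.
SMB_APPS = {"ms-ds-smb", "ms-ds-smbv3"}
BAD_END_REASON = "resources-unavailable"


def smb_discard_stats(csv_text):
    """Return (smb_total, smb_bad, other_total, other_bad) session counts."""
    totals, bad = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = "smb" if row["application"] in SMB_APPS else "other"
        totals[bucket] += 1
        if row["session_end_reason"] == BAD_END_REASON:
            bad[bucket] += 1
    return totals["smb"], bad["smb"], totals["other"], bad["other"]


def smb_discard_alert(csv_text, min_sessions=3, ratio=0.5):
    """True when enough SMB sessions were seen and most of them were discarded.

    Comparing SMB against the rest avoids alerting on a box that is simply
    out of resources across all applications."""
    smb_total, smb_bad, _, _ = smb_discard_stats(csv_text)
    return smb_total >= min_sessions and smb_bad / smb_total > ratio


def affected_servers(csv_text):
    """Map destination -> number of SMB sessions that ended resources-unavailable,
    to scope which file servers clients are failing to reach."""
    hits = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["application"] in SMB_APPS and row["session_end_reason"] == BAD_END_REASON:
            hits[row["dst"]] += 1
    return dict(hits)
```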

32 REPLIES

@SamKear,

It was noticed during testing and we all pretty much chopped it up to the SMBv3 improvements that allow additional threat detection and file identification capabilities that were added into 8.1. I think we were all just under the impression that it wasn't something that would make it into the actual release. 

I agree. SMB is a core service and breaking it is a show-stopper. We use our firewalls as our LAN routers, and this issue resulted in intermittent collapse of SMB across our LAN subnets and across our IPSEC tunnels, totally disrupting our network operations. We discovered that we could temporarily "reset" SMB by forcing an active-passive firewall failover. SMB would work again for a few days until the next recurrence.

We did the application-override but it was useless since we do not apply any policies on our internal routing (intrazone).

When we learned that there wasn't going to be a hot fix and that the next version of PAN-OS 8.1.1 would not be until the end of April, we decided to roll back all of our firewalls to 8.0.8.

It was also surprising that Palo Alto did not bother to respond to our ticket on this issue. 

I hope this issue has caused an internal investigation to be opened into how a critical bug made it into a GA release, so hopefully it will never happen again.

Is there a sample of how y'all did the App-override and made it work?

This is what we tried, but it didn't work since our issues were with the Virtual Router for internal routing.

SMB Application Override

Policies / Application Override

  Add
    General
      Name: SMB L7 Inspect Exclude
      Description: To improve SMB performance, Layer 7 inspection is excluded.
    Source
      Source Zone: L3-trust
      Source Address: Any
    Destination
      Destination Zone: L3-trust
      Destination Address: Any
    Protocol/Application
      TCP
      Port 445,139
      Application: ms-ds-smb

Thanks for the reply.  I was hoping there was a way to avoid having to do 2 override policies.  Ugh.  Glad PA was asleep at the wheel on this one.

Our experience (which we have shared with Palo Alto tech support) is that the SMB issue is in the Virtual Router itself separate from the policy applications. For us it would run normally for days until something would be triggered that killed routing of SMB on our internal LAN (no policies are applied, so there really is nothing to override). The simplest way we found to restore routing was to suspend the active firewall (triggering a failover to the passive firewall in our HA active/passive configuration). We could then make the first firewall functional again and everything would work normally until the next intermittent SMB failure.

In the absence of a hotfix, we rolled back to 8.0.8.

We had tried the application override trusting guidance from Palo Alto, but it has no effect on the virtual router problem.

For anyone who cares: The application override did address the issue for us. In our case it was a straight firewalling issue over an IPSEC tunnel. So we never had the above-mentioned issues with the Virtual Router.

I did put in a call to PA TAC, to make sure I got the App Override put in there properly (I haven't done a lot of that). When I spoke to the TAC representative about the general bugginess of 8.1.0 the response was effectively "it's your own fault for installing firmware that we released to you." Which was comforting.

Nothing like "Let's get the plane in the sky and try to fix it before it hits the ground."

L0 Member

I also had this issue. I resolved the issue by first creating a custom application, then creating an application override using the custom application.

L2 Linker

Ran into the same problem, creating an application override solved the problem.

Policies > Application Override

Source: Clients

Destination: File Server

Protocol/Application

TCP 139, 445

Application: ms-ds-smbv3

Software Version: 8.1.0
VM License: VM-100

L1 Bithead

I experienced this issue as well with a pair of 3050s in HA. It's unacceptable Palo Alto would not notify its customers of the issue.

L3 Networker

Based on PAN code quality trends over 7.0, 7.1, and 8.0, I have been waiting for PAN TAC to recommend an image for production use before trying it anywhere outside the lab. That has been usually around X.X.5 or X.X.6. Even then, tread with significant caution when deploying.

As folks have found out, using X.X.uhoh (X.X.0) releases outside a test environment is just begging for trouble. 

Save your sanity and remaining hair. Wait for TAC recommended images.

L4 Transporter

8.1.1 is now available and includes the fix for this issue (among many others). Someone play with it and report back 😉

There are 7 pages of "Addressed Issues". Talk about a mess.

PAN-94445
Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason resources-unavailable.