PAN OS Session Table Clearing -> no RST/FIN Connection sent out ?


L1 Bithead

Hi Experts,

 

I have the following situation. I'm running an A/A HA Cluster based on 2 5220 PA Appliances (PAN OS vers 9.0.x)

 

Occasionally (following a failover event) we noticed that some of our Long Lived sessions (NFS + Oracle DB Sessions) active across the cluster do not seem to be properly handled at session table level cluster wide any longer - meaning connectivity is broken and our NFS share, for example, gets stuck hanging ...

 

I already have a case with Palo Alto for examining and debugging this issue.

 

One "workaround" that I had to implement so far when such session table inconsistencies arise is to identify and manually clear the affected sessions in the firewall session table on both sides of the cluster.

 

Nevertheless, I noticed that, by doing this, the firewall does not send either a RST or a FIN to either the client or the server side.

 

Is there any way to have the firewall (I would assume the Session Owner, in the case of an HA Cluster) send a RST or a FIN to the client and/or server side of the connection? I have searched through this forum as well as through the PAN OS doc but haven't been able to identify such an option until now ... which would greatly help us recover our NFS mounts ...

 

Thank you.

1 REPLY 1

L4 Transporter

Hi,

 

Unfortunately, you cannot make the firewall send a RST; the firewall only sends a RST when a threat is detected.
