10-10-2020 05:29 AM
Hi Experts,
I have the following situation. I'm running an A/A HA Cluster based on 2 5220 PA Appliances (PAN OS vers 9.0.x)
Occasionally (following a failover event) we noticed that some of our Long Lived sessions (NFS + Oracle DB Sessions) active across the cluster do not seem to be properly handled at session table level cluster wide any longer - meaning connectivity is broken and our NFS share, for example, get stuck hanging ...
I already have a case by Palo Alto for examining and debugging this issue.
One "workaround" that I had to implement so far when such session table inconsistency arise is to identify and manually clear the affected sessions in the firewall sesssion table on both sides of the cluster.
Nevertheless I noticed that, by doing this, the firewall do not send either a RST or a FIN to either the client or the server side.
Is there any way to have the firewall (I would assume the Session Owner, in the case of an HA Cluster) send a RST or a FIN to client and/or server side of the connection ? I have searched through this forum as well as through the PAN OS doc but haven't been able to identify until now such option .... which would greately help us recovering our NFS mounts ...
Thank you.
10-11-2020 11:47 AM
Hi,
Unfortunately, you can not make the firewall send a rst, the Firewall only send RST when a threat is detected.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
