09-11-2018 06:31 AM
Hi, we have an HA pair of M-100 Panoramas which were running fine until we attempted to upgrade the memory to 32GB to be able to run version 8.1.3. The passive Panorama went fine but the active would not boot after the memory was upped so a replacement was sent. The box was swapped and config applied then memory installed and upgraded to 8.1.3.
First problem was that none of the managed firewalls could connect to the new active Panorama; the Panorama sent TCP resets. While on the phone to tech support, all the firewalls suddenly were able to connect to the replaced Panorama. This happened with no intervention and was around 2-3 hours after the Panorama was fully reconfigured, so this is very odd.
Anyhow the issue we have now is all the managed firewalls now connect to this Panorama for anywhere between 3 and 10 minutes then disconnect for 30 seconds and reconnect, every single firewall. Their connections to the other passive Panorama are fine.
A tcpdump on a firewall mgmt interface shows all going well, then the Panorama reports a TCP zero window size to the firewall. For a minute or so TCP keepalives are sent from the firewall and the Panorama replies with TCP zero window size; soon after, the Panorama sends a FIN immediately followed by a TCP window size ACK of 357120 and the session is closed down.
Does anyone have any ideas? Panorama system resources seem fine, no network interface counter issues and nothing immediately obvious in system logs.
Thanks.
09-12-2018 02:02 PM
The vast majority of the time the TCP window falls to zero is because of memory on the receiving end of the data transmission. Since you've stated the Panorama resources are ok, there may be something else in path causing it.
If you take the tcpdump capture simultaneously on Panorama and on your firewall, you could compare the frames to ensure that the data packets the firewall is sending are actually making it to Panorama. If everything looks the same from the Panorama-based packet capture, then I'd recommend getting a support case opened so technical support can take a look.
If the data is not making it to Panorama (or you're seeing the IP TTL at a different value than you would expect), there may be something between the devices doing something like proxying the traffic.
09-13-2018 06:42 AM
Thanks for the reply, the captures at both ends are identical so nothing happening to the sessions.
We do have a Palo support ticket open; I just thought I'd see if anyone else had encountered this before, but will run with the ticket.