Panorama zero window size

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama zero window size

L0 Member

Hi, we have an HA pair of M-100 Panoramas which were running fine until we attempted to upgrade the memory to 32GB to be able to run version 8.1.3. The passive Panorama went fine but the active would not boot after the memory was upped so a replacement was sent. The box was swapped and config applied then memory installed and upgraded to 8.1.3.

First problem was that none of the managed firewalls could connect to the new active Panorama, the Panorama sent TCP resets, while on the phone to tech support all the firewalls suddenly were able to connect to the replaced Panorama this happened with no intervention and was around 2-3 hours since the Panorama was fully reconfigured so this is very odd.

 

Anyhow the issue we have now is all the managed firewalls now connect to this Panorama for anywhere between 3 and 10 minutes then disconnect for 30 seconds and reconnect, every single firewall. Their connections to the other passive Panorama are fine.

A TCPDUMP on a firewall mgmt interface shows all going well then the Panorama replorts TCP zero window size to the firewall then for a minute or so TCP keepalives are sent from the firewall and the Panorama replies with TCP zero window size, soon after the Panorama sends a FIN immediately follow by a TCP window size ACK of 357120 and the session is closed down.

Does anyone have any ideas? Panorama system resources seem fine, no network interface counter issues and nothing immediately obvious in system logs.

Thanks.

2 REPLIES 2

L7 Applicator

The vast majority of the time the TCP window falls to zero is because of memory on the receiving end of the data transmission. Since you've stated the Panorama resources are ok, there may be something else in path causing it.

 

If you take the tcpdump capture simultaneously on Panorama and on your firewall, you could compare the frames to ensure that the data packets the firewall is sending are actually making it to Panorama. If everything looks the same from the Panorama-based packet capture, then I'd recommend getting a support case opened so technical support can take a look.

 

If the data is not making it to Panorama (or you're seeing the IP TTL at a different value than you would expect), there may be something between the devices doing something like proxying the traffic.

Thanks for the reply, the captures at both ends are identical so nothing happening to the sessions.

We do have a Palo support ticket open it is just thought I'd see if anyone else encountered this before but will run with the ticket.

  • 2912 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!