PANOS 9.1 known issue PAN-83610 network processor


PAN-83610

In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off-load no CLI command.

 

We did a throughput test with a proper test kit before the device went live; when offload is disabled, the throughput reading degrades significantly. So I'm not going for this workaround.

 

I'm stuck between the EOL PAN-OS 9.0 and the time an upgrade consumes. I can't risk upgrading my client to 9.1 because of the potential performance hit, but an upgrade from 9.0 to 10.1 may take up to 8 hours, because of the reboot after each upgrade and the connection verification at each failover to the new version.

 

My client is currently using the PA-5200 Series. How do I check whether that model's network processor is an FE100? I got the output below from the system state; based on this output, is the PA-5200 running on an FE100 network processor, or is there another command to retrieve the network processor?

 

env.s1.thermal.0: { 'alarm': False, 'avg': 32.000, 'core-temp-gryphon-dp': False, 'desc': NP, 'desc-detail': NB - Temperature @ FE100[U92], 'fan-min': 50.000, 'hyst': 3.750, 'i2c-failures-count': 0, 'i2c-failures-status': False, 'ignore-fan-control': False, 'immediate-notify': False, 'max': 70.000, 'min': -5.000, 'notified-avg': 31.800, 'samples': [ 32.000, 32.000, 32.000, 32.000, 32.000, ], 'shutdown': False, 'shutdown-temp': 99.000, }

1 REPLY

Cyber Elite

@VLim,

So you don't have an HA pair at this site but uptime is so critical you can't have a maintenance window to actually maintain critical network security hardware? Seems like a really odd design/decision for an organization willing to spend the money on PAN hardware and subscription licensing.

 

As an FYI PAN-83610 is present literally on every release, and as I understand the bug it's not something that will ever be fixed with the FE100 network processor. It's present in every release of PAN-OS, so just upgrading won't get rid of it.

I've literally never seen anyone run into an issue with this bug that actually caused any issues outside of a customer running some specialized industrial hardware over IPv6 with a poorly written control application. That isn't to say that you won't run into an issue, but I would put the risk associated with staying on an unsupported PAN-OS release far higher than the possibility that you could run into an error in the extremely rare case that the network processor resets the checksum. 
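
An added example, not part of the thread and not Palo Alto code: a Python check that recomputes the UDP checksum of a captured segment (UDP header plus payload) over the IPv4 or IPv6 pseudo-header, to see whether traffic leaving the firewall carries a zeroed or wrong checksum. The page does not say what value the FE100 writes, so both cases are reported; the function names, addresses and sample packet are constructed for illustration.

```python
import ipaddress
import struct

def _fold(data: bytes) -> int:
    """16-bit one's-complement sum over data (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Expected checksum for a UDP segment; the checksum field in it is ignored."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:   # IPv4 pseudo-header: src, dst, zero, protocol 17, UDP length
        pseudo = s.packed + d.packed + struct.pack("!BBH", 0, 17, len(segment))
    else:                # IPv6 pseudo-header: src, dst, 32-bit length, 3 zero bytes, next header 17
        pseudo = s.packed + d.packed + struct.pack("!I3xB", len(segment), 17)
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    return (~_fold(pseudo + zeroed) & 0xFFFF) or 0xFFFF  # a computed 0 is sent as 0xFFFF

def classify(src: str, dst: str, segment: bytes) -> str:
    """Return 'valid', 'mismatch', 'zero-ipv4', 'zero-ipv6' or 'truncated'."""
    if len(segment) < 8:
        return "truncated"
    (wire,) = struct.unpack("!H", segment[6:8])
    if wire == 0:
        # 0 means "no checksum": allowed over IPv4 (RFC 768), normally dropped over IPv6 (RFC 8200)
        return "zero-ipv4" if ipaddress.ip_address(src).version == 4 else "zero-ipv6"
    return "valid" if wire == udp_checksum(src, dst, segment) else "mismatch"

def build(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample segment with a correct checksum."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src, dst, seg)) + seg[8:]

if __name__ == "__main__":
    a, b = "2001:db8::1", "2001:db8::2"          # documentation addresses, constructed
    good = build(a, b, 40000, 502, b"constructed payload")
    zeroed = good[:6] + b"\x00\x00" + good[8:]   # what a checksum reset to 0 would look like
    for name, seg in (("good", good), ("zeroed", zeroed)):
        print(name, classify(a, b, seg))
```

Run it against segments captured downstream of the firewall, not on the sending host, where NIC checksum offload can make correct traffic look wrong in a capture.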
