PLEASE HELP.. same config but not working! from PA 3050 to PA 3220


L2 Linker

Dear experts,

I am moving from a PA3050 to a PA3220. I exported the current configuration from the old PA3050 and imported it to the new PA3220, and I committed successfully, but when I migrate the cables from the old device to the new one I get random issues! For example, some zones are not reachable; I have ping to the internet, and telnet and traceroute, but I can't browse; and I can't ping some destinations. WEIRD! It's the SAME configuration and the OS versions are the same on both devices. Plus, I downloaded and installed the latest content version on both devices before exporting the config file.xml.

NOTE: when I move to the old PA3050, all works properly!

One more thing, we have an A10 (SSL Interception) connected to the PA from the external side and a StormShield (AS core firewall).

REALLY WOULD APPRECIATE YOUR HELP.

24 REPLIES

L5 Sessionator

Maybe asymmetric routing? Traffic like ping doesn't need a 3-way handshake to work through the PA but internet browsing would. Maybe the syn-ack isn't going through the PA?

Did anything else change when you moved to the new firewall?

Is there anything in the logs showing this traffic dropping?

No, I checked through all devices, no single drop in any. Plus, I cleared ARP on the PA and on the neighbor devices and it's still not working. I noticed that I can't ping from the PA interface to the other end, which is a switch. I have no idea why this would happen...

What do the ARP entries on the PA and switch show for each other? Are they correct?

It's showing the correct ARP, the PA MAC address matching the correct IP. On the other hand, why would there be asymmetric routing if nothing changed in the network except the device? That's the point here: whenever I switch the cable to the old device, all works properly.

Is there asymmetry in your network? There is a setting on the PA to bypass the dropping of traffic where the full handshake isn't seen. Was that set on the old firewall?

If you do 'show session info', there's a section for Session Setup that will tell you the current value of this setting. Default is True, meaning it will drop the traffic. If it's set to False, then the full handshake isn't needed to permit traffic.

You mean it's a setting in the Zone Protection? I created a zone protection --> Packet based attack protection --> "reject non SYN TCP"; I put it to "NO" and the Asymmetric Path to "Bypass".

Is that correct?

No, it's a command line entry. At the CLI, you enter 'show session info'. Then look for the section called 'Session setup'.

Ah, I didn't, but I will check this and get back to you. One more thing, would this affect the other zones as well? I mean, would this affect the DMZ zone, or would this only affect internet connectivity?

It's a global setting so any asymmetric traffic would be affected. 

Ah okay, but shouldn't this global setting be included in the config file that I exported from the old PA3050?

It’s probably included but I don’t know for sure.

Cyber Elite

@SamerKiwan ,

So the configuration on your 3050 and your PA-3220 is going to be different in a few ways. Things I would verify:

1) On the PA-3220 are you using interfaces 17 through 20, and if so have you actually verified the interface is set to the proper speed if you are using SFP instead of SFP+? 

2) Importing a configuration like that can cause some issues if things don't 100% import properly. I would pull the PA-3050 and the PA-3220 configurations and verify that they are actually similar by running a compare. 

3) What do you see on the logs when you are attempting to browse? Resets or age-out responses? 
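
The compare suggested in point 2, sketched as an added example (not part of the original post and not Palo Alto Networks tooling): it flattens two exported XML configurations to leaf paths and lists every setting that differs or is missing on one side. The two config fragments are constructed and heavily simplified, and their element names are assumptions modelled on an exported configuration; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

def flatten(xml_text):
    """Map every leaf element to {path: sorted values}; <entry name=...> keeps its name in the path."""
    leaves = {}
    def walk(node, path):
        name = node.get("name")
        here = f"{path}/{node.tag}" + (f"[@name='{name}']" if name else "")
        children = list(node)
        if not children:
            # <member> lists repeat one tag, so collect values instead of overwriting
            leaves.setdefault(here, []).append((node.text or "").strip())
        for child in children:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return {path: sorted(vals) for path, vals in leaves.items()}

def compare(old_xml, new_xml):
    """Return (path, old_values, new_values) for every leaf that differs; None means absent."""
    old, new = flatten(old_xml), flatten(new_xml)
    return [(p, old.get(p), new.get(p))
            for p in sorted(old.keys() | new.keys())
            if old.get(p) != new.get(p)]

# Constructed, heavily simplified fragments (not real exports); element names are assumptions.
OLD_CFG = """<config><devices><entry name="localhost.localdomain">
  <network><interface><ethernet>
    <entry name="ethernet1/17"><link-speed>1000</link-speed></entry>
  </ethernet></interface></network>
  <deviceconfig><setting><session>
    <tcp-reject-non-syn>no</tcp-reject-non-syn>
  </session></setting></deviceconfig>
</entry></devices></config>"""

NEW_CFG = """<config><devices><entry name="localhost.localdomain">
  <network><interface><ethernet>
    <entry name="ethernet1/17"><link-speed>auto</link-speed></entry>
  </ethernet></interface></network>
</entry></devices></config>"""

if __name__ == "__main__":
    for path, old_val, new_val in compare(OLD_CFG, NEW_CFG):
        print(f"{path}\n    old: {old_val}\n    new: {new_val}")
```

A path reported with `None` on the new side is a setting that did not survive the import and has fallen back to the platform default, which is worth checking before cabling the new device in.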

Okay, thank you very much for your responses. I will check and update you.
