Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-28-2019 02:07 AM - edited 02-28-2019 06:54 AM
Dear experts,
I am moving from PA3050 to PA3220. I did export the current configurations from the old PA3050 and imported to the new PA3220, i committed successfully, but when i migrate cables from old device to the new one i get random issue! like some zones are not reachable, like i have ping to internet and telnet and traceroute but i can't browse!, like i can't ping some destinations. WEIRD! its the SAME configuration and OS versions are the same on both devices plus, i did download and install latest content version on both devices before moving the exporting the config file.xml.
NOTE: when i move to old PA3050 all work properly!
One more thing, we have A10 (SSL Interception) connected to PA from external side and StormShield (AS core firewall).
REALLY WOULD APPRECIATE YOUR HELP.
02-28-2019 10:24 AM
03-04-2019 12:23 AM
@rmfalconer what is the setting exact name of the asymetric routing ? below is my session settings
Session setup
TCP - reject non-SYN first packet: False
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps
03-04-2019 12:39 AM
@BPry I checked configuration syntax its exactly the same.. :S any other suggestions ?
03-04-2019 11:50 AM
The setting that shows that asymmetry is permitted is "TCP - reject non-SYN first packet: False"
Is this on both firewalls?
Are you absolutely sure that this is a setting you want enabled? It's definitely not best practice to enable. Do you know why you have flows bypassing the firewall?
03-04-2019 12:11 PM
For sure no i don't keep such setting, but i did that for testing purpose it was "True" i put it "False" to check if issue will get resolved but it didn't. Is it possible that A10 device makes such issue? maybe its SFPs are not compatible with the new PA ethernet ports?
03-04-2019 03:08 PM
So both old and new firewall are set to True?
I think you said you're using the copper interfaces on the PA? Do they connect directly to the A10? SFPs on another device shouldn't matter for the connection to the PA.
03-04-2019 04:21 PM
If you havent figured this inbox me and I can help you.
03-05-2019 08:36 AM
Yes on both devices its True.
Palo Alto Copper interfaces are connecting to the A10 device (using SFPs Fiber to Copper).
03-05-2019 08:51 AM
Yes, please i would appreciate if you can help with this.. but i didn't know how to inbox your from here -_-
03-08-2019 03:33 AM
Dears,
This is to inform that this issue has been finally solved ! there was a static ARP on the core firewall interface. We put dynamic and ll worked properly.
Thank you all.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
