Fortunately we didn't upgrade to 7.X on any of our firewalls (thanks to the community's responses on how much it sucks)...ok it doesn't suck but it's been riddled with problems.
To me it seems this issue has been big enough that an off-cycle patch should have done and Palo should have spent engineering time 24x7 until these issues had been fixed. The cost of support 6-figures+ to have this large of a problem with a "wait for our patch cycle" mentality blows my mind.
I asked for an update on my ticket and received the following back. I'd like to see the fix sooner, but it is what it is I guess.
Working with the engineering team I have been able to confirm the root cause of the issue is the result of Bug 85091. The resolution for this issue is currently scheduled for release in the 6.1.8 and 7.0.4 software update.
The new software versions are expected to be released the Week of November 16, 2015 for 6.1.8 and the Week of December 7, 2015 for 7.0.4.
Is anybody running 6.1.x having this problem? I hadn't heard of it occuring in the 6.x line until the PA response stating it'll be fixed in 6.1.8. I'm concerned that once again they've missed the root cause.
Hi all- I’m Nathan, with Support Management at Palo Alto Networks. As was posted earlier, we’re sorry for frustration caused by this issue. The support response details posted above are correct. 6.1.8 is planned for release later this week (16-Nov) and 7.04 will be available during the week of 21-Dec (please note the date, as it is different than what was posted earlier). Both of these releases resolve this issue.
There may be additional options available, but support would prefer to discuss these individually to ensure they meet your individual needs and timeliness. I’ve reached out to some of the members on this discussion via phone/email to provide some options related to this issue. While we recommend upgrading when the releases become available, there may also be a workaround option for those that require an immediate fix. The workaround has been tested by our QA group, which is why we would like to have a live debug session for those that are having trouble implementing the workaround. For those I’ve contacted that need to pursue this path, please get back to me and I will make sure you get help from Support to discuss all options.
Note: if there are others experiencing this issue who have not created a support case, please contact Palo Alto Networks support (https://www.paloaltonetworks.com/company/contact-us.html). We’re happy to help get this resolved for you.
There really isn't (from what I've been told and discovered after implementing the work-around). They're recommending people configure some DoS rules against SSL. This will extend the interval between the issue happening and traffic halting but not fix it.
Yes, it hasn't fixed the problem for me, but it's made the freezes much less often to several pay day rather than every 45 minutes as I was seeing prior. I've been able to turn decryption back on, and my users are dealing with the pain right now.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!