Session moves from ACTIVE to DISCARD in middle of download once zone protection enabled.


Hi Community,

I am seeing the below behaviour in my PA-850 running on 9.1.4. Security policy is allowed for traffic.

Scenario-1, without zone protection in the internet zone - everything works fine.

 

Scenario-2,

Having zone protection with pretty much all options enabled for 'IP Drop' and 'TCP Drop' and other options as well. Applied it on the internet zone.

Everything works fine like browsing, streaming etc., but once I start downloading a big file, after downloading some part, the session will move from Active to Discard and the download will simply hang. There is no application shift (the connection is over SSL and the policy allows every app).

When checking the global counters, I can see the following counters increasing:

  • packets dropped because of failure in tcp reassembly
  • packets dropped due to the limitation on tcp out-of-order queue size

Even though the drops are there, I am not sure why the session should move to the discard state.

After the session hangs, I can see the counter "packet buffer pointer inconsistent" as well. Once I remove zone protection, everything works fine (I have tested an ISO download from releases.ubuntu.com).

What are the reasons the session moves from active to discard? I can't see any threat logs.

Buffer protection is not enabled globally.

 

----counter-----

show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 3.72 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_outstanding 4026 1310 info packet pktproc Outstanding packet to be transmitted
pkt_alloc 5 1 info packet resource Packets allocated
pkt_inconsist 2101 683 info packet pktproc Packet buffer pointer inconsistent
session_freed 28 9 info session resource Sessions freed
flow_fwd_drop_noxmit 120 39 info flow forward Packet dropped at forwarding: noxmit
flow_qos_pkt_enque 2094 681 info flow qos Packet enqueued to QoS module
flow_dos_ag_buckets_upd 1 0 info flow dos Updated aggregate buckets for aging
flow_pppoe_encap_pkts 3868 1259 info flow pktproc Total packets encapsulated with PPPoE header
flow_host_pkt_xmt 5 1 info flow mgmt Packets transmitted to control plane
appid_unknown_fini_empty 11 3 info appid pktproc The number of unknown applications because of no data
nat_dynamic_port_release 5 1 info nat resource The total number of dynamic_ip_port NAT release called
dfa_sw 2132 694 info dfa pktproc The total number of dfa match using software
tcp_drop_packet 7 2 warn tcp pktproc packets dropped because of failure in tcp reassembly
tcp_pkt_queued 4294967233 1398101312 info tcp resource The number of out of order packets queued in tcp
tcp_case_2 24 7 info tcp pktproc tcp reassembly case 2
tcp_exceed_flow_seg_limit 7 2 warn tcp resource packets dropped due to the limitation on tcp out-of-order queue size
aho_sw_offload 2015 655 info aho pktproc The total number of software aho offload
ctd_pscan_sw 2132 694 info ctd pktproc The total usage of software for pscan
ctd_pkt_slowpath 2132 694 info ctd pktproc Packets processed by slowpath
log_traffic_cnt 28 9 info log system Number of traffic logs
--------------------------------------------------------------------------------

 

Thanks in advance.



@Abdul_Razaq,

Sounds like PBP is being activated. I'm guessing that if you run show running resource-monitor ingress-backlogs your ISO download will be taking max buffer. You could easily test this by just disabling PBP at the zone level and trying again. 

Hi @BPry 

 

I suspected the same before, but packet buffer protection is not enabled at the global level, and I have disabled it at the zone level as well. I cannot see any threat logs for the session either. show running resource-monitor ingress-backlogs was not showing any session consuming more buffer.

Hi @BPry ,

 

I can see the below output for 'show zone-protection'. Are any of these capable of putting a session into discard from active instead of just dropping the packet?

 

--------------

IPv(4/6) Filter:
discard-ip-spoof: enabled: yes, packet dropped: 0
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 413
tcp-timestamp: enabled: yes, packets modified: 0
discard-tcp-syn-with-data: enabled: yes, packet dropped: 0
discard-tcp-synack-with-data: enabled: yes, packet dropped: 0
strip-tcp-fast-open-and-data: enabled: yes, packet stripped: 21
IPv4 packet filter:
discard-icmp-ping-zero-id: enabled: yes, packet dropped: 0
discard-icmp-frag: enabled: yes, packet dropped: 0
discard-icmp-large-packet: enabled: yes, packet dropped: 0
discard-icmp-error: enabled: yes, packet dropped: 87
suppress-icmp-timeexceeded: enabled: yes, packet dropped: 0
suppress-icmp-needfrag: enabled: yes, packet dropped: 0
discard-malformed-option: enabled: yes, packet dropped: 0
discard-overlapping-tcp-segment-mismatch: enabled: yes, packet dropped: 4
strict-ip-check: enabled: yes, packet dropped: 0
discard-tcp-split-handshake: enabled: yes, packet dropped: 0
IPv6 packet filter:
routing-header-0: enabled: yes, packet dropped: 0
routing-header-1: enabled: yes, packet dropped: 0
routing-header-4-252: enabled: yes, packet dropped: 0
routing-header-255: enabled: yes, packet dropped: 0
redirect: enabled: yes
dest-unreach: enabled: yes
pkt-too-big: enabled: yes
time-exceeded: enabled: yes
param-problem: enabled: yes
----------------------

Thanks in advance.

Hi @BPry /community,

 

I was able to identify the cause as 'discard-overlapping-tcp-segment-mismatch', it was causing the session to be in a discard state.

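The filter named in the accepted solution compares the payload of a TCP segment against bytes already accepted for the same sequence range and discards the segment when they differ, which is what prevents the ambiguous-reassembly evasions that IDS engines worry about. The following is an added, simplified model of that check (not PAN-OS code and not from the thread); it keeps a byte-per-sequence map, ignores sequence-number wraparound, and the segments in demo() are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes


@dataclass
class FlowReassembler:
    """Tracks accepted payload bytes by absolute sequence number."""
    # seq -> byte value (a real engine keeps ranges; wraparound ignored here)
    accepted: dict = field(default_factory=dict)
    dropped_mismatch: int = 0    # mirrors the filter's 'packet dropped' counter

    def offer(self, seg: Segment) -> bool:
        """Accept the segment (True) or discard it (False) because some of
        its bytes disagree with data already seen for the same sequence
        numbers: the overlapping-segment-mismatch condition."""
        for i, b in enumerate(seg.data):
            s = seg.seq + i
            if s in self.accepted and self.accepted[s] != b:
                self.dropped_mismatch += 1
                return False
        # No conflicting overlap: merge (identical retransmissions pass).
        for i, b in enumerate(seg.data):
            self.accepted[seg.seq + i] = b
        return True

    def stream(self, start_seq: int) -> bytes:
        """Contiguous bytes from start_seq up to the first gap."""
        out, s = bytearray(), start_seq
        while s in self.accepted:
            out.append(self.accepted[s])
            s += 1
        return bytes(out)


def demo() -> tuple:
    # Constructed flow: a benign retransmission (identical overlap) is kept,
    # while an overlapping segment carrying different bytes is discarded.
    r = FlowReassembler()
    ok1 = r.offer(Segment(1000, b"GET /ubuntu.iso"))
    ok2 = r.offer(Segment(1004, b"/ubuntu.iso HTTP"))   # identical overlap
    ok3 = r.offer(Segment(1004, b"/ubuntu.bin"))        # conflicting overlap
    return ok1, ok2, ok3, r.dropped_mismatch, r.stream(1000)
```

In a real download the mismatch usually comes from a retransmission whose bytes legitimately differ from the copy the firewall had already accepted, which is why the counter increments without any threat log.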
