I got the following scenario.
client -> Paloalto -> Server:1234
The client initiates a tcp session to server always using the same source port and same sequence number (verified in packet capture). The session time out is the default 60 minutes.
The client sometimes looses network coverage and initiates a new sync (with same source port and sequence number). But on the firewall the previous session exists and this syn packet is causing the session timer to reset. So the session is never timing out and the capture on firewall is showing that it is dropping all the new syn packets.
We ended up having to clear the sessions manually on firewall for the client to be able to connect.
We did open ticket with support and were told that client is not following RFC (they need to stop using same source port and sequence number). But as usual the client is saying that this application is working at other sites and it is firewall issue.
Looking for some pointers on this.
As the Palo Alto Tac did not help you may need to open a request for enhancement with you local palo alto contact.
Still you can on your own check what is the exact error with global counters or flow basic as described in:
You then can check if there is option to stop the palo alto protection that drops your tcp sync packets:
Also a small workaround is to set a smaller TCP timeout :
To prevent SYN flood attacks, and to preserve mygiftcardsite memory, the BIG-IP system can prevent new connections by sending a TCP RST packet to the client with a TCP RST packet when the connection reaches the idle session timeout. The BIG-IP LTM system resets TCP connections after sending eight.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!