For a few weeks now, we have been experiencing sporadic issues with some applications that do not load correctly or at all. We have also had sporadic issues with downloads that freeze and eventually fail. This isn't isolated to a browser issue. We have primarily noticed issues associated with "amazonaws" related IP addresses. On the firewall, we see "incomplete" in the application and zero (0) bytes received. We have reached out to our ISP for assistance and they haven't been able to find any issues on the Internet. We have also not been able to reproduce the issues on our Internet when we bypass the firewall. The TAC engineer assisting us is also stumped as he sees that traffic just stops being received from the server and the TCP session eventually times out.
We don't believe it is a policy issue because we don't see any traffic/applications being blocked. There doesn't appear to be a performance issue with the firewall as the management CPU is low.
We suspected it was related to our public IP addresses but those IP addresses work fine when using them on the outside switch.
We currently have our dynamic PAT configured to translate the entire 10.0.0.0/8 subnet to a pool of several public IP addresses. Is there a caveat with running our PAT in this configuration?
Our firewall is running version 9.0.9-h1 which our Palo Alto rep is saying is a stable version. We have an active/passive configuration of two PA5260 appliances.
Has anyone had an issue similar to this? What were some of the items you did to resolve this?
My guess would point to a routing issue. Here is why: you mentioned the application was incomplete (this just means that there were not enough packets from the firewall to see what type of application it was); however, in my experience this points to routing. You say it's sporadic; maybe there is a dynamic routing protocol on your network that could be 'flapping'? When I work at places that have multiple paths between locations, I always put a weight on one of the paths so I don't get asymmetric routing.
Hope that helps.