03-12-2013 10:09 PM
Hi folks.
I'm tearing my hair out with this one, so I'm hoping that someone can point me in the right direction.
We have an installation of the Unreal Streaming Media server running in our DMZ off our Palo Alto firewall. This server is used as a central access point for both receiving and distributing streamed audio and video for business purposes over the internet and internally.
This server receives streams from another Unreal (http://www.umediaserver.net) product, and is played out by another of their products.
I've had to put in an application override to get this working, because it's not an app that the PAN recognises - so I've stuck it in for the two ports concerned, and applied rules accordingly.
The problem comes when we actually try to USE it.
We can connect the source (encoder) to the streaming server no problems - for exactly 30 seconds.
Then the connection drops. And stays down for another 30 seconds. Then reconnects (it tries to reconnect automatically) for another 30 seconds. Then drops again.
I KNOW this is a firewall issue - I can stream perfectly well INSIDE my network (across different segments, so it's not a routing issue either). There's got to be SOMETHING in the firewall which is breaking this connection so consistently - but I can't figure out what the heck it is!
(As a test, I have completely removed ALL access restrictions on the device in the DMZ - dangerous, yes, I know - and the problem STILL exists).
Can someone point out to me something - anything - which might be causing this 30 second disconnect? It's far too regular to be a random issue - and the 30 seconds sound like some timer somewhere or another, but I damn well can't figure out WHAT is causing it.
Anyone who points out a solution and is in Sydney I owe a beer to!
Thanks.
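Added example, not part of the original post: one way to confirm from session records that drops like these follow a fixed timer rather than random loss. The `start,end` line format and the sample timestamps are constructed for illustration and are not a firewall export format.

```python
from datetime import datetime
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: encoder sessions that drop and reconnect on a fixed cycle.
REGULAR = """\
2013-03-12 21:00:00,2013-03-12 21:00:30
2013-03-12 21:01:00,2013-03-12 21:01:30
2013-03-12 21:02:00,2013-03-12 21:02:31
2013-03-12 21:03:01,2013-03-12 21:03:31
2013-03-12 21:04:01,2013-03-12 21:04:31
"""

# Constructed sample: sessions of unrelated lengths, for contrast.
IRREGULAR = """\
2013-03-12 10:00:00,2013-03-12 10:00:12
2013-03-12 10:05:00,2013-03-12 10:10:40
2013-03-12 10:20:00,2013-03-12 10:21:15
2013-03-12 11:00:00,2013-03-12 11:30:00
2013-03-12 12:00:00,2013-03-12 12:00:05
"""

def parse_sessions(text):
    """Parse 'start,end' lines into (start, end) datetime pairs sorted by start."""
    rows = []
    for line in text.strip().splitlines():
        start, end = (datetime.strptime(f.strip(), FMT) for f in line.split(","))
        if end < start:
            raise ValueError(f"end before start: {line!r}")
        rows.append((start, end))
    return sorted(rows)

def timer_signature(sessions, tolerance=2.0, min_sessions=4, min_fraction=0.8):
    """Flag sessions whose lifetimes cluster around one value (a timer at work)."""
    if len(sessions) < min_sessions:
        return {"regular": False, "median_duration": None, "median_gap": None}
    durations = [(e - s).total_seconds() for s, e in sessions]
    # Gap = time between one session ending and the next one starting.
    gaps = [(b[0] - a[1]).total_seconds() for a, b in zip(sessions, sessions[1:])]
    med = median(durations)
    close = sum(abs(d - med) <= tolerance for d in durations)
    return {"regular": close / len(durations) >= min_fraction,
            "median_duration": med, "median_gap": median(gaps)}

if __name__ == "__main__":
    print(timer_signature(parse_sessions(REGULAR)))
    print(timer_signature(parse_sessions(IRREGULAR)))
```

A median lifetime that nearly every session shares is worth comparing against the configured session timeouts on each device in the path.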
04-15-2013 02:52 PM
Yup, that was what was doing my head in - I have an any/any rule with absolutely *no* restrictions from my admin PC, and it was *still* failing.
Replacing this with the custom port and service rule worked, but I *also* had to disable/remove the app override to stop the app filter detecting the traffic and classifying it under my custom app.
Something is really weird with the timeouts and the way this particular program suite works.
And no, the only in-line filtering I'm doing is web classification and virus checking - I don't need (rather, the business doesn't want) file blocking or any of the other fancy stuff.
04-15-2013 05:51 PM
Does this sound an awful lot like the issue you were seeing with app overrides?
48994 | High | 4.1.11 | Session setup timeouts in 10 seconds when using app-override with offloading | TCP sessions time out after 10 seconds | TCP sessions that matched an application override policy were being closed after a few seconds and the packets were being dropped because the application override was being invoked too early in the handshake process, causing the TCP timeout to be set too low. | Disable offloading using CLI command "set session offload no" | 5.0.3, 4.1.11-h2 , 4.1.12 |
04-15-2013 05:57 PM
Not sure what is meant by "offloading", but the results sure sound like what I was experiencing. Although I'm running 4.1.11-h1, not 4.11.1-h2, but I'm guessing what you listed is in that as well.
Which begs the question - why didn't the support guys pick it up quicker? I dunno - you'd think they would know their own known bugs better.
Anyway, it's working now, and I'm not going to stuff with it for a bit. 🙂
04-16-2013 10:10 AM
I just randomly stumbled on that one when I was going over the "big bugs" list, and saw the description on it. It'd be neat if you could try the workaround at some point, but I completely understand the desire to leave it alone because "it just works right now".
04-16-2013 07:22 PM
Yeah, I can't risk breaking it again - if it's not working, it costs us money (we have to stick a media server on AWS somewhere), so my boss would be unimpressed if I broke it again just to check a theory. 🙂
04-16-2013 10:24 PM
And you don't have a testing environment available? 😉
04-17-2013 03:03 PM
Yeah, right. At $15k a pop or thereabouts, I was lucky to get the second 2020 for a HA pair! There's no freakin' way I'm going to have one to just play with! 🙂