tcp_drop_out_of_wnd


L1 Bithead

Hi,

On PanOS 4.0 I have to disable the "tcp_drop_out_of_wnd" check with this command:

> configure
# set deviceconfig setting tcp drop-out-of-wnd no
# commit

How do I disable the "tcp_drop_out_of_wnd" check on PanOS 4.1 (4.1.5)?

Thanks,

Regards.

4 REPLIES

Not applicable

set deviceconfig setting tcp asymmetric-path bypass

A question: are you disabling this because of RDP or SMB (nfs) performance problems? I haven't read anything about others having that problem. But when I disabled tcp_drop_out_of_wnd this solved my issue. Just wondering if this is a bug with PANFW.

Thanks for the reply.

No, I disable tcp_drop_out_of_wnd because some HTTP (only HTTP, not FTP) downloads break.

This is totally random; a ticket has been open with Palo Alto support for 1 month.

Maybe it's because (I think; Palo Alto doesn't give any solution or suggestion) I have a special network architecture:

            Internet
                |
             Vsys 1
            /   |   \
           /    |    \
          /     |     \
      Vsys2   Vsys3   Vsys4

I think inter-vsys routing doesn't like the tcp_drop_out_of_wnd check.

We had to use this same command to address some issues on our network with HTTP traffic as well. Still not 100% clear on why, but it definitely made a difference. I was told the new command in 4.1 combines a couple of tweaks that were separate commands in previous versions. I was told this turns off actions for TCP sliding window tracking errors as well as disables the TCP sequence number check for FIN/RST. We also had problems with the tcp non-syn reject.


We had to run this command when having issues with rsh to systems that took longer than need be to respond. We also used it with bypass-exceed to prevent premature TCP timeout issues.

PAN>configure
PAN#set deviceconfig setting tcp drop-out-of-wnd no
PAN#set deviceconfig setting tcp bypass-exceed-oo-queue yes
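
Added example (not from any poster in this thread and not PAN-OS code): a simplified model of a stateful out-of-window check, showing why a firewall that never sees the return ACKs, as on an asymmetric path, starts dropping legitimate segments once the sender moves past the last window it observed. The tracker class, window size and sequence numbers are constructed assumptions.

```python
# Simplified model of a stateful "out-of-window" check (an assumption for
# illustration; not the algorithm PAN-OS actually uses).
MOD = 2**32

def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (handles wrap-around)."""
    return ((a - b + 2**31) % MOD) - 2**31

class WindowTracker:
    """Receive window one endpoint advertised, as the firewall saw it."""
    def __init__(self, ack, win):
        self.ack, self.win = ack, win      # last ACK number and window seen

    def observe_ack(self, ack, win):
        """Called only for ACKs that actually traverse this firewall."""
        if seq_diff(ack, self.ack) >= 0:   # ignore old or reordered ACKs
            self.ack, self.win = ack, win

    def in_window(self, seq, length):
        """True if the segment ends at or below the right window edge."""
        end = (seq + length) % MOD
        return seq_diff(end, (self.ack + self.win) % MOD) <= 0

def simulate(firewall_sees_acks, segments=8, mss=1460, win=4380,
             isn=MOD - 3000):
    """Server sends full-size segments and the client ACKs each one.
    Returns the firewall's verdict per segment ('pass' or 'drop').
    The constructed ISN sits near 2**32 so the sequence space wraps."""
    fw = WindowTracker(ack=isn, win=win)
    verdicts, seq = [], isn
    for _ in range(segments):
        verdicts.append("pass" if fw.in_window(seq, mss) else "drop")
        seq = (seq + mss) % MOD
        if firewall_sees_acks:             # symmetric path: state advances
            fw.observe_ack(seq, win)
    return verdicts

if __name__ == "__main__":
    print("symmetric :", simulate(True))
    print("asymmetric:", simulate(False))
```

With the check disabled the firewall stops enforcing this window at all, so the model also shows what validation is given up in exchange for the broken downloads going away.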
