Not updating low traffic session status with hw offload enabled

L3 Networker

PA-32xx series with 10.1.9 (issue showed up after upgrade)

There is a long-lasting SSH session where only something like a keepalive is sent every 5 minutes or so. With hardware offload enabled, this traffic is not registered in the dataplane (session stats are not increasing even though there is traffic for that session), and subsequently the TTL is not reset and the session breaks after an hour (TCP timeout).

If HW offload is disabled - everything works as expected, each keepalive resets TCP session TTL.

It looks like the same behavior was seen on other "low traffic" sessions, but SSH is the most obvious one.

Currently there is a TAC case open and under research, but I have a feeling this may be a wider issue, so maybe there's already feedback on this?

1 accepted solution

Accepted Solutions

L3 Networker

For future generations - issue PAN-216314. Long story short - there are two ways the DP registers offloaded traffic counters, traffic-based and time-based (Disable Firewall offloading traffic), and the time-based mechanism was disabled after the upgrade.

When running "debug dataplane internal pdt fe100 csr rd name sem_ctrl" in the case of this issue, the value was

  [    8] ctr_scan_dis                =          1 (0x1)

... but it should be 0.

It can be changed via "debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0".

There is no interruption in traffic; it has to be done on each HA node.

Use at your own risk.

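Added example, not code from the thread or from Palo Alto Networks: a small Python check that parses the output of the "debug dataplane internal pdt fe100 csr rd name sem_ctrl" command quoted above and flags ctr_scan_dis != 0, so the register state can be verified on each HA node before and after the change. Only the ctr_scan_dis line follows the format shown in the thread; the other field names in the sample output are placeholders invented for this example.

```python
import re
from typing import Dict, Optional

# Constructed sample of the sem_ctrl register dump. The ctr_scan_dis line
# is the one quoted in the thread; placeholder_field_* are NOT real
# register fields, just filler so the parser is exercised on several lines.
SAMPLE_BAD = """\
  [    0] placeholder_field_a         =          0 (0x0)
  [    8] ctr_scan_dis                =          1 (0x1)
  [    9] placeholder_field_b         =          0 (0x0)
"""

# Same dump after the fix: ctr_scan_dis cleared to 0.
SAMPLE_GOOD = SAMPLE_BAD.replace("=          1 (0x1)", "=          0 (0x0)")

# Matches lines of the form "  [ idx] name = dec (hex)".
FIELD_RE = re.compile(
    r"^\s*\[\s*(\d+)\]\s+(\w+)\s*=\s*(\d+)\s*\((0x[0-9a-fA-F]+)\)"
)


def parse_sem_ctrl(text: str) -> Dict[str, int]:
    """Parse the register dump into {field_name: value}, cross-checking dec vs hex."""
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # skip prompts, blank lines and anything not a field line
        _idx, name, dec, hexval = m.groups()
        value = int(dec)
        if value != int(hexval, 16):
            raise ValueError(f"decimal/hex mismatch on line: {line!r}")
        fields[name] = value
    return fields


def check_ctr_scan(text: str) -> Optional[str]:
    """Return None when ctr_scan_dis is 0, otherwise a short description of the problem."""
    fields = parse_sem_ctrl(text)
    if "ctr_scan_dis" not in fields:
        return "ctr_scan_dis not present in sem_ctrl output"
    if fields["ctr_scan_dis"] != 0:
        return "ctr_scan_dis=1: time-based offload counter scan disabled (PAN-216314)"
    return None


if __name__ == "__main__":
    for label, sample in (("before fix", SAMPLE_BAD), ("after fix", SAMPLE_GOOD)):
        print(label, "->", check_ctr_scan(sample) or "OK")
```

Run it once per HA node with the real command output pasted in place of the constructed sample.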

3 Replies

L6 Presenter

You may not see it as it is offloaded, but have you checked what happens if you create a new service just to change the timeout, for example to 4/3 minutes?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMbvCAG

Also test application override:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0


L0 Member

Hello, did the TAC give you any solution?
