03-14-2023 01:13 AM
PA-32xx series with 10.1.9 (issue showed up after upgrade)
There is a long-lasting SSH session where only something like a keepalive is sent every 5 minutes or so. With hardware offload enabled, this traffic is not registered in the dataplane (session stats are not increasing even though there is traffic for that session), and subsequently the TTL is not reset and the session breaks after an hour (TCP timeout).
If HW offload is disabled, everything works as expected: each keepalive resets the TCP session TTL.
It looks like the same behavior was seen on other "low traffic" sessions, but SSH is the most obvious one.
Currently there is a TAC case open and under research, but I have a feeling this may be a wider issue, so maybe there's already feedback on this?
04-14-2023 12:17 AM
For future generations - issue PAN-216314. Long story short: there are two ways the DP registers offloaded traffic counters, traffic-based and time-based (Disable Firewall offloading traffic), and the time-based mechanism was disabled after the upgrade.
When running "debug dataplane internal pdt fe100 csr rd name sem_ctrl", in the case of this issue the value was
[ 8] ctr_scan_dis = 1 (0x1)
... but it should be 0.
It can be changed via "debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0".
There is no interruption in traffic, but it has to be done on each HA node.
Use at your own risk.
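An added illustration, not code from the thread or from Palo Alto Networks: a small Python check that parses the sem_ctrl register line quoted above for ctr_scan_dis, plus a deliberately simplified timer model of why an offloaded low-traffic session ages out when the time-based counter scan is off. The "healthy" dump line and the aging model are constructed assumptions, not PAN-OS internals.

```python
import re

# Register dump lines. The first is the line quoted in the thread; the second is
# constructed to stand in for a healthy node (assumes the same "[idx] name = val (hex)" layout).
AFFECTED_DUMP = "[ 8] ctr_scan_dis = 1 (0x1)"
HEALTHY_DUMP = "[ 8] ctr_scan_dis = 0 (0x0)"

FIELD_RE = re.compile(r"^\[\s*\d+\]\s+(\w+)\s*=\s*(\d+)")


def parse_csr_fields(dump: str) -> dict:
    """Parse '[idx] name = value (hex)' lines from a 'csr rd name sem_ctrl' read."""
    fields = {}
    for line in dump.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def ctr_scan_disabled(dump: str) -> bool:
    """True when the time-based counter scan is off, i.e. the PAN-216314 state."""
    return parse_csr_fields(dump).get("ctr_scan_dis", 0) == 1


def session_survives(tcp_timeout: int, keepalive_interval: int,
                     duration: int, scan_enabled: bool) -> bool:
    """Simplified aging model (assumption, not PAN-OS code): the dataplane TTL is
    refreshed only when the offloaded session's counters are seen to change.
    With the scan disabled, keepalives in an offloaded flow never reach the
    dataplane and the TTL runs down to the TCP timeout. Times are in seconds."""
    ttl = tcp_timeout
    for t in range(1, duration + 1):
        ttl -= 1
        if scan_enabled and t % keepalive_interval == 0:
            ttl = tcp_timeout  # keepalive observed, TTL reset
        if ttl <= 0:
            return False  # session aged out despite ongoing keepalives
    return True


if __name__ == "__main__":
    for name, dump in (("affected", AFFECTED_DUMP), ("healthy", HEALTHY_DUMP)):
        print(f"{name}: ctr_scan_dis set = {ctr_scan_disabled(dump)}")
    # 1h TCP timeout, keepalive every 5 min, observed over 4h (thread's numbers)
    for scan in (False, True):
        print(f"scan_enabled={scan}: survives = {session_survives(3600, 300, 4 * 3600, scan)}")
```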
03-23-2023 12:16 AM
You may not see it as it is offloaded, but have you checked what happens if you create a new service just to change the timeout, for example to 4/3 minutes?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMbvCAG
Also test application override:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0
06-01-2023 08:27 PM - edited 06-01-2023 08:29 PM
Hello, did the TAC give you any solution?