SYN ACK RST Loop on inside and SYN ACK only - source port re-use - hung session

L1 Bithead

I have had this happen twice so far, I am wondering how others have solved for it.


Host A -> Palo Alto -> Host B


Host A cycles through its source ports frequently, every couple of minutes.

Host B has long or no TCP keep-alive timers.


Host A:src port X connects to Host B on port 443.

Host A has an issue (reboots, loses power, the app crashes, etc.), but it does NOT close the session. Host B still shows the connection in netstat.


Host A:src port X tries to connect to Host B on port 443. Host B responds with an ACK; this is per RFC. That ACK is passed back to Host A, and Host A responds to the ACK with a RST. The firewall drops the reset, and the connection is stuck. Every time the host cycles back through that source port, it never clears.


Looking on the firewall on the A side, all I see is:

Syn ->

<- ACK

RST->

For about 6 tries from the host on this source port; then it moves on until it gets back around to this port and does it again and again. No way to clear it.


On the B side, I see this:

Syn ->

<- ACK

No reset, the firewall is eating the reset.


I tried putting a deny rule in with reset in both directions, but it only resets on the A side.

Clearing the session in the session table does not work.


I have tried to spoof reset packets and they are not getting through the firewall.


The only thing I have been able to do is have the server guy either clear the session or reboot it if they don't have the capability to clear a stale session. I ask them to turn on keepalives to try to prevent it, but this does not seem right.


This site shows exactly what is happening.

https://serverfault.com/questions/733681/server-sends-ack-in-response-to-syn-causing-a-reset-in-tcp-...


So, I am reaching out to the Live forum for help. 


Is there a way to generate a reset from the Palo Alto in this scenario (an hping3-type command)?

Is there a way to allow that reset from Host A through the firewall (maybe turn off state inspection)? Can you turn off state inspection for just one src/dst pair?


Thanks
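The SYN -> bare ACK -> RST loop described in the post is easy to spot in a packet capture summary taken on either side of the firewall, because a fresh SYN that keeps being answered with a bare ACK (never a SYN-ACK) on the same client source port is the signature of a stale server-side session. The following is an added example, not code from the original post or from Palo Alto Networks; it parses constructed tcpdump-style summary lines (the addresses 10.1.1.5 and 10.2.2.9 and the timestamps are made up) and reports source ports stuck in that loop, noting whether the client's RST was visible in the capture, which distinguishes an A-side capture (RST present) from a B-side capture (RST dropped by the firewall).

```python
"""Detect stale half-open TCP sessions from a tcpdump-style summary.

Pattern (from the post): client reuses source port X, sends SYN, the server
still holds an old connection for that 4-tuple and answers with a bare ACK,
the client replies RST, and the cycle repeats for that port.
"""
import re
from collections import defaultdict

# Matches lines like: "10:00:01.000 IP 10.1.1.5.50000 > 10.2.2.9.443: Flags [S]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample capture (hypothetical hosts): source port 50000 is stuck
# in the SYN / bare-ACK / RST loop; source port 50001 completes a normal handshake.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 10.1.1.5.50000 > 10.2.2.9.443: Flags [S]
10:00:01.001 IP 10.2.2.9.443 > 10.1.1.5.50000: Flags [.]
10:00:01.002 IP 10.1.1.5.50000 > 10.2.2.9.443: Flags [R]
10:00:02.000 IP 10.1.1.5.50000 > 10.2.2.9.443: Flags [S]
10:00:02.001 IP 10.2.2.9.443 > 10.1.1.5.50000: Flags [.]
10:00:02.002 IP 10.1.1.5.50000 > 10.2.2.9.443: Flags [R]
10:00:03.000 IP 10.1.1.5.50001 > 10.2.2.9.443: Flags [S]
10:00:03.001 IP 10.2.2.9.443 > 10.1.1.5.50001: Flags [S.]
10:00:03.002 IP 10.1.1.5.50001 > 10.2.2.9.443: Flags [.]
10:00:04.000 IP 10.1.1.5.50000 > 10.2.2.9.443: Flags [S]
10:00:04.001 IP 10.2.2.9.443 > 10.1.1.5.50000: Flags [.]
10:00:04.002 IP 10.1.1.5.50000 > 10.2.2.9.443: Flags [R]
"""


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for every line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def detect_stuck_ports(text, min_loops=2):
    """Return {client_endpoint: {"syn_ack_loops": n, "rst_seen": bool}}.

    A flow is reported when a SYN is answered by a bare ACK from the other
    side at least `min_loops` times and no SYN-ACK ("S.") is ever seen, i.e.
    the handshake never succeeds on that source port.
    """
    flows = defaultdict(list)  # canonical endpoint pair -> [(sender, flags)]
    for src, sport, dst, dport, flags in parse_capture(text):
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a < b else (b, a)  # same key for both directions
        flows[key].append((a, flags))

    stuck = {}
    for events in flows.values():
        if any(f == "S." for _, f in events):
            continue  # a real handshake happened at least once; not stuck
        loops = sum(
            1 for (s1, f1), (s2, f2) in zip(events, events[1:])
            if f1 == "S" and f2 == "." and s1 != s2
        )
        if loops >= min_loops:
            client = next(s for s, f in events if f == "S")
            # On the A side the client's RST is visible; on the B side the
            # firewall has dropped it, so this stays False.
            rst_seen = any(f.startswith("R") and s == client for s, f in events)
            stuck[client] = {"syn_ack_loops": loops, "rst_seen": rst_seen}
    return stuck


if __name__ == "__main__":
    for (ip, port), info in detect_stuck_ports(SAMPLE_CAPTURE).items():
        print(f"{ip}:{port} stuck: {info['syn_ack_loops']} SYN/ACK loops, "
              f"client RST seen: {info['rst_seen']}")
```

Feed it the output of `tcpdump -nn` (summary lines only, no payload) from a capture on either side; a port that shows up with `rst_seen` true on the A-side capture and false on the B-side capture is exactly the case the post describes, where the firewall is dropping the client's reset.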
