Recently I have come across a scenario that palo alto was dropping TCP SYN packets which have ECN and CWR bits set. upon checking the global counter, i have seen that the drop reason was 'process owner message err, no predict'. anybody have seen this?. PA doesn't support SYN packets with ECN and CWR set ?..
Once I disable this enhancement in windows using the command 'netsh int tcp set global ecncapability=disabled', the session is getting established and the thinks are working fine.