Hi Experts,

we have a lot (I mean a LOT :-)) of non-syn-tcp traffic on our PA5220 cluster. The PA is in an enterprise company. Are we sure that non-syn-tcp means that there is an asymmetric flow? Let me give you an example:

1) Host A sends a SYN to Host B passing through the PA
2) The PA recognizes it properly and establishes a session in its session table
3) Host B receives that SYN and starts the standard communication.

Host A has its idle session timeout at 3 hours; Host B has its idle session timeout at 3 hours; Palo Alto has its idle TCP session timeout at 1 hour. After 1.5 hours Host A sends a TCP Keep-Alive, but on the PA the session doesn't exist anymore... the timeout had expired. So, that flow will be recognized as non-syn-tcp. But it is not an Asymmetric Flow.

Anyway, do you know if there is some other situation where non-syn-tcp does not mean Asymmetric Routing?

Bye!
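The timeline described in the post, modelled as an added example (not part of the original post and not Palo Alto code): a simplified session table that separates non-SYN packets whose session aged out from those whose SYN the firewall never saw. The `Packet` fields, host labels and verdict strings are constructed assumptions; only the 1 hour timeout and the 1.5 hour keep-alive come from the post.

```python
from dataclasses import dataclass

FW_IDLE_TIMEOUT = 3600  # firewall TCP idle timeout from the post (1 hour)

@dataclass
class Packet:
    ts: int      # seconds since the first packet
    src: str
    dst: str
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK / keep-alive

def classify(packets, idle_timeout=FW_IDLE_TIMEOUT):
    """Simplified session-table model (an assumption, not PAN-OS logic)."""
    active = {}       # flow -> time of the last packet the firewall saw
    aged_out = set()  # flows whose session expired in this model
    verdicts = []
    for p in sorted(packets, key=lambda x: x.ts):
        flow = frozenset((p.src, p.dst))  # same key for both directions
        last = active.get(flow)
        if last is not None and p.ts - last > idle_timeout:
            del active[flow]              # idle timer fired before this packet
            aged_out.add(flow)
            last = None
        if last is not None:
            active[flow] = p.ts           # refresh the idle timer
            verdicts.append("allow: existing session")
        elif p.flags == "S":
            active[flow] = p.ts
            aged_out.discard(flow)
            verdicts.append("allow: new session")
        elif flow in aged_out:
            verdicts.append("non-syn-tcp: session aged out")
        else:
            verdicts.append("non-syn-tcp: SYN never seen")
    return verdicts

# Constructed sample: A/B follow the post's timeline, C/D start mid-flow.
SAMPLE = [
    Packet(0, "hostA", "hostB", "S"),
    Packet(1, "hostB", "hostA", "SA"),
    Packet(2, "hostA", "hostB", "A"),
    Packet(10, "hostC", "hostD", "A"),     # firewall never saw this SYN
    Packet(5400, "hostA", "hostB", "A"),   # keep-alive after 1.5 hours
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(pkt.ts, pkt.src, "->", pkt.dst, pkt.flags, verdict)
```

Passing `idle_timeout=3 * 3600`, matching the hosts' 3 hour setting, makes the same keep-alive hit the existing session in this model.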