I am hitting an issue where sessions are ending for the reason "aged-out". Go figure, the problem doesn't present itself readily when I have Support on the line.

The Setup: I have two ISPs. One (I'll call it SummitNet) is an asymmetrical 30Mbps up / 100Mbps down link. This link handles our business traffic to sister campuses as well as the incoming Internet traffic to our public-facing servers. At the moment it is also the primary ISP for our clients. There is no NAT in place on this link, as all the servers and clients have public addresses. The second (Charter) is a symmetrical gigabit link.

Because all but one of our public IP ranges are leased from another campus, we cannot simply change the existing advertised routes. For this reason, I'm attempting to use PBF to send all new sessions from our clients out a NAT interface on this link. The intention is to set the PBF rule for Symmetric Return so my servers can continue to reply to inbound Internet traffic on the SummitNet link without having to set up an inbound NAT on the Charter link. My virtual router (I'm only using one) is set with the SummitNet default route having a metric of 10 and the Charter default route having a metric of 11.

With the setup out of the way, now I can present the problem. I'm going to use YouTube streaming video as the example in these scenarios, as it has been the most consistent in replicating the problem. When I hook my workstation directly to the upstream Charter router, traffic flows as expected and YouTube plays in high quality fine. With my workstation back behind the firewall sending requests out the SummitNet link, YouTube plays fine in both the decrypt and no-decrypt test scenarios. If I send my traffic out the Charter link in the no-decrypt scenario, YouTube still plays fine. However, if I enable decryption on the Charter link, YouTube begins to drop playback quality and eventually halts for buffering.
When it does this, I see the following results in the Traffic monitor log: As you can see in the screenshot, a number of packets are exchanged in the session before the age-out occurs. The firewall is a PA-3020. The Charter link is basically idle, as I am only testing a couple of client machines on it at a time. Does anyone have any ideas as to why this may be occurring?
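As an added example, not part of the original post and not a Palo Alto Networks tool, here is a small script that tabulates sessions from a traffic-log CSV export by egress interface and decryption state and reports how many of each ended with the reason "aged-out". The point is to confirm the correlation described in the post (Charter egress plus decryption) over a whole export rather than by eye in the log viewer. The column names are assumptions about the export's header row, and the sample rows are constructed test data using documentation addresses, not captured traffic.

```python
"""
Added example (not from the original post): group PAN-OS traffic-log
CSV rows by (egress interface, decrypted?) and count how many sessions
per group ended with the reason "aged-out".

Column names below are assumptions about the export header; adjust them
to match the real file. SAMPLE_CSV is constructed test data.
"""
import csv
import io
from collections import defaultdict

# Assumed column names (not verified against a specific PAN-OS release).
COL_EGRESS = "Outbound Interface"
COL_DECRYPT = "Decrypted"
COL_END_REASON = "Session End Reason"
COL_BYTES = "Bytes"

# Constructed sample export: ethernet1/1 stands in for the SummitNet link,
# ethernet1/2 for the Charter NAT interface. 203.0.113.0/24 is a
# documentation range, not a real video server.
SAMPLE_CSV = """Receive Time,Source,Destination,Application,Outbound Interface,Decrypted,Session End Reason,Bytes
2024/01/10 10:00:01,10.0.0.5,203.0.113.10,youtube-base,ethernet1/1,no,tcp-fin,412000
2024/01/10 10:00:03,10.0.0.5,203.0.113.10,youtube-base,ethernet1/1,yes,tcp-fin,398000
2024/01/10 10:01:07,10.0.0.5,203.0.113.10,youtube-base,ethernet1/2,no,tcp-fin,455000
2024/01/10 10:01:09,10.0.0.5,203.0.113.10,youtube-base,ethernet1/2,yes,aged-out,61000
2024/01/10 10:01:15,10.0.0.6,203.0.113.10,youtube-base,ethernet1/2,yes,aged-out,58000
2024/01/10 10:01:20,10.0.0.6,203.0.113.10,youtube-base,ethernet1/2,yes,tcp-fin,420000
"""


def aged_out_by_path(csv_text):
    """Return {(egress_iface, decrypted): (aged_out_count, total_count)}.

    'decrypted' is True when the Decrypted column is "yes" (case-insensitive).
    """
    stats = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row[COL_EGRESS].strip(), row[COL_DECRYPT].strip().lower() == "yes")
        stats[key][1] += 1
        if row[COL_END_REASON].strip() == "aged-out":
            stats[key][0] += 1
    return {k: tuple(v) for k, v in stats.items()}


def aged_out_rate(csv_text):
    """Fraction of sessions per (egress_iface, decrypted) path that aged out."""
    return {k: aged / total for k, (aged, total) in aged_out_by_path(csv_text).items()}


def mean_bytes_of_aged_out(csv_text):
    """Mean Bytes of aged-out sessions per path, to see whether they are
    short-lived (died mid-stream) or full-length (just never closed).
    Paths with no aged-out sessions are omitted."""
    totals = defaultdict(lambda: [0, 0])  # (bytes_sum, count)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[COL_END_REASON].strip() != "aged-out":
            continue
        key = (row[COL_EGRESS].strip(), row[COL_DECRYPT].strip().lower() == "yes")
        totals[key][0] += int(row[COL_BYTES])
        totals[key][1] += 1
    return {k: total / n for k, (total, n) in totals.items()}


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("traffic.csv").read() for a real export.
    counts = aged_out_by_path(SAMPLE_CSV)
    rates = aged_out_rate(SAMPLE_CSV)
    sizes = mean_bytes_of_aged_out(SAMPLE_CSV)
    print(f"{'egress':<14}{'decrypt':<9}{'aged-out/total':<16}{'rate':<7}mean bytes (aged-out)")
    for key in sorted(counts):
        aged, total = counts[key]
        print(f"{key[0]:<14}{str(key[1]).lower():<9}{f'{aged}/{total}':<16}"
              f"{rates[key]:<7.2f}{sizes.get(key, 0):.0f}")
```

Against a real export, a high rate in exactly one (interface, decrypted=yes) row with a low mean byte count is the pattern to take to Support; a similar rate in the non-decrypted row on the same interface would instead point at the path itself rather than at decryption.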