set deviceconfig setting tcp asymmetric-path bypass
A question: are you disabling this because of RDP or SMB (nfs) performance problems? I haven't read anything about others having that problem. But when I disabled tcp_drop_out_of_win this solved my issue. Just wondering if this is a bug with PANFW.
Thanks for the reply.
No, I disable tcp_drop_out_of_wnd because some HTTP (only HTTP, not FTP) downloads break.
This is totally random; a ticket has been open with Palo Alto support for 1 month.
Maybe it's because (I think; Palo Alto doesn't give any solution or suggestion) I have a special network architecture:
/ | \
/ | \
/ | \
Vsys2 Vsys3 Vsys4
I think inter-vsys routing doesn't like the tcp_drop_out_of_wnd check.
We had to use this same command to address some issues on our network with HTTP traffic as well. Still not 100% clear on why, but it definitely made a difference. I was told the new command in 4.1 combines a couple of tweaks that were separate commands in previous versions. I was told this turns off actions for TCP sliding window tracking errors as well as disabling the TCP sequence number check for FIN/RST. We also had problems with the TCP non-SYN reject.
We had to run this command when having issues with rsh to systems that took longer than need be to respond. We also used it with bypass-exceed to prevent premature TCP timeout issues.
PAN#set deviceconfig setting tcp drop-out-of-wnd no
PAN#set deviceconfig setting tcp bypass-exceed-oo-queue yes
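Added example, not part of any post in this thread and not Palo Alto code: a small audit that reads set-format configuration text and reports which of the three TCP settings posted above are still in the relaxed state. It assumes a later `set` line overrides an earlier one for the same setting; the sample config, including the `drop-out-of-wnd yes` line, is constructed.

```python
import re

# Relaxed values exactly as posted in this thread, keyed by the token that
# follows "set deviceconfig setting tcp".
RELAXED = {
    "asymmetric-path": "bypass",
    "drop-out-of-wnd": "no",
    "bypass-exceed-oo-queue": "yes",
}

# Accepts an optional CLI prompt such as "PAN#" glued to the command.
SET_TCP = re.compile(
    r"^\s*(?:\S*[#>]\s*)?set\s+deviceconfig\s+setting\s+tcp\s+(\S+)\s+(\S+)\s*$"
)


def effective_tcp_settings(text):
    """Return {setting: (value, line_no)}; a later line overrides an earlier one."""
    state = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = SET_TCP.match(line)
        if match:
            state[match.group(1)] = (match.group(2).lower(), line_no)
    return state


def relaxed_findings(text):
    """List (line_no, setting, value) for settings left in the relaxed state."""
    findings = []
    for setting, (value, line_no) in effective_tcp_settings(text).items():
        if RELAXED.get(setting) == value:
            findings.append((line_no, setting, value))
    return sorted(findings)


# Constructed sample: a set-format export mixing prompts, unrelated lines and
# a setting that is relaxed and later restored.
SAMPLE = """\
set deviceconfig system hostname fw-lab
PAN#set deviceconfig setting tcp drop-out-of-wnd no
PAN#set deviceconfig setting tcp bypass-exceed-oo-queue yes
set deviceconfig setting tcp asymmetric-path bypass
set deviceconfig setting tcp drop-out-of-wnd yes
"""

if __name__ == "__main__":
    for line_no, setting, value in relaxed_findings(SAMPLE):
        print(f"line {line_no}: tcp {setting} = {value} (TCP state check relaxed)")
```

Running it against a saved config shows which workarounds from a troubleshooting session were never reverted, so each one can be tied back to the ticket that justified it.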