Remote Desktop Connection Resetting – Palo Alto Firewalls

This was a very odd issue. It turned out to be a bug in the Palo Alto 8.1.4 code. 2 Virtual Routers were configured in the same broadcast domains. However, traffic from an inside device was being routed to the wrong virtual router. The .3 Internet VSYS had a better route than a directly connected interface, which made no sense. As a result, there was asymmetric routing. This caused Remote Desktop connections to time out every so often, which made them unusable.

Initial troubleshooting consisted of reviewing the logs on the Palo Alto Monitor tab and running a packet trace.

Monitor Tab

Running Packet trace with Palo Alto

non-SYN TCP without session match

FW-NAME(active)> show counter global filter packet-filter yes delta yes severity drop

Global counters:
Elapsed time since last sampling: 58.542 seconds

name                   value  rate  severity  category  aspect   description

flow_tcp_non_syn_drop  5      0     drop      flow      session  Packets dropped: non-SYN TCP without session match

Total counters shown: 1
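
To watch for this symptom across repeated samples, the counter output above can be parsed and checked automatically. The script below is an added example, not part of the original post or any Palo Alto tooling; the function names and the watch list are assumptions, and the sample text is the output quoted above with whitespace-separated columns.

```python
import re

# Counter the post ties to the asymmetric-routing symptom (watch list is an assumption).
ASYMMETRY_COUNTERS = {"flow_tcp_non_syn_drop"}

# Constructed sample: the CLI output quoted in the post.
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 58.542 seconds

name value rate severity category aspect description
flow_tcp_non_syn_drop 5 0 drop flow session Packets dropped: non-SYN TCP without session match

Total counters shown: 1
"""

# A data row is: name, two integers, three single-word fields, free-text description.
ROW = re.compile(r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
                 r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+"
                 r"(?P<description>.+)$")
ELAPSED = re.compile(r"Elapsed time since last sampling:\s*([\d.]+)\s*seconds")

def parse_counters(text):
    """Return (elapsed_seconds, {name: row}) from 'show counter global' output."""
    elapsed, rows = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = ELAPSED.search(line)
        if m:
            elapsed = float(m.group(1))
            continue
        m = ROW.match(line)  # the header row fails here: 'value' is not an integer
        if m:
            row = m.groupdict()
            row["value"], row["rate"] = int(row["value"]), int(row["rate"])
            rows[row["name"]] = row
    return elapsed, rows

def asymmetry_findings(text, watch=ASYMMETRY_COUNTERS):
    """List watched drop counters that incremented during the sampling window."""
    elapsed, rows = parse_counters(text)
    findings = []
    for name in sorted(n for n in watch if n in rows):
        r = rows[name]
        if r["severity"] == "drop" and r["value"] > 0:
            per_min = round(r["value"] * 60 / elapsed, 2) if elapsed else None
            findings.append((name, r["value"], per_min))
    return findings

if __name__ == "__main__":
    for name, count, per_min in asymmetry_findings(SAMPLE):
        print(f"{name}: {count} drops (~{per_min}/min); check for asymmetric routing")
```

Because the command was run with delta yes, the value column is the change since the previous sample, so any non-zero result while an RDP session is active points at return traffic reaching the firewall without a matching session.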

The final solution was to split the 2 VSYS into separate subnets. This produced the result of routing correctly and consistently.


Nick H
