My first post here, and first of all I want to say hello to everyone and of course to Tom!
PAN-OS 8.1.10-h1
We have a weird issue where F5 keep shifting UDP packets for a given flow and sends them toward PA.
Below the clean and expected flow sent from the client:
It looks like PA is doing its best to receive, apply NAT and send packets in the correct order, but it still fails. Not all packets are sent in exactly the same order (based on the client-side capture above):
Checking the KB below, it looks like they all should be sent in the correct order:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWeCAK
Does this mean PA is doing best efforts or that feature is broken?
Thanks,
myky
I see, thanks Tom!
Under normal circumstances, the network device should not shuffle packets. Just trying to understand why they arrive out-of-order in the first place.
I haven't seen this before, hence some doubts.
My assumption is that, for the given flow, the sender will be incrementing the initially chosen IP ID by 1 for every packet (fragments will have the same IP ID).
Hello guys,
Just wondering if I am applying the correct logic for UDP in this case.
Packets are not fragmented but sent in a specific order with equally incremented IP IDs.
Now, just wondering if this is even relevant. 🤔
Thanks,
myky
More things to test: check packet buffer usage
show running resource-monitor
If the buffer is filling up, see if packet buffer protection is enabled on your zones. See if disabling that helps (disable zone protection while you're at it).
I don't know, I'm hoping the global counters point that out
don't forget to check the software pools, maybe you're depleting them because the packets are so scrambled
debug dataplane pool statistics
@myky so glad to see you here! welcome! :D
Have you tried to trace the global counters for this session? Do you happen to know the relative time between the 26629 cluster and the 26648 cluster? It could be that the palo is handling frames of packets and reordering them, but the distance between some is too large to properly reorder the entire chain.
the global counters may shed some light on that if the packets on the 'fringe' of the firewall's capability/buffer might get discarded every so often
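A small checker for the two questions raised in this thread, as an added example that is not code from any poster or from Palo Alto Networks: myky's logic that the IP ID acts as a per-flow sequence number for unfragmented UDP, and Tom's question about how far apart the reordered IDs and the 26629/26648 clusters are in time. It takes per-packet records as you would export them from a capture (timestamp, 4-tuple, IP ID), groups them per UDP flow, and reports late packets, the largest reordering displacement in IDs, forward jumps in the ID sequence (loss, or packets that show up later), and the longest silence between consecutive packets. The packet list, addresses and ports below are constructed for the example, not taken from any real capture, and the whole approach only tells you something when the sender really does increment the IP ID by one per datagram, as assumed in the thread.

```python
"""Per-flow UDP reordering report using the IP ID as a sequence number.

Added example for the thread above; it assumes (as myky does) that the
sender increments the IP ID by one for every datagram of a flow, so a
lower ID arriving after a higher one means the packet arrived late.
"""
from collections import defaultdict

# Constructed sample records: (time_s, src, sport, dst, dport, ip_id).
# The IDs mimic the two clusters mentioned in the thread (26629.., 26648..)
# but the values, hosts and timings are invented for this example.
SAMPLE_PACKETS = [
    (0.000, "10.0.0.5", 40000, "10.1.1.10", 5060, 26629),
    (0.001, "10.0.0.5", 40000, "10.1.1.10", 5060, 26630),
    (0.002, "10.0.0.5", 40000, "10.1.1.10", 5060, 26632),  # 26631 is late
    (0.003, "10.0.0.5", 40000, "10.1.1.10", 5060, 26631),
    (0.004, "10.0.0.5", 40000, "10.1.1.10", 5060, 26633),
    (0.500, "10.0.0.5", 40000, "10.1.1.10", 5060, 26648),  # second cluster
    (0.501, "10.0.0.5", 40000, "10.1.1.10", 5060, 26650),
    (0.502, "10.0.0.5", 40000, "10.1.1.10", 5060, 26649),  # late again
    (0.010, "10.0.0.6", 41000, "10.1.1.10", 5060, 100),    # unrelated flow, in order
    (0.011, "10.0.0.6", 41000, "10.1.1.10", 5060, 101),
]


def id_delta(a, b):
    """Signed distance a - b in the 16-bit IP ID space (handles wrap-around)."""
    d = (a - b) & 0xFFFF
    return d - 0x10000 if d >= 0x8000 else d


def analyze_flow(arrivals):
    """arrivals: list of (time_s, ip_id) in arrival order for one flow.

    Returns a stats dict: total packets, packets that arrived after a
    higher ID ("late"), the largest displacement of a late packet in IDs,
    forward jumps of more than one ID, and the longest gap between
    consecutive packets as (seconds, previous_id, next_id).
    """
    stats = {"packets": len(arrivals), "late": 0, "max_displacement": 0,
             "forward_jumps": 0, "largest_gap": (0.0, None, None)}
    highest = None
    prev_t, prev_id = None, None
    for t, ip_id in arrivals:
        if prev_t is not None:
            gap = round(t - prev_t, 6)
            if gap > stats["largest_gap"][0]:
                stats["largest_gap"] = (gap, prev_id, ip_id)
        prev_t, prev_id = t, ip_id
        if highest is None:
            highest = ip_id
            continue
        d = id_delta(ip_id, highest)
        if d < 0:
            # A lower ID after a higher one: reordered on the way to us.
            stats["late"] += 1
            stats["max_displacement"] = max(stats["max_displacement"], -d)
        else:
            if d > 1:
                # IDs were skipped: lost, or still in flight behind us.
                stats["forward_jumps"] += 1
            highest = ip_id
    return stats


def analyze_capture(packets):
    """Group records by UDP 4-tuple (in timestamp order) and analyze each flow."""
    flows = defaultdict(list)
    for t, src, sport, dst, dport, ip_id in sorted(packets, key=lambda p: p[0]):
        flows[(src, sport, dst, dport)].append((t, ip_id))
    return {flow: analyze_flow(arrivals) for flow, arrivals in flows.items()}


if __name__ == "__main__":
    for flow, s in analyze_capture(SAMPLE_PACKETS).items():
        gap, a, b = s["largest_gap"]
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: "
              f"{s['packets']} pkts, {s['late']} late, "
              f"max displacement {s['max_displacement']} IDs, "
              f"{s['forward_jumps']} forward jumps, "
              f"longest gap {gap}s between IDs {a} and {b}")
```

Run it against the same flow captured on the client side and on the firewall's ingress and egress interfaces: if the late count and displacement are already non-zero on ingress, the reordering happens upstream (the F5 in this thread), and the displacement tells you how many packets the firewall would have to hold back to put the chain straight again.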