SSH/SSL Packet Count Low for Large Data Transfer

Created On 09/26/18 13:55 PM - Last Modified 06/02/20 23:16 PM


Symptom


A log event shows 1+ gigabytes transferred, but only 8 packets.

Resolution


By default, once the Palo Alto Networks firewall identifies an application from the first few packets, it uses the Fast Path through the hardware chip to send data. When the firewall uses the Fast Path for an SSH or SSL application, it doesn't keep track of the packets because they are encrypted. It still counts the bytes, though, which is why a log entry can show only 6 or 8 packets for gigabytes of data.

Use the following command to turn off session offload. Every packet will then be sent to the Slow Path and counted.

> set session offload no

Note: Turning off session offload may lower throughput performance by 15% or more. It should always be used with caution, and session offload should be turned back on when troubleshooting is done.
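
When reviewing exported traffic logs, the sketch below separates sessions whose packet count is undercounted because of offload (SSH/SSL, as described above) from sessions whose byte-to-packet ratio is impossible for some other reason. It is an added example, not Palo Alto Networks code; the CSV column names and the sample rows are constructed for illustration and are not the PAN-OS log schema.

```python
import csv
import io

# Largest possible IPv4 packet; no single packet can carry more bytes than this.
MAX_IP_PACKET_BYTES = 65535
# Applications the article names as affected by Fast Path offload.
ENCRYPTED_APPS = {"ssh", "ssl"}

# Constructed sample export; column names are assumptions for this example.
SAMPLE_LOG = """session_id,app,bytes,packets
1001,ssl,1288490188,8
1002,ssh,2147483648,6
1003,ssl,48213,61
1004,web-browsing,1500000000,7
1005,ssh,0,0
"""

def classify(row):
    """Return 'offload-undercount', 'implausible' or 'ok' for one log row."""
    pkts = int(row["packets"])
    total = int(row["bytes"])
    if pkts == 0:
        return "ok" if total == 0 else "implausible"
    if total / pkts <= MAX_IP_PACKET_BYTES:
        return "ok"
    # More bytes per packet than any IP packet can hold: the packet counter
    # is incomplete, so only the byte counter can be trusted for this session.
    if row["app"].lower() in ENCRYPTED_APPS:
        return "offload-undercount"
    return "implausible"

def triage(text):
    """Map session_id -> classification for every row of a CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {r["session_id"]: classify(r) for r in reader}

if __name__ == "__main__":
    for sid, verdict in triage(SAMPLE_LOG).items():
        print(sid, verdict)
```

Rows marked offload-undercount match the behavior this article explains; rows marked implausible are not covered by it and need a separate look.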


Additional Information


For information about the Fast Path and Slow Path, see: Packet Flow in PAN-OS
