Throughput issues when traversing through Firewall in OCI

Created On 02/13/20 15:44 PM - Last Modified 04/04/20 00:07 AM


Symptom


  • When traffic between OCI instances traverses the firewall, either throughput is degraded or the traffic stops passing completely.
  • Perform PAN-OS traffic troubleshooting to identify the traffic flow and confirm whether packets are received on the PA-VM.
  • Perform packet captures on the firewall, based on configured filters, to see whether any packets are captured. In this case, the TCP connection is being reset due to timeout.
  • Monitor global counters to see whether packets are being dropped:
    show counter global filter delta yes packet-filter yes
  • In this case, packets are exceeding the configured MTU.
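
The global-counter check above can be scripted once the CLI output has been saved as text. The Python below is an added example, not part of the original article or of any Palo Alto Networks tooling; the sample output, its counter names and values, and the column layout are constructed assumptions.

```python
import re

# Constructed sample of `show counter global filter delta yes packet-filter yes`
# output. Counter names, values and column layout are assumptions for this example.
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 10.002 seconds

name                        value   rate severity category aspect   description
--------------------------------------------------------------------------------
pkt_recv                      412     41 info     packet   pktproc  Packets received
pkt_sent                      118     11 info     packet   pktproc  Packets transmitted
flow_fwd_mtu_exceeded         294     29 info     flow     forward  Packets lengths exceeded MTU
flow_tcp_non_syn_drop           3      0 drop     flow     session  Packets dropped: non-SYN TCP without session match
--------------------------------------------------------------------------------
Total counters shown: 4
"""

# name, delta value, rate, severity, category, aspect, free-text description
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse_counters(text):
    """Return one dict per counter row; banner, header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, value, rate, severity, category, aspect, desc = m.groups()
        rows.append({"name": name, "value": int(value), "rate": int(rate),
                     "severity": severity, "category": category,
                     "aspect": aspect, "description": desc})
    return rows

def mtu_findings(text):
    """Counters with a non-zero delta whose name or description mentions MTU."""
    return [r for r in parse_counters(text)
            if r["value"] > 0 and "mtu" in f'{r["name"]} {r["description"]}'.lower()]

def drop_findings(text):
    """Counters of severity 'drop' that incremented during the sampling window."""
    return [r for r in parse_counters(text)
            if r["severity"] == "drop" and r["value"] > 0]

if __name__ == "__main__":
    for r in mtu_findings(SAMPLE) + drop_findings(SAMPLE):
        print(f'{r["name"]}: +{r["value"]} ({r["severity"]}) {r["description"]}')
```

In the constructed sample the MTU counter is not of severity drop, so the check matches on name and description instead of filtering on severity alone.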


Environment


  • Platform: VM-Series Firewall
  • PAN-OS / Plugin Version:  Any
  • Deployment: Any


Cause


  • PA-VM interfaces are set to use an MTU of 1500, whereas OCI spins up VM instances in jumbo mode by default.
  • By default, OCI Compute instances use an MTU of 9000:
    https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Troubleshoot/connectionhang.html


Resolution


  • Enable Jumbo Frames on the Firewall:
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVaCAK