ION not forwarding traffic for a specific UDP flow

ION not forwarding traffic for a specific UDP flow

1590
Created On 04/11/24 11:16 AM - Last Modified 06/04/25 23:24 PM


Symptom


  • Forwarding of UDP-based (or non-tcp) application flows stopped although the flow exist in the ION's flow table .
  • This happened after an event such as a VPN or a Circuit flap.
  • TCP flows are forwarded and working as expected.

Environment


  • Prisma SD-WAN
  • ION devices

Cause


  • When there is an event like a link/vpn failure or circuit flap, the ON device switches the flow's path.
  • Since the source machine is constantly sending traffic, the session never times out.
  • The ION device does not have the chance to recalculate the path once original Path is recovered.
  • Additionally, for UDP, it's not possible to track the status of the connection (as it is in TCP), therefore on the ION device the UDP flow is alive as long as there's one-way traffic.

Resolution


  1. Using the following command, check the flow. The output shows that the selected path-id is not the expected one:
inspect flow brief srcv4=<IP1> dstv4=<IP2>
  1. Check the Path using the path-id retrieved in the previous command:
inspect flow brief srcv4=<IP1> dstv4=<IP2>
  1. Clear ongoing UDP flows related to these two hosts:

clear flows srcv4=<IP1> dstv4=<IP2> prot=17
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrL7CAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail