Application failure through firewall when jumbo frames are enabled

19740
Created On 08/31/20 22:01 PM - Last Modified 10/08/20 01:27 AM


Symptom


  • A large number of sessions go to the *DISCARD* state with the application identified as unknown-tcp.
  • The session tracker for an affected session shows the status "appid stop lookup":
session QoS rule : N/A (class 4)
tracker stage firewall : appid stop lookup
end-reason : unknown
  • DP-Monitor logs show the counter appid_post_pkt_queued holding at the value 4300, which is the size assigned to the appid queue when jumbo frames are enabled. The value does not change between samples, meaning the queue is full and no longer draining:
2020-08-30 11:01:56 :appid_post_pkt_queued 4300 0
2020-08-30 11:11:56 :appid_post_pkt_queued 4300 0
2020-08-30 11:21:56 :appid_post_pkt_queued 4300 0
2020-08-30 11:31:56 :appid_post_pkt_queued 4300 0
2020-08-30 11:41:56 :appid_post_pkt_queued 4300 0
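The following is an added example, not part of the Palo Alto Networks article, showing how to pick this symptom out of a dp-monitor excerpt automatically. It assumes the "<timestamp> :<counter> <value> <rate>" line layout visible in the excerpt above; the sample lines are constructed (the two rising values and the pkt_recv line are invented to show the queue filling before it pegs), and the 4096 threshold is taken from the Cause section of this article.

```python
import re

# Constructed sample (not captured from a real device): dp-monitor counter lines
# in the same "<timestamp> :<counter> <value> <rate>" layout the article excerpts.
# The first two appid lines and the pkt_recv line are invented to show the queue
# filling before it pegs and to show that unrelated counters are ignored.
SAMPLE_LOG = """\
2020-08-30 10:41:56 :appid_post_pkt_queued 120 0
2020-08-30 10:51:56 :appid_post_pkt_queued 2875 0
2020-08-30 11:01:56 :appid_post_pkt_queued 4300 0
2020-08-30 11:11:56 :appid_post_pkt_queued 4300 0
2020-08-30 11:21:56 :appid_post_pkt_queued 4300 0
2020-08-30 11:31:56 :appid_post_pkt_queued 4300 0
2020-08-30 11:41:56 :appid_post_pkt_queued 4300 0
2020-08-30 11:41:56 :pkt_recv 9187223 0
"""

COUNTER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) :(?P<name>\S+) (?P<value>\d+) (?P<rate>\d+)$"
)

# Appid queue depth the article gives for a jumbo-frame-enabled firewall. A counter
# sitting at or above this for sample after sample means the queue is full.
JUMBO_APPID_QUEUE = 4096


def parse_counter(text, name="appid_post_pkt_queued"):
    """Extract (timestamp, value) pairs for one counter; other lines are ignored."""
    samples = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m and m.group("name") == name:
            samples.append((m.group("ts"), int(m.group("value"))))
    return samples


def find_pegged_runs(samples, threshold=JUMBO_APPID_QUEUE, min_run=3):
    """Return runs of at least min_run consecutive samples stuck at one value >= threshold.

    A healthy queue fluctuates between samples. A value that does not move across
    several consecutive samples, at or above the queue limit, is the signature of
    the "appid stop lookup" condition the article describes.
    """
    runs = []
    i = 0
    while i < len(samples):
        j = i
        while j + 1 < len(samples) and samples[j + 1][1] == samples[i][1]:
            j += 1
        count = j - i + 1
        if count >= min_run and samples[i][1] >= threshold:
            runs.append({"value": samples[i][1], "count": count,
                         "start": samples[i][0], "end": samples[j][0]})
        i = j + 1
    return runs


def diagnose(text):
    """One-line verdict for a dp-monitor excerpt."""
    runs = find_pegged_runs(parse_counter(text))
    if not runs:
        return "appid queue not pegged in this excerpt"
    r = runs[0]
    return (f"appid_post_pkt_queued pegged at {r['value']} for {r['count']} samples "
            f"({r['start']} .. {r['end']}): queue full, expect sessions discarded as unknown-tcp")


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run it against the dp-monitor log of a suspect firewall; the run detector deliberately requires the value to be both flat and at or above the queue limit, so a queue that is merely busy but still draining is not reported.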


Environment


  • PAN-OS 9.0.9-h1
  • PA-5220
  • Jumbo frames enabled


Cause


  • Enabling jumbo frames on the firewall reduces the appid queue size from 65536 to 4096 entries.
  • A sustained volume of unknown-tcp traffic (sessions that App-ID cannot classify) in the customer's environment fills the reduced appid queue quickly.
  • Once the appid queue limit is reached, the default action for further packets is drop, which is why the affected sessions end up in the DISCARD state.


Resolution


Upgrade to PAN-OS 9.0.10, which contains the fix for this issue. After upgrading, confirm that the appid_post_pkt_queued counter in the DP-Monitor logs no longer holds at its limit and that sessions are no longer discarded as unknown-tcp.

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAZMCA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail