TFTP Predict/Child sessions are logged with the wrong interface in the traffic logs and session table
6033
Created On 08/14/23 09:01 AM - Last Modified 04/22/24 04:47 AM
Symptom
TFTP Predict sessions are logged with the wrong interface in the traffic logs and session table
- In an asymmetric routing environment, when a TFTP session is created from a source (10.2.2.1) through an interface that is not the routing-table egress interface for that source (eth1), the predict session is built based on the incoming interface of the parent session, and the child session inherits the predict session.
- The child session for destination 10.2.2.1 therefore shows the egress interface as eth1, taken from the predict session, but the firewall forwards its packets according to the routing table (FIB) entry.
admin@PA-VM> test routing fib-lookup ip 10.2.2.1 virtual-router default

--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: default
destination: 10.2.2.1
result:
via 10.193.1.2 interface ethernet1/2, source 10.193.1.1, metric 10
--------------------------------------------------------------------------------

admin@PA-VM> show session all

--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
131 tftp ACTIVE PRED 10.1.2.2[0]/L3-Trust/17 (10.1.2.2[0])
vsys1 10.2.2.1[55477]/L3-Untrust (10.2.2.1[55477])
130 tftp ACTIVE FLOW 10.2.2.1[55477]/L3-Untrust/17 (10.2.2.1[55477])
vsys1 10.1.2.2[69]/L3-Trust (10.1.2.2[69])
132 tftp ACTIVE FLOW 10.1.2.2[10288]/L3-Trust/17 (10.1.2.2[10288])
vsys1 10.2.2.1[55477]/L3-Untrust (10.2.2.1[55477])

admin@PA-VM> show session id 132

Session 132
c2s flow:
source: 10.1.2.2 [L3-Trust]
dst: 10.2.2.1
proto: 17
sport: 10288 dport: 55477
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.2.2.1 [L3-Untrust]
dst: 10.1.2.2
proto: 17
sport: 55477 dport: 10288
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Fri Jul 14 06:10:18 2023
timeout : 30 sec
time to live : 21 sec
total byte count(c2s) : 67
total byte count(s2c) : 0
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 0
vsys : vsys1
application : tftp
rule : all
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : enabled
ctd version : 1
URL filtering enabled : False
session via prediction : True
use parent's policy : True
parent session : 130 <== Parent session
refresh parent session : True
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/3
egress interface : ethernet1/1 <== egress interface as per parent
session QoS rule : N/A (class 4)
end-reason : unknown

admin@PA-VM> show session id 131

Session 131
c2s flow:
source: 10.1.2.2 [L3-Trust]
dst: 10.2.2.1
proto: 17
sport: 0 dport: 55477
state: ACTIVE type: PRED
src user: unknown
dst user: unknown
s2c flow:
source: 10.2.2.1 [L3-Untrust]
dst: 10.1.2.2
proto: 17
sport: 55477 dport: 0
state: OPENING type: PRED
src user: unknown
dst user: unknown
start time : Fri Jul 14 06:10:08 2023
timeout : 180 sec
time to live : 137 sec
total byte count(c2s) : 0
total byte count(s2c) : 0
layer7 packet count(c2s) : 0
layer7 packet count(s2c) : 0
vsys : vsys1
application : tftp
rule : all
service timeout override(index) : False
session to be logged at end : False
session in session ager : True
session updated by HA peer : False
parent session : 130 <==== parent session
prediction triggered by : client
single-use prediction : False
prediction was matched : True
end-reason : unknown

admin@PA-VM> show session id 130

Session 130
c2s flow:
source: 10.2.2.1 [L3-Untrust]
dst: 10.1.2.2
proto: 17
sport: 55477 dport: 69
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.1.2.2 [L3-Trust]
dst: 10.2.2.1
proto: 17
sport: 69 dport: 55477
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Fri Jul 14 06:10:08 2023
timeout : 30 sec
total byte count(c2s) : 92
total byte count(s2c) : 0
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 0
vsys : vsys1
application : tftp
rule : all
service timeout override(index) : False
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/1 <== initiated from interface not in routing table
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
tracker stage firewall : Aged out
end-reason : aged-out
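An added example, not part of this article or of PAN-OS: a small Python check that parses the text of "show session id" and "test routing fib-lookup" as shown above and flags predicted child sessions whose logged egress interface differs from the FIB interface for the c2s destination. The session and FIB text are constructed samples modelled on the output above, and the function names are assumptions.

```python
import re
# Constructed sample data modelled on the article's CLI output (not a capture).
SESSION_132 = """\
Session 132
        c2s flow:
                source:      10.1.2.2 [L3-Trust]
                dst:         10.2.2.1
        s2c flow:
                source:      10.2.2.1 [L3-Untrust]
                dst:         10.1.2.2
        session via prediction           : True
        parent session                   : 130
        ingress interface                : ethernet1/3
        egress interface                 : ethernet1/1
"""
FIB_LOOKUP = """\
virtual-router: default
destination:    10.2.2.1
result:
via 10.193.1.2 interface ethernet1/2, source 10.193.1.1, metric 10
"""

def parse_session(text):
    """Map 'field : value' lines to a dict; first occurrence wins, so 'dst' is the c2s destination."""
    fields = {}
    m = re.match(r"Session (\d+)", text)
    fields["id"] = m.group(1) if m else None
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def fib_interface(text):
    """Pull the egress interface out of 'test routing fib-lookup' output."""
    m = re.search(r"\binterface (\S+),", text)
    return m.group(1) if m else None

def egress_mismatch(session_text, fib_text):
    """Return details when a predicted child's logged egress interface differs from the FIB, else None."""
    s = parse_session(session_text)
    if s.get("session via prediction") != "True":
        return None  # only predicted children inherit the parent's interface
    expected, logged = fib_interface(fib_text), s.get("egress interface")
    if expected and logged and expected != logged:
        return {"id": s["id"], "dst": s.get("dst"), "parent": s.get("parent session"),
                "logged_egress": logged, "fib_egress": expected}
    return None
```

Run this against the session output of each predicted child (type FLOW with "session via prediction : True") to list the entries whose traffic-log interface will not match the forwarding path.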
Environment
- PaloAlto firewall
- Asymmetric routing
- TFTP sessions that create predict sessions.
Cause
ALG/SIP-predicted child sessions do not support asymmetric routing, which causes the egress interface of the child session to be logged incorrectly.
Resolution
Although the expectation is that the session table and the traffic logs show the updated egress interface, this does not happen, because ALG/SIP-predicted child sessions do not support asymmetric routing and the child session's egress interface is logged from the predict session rather than from the routing table.
This is expected behaviour at this point. If there is a need to change this particular behaviour, please work with the accounts team to file an enhancement request.