Fragmented packets received on Aggregated Interfaces are silently dropped due to reassembly failure.

Created On 06/01/23 10:03 AM - Last Modified 06/15/24 01:42 AM


Symptom


  • Aggregated Interface (AE) has members on multiple slots.
  • The peering device sends fragments of the same IP packet across different AE members.
  • These fragments land on different slots and cannot be reassembled.
  • Packets are silently dropped due to reassembly failure.


Environment


  • PAN-OS 8.1, 9.0, 9.1 and 10.0
  • Multi-slot firewalls (PA-7050/PA-7050b, PA-7080/PA-7080b, PA-5450)
 


Cause


  • On multi-slot systems running PAN-OS 8.1, 9.0, 9.1, or 10.0, a fragmented IP packet can only be reassembled if all its fragments are received by the same slot.
  • Example: in the scenario shown below, fragments 1 and 3 are received on ethernet1/1, which belongs to slot 1, while fragments 2 and 4 are received on ethernet2/1, which belongs to slot 2.
  • Prior to PAN-OS 10.1, there was no mechanism for a DP in one slot to send fragments to a DP in another slot. Fragments of the same IP packet received on different slots are eventually dropped.

(Image: Fragment handling on the multi-slot firewall prior to PAN-OS 10.1)


Resolution


  1. From PAN-OS 10.1, a new mechanism reassembles all fragments of a single IP packet regardless of the slot on which the fragments are received.
  2. In PAN-OS 10.1, fragments of the same packet received on different slots are internally forwarded to a designated DP (the "reassembly-owner").
  3. If the DP that receives a fragment is not the reassembly-owner, it sends the fragment to the reassembly-owner. The reassembly-owner may be on the same slot or on a different slot.

(Image: New fragment handling on the multi-slot firewall from PAN-OS 10.1)

  • The default setting on the PA-7000 series running PAN-OS 10.1 is Self, which is the fragment handling behavior from before PAN-OS 10.1:

    admin@firewall> show ae-frag redistribution-policy
    Reassemble Owner Policy: Self

  • After upgrading to PAN-OS 10.1, run the command below to enable the new way of handling fragments:

    admin@firewall> set ae-frag redistribution-policy
    > fixed   select a fixed DP
    > hash    distribution based on hash
    > self    DP which received the frag

    admin@firewall> set ae-frag redistribution-policy hash

  • hash: assigns a reassembly owner by hash distribution; use this method to handle fragmented packets.
  • fixed: selects one particular dataplane in the system to handle ALL fragments that arrive at the firewall. This is used for troubleshooting purposes only!
  • self: the DP that received the fragment reassembles it; this is the fragment handling behavior from before PAN-OS 10.1.
  • On the PA-5450 firewall, the new mechanism is the only way fragments are handled; there is no option to enable the pre-10.1 behavior.
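To make the difference between the three policies concrete, here is an added simulation (not Palo Alto Networks code) of the article's scenario: four fragments of one IP packet split across AE members on two slots. Under self each slot holds only a gapped subset and the packet never completes, while under hash (or fixed) every fragment is routed to a single reassembly owner. The hash function, slot numbering and addresses are assumptions chosen for illustration.

```python
# Added example, not Palo Alto Networks code: how fragments of one IP packet arriving on
# AE members in different slots fare under each ae-frag policy. Hash, slots, addresses are assumed.
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int    # IP Identification field, shared by all fragments of one packet
    offset: int   # fragment offset in 8-byte units
    length: int   # payload length in 8-byte units
    more: bool    # MF flag: True on every fragment except the last
    slot: int     # slot of the AE member interface the fragment arrived on

def flow_key(f: Fragment) -> tuple:
    return (f.src, f.dst, f.ip_id)

def reassembly_owner(f: Fragment, policy: str, slots: int, fixed_slot: int = 1) -> int:
    # Slot (DP) that holds this fragment for reassembly under the given policy.
    if policy == "self":      # pre-10.1 behaviour: the receiving DP keeps it
        return f.slot
    if policy == "fixed":     # one DP takes ALL fragments (troubleshooting only)
        return fixed_slot
    if policy == "hash":      # same packet -> same flow key -> same owner
        digest = hashlib.sha256(repr(flow_key(f)).encode()).digest()
        return 1 + int.from_bytes(digest[:4], "big") % slots
    raise ValueError(f"unknown policy {policy!r}")

def reassemble(frags, policy: str, slots: int) -> set:
    # Return the flow keys whose fragments all met at one owner and were contiguous.
    buckets = defaultdict(list)
    for f in frags:
        buckets[(flow_key(f), reassembly_owner(f, policy, slots))].append(f)
    complete = set()
    for (key, _owner), parts in buckets.items():
        expected = 0
        for p in sorted(parts, key=lambda p: p.offset):
            if p.offset != expected:
                break               # gap: a fragment went to another slot
            expected = p.offset + p.length
            if not p.more:
                complete.add(key)   # last fragment reached with no gaps
                break
    return complete

# Constructed sample as in the article: fragments 1 and 3 on ethernet1/1 (slot 1), 2 and 4 on ethernet2/1 (slot 2)
PKT = ("10.0.0.1", "10.0.1.1", 0x1234)
SAMPLE = [Fragment(*PKT, off, ln, mf, slot) for off, ln, mf, slot in
          ((0, 185, True, 1), (185, 185, True, 2), (370, 185, True, 1), (555, 40, False, 2))]
```

Calling reassemble(SAMPLE, "self", 2) returns an empty set, while the hash and fixed policies return the packet's flow key.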


Additional Information


Aggregate Group Members on Multiple Cards

Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000bpraCAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail