Firewall changes the packet order of FIN and RESET while transmitting these packets from the egress interface

Created On 06/08/23 09:00 AM - Last Modified 09/03/25 03:18 AM


Symptom


  • Unexpected reordering of (FIN, ACK) and (RST, ACK) packets between the “receive” and “transmit” packet capture stages
  • In the receive-stage PCAP, the firewall receives the (FIN, ACK) packet and then the RESET packet from the source

receive.png

  • But when the firewall transmits the packets, the order is changed.

transmit.png

 

 


Environment


  • All PAN-OS
  • All Platform


Cause


  • The Palo Alto firewall keeps the FIN packet in a queue.
  • This is done so that the FIN packet can be sent after all the data packets have been sent.
  • The above procedure does not work when a RESET packet is received.
  • Consequently, FIN and RST packets can arrive in the order FIN, RST and be transmitted in the order RST, FIN.
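
To confirm this behaviour from the receive-stage and transmit-stage captures, the following added example (not part of the original article and not Palo Alto Networks code) compares the FIN/RST order per TCP flow in the two files. It assumes classic pcap files with Ethernet/IPv4 framing and no NAT on the flow between stages; the function names and the sample packets are constructed for illustration.

```python
import struct

FIN, RST = 0x01, 0x04

def fin_rst_order(pcap: bytes) -> dict:
    """Map each TCP flow in a classic pcap (Ethernet/IPv4) to its FIN/RST order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    order, off = {}, 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                         # not IPv4/TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue                         # truncated TCP header
        flow = (frame[26:30], tcp[0:2], frame[30:34], tcp[2:4])  # src, sport, dst, dport
        if tcp[13] & RST:
            order.setdefault(flow, []).append("RST")
        elif tcp[13] & FIN:
            order.setdefault(flow, []).append("FIN")
    return order

def reordered_flows(rx_pcap: bytes, tx_pcap: bytes) -> list:
    """Flows whose FIN/RST packets appear in both stages but in a different order."""
    rx, tx = fin_rst_order(rx_pcap), fin_rst_order(tx_pcap)
    return [f for f in rx
            if f in tx and sorted(rx[f]) == sorted(tx[f]) and rx[f] != tx[f]]

# --- constructed sample data (not taken from the article's screenshots) ---
def build_pcap(flag_bytes):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, flags in enumerate(flag_bytes):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, i, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 2000, 0x50, flags, 1024, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

RX = build_pcap([0x10, 0x11, 0x14])   # ACK, FIN-ACK, RST-ACK as received
TX = build_pcap([0x10, 0x14, 0x11])   # ACK, RST-ACK, FIN-ACK as transmitted

if __name__ == "__main__":
    for flow in reordered_flows(RX, TX):
        print("FIN/RST order differs between receive and transmit:", flow)
```
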


Resolution


  1. The issue is resolved under PAN-214669.
  2. Upgrading PAN-OS to 11.0.3, 10.2.5, 10.1.11 or 9.1.17 will fix the issue.

 

 



Additional Information


Getting Started: Packet Capture
