Tunnel traffic gets dropped when "Enforce Symmetric Return" is enabled in PBF Rule after upgrading firewall to 11.0.0.
Created On 06/26/23 07:46 AM - Last Modified 11/12/24 22:44 PM
Symptom
- GlobalProtect (GP) users are unable to access the internet when their traffic passes through the firewall.
- The issue is not limited to GlobalProtect tunnels; it can affect any tunnel traffic, including IPSec and GRE VPNs.
- The PBF rule is configured with the "Enforce Symmetric Return" option enabled, the next hop set to the ISP IP address, and the firewall's external interface selected as the egress interface.
- A ping to 8.8.8.8 from the GP user fails with "Request Time Out".
- In the "show session id" output below, the s2c flow has no "Symmetric Return Mac", so the s2c flow is not installed.
admin@PaloAlto> show session id 7xx
Session 7xx
c2s flow:
source: 10.x.x.x [SSLVPN]
dst: 8.8.8.8
proto: 1
sport: 1 dport: 104
state: INIT type: FLOW
src user: test
dst user: unknown
pbf rule: Test-pbf
s2c flow:
source: 8.8.8.8 [UNTRUST]
dst: 10.x.x.x
proto: 1
sport: 104 dport: 1
state: INIT type: FLOW
src user: unknown
dst user: test
pbf rule: Test-pbf
symmetric return mac: ***N/A***. >>>> No Symmetric Return MAC available
......(Output Omitted).......
- The firewall drops the return traffic and increments the global counter "flow_tunnel_encap_err":
admin@PaloAlto> show counter global filter delta yes packet-filter yes severity drop
Global counters:
Elapsed time since last sampling: 4.792 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_tunnel_encap_err 1 0 drop flow tunnel Packet dropped: tunnel encapsulation error
Note: To see specific drop counters, "Packet Capture Filters" must be applied and enabled. Refer to Getting Started - Packet Capture.
- From the CLI, the output of "show pbf return-mac all" has no entries.
admin@PaloAlto> show pbf return-mac all
current pbf configuation version: 2
total return nexthop addresses : 0
index pbf id ver hw address ip address
return mac egress port
--------------------------------------------------------------------------------
maximum of ipv4 return mac entries supported : 1500
total ipv4 return mac entries in table : 0
total ipv4 return mac entries shown : 0
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule id ip address hw address port status ttl
--------------------------------------------------------------------------------
maximum of ipv6 return mac entries supported : 1500
total ipv6 return mac entries in table : 0
total ipv6 return mac entries shown : 0
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule id ip address hw address status
--------------------------------------------------------------------------------
Environment
- Palo Alto Firewalls
- PAN-OS 11.0.0
- PBF rule configured with "Enforce Symmetric Return" enabled.
- GlobalProtect, IPSec or GRE VPNs.
Cause
- Software Issue
Resolution
- The issue has been addressed under PAN-220921 in PAN-OS 11.0.2h1 and 11.0.3.
- Upgrading to one of the above releases or a newer version will resolve the issue.
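Before scheduling the upgrade, the three indicators in the Symptom section can be checked mechanically against captured CLI output. The script below is an added example and is not part of this article or of PAN-OS; it parses constructed samples modelled on the excerpts above (the session, counter and return-mac outputs) and reports whether all three indicators are present at once. It keys only on the field names visible in the article's output; any other layout is an assumption.

```python
"""Triage helper for the PBF "Enforce Symmetric Return" tunnel-drop symptom.

Checks captured PAN-OS CLI output for the three indicators the article lists:
  1. the s2c flow of a PBF-matched session has no symmetric return MAC,
  2. the flow_tunnel_encap_err drop counter is non-zero in delta mode,
  3. "show pbf return-mac all" holds no return MAC entries.
"""
import re
from typing import Dict, Optional

# Constructed sample: "show session id" output, trimmed to the relevant fields.
SESSION_OUTPUT = """\
Session 701
c2s flow:
source: 10.1.1.10 [SSLVPN]
dst: 8.8.8.8
sport: 1 dport: 104
pbf rule: Test-pbf
s2c flow:
source: 8.8.8.8 [UNTRUST]
dst: 10.1.1.10
sport: 104 dport: 1
pbf rule: Test-pbf
symmetric return mac: ***N/A***
"""

# Constructed sample: filtered global counters in delta mode.
COUNTER_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 4.792 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_tunnel_encap_err 1 0 drop flow tunnel Packet dropped: tunnel encapsulation error
"""

# Constructed sample: "show pbf return-mac all" with empty tables.
RETURN_MAC_OUTPUT = """\
current pbf configuation version: 2
total return nexthop addresses : 0
total ipv4 return mac entries in table : 0
total ipv4 return mac entries shown : 0
total ipv6 return mac entries in table : 0
total ipv6 return mac entries shown : 0
"""


def parse_session_flows(text: str) -> Dict[str, Dict[str, str]]:
    """Split "show session id" output into {"c2s": {...}, "s2c": {...}}.

    Keys are lower-cased field names ("pbf rule", "symmetric return mac").
    Lines before the first "<dir> flow:" header are ignored.
    """
    flows: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^(c2s|s2c) flow:$", line)
        if header:
            current = header.group(1)
            flows[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        flows[current][key.strip().lower()] = value.strip()
    return flows


def s2c_missing_return_mac(flows: Dict[str, Dict[str, str]]) -> bool:
    """True when the s2c flow matched a PBF rule but has no return MAC.

    The article shows the field as "***N/A***"; an absent field is treated
    the same way (assumption).
    """
    s2c = flows.get("s2c", {})
    if not s2c.get("pbf rule"):
        return False
    return "N/A" in s2c.get("symmetric return mac", "N/A").upper()


def tunnel_encap_err_count(text: str) -> int:
    """Return the value column of flow_tunnel_encap_err, or 0 if absent."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "flow_tunnel_encap_err":
            return int(parts[1])
    return 0


def return_mac_entries(text: str) -> int:
    """Sum the ipv4 and ipv6 'entries in table' counts."""
    pattern = r"total ipv[46] return mac entries in table\s*:\s*(\d+)"
    return sum(int(m.group(1)) for m in re.finditer(pattern, text))


def matches_symptom(session: str, counters: str, return_macs: str) -> bool:
    """All three indicators from the article present at once."""
    return (
        s2c_missing_return_mac(parse_session_flows(session))
        and tunnel_encap_err_count(counters) > 0
        and return_mac_entries(return_macs) == 0
    )


if __name__ == "__main__":
    print("symptom signature present:",
          matches_symptom(SESSION_OUTPUT, COUNTER_OUTPUT, RETURN_MAC_OUTPUT))
```

Run it against output saved from a firewall; a True result alongside PAN-OS 11.0.0 and a PBF rule with "Enforce Symmetric Return" enabled points at the behaviour this article describes, while a populated return MAC on the s2c flow rules it out.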