Firewalls in an Active-Active setup do not sync the byte or packet count of a session with the peer.
7247
Created On 06/27/23 12:41 PM - Last Modified 04/22/24 05:48 AM
Symptom
The customer has an Active-Active setup. When they check the session ID details on the active-primary firewall, they see a substantial byte and packet count in both the S2C and C2S directions.
FW01(active-primary)> show session id 1584692
Session 1584692
c2s flow:
source: 10.41.231.61 [ABC]
dst: 10.27.17.1
proto: 6
sport: 51253 dport: 3365
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
qos node: ethernet1/10, qos member N/A Qid 0
offload: Yes
s2c flow:
source: 10.27.17.1 [CDE]
dst: 10.41.231.61
proto: 6
sport: 3365 dport: 51253
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
qos node: ethernet1/9, qos member N/A Qid 0
offload: Yes
Slot : 1
DP : 0
index(local): : 1584692
start time : Tue Mar 7 08:58:49 2023
timeout : 3600 sec
time to live : 3589 sec
total byte count(c2s) : 114777 >>>>>>>>>>>>>>>>>>
total byte count(s2c) : 287531 >>>>>>>>>>>>>>>>>>>
layer7 packet count(c2s) : 293
layer7 packet count(s2c) : 604
vsys : vsys1
application : outlook-web-online
rule : Agence_ACL
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
session owner is HA A/A local device : True
session setup locally HA A/A : True
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/9
egress interface : ethernet1/10
session QoS rule : N/A (class 4)
tracker stage l7proc : ctd proc changed
end-reason : unknown
But when they look up the same session on the active-secondary firewall by filtering on source and destination (IP and ports), these counters are not populated.
FW02(active-secondary)> show session id 1332211
Session 1332211
c2s flow:
source: 10.41.231.61 [ABC]
dst: 10.27.17.1
proto: 6
sport: 51253 dport: 3365
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
offload: Yes
s2c flow:
source: 10.27.17.1 [CDE]
dst: 10.41.231.61
proto: 6
sport: 3365 dport: 51253
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
offload: Yes
Slot : 1
DP : 0
index(local): : 1332211
start time : Tue Mar 7 08:58:47 2023 >>>>>>>>>>>>>>>>
timeout : 3600 sec
time to live : 3569 sec
total byte count(c2s) : 0 >>>>>>>>>>>>>>>>>>>
total byte count(s2c) : 0 >>>>>>>>>>>>>>>>>>>
layer7 packet count(c2s) : 0 >>>>>>>>>>>>>>>>>>>
layer7 packet count(s2c) : 0 >>>>>>>>>>>>>>>>>>>
vsys : vsys1
application : outlook-web-online
session to be logged at end : True
session in session ager : True
session updated by HA peer : True
session owner is HA A/A local device : False
session setup locally HA A/A : False
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/9
egress interface : ethernet1/10
session QoS rule : N/A (class 4)
end-reason : unknown
Environment
- All PAN-OS versions
Cause
This is expected behaviour: byte and packet counts are not synced between peers in an Active-Active setup.
These values are synced in an Active-Passive setup.
Resolution
This is a by-design limitation of the Active-Active setup. Read the byte and packet counts on the firewall that owns the session (where "session owner is HA A/A local device" is True); the peer's copy of the session shows zero.
Additional Information
Sometimes you will notice that, on both firewalls, only one of the S2C and C2S counters has a non-zero value. This can be due to asymmetric routing in the customer environment.
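As an added example (not part of this article or of PAN-OS), the following script parses the "show session id" output collected from both Active-Active peers for the same flow, takes the counters only from the device that reports "session owner is HA A/A local device : True", and flags any peer where exactly one direction is counting, which the note above attributes to asymmetric routing. The sample dumps are constructed and trimmed to the lines the check needs.

```python
import re

COUNTERS = ("total byte count(c2s)", "total byte count(s2c)",
            "layer7 packet count(c2s)", "layer7 packet count(s2c)")
OWNER = "session owner is HA A/A local device"
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$")

def parse_session(text):
    """Map the 'key : value' lines of a show-session dump to a dict,
    dropping the trailing '>>>>' highlight markers used in the article."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).split(">", 1)[0].strip()
    return fields

def audit_aa_session(peers):
    """peers: {device: show-session output for the same flow}.
    Returns the owning peer, counters taken only from that owner, and
    peers where exactly one direction counts (asymmetric-routing hint)."""
    parsed = {name: parse_session(dump) for name, dump in peers.items()}
    owners = [n for n, s in parsed.items() if s.get(OWNER) == "True"]
    if len(owners) != 1:
        raise ValueError(f"expected exactly one session owner, got {owners}")
    counters = {c: int(parsed[owners[0]].get(c, 0)) for c in COUNTERS}
    one_way = [n for n, s in parsed.items()
               if (int(s.get(COUNTERS[0], 0)) > 0) != (int(s.get(COUNTERS[1], 0)) > 0)]
    return {"owner": owners[0], "counters": counters, "one_way_peers": one_way}

# Constructed samples, trimmed to the lines the check needs and mirroring
# the FW01 (owner) and FW02 (peer) dumps shown in the article.
FW01 = """\
total byte count(c2s) : 114777 >>>>>>>>>>
total byte count(s2c) : 287531 >>>>>>>>>>
layer7 packet count(c2s) : 293
layer7 packet count(s2c) : 604
session owner is HA A/A local device : True
"""
FW02 = """\
total byte count(c2s) : 0 >>>>>>>>>>
total byte count(s2c) : 0 >>>>>>>>>>
layer7 packet count(c2s) : 0
layer7 packet count(s2c) : 0
session owner is HA A/A local device : False
"""
```

Calling audit_aa_session({"FW01": FW01, "FW02": FW02}) reports FW01 as owner with the non-zero counters and an empty one_way_peers list; a dump where only one direction counts would be listed there.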