Downloads over HTTPS fail when hitting the default CTD loop limit, with session end-reason resources-unavailable and tracker stage l7proc: ctd pkt loop
Created On 03/15/22 00:27 AM - Last Modified 02/22/24 07:03 AM
Symptom
- While processing a compressed PDF (ZIP) file, CTD reaches the default maximum number of packet-processing loops; this increments the ctd-pkt-proc-loop counter and the session ends with end-reason resources-unavailable.
- The session details on the CLI show tracker stage l7proc: ctd pkt loop and end-reason: resources-unavailable.
admin@palfws01-bnep> show session id 2702
application : web-browsing
nat-rule : Test(vsys1)
layer7 processing : completed
URL filtering enabled : True
URL category : government, low-risk
ingress interface : ethernet1/3
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage l7proc : ctd pkt loop
end-reason : resources-unavailable
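When many sessions are being triaged, the two indicators above can be checked programmatically. The following is an added example, not part of the original article or of any Palo Alto Networks tooling: it splits a pasted CLI transcript on the `show session id N` prompt lines, parses the `key : value` output into a dictionary, and reports the session ids whose l7proc tracker stage is `ctd pkt loop` and whose end-reason is `resources-unavailable`. The transcript below is constructed for the example; the second session's field values are made up and only the two indicator strings come from the article.

```python
import re

# Constructed sample transcript: two "show session id" outputs in the
# "key : value" layout the PAN-OS CLI prints. Session 2702 mirrors the
# article; session 2703 is an invented healthy session for contrast.
SAMPLE_TRANSCRIPT = """\
admin@palfws01-bnep> show session id 2702
application : web-browsing
nat-rule : Test(vsys1)
layer7 processing : completed
URL filtering enabled : True
URL category : government, low-risk
ingress interface : ethernet1/3
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage l7proc : ctd pkt loop
end-reason : resources-unavailable
admin@palfws01-bnep> show session id 2703
application : ssl
layer7 processing : completed
ingress interface : ethernet1/3
egress interface : ethernet1/1
end-reason : tcp-fin
"""

# A prompt line looks like "user@hostname> show session id 2702 ..."
PROMPT_RE = re.compile(r"^\S+>\s*show session id (\d+)", re.MULTILINE)
# Output lines are "key : value" with whitespace on both sides of the colon.
FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")


def split_sessions(transcript):
    """Yield (session_id, body_text) for every 'show session id N' block."""
    prompts = list(PROMPT_RE.finditer(transcript))
    for i, m in enumerate(prompts):
        end = prompts[i + 1].start() if i + 1 < len(prompts) else len(transcript)
        yield int(m.group(1)), transcript[m.end():end]


def parse_fields(body):
    """Turn 'key : value' lines into a dict keyed by the lower-cased field name."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def hit_ctd_loop_limit(fields):
    """True when both indicators from the article are present on the session."""
    return (fields.get("tracker stage l7proc") == "ctd pkt loop"
            and fields.get("end-reason") == "resources-unavailable")


def find_ctd_loop_sessions(transcript):
    """Return the ids of sessions that ended at the CTD packet-loop limit."""
    return [sid for sid, body in split_sessions(transcript)
            if hit_ctd_loop_limit(parse_fields(body))]


if __name__ == "__main__":
    for sid in find_ctd_loop_sessions(SAMPLE_TRANSCRIPT):
        print(f"session {sid}: ended at CTD packet-loop limit (resources-unavailable)")
```

Paste the output of one or more `show session id` commands into the transcript and the function returns only the sessions that match both indicators; a session that ends with resources-unavailable for some other reason, or that shows ctd pkt loop but finished normally, is not reported.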
Environment
- Palo Alto Firewall
- PAN-OS versions 9.1.0-9.1.7, or 10.0.4
Cause
- Palo Alto Networks made improvements in 9.1.8, 10.1.0 and later releases, introducing two tiers based on packet length, a low tier and a high tier, with default values of 1024 loops (low) and 4096 loops (high). These defaults are sufficient for most customers.
- Larger packets will typically need more loops to finish processing. In such scenarios the limits can be raised to a maximum of 8190 without adverse impact on dataplane resource utilization.
- Starting with 11.1.0, 11.0.3, 11.0.2, 10.2.5, 10.1.10 and 9.1.17, the loops can be increased to a maximum of 65535.
Resolution
Upgrade to 9.1.8, 10.0.5 or higher to resolve PAN-156891.
Workaround
1. Increase the number of CTD loops to the maximum allowed (8190) so that processing of the packet buffers can finish, using the following operational mode commands, available on PAN-OS 9.1.8 and above:
> set system setting ctd pkt-proc-loop-low 8190
> set system setting ctd pkt-proc-loop-high 8190
2. On 11.1.0, 11.0.3, 11.0.2, 10.2.5, 10.1.10, 9.1.17 and above, the number of CTD loops can also be increased to the new maximum of 65535:
> set system setting ctd pkt-proc-loop-low 65535
> set system setting ctd pkt-proc-loop-high 65535
3. Verify the new loop values with the following command:
> show system setting ctd state | match loop
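Which ceiling applies depends on the PAN-OS release train, so the steps above are easy to get wrong across a fleet on mixed versions. The following is an added example, not part of the original article or of any Palo Alto Networks tooling: it encodes the version thresholds stated on this page and returns the maximum loop value a given release can take, together with the set and verify commands for it. Two points are assumptions rather than statements of the article: every train from 11.1 onward is treated as carrying the 65535 ceiling, and releases 10.0.0 through 10.0.4 are treated as lacking the knob, since the Resolution names 10.0.5 as the fixed release but the Environment lists only 10.0.4.

```python
import re

# First maintenance release per train with the 65535 ceiling, taken from the
# article's list (11.1.0, 11.0.3, 11.0.2, 10.2.5, 10.1.10, 9.1.17).
# 11.0.2 already covers 11.0.3, and 11.1.0 is handled by FIRST_TRAIN_ALL_65535.
LOOP_CEILING_65535 = {(9, 1): 17, (10, 1): 10, (10, 2): 5, (11, 0): 2}
FIRST_TRAIN_ALL_65535 = (11, 1)  # assumption: 11.1 and every later train allow 65535
FIRST_WITH_KNOB = (9, 1, 8)      # commands available on PAN-OS 9.1.8 and above (article)
# Assumption: 10.0.0-10.0.4 lack the knob; the article names 10.0.5 as the fixed release.
FIRST_FIXED_10_0 = (10, 0, 5)

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-h\d+)?\s*$")


def parse_version(text):
    """Parse 'major.minor.patch' (an optional '-hN' hotfix suffix is ignored)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def max_ctd_loops(version_text):
    """Return 8190, 65535, or None when the release has no loop knob (upgrade instead)."""
    version = parse_version(version_text)
    train = version[:2]
    patch = version[2]
    if version < FIRST_WITH_KNOB:
        return None
    if train == (10, 0) and version < FIRST_FIXED_10_0:
        return None
    if train >= FIRST_TRAIN_ALL_65535:
        return 65535
    if train in LOOP_CEILING_65535 and patch >= LOOP_CEILING_65535[train]:
        return 65535
    return 8190


def workaround_commands(version_text):
    """Operational mode commands for the workaround, or [] if the release needs an upgrade."""
    ceiling = max_ctd_loops(version_text)
    if ceiling is None:
        return []
    return [
        f"set system setting ctd pkt-proc-loop-low {ceiling}",
        f"set system setting ctd pkt-proc-loop-high {ceiling}",
        "show system setting ctd state | match loop",
    ]


if __name__ == "__main__":
    for v in ("9.1.7", "9.1.8", "9.1.17", "10.0.4", "10.1.9", "10.2.5", "11.0.1", "11.1.0"):
        ceiling = max_ctd_loops(v)
        print(f"{v:>8}: {'upgrade required' if ceiling is None else ceiling}")
```

A release that returns None is one the article lists as affected without a loop knob (9.1.0-9.1.7, 10.0.4), where the fix is the upgrade in the Resolution section; everything else gets the highest value the page says that release accepts.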
Additional Information
In 8.1.x releases, packets are bypassed by default when a high compression ratio is detected. From 9.1.x onward, such packets are dropped by default, but the behaviour can be changed back to bypass with the following commands:
> configure
# set deviceconfig setting session resource-limit-behavior bypass
# commit
# exit