Downloads over HTTPS fails hitting the default CTD loop limit with session end-reason: resources-unavailable and tracker stage l7proc: ctd pkt loop

Created On 03/15/22 00:27 AM - Last Modified 02/22/24 07:03 AM


Symptom


  • During packet processing of a compressed PDF Zip file, CTD reaches the maximum number of loops configured by default. This increments the counter ctd-pkt-proc-loop and the session ends with end-reason resources-unavailable.
  • The session details on the CLI show tracker stage l7proc as ctd pkt loop and end-reason as resources-unavailable:
admin@palfws01-bnep> show session id 2702 
*
*
*
        application                          : web-browsing  
        nat-rule                             : Test(vsys1)
        layer7 processing                    : completed
        URL filtering enabled                : True
        URL category                         : government, low-risk
        ingress interface                    : ethernet1/3
        egress interface                     : ethernet1/1
        session QoS rule                     : N/A (class 4)
        tracker stage l7proc                 : ctd pkt loop
        end-reason                           : resources-unavailable



Environment


  • Palo Alto Firewall
  • PAN-OS 9.1.0 through 9.1.7, or 10.0.4


Cause


  • Palo Alto Networks made improvements in 9.1.8, 10.1.0 and later releases, introducing two tiers selected by packet length: a low tier and a high tier, with default values of 1024 loops (low) and 4096 loops (high). These defaults are sufficient for most customers.
  • Larger packets will typically need more loops to finish processing. In such scenarios the limits can be increased to a maximum of 8190 without adverse impact on dataplane resource utilization.
  • Starting with 11.1.0, 11.0.3, 11.0.2, 10.2.5, 10.1.10 and 9.1.17, the loops can be increased to a maximum of 65535.


Resolution


Upgrade to 9.1.8, 10.0.5 or higher to resolve PAN-156891.

Workaround
  1. Increase the number of CTD loops to the maximum allowed (8190) so that the packet buffers can finish processing, using the following operational mode commands, available on PAN-OS 9.1.8 and above.
> set system setting ctd pkt-proc-loop-low 8190
> set system setting ctd pkt-proc-loop-high 8190
  2. On 11.1.0, 11.0.3, 11.0.2, 10.2.5, 10.1.10, 9.1.17 and above, the number of CTD loops can instead be increased to the new maximum value of 65535.
> set system setting ctd pkt-proc-loop-low 65535
> set system setting ctd pkt-proc-loop-high 65535
  3. Verify the new loop values using the following command.
> show system setting ctd state | match loop
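The following script is an added example, not part of this article or of any Palo Alto Networks tooling. It shows how an operator could confirm the symptom from saved "show session id" output and pick a loop value that does not exceed the cap for the running PAN-OS release (8190 from 9.1.8 / 10.0.5, 65535 from the releases listed in step 2). The session text is constructed from the fields shown in the Symptom section; the per-train thresholds are taken from this article, and the handling of trains newer than 11.1 is an assumption, marked in the code.

```python
"""Confirm the CTD packet-loop condition from 'show session id' output and
choose a loop value within the cap of the running PAN-OS release.

Added example; not from the Palo Alto Networks article. SAMPLE_SESSION is a
constructed excerpt of 'show session id' output with the fields the article
shows for an affected session.
"""
import re

SAMPLE_SESSION = """\
admin@palfws01-bnep> show session id 2702
        application                          : web-browsing
        nat-rule                             : Test(vsys1)
        layer7 processing                    : completed
        tracker stage l7proc                 : ctd pkt loop
        end-reason                           : resources-unavailable
"""

# Minimum release per train from which the cap is 65535 (article, step 2).
RAISED_CAP_MINIMUM = {
    (9, 1): (9, 1, 17),
    (10, 1): (10, 1, 10),
    (10, 2): (10, 2, 5),
    (11, 0): (11, 0, 2),
    (11, 1): (11, 1, 0),
}


def parse_session_detail(text):
    """Turn 'key : value' lines into a dict; prompt and '*' lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if ':' not in line:
            continue
        key, value = line.split(':', 1)
        fields[key.strip()] = value.strip()
    return fields


def hits_ctd_loop_limit(fields):
    """True when the session shows the exact pair the article describes."""
    return (fields.get('tracker stage l7proc') == 'ctd pkt loop'
            and fields.get('end-reason') == 'resources-unavailable')


def parse_version(version):
    """'10.1.10' or '10.1.10-h2' -> (10, 1, 10); hotfix suffix is ignored."""
    m = re.fullmatch(r'(\d+)\.(\d+)\.(\d+)(?:-h\d+)?', version.strip())
    if not m:
        raise ValueError(f'unrecognised PAN-OS version: {version!r}')
    return tuple(int(x) for x in m.groups())


def max_ctd_loops(version):
    """Cap for pkt-proc-loop-low/high on this release, or None if the
    setting does not exist there (the fix is then the upgrade in Resolution)."""
    v = parse_version(version)
    train = v[:2]
    if train < (9, 1) or (train == (9, 1) and v < (9, 1, 8)) \
            or (train == (10, 0) and v < (10, 0, 5)):
        return None
    raised_from = RAISED_CAP_MINIMUM.get(train)
    if raised_from is not None:
        return 65535 if v >= raised_from else 8190
    # Assumption: trains newer than 11.1 keep the 65535 cap; 10.0.x stays at 8190.
    return 65535 if train > (11, 1) else 8190


def workaround_commands(version, requested=None):
    """Operational-mode commands from the article, clamped to the release cap.
    Returns [] when the setting is unavailable on this release."""
    cap = max_ctd_loops(version)
    if cap is None:
        return []
    value = cap if requested is None else min(requested, cap)
    return [f'set system setting ctd pkt-proc-loop-low {value}',
            f'set system setting ctd pkt-proc-loop-high {value}']


if __name__ == '__main__':
    fields = parse_session_detail(SAMPLE_SESSION)
    print('CTD loop limit hit:', hits_ctd_loop_limit(fields))
    for ver in ('9.1.7', '9.1.8', '9.1.17', '10.0.5', '10.2.4', '10.2.5'):
        print(ver, max_ctd_loops(ver), workaround_commands(ver))
```

Run it against output saved from the firewall CLI; when `hits_ctd_loop_limit` is true and `max_ctd_loops` returns None, the release predates the setting and the upgrade in Resolution is the only option.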


Additional Information


In 8.1.x releases, packets are bypassed by default when a high compression ratio is detected. From 9.1.x onward, such packets are dropped by default, but the behavior can be changed back to bypass with the following commands:
> configure
# set deviceconfig setting session resource-limit-behavior bypass
# commit
# exit