This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi guys,

We have a really strange situation since the last upgrade of our PALO ALTO (ACTIVE ACTIVE HA) firewalls. From time to time, randomly, some users report printers offline (there is a print server). The architecture is like this:

|USERS|==>|Router1|==>|PA1|==>|ROUTER2|==>|SRX2|==>PrintSERVER

The upgrade was done only on the Palo Alto FW.

Facts observed:
- massive amount of "tcp spurious retransmission" followed by (RST,ACK) from the server
- the issue is coming during the 3-way handshake (client sending a SYN, server-spurious, server sending the (RST,ACK))
- is around the same hour
- is just the printing server (not http flow, as we have a web server on the same machine-VM actually)
- the other type of traffic is not affected
- I have traces on the Server and also on the PA
- routing wise, nothing is changed during the ISSUE (traceroute)
- on the server side we don't see too many logs related with the issue (2,3 when we have normally 30 users complaining)
- on the Print server we don't see a massive number of connections during that hour that can cause somehow the communication to crash
- there is no increase in the latency during that hour (same 6 ms RTT)
- routing wise, the traffic is not asymmetric (interface wise it is sometimes, as we have a portchannel between PA and routing devices)

I would appreciate any thoughts from you that can help me to solve this issue.

Regards!

server side captures:


asked 28 Jul '17, 00:59

mariusG


In your situation, I would capture at both sides of the Palo Alto simultaneously until the issue happens and compare the traces. And if this would show that some packets didn't make it to the other side at all or got modified in a destructive way, I would open a support case with Palo Alto.

answered 28 Jul '17, 01:37

sindy

Thanks mate!! I've done a capture on the Palo Alto FW and there are packets that are dropped. I've opened a ticket with the provider to see where the issue is. What I cannot explain is the fact that it is random... it is coming and going, so in 10 min you have to be ready to capture what is necessary! I will let you know about the result! Thanks!

(31 Jul '17, 22:25) mariusG

Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(31 Jul '17, 22:41) Jaap ♦
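
One way to do the two-sided comparison suggested in the answer above, as an added example that is not part of the original thread: export the same fields from both captures with tshark and report packets that one side sent but the other never saw. It assumes no NAT or sequence-number rewriting between the capture points; the addresses, port 9100, packet values and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample exports (not the poster's captures), tab-separated, as from:
#   tshark -r SIDE.pcap -Y tcp -T fields -e ip.src -e ip.dst -e tcp.srcport \
#          -e tcp.dstport -e ip.id -e tcp.seq_raw -e tcp.flags
CLIENT_SIDE = """\
10.1.1.50\t10.2.2.10\t50100\t9100\t0x1a01\t1000\t0x0002
10.2.2.10\t10.1.1.50\t9100\t50100\t0x7b01\t9000\t0x0012
10.1.1.50\t10.2.2.10\t50200\t9100\t0x1a03\t2000\t0x0002
10.1.1.50\t10.2.2.10\t50200\t9100\t0x1a04\t2000\t0x0002
"""
SERVER_SIDE = """\
10.1.1.50\t10.2.2.10\t50100\t9100\t0x1a01\t1000\t0x0002
10.2.2.10\t10.1.1.50\t9100\t50100\t0x7b01\t9000\t0x0012
10.1.1.50\t10.2.2.10\t50200\t9100\t0x1a03\t2000\t0x0002
10.2.2.10\t10.1.1.50\t9100\t50200\t0x7b02\t9500\t0x0012
10.1.1.50\t10.2.2.10\t50200\t9100\t0x1a04\t2000\t0x0002
10.2.2.10\t10.1.1.50\t9100\t50200\t0x7b03\t9501\t0x0014
"""

def parse(export):
    """Turn one field export into a list of hashable packet keys."""
    pkts = []
    for line in filter(None, export.splitlines()):
        src, dst, sport, dport, ipid, seq, flags = line.split("\t")
        pkts.append((src, dst, int(sport), int(dport),
                     int(ipid, 0), int(seq, 0), int(flags, 0)))
    return pkts

def lost_between(sent_side, recv_side, sender_ip):
    """Packets from sender_ip captured on sent_side but absent on recv_side."""
    # Counter subtraction is a multiset difference, so duplicates count separately.
    sent = Counter(p for p in sent_side if p[0] == sender_ip)
    recv = Counter(p for p in recv_side if p[0] == sender_ip)
    return sorted((sent - recv).elements())

FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def describe(pkt):
    src, dst, sport, dport, ipid, seq, flags = pkt
    names = ",".join(n for bit, n in FLAG_NAMES.items() if flags & bit)
    return f"{src}:{sport} -> {dst}:{dport} [{names}] seq={seq} ip.id={ipid:#06x}"

if __name__ == "__main__":
    client, server = parse(CLIENT_SIDE), parse(SERVER_SIDE)
    for pkt in lost_between(server, client, "10.2.2.10"):
        print("sent by server, absent on client side:", describe(pkt))
    for pkt in lost_between(client, server, "10.1.1.50"):
        print("sent by client, absent on server side:", describe(pkt))
```

With real captures, both traces need to cover the same time window, otherwise packets at the edges of the window show up as false losses.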