issues after Palo-Alto firewall installation
Darren G March 11, 2016 09:16:47 PM
Since we put a Palo-Alto “intelligent” firewall in our target site, I’m seeing a huge number of site disconnect events followed within seconds by a reconnect message. The issue is almost certainly with the firewall config, but I'm wondering if anyone has seen an issue like this before. My network guy is stumped.
e.g.
Alert turned on at 3/11/2016 3:07:45 PM: The Zerto Virtual Manager is not connected to site Madison (ip redacted).
and a similar slew from the VRAs
Darren G March 11, 2016 09:19:29 PM
I should add that other than all the “spam” (52 messages per event) it doesn’t appear to be having any negative effect on RPO or causing sync issues….yet.
Junichi S March 11, 2016 09:22:08 PM
The ZVMs keep an open connection with a keep alive interval (10 minutes by default). It sounds like your firewall is closing this, which is causing the issue.
Simplest answer is to allow all traffic between Zerto components or change the firewall settings to not close the connections.
Thanks,
Joshua
Darren G March 11, 2016 10:38:00 PM
Thanks Joshua
It APPEARS it may be an issue between how the Cisco at the source side and the Palo-Alto on the target side decide the tunnel should be up for the VPN. I’ll share any specifics if they are available.
Chris S May 16, 2017 07:57:22 PM
Steven – Curious, did you ever run this down? I ask because I just put in a Palo Alto firewall in one of my datacenters and now I’m getting sporadic site disconnects between ZVMs. Clearly it’s the change in firewall, but I haven’t yet figured out how to resolve it.
Darren G May 16, 2017 08:25:40 PM
Not 100%. When we got to a PA – PA config for our tunnel, my network engineer and PA support did some tweaking to get it stable, but I don’t know what they did and he doesn’t share well. Getting off a split 5530 – PA helped, or forced the hand at least.
Chris S May 16, 2017 08:35:33 PM
Thanks for the reply. If you ever get your guy to share, I’d be interested in hearing the resolution. If you ever log in to the PA support portal and pull the information on the ticket resolution, I’d be happy to read it. 🙂 Thanks again.
Darren G May 16, 2017 09:38:48 PM
Ok, just talked to Andy. He says to the best of his recollection, in the session timeouts section, he set TCP to 3600 seconds to keep the tunnel alive. Palo-Alto mentioned that they were seeing the tunnel shut down, then re-initiate. He did this AFTER the second Palo went into place, so it looks like my thoughts that it was PA-PA are not accurate.
Chris S May 16, 2017 09:40:03 PM
Cool, thanks for the info.
Alessandro B October 19, 2017 10:18:23 AM
Hi All, I have the same problem. ZVM and VRAs are in the same subnet… how is it possible that PaloAlto “closes” the connection between IPs of the same VLAN/subnet?
Thanks in advance
WORKAROUND: I need to reboot the VRAs (four) every night