• This topic is empty.

issues after Palo-Alto firewall installation

  • Steven K
    March 11, 2016 09:16:47 PM

    since we put a Palo-Alto “intelligent” firewall in our target site, i’m seeing a huge number of site disconnect events followed within seconds of a reconnect message. the issue is almost certainly with the firewall config but wondering if any one has seen an issue like this before. my network guy is stumped.

    e.g.

    <span style=”color: #000000; font-family: Calibri;”>Alert turned on at 3/11/2016 3:07:45 PM: The Zerto Virtual Manager is not connected to site Madison (ip redacted).</span>

    and a similar slew from the vra’s

     

    Steven K
    March 11, 2016 09:19:29 PM

    I should add that other than all the “spam” (52 messages per event) it doesn’t appear to be having any negative effect of rpo or causing sync issues….yet.

    Joshua S
    March 11, 2016 09:22:08 PM

    The ZVMs keep an open connection with a keep alive interval (1o minutes by default). It sounds like your firewall is closing this which is causing the issue.

    Simplest answer is to allow all traffic between Zerto components or change the firewall settings to not close the connections. Thanks,

    Joshua

    Steven K
    March 11, 2016 10:38:00 PM

    Thanks Joshua

    It APPEARS it may be an issue between how the cisco at the source side and the Palo-alto on the target side decide the tunnel should be up for the VPN. I’ll share any specifics if they are available.

    Matthew C
    May 16, 2017 07:57:22 PM

    Steven – Curious, did you ever run this down? I ask because I just put in a Palo Alto firewall in one of my datacenters and now I’m getting sporadic site disconnects between ZVM’s. Clearly it’s the change in firewall, but I haven’t yet figured out how to resolve it.

    Steven K
    May 16, 2017 08:25:40 PM

    Not 100%. when we got to a PA – PA config for our tunnel, my network engineer and PA support did some tweaking to get it stable but I don’t know what they did and he doesn’t share well. getting off a split 5530 – PA helped, or forced the hand at least.

    Matthew C
    May 16, 2017 08:35:33 PM

    Thanks for the reply. If you ever get your guy to share, I’d be interested in hearing the resolution. If you ever login to the PA support portal and pull the information on the ticket resolution, I’d be happy to read it. 🙂 Thanks again.

    Steven K
    May 16, 2017 09:38:48 PM

    Ok, just talked to Andy. He says to the best of his recollection, in the session timeouts section, he set tcp to 3600 seconds to keep the tunnel alive. Palo-Alto mentioned that they were seeing the tunnel shutdown, then re-initiate. He did this AFTER the second palo went into place so it looks like my thoughts that it was pa-pa are not accurate.

    Matthew C
    May 16, 2017 09:40:03 PM

    Cool, thanks for the info.

    Alessandro B
    October 19, 2017 10:18:23 AM

    Hi All, I’ve the same problem, ZVM and VRAs  are in the same subnet… how it possible that PaloAlto “close” the connection between IP of the same VLAN/subnet?

    thanks in advance

    WORKAROUD: I need to reeboot every night the VRA (four)

You must be logged in to create new topics. Click here to login