- This topic has 9 replies, 4 voices, and was last updated November 12, 2018 by Alessandro B.
issues after Palo-Alto firewall installation
Since we put a Palo-Alto “intelligent” firewall in our target site, I’m seeing a huge number of site disconnect events, followed within seconds by a reconnect message. The issue is almost certainly with the firewall config, but I’m wondering if anyone has seen an issue like this before. My network guy is stumped.
e.g.
Alert turned on at 3/11/2016 3:07:45 PM: The Zerto Virtual Manager is not connected to site Madison (IP redacted).
And a similar slew from the VRAs.
I should add that, other than all the “spam” (52 messages per event), it doesn’t appear to be having any negative effect on RPO or causing sync issues… yet.
The ZVMs keep an open connection with a keep-alive interval (10 minutes by default). It sounds like your firewall is closing this, which is causing the issue.
The simplest answer is to allow all traffic between Zerto components or change the firewall settings to not close the connections. Thanks,
Joshua
Thanks, Joshua.
It APPEARS it may be an issue between how the Cisco at the source side and the Palo Alto on the target side decide the tunnel should be up for the VPN. I’ll share any specifics if they are available.
Steven – Curious, did you ever run this down? I ask because I just put in a Palo Alto firewall in one of my datacenters and now I’m getting sporadic site disconnects between ZVMs. Clearly it’s the change in firewall, but I haven’t yet figured out how to resolve it.
Not 100%. When we got to a PA – PA config for our tunnel, my network engineer and PA support did some tweaking to get it stable, but I don’t know what they did and he doesn’t share well. Getting off a split 5530 – PA helped, or forced the hand at least.
Thanks for the reply. If you ever get your guy to share, I’d be interested in hearing the resolution. If you ever login to the PA support portal and pull the information on the ticket resolution, I’d be happy to read it. 🙂 Thanks again.
OK, just talked to Andy. He says, to the best of his recollection, that in the session timeouts section he set TCP to 3600 seconds to keep the tunnel alive. Palo Alto mentioned that they were seeing the tunnel shut down, then re-initiate. He did this AFTER the second Palo went into place, so it looks like my thoughts that it was PA – PA are not accurate.
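An added diagnostic, not code from this thread, from Zerto or from Palo Alto: the script below groups ZVM “not connected” alerts into disconnect episodes and checks whether they recur once per ZVM keep-alive interval (10 minutes, per Joshua’s reply). That periodicity is the signature of a middlebox idle timeout shorter than the keep-alive: the firewall silently ages the session out, the ZVM only notices at its next keep-alive, reconnects, and the cycle repeats until the timeout is raised above the keep-alive (the thread’s fix was a TCP session timeout of 3600 seconds). The sample lines are constructed from the single alert quoted above; the “Alert turned off” wording for the reconnect message, the duplicate “on” line standing in for the per-event spam, and the site name are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the one alert quoted in the thread. The
# "Alert turned off" line is an assumed form of the reconnect message, and the
# second "on" line imitates the repeated alerts seen within one event.
SAMPLE_ALERTS = """\
Alert turned on at 3/11/2016 3:07:45 PM: The Zerto Virtual Manager is not connected to site Madison (IP redacted).
Alert turned on at 3/11/2016 3:07:46 PM: The Zerto Virtual Manager is not connected to site Madison (IP redacted).
Alert turned off at 3/11/2016 3:07:52 PM: The Zerto Virtual Manager is not connected to site Madison (IP redacted).
Alert turned on at 3/11/2016 3:17:46 PM: The Zerto Virtual Manager is not connected to site Madison (IP redacted).
Alert turned off at 3/11/2016 3:17:51 PM: The Zerto Virtual Manager is not connected to site Madison (IP redacted).
Alert turned on at 3/11/2016 3:27:47 PM: The Zerto Virtual Manager is not connected to site Madison (IP redacted).
Alert turned off at 3/11/2016 3:27:55 PM: The Zerto Virtual Manager is not connected to site Madison (IP redacted).
"""

ALERT_RE = re.compile(
    r"^Alert turned (?P<state>on|off) at (?P<ts>.+?): "
    r"The Zerto Virtual Manager is not connected to site (?P<site>\S+)"
)
TS_FMT = "%m/%d/%Y %I:%M:%S %p"   # matches "3/11/2016 3:07:45 PM"


def parse_alerts(text):
    """Return (state, timestamp, site) for every line that matches the alert shape."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            events.append((m["state"], datetime.strptime(m["ts"], TS_FMT), m["site"]))
    return events


def episodes(events):
    """Pair each site's first 'on' with its next 'off'; repeated 'on' lines are folded in."""
    open_since, out = {}, []
    for state, ts, site in sorted(events, key=lambda e: e[1]):
        if state == "on":
            open_since.setdefault(site, ts)   # keep the earliest 'on' of the episode
        elif site in open_since:
            start = open_since.pop(site)
            out.append({"site": site, "start": start, "end": ts,
                        "outage_s": (ts - start).total_seconds()})
    return out


def disconnect_period_s(eps):
    """Median seconds between consecutive disconnects of the same site (None if < 2)."""
    starts = defaultdict(list)
    for e in eps:
        starts[e["site"]].append(e["start"])
    gaps = []
    for site_starts in starts.values():
        site_starts.sort()
        gaps += [(b - a).total_seconds() for a, b in zip(site_starts, site_starts[1:])]
    return statistics.median(gaps) if gaps else None


def looks_like_idle_timeout(period_s, keepalive_s=600, tolerance=0.1):
    """True when disconnects recur once per keep-alive interval, i.e. the session
    dies between keep-alives and is only noticed at the next one."""
    if period_s is None:
        return False
    return abs(period_s - keepalive_s) <= tolerance * keepalive_s


if __name__ == "__main__":
    eps = episodes(parse_alerts(SAMPLE_ALERTS))
    for e in eps:
        print(f"{e['site']}: down {e['start']:%H:%M:%S} -> {e['end']:%H:%M:%S} ({e['outage_s']:.0f} s)")
    period = disconnect_period_s(eps)
    print(f"median period between disconnects: {period:.0f} s")
    if looks_like_idle_timeout(period):
        print("pattern matches a session idle timeout shorter than the 600 s keep-alive; "
              "raise the firewall's TCP session timeout above the keep-alive")
```

Run it against an export of the ZVM alert log in the same shape. A period that sits near the keep-alive interval points at the firewall’s session aging; a period that is irregular or much longer points elsewhere (the VPN tunnel renegotiation the earlier replies suspected, for instance), and the outage length tells you how quickly the ZVM recovers once it notices.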
Cool, thanks for the info.
Hi All, I’ve the same problem; ZVM and VRAs are in the same subnet… how is it possible that Palo Alto “closes” the connection between IPs in the same VLAN/subnet?
Thanks in advance.
WORKAROUND: I need to reboot the VRAs (four) every night.