PAN (Palo Alto) firewalls and flapping Cisco WLC data/control paths

Just yesterday we migrated to a (Palo Alto Networks) PAN-5050 firewall in active-passive configuration. After that we experienced problems with flapping control and data paths between our foreign and anchor WLCs (Wireless LAN Controller). In this article I will describe a possible solution for flapping data/control paths in a Palo Alto / Checkpoint firewall environment. Scroll down to ‘Solution’ to skip preamble.

Our setup: We have four Cisco 4402 Series WLCs which are located in remote affiliates. These ‘foreign WLCs’ set up etherchannels to an ‘anchor WLC’, which is located in one of our DMZs.

After changing our firewall from Cisco to PAN we experienced flapping data and control paths. Investigation led to the assumption that the direction of initialization was somehow related to the flapping. Cisco's documentation says that the WLC with the lower MAC address initiates the etherchannel. This leads to the first conclusion:

  • It's important to know which side is initiating the etherchannel. As a result you may want to implement bidirectional rules for easier handling. Otherwise make sure that your firewall rules match the traffic flow.

The goal of this first step was to make sure that no more packets are dropped. As of PAN-OS 5.0.3 and AppVer 365-1733 (03/26/13), the applications were detected correctly (etherip and cisco-wlc-mobility). Only one thing seems a little bit weird: the traffic log says that etherip is using port 0 (I'm not sure about that one). However, we were still experiencing flapping paths.
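The direction check from this first step, as an added example that is not part of the original post: it reports which direction of the two mobility flows a rule set leaves uncovered. The zone names and rules are constructed, and the protocol numbers (UDP 16666 for the control path, IP protocol 97 for EtherIP) are assumptions taken from Cisco's documented mobility ports, not from this article.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption (Cisco's documented mobility ports, not stated in the post):
# control path = UDP 16666; data path = EtherIP, IP protocol 97, which has
# no layer-4 ports, so a rule for it can only match on the protocol number.
FLOWS = {"cisco-wlc-mobility": ("udp", 16666), "etherip": ("97", None)}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # constructed zone name
    dst: str
    proto: str           # "udp", or an IP protocol number as a string
    port: Optional[int]  # None = no port / any port
    action: str = "allow"

def first_match(rules, src, dst, proto, port):
    """Return the first rule matching the flow, evaluated top-down."""
    for r in rules:
        if (r.src, r.dst, r.proto) == (src, dst, proto) and r.port in (None, port):
            return r
    return None  # nothing matched: implicit deny

def missing_directions(rules, side_a, side_b):
    """List (application, src, dst) flows that no allow rule covers."""
    gaps = []
    for app, (proto, port) in FLOWS.items():
        for src, dst in ((side_a, side_b), (side_b, side_a)):
            hit = first_match(rules, src, dst, proto, port)
            if hit is None or hit.action != "allow":
                gaps.append((app, src, dst))
    return gaps

# Constructed rule sets: one written for a single direction, one bidirectional.
ONE_WAY = [
    Rule("mobility-ctl", "foreign-wlc", "anchor-dmz", "udp", 16666),
    Rule("mobility-data", "foreign-wlc", "anchor-dmz", "97", None),
]
BIDIRECTIONAL = ONE_WAY + [
    Rule("mobility-ctl-rev", "anchor-dmz", "foreign-wlc", "udp", 16666),
    Rule("mobility-data-rev", "anchor-dmz", "foreign-wlc", "97", None),
]

if __name__ == "__main__":
    for label, rules in (("one-way", ONE_WAY), ("bidirectional", BIDIRECTIONAL)):
        print(label, missing_directions(rules, "foreign-wlc", "anchor-dmz"))
```

With the one-way set, a tunnel initiated from the anchor side hits the implicit deny, which is the case the bidirectional rules are meant to remove.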


In the second step we changed the values for the timeouts on application level (on the PAN you can set customized values for TCP/UDP timeouts under Objects > Applications tab). Unfortunately the paths still didn't stop flapping.

SOLUTION: After that we changed the default values for the session timeouts (you'll find them under Device > Setup > Session tab in PAN-OS) and rebooted the foreign as well as the anchor WLCs; all data and control paths now seem to work fine. In the picture you will find the values which worked for me.

To my surprise this behavior/problem doesn't seem to be Palo Alto specific. In fact I found a topic on the Cisco Support forums where someone is having the same problems with a Checkpoint firewall. So this fix might be a general fix for problems with WLC data or control paths.


About sitweak
Monitoring, Network, Firewall, Mobile Security. I'm totally into that stuff!

2 Responses to PAN (Palo Alto) firewalls and flapping Cisco WLC data/control paths

  1. Anonymous says:

    Nice article and thank you for sharing! I implemented a new pair of 5050’s and encountered the same scenario with a Cisco 5508 and 4402 WLC. The mobility path would not establish between the two WLCs (mping to requests were failing). The Palo ended up having some stale sessions between the two WLCs, and after deleting and rebuilding the mobility groups on each WLC, rebooting the WLCs, and clearing the stale sessions between the two on the Palo, the control path established and the WLANs off the anchor worked again.
