Technical Tip : Network Control Manager Server List panel takes a long time to load
Description
The Server List Panel in the Dashboard of the Network Control Manager (NCM) Administration UI takes an extremely long time to load.The following may also exhibit the same behavior:
- License Key Dashboard panel
- Hosts > Host View
In order to populate the UI, the tomcat-admin service in the NCM makes session calls to the pods. If there are communication issues between the NCM and any of the managed pods, the sessions created between the NCM and the pods hang, causing the UI behavior.
Scope
Version 8.x
Solution
Workaround: To clear the behavior, restart the tomcat-admin service. This will establish new connections to the pods. In the NCM CLI type:
service tomcat-admin restart
Note: The behavior will return if the communication between NCM and the pods continues to be interrupted.
Solution: Check firewalls for any packet filtering between the NCM and pods.
For required ports that must be allowed for communication, refer to the Open Ports reference manual in the Fortinet Document Library.
Palo Alto Firewalls
It is possible that firewall rules are not blocking, but the firewall is still dropping some packets. The following Palo Alto knowledgebase article provides information regarding a function called Asymmetric Routing Check. This function drops TCP packets Palo Alto receives that are out of order. The commands referenced below were sourced from this article:
Packets are Dropped Due to TCP Reassembly
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhsCAC
It is possible that firewall rules are not blocking, but the firewall is still dropping some packets. The following Palo Alto knowledgebase article provides information regarding a function called Asymmetric Routing Check. This function drops TCP packets Palo Alto receives that are out of order. The commands referenced below were sourced from this article:
Packets are Dropped Due to TCP Reassembly
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhsCAC
Note: Palo Alto may require login to access.
1. Check counters for evidence of out-of-sync TCP packets being dropped (refer to the knowledgebase article for instructions). As of this writing, the counters do not provide dropped packet source or destination IP address information.
2. If packets are dropping, verify if Palo Alto is configured to drop asymmetric tcp traffic. The following example shows the Asymmetric Routing Check is enabled:
> show running tcp state | match asymmetric
session with asymmetric path : drop packet
3. Customers have found disabling the Asymmetric Routing Check function improved communication between the NCM and managed pods.
Palo Alto UI method: Located in Zone Protection Profiles -> Packet Based Attack Protection -> TCP Drop
Palo Alto CLI command:
> configure
# set deviceconfig setting tcp asymmetric-path bypass
# commit
Refer to the knowledgebase article for additional details.
Palo Alto CLI command:
> configure
# set deviceconfig setting tcp asymmetric-path bypass
# commit
Refer to the knowledgebase article for additional details.