That's not surprising behaviour on a Palo Alto unit; they are still very young in the market, and my colleagues have had issues with NAT and proxy ARP in the recent past.

Chris Campbell

---------------------

On 9 Feb 2010, at 22:31, "Andrey Gordon" <andrey.gordon@gmail.com> wrote:
By changing my outbound IP address to a different one (I suspect effectively resetting sessions) the problem was solved. So, after that I set it back to the original source NAT. And the sites open up just fine still. It really behaves like a NAT table exhaustion, but the firewall only reports 13000 sessions in progress for all the NAT addresses on that firewall. I'm thinking memory leak or something. We only put that device in place this winter break and this is the second time this is happening. Last time was about 2-3 weeks ago.
Seems to be fixed for now and the f/w dude is opening a ticket with the f/w vendor.
-----
Andrey Gordon [andrey.gordon@gmail.com]