https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-rst-from-client/m-p/544516#M1376 <P>Hi Friends,</P> <P>&nbsp;</P> <P>We have a requirement we have cloud server Oracle cloud</P> <P>When ever user from LAN tries to access the resources over the cloud user is able to login but unable to access any resources.</P> <P>While checking in logs it is showing tcp-rst-from-client.</P> <P>I am attaching the screenshot and session flow for reference.</P> <P>I am also attaching the wire shark screenshot for reference.</P> <P>&nbsp;</P> <P>I have tried by changing the tcp settings</P> <P>Asymmetric Path to bypass.</P> <P>&nbsp;</P> <P>Session Flow.</P> <P>Session 125186</P> <P>c2s flow:<BR />source: 10.30.20.91 [Trust]<BR />dst: 10.30.22.100<BR />proto: 6<BR />sport: 50463 dport: 443<BR />state: INIT type: FLOW<BR />src user: unknown<BR />dst user: unknown<BR />qos node: tunnel.44, qos member N/A Qid 0</P> <P>s2c flow:<BR />source: 10.30.22.100 [Untrust]<BR />dst: 10.30.20.91<BR />proto: 6<BR />sport: 443 dport: 50463<BR />state: INIT type: FLOW<BR />src user: unknown<BR />dst user: unknown<BR />qos node: ae1, qos member N/A Qid 0</P> <P>start time : Thu Jun 1 18:26:47 2023<BR />timeout : 30 sec<BR />total byte count(c2s) : 18951<BR />total byte count(s2c) : 23013<BR />layer7 packet count(c2s) : 41<BR />layer7 packet count(s2c) : 38<BR />vsys : vsys1<BR />application : ssl<BR />rule : Test Vinay<BR />service timeout override(index) : False<BR />session to be logged at end : True<BR />session in session ager : False<BR />session updated by HA peer : False<BR />layer7 processing : completed<BR />URL filtering enabled : True<BR />URL category : not-resolved<BR />session via syn-cookies : False<BR />session terminated on host : False<BR />session traverses tunnel : True<BR />session terminate tunnel : False<BR />captive portal session : False<BR />ingress interface : ae1<BR />egress interface : tunnel.44<BR />session QoS rule : N/A (class 4)<BR />tracker stage firewall : TCP RST - client<BR />tracker stage l7proc : ctd decoder done<BR />end-reason : tcp-rst-from-client</P> <P>&nbsp;</P> <P>Can you help me what might be the resolution for this.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Satya Kalyan.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (207).png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50615iEA8B22E18DD633C5/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot (207).png" alt="Screenshot (207).png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (209).png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50616i07B0934E888857E1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot (209).png" alt="Screenshot (209).png" /></span>&nbsp;</P> Fri, 02 Jun 2023 07:41:33 GMT Satyak 2023-06-02T07:41:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-rst-from-client/m-p/544516#M1376 <P>Hi Friends,</P> <P>&nbsp;</P> <P>We have a requirement we have cloud server Oracle cloud</P> <P>When ever user from LAN tries to access the resources over the cloud user is able to login but unable to access any resources.</P> <P>While checking in logs it is showing tcp-rst-from-client.</P> <P>I am attaching the screenshot and session flow for reference.</P> <P>I am also attaching the wire shark screenshot for reference.</P> <P>&nbsp;</P> <P>I have tried by changing the tcp settings</P> <P>Asymmetric Path to bypass.</P> <P>&nbsp;</P> <P>Session Flow.</P> <P>Session 125186</P> <P>c2s flow:<BR />source: 10.30.20.91 [Trust]<BR />dst: 10.30.22.100<BR />proto: 6<BR />sport: 50463 dport: 443<BR />state: INIT type: FLOW<BR />src user: unknown<BR />dst user: unknown<BR />qos node: tunnel.44, qos member N/A Qid 0</P> <P>s2c flow:<BR />source: 10.30.22.100 [Untrust]<BR />dst: 10.30.20.91<BR />proto: 6<BR />sport: 443 dport: 50463<BR />state: INIT type: FLOW<BR />src user: unknown<BR />dst user: unknown<BR />qos node: ae1, qos member N/A Qid 0</P> <P>start time : Thu Jun 1 18:26:47 2023<BR />timeout : 30 sec<BR />total byte count(c2s) : 18951<BR />total byte count(s2c) : 23013<BR />layer7 packet count(c2s) : 41<BR />layer7 packet count(s2c) : 38<BR />vsys : vsys1<BR />application : ssl<BR />rule : Test Vinay<BR />service timeout override(index) : False<BR />session to be logged at end : True<BR />session in session ager : False<BR />session updated by HA peer : False<BR />layer7 processing : completed<BR />URL filtering enabled : True<BR />URL category : not-resolved<BR />session via syn-cookies : False<BR />session terminated on host : False<BR />session traverses tunnel : True<BR />session terminate tunnel : False<BR />captive portal session : False<BR />ingress interface : ae1<BR />egress interface : tunnel.44<BR />session QoS rule : N/A (class 4)<BR />tracker stage firewall : TCP RST - client<BR />tracker stage l7proc : ctd decoder done<BR />end-reason : tcp-rst-from-client</P> <P>&nbsp;</P> <P>Can you help me what might be the resolution for this.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Satya Kalyan.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (207).png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50615iEA8B22E18DD633C5/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot (207).png" alt="Screenshot (207).png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (209).png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50616i07B0934E888857E1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot (209).png" alt="Screenshot (209).png" /></span>&nbsp;</P> Fri, 02 Jun 2023 07:41:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-rst-from-client/m-p/544516#M1376 Satyak 2023-06-02T07:41:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-rst-from-client/m-p/544518#M1377 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/223445">@Satyak</a>&nbsp; - few points to note here</P> <P>1) Assuming that your connectivity from On-Prem to Cloud is via IPSec&nbsp; &amp; do you have firewall rules allowed from the firewall on cloud to the Onprem Subnets?</P> <P>2)Is it only the few users or all the users facing the problem?</P> <P>3) Try to induce a catch all policy to for further troubleshooting</P> <P>&nbsp;</P> <P>Lets wait for more senior members to comment as well</P> Fri, 02 Jun 2023 07:59:02 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-rst-from-client/m-p/544518#M1377 ToughGuy_PAN 2023-06-02T07:59:02Z https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-rst-from-client/m-p/544540#M1380 <P>Yes ipsec tunnel is created and rule is also created.</P> <P>everyone from LAN is effected</P> Fri, 02 Jun 2023 10:26:37 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-rst-from-client/m-p/544540#M1380 Satyak 2023-06-02T10:26:37Z