topic Re: incomplete in General Topics

incomplete

oitspa — Thu, 27 Sep 2012 19:33:37 GMT

Hello,

I need urgent help. I dont know why but from one moment during the day is one website unreachable from our internal network(only this website). There was no change in configuration PA500, no changes in web server configuration. From outside of company is website reachable without problem. What I see in log is for this session application:incomplete.

I tried different computers, restart PA but no change, website still unreachable.

I dont know what I can do more. Please, help.

Thank you very much

Re: incomplete

ppatel — Thu, 27 Sep 2012 19:58:11 GMT

Incomplete means that either the three way tcp handshake did NOT complete or the three way tcp handshake did complete but there was no data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.

So to explain a little clearer, if a client sends a server a syn and the paloalto device creates a session for that syn, but the server never sends a syn ack in response back to the client, then that session would be seen as incomplete.

Regards

Parth

Re: incomplete

oitspa — Thu, 27 Sep 2012 20:06:28 GMT

OK, it is clear but what can I do to solve it? We didnt change PA configuration and also web server configuration. Websites are from outside of company reachable?

Re: incomplete

ppatel — Thu, 27 Sep 2012 20:07:21 GMT

Do packet captures on the firewall at the transmit, receive and drop stage.

https://live.paloaltonetworks.com/docs/DOC-1653

You would be able to point out the root cause.

If the server is not responding most likely the receive/ transmit stage will send out SYN but not receive SYN-ACKs.

Let me know if that helps.

Regards

Parth

Re: incomplete

sdurga — Thu, 27 Sep 2012 20:12:12 GMT

Also check your threat logs if you are seeing any drops there. Which website is this ?

Re: incomplete

oitspa — Thu, 27 Sep 2012 20:13:28 GMT

www.spapiestany.sk

Re: incomplete

sdurga — Thu, 27 Sep 2012 21:53:59 GMT

I have tried accessing this behind my firewall. It is not blocked as virus or through URL filtering. In your case you might need to do a packet capture and see what is failing.

Re: incomplete

acamacho — Thu, 27 Sep 2012 22:11:44 GMT

You can also try and open up a security policy and specify the source IP of the test host pc.

Create an any any policy without any scan profiles as well.

Move the policy to the top.

If this works then review the existing policy to see if the application or scan profiles might be preventing the traffic from being identified.

If this still does not work you might want to call into support or your local reseller for assistance.

Thank you

Re: incomplete

oitspa — Fri, 28 Sep 2012 07:35:29 GMT

Hello Parth,

I tried to collect more details by capturing and enclosing result files. I am not sure where is the problem...

Re: incomplete

ppatel — Fri, 28 Sep 2012 08:30:59 GMT

Hi,

It appears that a RST-ACK is sent by the the client 62.112.193.167.

Can you just once again confirm the issue

" From outside of company is website reachable without problem"

Are you having issues accessing website from inside or outside? It appears that there is no translation in the pcaps.

Is your purpose trying to access the website from inside with a public ip-address?

Regards

Parth

Re: incomplete

oitspa — Fri, 28 Sep 2012 08:38:40 GMT

Hi,

confirm - from outside of company is everything OK. You can try www.spapiestany.sk

We have issue to access the website only from internal network, behind the PA. (company network - PA - public internet)

Re: incomplete

ppatel — Fri, 28 Sep 2012 09:15:57 GMT

If you want to access the website from the internal zone (say trust zone having private ip-addressees) to a web server that is physical located inside but you want to access using the public ip-address, you need to configure a U-Turn NAT rule.

https://live.paloaltonetworks.com/docs/DOC-1678

Let me know if this helps.

If it is an urgent issue and you are still unable to access the website from inside please contact support.

Regards

Parth

Re: incomplete

oitspa — Fri, 28 Sep 2012 09:20:17 GMT

hello,

it is probably misunderstanding, web server is not inside of our network (not physically located in internal network). Web server is outside of our company and also country.

Re: incomplete

ppatel — Fri, 28 Sep 2012 09:29:59 GMT

So your security rules should look like the following:-

SECURITY:-

Source zone: Trust

Destination Zone: Untrust

Source address: Any

Destination address: -website public ip-address

Action : Allow

NAT :--

Source zone:- Trust

Destination Zone :- Untrust

Source address Any

Destination address :- Website public ip-address

Source translation : type:- Dynamic ip and port ; interface : Public facing interface

Destination translation: None

Regards

Parth

Re: incomplete

ppatel — Fri, 28 Sep 2012 10:00:25 GMT

Also I tested in the lab and as expected the the traffic just went fine and I was able to access the website from inside.

The three way hand shake starts with the an internal ip-address 10.101.100.108.

However in your case a SYN is received from the server (i.e 62.112.193.167) which should not be the case. see below:-

Try clearing all the sessions on the firewall pertaining to ip 62.112.193.167

From the CLI,

admin@Lab-59-PA-500> clear session all filter source 62.112.193.167

admin@Lab-59-PA-500> clear session all filter destination 62.112.193.167

admin@Lab-59-PA-500> clear session all filter source <test -pc ip-address>

Test it now.

Regards

Parth

Re: incomplete

oitspa — Fri, 28 Sep 2012 11:19:12 GMT

hello Parth,

I tried to clear all sessions but final result is the same, website is not accessible from internal network.

I am enclosing last capture outputs.