topic Re: Unable to access a site, please try for me in General Topics

Unable to access a site, please try for me

nicolap — Wed, 08 Jun 2016 12:33:52 GMT

I am unable to access this site in any way throuth my PA 3020 With Pan Os 7.1
Obviously is possible through a direct connection
Can someone try and temm me if is the same ?

https://www.spcconnect.com/

Re: Unable to access a site, please try for me

Transporter — Wed, 08 Jun 2016 12:34:48 GMT

Hi,

Able:

Re: Unable to access a site, please try for me

kiwi — Wed, 08 Jun 2016 15:40:08 GMT

Hi,

The site seems to be using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

Support for this suite was added in PAN-OS 7.1 :

Please check the following article :

PAN-OS-7-1-Supported-ciphers

Seeing that you are already using 7.1 ... are you using SSL decryption ? Have you tried disabling it for the site as a test ?

-Cheers.

Re: Unable to access a site, please try for me

nicolap — Wed, 08 Jun 2016 15:45:58 GMT

Obviously i defined 3 rules for my pc originating IP at the top to exit anywhere, to not decrypt, to not captive portal

I have PAN OS 7.1.2

😞

Re: Unable to access a site, please try for me

Transporter — Wed, 08 Jun 2016 16:15:01 GMT

Hi,

Did you try to do PCAP on the Palo and client site?

What error do you get on the screen when trying to access this particular site. Did you try with different a web browser?

Cheers

Re: Unable to access a site, please try for me

kiwi — Wed, 08 Jun 2016 16:15:56 GMT

I'd recommend setting up a filter with your originating IP address and check the global counters for drops. I'm guessing you will find some counters that could explain the behaviour :

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Troubleshoot-Using-Counters-via-the-CLI/ta-p/57496

Re: Unable to access a site, please try for me

nicolap — Wed, 08 Jun 2016 16:20:38 GMT

A strange thing

I have a Policy Forwarding that for some LAN ip outbound traffic doesnt go via WAN interface but is sent to a machine connected in DMZ and that machine is connected to internet with a software firewall

These routed machines can access this site normally

Only machines that goes out through palo alto doesnt work

Re: Unable to access a site, please try for me

nicolap — Wed, 08 Jun 2016 16:32:42 GMT

First image in log of conversation sending to machine in dmz that works

Se second is using PA WAN that dont work

@nicolap wrote:

I am unable to access this site in any way throuth my PA 3020 With Pan Os 7.1
Obviously is possible through a direct connection
Can someone try and temm me if is the same ?

https://www.spcconnect.com/

Re: Unable to access a site, please try for me

kiwi — Thu, 09 Jun 2016 07:03:44 GMT

Hi,

The application in the non-working scenario is 'incomplete'.

Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application.

For example, if a client sends a server a syn and the Palo Alto Networks device creates a session for that syn, but the server never sends a SYN ACK back to the client, then that session is incomplete.

I'd recommend to take PCAPs to confirm traffic is leaving the firewall on the correct egress interface and also take PCAPs on the destination server to verify if the packet reaches it and is returned correctly.

Cheers,

-Kim.

Re: Unable to access a site, please try for me

Transporter — Thu, 09 Jun 2016 10:14:17 GMT

Hi,

Also try to run just simple ping from Palo to the client and the web-site. Also source ping from the appropriate egress interface.

Cheers,

Re: Unable to access a site, please try for me

nicolap — Tue, 14 Jun 2016 14:41:46 GMT

It was very difficuolt to solve
I changed WAN IP of my PA and it works, i suppose that the website have banned my source ip, at now i am asking why

thx

Nicola