topic Re: Aged-out issue in General Topics

Aged-out issue

itsuki.h1991 — Thu, 29 Jun 2017 04:24:20 GMT

Hi,

I have configured PA on Azure but it is unable to ping to PA.

It always shows that "aged-out" as error message.

Once I ping to proxy-server on Azure, the log is shown on PA but it is aged out and could not get the response.

I did set up Static route and everything.

I have set up as below.

PC->Azure(PA)-Azure(Proxy server)-Intenet

Can anybody please help me to solve this issue?

Re: Aged-out issue

TranceforLife — Wed, 28 Jun 2017 06:56:08 GMT

Ping always shows in the traffic logs as "aged-out" in the session end reason column. This is because it doesn't have any TCP/UDP port. Are you pinging PA interface?

Re: Aged-out issue

itsuki.h1991 — Wed, 28 Jun 2017 07:35:54 GMT

I understand that, but apart from ping, all of the "application" column shows as "Incompelete."

i did ping to the interface of PA and the proxy servers on Azure, but both of them are failed.

Re: Aged-out issue

BPry — Wed, 28 Jun 2017 14:13:30 GMT

@itsuki.h1991,

It sounds like something wasn't configured correctly but we would need to know a lot more information then what you have displayed to actually point you in the right direction.

What does your interface configuration look like?

Did you follow any of the guides to configure this setup?

What does your routing look like, and can you reach a website and it's simply showing as incomplete or do you not actually resolve things properly?

Re: Aged-out issue

itsuki.h1991 — Wed, 28 Jun 2017 23:42:22 GMT

I have set up as below..

Even i choose DHCP, the interface got correct IP address i expected.

I followed guide regarding PA on VM but the detail is not written much.

No i cant reach any website, it is failed and shows as "Incomplete".

I set up routing table as well but it seems it is not working at all. Regardless i set the routing table or not, the result is completely same.

Re: Aged-out issue

TranceforLife — Thu, 29 Jun 2017 06:40:06 GMT

Can Palo reach the internet?

Re: Aged-out issue

itsuki.h1991 — Thu, 29 Jun 2017 06:43:49 GMT

no it cant access internet...

Re: Aged-out issue

TranceforLife — Thu, 29 Jun 2017 06:54:54 GMT

What is your default gateway on PA. Can you ping that ip? Can Palo resolve cisco.com website?

Re: Aged-out issue

itsuki.h1991 — Thu, 29 Jun 2017 08:18:15 GMT

Do you mean MGT default gateway? it is 172.28.194.4, and ping is unreachable. but i can ping to management port and trust and untrust interface now.

Re: Aged-out issue

TranceforLife — Thu, 29 Jun 2017 08:27:10 GMT

PA uses mgmt port (by default) for all own communication (means initiated by the device itself). You have to have a default route (at least if you are not using any dynamic protocol) for all your traffic which is traversing device (client traffic):

So when you SSHed into the device and pinging let's say 8.8.8.8, you by default, using your mgmt default gateway in order to get to the Google public DNS. All your client's traffic is routed through the firewall based on the virtual router attached to the zone (as well as routing table in the VR).

Re: Aged-out issue

itsuki.h1991 — Thu, 29 Jun 2017 08:38:15 GMT

Yes i did set up the default gateway..

but all of the result is "aged-out" and application is recognised as "incomplete".

Re: Aged-out issue

TranceforLife — Thu, 29 Jun 2017 09:18:26 GMT

So can you ping your default gateway on the WAN?

Can you add columns bytes set/bytes received in the monitoring TAB. Then you can check if you receive some data back once the session is initiated. Incomplete means not enough data fro the PA in the session to determine which application is in use. Aged-out for TCP most of the time no 3-way handshake completed (routing issue, asymmetric routing, another firewall on the way etc):

SSH into the box and source the traffic from the internal PA source ip address. In my case see below:

> ping source 192.168.163.1 host cisco.com

After, check the logs. Especially bytes received column.

Re: Aged-out issue

itsuki.h1991 — Wed, 05 Jul 2017 02:48:05 GMT

Hi sorry for the late reply.

I could not find the "bytes sent" and "byetes receive" on the monitor tab.

However I could ping from the internal IP of PA to cisco.com and it shows on the monitor tab.

but now it still shows that "incomplete" on the application column.

Could you help me to solve to access the website through PA?