https://live.paloaltonetworks.com/t5/general-topics/strange-packet-drop/m-p/193847#M58074 <P>Hello,</P><P>In the logs there is the one that says 'Incomplete' for the application. This happens for several reasons, but in my experience, it is 95% of the time a routing issue between the hosts. Could be asymmetric routing or something else.</P><P>&nbsp;</P><P>Hope that helps.</P> Thu, 04 Jan 2018 15:11:19 GMT OtakarKlier 2018-01-04T15:11:19Z https://live.paloaltonetworks.com/t5/general-topics/strange-packet-drop/m-p/193804#M58067 <P>Hello guys,</P><P>&nbsp;</P><P>I have a PA820 in active/passive mode who has a strange behaviour. I have created a rule that permits that traffic but the device drops it. I see "allow"in the logs, but with a capture I can clearly see the SYN in the dropped section and not "syn/ack" and "ack".</P><P>&nbsp;</P><P>I have also tried to put an "any/any" rules, it matches but the behaviour is the same,</P><P>I have put "any" in the Application and Services fields and also disabled any antivirus check.</P><P>&nbsp;</P><P>Any idea?</P><P>Attached the two images.</P><P>&nbsp;</P><P>Thanks</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PA_log_forum.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13126i66D67AB1594C6F0F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PA_log_forum.png" alt="PA_log_forum.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PA_rule_forum.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13127i3C4257BB483E75E0/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PA_rule_forum.png" alt="PA_rule_forum.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 04 Jan 2018 10:46:01 GMT https://live.paloaltonetworks.com/t5/general-topics/strange-packet-drop/m-p/193804#M58067 Shye80 2018-01-04T10:46:01Z https://live.paloaltonetworks.com/t5/general-topics/strange-packet-drop/m-p/193847#M58074 <P>Hello,</P><P>In the logs there is the one that says 'Incomplete' for the application. This happens for several reasons, but in my experience, it is 95% of the time a routing issue between the hosts. Could be asymmetric routing or something else.</P><P>&nbsp;</P><P>Hope that helps.</P> Thu, 04 Jan 2018 15:11:19 GMT https://live.paloaltonetworks.com/t5/general-topics/strange-packet-drop/m-p/193847#M58074 OtakarKlier 2018-01-04T15:11:19Z https://live.paloaltonetworks.com/t5/general-topics/strange-packet-drop/m-p/193864#M58077 <P>'incomplete' in the application means the initial syn packet was allowed to pass through the firewall, but a returning ack was never seen.</P> <P>This could be a routing issue as <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a> mentions, NAT not being applied properly or the remote host simply not responding to your connection (due to it being down our out of resources,...)</P> <P>&nbsp;</P> <P>best way to troubleshoot is to verify if NAT is applied in the egress stage packetcapture and traceroute to verify your packets are following an appropriate route</P> Thu, 04 Jan 2018 15:52:11 GMT https://live.paloaltonetworks.com/t5/general-topics/strange-packet-drop/m-p/193864#M58077 reaper 2018-01-04T15:52:11Z