topic Weirdest thing I have seen in General Topics

Weirdest thing I have seen

scottoliver — Wed, 11 Jul 2018 19:59:58 GMT

Having a weird issue. I installed an 820. I have internet traffic being NAT'ed. My gateway is set to the Palo. My hops to the internet look like this

Windows Box ---> Palo 820 --> Cisco Pix --> Internet Provider

Pretty basic.. I have a rule in place to allow all internal to 0.0.0.0/0 443, 80..

I can get to anything google even your tube just fine. works fast no hesitation. If I go anywhere else ( MSN, Yahoo, CNN) I get nothing. Traffic drops. I cant figure this out for the life of me.

I got a pcap going to google and going to red.com (52.73.0.154)

I can get to google but not red. I cant find a difference. Any ideas would be appreciated.

Re: Weirdest thing I have seen

BPry — Wed, 11 Jul 2018 21:05:03 GMT

@scottoliver,

First thing that comes to mind would be an MTU mismatch between the Palo and the Pix?

Re: Weirdest thing I have seen

LukeBullimore — Thu, 12 Jul 2018 13:54:06 GMT

Hi @scottoliver,

If you're able to quantify a reliable source and destination IP address for a flow that isn't working, I would recommend taking a look at the global counters. This will show you what is being blocked, whether it be due to a policy deny or MTU issues like @BPry states.

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-check-global-counters-for-a-specific-source-and/ta-p/65794

Thanks,

Luke.

Re: Weirdest thing I have seen

scottoliver — Thu, 12 Jul 2018 17:39:58 GMT

I did look at the counters and there were no drops. I cleared all sessions to the destination. I set up my filters to 52.73.0.154. I turned my filters on.

I ran this command to clear the counters data out. ( show counter global filter delta yes packet-filter yes severity drop ) . I turned the capture on and ran (show counter global filter delta yes packet-filter yes severity drop) again to make sure I had 0 counters...

I then iniated the connection to the above address.. I ran a local wireshark to watch the connection so I knew when it was finished. When the connection was finished I ran ( show counter global filter delta yes packet-filter yes severity drop ) again and it came back with 0 counters hit...

Looking at the PCAPS packets do not appear to be getting dropped at all.. I can zip the pcaps and upload them to my server if anyone wants to take a look at them to see if they see something I do not.

Re: Weirdest thing I have seen

scottoliver — Thu, 12 Jul 2018 17:41:03 GMT

Thinking it might be a TCP window sizing issue but not 100%

Re: Weirdest thing I have seen

hfregoso — Thu, 12 Jul 2018 20:35:25 GMT

Do you see the packet going to red.com hitting your PIX?

Is your DNS doing proper resolution for red.com?

Can you issue a show session all filter destination 52.73.0.154?

If you see the session please open it in the session browser and see the progress of the connectin.

Collecting this information will be a good start.