https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/240180#M68816 <P>Add&nbsp;filter.</P><P>Assuming that website IP is 1.1.1.1</P><P>Monitor &gt; Packet Capture</P><P>&nbsp;</P><P>Enable filter.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="filter.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17570iF0D2EFCE0B1E40A6/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="filter.JPG" alt="filter.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Go to cli and run command.</P><P>&gt; show counter global filter delta yes packet-filter yes</P><P>&nbsp;</P><P>Try to visit website and run command again.</P><P>&gt; show counter global filter delta yes packet-filter yes</P><P>&nbsp;</P><P>Do you see any where severity is drop?</P> Fri, 16 Nov 2018 19:18:26 GMT Raido_Rattameister 2018-11-16T19:18:26Z https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/239972#M68742 <P>Hi community,&nbsp;</P><P>i am trying to access a website from LAN side of palo alto, even though correct policy is configured, tcp handshake was not complete. after packet capture i am able to find below points</P><UL><LI>&nbsp;client sending syn packet</LI><LI>but i am not able to get syn-ack packet from server,</LI><LI>able to see&nbsp;one ack packets from server</LI><LI>server is using 3-way handshake only</LI><LI>server is sending syn-ack, but tcp window-scaling option is not available.</LI></UL><P>i have seen firewall will drop packet if window scaling information is not available in syn packet. can anybody tell whether i am hitting on same issue, if yes, how to solve it in palo alto</P> Thu, 15 Nov 2018 14:20:43 GMT https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/239972#M68742 Abdul_Razaq 2018-11-15T14:20:43Z https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/240022#M68752 <P>Hello,</P><P>Was the pcap performed from the PAN or from the client? I honestly suspect a routing issue since you are not getting any ack's.</P><P>&nbsp;</P><P>Hope that helps.</P> Thu, 15 Nov 2018 17:42:56 GMT https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/240022#M68752 OtakarKlier 2018-11-15T17:42:56Z https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/240092#M68772 <P>Hi klier,</P><P>No routing issue is involved, i am able to acces other sites, only this particular site is is not accessible. when i bypass firewall, i was getting syn-ack packet in my PC. when i access through firewall, firewall is dropping that particular packet.</P><P>for other sites, bypassing firewall or accessing through doesn't make any difference.</P> Fri, 16 Nov 2018 05:58:26 GMT https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/240092#M68772 Abdul_Razaq 2018-11-16T05:58:26Z https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/240180#M68816 <P>Add&nbsp;filter.</P><P>Assuming that website IP is 1.1.1.1</P><P>Monitor &gt; Packet Capture</P><P>&nbsp;</P><P>Enable filter.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="filter.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17570iF0D2EFCE0B1E40A6/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="filter.JPG" alt="filter.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Go to cli and run command.</P><P>&gt; show counter global filter delta yes packet-filter yes</P><P>&nbsp;</P><P>Try to visit website and run command again.</P><P>&gt; show counter global filter delta yes packet-filter yes</P><P>&nbsp;</P><P>Do you see any where severity is drop?</P> Fri, 16 Nov 2018 19:18:26 GMT https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/240180#M68816 Raido_Rattameister 2018-11-16T19:18:26Z https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/240221#M68851 <P>Hi Radio,</P><P>&nbsp;</P><P>Thanks for your input.</P><P>the counter was increasing in my case because of out-of-window packets. after putting '<SPAN>set deviceconfig setting tcp asymmetric-path bypass' command, the website is accessible. it solved my issue. but it does look like an workaround only as the command is designed for assymetric routing. as of my understanding, in my case,</SPAN><SPAN>&nbsp;definitly the issue is not assymetric but because of firewall doesnt have window information.</SPAN></P><P>&nbsp;</P><P><SPAN>if i put this command, will i get any security risk as replay attack?</SPAN></P> Sat, 17 Nov 2018 07:15:42 GMT https://live.paloaltonetworks.com/t5/general-topics/syn-without-window-scale-option/m-p/240221#M68851 Abdul_Razaq 2018-11-17T07:15:42Z