https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279563#M75724 <P>Hi Reaper</P><P>&nbsp;</P><P><SPAN>If no syn-ack is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself</SPAN></P><P>&nbsp;</P><P><SPAN>Answer : For your information, I can able to reach the same website from the external network (outside network). Through the palo alto firewall only I couldn't access the website.</SPAN></P><P>&nbsp;</P><P><SPAN>Need to check with ISP side aslo and let you know.</SPAN></P><P>&nbsp;</P><P><SPAN>Regards</SPAN></P><P><SPAN>Mohammed Asik</SPAN></P> Fri, 26 Jul 2019 11:20:13 GMT MohammedAsik 2019-07-26T11:20:13Z https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279508#M75714 <P>Hi Team</P><P>&nbsp;</P><P>We have PA 220 firewall with 8.1.5 PAN os version.</P><P>&nbsp;</P><P>We have tried to reach one particular website but its not reachable. When we checked the traffic logs that application was shown as "incomplete" and the end session reason was aged-out.</P><P>&nbsp;</P><P>Note : Same website can be reached by external network.</P><P>&nbsp;</P><P>For testing purpose, we have created one security policy on the top as below&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sec policy.PNG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20790i96CE8D0B501E063E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Sec policy.PNG" alt="Sec policy.PNG" /></span></P><P>&nbsp;</P><P>After that also particular&nbsp; we are getting the same error "application incomplete" in the traffic logs.</P><P>&nbsp;</P><P>We have took the packet capture and its received only RX and Firewall files. No drops and tranmit packet we are not found</P><P>&nbsp;</P><P>As per the packet capture logs, Its send syn packets only. No SYN-ACK packets we are not received.</P><P>&nbsp;</P><P>How to fix the issue? Please help us&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Mohammed Asik</P><P>&nbsp;</P> Fri, 26 Jul 2019 05:33:53 GMT https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279508#M75714 MohammedAsik 2019-07-26T05:33:53Z https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279515#M75716 <P>hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/106720">@MohammedAsik</a>&nbsp;</P> <P>&nbsp;</P> <P>If no syn-ack is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself</P> <P>&nbsp;</P> <P>one thing you can check is to verify that outbound NAT is being applied properly, so the server has the right IP to reply to</P> <P>next, you could try traceroute to see if you are able to get to the server IP (there could be a routing or peering issue at the ISP level, or your IP could have been blacklisted on the server)</P> <P>&nbsp;</P> Fri, 26 Jul 2019 06:43:11 GMT https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279515#M75716 reaper 2019-07-26T06:43:11Z https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279563#M75724 <P>Hi Reaper</P><P>&nbsp;</P><P><SPAN>If no syn-ack is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself</SPAN></P><P>&nbsp;</P><P><SPAN>Answer : For your information, I can able to reach the same website from the external network (outside network). Through the palo alto firewall only I couldn't access the website.</SPAN></P><P>&nbsp;</P><P><SPAN>Need to check with ISP side aslo and let you know.</SPAN></P><P>&nbsp;</P><P><SPAN>Regards</SPAN></P><P><SPAN>Mohammed Asik</SPAN></P> Fri, 26 Jul 2019 11:20:13 GMT https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279563#M75724 MohammedAsik 2019-07-26T11:20:13Z https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279753#M75759 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/106720">@MohammedAsik</a>&nbsp;wrote:<BR /><P>Hi Reaper</P><P>&nbsp;</P><P><SPAN>If no syn-ack is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself</SPAN></P><P>&nbsp;</P><P><SPAN>Answer : For your information, I can able to reach the same website from the external network (outside network). Through the palo alto firewall only I couldn't access the website.</SPAN></P><P>&nbsp;</P><P><SPAN>Need to check with ISP side aslo and let you know.</SPAN></P><P>&nbsp;</P><P><SPAN>Regards</SPAN></P><P><SPAN>Mohammed Asik</SPAN></P><HR /></BLOCKQUOTE><P>&nbsp;</P><P>&lt;edit&gt;&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp; already came up with all my cool ideas.</P> Mon, 29 Jul 2019 14:21:02 GMT https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279753#M75759 Brandon_Wertz 2019-07-29T14:21:02Z https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279839#M75778 But wait, theres more: when you set up packet filters for packet capture, make sure you set filters in both directions and both pre- and post nat. See if the sequence numbers pan out, and verify the server isnt requesting some weird parameters the firewall wont support. For example: is there a smaller MTU somewhere? You may need to enable TCP MSS to circumvent that (if so, check if the server gets the message and is not ignoring it) Double check if outbound NAT is alright, check if the IP can independently traced to your firewall from the outside (potential arp issues on outside) Mon, 29 Jul 2019 19:49:03 GMT https://live.paloaltonetworks.com/t5/general-topics/website-getting-blocked/m-p/279839#M75778 reaper 2019-07-29T19:49:03Z