https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/286105#M76538 <P>Model PA-850 pan os 8.1.8</P><P>&nbsp;</P><P>ssl decryption not enabled</P><P>&nbsp;</P><P>regards</P><P>venky</P> Sat, 31 Aug 2019 16:23:28 GMT Venkatesan_radhakrishnan 2019-08-31T16:23:28Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285844#M76490 <P>HI Guys,</P><P>&nbsp;</P><P>Customer has deployed Palo alto firewall in virtual wire mode between Cisco Meraki Gateway and Cisco meraki coreswitch.</P><P>&nbsp;</P><P>We are seeing a issue where the website is not loading in first attempt. For example if we are seeing visiting website XYZ.com for first time in network it shows an error "This Site can't be reached the connection was reset" and immediatelty with in a second. This error appears may be for 2 seconds in screen not much more that mentioned.</P><P>&nbsp;</P><P>Initially I thought this could be his internal DNS issue in PC, So I tried changing DNS to 8.8.8.8 and tried browsing new sites no luck and then while seeing drop counter I have seen drops for "url request pkt " and "flow tcp non syn" then I set tcp non syn lookup to false and configured timeout for url request lookup to 60 seconds but the issue is still not resolved.</P><P>&nbsp;</P><P>This issue happens with all the users as per customer, While in capturing im seeing lot of TCP retransmission sent for PSH ACK from source to destination.</P><P>&nbsp;</P><P>This issue looks strange also for your knowledged there is security profiles attached the policy i removed all for testing purpose which also not resolved the issue.</P><P>&nbsp;</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;Your valuable comments will add more value to this issue.</P><P>&nbsp;</P><P>Regards</P><P>Venky</P> Thu, 29 Aug 2019 19:18:46 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285844#M76490 Venkatesan_radhakrishnan 2019-08-29T19:18:46Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285855#M76493 <P>Thanks for the info you have.</P><P>&nbsp;</P><P>At this time, take small steps to troubleshoot.</P><P>Removing the security profiles are good, but not the source of the issue, based on responses you provided.</P><P>&nbsp;</P><P>Turn off any DoS Policy and also remove your Zone Protection Profile from the zones, and test.</P><P>&nbsp;</P><P>Something within Content Inspection appears to be causing the issue.</P> Thu, 29 Aug 2019 20:07:19 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285855#M76493 S.Cantwell 2019-08-29T20:07:19Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285856#M76494 <P>Dos profile disabled and zone protection configured only for alert.</P><P>&nbsp;</P> Thu, 29 Aug 2019 20:10:23 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285856#M76494 Venkatesan_radhakrishnan 2019-08-29T20:10:23Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285858#M76496 <P>As I mentioned, please remove the Zone protection profile and test again.</P><P>&nbsp;</P><P>The alert functionality is for Port Scans and Host Sweeps.</P><P>&nbsp;</P><P>If you are seeing drops, then it is the ZPP that could be root cause.</P><P>&nbsp;</P><P>Remove ZPP, test, and then report back to us.&nbsp; <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P><P>&nbsp;</P><P>Thank you.</P> Thu, 29 Aug 2019 20:13:15 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285858#M76496 S.Cantwell 2019-08-29T20:13:15Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285859#M76497 <P>Zone protection will not help here why because I’m not seeing any drops related to zone protection in global counter.</P><P>&nbsp;</P><P>if I have seen zone protection drop counter I would have disabled it and tried&nbsp;</P><P>&nbsp;</P> Thu, 29 Aug 2019 20:16:07 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285859#M76497 Venkatesan_radhakrishnan 2019-08-29T20:16:07Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285860#M76498 <P>Hello again</P><P>&nbsp;</P><P>Your comment in your orginal post was</P><P>&nbsp;</P><P>I have seen drops for "url request pkt " and <STRONG>"flow tcp non syn</STRONG>" then I set tcp non syn lookup to fals.</P><P>&nbsp;</P><P>Part of ZPP includes</P><P>&nbsp;</P><P><STRONG>Reject Non-SYN TCP:</STRONG> Determines whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:</P><UL><LI>global—Use system-wide setting that is assigned through the CLI.</LI><LI>yes—Reject non-SYN TCP traffic.</LI><LI>no—Accept non-SYN TCP traffic.</LI></UL><P>&nbsp;</P><P>This why I am requesting that you just test removing ZPP for 5 minutes to see if this helps.</P><P>As I mentioned, it just small logical troubleshooting steps.</P><P>&nbsp;</P><P>You could also run a tech support FW and open an offical ticket with TAC.</P><P>&nbsp;</P><P>We want to assist you as much as possible.</P><P>&nbsp;</P><P>For me personally, I have seen and experienced this issue, both as a Pro Service consultant and instructor of 8 years on PANW hardware. This is why I am attempting to assist you to rule out or confirm ZPP.&nbsp; I have other steps that could be done, but wanted to get the easy ones out of the way initially.</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P> Thu, 29 Aug 2019 20:23:13 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285860#M76498 S.Cantwell 2019-08-29T20:23:13Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285861#M76499 <P>Ok I’ll check your opinion&nbsp;</P> Thu, 29 Aug 2019 20:25:16 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285861#M76499 Venkatesan_radhakrishnan 2019-08-29T20:25:16Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285932#M76510 <P>Which software version you are running?</P><P>Do you have ssl decryption enabled?</P> Fri, 30 Aug 2019 05:44:10 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/285932#M76510 MP18 2019-08-30T05:44:10Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/286105#M76538 <P>Model PA-850 pan os 8.1.8</P><P>&nbsp;</P><P>ssl decryption not enabled</P><P>&nbsp;</P><P>regards</P><P>venky</P> Sat, 31 Aug 2019 16:23:28 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/286105#M76538 Venkatesan_radhakrishnan 2019-08-31T16:23:28Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/286111#M76541 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113304">@S.Cantwell</a>&nbsp;</P><P>&nbsp;</P><P>Zone protection is not applied to the zones.</P><P>&nbsp;</P><P>Regards</P><P>Venky</P> Sun, 01 Sep 2019 05:46:31 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-website-issue-virtual-wire/m-p/286111#M76541 Venkatesan_radhakrishnan 2019-09-01T05:46:31Z