https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323876#M82730 <P>Agreed with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp;.</P><P>Most of the time session shows incomplete when there is no reply back from server side. Routing issues mostly causes this.&nbsp;</P> Mon, 20 Apr 2020 17:51:06 GMT Vikashh 2020-04-20T17:51:06Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323806#M82715 <P>Hi everybody,</P><P><BR />Adding a bidirectionnal NAT rule for an ssl web server and the according security rule, connections from outside are dropped as "Incomplete". Traffic capture show that first SYN packet received is directly rejected by PA with a RST response. What does it mean ?</P><P><BR />Regards.</P> Mon, 20 Apr 2020 10:26:41 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323806#M82715 rodjeur68 2020-04-20T10:26:41Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323815#M82716 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138783">@rodjeur68</a>,</P><P>&nbsp;</P><P>As session is incomplete, there is no response/reply from destination end.</P><P>Please check few configurations like,</P><P>&nbsp;</P><P>1. Routing for destination server</P><P>2. If service is up and running on the server.</P><P>&nbsp;</P><P>Mayur</P> Mon, 20 Apr 2020 11:33:22 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323815#M82716 SutareMayur 2020-04-20T11:33:22Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323817#M82717 <P>Thx for the response.</P><P>* There's no routing issue: server can access Internet via the PA using the NAT IP address</P><P>* service is up and running, accessible from internal networks</P> Mon, 20 Apr 2020 11:54:29 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323817#M82717 rodjeur68 2020-04-20T11:54:29Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323819#M82718 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138783">@rodjeur68</a>,</P><P>&nbsp;</P><P>Are you seeing issues with inbound or outbound traffic?</P><P>&nbsp;</P><P>Mayur</P> Mon, 20 Apr 2020 12:27:07 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323819#M82718 SutareMayur 2020-04-20T12:27:07Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323822#M82720 <P>Globally ? Not at all.</P><P>&nbsp;</P><P>Rodjeur68</P> Mon, 20 Apr 2020 12:35:34 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323822#M82720 rodjeur68 2020-04-20T12:35:34Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323848#M82722 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138783">@rodjeur68</a>,</P><P>&nbsp;</P><P>Is it possible to share traffic logs for affected traffic? Also is it app-id based security policy ?</P><P>&nbsp;</P><P>As you said in your post, you have bi-directional NAT and you are facing issues with connections from outside on one ssl web server. You are trying to externalize web-server probably on 443 port. As session is seems to be incomplete, just check if web-service is running on server that you want to externalize. Check if you are able to telnet internal server on web-service port from LAN. As you are seeing incomplete session, most of the time it happens when there is no response from the server. That's why i asked to check reverse routing for web server subnet on firewall and application running status on web server.</P><P>&nbsp;</P><P>Mayur</P> Mon, 20 Apr 2020 15:47:17 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323848#M82722 SutareMayur 2020-04-20T15:47:17Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323876#M82730 <P>Agreed with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp;.</P><P>Most of the time session shows incomplete when there is no reply back from server side. Routing issues mostly causes this.&nbsp;</P> Mon, 20 Apr 2020 17:51:06 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/323876#M82730 Vikashh 2020-04-20T17:51:06Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/324004#M82753 <P>Hi everybody,</P><P><BR />Thanks for your time. As I mentionned in a previous post, I think we don't have any issue with routing and service is up and running:</P><P>* I can ping server from appliance</P><P>* show routing route gives a correct route for my internal subnet</P><P>* from server, I'm able to browse Internet using the external NAT IP choosen for service</P><P>* from internals subnets, I can access the https service on the server (nginx)</P><P><BR />When I capture the traffic I can see RST tcp packet immediatly send by PA on external interface and nothing on the internal interface.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-04-21_10h19_39.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25281i4B3ED087C0D1373B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020-04-21_10h19_39.png" alt="2020-04-21_10h19_39.png" /></span></P> Tue, 21 Apr 2020 08:23:19 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/324004#M82753 rodjeur68 2020-04-21T08:23:19Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/324181#M82775 <P>It is always safer to create 2 NAT policies for DNAT and SNAT than bi-direcitonal.</P><P>If you check bi-directional NAT rule in cli you can see that for DNAT source zone will be "any".</P><P>&nbsp;</P><P>For your TCP RST problem. Most likely your security policy is incorrect.</P><P>Are you using pre-nat IP and post-nat zone in security policy?</P> Wed, 22 Apr 2020 03:16:19 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/324181#M82775 Raido_Rattameister 2020-04-22T03:16:19Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/324241#M82787 <P>Hi,</P><P><BR />Thank you very much for your advice on NAT rules.</P><P>After another check of our configuration, it seems that another host in the same NML subnet not crossing the Palo appliance was using the same IP address ... Everything works as expected now, sorry for the time spent on this obvious problem.</P><P>&nbsp;</P><P>Rodjeur68</P> Wed, 22 Apr 2020 10:37:50 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/324241#M82787 rodjeur68 2020-04-22T10:37:50Z https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/374074#M89016 <P>Hi, can you elaborate a little more about the "<SPAN>It is always safer to create 2 NAT policies for DNAT and SNAT than bi-direcitonal"</SPAN></P><P>&nbsp;</P><P><SPAN>I do have most of mine NAT rule is currently provisioned bi-directional and we are seeing issue with client server session reset. So, I searched and see this thread but do not understand about the statement you metioned. Thanks much for your help and if you could help and give a sample practical NAT rule using two separates policies instead of one as you said.</SPAN></P> Sun, 13 Dec 2020 21:06:46 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-sending-tcp-rst-for-a-nat-rule/m-p/374074#M89016 BrianNg2020 2020-12-13T21:06:46Z