topic Re: why firewall drop server hello message in General Topics

why firewall drop server hello message

bit_byte — Fri, 31 Jul 2020 09:13:32 GMT

network flow

Lan Network -->Firewall A----->switch -->-Firewall B ---->Internet-------->Database server

We are facing issue to connect database server from our lan network.

We took packet capture on Firewall A and firewall B .

When we initiate traffic from LAN network to database server:

Firewall B ; We are getting client Hello and server hello message on Firewall B

Firewall A: Only client hello message we got means server hello message drop by firewall A

that why we could not able to connect with database server.

We are not using any decryption and proxy we have checked counter value also we did not get any drop.

traffic monitor logs session end reason: TCP-rst by client

@ MP18

@ Vsys_remo

@ Reaper

Re: why firewall drop server hello message

Remo — Fri, 31 Jul 2020 20:49:02 GMT

Hi @bit_byte

Is the assumption correct, that both firewalls are paloalto firewalls?

Anyway, when you say "Firewall A: Only client hello message we got means server hello message drop by firewall A", does this really mean the server hello is dropped by firewall A or isn't there any server hello on firewall A which would mean that the server hello is dropped by firewall B.

Re: why firewall drop server hello message

bit_byte — Sat, 01 Aug 2020 08:09:19 GMT

@Remo

Yes, both firewalls are PA.

We have already bypass firewall A and we did the test from the switch then we can able to connect with the database server.

That means Lan pc did not get server hello that why TLS connection would not able to establish.

Re: why firewall drop server hello message

Remo — Sat, 01 Aug 2020 08:25:58 GMT

@bit_byte So when you did a packet capture, was the server hello in the drop stage of the capture? How does the session look like in the traffic log? Did you try a packet log debug via cli and checked the global counters when testing the connection?

Re: why firewall drop server hello message

MP18 — Sun, 02 Aug 2020 16:17:11 GMT

@bit_byte

Are both firewalls have same model and same PAN OS?

Check the security policy on Firewall A and B and compare them?

Make sure they are similar in security profiles.

Look for threat logs in Firewall A if any traffic is denied there?

When you did packet capture do you see any drops on firewall A and B?

Use this command test security policy on both Firewall A and B

Also as Remo mentioned when you do the pcap check global counters on both Firewalls and look for drops?

Regards

Re: why firewall drop server hello message

Kanthanathan — Fri, 27 Aug 2021 01:57:16 GMT

Hi @bit_byte

Did you solve this problem. We are facing similar issue.

Our environment

client->palo alto->f5 reverseproxy->webapp server

Observation

We could notice that the f5 is receiving client-hello and it is responding with server hello. A PCap at the PA shows that the server hello is recd. But a packet capture at the client shows no server-hello message. There is no specific change we did in the environment and suddenly this issue has cropped up.

When we bypassed firewall and routed the traffic directly from Client to f5, the web page loads properly.

Regards

Kanthanathan