topic Re: Couldn't access link "www.santander.com.ar" from global prote in General Topics

Couldn't access link "www.santander.com.ar" from global protect VPN

LEDV-TCSNetwork — Fri, 04 Sep 2020 22:01:12 GMT

Hi Experts,

Users couldn't access the link "www.santander.com.ar" from global protect VPN, this is a normal bank related link so everyone can access though outside network, In our office structure Trust-VPN & Trust-Internal both sources zone are allowed to access "www.santander.com.ar" with general policies. As per policy Trust-Internal user have access the link through "PAN-INT2EXT URL FILTER" rule but Trust-VPN couldn't access the error is below

hit policy "PAN-INT2EXT URL FILTER update" and application - incomplete and session end reason - aged out

Can anyone please help to fix the issue

Re: Couldn't access link "www.santander.com.ar" from global prote

Max.Segura — Sat, 05 Sep 2020 01:33:06 GMT

It's a bit difficult to picture this, will you be able to upload a picture with your security policies? Also, what does the Detail Log View report?

Re: Couldn't access link "www.santander.com.ar" from global prote

MP18 — Sat, 05 Sep 2020 17:33:22 GMT

I tested on my PC behind the PA i see same behaviour.

Did the PCAP no drops.

Did this ever worked?

Only way to know the exact reason is to enable debugging on the PA.

If i get time today i will do that and keep you posted.

Re: Couldn't access link "www.santander.com.ar" from global prote

MP18 — Sun, 06 Sep 2020 21:28:28 GMT

@LEDV-TCSNetwork

Tested again today saw this Global counter incremented

tcp_drop_packet 2 1 warn tcp pktproc packets dropped because of failure in tcp reassembly

do you have uplink to more than one ISP?

In PCAP today i saw fw was dropping syn ack from the server i think might be because it was receiving syn ack more than 5 secs due to this config

----->Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs

In my case i have single link to ISP and i did below changes to make it work only for testing purposes:

In Prod I do not recommend to make those changes

set deviceconfig setting tcp asymmetric-path bypass

set deviceconfig setting session tcp-reject-non-syn no

It was working fine then then i undo my change via

going to config mode

set deviceconfig setting tcp asymmetric-path drop

set deviceconfig setting session tcp-reject-non-syn yes

Since then i am able to access website fine

Regards

Re: Couldn't access link "www.santander.com.ar" from global prote

LEDV-TCSNetwork — Mon, 07 Sep 2020 08:58:38 GMT

@MP18 sorry for the late!

Thanks for your update, Actually that was in data center firewall and it's in production so i am not sure can i make the changes, we are using 7 gateways on that firewall for global protect VPN, and that issue is only for VPN users

So please confirm whether can i make the changes or not,

Re: Couldn't access link "www.santander.com.ar" from global prote

LEDV-TCSNetwork — Mon, 07 Sep 2020 09:58:37 GMT

@Max.Segura sure , I have updated with internal and VPN users logs for your reference

Re: Couldn't access link "www.santander.com.ar" from global prote

MP18 — Tue, 08 Sep 2020 21:29:28 GMT

As PA is dropping the syn ack from the server as it is taking too long.

See below link.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boBJCAY

I had to make above change to make it work.

I will not recommend you above change as I do not know your environment.

For now their is no other way seems to access that website behind the PA firewall.

Regards