https://live.paloaltonetworks.com/t5/general-topics/what-is-the-meaning-of-quot-tcp-client-reset-via-tcp-responding/m-p/393072#M90974 <P>Howdy</P> <P>&nbsp;</P> <P>I would interpret this to mean that the Srv side of the VPN reset the connection,and&nbsp; likewise, the client side reset its side of the TCP connection.&nbsp; But I think you are getting perhaps a little too deep in analysis.</P> <P>&nbsp;</P> <P>What is the current status of your VPN?&nbsp; It is up or not?</P> <P>If it is not up, run a "clear vpn flow", followed by "test vpn ike-sa", then "test vpn ipsec-sa", and then look at your System Logs for the output on the responses to these commands.&nbsp; One side needs to initiate the vpn, and the other side needs to respond.&nbsp; What do you see in your logs.</P> <P>&nbsp;</P> <P>Presuming that ipsec and ike are allowed by a security policy, you should get some response/details about what is going on.</P> <P>Can you get the remote (non PAN) to initiate the VPN and you again at logs on your PANW FW.</P> <P>&nbsp;</P> <P>I do not personally think it is necessary to look at global counters.&nbsp; If packets are going to be dropped,you would see the session in the Session Browser or the Traffic Logs.</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 23 Mar 2021 17:12:10 GMT S.Cantwell 2021-03-23T17:12:10Z https://live.paloaltonetworks.com/t5/general-topics/what-is-the-meaning-of-quot-tcp-client-reset-via-tcp-responding/m-p/393009#M90966 <P>We are not able to connect VPN hosted in vpn_dmz zone.</P><P>We have deployed third party vpn in vpn_dmz zone and configured inbound nat for same.</P><P>Its old setup , all of sudden we are unable to connect vpn intermittently.</P><P>&nbsp;</P><P>did pcap for vpn public ip , showing below counter after running "show counter global filter packet-filter yes delta yes severity drop" command</P><P>tcp client reset via TCP responding rst:</P> Tue, 23 Mar 2021 15:44:48 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-the-meaning-of-quot-tcp-client-reset-via-tcp-responding/m-p/393009#M90966 Deepak_K 2021-03-23T15:44:48Z https://live.paloaltonetworks.com/t5/general-topics/what-is-the-meaning-of-quot-tcp-client-reset-via-tcp-responding/m-p/393072#M90974 <P>Howdy</P> <P>&nbsp;</P> <P>I would interpret this to mean that the Srv side of the VPN reset the connection,and&nbsp; likewise, the client side reset its side of the TCP connection.&nbsp; But I think you are getting perhaps a little too deep in analysis.</P> <P>&nbsp;</P> <P>What is the current status of your VPN?&nbsp; It is up or not?</P> <P>If it is not up, run a "clear vpn flow", followed by "test vpn ike-sa", then "test vpn ipsec-sa", and then look at your System Logs for the output on the responses to these commands.&nbsp; One side needs to initiate the vpn, and the other side needs to respond.&nbsp; What do you see in your logs.</P> <P>&nbsp;</P> <P>Presuming that ipsec and ike are allowed by a security policy, you should get some response/details about what is going on.</P> <P>Can you get the remote (non PAN) to initiate the VPN and you again at logs on your PANW FW.</P> <P>&nbsp;</P> <P>I do not personally think it is necessary to look at global counters.&nbsp; If packets are going to be dropped,you would see the session in the Session Browser or the Traffic Logs.</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 23 Mar 2021 17:12:10 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-the-meaning-of-quot-tcp-client-reset-via-tcp-responding/m-p/393072#M90974 S.Cantwell 2021-03-23T17:12:10Z https://live.paloaltonetworks.com/t5/general-topics/what-is-the-meaning-of-quot-tcp-client-reset-via-tcp-responding/m-p/393090#M90979 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113304">@S.Cantwell</a>&nbsp;</P><P>We have deployed F5 vpn , we were unable&nbsp; to connect sslvpn intermittently. This issue happened first time.</P><P>In traffic logs , session end reason for some logs were tcp-fin and for some it was tcp-rst-frm-client</P> Tue, 23 Mar 2021 18:12:46 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-the-meaning-of-quot-tcp-client-reset-via-tcp-responding/m-p/393090#M90979 Deepak_K 2021-03-23T18:12:46Z https://live.paloaltonetworks.com/t5/general-topics/what-is-the-meaning-of-quot-tcp-client-reset-via-tcp-responding/m-p/393091#M90980 <P>Hi there</P> <P>Again, we are getting closer.&nbsp; <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> <P>&nbsp;</P> <P>Instead of looking at traffic logs, let's see why your VPN is not being established.</P> <P>Could you copy/paste the logs from your System logs, with a "subtype eq vpn"</P> <P>&nbsp;</P> <P>We would normally expect Phase1 (ike) and phase2 (IPsec) to be negotiated and those negotiations logs are found in System.</P> <P>&nbsp;</P> <P>tcp-fin means that the session closed by a FIN packet.&nbsp; Unless you can provide visual information, it may be hard to explain what/why/how this is not working as expected.</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 23 Mar 2021 18:28:06 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-the-meaning-of-quot-tcp-client-reset-via-tcp-responding/m-p/393091#M90980 S.Cantwell 2021-03-23T18:28:06Z