Nest Thermostat

L1 Bithead

Anyone running a Nest Thermostat behind a Palo Alto Networks firewall? I am seeing an inability to connect to the Nest site. Logs show a repeating SSL session on 443 with session end reason: tcp-rst-from-client

Any thoughts would be appreciated.

 

Bob

L7 Applicator

I've got a pair of Nests at my house behind a PA-200. Almost all the connections end up with a client reset, but everything works for my Nest reporting and login. My phone can manage them just fine, and I can see all my historical data. I think that Nest is just really aggressive with TCP handling.

 

Here's a screenshot of my logs. You'll notice that everything ends with rst, but the byte sizes are significant:

[screenshot: nest-logs.jpg]

 

Hope this helps,

Greg

Thanks for the prompt reply.

 

I have very similar logs. Problem is it is always offline and cannot be controlled. As soon as I remove the PA-200 and switch to an old-school wireless router it works fine.

Any thoughts on what settings to tweak, what to look for to try and figure it out, etc.?

 

Thanks

Bob

I haven't had any issues with it connecting and being controlled. Are you doing NAT on your firewall for the Nest device? That's the only thing I can think of, as it doesn't need any inbound rules and your security rules are probably good.

Any update on this? I am troubleshooting Nest cameras and a thermostat with the same symptoms.

My solution was to throw up another AP/router with a different SSID for the Nest as well as the PS4 and other UPnP devices. That assumes your ISP gives you more than a single external IP.

 

Hope that helps,

Bob

L3 Networker

I'm running a Nest thermostat (v3) at home behind a PA-200 and haven't run into any issues or had to configure anything differently. Have you checked the unified log to make sure any other traffic required isn't being blocked?

The problem the Nest is having (or at least mine was having) is that it is trying to use the dropcam app on a non-default port (tcp-9543). If you're using policies that use application-default to allow your Nest traffic out, it won't work.

Add a rule that allows dropcam (and web-browsing) outbound using tcp-9543 (along with your regular app-default outbound rules) and you should be golden.

 

I just noticed our Nest thermostats are using tcp/9543 and are being identified as dropcam as well. Seems like a bad App-ID.
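As an added example (not code from any poster in this thread), the script below encodes the two triage rules the replies above arrive at: Greg's observation that a tcp-rst-from-client session end is harmless when the session moved a meaningful number of bytes, and the later finding that dropcam on tcp/9543 will not match an application-default rule and needs an explicit service. The log lines, the reduced `app,dst_port,bytes,session_end_reason` layout and the byte threshold are constructed assumptions for illustration, not the real PAN-OS traffic log CSV format.

```python
"""Triage simplified firewall traffic log lines for a Nest that cannot reach its cloud.

Added example. The log lines are constructed and use a reduced
app,dst_port,bytes,session_end_reason layout, not the real PAN-OS CSV column order.
"""
from dataclasses import dataclass

# Constructed sample: two sessions that end in a client reset but moved real
# data, one that reset after only a few bytes, one denied by policy, and a
# dropcam session on tcp/9543 that did carry data.
SAMPLE_LOG = """\
ssl,443,18342,tcp-rst-from-client
ssl,443,21,tcp-rst-from-client
dropcam,9543,0,policy-deny
web-browsing,80,642,tcp-fin
dropcam,9543,9810,tcp-rst-from-client
"""

# Assumption: a session below this many bytes never got past the handshake.
MIN_USEFUL_BYTES = 512

# (app, port) pairs the thread reports as needing an explicit service object
# rather than application-default. Assumption: only the pair named in the thread.
NON_DEFAULT_PORTS = {("dropcam", 9543)}


@dataclass
class Session:
    app: str
    dport: int
    nbytes: int
    end_reason: str


def parse_log(text: str) -> list[Session]:
    """Parse the reduced log layout into Session records, skipping blank lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, dport, nbytes, reason = line.split(",")
        sessions.append(Session(app, int(dport), int(nbytes), reason))
    return sessions


def classify(s: Session) -> str:
    """Return one verdict per session.

    denied  -> blocked by policy; check whether an app-default rule was
               expected to match this app/port
    failed  -> client reset before any meaningful payload moved
    rst-ok  -> client reset, but enough bytes moved to count as a completed
               exchange (the benign pattern Greg describes)
    ok      -> clean close
    """
    if s.end_reason == "policy-deny":
        return "denied"
    if s.end_reason == "tcp-rst-from-client":
        return "failed" if s.nbytes < MIN_USEFUL_BYTES else "rst-ok"
    return "ok"


def triage(text: str) -> dict[str, list[str]]:
    """Group sessions by verdict and separately list the app/port pairs that
    need an explicit service in the outbound security rule."""
    report: dict[str, list[str]] = {
        "denied": [], "failed": [], "rst-ok": [], "ok": [], "needs-explicit-service": [],
    }
    for s in parse_log(text):
        label = f"{s.app}/{s.dport} {s.nbytes}B {s.end_reason}"
        report[classify(s)].append(label)
        if (s.app, s.dport) in NON_DEFAULT_PORTS:
            report["needs-explicit-service"].append(label)
    return report


if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_LOG).items():
        print(f"{verdict}: {items}")
```

Run against an export of the traffic log, the "failed" bucket is the one worth chasing: a device whose every SSL session to the cloud lands there is the symptom described at the top of the thread, whereas a device whose resets all land in "rst-ok" is behaving like Greg's. Anything in "needs-explicit-service" will keep showing up as denied until the rule carries a tcp-9543 service alongside application-default.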

Hello,

 

It's 2020 and I also had the same issue of all 8 of my Nest Protects and 2 cameras disconnecting from the Nest services. They were still on my Wi-Fi networks; I could see the DNS requests hitting the firewall and a single HTTP request, but that HTTP request never got a response from the Nest cloud. I figured out that my firewall had a bad entry in its DNS cache for the Nest cloud. Once I disabled the DNS cache option on the firewall everything came back to life. Just thought I would post the solution here. Thanks, Michael
