PA time out accessing web

L4 Transporter


Hi,

We have a PA on version 8.0.4 and we can't access this website: https://www.metromadrid.es. This is the only website that is not working.

We tried to create a rule permitting all traffic, without any profile, but it's not working. We see the session as allowed, with packets sent and received, but the browser is stuck loading and the website is not shown.

 

nuevo.JPG

 

this is the session created:

sessio1.JPG 

session 2.JPG

 

This is the pcap

 

pcap.JPG pcap2.JPG

Do you see any strange behaviour with this website, https://www.metromadrid.es?

L6 Presenter

Re: PA time out accessing web

Yes, it is not accessible here in the UK. From the PCAP we can see the missing 3-way handshake and constant retransmission of the SYN packets. Most likely the web server is down.

EDIT:

Hmm, I think it is UP now:

 

SS.PNG

L4 Transporter

Re: PA time out accessing web

Server is UP, we can access it from another PA.

Yes, it seems like the 3-way handshake is not completed, but in the session details we see packets sent and received.

 

capnuevo.JPG

 

I thought it could be a problem between our ISP and that website, or on the server side, but a colleague told me that when he accessed it using his iPhone it worked with iOS 9 and 10. Quite strange...

 

L6 Presenter

Re: PA time out accessing web

Get another PCAP. I want to see the SYN,ACK from the server arriving at the PA eth1/2.
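The check requested above (does a SYN,ACK ever come back for each client SYN?) can be run directly over a capture file. This is an added example, not part of the thread: it assumes a classic pcap file with Ethernet framing and IPv4, and the addresses, ports and sample capture are constructed.

```python
import socket
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10

def tcp_packets(pcap: bytes):
    """Yield (src, sport, dst, dport, flags) per IPv4/TCP frame (classic pcap, Ethernet)."""
    endian = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = 24                                        # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                # not IPv4/TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]   # skip the IP header (IHL words)
        if len(tcp) < 14:
            continue                                # truncated TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (socket.inet_ntoa(frame[26:30]), sport,
               socket.inet_ntoa(frame[30:34]), dport, tcp[13])

def handshake_report(pcap: bytes) -> dict:
    """Map each client flow to (SYN count, whether a SYN-ACK came back)."""
    syns, answered = Counter(), set()
    for src, sport, dst, dport, flags in tcp_packets(pcap):
        if flags & SYN and not flags & ACK:
            syns[(src, sport, dst, dport)] += 1     # count > 1 means SYN retransmits
        elif flags & SYN and flags & ACK:
            answered.add((dst, dport, src, sport))  # store in the client's direction
    return {flow: (count, flow in answered) for flow, count in syns.items()}

# --- constructed sample capture (documentation addresses, not from the thread) ---
def _frame(src, dst, sport, dport, flags):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap() -> bytes:
    c, s = "192.0.2.10", "203.0.113.80"
    frames = [_frame(c, s, 50001, 443, SYN)] * 3    # SYN retransmitted, never answered
    frames += [_frame(c, s, 50002, 80, SYN), _frame(s, c, 80, 50002, SYN | ACK),
               _frame(c, s, 50002, 80, ACK)]        # complete 3-way handshake
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out
```

`handshake_report(sample_pcap())` reports the port 443 flow with three SYNs and no SYN-ACK, and the port 80 flow with one SYN that was answered. Running it on captures from both sides of the firewall shows on which side the SYN-ACK goes missing.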

L4 Transporter

Re: PA time out accessing web

I added a pcap. I tried first with Chrome (not working) and then with Firefox, and now it's working. If I use Chrome after starting a session with Firefox, it also works with Chrome. It's as if the session doesn't work in either browser when it is started with https, but if I start the session with http://metromadrid.es in Firefox the session is established. After it is established, the website works in both browsers. What could be causing this problem?

This is the Firewall.pcap.

 

mozilla.JPG

L6 Presenter

Re: PA time out accessing web

This is a bit confusing now. A new tab in the web browser = a new session for Palo. It doesn't matter whether Chrome or Firefox is first; for Palo it is a new session. Did you try to test from a different client/PC?

L4 Transporter

Re: PA time out accessing web

Yes, all devices going through this PA have the same behavior.

With Firefox I try https://www.metromadrid.es/ and it doesn't work, then I try http://metromadrid.es and it works.

I go to "session browser", I close all sessions to the web server, I try with Chrome or Firefox and it's working with both.

I don't find any pattern.

I'm trying to find any difference between the HTTP requests from our browsers. Maybe the HTTP GET or CONNECT are different.

Quite weird.

L6 Presenter

Re: PA time out accessing web

Is your policy configured with "any application", "any services" and without the security profiles attached? If not, then it is worth testing.

L4 Transporter

Re: PA time out accessing web

I did that. I even created a custom app with "http-get=metromadrid.es" but it doesn't work because the three-way handshake is not completed when it's not working...

I disabled DSRI, deleted zone protection on the untrust interface... I don't know what more I can do :S

Quite weird... I don't have any idea what's happening.

L6 Presenter

Re: PA time out accessing web

Hmmmm... Any intermediate devices before or after the FW that could potentially interfere with this session?

Can you post successful and failed https session output using the "magnifying glass" option (e.g.):

 

MG.PNG

 

It is hard to prove but I doubt it is a PA issue :D Let's see.

 

 
