Unable to access a site, please try for me

L1 Bithead

I am unable to access this site in any way through my PA 3020 with PAN-OS 7.1.
Obviously it is possible through a direct connection.
Can someone try and tell me if it is the same?

https://www.spcconnect.com/

 


Accepted Solutions
L1 Bithead

Re: Unable to access a site, please try for me

It was very difficult to solve.
I changed the WAN IP of my PA and it works. I suppose that the website has banned my source IP; now I am asking why.

thx

Nicola



All Replies
L3 Networker

Re: Unable to access a site, please try for me

Hi,

 

Able:

 

[Image: able.PNG]

Community Team Member

Re: Unable to access a site, please try for me

Hi,

 

The site seems to be using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.  

Support for this suite was added in PAN-OS 7.1:

 

Please check the following article :

PAN-OS-7-1-Supported-ciphers

 

 

Seeing that you are already using 7.1... are you using SSL decryption? Have you tried disabling it for the site as a test?

 

-Cheers.

L1 Bithead

Re: Unable to access a site, please try for me

Obviously I defined 3 rules for my PC's originating IP at the top: to exit anywhere, to not decrypt, to not use captive portal.

I have PAN OS 7.1.2

:-(

 

L3 Networker

Re: Unable to access a site, please try for me

Hi,

 

Did you try to do PCAP on the Palo and client site?

What error do you get on the screen when trying to access this particular site? Did you try with a different web browser?

 

 

Cheers

Community Team Member

Re: Unable to access a site, please try for me

I'd recommend setting up a filter with your originating IP address and checking the global counters for drops. I'm guessing you will find some counters that could explain the behaviour:

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Troubleshoot-Using-Counters-via-the-CL...

 

 

 

L1 Bithead

Re: Unable to access a site, please try for me

A strange thing

I have a Policy Forwarding that, for some LAN IPs, outbound traffic doesn't go via the WAN interface but is sent to a machine connected in the DMZ, and that machine is connected to the internet with a software firewall.

These routed machines can access this site normally.

Only machines that go out through the Palo Alto don't work.

 

 

L1 Bithead

Re: Unable to access a site, please try for me

The first image is the log of the conversation sent to the machine in the DMZ, which works.

The second is using the PA WAN, which doesn't work.

[Image: 1.PNG]

[Image: 2.PNG]


@nicolap wrote:

I am unable to access this site in any way through my PA 3020 with PAN-OS 7.1.
Obviously it is possible through a direct connection.
Can someone try and tell me if it is the same?

https://www.spcconnect.com/

 


 

Community Team Member

Re: Unable to access a site, please try for me

Hi,

 

The application in the non-working scenario is 'incomplete'.

 

Incomplete means that either the three-way TCP handshake did not complete, or the three-way TCP handshake did complete but there was no data after the handshake to identify the application.

For example, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.

I'd recommend taking PCAPs to confirm traffic is leaving the firewall on the correct egress interface, and also taking PCAPs on the destination server to verify whether the packet reaches it and is returned correctly.

 

Cheers,

-Kim.
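The two "incomplete" cases described in the post above, as an added example that is not part of the original thread: Python that classifies flows from packet summaries and separates "no SYN-ACK returned" from "handshake done, no data". The packet tuples, addresses (documentation ranges), field layout and verdict strings are all constructed assumptions, not values from the poster's captures.

```python
from collections import defaultdict

# Constructed packet summaries, not taken from the thread's captures:
# (client, server, sender, tcp_flags, payload_bytes). Documentation-range IPs.
PACKETS = [
    # Flow A: SYN and a retransmitted SYN, server never answers
    ("198.51.100.10:40001", "203.0.113.5:443", "client", "S", 0),
    ("198.51.100.10:40001", "203.0.113.5:443", "client", "S", 0),
    # Flow B: three-way handshake completes, then nothing
    ("198.51.100.10:40002", "203.0.113.5:443", "client", "S", 0),
    ("198.51.100.10:40002", "203.0.113.5:443", "server", "SA", 0),
    ("198.51.100.10:40002", "203.0.113.5:443", "client", "A", 0),
    # Flow C: handshake followed by client data (e.g. a TLS ClientHello)
    ("198.51.100.10:40003", "203.0.113.5:443", "client", "S", 0),
    ("198.51.100.10:40003", "203.0.113.5:443", "server", "SA", 0),
    ("198.51.100.10:40003", "203.0.113.5:443", "client", "A", 0),
    ("198.51.100.10:40003", "203.0.113.5:443", "client", "PA", 517),
]

def classify_flows(packets):
    """Return {(client, server): verdict} following the 'incomplete' definition."""
    state = defaultdict(lambda: {"syn": False, "synack": False, "ack": False, "data": False})
    for client, server, sender, flags, length in packets:
        st = state[(client, server)]
        if sender == "client" and flags == "S":
            st["syn"] = True
        elif sender == "server" and flags == "SA" and st["syn"]:
            st["synack"] = True
        elif sender == "client" and "A" in flags and st["synack"]:
            st["ack"] = True
        # Payload only counts once the handshake is complete
        if length > 0 and st["ack"]:
            st["data"] = True

    verdicts = {}
    for flow, st in state.items():
        if not st["syn"]:
            verdicts[flow] = "no SYN seen"
        elif not st["synack"]:
            verdicts[flow] = "incomplete: no SYN-ACK returned"
        elif not st["ack"]:
            verdicts[flow] = "incomplete: handshake not finished"
        elif not st["data"]:
            verdicts[flow] = "incomplete: handshake done, no data"
        else:
            verdicts[flow] = "data seen: application can be identified"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in classify_flows(PACKETS).items():
        print(flow, "->", verdict)
```

Run against summaries exported from a capture on the firewall's egress interface, a "no SYN-ACK returned" verdict points at the path or the remote side rather than at App-ID or decryption.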

 

 

L3 Networker

Re: Unable to access a site, please try for me

Hi,

 

Also try to run just a simple ping from the Palo to the client and the website. Also source the ping from the appropriate egress interface.

 

Cheers,

 
