incomplete


L2 Linker

Hello,

I need urgent help. I don't know why, but from one moment during the day one website is unreachable from our internal network (only this website). There was no change in the PA500 configuration, no changes in the web server configuration. From outside of the company the website is reachable without problem. What I see in the log for this session is application: incomplete.

I tried different computers, restart PA but no change, website still unreachable.

I don't know what more I can do. Please help.

Thank you very much

15 REPLIES

L4 Transporter

Incomplete means that either the three-way TCP handshake did NOT complete, or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. In other words, the traffic you are seeing is not really an application.

So to explain a little more clearly: if a client sends a server a SYN and the Palo Alto device creates a session for that SYN, but the server never sends a SYN-ACK in response back to the client, then that session would be seen as incomplete.

Regards

Parth
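The two conditions described in the post above, as an added example that is not part of the original thread and is not the firewall's own App-ID logic. It classifies flows from a packet list; the tuple layout, the function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample packets: (src, sport, dst, dport, tcp_flags, payload_len).
# Flags use S=SYN, A=ACK, P=PSH. Addresses are documentation ranges.
PACKETS = [
    # Flow A: SYN retransmitted, server never answers with SYN-ACK
    ("192.0.2.10", 40001, "198.51.100.5", 80, "S", 0),
    ("192.0.2.10", 40001, "198.51.100.5", 80, "S", 0),
    # Flow B: handshake completes, but no data follows
    ("192.0.2.10", 40002, "198.51.100.5", 80, "S", 0),
    ("198.51.100.5", 80, "192.0.2.10", 40002, "SA", 0),
    ("192.0.2.10", 40002, "198.51.100.5", 80, "A", 0),
    # Flow C: handshake completes and an HTTP request is sent
    ("192.0.2.10", 40003, "198.51.100.5", 80, "S", 0),
    ("198.51.100.5", 80, "192.0.2.10", 40003, "SA", 0),
    ("192.0.2.10", 40003, "198.51.100.5", 80, "A", 0),
    ("192.0.2.10", 40003, "198.51.100.5", 80, "PA", 120),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both directions map to one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def classify(packets):
    """Return {flow_key: verdict} based on handshake progress and payload."""
    flows = defaultdict(lambda: {"client": None, "stage": 0, "data": False})
    for src, sport, dst, dport, flags, plen in packets:
        f = flows[flow_key(src, sport, dst, dport)]
        sender = (src, sport)
        if flags == "S" and f["client"] is None:
            f["client"], f["stage"] = sender, 1        # first SYN seen
        elif flags == "SA" and f["stage"] == 1 and sender != f["client"]:
            f["stage"] = 2                             # server answered
        elif ("A" in flags and "S" not in flags
              and f["stage"] == 2 and sender == f["client"]):
            f["stage"] = 3                             # handshake finished
        if f["stage"] == 3 and plen > 0:
            f["data"] = True                           # payload after handshake
    verdicts = {}
    for key, f in flows.items():
        if f["stage"] < 3:
            verdicts[key] = "incomplete: handshake not finished"
        elif not f["data"]:
            verdicts[key] = "incomplete: handshake done, no data"
        else:
            verdicts[key] = "data seen: application can be identified"
    return verdicts
```
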

OK, it is clear, but what can I do to solve it? We didn't change the PA configuration or the web server configuration. Websites are reachable from outside of the company?

L4 Transporter

Do packet captures on the firewall at the transmit, receive and drop stage.

https://live.paloaltonetworks.com/docs/DOC-1653

You would be able to point out the root cause.

If the server is not responding, most likely the receive/transmit stage will send out SYN but not receive SYN-ACKs.

Let me know if that helps.

Regards

Parth

Also check your threat logs to see if you are seeing any drops there. Which website is this?

I have tried accessing this behind my firewall. It is not blocked as virus or through URL filtering. In your case you might need to do a packet capture and see what is failing.

You can also try and open up a security policy and specify the source IP of the test host pc.

Create an any any policy without any scan profiles as well.

Move the policy to the top.

If this works then review the existing policy to see if the application or scan profiles might be preventing the traffic from being identified.

If this still does not work you might want to call into support or your local reseller for assistance.

Thank you

Hello Parth,

I tried to collect more details by capturing and enclosing result files. I am not sure where the problem is...

Hi,

It appears that a RST-ACK is sent by the client 62.112.193.167.

pcap-1.PNG

Can you just once again confirm the issue:

"From outside of company is website reachable without problem"

Are you having issues accessing website from inside or outside? It appears that there is no translation in the pcaps.

Is your purpose trying to access the website from inside with a public ip-address?

Regards

Parth

Hi,

confirm - from outside of company is everything OK. You can try www.spapiestany.sk

We have an issue accessing the website only from the internal network, behind the PA. (company network - PA - public internet)

If you want to access the website from the internal zone (say, a trust zone having private IP addresses) to a web server that is physically located inside, but you want to access it using the public IP address, you need to configure a U-Turn NAT rule.

https://live.paloaltonetworks.com/docs/DOC-1678

Let me know if this helps.

If it is an urgent issue and you are still unable to access the website from inside please contact support.

Regards

Parth

hello,

It is probably a misunderstanding; the web server is not inside of our network (not physically located in the internal network). The web server is outside of our company and also the country.

So your security rules should look like the following:

SECURITY:

Source zone: Trust

Destination zone: Untrust

Source address: Any

Destination address: Website public ip-address

Action: Allow

NAT:

Source zone: Trust

Destination zone: Untrust

Source address: Any

Destination address: Website public ip-address

Source translation: type: Dynamic ip and port; interface: Public facing interface

Destination translation: None

Regards

Parth

Also, I tested in the lab and, as expected, the traffic just went fine and I was able to access the website from inside.

pcap3.PNG

The three-way handshake starts with an internal ip-address, 10.101.100.108.

However, in your case a SYN is received from the server (i.e. 62.112.193.167), which should not be the case. See below:

pcap-2.PNG

Try clearing all the sessions on the firewall pertaining to ip 62.112.193.167

From the CLI:

admin@Lab-59-PA-500> clear session all filter source 62.112.193.167

admin@Lab-59-PA-500> clear session all filter destination 62.112.193.167

admin@Lab-59-PA-500> clear session all filter source <test-pc ip-address>

Test it now.

Regards

Parth
