02-25-2014 07:42 AM
Ok need some help. I have a 1-to-1 NAT that is not working. Monitor-Traffic shows the Application as incomplete.
02-25-2014 09:34 AM
As per above screenshot, i hope you have configured Many-to-one Destination NAT. Could you please let me know, the address object "TEST PC RDP Private x.x.x). is a subnet or a single IP address...?
Could you please enable below mentioned option on traffic logs for better understanding:
02-25-2014 09:51 AM
Adding one more information here:
Incomplete in the application field:
Incomplete means that either the three way TCP handshake did NOT complete or the three way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.
So to explain a little clearer, if a client sends a server a syn and the Palo Alto device creates a session for that syn, but the server never sends a SYN ACK in response back to the client, then that session would be seen as incomplete.
FYI: KB article-Incomplete, Insufficient data and Not-applicable in the application field
02-28-2014 11:04 AM
I have the same issue as the OP. I hope someone has an answer. I'll keep an eye on this thread.
I don't know your configuration but I'm running a PA-VM on Esxi 5.5 with Promiscuous mode accepted on the vswitches in esxi.
Also tried PANOS 5.0.11 and PANOS 6.0 both has same results.
02-28-2014 11:18 AM
I was able to get mine to work. My issue was not paying attention. When i created the address object i put the correct IP in the description but fat-fingered that actual IP. So at a glance it looked correct. Below are some pics of my working 1-to-1 NAT. If you click the image it will enlarge.
02-28-2014 11:28 AM
I hope this helps. I know some may look odd where you see destination as WAN but i did verify with my PA rep that it is correct.
02-28-2014 11:30 AM
Sorry forgot one image
03-01-2014 08:57 AM
I had the NAT and security policy already setup exactly the same way, according to the student books
Also checked the objects and the ip-addresses all are good.
I have even added an extra NIC to the ESXi server and set the eth1/2 port to the new interface (promiscuous mode accept) so that the management interface and the data interface eth1/2 are on seperate nics but the same LAN.
But it still gives an incomplete.
It has something to do with the PA, because I have a PFSense firewall running on a different external IP address and the static NAT rules on that are working perfect.
I was planning to replace my PFSense for the VM-PA also to get some more hand-on experience as we are placing some PA's in the network at my work, but if I don't get the NAT working then I'll stick to PFsense.
03-01-2014 06:53 PM
Hello StefanvanHattum ,
If you are facing any problem with your PA-VM and could not identify the root cause of the issue, please open a ticket with PAN support and let us know what a good time would be to get together and continue to work on the network. Our number one priority is to ensure that everything is running smoothly at your site, and, minimize any business impact, the problem caused.
03-02-2014 09:18 AM
I ahve created a case at support.
Mind you that this is not impacting any business, this is just a test setup at home for learning purposes.
And I was planning to replace my PFSense, but I don't think I'm going to do that as there is no good way to get Xbox live to work
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!