A very weird issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

A very weird issue

L4 Transporter

I have LinuxA (redhat 6.10) and LinuxB (CentOS 7.9) sitting in ZoneA accessing LinuxC (Ubuntu 20.x) sitting in ZoneB on http port without any NAT, jut routing and we have firewall rule to allow tcp port 80 (application ANY) for LinuxA and LinuB to communicate with LinuxC on tcp port 80.  The PAN firewall is PA-5250 running PANOS 9.1.10

 

From LinuxA, I use "curl -v -k http://LinuxC/rancid, I see the PAN firewall accepting the three way handshake, but after that it drops on the "get" as seen below:

GET /rancid HTTP/1.1

User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2

Host: LinuxC

Accept: */*

 

Everything is working fine from LinuxB without any issues as seen below:

GET /rancid HTTP/1.1
User-Agent: curl/7.29.0
Host: LinuxC
Accept: */*

HTTP/1.1 301 Moved Permanently
Date: Fri, 17 Sep 2021 19:42:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://LinuxC/rancid/
Content-Length: 319
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://LinuxC/rancid/">here</a>.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at LinuxC Port 80</address>
</body></html>

 

any ideas anyone?

2 REPLIES 2

L2 Linker

Hello @dtran, If you see the traffic being allowed in the firewall, I would recommend going through the steps of this article and see if Palo lists a reason as to why its dropping the connection. These steps have been helpful many times before in my troubleshooting.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

Network Administrator

L4 Transporter

Hi

 

I assume no Filtering profiles (TP,AV,URL,...) are attached to this traffic policy.

Check the traffic log for LinuxA->LinuxC:

1. Session end reason - is it incomplete, tcp-reset-from-xxxx, web-browsing?

2. Open this log's detailed log view and check the details pane. Note number of packets send and received. Zero (0) packets received will point you to a situation where packets are not returned from LinuxC towards LinuxA.

3. Perform a Packet capture as @bafergel pointed out in the article he attached. This will allow you to see what is received and transmitted and also (possibly) dropped by the firewall.

 

Shai

  • 2330 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!