For details on cookie usage on our site, read our Privacy Policy
Application Incomplete - Leading causes?
- LIVEcommunity
- Discussions
- General Topics
- Application Incomplete - Leading causes?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Application Incomplete - Leading causes?
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-27-2013 01:38 PM
So im doing work on our DR site. Two diff setup scenarios are failing; NAT over a VPN and routing from one PA to another and out a VPN. I can see the rule letting the packets out so a session should start for the return trip but .. nothing.
Both scenarios show Application incomplete; what are the leading causes of this? Incomplete handshake? So maybe the other side never returns an ack on the tcp handshake? Return routing does not work?
Any inout would be appreciated as im running out of options.
thanks
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-27-2013 01:44 PM
You should take packet capture by filter both source and destinaion ip address.This will make sure you to see if there is a drop or no return.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-27-2013 01:49 PM
ok, thanks, ill try that
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-27-2013 04:35 PM
You can find the definition for incomplete here: https://live.paloaltonetworks.com/docs/DOC-1549
As for the traffic, you can also look at the sessions to see if there are any packets from server to client. You can view this data from GUI through Monitor -> Traffic logs -> Click on the magnifying glass and look for packets sent and packets received. From cli you can do: show session all filter <interesting traffic> and show session id <id>. You can also look at the global counters to see if there are any drops.
You can alos refer to these documents for troubleshooting using counters & captures:
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-27-2013 09:40 PM
Incomplete denotes a lack of a tcp handshake. Syn packets allowed but never getting a syn-ack from the destination device. Perform client pcaps and span port on switch to help determine where those syn-acks are going if in fact the server is sending them.
- Complete application traffic report for firewall rule in Panorama Discussions
- CDP Connection Issues w/HTTP application incomplete in General Topics
- Application incomplete or insufficient-data when using NNTPS in Next-Generation Firewall Discussions
- RDP connections with application incomplete in Configuration Wizard Discussions
- Source-NAT with POOL from GlobalProtect zone to subnet behind the MPLS router in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
