03-10-2014 03:35 AM
hey
I have a client that connects to a remote site using GP, and that site has an S2S VPN to my site.
We have problems connecting to a server in that site, and I cannot see any drops in the traffic or threat logs.
I have put a filter on the IPs and used "show global counters", which shows this drop:
Global counters:
Elapsed time since last sampling: 5.880 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_fwd_zonechange 1 0 drop flow forward Packets dropped: forwarded to different zone
--------------------------------------------------------------------------------
Total counters shown: 1
--------------------------------------------------------------------------------
I don't understand this drop error, but I have checked the routes and there is only one route in each direction, and the S2S VPN is steady and up.
Pings between the client and server work fine.
Please help.
Thanks
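A small parser for the "show counter global" output quoted in the post above, so the drop counters can be pulled out and sorted rather than read by eye. This is an added example and not part of the thread or of any Palo Alto Networks tool; the sample output below is constructed to mirror the quoted format (only the flow_fwd_zonechange row comes from the post, the other rows and the hint table are this example's own assumptions).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of "show counter global filter ..." output.
# Only the flow_fwd_zonechange row is taken from the thread; the rest is illustrative.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 5.880 seconds

name                       value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                     412       70 info      packet    pktproc   Packets received
session_allocated              3        0 info      session   resource  Sessions allocated
flow_fwd_zonechange            1        0 drop      flow      forward   Packets dropped: forwarded to different zone
flow_tcp_non_syn_drop          2        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
--------------------------------------------------------------------------------
Total counters shown: 4
--------------------------------------------------------------------------------
"""

# One counter row: name, two integers, a severity keyword, two single tokens, free-text description.
ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>info|warn|drop|error)\s+(?P<category>\S+)\s+"
    r"(?P<aspect>\S+)\s+(?P<description>.+?)\s*$"
)
ELAPSED_RE = re.compile(r"Elapsed time since last sampling:\s*([\d.]+)\s*seconds")

# Hints for the drop counters discussed in the thread (author's notes, not vendor text).
HINTS = {
    "flow_fwd_zonechange": "return packet forwarded to a zone other than the session's; "
                           "check routes, PBF rules and asymmetric paths",
    "flow_tcp_non_syn_drop": "non-SYN segment with no matching session; usually an "
                             "asymmetric path, so the SYN never built a session",
}


@dataclass
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


def parse_elapsed(text: str) -> Optional[float]:
    """Return the sampling interval in seconds, or None if the header is absent."""
    m = ELAPSED_RE.search(text)
    return float(m.group(1)) if m else None


def parse_global_counters(text: str) -> List[Counter]:
    """Parse every counter row; header, separator and total lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append(Counter(d["name"], int(d["value"]), int(d["rate"]),
                                d["severity"], d["category"], d["aspect"], d["description"]))
    return rows


def drop_counters(text: str) -> List[Counter]:
    """Only the severity=drop rows, highest count first, so the culprit is at the top."""
    drops = [c for c in parse_global_counters(text) if c.severity == "drop"]
    return sorted(drops, key=lambda c: (-c.value, c.name))


def explain(counter: Counter) -> str:
    """Description plus a troubleshooting hint where one is known."""
    hint = HINTS.get(counter.name, "no hint recorded")
    return f"{counter.name}={counter.value} ({counter.category}/{counter.aspect}): {counter.description}; {hint}"


if __name__ == "__main__":
    print(f"sampled over {parse_elapsed(SAMPLE_OUTPUT)} s")
    for c in drop_counters(SAMPLE_OUTPUT):
        print(explain(c))
```

Run the same parser over two samples taken a few seconds apart and compare the value fields to see which drop counter is actually incrementing while the failing connection is retried; a counter that never moves during the test is not the one to chase.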
03-11-2014 04:13 AM
Minow,
Check what Hulk said, and double check your routes (including any PBF rules). It could be that the return packet is being routed to a different interface than the SYN packet came in on, which will give you the zonechange drop counter.
Craig Stancill | Technical Support Engineer
Shift Time : 05:00 – 14:00 GMT
Support Contact: US: (866) 898-9087, Outside the US: +1-408-738-7799
Palo Alto Networks | 3300 Olcott Street | Santa Clara, CA 95054-3005, USA
03-10-2014 03:45 AM
I can see the SYN from the client to the server, and then the SYN-ACK from the server to the client, at the stages receive, firewall and drop on my Palo Alto.
In the drop stage it is the same SYN-ACK packets (comparing the firewall and the drop pcaps).
03-10-2014 09:24 AM
Hello Minow,
Could you please confirm whether the outgoing SYN packet and the incoming SYN-ACK packet are being received on the same physical interface and zone. It looks like an asymmetric routing situation. For testing purposes you can enable "asymmetric-path-bypass = YES" "TCP non-syn reject = NO".
Thanks
03-11-2014 01:55 AM
Yes, I will try.
But how can I see which interface every packet is received on and sent from?
03-11-2014 01:55 AM
The weird thing is that there is only one route to the client and one route to the server.
03-11-2014 04:57 AM
Hi Minow,
please try the commands:
- test security-policy-match source xxx destination xxx protocol xxx show-all yes
- test security-policy-match source xxx destination xxx protocol xxx from xxx to xxx show-all yes
protocol: for example 80 is the right number for http
from: source zone
to: destination zone
The result will show which rule is taken. I guess there is a mismatch between interface and zones.
Regards, Klaus
03-11-2014 06:47 AM
kdd this is awesome! I just added these commands to our internal wiki
03-11-2014 09:10 AM
ericgearhart i like it too because it keeps a lot short
03-12-2014 12:17 AM
I will check and update. By the way, protocol should be 6 for TCP, and add destination-port 80 for HTTP.
Thanks
03-20-2014 12:59 AM
It was a PBR policy routing the ACK to a different zone.
Thanks
03-20-2014 08:41 AM
Hello minow,
There is this doc which explains taking packet-level logs, known as flow basic. This gives detailed results: if there is a drop, at what stage it happens and what the reason is, so you can understand it.
Packet Based Troubleshooting - Configuring Packet Captures and Debug Logs
Thanks