Hello community I got a issue that I would like your assistance on

Showing results for 
Search instead for 
Did you mean: 

Hello community I got a issue that I would like your assistance on

Not applicable

Hello community I got a issue that I would like your assistance on:

PAN is passing traffic but its failing to reach the destination point, PAN isn't receiving traffic from destination .customer asked to keep ticket open so, he can check is the destination firewall was blocking all in/out traffic


L7 Applicator

Hello Sir,

Could you please check if the destination is having a valid route to send back the traffic to PAN firewall..?

1. Is the destination is reachable from PAN firewall ( egress interface)...?


L5 Sessionator

To verify if traffic is transmitted or received by the PA device, you can set up packet captures. If you are not familiar with how to do that, you can follow below link.


Basically the idea is to set up transmit stage captures to see if packet was transmitted from DP and receive stage captures to see if you received a response from destination host.


L4 Transporter

For an issue like this I usually turn to the cli.

Show session all


ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                      Dst[Dport]/Zone (translated IP[Port])


33435   ping           ACTIVE  FLOW[35072]/WIFI/1  ([35072])

vsys1                           [54795]/WIFI  ([54795])

40067   yahoo-im-base  ACTIVE  FLOW  NS[50093]/LAN/6  ([60813])

vsys1                           [5050]/WAN  ([5050])

34800   ping           ACTIVE  FLOW[35072]/WIFI/1  ([35072])

vsys1                           [57355]/WIFI  ([57355])

33387   itunes-base    ACTIVE  FLOW  NS[56226]/WIFI/6  ([7110])

vsys1                           [443]/WAN  ([443])

28973   skype          ACTIVE  PRED  NS[0]/WIFI/6  ([0])

vsys1                           [15813]/WAN  ([15813])

34305   skype          ACTIVE  PRED  NS[0]/WIFI/6  ([0])

vsys1                           [443]/WAN  ([443])

33491   ssl            ACTIVE  FLOW  NS[50378]/LAN/6  ([44601])

vsys1                           [443]/WAN  ([443])

If I was testing with PING I could filter by IP address or by application.

Every session shown above has a session ID number.

Looking at the first session.......

skrall@PA-200> show session id 33435

Session           33435

        c2s flow:

                source: [WIFI]


                proto:       1

                sport:       35072           dport:      54795

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source: [WIFI]


                proto:       1

                sport:       54795           dport:      35072

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

                qos node:    ethernet1/2, qos member N/A Qid -2

        start time                    : Thu Jan  2 19:47:43 2014

        timeout                       : 6 sec

        total byte count(c2s)         : 82

        total byte count(s2c)         : 82

        layer7 packet count(c2s)      : 1

        layer7 packet count(s2c)      : 1

        vsys                          : vsys1

        application                   : ping

        rule                          : Internal zones

        session to be logged at end   : True

        session in session ager       : False

        session synced from HA peer   : False

        layer7 processing             : enabled

        URL filtering enabled         : False

        session via syn-cookies       : False

        session terminated on host    : True

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/2

        session QoS rule              : PING (class 5)


This shows that the traffic entered the box on ethernet1/2 and exited the box on ethernet1/2.

This also shows the Security rule used is "Internal zones",  there is a QOS rule named "PING" and if NAT was involved, it would display the name of the NAT rule processing the traffic.

It also shows 1 packet in the C2S (Client to server) direction and 1 packet in the S2C direction.

All of these are clues as to the nature of the problem or proof that the traffic has entered or left the box.

Steve Krall

Thank you all for your help

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!