01-02-2014 03:16 AM
Hello community, I have an issue that I would like your assistance on:
PAN is passing traffic but it's failing to reach the destination point, and PAN isn't receiving traffic from the destination. The customer asked to keep the ticket open so he can check whether the destination firewall was blocking all in/out traffic.
01-02-2014 11:33 AM
Hello Sir,
Could you please check if the destination has a valid route to send the traffic back to the PAN firewall?
1. Is the destination reachable from the PAN firewall (egress interface)?
Thanks
01-02-2014 01:49 PM
To verify if traffic is transmitted or received by the PA device, you can set up packet captures. If you are not familiar with how to do that, you can follow the link below.
https://live.paloaltonetworks.com/docs/DOC-2542
Basically the idea is to set up transmit-stage captures to see if the packet was transmitted from the DP and receive-stage captures to see if you received a response from the destination host.
-Richard
01-02-2014 07:57 PM
For an issue like this I usually turn to the CLI.
show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
33435 ping ACTIVE FLOW 172.17.17.200[35072]/WIFI/1 (172.17.17.200[35072])
vsys1 172.17.17.1[54795]/WIFI (172.17.17.1[54795])
40067 yahoo-im-base ACTIVE FLOW NS 10.10.10.205[50093]/LAN/6 (76.126.244.102[60813])
vsys1 66.196.121.20[5050]/WAN (66.196.121.20[5050])
34800 ping ACTIVE FLOW 172.17.17.200[35072]/WIFI/1 (172.17.17.200[35072])
vsys1 172.17.17.1[57355]/WIFI (172.17.17.1[57355])
33387 itunes-base ACTIVE FLOW NS 172.17.17.202[56226]/WIFI/6 (76.126.244.102[7110])
vsys1 17.154.66.73[443]/WAN (17.154.66.73[443])
28973 skype ACTIVE PRED NS 0.0.0.0[0]/WIFI/6 (0.0.0.0[0])
vsys1 182.160.35.109[15813]/WAN (182.160.35.109[15813])
34305 skype ACTIVE PRED NS 0.0.0.0[0]/WIFI/6 (0.0.0.0[0])
vsys1 68.98.113.45[443]/WAN (68.98.113.45[443])
33491 ssl ACTIVE FLOW NS 10.10.10.205[50378]/LAN/6 (76.126.244.102[44601])
vsys1 64.74.220.36[443]/WAN (64.74.220.36[443])
If I was testing with PING I could filter by IP address or by application.
Every session shown above has a session ID number.
Looking at the first session...
skrall@PA-200> show session id 33435
Session 33435
c2s flow:
source: 172.17.17.200 [WIFI]
dst: 172.17.17.1
proto: 1
sport: 35072 dport: 54795
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 172.17.17.1 [WIFI]
dst: 172.17.17.200
proto: 1
sport: 54795 dport: 35072
state: INIT type: FLOW
src user: unknown
dst user: unknown
qos node: ethernet1/2, qos member N/A Qid -2
start time : Thu Jan 2 19:47:43 2014
timeout : 6 sec
total byte count(c2s) : 82
total byte count(s2c) : 82
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 1
vsys : vsys1
application : ping
rule : Internal zones
session to be logged at end : True
session in session ager : False
session synced from HA peer : False
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : True
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/2
session QoS rule : PING (class 5)
skrall@PA-200>
This shows that the traffic entered the box on ethernet1/2 and exited the box on ethernet1/2.
This also shows that the Security rule used is "Internal zones" and that there is a QoS rule named "PING"; if NAT was involved, it would display the name of the NAT rule processing the traffic.
It also shows 1 packet in the C2S (Client to server) direction and 1 packet in the S2C direction.
All of these are clues as to the nature of the problem or proof that the traffic has entered or left the box.
Steve Krall
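As an added example (not part of the thread, and not Palo Alto Networks code), the following Python script applies the reasoning Steve describes to `show session id` output: it parses the c2s/s2c flows, the per-direction packet counts, the rule and the ingress/egress interfaces, then classifies the session. The first sample is taken from the session shown above; the second sample is constructed to reproduce the situation in the original question (client packets leave the firewall, no reply comes back). The session id 48120, the addresses, the rule name "Outbound-web" and the interface names in that second sample are all made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Sample 1: lines from the thread's own `show session id 33435` output, trimmed
# to the fields this parser reads. Sample 2 is CONSTRUCTED to show the failure
# mode from the original question: packets go out, nothing comes back.
SESSION_OK = """\
Session 33435
c2s flow:
source: 172.17.17.200 [WIFI]
dst: 172.17.17.1
proto: 1
sport: 35072 dport: 54795
s2c flow:
source: 172.17.17.1 [WIFI]
dst: 172.17.17.200
proto: 1
sport: 54795 dport: 35072
total byte count(c2s) : 82
total byte count(s2c) : 82
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 1
application : ping
rule : Internal zones
ingress interface : ethernet1/2
egress interface : ethernet1/2
"""

SESSION_NO_REPLY = """\
Session 48120
c2s flow:
source: 10.10.10.205 [LAN]
dst: 203.0.113.10
proto: 6
sport: 50500 dport: 443
s2c flow:
source: 203.0.113.10 [WAN]
dst: 10.10.10.205
proto: 6
sport: 443 dport: 50500
total byte count(c2s) : 312
total byte count(s2c) : 0
layer7 packet count(c2s) : 4
layer7 packet count(s2c) : 0
application : ssl
rule : Outbound-web
ingress interface : ethernet1/1
egress interface : ethernet1/3
"""


@dataclass
class Flow:
    source: str
    zone: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class Session:
    session_id: int
    c2s: Flow
    s2c: Flow
    fields: Dict[str, str]  # every "key : value" line, e.g. "rule", "egress interface"

    def packets(self, direction: str) -> int:
        return int(self.fields[f"layer7 packet count({direction})"])


# One flow block: source/zone, dst, proto, then sport and dport on one line.
FLOW_RE = re.compile(
    r"source:\s*(?P<src>\S+)\s*\[(?P<zone>[^\]]+)\]\s*dst:\s*(?P<dst>\S+)\s*"
    r"proto:\s*(?P<proto>\d+)\s*sport:\s*(?P<sport>\d+)\s*dport:\s*(?P<dport>\d+)"
)


def parse_session(text: str) -> Session:
    header = re.search(r"Session\s+(\d+)", text)
    c2s_at, s2c_at = text.find("c2s flow:"), text.find("s2c flow:")
    if not header or c2s_at < 0 or s2c_at < 0:
        raise ValueError("not a 'show session id' output")
    flows = {}
    for name, chunk in (("c2s", text[c2s_at:s2c_at]), ("s2c", text[s2c_at:])):
        m = FLOW_RE.search(chunk)
        if not m:
            raise ValueError(f"could not parse {name} flow")
        flows[name] = Flow(m["src"], m["zone"], m["dst"],
                           int(m["proto"]), int(m["sport"]), int(m["dport"]))
    # Flow lines use "key: value"; the summary lines use "key : value".
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, _, value = line.partition(" : ")
            fields[key.strip()] = value.strip()
    return Session(int(header.group(1)), flows["c2s"], flows["s2c"], fields)


def diagnose(session: Session) -> Tuple[str, str]:
    """Classify a session the way the thread does: c2s packets prove the traffic
    entered and was forwarded, s2c packets prove the destination's reply reached
    the firewall."""
    c2s, s2c, f = session.packets("c2s"), session.packets("s2c"), session.fields
    if c2s == 0:
        return ("not-forwarded", f"no client packets counted; check rule "
                f"'{f.get('rule')}' and ingress interface {f.get('ingress interface')}")
    if s2c == 0:
        return ("no-reply", f"{c2s} packet(s) left via {f.get('egress interface')} "
                f"toward {session.c2s.dst} but none came back; verify the destination "
                f"has a route back to the firewall and nothing in front of it drops the reply")
    return ("bidirectional", f"{c2s} c2s / {s2c} s2c packets passed under rule '{f.get('rule')}'")


if __name__ == "__main__":
    for sample in (SESSION_OK, SESSION_NO_REPLY):
        s = parse_session(sample)
        print(s.session_id, s.fields.get("application"), *diagnose(s))
```

In practice the input would be the text returned over SSH or the XML API for each session id found with `show session all` (filtered by the test host's address or by application, as Steve suggests); the "no-reply" verdict is the one that points at the destination's return route or a firewall in front of it, which is exactly what the original poster was waiting to confirm.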
01-29-2014 03:45 AM
Thank you all for your help