i created a policy to allow 1099 and 9002 for many servers. but it is working for few servers only not for all and few 1099 is working but not 9002.


L2 Linker


8 REPLIES

L7 Applicator

Hello vsingh,

Could you please share a screenshot of your FW policy and custom service here? You may also check the traffic logs under Monitor > Logs > Traffic to see if the traffic is getting dropped for any other reason.

Thanks

L7 Applicator

Hello Vsingh,

You may follow the below mentioned troubleshooting steps to narrow down the problem:

Please check the real-time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.

If a session exists for the same traffic, then please apply the CLI command 'PAN> show session id XYZ' to get detailed information about that session, i.e. NAT rule, security rule, ingress/egress interface, etc.

Verify the global counters to see whether a specific "DRP" counter is increasing rapidly. The command 'show counter global' provides information about the processes/actions taken on the packets going through the device: whether they are dropped, NAT-ed, decrypted, etc. (It is advised to use the command 'show counter global filter packet-filter yes delta yes' in conjunction with filters to obtain meaningful data.)

For more information, you can follow the DOC What is the Significance of Global Counters?

Packet Capture, Debug Flow-basic and Counter Commands

Hope this helps.

Thanks

Hi,

In the logs it is showing as incomplete, but I am not able to understand why it is working for a few servers and not for others.

I did a local telnet from the server itself (telnet localhost 9002 and telnet localhost 1099); it is not happening there,

but on the working servers it is happening.

Hello Vsingh,

Incomplete means that either the three-way TCP handshake did NOT complete, or the three-way TCP handshake did complete but there was no data after the handshake to identify the application.


Reference DOC: Incomplete, Insufficient data and Not-applicable in the application field

Thanks
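The two cases named above (no handshake at all versus a completed handshake with no data) can be told apart from the counters a traffic log carries, and doing that per server answers the "works for some servers, not others" question directly. The following is an added example, not code from this thread or from Palo Alto Networks: it reads constructed rows in a simplified CSV layout (the field names are an assumption, not the real export format) and assigns each (server, port) pair a likely cause.

```python
import csv
from io import StringIO

# Constructed sample rows in a simplified traffic-log CSV layout (assumption:
# the field names loosely follow a firewall traffic log; not a real export).
SAMPLE_LOG = """src,dst,dport,app,action,pkts_sent,pkts_received,session_end_reason
10.1.1.5,10.2.0.11,1099,unknown-tcp,allow,12,9,tcp-fin
10.1.1.5,10.2.0.11,9002,ssl,allow,40,35,tcp-fin
10.1.1.5,10.2.0.12,1099,incomplete,allow,3,0,aged-out
10.1.1.5,10.2.0.12,9002,incomplete,allow,3,0,aged-out
10.1.1.5,10.2.0.13,1099,unknown-tcp,allow,10,8,tcp-fin
10.1.1.5,10.2.0.13,9002,incomplete,allow,1,1,tcp-rst-from-server
10.1.1.5,10.2.0.14,9002,incomplete,allow,3,2,aged-out
"""


def classify(row):
    """Map one allowed session to a likely cause, using only logged counters."""
    if row["app"] != "incomplete":
        return "ok"
    if int(row["pkts_received"]) == 0:
        # Nothing ever came back: the SYN was never answered. The rule allowed
        # the session, so look past the firewall (host firewall, IPS/proxy, routing).
        return "no-reply-from-server"
    if row["session_end_reason"] == "tcp-rst-from-server":
        # The server answered with a RST: nothing is listening on that port.
        return "port-closed-on-server"
    # Handshake completed but no payload followed, so App-ID could not identify it.
    return "handshake-no-data"


def triage(log_text):
    """Return {(dst, dport): cause} for every allowed session in the log."""
    result = {}
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "allow":
            continue
        result[(row["dst"], int(row["dport"]))] = classify(row)
    return result


def servers_needing_attention(log_text):
    """Destinations with at least one non-ok verdict, as {dst: {dport: cause}}."""
    bad = {}
    for (dst, dport), cause in triage(log_text).items():
        if cause != "ok":
            bad.setdefault(dst, {})[dport] = cause
    return bad


if __name__ == "__main__":
    for dst, ports in sorted(servers_needing_attention(SAMPLE_LOG).items()):
        print(dst, ports)
```

Servers whose every port reports "no-reply-from-server" point at something between the firewall and the host, while "port-closed-on-server" is the same finding the local telnet test gives.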

That is OK, but my concern here is why it is accessible from a few servers only and not others while the policy is allowed for all.

L6 Presenter

That is not a firewall issue in my opinion.

If it works for one, it should work for all.

An example:

I had the same problem with different ports. Then we found that the ISP was blocking the response for specific IP addresses. It is maybe something like that.

That can be a software IPS or similar also. The reason will not only be the ISP.

Have you checked that the servers where it is working are using the security policy you created and that the traffic is not taking another path?

You can filter the traffic log for a specific policy so you only see the traffic that is allowed or denied by this rule.

Hi Vsingh,

In case of "incomplete" it's definitely not a firewall issue. The firewall is sending packets, but there is no response from the server. Please check the servers to see if they are configured to allow traffic on those ports.

Another possibility is that after the firewall there might be an IPS or proxy which is blocking this traffic. Bottom line is it's a post-firewall issue.

Regards,

Hardik Shah
