incomplete

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

incomplete

L2 Linker

Hello,

I need urgent help. I dont know why but from one moment during the day is one website unreachable from our internal network(only this website). There was no change in configuration PA500, no changes in web server configuration. From outside of company is website reachable without problem. What I see in log is for this session application:incomplete.

I tried different computers, restart PA but no change, website still unreachable.

I dont know what I can do more. Please, help.

Thank you very much

15 REPLIES 15

L4 Transporter

Incomplete means that either the three way tcp handshake did NOT complete or the three way tcp handshake did complete but there was no data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.

So to explain a little clearer, if a client sends a server a syn and the paloalto device creates a session for that syn, but the server never sends a syn ack in response back to the client, then that session would be seen as incomplete.

Regards

Parth

OK, it is clear but what can I do to solve it? We didnt change PA configuration and also web server configuration. Websites are from outside of company reachable?

L4 Transporter

Do packet captures on the firewall at the transmit, receive and drop stage.

https://live.paloaltonetworks.com/docs/DOC-1653

You would be able to point out the root cause.

If the server is not responding most likely the receive/ transmit stage will send out SYN but not receive SYN-ACKs.

Let me know if that helps.

Regards

Parth

Also check your threat logs if you are seeing any drops there. Which website is this ?

I have tried accessing this behind my firewall. It is not blocked as virus or through URL filtering. In your case you might need to do a packet capture and see what is failing.

You can also try and open up a security policy and specify the source IP of the test host pc.

Create an any any policy without any scan profiles as well.

Move the policy to the top.

If this works then review the existing policy to see if the application or scan profiles might be preventing the traffic from being identified.

If this still does not work you might want to call into support or your local reseller for assistance.

Thank you

Hello Parth,

I tried to collect more details by capturing and enclosing result files. I am not sure where is the problem...

Hi,

It appears that a RST-ACK is sent by the the client 62.112.193.167.

pcap-1.PNG

Can  you just once again confirm the issue

" From outside of company is website reachable without problem"

Are you having issues accessing website from inside or outside? It appears that there is no translation in the pcaps.

Is your purpose trying to access the website from inside with a public ip-address?

Regards

Parth

Hi,

confirm - from outside of company is everything OK. You can try www.spapiestany.sk

We have issue to access the website only from internal network, behind the PA.  (company network - PA - public internet)

If you want to access the website from the internal zone (say trust zone having private ip-addressees) to a web server that is physical located inside but you want to access using the public ip-address, you need to configure a U-Turn NAT rule.

https://live.paloaltonetworks.com/docs/DOC-1678

Let me know if this helps.

If it is an urgent issue and you are still unable to access the website from inside please contact support.

Regards

Parth

hello,

it is probably misunderstanding, web server is not inside of our network (not physically located in internal network). Web server is outside of our company and also country.

So your security rules should look like the following:-

SECURITY:-

Source zone: Trust

Destination Zone: Untrust

Source address: Any

Destination address: -website public ip-address

Action : Allow

NAT :--

Source zone:-  Trust

Destination Zone :- Untrust

Source address Any

Destination address :- Website public ip-address

Source translation  :  type:- Dynamic ip and port ;  interface : Public facing interface

Destination translation: None

Regards

Parth

Also I tested in the lab and as expected the the traffic just went fine and I was able to access the website from inside.

pcap3.PNG

The three way hand shake starts with the an internal ip-address 10.101.100.108.

However in your case a SYN is received from the server (i.e 62.112.193.167) which should not be the case. see below:-

pcap-2.PNG

Try clearing all the sessions on the firewall pertaining to ip  62.112.193.167

From the CLI,

admin@Lab-59-PA-500> clear session all filter source 62.112.193.167

admin@Lab-59-PA-500> clear session all filter destination 62.112.193.167

admin@Lab-59-PA-500> clear session all filter source <test -pc ip-address>

Test it now.

Regards

Parth

  • 6844 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!