PA sending TCP RST for a NAT rule


Hi everybody,

Adding a bidirectional NAT rule for an SSL web server and the corresponding security rule, connections from outside are dropped as "Incomplete". A traffic capture shows that the first SYN packet received is directly rejected by the PA with a RST response. What does it mean?





Is it possible to share traffic logs for the affected traffic? Also, is it an App-ID based security policy?


As you said in your post, you have bi-directional NAT and you are facing issues with connections from outside on one SSL web server. You are trying to externalize the web server, probably on port 443. As the session seems to be incomplete, just check if the web service is running on the server that you want to externalize. Check if you are able to telnet to the internal server on the web-service port from the LAN. As you are seeing an incomplete session, most of the time it happens when there is no response from the server. That's why I asked you to check reverse routing for the web server subnet on the firewall and the application running status on the web server.




Agreed with @SutareMayur .

Most of the time the session shows incomplete when there is no reply back from the server side. Routing issues mostly cause this.

Hi everybody,

Thanks for your time. As I mentioned in a previous post, I think we don't have any issue with routing, and the service is up and running:

* I can ping server from appliance

* "show routing route" gives a correct route for my internal subnet

* from the server, I'm able to browse the Internet using the external NAT IP chosen for the service

* from internal subnets, I can access the https service on the server (nginx)

When I capture the traffic I can see the RST TCP packet immediately sent by the PA on the external interface and nothing on the internal interface.

It is always safer to create 2 NAT policies for DNAT and SNAT than a bi-directional one.

If you check a bi-directional NAT rule in the CLI you can see that for DNAT the source zone will be "any".


For your TCP RST problem. Most likely your security policy is incorrect.

Are you using pre-nat IP and post-nat zone in security policy?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
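The split DNAT/SNAT layout and the pre-NAT-address, post-NAT-zone security rule this answer recommends, written out as PAN-OS CLI set commands. This is an added example, not configuration from the thread; the zone names (untrust, trust), the public address 203.0.113.10, the server address 10.0.0.10, the client address 198.51.100.5 and the rule names are assumed placeholders from documentation ranges.

```panos
# Added example. Assumed names: zones "untrust"/"trust", public address
# 203.0.113.10 (routed to untrust), nginx server 10.0.0.10 (in trust).
set address WEB-PUBLIC ip-netmask 203.0.113.10/32
set address WEB-SERVER ip-netmask 10.0.0.10/32

# 1) Inbound DNAT. NAT zones are evaluated pre-NAT: the destination zone is
#    the zone the pre-NAT address routes to, so the rule is untrust -> untrust.
set rulebase nat rules DNAT-WEB from untrust to untrust source any destination WEB-PUBLIC service service-https
set rulebase nat rules DNAT-WEB destination-translation translated-address WEB-SERVER

# 2) Outbound SNAT for the server as its own rule, bi-directional switched off,
#    so no implicit "source any" DNAT is generated behind your back.
set rulebase nat rules SNAT-WEB from trust to untrust source WEB-SERVER destination any
set rulebase nat rules SNAT-WEB source-translation static-ip translated-address WEB-PUBLIC bi-directional no

# 3) Security rule: pre-NAT destination IP (WEB-PUBLIC), post-NAT destination
#    zone (trust). A rule written against WEB-SERVER, or "to untrust", will not
#    match the inbound SYN, which is the mismatch this answer asks about.
set rulebase security rules ALLOW-WEB-IN from untrust to trust source any destination WEB-PUBLIC
set rulebase security rules ALLOW-WEB-IN application ssl service application-default action allow
set rulebase security rules ALLOW-WEB-IN log-end yes

# Verification from operational mode (after commit): both tests should name the
# rules above for an inbound SYN from the assumed external client 198.51.100.5.
test nat-policy-match from untrust to untrust source 198.51.100.5 destination 203.0.113.10 protocol 6 destination-port 443
test security-policy-match from untrust to trust source 198.51.100.5 destination 203.0.113.10 protocol 6 destination-port 443
```

Lines beginning with # are commentary and are not accepted by the PAN-OS CLI. The thread's eventual root cause, a second host on the outside segment answering for the same external address, is invisible to these policy-match tests and only shows up in the capture on the external interface.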


Thank you very much for your advice on NAT rules.

After another check of our configuration, it seems that another host in the same NML subnet, not crossing the Palo appliance, was using the same IP address ... Everything works as expected now; sorry for the time spent on this obvious problem.


