PA sending TCP RST for a NAT rule

L1 Bithead

Hi everybody,


Adding a bidirectional NAT rule for an SSL web server and the corresponding security rule, connections from outside are dropped as "Incomplete". A traffic capture shows that the first SYN packet received is directly rejected by the PA with a RST response. What does it mean?


Regards.


Accepted Solutions
L1 Bithead

Hi,


Thank you very much for your advice on NAT rules.

After another check of our configuration, it seems that another host in the same NML subnet not crossing the Palo appliance was using the same IP address ... Everything works as expected now, sorry for the time spent on this obvious problem.

 

Rodjeur68


All Replies
L6 Presenter

@rodjeur68,

 

As the session is incomplete, there is no response/reply from the destination end.

Please check a few configurations, like:

 

1. Routing for destination server

2. If service is up and running on the server.

 

Mayur

L1 Bithead

Thx for the response.

* There's no routing issue: the server can access the Internet via the PA using the NAT IP address

* The service is up and running, accessible from internal networks

L6 Presenter

@rodjeur68,

 

Are you seeing issues with inbound or outbound traffic?

 

Mayur

L1 Bithead

Globally? Not at all.

 

Rodjeur68

L6 Presenter

@rodjeur68,

 

Is it possible to share traffic logs for the affected traffic? Also, is it an App-ID based security policy?

 

As you said in your post, you have bi-directional NAT and you are facing issues with connections from outside on one SSL web server. You are trying to externalize the web server, probably on port 443. As the session seems to be incomplete, just check if the web service is running on the server that you want to externalize. Check if you are able to telnet to the internal server on the web-service port from the LAN. As you are seeing an incomplete session, most of the time it happens when there is no response from the server. That's why I asked to check reverse routing for the web server subnet on the firewall and the application's running status on the web server.

 

Mayur

L2 Linker

Agreed with @SutareMayur.

Most of the time the session shows incomplete when there is no reply back from the server side. Routing issues mostly cause this.

L1 Bithead

Hi everybody,


Thanks for your time. As I mentioned in a previous post, I think we don't have any issue with routing, and the service is up and running:

* I can ping server from appliance

* show routing route gives a correct route for my internal subnet

* from the server, I'm able to browse the Internet using the external NAT IP chosen for the service

* from internal subnets, I can access the https service on the server (nginx)


When I capture the traffic I can see the RST TCP packet immediately sent by the PA on the external interface and nothing on the internal interface. [Screenshot attached: 2020-04-21_10h19_39.png]

L7 Applicator

It is always safer to create 2 NAT policies for DNAT and SNAT than bi-directional.

If you check bi-directional NAT rule in cli you can see that for DNAT source zone will be "any".

 

For your TCP RST problem. Most likely your security policy is incorrect.

Are you using pre-nat IP and post-nat zone in security policy?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
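The point in the reply above (security policy matches on the pre-NAT destination IP but the post-NAT destination zone, and a bidirectional NAT implies a DNAT with source zone "any") is easy to get wrong. The following is an added example, not code from this thread or from Palo Alto Networks: a simplified model of the PAN-OS NAT and security-policy lookup order, with constructed addresses (203.0.113.10 as the public NAT address, 10.10.10.5 as the nginx host, zones "untrust" and "trust" are all hypothetical). It shows that a rule written with the internal (post-NAT) IP never matches an inbound SYN and falls through to the interzone default deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lab addressing (hypothetical, not from the thread).
ZONES = {
    "untrust": ip_network("203.0.113.0/24"),  # firewall external segment
    "trust": ip_network("10.10.10.0/24"),     # internal server segment
}
PUBLIC_IP = "203.0.113.10"   # external NAT address of the web server
SERVER_IP = "10.10.10.5"     # real (post-NAT) address of the nginx host


def zone_of(ip: str) -> Optional[str]:
    """Stand-in for the route lookup PAN-OS uses to find a destination zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    ingress_zone: str


@dataclass
class NatRule:
    name: str
    from_zones: set          # {"any"} matches every source zone
    to_zone: str
    original_dst: Optional[str] = None
    translated_dst: Optional[str] = None


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    dst_ip: str
    dst_port: int
    action: str              # "allow" or "deny"


def bidirectional_nat(name, internal_ip, public_ip, external_zone):
    """The DNAT half that a bidirectional static NAT implies. As the reply
    notes, its source zone is 'any'. The SNAT half is omitted because only
    the inbound path is examined here."""
    return NatRule(f"{name}-dnat", {"any"}, external_zone,
                   original_dst=public_ip, translated_dst=internal_ip)


def nat_lookup(pkt, nat_rules):
    """NAT is matched on pre-NAT addresses; the destination zone comes from
    a route lookup of the ORIGINAL destination IP."""
    pre_nat_dst_zone = zone_of(pkt.dst_ip)
    for rule in nat_rules:
        zone_ok = "any" in rule.from_zones or pkt.ingress_zone in rule.from_zones
        if zone_ok and rule.to_zone == pre_nat_dst_zone and rule.original_dst == pkt.dst_ip:
            return rule
    return None


def security_lookup(pkt, nat_rule, sec_rules):
    """Security policy is matched on the PRE-NAT destination IP but the
    POST-NAT destination zone (the zone the translated address routes to)."""
    post_nat_dst = nat_rule.translated_dst if nat_rule else pkt.dst_ip
    post_nat_zone = zone_of(post_nat_dst)
    for rule in sec_rules:
        if (rule.from_zone == pkt.ingress_zone and rule.to_zone == post_nat_zone
                and rule.dst_ip == pkt.dst_ip and rule.dst_port == pkt.dst_port):
            return rule.name, rule.action
    return "interzone-default", "deny"   # implicit deny between zones


def evaluate(pkt, nat_rules, sec_rules):
    """Return (action, matched security rule, post-NAT destination IP)."""
    nat_rule = nat_lookup(pkt, nat_rules)
    name, action = security_lookup(pkt, nat_rule, sec_rules)
    return action, name, (nat_rule.translated_dst if nat_rule else pkt.dst_ip)


NAT_RULES = [bidirectional_nat("web", SERVER_IP, PUBLIC_IP, "untrust")]
INBOUND_SYN = Packet("198.51.100.7", PUBLIC_IP, 443, "untrust")   # constructed client

# Correct: pre-NAT IP with post-NAT zone.
GOOD_POLICY = [SecurityRule("inbound-https", "untrust", "trust", PUBLIC_IP, 443, "allow")]
# Common mistake: the post-NAT (internal) IP in the security rule.
BAD_POLICY = [SecurityRule("inbound-https", "untrust", "trust", SERVER_IP, 443, "allow")]

if __name__ == "__main__":
    print(evaluate(INBOUND_SYN, NAT_RULES, GOOD_POLICY))  # ('allow', 'inbound-https', '10.10.10.5')
    print(evaluate(INBOUND_SYN, NAT_RULES, BAD_POLICY))   # ('deny', 'interzone-default', '10.10.10.5')
```

Running the block prints the allow for the correctly written rule and the default deny for the rule keyed on the internal address; a rule with the pre-NAT zone ("untrust" to "untrust") fails in the same way. Note that the model says nothing about why a RST was seen: a policy mismatch on its own would normally drop silently, and the thread's root cause turned out to be a duplicate IP on the server subnet.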
