PA time out accessing web

Server is UP, we can access from another PA. 

Yes, its seems like 3-way is not done but in session details we see packets sent and received. 

I thought that could be a problem of our ISP with that web or in the server side but a colleague told me that if he accessed using his iphone worked with IOS 9 and 10. Quite strange.....

Get another PCAP. l want to see SYN,ACK from the server arriving at the PA  eth1/2

I add a pcap. i tried first with chrome (not working) and then with Firefox and now its working. If i use chrome after start session with firefox, its also working with chrome. Its like if the session is started with https is not working in both browsers, but if i start the session with http://metromadrid.es in Firefox the session is established. After being established the web is wowking in both browsers. What could be cause this problem???

This is the Firewall.pcap.

Thi is a bit confusing now. New tab in the web browser = new session for Palo. It doesn't matter Chrome or Firefox first, for Palo it is a new session. Did you try to test from the different client/PC?

Yes, all devices going through this PA have the same behavior. 

With firefox i try: https://www.metromadrid.es/ and it doesnt work, then i try http://metromadrid.es and it works. 

I go to "session browser", i close all sessions to web server, i try with chrome or firefow and its working with both.

I dont find any pattern

Im trying to find any different between http request from our browsers. Maybe http get or connect are different.

Quite weird.

Is your policy configure with "any application " "any services" and without the security profiles attached. If not then worth to test.

i did that. Even i created a custom app with "http-get=metromadrid.es" but it doesnt work because threeway is not done when its not working....

I disabled DSRI, deleted zone protection in untrust interface... i dont know what more i can do :S

Quite weird.....i dont have any idea whats happening

Hmmmm.. Any intermediate devices before or after the FW that could potentially interfere with this session?

Can you post successful and failed https session output using the "magnifying glass" option (eg):

It is hard to prove but l doubt it is PA issue 😄 lets see

Yes, but if i try http://metromadrid.es in Firefox is working fine. After that i go to chrome, i go to metromadrid.es and its working too. Quite weird.....

Here screenshots and policy.

using http://metromadrid.es, there is a redirect to https and its working but only in firefox and explorer.

This is very weird. Ok let's try something else.  Lets see if PA itself can get 3-way handshake using its external (NAT IP) address;

> ssh port 443 source 188.x.x.x host 185.89.60.64

PCAP filter:

capture all stages: firewall, drop, receive and transmit. 

I think

Log detailed:

Drop pcap:

Firewall pcap:

Transmit pcap:

receive pcap:

This issue just breaks my mind 😄 l also have no ideas now.  Just for test allow only application https (SSL) and on its default port 443 "application-default", otherwise l am giving up, sorry. It is more like a guess now. Cannot understand why we don't see SYN, ACK from PA PCAPs, when you were testing from the client PC with HTTPS requests.