This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

palo alto interrupting web server traffic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

palo alto interrupting web server traffic

sib2017
L4 Transporter

‎03-06-2017 11:09 AM

Hi,

 

I have web server , in some computers website load properly and  some  not loading properly .

I suspect pa is interrupting  

 

Please advise 

0 Likes Likes
10 REPLIES 10

TranceforLife
L6 Presenter

‎03-06-2017 11:32 AM - edited ‎03-07-2017 07:35 AM

Hi @sib2017

 

What is actually happening? How is your policy looks like (profiles) etc. Traffic logs for the affected users? What I am usually doing (not always possible in the production) is taking one of the affected users/PCs and creating a "clear" test policy without anything purely from source to the destination permit any any (no profiles) and see what is happening. Same issue? Removing test policy and checking the client-server side only :0 as this is not PA issue.

0 Likes Likes

bradk14
L3 Networker

‎03-06-2017 02:40 PM - edited ‎03-06-2017 02:41 PM

your issue is very vague. if you are talking about the same website on multiple computers, the first thing to check is to see if each computer is hitting the same rule for the same website in the traffic log. if so, you should also look at the reason for the session end, if it's a tcp-fin or timed out or a reset of some sort. also consider the threat log if you have a threat prevention policy in place. you also need to consider if all computers are using the same browser/version.

 

there are many places something like this could go wrong, but unless your rules are applied subjectively/unevenly, the firewall is probably the least likely source of the issue.

0 Likes Likes

sib2017
L4 Transporter
In response to TranceforLife

‎03-07-2017 07:30 AM

Hi,

The server is 192.168.10.100:2048

and the client is  : 192.168.2.25

 

Here is the  capture -rx from the pa 

 

pa.JPG

 

Sometimes can access the port 2048 .That is the syptom.  sometimes cannot  .

In my capture there  are tcp port numbers resued ,multiple retransmsiion and tcp previous segment not captured  .

These are indicating to any problems 

Thank you 

0 Likes Likes

TranceforLife
L6 Presenter
In response to sib2017

‎03-07-2017 07:35 AM - edited ‎03-07-2017 07:36 AM

What can you see in the traffic logs when accessing this server? How the PA identifies this port TCP 2048 under which application? How is your security policy looks like?

0 Likes Likes

sib2017
L4 Transporter
In response to TranceforLife

‎03-07-2017 09:56 AM

Hi,

 

As per the screenshot there is  SYN-ACK and corresponding (5 and 6) and finally client sent an ACK (11 and 12) 

so the server listening on port 2048 , is'nt it ?

 

Thanks

0 Likes Likes

gwesson
L7 Applicator
In response to sib2017

‎03-07-2017 10:06 AM

A couple things could help clear it up if you can repost the screenshot:

 

  • Remove or hide the SNR and Rate columns in Wireshark.
  • Reduce the sizes of the IP columns to expand the other columns that have "..." so we can see the full data.
  • I assume the "delta" column is delta time between displayed frames, but expanding that field could help (or change your time display format to "Seconds since previous displayed packet".
  • Grab a packet capture of a working client to compare the flow.

 

It looks like we see two sets of three-way handshakes here, both on destination port 2048. Both handshakes are complete, and there seems to be an exchange of data (client sends PSH flags on frames 11-12, 13-14, and 15-16; the server sends a reply in frames 17-18).

 

If the traffic is known to Wireshark, you can also decode it as the known traffic (if it's TLS for example, right-click on any frame and choose Decode As..., and specify port 2048 to be whatever the actual traffic is).

sib2017
L4 Transporter
In response to gwesson

‎03-07-2017 11:28 AM

Hi gwesson

Thank you for the  reply  . 

I have adjusted the view as you said . And  i did decode as 'ssl' 

 

pa.JPG

 

Sorry for the incenvenience 

Thanks

0 Likes Likes

TranceforLife
L6 Presenter
In response to sib2017

‎03-07-2017 11:39 AM - edited ‎03-07-2017 01:07 PM

Hi,

 

Yes, correct. The server is listening on TCP 2048 port (no doubt) but same time we can see SSL traffic to the same server. But what l am trying to understand is how is the PA seeing this traffic and how it is identifying? Under which application. This all info is under Monitoring tab on PA.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to TranceforLife

‎03-07-2017 01:02 PM

@TranceforLife is bringing up a really good point. If the only information that your giving is a wireshark it doesn't actually tell us what the Palo Alto itself is seeing. Knowing what your security policy for the traffic looks like, how the Palo Alto is seeing the termination, all of that other good information.

0 Likes Likes

sib2017
L4 Transporter
In response to TranceforLife

‎03-07-2017 11:21 PM

Hi,

Unfortunately  i Changed this port from 2048 to 80 and all the logs were over written .

When i change the app to port 80 , its seems working fine .There is some few old logs  (Rules are same ) 

 

pa2.png

 

And there are some records shows session end reason is unknown 

 

Thanks

0 Likes Likes
  • 5703 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks