Palo Alto not loading certain valid sites, why?


L4 Transporter

Having another issue with these things (ready to throw them out the window in all honesty). 


Seems as though a couple of sites simply won't load when routed through a pair of HA 3020s.  Of course Palo Alto support does a packet capture and sees no drops, so immediately it's not their fault.  But I know it is because I can route that specific traffic out another gateway on the same public network the PAs sit on and it works without issue.  Packet captures from the client side show a lot of TCP re-transmissions when the traffic is routed through the PAs; when it's routed through an ASA I see 0 re-transmits.  PA wants to point the finger at the ISP, but I highly doubt our ISP is having an issue routing two completely different websites/IPs back to a single IP on the same /26 network.  No SSL decryption.  


Nothing in the logging on the Palo Alto shows any block/drop or deny.  Has anyone seen anything like this before? 


L6 Presenter

Your problem statement is a bit confusing.  Can you clarify a bit more, adding in architecture information as well as the websites in question which aren't working?

Yeah sorry, just frustrated with PA so more of a vent post.  Hopefully this helps:


I have a pair of HA active/passive 3020s and users behind them are unable to access a couple of sites.  If I add a static route for those sites on my core (cat6k) and make the next hop an ASA (on the same public network as my 3020s) the sites load without issue. 


Let's say the ASA has an IP of and the PAs have and the only thing in front of them both is an L2 DMZ switch.  When routing the traffic through the PAs I see a lot of TCP retransmissions; when I route it through the ASA I don't see any of those.  I would understand if it was an ISP issue to my entire /26, but it's clearly not.  Only an issue when traffic is routed through the PAs.  


One of the sites is and you can see part of the captures below, ASA on top and PA on the bottom.  
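The comparison the poster is making (retransmissions on the PA path, none on the ASA path) can be made concrete with a small script. The following is an added example, not the poster's captures or anything from Palo Alto; the two packet summaries are constructed to mimic a tshark-style export (time, src, dst, sport, dport, relative seq, payload length), and the detection rule is the plain Wireshark-style heuristic: a data segment whose byte range was already sent in the same direction counts as a retransmission.

```python
"""Compare TCP retransmissions across two capture summaries.

Added example, not from the forum thread. The packet lines are constructed
to resemble a tshark summary (time src dst sport dport seq len); they are
not the poster's captures, which are not on the page.
"""
from collections import defaultdict

# Constructed sample: same client session shape via two gateways.
# The "ASA" trace delivers both server segments; the "PA" trace shows
# the first full-size server segment being sent repeatedly.
ASA_PATH = """\
0.000 10.0.0.5 203.0.113.10 51000 443 1 0
0.020 203.0.113.10 10.0.0.5 443 51000 1 0
0.021 10.0.0.5 203.0.113.10 51000 443 1 517
0.045 203.0.113.10 10.0.0.5 443 51000 1 1460
0.046 203.0.113.10 10.0.0.5 443 51000 1461 1460
0.047 10.0.0.5 203.0.113.10 51000 443 518 0
"""
PA_PATH = """\
0.000 10.0.0.5 203.0.113.10 51001 443 1 0
0.020 203.0.113.10 10.0.0.5 443 51001 1 0
0.021 10.0.0.5 203.0.113.10 51001 443 1 517
0.045 203.0.113.10 10.0.0.5 443 51001 1 1460
0.246 203.0.113.10 10.0.0.5 443 51001 1 1460
0.647 203.0.113.10 10.0.0.5 443 51001 1 1460
1.450 203.0.113.10 10.0.0.5 443 51001 1 1460
"""


def parse_capture(text):
    """Parse the whitespace-separated summary lines into packet dicts."""
    packets = []
    for line in text.strip().splitlines():
        t, src, dst, sport, dport, seq, length = line.split()
        packets.append({
            "time": float(t), "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport),
            "seq": int(seq), "len": int(length),
        })
    return packets


def find_retransmissions(packets):
    """Return data segments whose bytes were already sent in that direction.

    A segment is flagged when it carries payload and its range
    [seq, seq+len) ends at or below the highest sequence end already seen
    for the same (src, sport) -> (dst, dport) direction. Pure ACKs and
    SYNs (len 0) are never flagged.
    """
    highest_end = defaultdict(int)  # direction -> highest seq+len seen
    retrans = []
    for p in packets:
        direction = (p["src"], p["sport"], p["dst"], p["dport"])
        end = p["seq"] + p["len"]
        if p["len"] > 0 and end <= highest_end[direction]:
            retrans.append(p)
        highest_end[direction] = max(highest_end[direction], end)
    return retrans


def summarize(name, text):
    """Per-path counts a troubleshooter would compare side by side."""
    packets = parse_capture(text)
    retrans = find_retransmissions(packets)
    data_segments = [p for p in packets if p["len"] > 0]
    return {
        "path": name,
        "data_segments": len(data_segments),
        "retransmissions": len(retrans),
        # Sizes of the segments that had to be resent; a single repeated
        # size is a useful hint about which segment never gets through.
        "retransmitted_sizes": sorted({p["len"] for p in retrans}),
    }


def compare_paths():
    """Summaries for both constructed traces, keyed by path name."""
    return {
        "asa": summarize("asa", ASA_PATH),
        "pa": summarize("pa", PA_PATH),
    }


if __name__ == "__main__":
    for name, result in compare_paths().items():
        print(name, result)
```

Run it as-is to see the two summaries; to use it on real traffic, export the same seven fields from a client-side capture for each path and feed the text to `summarize`. The point of the comparison is the delta between paths for the same destination, which is the evidence the poster is describing, rather than the absolute count.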



Thanks for the clarification.  


I might not fully get it yet, so bear with me.  The 3020s, would these be "perimeter" firewalls, where really the next hop beyond them is an ISP, or is there another set of firewalls beyond the 3020s?


If the 3020s are perimeter devices, the PA IP address of, is that your public hide / NAT address?  If so, you'll want to make sure that the "object" entry for that IP is a /32.  While the might be part of a /26 network, in order to use the .4 as your NAT it needs to be a /32 object in the firewall.



Yes, perimeter FWs, nothing allowing or denying traffic in front of them, next hop is one of my ISPs.  And I thought I was doing many-to-1 NAT using object.  You are saying I should change that object to If I do that, is it going to complain about my default route being in a /26 and the outside/untrust IP being a /32?  Right now my outside/untrust ae1 and my outbound NAT statement both use the 'outside interface' object 


For outbound NAT I am doing:


Dynamic IP and Port
Interface Address
outside object (

Which appears to be right because my public IP shows a 

