Palo alto website issue - Virtual wire

Hi guys,

Customer has deployed a Palo Alto firewall in virtual wire mode between a Cisco Meraki gateway and a Cisco Meraki core switch.

We are seeing an issue where the website is not loading on the first attempt. For example, if we are visiting website XYZ.com for the first time in the network, it shows an error "This site can't be reached, the connection was reset" and immediately within a second. This error appears maybe for 2 seconds on screen, not much more than mentioned.

Initially I thought this could be an internal DNS issue on the PC, so I tried changing DNS to 8.8.8.8 and tried browsing new sites, no luck. Then, while looking at the drop counters, I saw drops for "url request pkt" and "flow tcp non syn", so I set tcp non syn lookup to false and configured the timeout for url request lookup to 60 seconds, but the issue is still not resolved.

This issue happens with all the users as per the customer. While capturing, I'm seeing a lot of TCP retransmissions sent for PSH ACK from source to destination.

This issue looks strange. Also, for your knowledge, there are security profiles attached to the policy; I removed all of them for testing purposes, which also did not resolve the issue.

@reaper Your valuable comments will add more value to this issue.

Regards

Venky

Cyber Elite

Thanks for the info you have.

At this time, take small steps to troubleshoot.

Removing the security profiles is good, but not the source of the issue, based on the responses you provided.

Turn off any DoS policy and also remove your Zone Protection Profile from the zones, and test.

Something within Content Inspection appears to be causing the issue.
DoS profile disabled and zone protection configured only for alert.

Cyber Elite

As I mentioned, please remove the Zone Protection Profile and test again.

The alert functionality is for port scans and host sweeps.

If you are seeing drops, then it is the ZPP that could be the root cause.

Remove ZPP, test, and then report back to us. :P

Thank you.
Zone protection will not help here, because I'm not seeing any drops related to zone protection in the global counters.

If I had seen a zone protection drop counter, I would have disabled it and tried.
Cyber Elite

Hello again

Your comment in your original post was:

I have seen drops for "url request pkt" and "flow tcp non syn" then I set tcp non syn lookup to false.

Part of ZPP includes:

Reject Non-SYN TCP: Determines whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

  • global—Use the system-wide setting that is assigned through the CLI.
  • yes—Reject non-SYN TCP traffic.
  • no—Accept non-SYN TCP traffic.

This is why I am requesting that you just test removing ZPP for 5 minutes to see if this helps.

As I mentioned, these are just small logical troubleshooting steps.

You could also run a tech support FW and open an official ticket with TAC.

We want to assist you as much as possible.

For me personally, I have seen and experienced this issue, both as a Pro Service consultant and instructor of 8 years on PANW hardware. This is why I am attempting to assist you to rule out or confirm ZPP. I have other steps that could be done, but wanted to get the easy ones out of the way initially.

Thank you.
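The "flow tcp non syn" counter discussed above increments when the firewall sees the first packet of a TCP session without a preceding SYN (for example mid-stream PSH/ACK data after a session timed out or took an asymmetric path). The following is an added example, not code from this thread or from Palo Alto Networks, that classifies a constructed packet summary per flow and reports which sessions started without a handshake; the packet tuples and addresses are made up for illustration.

```python
from collections import Counter

# Constructed packet summary, shaped like a simplified capture export:
# (timestamp, src, sport, dst, dport, tcp_flags)
PACKETS = [
    # Flow 1: full three-way handshake seen, then data.
    (1.000, "10.1.1.5", 50001, "93.184.216.34", 443, "S"),
    (1.020, "93.184.216.34", 443, "10.1.1.5", 50001, "SA"),
    (1.021, "10.1.1.5", 50001, "93.184.216.34", 443, "A"),
    (1.030, "10.1.1.5", 50001, "93.184.216.34", 443, "PA"),
    # Flow 2: the firewall never sees a SYN, only repeated PSH/ACK data
    # (the pattern that shows up as "flow tcp non syn" drops and as
    # PSH/ACK retransmissions in a capture).
    (2.000, "10.1.1.7", 50002, "93.184.216.34", 443, "PA"),
    (2.200, "10.1.1.7", 50002, "93.184.216.34", 443, "PA"),
    (2.500, "10.1.1.7", 50002, "93.184.216.34", 443, "PA"),
]

def flow_key(src, sport, dst, dport):
    # Direction-independent key so both halves of a session map together.
    return tuple(sorted([(src, sport), (dst, dport)]))

def classify_flows(packets):
    """Return {flow_key: {"first_flags", "packets", "push_ack", "non_syn_first"}}."""
    flows = {}
    for _ts, src, sport, dst, dport, flags in sorted(packets):
        key = flow_key(src, sport, dst, dport)
        f = flows.setdefault(key, {"first_flags": flags, "packets": 0, "push_ack": 0})
        f["packets"] += 1
        f["push_ack"] += flags == "PA"
    for f in flows.values():
        # Mirrors the ZPP "Reject Non-SYN TCP" condition: first packet is not a SYN.
        f["non_syn_first"] = f["first_flags"] != "S"
    return flows

def non_syn_flow_count(packets):
    """Number of flows whose first observed packet was not a SYN."""
    return sum(1 for f in classify_flows(packets).values() if f["non_syn_first"])

def first_flag_histogram(packets):
    """Distribution of first-seen TCP flags across flows, useful as a quick sanity check."""
    return Counter(f["first_flags"] for f in classify_flows(packets).values())

if __name__ == "__main__":
    for key, f in classify_flows(PACKETS).items():
        print(key, f)
    print("non-SYN-first flows:", non_syn_flow_count(PACKETS))
```

A high share of non-SYN-first flows that consist only of PSH/ACK packets points at session state or path issues (timeouts, asymmetric routing through the virtual wire) rather than at Content Inspection, which is the distinction the troubleshooting steps in this thread are trying to make.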
Ok, I'll check your opinion.
Cyber Elite

Which software version are you running?

Do you have SSL decryption enabled?

MP
Model PA-850, PAN-OS 8.1.8

SSL decryption not enabled

Regards

Venky
Hi @SteveCantwell

Zone protection is not applied to the zones.

Regards

Venky