Customer has deployed Palo alto firewall in virtual wire mode between Cisco Meraki Gateway and Cisco meraki coreswitch.
We are seeing a issue where the website is not loading in first attempt. For example if we are seeing visiting website XYZ.com for first time in network it shows an error "This Site can't be reached the connection was reset" and immediatelty with in a second. This error appears may be for 2 seconds in screen not much more that mentioned.
Initially I thought this could be his internal DNS issue in PC, So I tried changing DNS to 18.104.22.168 and tried browsing new sites no luck and then while seeing drop counter I have seen drops for "url request pkt " and "flow tcp non syn" then I set tcp non syn lookup to false and configured timeout for url request lookup to 60 seconds but the issue is still not resolved.
This issue happens with all the users as per customer, While in capturing im seeing lot of TCP retransmission sent for PSH ACK from source to destination.
This issue looks strange also for your knowledged there is security profiles attached the policy i removed all for testing purpose which also not resolved the issue.
@reaper Your valuable comments will add more value to this issue.
Thanks for the info you have.
At this time, take small steps to troubleshoot.
Removing the security profiles are good, but not the source of the issue, based on responses you provided.
Turn off any DoS Policy and also remove your Zone Protection Profile from the zones, and test.
Something within Content Inspection appears to be causing the issue.
As I mentioned, please remove the Zone protection profile and test again.
The alert functionality is for Port Scans and Host Sweeps.
If you are seeing drops, then it is the ZPP that could be root cause.
Remove ZPP, test, and then report back to us. :P
Zone protection will not help here why because I’m not seeing any drops related to zone protection in global counter.
if I have seen zone protection drop counter I would have disabled it and tried
Your comment in your orginal post was
I have seen drops for "url request pkt " and "flow tcp non syn" then I set tcp non syn lookup to fals.
Part of ZPP includes
Reject Non-SYN TCP: Determines whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:
This why I am requesting that you just test removing ZPP for 5 minutes to see if this helps.
As I mentioned, it just small logical troubleshooting steps.
You could also run a tech support FW and open an offical ticket with TAC.
We want to assist you as much as possible.
For me personally, I have seen and experienced this issue, both as a Pro Service consultant and instructor of 8 years on PANW hardware. This is why I am attempting to assist you to rule out or confirm ZPP. I have other steps that could be done, but wanted to get the easy ones out of the way initially.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!