04-20-2017 09:39 PM
I recently upgraded my home PA-200 to PAN-OS 8.0.1 from 7.1.7. All seems fine, except that from two Samsung smart TVs Netflix streaming is affected. A diagnostic test on one of the TVs shows that the app is able to connect to 1 of 4 Netflix servers only. Strangely, I can stream Netflix to a Chrome browser on a Windows 10 machine without issue.
Any suggestions as to what might be causing this, or how to fix it?
04-20-2017 10:00 PM
The first step is to check whether you see any sessions if you go to Monitor > Traffic and use the filter below.
( addr.src in 1.1.1.1 ) and ( action neq allow )
Replace 1.1.1.1 with the IP of your TV.
Also run the filter ( addr.src in 1.1.1.1 ) against the threat and URL logs.
04-20-2017 11:34 PM
I've pasted below certain fields from the traffic log of a pretty typical attempt to connect to Netflix from one of the smart TVs. Lots of TCP resets from client, though no idea why that would be happening.
The threat and URL logs are empty.
Receive Time | Type | Threat/Content Type | Source address | Destination address | Rule | Application | Source Port | Destination Port | Flags | IP Protocol | Action | Category | Destination Country | pkts_sent | pkts_received | session_end_reason |
4/20/2017 23:10 | TRAFFIC | end | 192.168.2.101 | 8.8.8.8 | rule-outbound-guest | dns | 46815 | 53 | 0x400019 | udp | allow | any | United States | 16 | 16 | aged-out |
4/20/2017 23:10 | TRAFFIC | end | 192.168.2.101 | 74.125.28.104 | rule-outbound-guest | google-base | 52760 | 80 | 0x40001c | tcp | allow | search-engines | United States | 33 | 36 | tcp-fin |
4/20/2017 23:10 | TRAFFIC | end | 192.168.2.101 | 206.190.36.45 | rule-outbound-guest | web-browsing | 42024 | 80 | 0x40001c | tcp | allow | any | United States | 6 | 4 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.44.160.210 | rule-outbound-guest | netflix-base | 56977 | 443 | 0x400053 | tcp | allow | streaming-media | United States | 12 | 9 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 74.125.28.104 | rule-outbound-guest | google-base | 52753 | 80 | 0x40001c | tcp | allow | search-engines | United States | 33 | 36 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 206.190.36.45 | rule-outbound-guest | web-browsing | 42017 | 80 | 0x40001c | tcp | allow | any | United States | 6 | 4 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.44.160.210 | rule-outbound-guest | netflix-base | 56970 | 443 | 0x400053 | tcp | allow | streaming-media | United States | 11 | 8 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 206.190.36.45 | rule-outbound-guest | web-browsing | 41964 | 80 | 0x40001c | tcp | allow | any | United States | 6 | 4 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 74.125.28.104 | rule-outbound-guest | google-base | 52700 | 80 | 0x40001c | tcp | allow | search-engines | United States | 33 | 36 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.44.160.210 | rule-outbound-guest | netflix-base | 56917 | 443 | 0x400053 | tcp | allow | streaming-media | United States | 12 | 9 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 157.56.136.235 | rule-outbound-guest | web-browsing | 45842 | 80 | 0x40001c | tcp | allow | any | United States | 4 | 3 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 157.56.136.235 | rule-outbound-guest | web-browsing | 45843 | 80 | 0x40001c | tcp | allow | any | United States | 6 | 5 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.60.74.112 | rule-outbound-guest | web-browsing | 36748 | 80 | 0x40001c | tcp | allow | any | United States | 5 | 5 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 192.99.20.185 | rule-outbound-guest | web-browsing | 49949 | 80 | 0x40001c | tcp | allow | any | Canada | 6 | 3 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 175.41.134.166 | rule-outbound-guest | ssl | 55517 | 443 | 0x400053 | tcp | allow | any | Singapore | 30 | 26 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34175 | 443 | 0x40001a | tcp | allow | any | United States | 9 | 8 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46773 | 80 | 0x40001c | tcp | allow | any | United States | 5 | 5 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46779 | 80 | 0x40001c | tcp | allow | any | United States | 5 | 5 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46765 | 80 | 0x40001c | tcp | allow | any | United States | 5 | 5 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46732 | 80 | 0x40001c | tcp | allow | any | United States | 5 | 5 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 54.192.143.51 | rule-outbound-guest | web-browsing | 57982 | 80 | 0x40001c | tcp | allow | any | United States | 8 | 8 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 52.4.8.109 | rule-outbound-guest | web-browsing | 49421 | 80 | 0x40001c | tcp | allow | any | United States | 5 | 5 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46729 | 80 | 0x40001c | tcp | allow | any | United States | 6 | 6 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34137 | 443 | 0x40001a | tcp | allow | any | United States | 14 | 18 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 208.38.213.148 | rule-outbound-guest | ntp | 33464 | 123 | 0x400053 | udp | allow | any | United States | 1 | 1 | aged-out |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34125 | 443 | 0x40001a | tcp | allow | any | United States | 9 | 8 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34126 | 443 | 0x40001a | tcp | allow | any | United States | 9 | 8 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34123 | 443 | 0x40001a | tcp | allow | any | United States | 12 | 11 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 98.136.189.56 | rule-outbound-guest | ssl | 41307 | 443 | 0x40001a | tcp | allow | any | United States | 10 | 11 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46567 | 80 | 0x40001c | tcp | allow | any | United States | 6 | 6 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 33814 | 443 | 0x40001c | tcp | allow | any | United States | 9 | 10 | tcp-rst-from-server |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 33827 | 443 | 0x40001c | tcp | allow | any | United States | 9 | 10 | tcp-rst-from-server |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 33796 | 443 | 0x40001c | tcp | allow | any | United States | 9 | 10 | tcp-rst-from-server |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 33797 | 443 | 0x40001c | tcp | allow | any | United States | 9 | 10 | tcp-rst-from-server |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 54.164.76.169 | rule-outbound-guest | ssl | 45748 | 443 | 0x40001c | tcp | allow | any | United States | 11 | 7 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 54.192.143.51 | rule-outbound-guest | web-browsing | 57637 | 80 | 0x40001c | tcp | allow | any | United States | 8 | 8 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46384 | 80 | 0x40001c | tcp | allow | any | United States | 5 | 5 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46381 | 80 | 0x40001c | tcp | allow | any | United States | 6 | 5 | tcp-fin |
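One way to summarise a traffic-log export like the one pasted above, added here as an example and not part of the original thread: it tallies session_end_reason per application and destination among allowed TCP sessions, so flows that policy permitted but that mostly ended in resets stand out. The sample rows are copied from the post; the function names, the two-session minimum and the 0.5 threshold are assumptions.

```python
from collections import Counter, defaultdict

# Header and ten rows copied from the traffic log pasted in the post above.
SAMPLE = """\
Receive Time | Type | Threat/Content Type | Source address | Destination address | Rule | Application | Source Port | Destination Port | Flags | IP Protocol | Action | Category | Destination Country | pkts_sent | pkts_received | session_end_reason |
4/20/2017 23:10 | TRAFFIC | end | 192.168.2.101 | 8.8.8.8 | rule-outbound-guest | dns | 46815 | 53 | 0x400019 | udp | allow | any | United States | 16 | 16 | aged-out |
4/20/2017 23:10 | TRAFFIC | end | 192.168.2.101 | 74.125.28.104 | rule-outbound-guest | google-base | 52760 | 80 | 0x40001c | tcp | allow | search-engines | United States | 33 | 36 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.44.160.210 | rule-outbound-guest | netflix-base | 56977 | 443 | 0x400053 | tcp | allow | streaming-media | United States | 12 | 9 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.44.160.210 | rule-outbound-guest | netflix-base | 56970 | 443 | 0x400053 | tcp | allow | streaming-media | United States | 11 | 8 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.44.160.210 | rule-outbound-guest | netflix-base | 56917 | 443 | 0x400053 | tcp | allow | streaming-media | United States | 12 | 9 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34175 | 443 | 0x40001a | tcp | allow | any | United States | 9 | 8 | tcp-rst-from-client |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 33814 | 443 | 0x40001c | tcp | allow | any | United States | 9 | 10 | tcp-rst-from-server |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 54.164.76.169 | rule-outbound-guest | ssl | 45748 | 443 | 0x40001c | tcp | allow | any | United States | 11 | 7 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46773 | 80 | 0x40001c | tcp | allow | any | United States | 5 | 5 | tcp-fin |
4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46779 | 80 | 0x40001c | tcp | allow | any | United States | 5 | 5 | tcp-fin |
"""

def _cells(line):
    return [c.strip() for c in line.strip().rstrip("|").split("|")]

def parse_rows(text):
    """Split the pipe-delimited export into dicts keyed by the header names."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = _cells(lines[0])
    rows = [_cells(l) for l in lines[1:]]
    return [dict(zip(header, r)) for r in rows if len(r) == len(header)]  # skip malformed rows

def reset_summary(rows, min_sessions=2):
    """Per (application, destination): end-reason counts and share of sessions ended by RST."""
    tally = defaultdict(Counter)
    for r in rows:
        if r["IP Protocol"] == "tcp" and r["Action"] == "allow":
            key = (r["Application"], r["Destination address"])
            tally[key][r["session_end_reason"]] += 1
    out = {}
    for key, reasons in tally.items():
        total = sum(reasons.values())
        resets = sum(n for reason, n in reasons.items() if reason.startswith("tcp-rst"))
        if total >= min_sessions:  # a single session is too little to call a pattern
            out[key] = {"sessions": total, "reset_ratio": resets / total, "reasons": dict(reasons)}
    return out

def suspects(rows, threshold=0.5):
    """Flows allowed by policy where at least `threshold` of sessions ended in a reset."""
    return sorted(k for k, v in reset_summary(rows).items() if v["reset_ratio"] >= threshold)

if __name__ == "__main__":
    print(suspects(parse_rows(SAMPLE)))
```
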
04-20-2017 11:56 PM
Are you decrypting traffic? Traffic and URL logs don't show any blocked traffic?
What if you temporarily add a Policies > Application Override rule to match if the source is the TV IP for traffic that goes to WAN?
Will it work then?
Be careful with app override. This will make Palo stop at Layer 4, and it will not do Layer 7 inspection and App-ID.
04-21-2017 05:34 AM
During the 8.0 beta, there were a couple of issues reported with Netflix, but I don't know if they were fully addressed. The two workarounds mentioned at the time were:
1.) disabling the DNS proxy (or pointing the two Netflix devices @ an external DNS server such as 8.8.8.8 and 8.8.4.4)
2.) enabling "allow http header range option" under Device / Setup / Content-ID / Content-ID Settings
Would be curious to know if either of these apply to you and if modifying them changes the behavior.
04-21-2017 06:46 PM
Thanks both for your replies and suggestions.
@jvalentine, it seems to be a DNS Proxy problem. I use DHCP on my network to assign/provide both IP and DNS to clients. On the first smart TV client, I reverted to manual IP and DNS configuration, and streaming is back on Netflix. On the second device - really an Apple TV - I manually assigned the DNS server only (keeping DHCP for local IP address assignment) and its streaming is now working too.
FWIW, I tried the "allow http header range option" setting both on and off and it seemed to have no effect in my configuration.
Solved for now!
07-22-2017 12:46 PM - edited 07-22-2017 12:47 PM
Hi,
I have had the dnsproxy disabled for my appletv for the last couple of months, which worked for me.
But then after upgrading my appletv to the latest release yesterday evening, Netflix suddenly stopped working.
I then enabled the "allow header range option", and Netflix worked again 🙂
So thank you for the tip!
PS.: Running 8.0.3-h4.
08-03-2017 09:19 PM
Thanks for the tips that got it working for me.
05-05-2018 05:58 AM
Just experienced this today after having set up DNS proxy on 8.1.1 in my home network.
If you enable TCP queries on your DNS proxy setup, Netflix works as normal (at least it did for me with my Apple TV).