Session end reason aged out

L3 Networker

Session end reason aged out

HI friends,

 

We have created an interzone rule that looks like the one below:

 

<entry name="Rule1">
  <profile-setting>
    <profiles>
      <url-filtering>
        <member>default</member>
      </url-filtering>
      <virus>
        <member>default</member>
      </virus>
      <spyware>
        <member>Sinkhole</member>
      </spyware>
      <vulnerability>
        <member>VP Profile</member>
      </vulnerability>
      <file-blocking>
        <member>Wildfire</member>
      </file-blocking>
    </profiles>
  </profile-setting>
  <to>
    <member>A</member><member>B</member>
  </to>
  <from>
    <member>A</member> <member>B</member> <member>c</member>
  </from>
  <source>
    <member>*.*.*.*</member><member>*.*.*.*</member><member>*.*.*.*</member><member>*.*.*.*</member>
  </source>
  <destination>
    <member>*.*.*.*</member><member>*.*.*.*</member><member>*.*.*.*</member>
  </destination>
  <source-user>
    <member>any</member>
  </source-user>
  <category>
    <member>any</member>
  </category>
  <application>
    <member>icmp</member>
    <member>nagios</member>
    <member>ntp</member>
    <member>ping</member>
    <member>snmp</member>
    <member>snmp-trap</member>
  </application>
</entry>

 

The rule is triggering perfectly, but it's showing aged out, and in the application field it is showing insufficient-data. The customer is saying he is not getting a response. Can anybody help with how to solve this?

 

And I have checked ping from the FW CLI to the destination in the above rule; it's successful and getting a response, but still in the firewall it's showing aged out. Is this something PAN needs to worry about?

 

Kindly suggest.

Kotresha
ACE
L7 Applicator

To make the rule truly interzone you'd need to set the type to interzone also:

<rule-type>interzone</rule-type>

 

The rule itself looks OK, but the behavior you're reporting sounds like there might be a network issue. If you look into the details of the traffic logs, can you see packets reported in both directions?

Insufficient data is usually reported when there is an asymmetric flow, which ping will not report, as request and reply are independent, but which will impact TCP severely.

 

You can set up packet captures to make sure packets are going out and being received as expected. Some more details like the traffic log and a topology could be helpful too.

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
L3 Networker

Hi, thanks for the response.

 

Yeah, we have included that interzone rule type but forgot to mention it here.

We checked the PCAP also but found no response, and in the traffic details bytes received is showing 0.

 

 

Kotresha
ACE
L7 Applicator

If packets are leaving the firewall as expected but none are returning, the next step is to go check at the remote end whether packets are being received properly and where the reply is going.

 

Is the source IP part of a NAT policy? Does the host have a route for it? Does the next-hop router have proper routing for it? Etc.

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
L3 Networker

How can we confirm it's leaving the firewall?

Kotresha
ACE
Community Team Member

Hi,

 

You can perform PCAPs on the firewall in 4 different stages:

 

-receive

-transmit

-drop

-firewall

 

The transmit stage is what the firewall sends out.

 

Check the following article on how to configure PCAPs:

 

Getting-Started-Packet-Capture

 

Hope it helps,

-Kim

L7 Applicator

A good indication is if the traffic log contains a 'packet sent' count. You should be able to use the log details to ascertain if NAT is being applied by looking at the 'NAT Source IP' column.

 

For some more info regarding packet captures (these will also help identify 'sent' and 'received' packets), please check out this article: Getting Started: Packet Capture

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
L3 Networker

NAT IP is not applied for this, and can a packet sent count of 1 be considered as successfully leaving the firewall?

 

Kotresha
ACE
L7 Applicator

Yes.

 

The SYN packet goes out and then an ACK needs to come back; if the ACK is never returned, the session will time out waiting for a reply.

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
L3 Networker

But I can see the IP protocol as UDP; I don't think in this case we receive an ACK.

Kotresha
ACE
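To turn the traffic-log checks discussed above (packets sent, packets received, NAT Source IP) and the UDP point into a repeatable triage, here is an added example that is not from this thread or from Palo Alto Networks. It runs over constructed rows shaped like a traffic-log CSV export, with assumed column names, and classifies each session as never transmitted, one-way, or healthy.

```python
import csv
import io

# Constructed sample rows shaped like a CSV export of PAN-OS traffic logs.
# Column names here are an assumption for this example, not the exact export header.
SAMPLE_LOG = """session_id,app,proto,src,dst,pkts_sent,pkts_received,bytes_received,nat_src,end_reason
1001,insufficient-data,udp,10.0.0.5,10.1.0.9,1,0,0,,aged-out
1002,ntp,udp,10.0.0.5,10.1.0.9,1,1,76,,aged-out
1003,snmp,udp,10.0.0.7,10.1.0.9,0,0,0,,aged-out
1004,ping,icmp,10.0.0.5,10.1.0.9,4,4,256,,aged-out
1005,nagios,tcp,10.0.0.8,10.1.0.9,3,0,0,203.0.113.4,aged-out
"""

# aged-out is the normal end reason for UDP and ICMP sessions, which simply time
# out instead of closing, so the end reason alone does not indicate a problem.
TIMEOUT_ONLY_PROTOS = {"udp", "icmp"}


def classify(row):
    """Diagnose one traffic-log row from its packet counters."""
    sent = int(row["pkts_sent"])
    received = int(row["pkts_received"])
    if sent == 0:
        # Nothing left the firewall: look at the drop-stage capture and the policy.
        return "not-transmitted"
    if received == 0:
        # Left the firewall but nothing came back: check the remote host, return route and NAT.
        return "one-way"
    if row["proto"] in TIMEOUT_ONLY_PROTOS and row["end_reason"] == "aged-out":
        return "healthy-timeout"
    return "bidirectional"


def triage(csv_text):
    """Return {session_id: {diagnosis, nat_applied, app}} for every row."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[row["session_id"]] = {
            "diagnosis": classify(row),
            "nat_applied": row["nat_src"] != "",
            "app": row["app"],
        }
    return result


def one_way_sessions(csv_text):
    """Session IDs worth chasing at the remote end, sorted for stable output."""
    return sorted(s for s, d in triage(csv_text).items() if d["diagnosis"] == "one-way")


if __name__ == "__main__":
    for sid, info in triage(SAMPLE_LOG).items():
        print(sid, info["app"], info["diagnosis"], "nat" if info["nat_applied"] else "no-nat")
```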