Session End reason & Application Status

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Session End reason & Application Status

L0 Member

I would like to know about Palo Alto firewall Session End reason, why we are getting those reasons & how we can resolve the issue.

 

For example:

tcp-rst-from-client—> it mean the client sent a TCP reset to the server.

tcp-rst-from-server—> it mean the server sent a TCP reset to the client.

Aged-Out -> Session Time out

 

But I am looking for the solution how we can resolve that issue

 

 

 

Simillarly I would like to know about Application status:

 

What exactly mean by "Incomplete", "Unknow" & so on... How we can resolve these issue.

 

Your help would be greatly appreciated.

 

 

5 REPLIES 5

L6 Presenter

For session end reason you don't have to do anything on PA (unless it's actually denied by PA). And reset (either by server or client) is a normal ending of TCP session. Session time out is also a normal occurence for non TCP sessions. So no action is needed there, these are just helpful info PA provides. 

 

Incomplete means TCP 3 way handhsake didn't finish. It can be either routing issue or just destination server not listening on that port.

 

Unknown-tcp (or -udp) means there is some traffic passing through FW but PA can't recognise the application. These are the cases you should investigate; what is at source IP, which service is listening at destination IP, maybe do a packet capture for this traffic...

Idea is to identify the traffic as you don't want any unknown traffic in your network. Once you identify it and find the reason you can either block it or tell PA how to identify it (by Application Override or with custom application signature).

 

 

 

 

Incomplete could also mean that the tcp handshake did finish and then the server resets the connection right after that handshake

.

If I have a ping between client and server, that means I have routing. Is there anything else I have to look at it?

@Diyar.m,

 

Ping uses ICMP. Normally tcp-rst-from-server or tcp-rst-from-client is related TCP sessions traveling via firewall. Its just showing what was the reason for end of session. As already stated by @santonic It is not palo alto who is doing anything to the session unless it block anything explicitly. Such TCP RST flags are indication of the TCP session end from any side (client/server).

 

@ndeshmukh,

 

Incomplete in the Application Field - It means either TCP 3 way handshake between client and server is not completed or the handshake did completed but there was no data to consider or recognize it as a application.

 

e.g. For Client TCP Sync, there is not ACK from the server end, it shows incomplete. If you do normal telnet on TCP port and you get the black screen, it means handshake was completed. Such normal telnet sessions also Palo alto will recognize it as incomplete as just handshake got completed but there was no application data after it.

 

Insufficient - it means there is not enough data packets to identify it as a application.

 

More details on such application status can be found at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

@Diyar.m 

Ping (ICMP) will survive asymmetric routing, but TCP won't.

  • 30351 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!