01-04-2018 02:46 AM
I have a PA820 in active/passive mode who has a strange behaviour. I have created a rule that permits that traffic but the device drops it. I see "allow"in the logs, but with a capture I can clearly see the SYN in the dropped section and not "syn/ack" and "ack".
I have also tried to put an "any/any" rules, it matches but the behaviour is the same,
I have put "any" in the Application and Services fields and also disabled any antivirus check.
Attached the two images.
01-04-2018 07:11 AM
In the logs there is the one that says 'Incomplete' for the application. This happens for several reasons, but in my experience, it is 95% of the time a routing issue between the hosts. Could be asymmetric routing or something else.
Hope that helps.
01-04-2018 07:52 AM
'incomplete' in the application means the initial syn packet was allowed to pass through the firewall, but a returning ack was never seen.
This could be a routing issue as @OtakarKlier mentions, NAT not being applied properly or the remote host simply not responding to your connection (due to it being down our out of resources,...)
best way to troubleshoot is to verify if NAT is applied in the egress stage packetcapture and traceroute to verify your packets are following an appropriate route
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!