TCP reset packets being dropped

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

TCP reset packets being dropped

L0 Member

Hello Everyone,

 

I have TCP reset packets being dropped in the Palo when they are sent from tcp-rst-from-server or tcp-rst-from-client. I've taken a pcap to verify the traffic is being dropped. I've put in a ticket with support and their solution was to change the TCP Drop configuration in Zone Protection Profile to not reject Non-SYN TCP. I tested that change and had TCP rest packets were still being dropped, verified with another pcap. 

 

I've reviewed the traffic in the monitor log and I can see traffic with tcp-rst-from-server and tcp-rst-from-client both having actions as allow. 

 

I am at a loss as to what else to check or change. If someone has a potential solution, please let me know.

 

Thanks

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

What does it say at the "Log Subtype" column header?

 

This sometimes tells a better story. Also clicking on the magnifying glass to expand the session traffic helps as well.

 

Hope that helps.

Hi,

The 'Log Subtype' says 'end'. When I review the detailed log view, everything looks similar to other traffic. 

Cyber Elite
Cyber Elite

Hello,

I forgot to ask which logs you are looking at. I typically look at the Unified logs rather than the Traffic logs. The unified logs have the traffic, URL, and Threat logs rolled into it. Makes it easier to correlate traffic data. Also check the session flow data, CLI only, to see if it reveals anything significant.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0

 

Regards,

  • 2870 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!