As captioned in subject, would like to get some clarity on the tcp-rst-from-client and tcp-rst-from-server session end reasons on monitor traffic.
Even with successful communication between User's source IP and Dst IP, we are seeing tcp-rst-from-client , which is raising some queries for me personally. Are both these reasons are normal , If not, then how to distinguish whether this reason is due to some communication problem.
Googled this also, but probably i am not able to reach the most relevant available information article. Thought better to take advise here on community.
@Jimmy20, Normally these are the session end reasons. Now depending on the type like TCP-RST-FROM-CLIENT or TCP-RST-FROM-SERVER, it tells you who is sending TCP reset and session gets terminated. It does not mean that firewall is blocking the traffic. It means session got created between client-to-server but it got terminated from any of the end (client or server) and depending on who sent the TCP reset, you will see session end result under traffic logs. And once the session is terminated, it is getting reestablish with new traffic request and thats why not seeing as such problems with the traffic flow.
If you want to know more about it, you can take packet capture on the firewall.
Thanks for reply, What you replied is known to me. But i was searching for - '"Can we consider communication between source and dest if session end reason is TCP-RST-FROM-CLIENT or TCS-RST-FROM-SERVER , bçoz as i mentioned in initial post i can see TCP-RST-FROM-CLIENT for a succesful transaction even, However it shuld be '"tcp-fin" or something except TCP-RST-FROM-CLIENT. if it is reseted by client or server why it is considered as sucessfull.
TCP RST flag may be sent by either of the end (client/server) because of fatal error. So if you take example of TCP RST flag, client trying to connect server on port which is unavailable at that moment on the server.
Now for successful connections without any issues from either of the end, you will see TCP-FIN flag.
Now in case, for a moment particular server went unavailable then RST will happen and user even don't know about this situation and initiated new request again And at that time may be that server became available and after that connection was successful. So In this case, if you compare sessions, you will find RST for first session and 2nd should be TCP-FIN. So like this, there are multiple situations where you will see such logs.
Just wanted to let you know that I have created a blog for this:
Does anyone really have a solution for this? So far, I have not seen any concrete solution. I put a device that communicates with an online server with no problem. I insert the PA FW between that line of traffic, all of a sudden, we get tcp-rst from the server or vice-versa. What causes the problem and do we solve it is what everyone is seeking as a guide or repsonse. I think most technical people understand how tcp works.
Palo don't send those resets. Palo only observes that either side sent TCP RST to close connection.
To your claim "I think most technical people understand how tcp works" I would reply that "except developers who think that it is easier to end session with TCP RST compared to 4way handshake" 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!