Unable to access a site, please try for me

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Unable to access a site, please try for me

L1 Bithead

I am unable to access this site in any way throuth my PA 3020 With Pan Os 7.1
Obviously is possible through a direct connection
Can someone try and temm me if is the same ?

https://www.spcconnect.com/

 

1 accepted solution

Accepted Solutions

L1 Bithead

It was very difficuolt to solve
I changed WAN IP of my PA and it works, i suppose that the website have banned my source ip, at now i am asking why

thx

Nicola

View solution in original post

10 REPLIES 10

L3 Networker

Hi,

 

Able:

 

able.PNG

Community Team Member

Hi,

 

The site seems to be using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.  

Support for this suite was added in PAN-OS 7.1 :

 

Please check the following article :

PAN-OS-7-1-Supported-ciphers

 

 

 Seeing that you are already using 7.1 ... are you using SSL decryption ? Have you tried disabling it for the site as a test ?

 

-Cheers.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

Obviously i defined 3 rules for my pc originating IP at the top to exit anywhere, to not decrypt, to not captive portal

I have PAN OS 7.1.2

😞

 

Hi,

 

Did you try to do PCAP on the Palo and client site?

What error do you get on the screen when trying to access this particular site. Did you try with different a web browser?

 

 

Cheers

Community Team Member

I'd recommend setting up a filter with your originating IP address and check the global counters for drops.  I'm guessing you will find some counters that could explain the behaviour :

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Troubleshoot-Using-Counters-via-the-CL...

 

 

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

A strange thing

I have a Policy Forwarding that for some LAN ip outbound traffic doesnt go via WAN interface but is sent to a machine connected in DMZ and that machine is connected to internet with a software firewall

These routed machines can access this site normally

Only machines that goes out through palo alto doesnt work

 

 

L1 Bithead

First image in log of conversation sending to machine in dmz that works

Se second is using PA WAN that dont work1.PNG

 

 

2.PNG


@nicolap wrote:

I am unable to access this site in any way throuth my PA 3020 With Pan Os 7.1
Obviously is possible through a direct connection
Can someone try and temm me if is the same ?

https://www.spcconnect.com/

 


 

Community Team Member

Hi,

 

The application in the non-working scenario is 'incomplete'.

 

Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application

 

For example, if a client sends a server a syn and the Palo Alto Networks device creates a session for that syn, but the server never sends a SYN ACK back to the client, then that session is incomplete.

 

I'd recommend to take PCAPs to confirm traffic is leaving the firewall on the correct egress interface and also take PCAPs on the destination server to verify if the packet reaches it and is returned correctly.

 

Cheers,

-Kim.

 

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L3 Networker

Hi,

 

Also try to run just simple ping from Palo to the client and the web-site. Also source ping from the appropriate egress interface.

 

Cheers,

 

L1 Bithead

It was very difficuolt to solve
I changed WAN IP of my PA and it works, i suppose that the website have banned my source ip, at now i am asking why

thx

Nicola

  • 1 accepted solution
  • 4757 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!