06-08-2016 05:33 AM
I am unable to access this site in any way through my PA 3020 with PAN-OS 7.1.
Obviously it is possible through a direct connection.
Can someone try and tell me if it is the same?
https://www.spcconnect.com/
06-08-2016 08:38 AM - edited 06-08-2016 08:40 AM
Hi,
The site seems to be using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
Support for this suite was added in PAN-OS 7.1:
Please check the following article:
Seeing that you are already using 7.1... are you using SSL decryption? Have you tried disabling it for the site as a test?
-Cheers.
06-08-2016 08:45 AM
Obviously I defined 3 rules for my PC's originating IP at the top: to exit anywhere, to not decrypt, and to not use captive portal.
I have PAN-OS 7.1.2.
😞
06-08-2016 09:15 AM
Hi,
Did you try to do a PCAP on the Palo and on the client side?
What error do you get on the screen when trying to access this particular site? Did you try with a different web browser?
Cheers
06-08-2016 09:15 AM
I'd recommend setting up a filter with your originating IP address and checking the global counters for drops. I'm guessing you will find some counters that could explain the behaviour:
06-08-2016 09:20 AM
A strange thing:
I have a Policy Based Forwarding rule so that, for some LAN IPs, outbound traffic doesn't go via the WAN interface but is sent to a machine connected in the DMZ, and that machine is connected to the internet through a software firewall.
These routed machines can access this site normally.
Only machines that go out through the Palo Alto don't work.
06-08-2016 09:32 AM
The first image is the log of the conversation going to the machine in the DMZ, which works.
The second is using the PA WAN, which doesn't work.
@nicolap wrote:
I am unable to access this site in any way through my PA 3020 with PAN-OS 7.1.
Obviously it is possible through a direct connection.
Can someone try and tell me if it is the same?
https://www.spcconnect.com/
06-09-2016 12:03 AM
Hi,
The application in the non-working scenario is 'incomplete'.
Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application.
For example, if a client sends a server a syn and the Palo Alto Networks device creates a session for that syn, but the server never sends a SYN ACK back to the client, then that session is incomplete.
I'd recommend taking PCAPs to confirm traffic is leaving the firewall on the correct egress interface, and also taking PCAPs on the destination server to verify whether the packet reaches it and is returned correctly.
Cheers,
-Kim.
06-09-2016 03:14 AM
Hi,
Also try running just a simple ping from the Palo to the client and to the website. Also source the ping from the appropriate egress interface.
Cheers,
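Added example, not taken from any reply in this thread: the PAN-OS CLI sequence that carries out the three suggestions above (the packet filter plus global drop counters, the PCAPs on the firewall, and the ping sourced from the egress interface), with a policy-match check for the PBF rule mentioned earlier. All addresses and zone names are placeholders assumed for the example: client PC 192.0.2.10, site address 203.0.113.80, zones trust and untrust, WAN egress IP 198.51.100.5. Lines starting with # are annotations, not CLI input.

```text
# Added example with assumed placeholders (client 192.0.2.10, site 203.0.113.80,
# zones trust/untrust, WAN IP 198.51.100.5). Run from the PAN-OS operational CLI.

# 1. Which rules does the flow actually hit? The PBF rule matters because some
#    LAN hosts are steered to the DMZ box instead of the WAN interface.
> test pbf-policy-match from trust source 192.0.2.10 destination 203.0.113.80 protocol 6 destination-port 443
> test security-policy-match from trust to untrust source 192.0.2.10 destination 203.0.113.80 protocol 6 destination-port 443 application ssl

# 2. Scope all dataplane diagnostics to the client's flow.
> debug dataplane packet-diag clear all
> debug dataplane packet-diag set filter match source 192.0.2.10 destination 203.0.113.80
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag show setting

# 3. Stage captures at receive, firewall, transmit and drop. The drop stage is
#    the one that answers "where did the packet die".
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file drp.pcap
> debug dataplane packet-diag set capture on

# 4. Clear any stale session so the handshake is captured from the first SYN,
#    take a baseline counter read, then reproduce the failure from the PC.
> clear session all filter source 192.0.2.10 destination 203.0.113.80
> show counter global filter packet-filter yes delta yes
#    ... now open https://www.spcconnect.com/ on the client ...
> show counter global filter packet-filter yes delta yes severity drop

# 5. Stop capturing, then inspect what the firewall saw and the session it built.
> debug dataplane packet-diag set capture off
> debug dataplane packet-diag set filter off
> view-pcap filter-pcap rx.pcap
> view-pcap filter-pcap tx.pcap
> view-pcap filter-pcap drp.pcap
> show session all filter source 192.0.2.10 destination 203.0.113.80

# 6. Test the egress path from the firewall itself, sourced from the WAN address.
> ping source 198.51.100.5 host www.spcconnect.com
```

How to read the result: with "delta yes" the counters show only what changed since the previous read, so the baseline read in step 4 matters. If the client's SYN appears in tx.pcap but no SYN-ACK ever appears in rx.pcap, the firewall forwarded the packet and the problem is upstream or at the server, which is consistent with a session logged as "incomplete" and with the source IP being refused by the far end; if the SYN shows up in rx.pcap and drp.pcap but not tx.pcap, the firewall dropped it locally and the drop-severity counters name the reason. A failed sourced ping is not conclusive on its own, since many sites block ICMP; a successful one only proves the WAN address can reach the host, not that TCP/443 is accepted from it.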
06-14-2016 07:41 AM
It was very difficult to solve.
I changed the WAN IP of my PA and it works; I suppose that the website had banned my source IP. Now I am asking why.
thx
Nicola