11-15-2014 01:17 AM
HI all,
We have a cluster of 2xPA3050, for protection to untrusted zone. Last week we enabled the trial license for url_filtering. Since that moment we have met a special problem. We use a citrix application over ssl in the cloud. This citrix server is perfectly reachable, but after the authentication, the application seems to hang. We disabled all rules referring to url_filter categories, so there is no reference in the policy to url-filter. Nevertheless, with the license enabled, the citrix application doesn't work. There is no reference in the monitor tab/logs that something is dropped. By doing a packet capture, we only see an rst tcp reset from the other side, but nothing seems to be dropped or logged.
Anybody knows how I can troubleshoot this ? Is there a possibility that with activating the pan-db database in the licenses, without activating any rules, that there is an interception on ssl traffic ?
We have panos6.1, url_filtering, also global protect is enabled. Ssl decription is not enabled.
Thanks and greetz,
Johan
11-15-2014 01:19 AM
Hi johan.boeckx
Do you see any session in discard state for the concerned IP address, you can look at it using : show session all filter state discard source <ip-address> ?
Also can you compare the TTL value in RST packet that you are seeing with TTL that you see in any other packet from the source ?
Hope it helps !
11-15-2014 04:56 AM
HI,
Thanks for the answer. I checked the session based on the source as on the destination. Both there were no active sessions
admin@FW01CO(active)> show session all filter state discard source 10.104.0.8
No Active Sessions
admin@FW01CO(active)> show session all filter state discard source 10.104.0.8
No Active Sessions
admin@FW01CO(active)> show session all filter state discard destination 193.109.234.40
No Active Sessions
admin@FW01CO(active)> show session all filter state discard destination 193.109.234.43
No Active Sessions
11-15-2014 06:58 AM
Hello Johan,
Could you please try to clear URL cache from this PA firewall.
>clear url-cache all
>delete dymanic –url host all
Even after applying above command, issue persists, then apply below command. ( it will not impact to your production traffic)
>debug software restart device-server
Hope this helps.
11-16-2014 03:57 AM
I tried this, but didnt gave any result. I digged a bit deeper and read number of Palo alto docs regarding flow_tcp_non_syn_drop, which I had a lot. This is related to assymetric routing. Strange is that we dont have assymetric routing, but since this webside is in the cloud, the problem can have originated on the internet. Anyway, I disabled the TCP - reject non-SYN first packet: from true to false. Now,a number of applications work on this cloud based site, only not the citrix related, tunneled through ssl.Nothing is blocked through policies.
02-04-2019 04:18 AM
Just curious to know,how the problem is resolved
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
