Showing results for 
Show  only  | Search instead for 
Did you mean: 


L1 Bithead


  We have a problem on the equipment pa-5020.
when we look at the log traffic, the session ends with incomplete response
Then I looked in and saw the following wireshark log.
SYN      -              VCOM-tunnel Seq = 0 win = 8192 len = 0 mss = 1460 ws = 256 = 1 sack_perm=1

ACK      -              VCOM-tunnel Seq = 0 ack=1 win=17920 len-0 mss=8960 sack_perm=1 ws=1024

Software "schlumberger - ProSource 2012" does not work.



L6 Presenter

Hello Vcom,

Based on provided information There might be an assymetric routing issue, or issue on source or destination.

Its not possible to come to conclusion on provided information. To be more precise please provide enlarge snapshot of traffic log.


Hardik Shah

L7 Applicator

I agree with Hardik that frequently incomplete handshakes are the result of asymmetrical routing.

Please run a trace route on both the source and destination towards each other and see if the path is the same.

You can also use the pcap utility to capture more detailed information on the issue.

How to Capture Traffic (PCAP) Hitting a Specific Rule

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hello NTC user,

In the beginning of log there is a magnifying glass, please click on it and provide us output. Based on output, it would be very easy to provide root cause.


Hardik Shah

Hello NTCUser,

The attached pcap only has a single HTTP get request. ( SRC- DST: Could you please share a few more details about the traffic logs.

> You may try to check the real time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.

>  If there is a session exist for the same traffic,  then please apply  CLI command PAN> show session id XYZ   >>>>>>>> to get detailed information about that session, i.e NAT rule, security rule, ingress/egress interface etc.

> You can enable FLOW BASIC feature to ensure that the SYN-ACK is not received by the PAN FW:

> debug dataplane packet-diag clear all

> debug dataplane packet-diag set filter match source  IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION

> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination  IP_ADD_OF_THE_TESTING_PC

> debug dataplane packet-diag set log feature flow basic

> debug dataplane packet-diag set log feature tcp all

> debug dataplane packet-diag set filter on

> debug dataplane packet-diag set log on

~~~~~~~~~~~~~~~~ Initiate traffic through the PAN firewall/try to browse the destination ~~~~~~~~~~~~~~~~~~~~~~~~~

> debug dataplane packet-diag set log off

> debug dataplane packet-diag aggregate-logs

> less mp-log pan_packetdiag_log.log

For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands

Hope this helps.

The situation you have seems very odd.  The logs clearly show many successful sessions on the same hosts and port and you have this one session where only the initial http get request is present without any complete tcp handshake.

Obviously, the rest of the sessions worked as expected and completed and this odd session is indeed incomplete.

Is there a chance of any of the following:

Congestion on the server where it might not respond to some requests

Congestion on the link to the server where requests may be dropped

On the client side what is the behavior for this type of failed session?  Is the next successful session just a retry of the previous incomplete one?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

on the client side page does not open and ends with infinite loading.

but in the local network  site open and available.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!