We have a problem on the equipment pa-5020.
when we look at the log traffic, the session ends with incomplete response
Then I looked in and saw the following wireshark log.
SYN - VCOM-tunnel Seq = 0 win = 8192 len = 0 mss = 1460 ws = 256 = 1 sack_perm=1
ACK - VCOM-tunnel Seq = 0 ack=1 win=17920 len-0 mss=8960 sack_perm=1 ws=1024
Software "schlumberger - ProSource 2012" does not work.
Based on provided information There might be an assymetric routing issue, or issue on source or destination.
Its not possible to come to conclusion on provided information. To be more precise please provide enlarge snapshot of traffic log.
I agree with Hardik that frequently incomplete handshakes are the result of asymmetrical routing.
Please run a trace route on both the source and destination towards each other and see if the path is the same.
You can also use the pcap utility to capture more detailed information on the issue.
Hello NTC user,
In the beginning of log there is a magnifying glass, please click on it and provide us output. Based on output, it would be very easy to provide root cause.
The attached pcap only has a single HTTP get request. ( SRC-192.168.220.128 DST:10.72.50.133). Could you please share a few more details about the traffic logs.
> You may try to check the real time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.
> If there is a session exist for the same traffic, then please apply CLI command PAN> show session id XYZ >>>>>>>> to get detailed information about that session, i.e NAT rule, security rule, ingress/egress interface etc.
> You can enable FLOW BASIC feature to ensure that the SYN-ACK is not received by the PAN FW:
> debug dataplane packet-diag clear all
> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION
> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination IP_ADD_OF_THE_TESTING_PC
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log feature tcp all
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set log on
~~~~~~~~~~~~~~~~ Initiate traffic through the PAN firewall/try to browse the destination ~~~~~~~~~~~~~~~~~~~~~~~~~
> debug dataplane packet-diag set log off
> debug dataplane packet-diag aggregate-logs
> less mp-log pan_packetdiag_log.log
For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands
Hope this helps.
The situation you have seems very odd. The logs clearly show many successful sessions on the same hosts and port and you have this one session where only the initial http get request is present without any complete tcp handshake.
Obviously, the rest of the sessions worked as expected and completed and this odd session is indeed incomplete.
Is there a chance of any of the following:
Congestion on the server where it might not respond to some requests
Congestion on the link to the server where requests may be dropped
On the client side what is the behavior for this type of failed session? Is the next successful session just a retry of the previous incomplete one?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!