- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-25-2019 10:33 PM
Hi Team
We have PA 220 firewall with 8.1.5 PAN os version.
We have tried to reach one particular website but its not reachable. When we checked the traffic logs that application was shown as "incomplete" and the end session reason was aged-out.
Note : Same website can be reached by external network.
For testing purpose, we have created one security policy on the top as below
After that also particular we are getting the same error "application incomplete" in the traffic logs.
We have took the packet capture and its received only RX and Firewall files. No drops and tranmit packet we are not found
As per the packet capture logs, Its send syn packets only. No SYN-ACK packets we are not received.
How to fix the issue? Please help us
Regards
Mohammed Asik
07-25-2019 11:43 PM
If no syn-ack is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself
one thing you can check is to verify that outbound NAT is being applied properly, so the server has the right IP to reply to
next, you could try traceroute to see if you are able to get to the server IP (there could be a routing or peering issue at the ISP level, or your IP could have been blacklisted on the server)
07-26-2019 04:20 AM
Hi Reaper
If no syn-ack is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself
Answer : For your information, I can able to reach the same website from the external network (outside network). Through the palo alto firewall only I couldn't access the website.
Need to check with ISP side aslo and let you know.
Regards
Mohammed Asik
07-29-2019 07:19 AM - edited 07-29-2019 07:21 AM
@MohammedAsik wrote:Hi Reaper
If no syn-ack is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself
Answer : For your information, I can able to reach the same website from the external network (outside network). Through the palo alto firewall only I couldn't access the website.
Need to check with ISP side aslo and let you know.
Regards
Mohammed Asik
<edit> @reaper already came up with all my cool ideas.
07-29-2019 12:49 PM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!