what is the meaning of "tcp client reset via TCP responding rst" output in global counter

L3 Networker

We are not able to connect to the VPN hosted in the vpn_dmz zone.

We have deployed a third-party VPN in the vpn_dmz zone and configured inbound NAT for it.

It's an old setup; all of a sudden we are unable to connect to the VPN intermittently.

I did a pcap for the VPN public IP. It shows the counter below after running the "show counter global filter packet-filter yes delta yes severity drop" command:

tcp client reset via TCP responding rst:

Cyber Elite

Howdy

I would interpret this to mean that the server side of the VPN reset the connection, and likewise the client side reset its side of the TCP connection. But I think you are perhaps getting a little too deep in analysis.

What is the current status of your VPN? Is it up or not?

If it is not up, run a "clear vpn flow", followed by "test vpn ike-sa", then "test vpn ipsec-sa", and then look at your System Logs for the output on the responses to these commands. One side needs to initiate the VPN, and the other side needs to respond. What do you see in your logs?

Presuming that IPsec and IKE are allowed by a security policy, you should get some response/details about what is going on.

Can you get the remote (non-PAN) side to initiate the VPN and look again at the logs on your PANW FW?

I do not personally think it is necessary to look at global counters. If packets are going to be dropped, you would see the session in the Session Browser or the Traffic Logs.


Thanks

Help the community: Like helpful comments and mark solutions

@SteveCantwell 

We have deployed an F5 VPN; we were unable to connect to the SSL VPN intermittently. This issue happened for the first time.

In the traffic logs, the session end reason for some logs was tcp-fin and for some it was tcp-rst-from-client.

Hi there

Again, we are getting closer.

Instead of looking at traffic logs, let's see why your VPN is not being established.

Could you copy/paste the logs from your System logs, filtered with "subtype eq vpn"?

We would normally expect Phase 1 (IKE) and Phase 2 (IPsec) to be negotiated, and those negotiation logs are found in System.

tcp-fin means that the session was closed by a FIN packet. Unless you can provide visual information, it may be hard to explain what/why/how this is not working as expected.

Thanks
Help the community: Like helpful comments and mark solutions
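The thread contrasts tcp-fin with tcp-rst-from-client session end reasons and describes the failure as intermittent. The script below is an added example (not from the thread or from Palo Alto Networks): it takes a traffic-log export for the VPN public IP, buckets sessions into time windows, and flags windows dominated by RST terminations, which makes an intermittent problem visible at a glance. The CSV layout and all addresses are constructed and assumed, not the real PAN-OS export schema.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample in a simplified CSV layout (assumed columns, not the
# exact PAN-OS export schema): receive_time, src, dst, app, session_end_reason.
SAMPLE_LOG = """receive_time,src,dst,app,session_end_reason
2024/01/10 09:00:12,203.0.113.10,198.51.100.5,ssl,tcp-fin
2024/01/10 09:01:40,203.0.113.11,198.51.100.5,ssl,tcp-fin
2024/01/10 09:03:05,203.0.113.12,198.51.100.5,ssl,tcp-rst-from-client
2024/01/10 09:16:21,203.0.113.10,198.51.100.5,ssl,tcp-rst-from-client
2024/01/10 09:17:02,203.0.113.13,198.51.100.5,ssl,tcp-rst-from-client
2024/01/10 09:18:44,203.0.113.14,198.51.100.5,ssl,tcp-rst-from-client
2024/01/10 09:19:10,203.0.113.11,198.51.100.5,ssl,tcp-fin
2024/01/10 09:31:55,203.0.113.15,198.51.100.5,ssl,tcp-fin
2024/01/10 09:33:07,203.0.113.16,198.51.100.5,ssl,tcp-fin
"""

# Session end reasons that indicate an abortive (RST) close rather than a FIN handshake.
RESET_REASONS = {"tcp-rst-from-client", "tcp-rst-from-server"}

def bucket_end_reasons(log_text, vpn_public_ip, bucket_minutes=15):
    """Group rows for one destination into time windows and count end reasons per window."""
    buckets = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(StringIO(log_text)):
        if row["dst"] != vpn_public_ip:
            continue
        ts = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
        # Floor the minute to the window boundary so bursts of resets stand out.
        minute = ts.minute - ts.minute % bucket_minutes
        key = ts.replace(minute=minute, second=0).strftime("%Y/%m/%d %H:%M")
        buckets[key][row["session_end_reason"]] += 1
    return {k: dict(v) for k, v in sorted(buckets.items())}

def reset_heavy_buckets(buckets, threshold=0.5):
    """Return (window, reset_share) for windows where RST closes reach the threshold."""
    flagged = []
    for key, counts in buckets.items():
        total = sum(counts.values())
        resets = sum(n for reason, n in counts.items() if reason in RESET_REASONS)
        if total and resets / total >= threshold:
            flagged.append((key, round(resets / total, 2)))
    return flagged

if __name__ == "__main__":
    windows = bucket_end_reasons(SAMPLE_LOG, "198.51.100.5")
    for key, counts in windows.items():
        print(key, counts)
    print("reset-heavy windows:", reset_heavy_buckets(windows))
```

A window where most sessions end in tcp-rst-from-client, while neighbouring windows end cleanly in tcp-fin, is the time range to correlate with the System log VPN entries the reply above asks for.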