03-23-2021 08:44 AM
We are not able to connect to the VPN hosted in the vpn_dmz zone.
We have deployed a third-party VPN in the vpn_dmz zone and configured inbound NAT for it.
It's an old setup; all of a sudden we are unable to connect to the VPN intermittently.
I did a pcap for the VPN public IP, and it shows the counter below after running the "show counter global filter packet-filter yes delta yes severity drop" command:
tcp client reset via TCP responding rst:
03-23-2021 10:12 AM
Howdy
I would interpret this to mean that the server side of the VPN reset the connection, and likewise, the client side reset its side of the TCP connection. But I think you are getting perhaps a little too deep in analysis.
What is the current status of your VPN? Is it up or not?
If it is not up, run a "clear vpn flow", followed by "test vpn ike-sa", then "test vpn ipsec-sa", and then look at your System Logs for the output on the responses to these commands. One side needs to initiate the VPN, and the other side needs to respond. What do you see in your logs?
Presuming that IPsec and IKE are allowed by a security policy, you should get some response/details about what is going on.
Can you get the remote (non-PAN) side to initiate the VPN and then again look at the logs on your PANW FW?
I do not personally think it is necessary to look at global counters. If packets are going to be dropped, you would see the session in the Session Browser or the Traffic Logs.
Thanks
03-23-2021 11:12 AM
We have deployed an F5 VPN; we were unable to connect to the SSL VPN intermittently. This issue happened for the first time.
In the traffic logs, the session end reason for some logs was tcp-fin and for some it was tcp-rst-from-client.
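As an added example, not code from this thread or from Palo Alto Networks: a small Python script that tallies the session end reasons in a PAN-OS traffic log CSV export for the VPN's public IP, so that intermittent resets show up as an overall ratio and as per-client counts instead of scattered log lines. The column subset, the sample rows and the public IP 203.0.113.5 are constructed placeholders.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample of a PAN-OS traffic log CSV export (column subset only;
# a real export carries many more fields). 203.0.113.5 stands in for the
# NATted VPN public IP from the thread; 203.0.113.9 is unrelated traffic.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,session_end_reason
2021/03/23 08:40:01,198.51.100.10,203.0.113.5,443,ssl,tcp-fin
2021/03/23 08:40:07,198.51.100.11,203.0.113.5,443,ssl,tcp-rst-from-client
2021/03/23 08:40:09,198.51.100.11,203.0.113.5,443,ssl,tcp-rst-from-client
2021/03/23 08:41:15,198.51.100.12,203.0.113.5,443,ssl,tcp-fin
2021/03/23 08:41:40,198.51.100.13,203.0.113.5,443,ssl,tcp-rst-from-server
2021/03/23 08:42:02,198.51.100.14,203.0.113.5,443,ssl,aged-out
2021/03/23 08:42:05,198.51.100.14,203.0.113.5,443,ssl,tcp-rst-from-client
2021/03/23 08:50:00,198.51.100.20,203.0.113.9,22,ssh,tcp-fin
"""

# End reasons that indicate a session did not close cleanly with FIN.
ABNORMAL = {"tcp-rst-from-client", "tcp-rst-from-server", "aged-out"}


def tally_end_reasons(log_text, vpn_public_ip):
    """Count session_end_reason values for sessions whose destination is the
    VPN public IP, both overall and per source address."""
    overall = Counter()
    per_src = defaultdict(Counter)
    for row in csv.DictReader(StringIO(log_text)):
        if row["dst"] != vpn_public_ip:
            continue  # ignore traffic to other hosts
        reason = row["session_end_reason"]
        overall[reason] += 1
        per_src[row["src"]][reason] += 1
    return overall, per_src


def abnormal_ratio(overall):
    """Fraction of sessions to the VPN that ended abnormally (0.0 if none)."""
    total = sum(overall.values())
    if total == 0:
        return 0.0
    return sum(n for r, n in overall.items() if r in ABNORMAL) / total


def noisy_sources(per_src, min_abnormal=2):
    """Sources with at least min_abnormal abnormal closures, sorted."""
    return sorted(src for src, c in per_src.items()
                  if sum(n for r, n in c.items() if r in ABNORMAL) >= min_abnormal)


if __name__ == "__main__":
    overall, per_src = tally_end_reasons(SAMPLE_TRAFFIC_LOG, "203.0.113.5")
    print(dict(overall))
    print(f"abnormal closure ratio: {abnormal_ratio(overall):.2f}")
    print("sources with repeated abnormal closures:", noisy_sources(per_src))
```

A high ratio of tcp-rst-from-client concentrated on a few sources points at the clients (or a path between them and the firewall), whereas tcp-rst-from-server across many sources points at the VPN appliance behind the NAT.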
03-23-2021 11:28 AM
Hi there
Again, we are getting closer. 😛
Instead of looking at traffic logs, let's see why your VPN is not being established.
Could you copy/paste the logs from your System logs, filtered with "subtype eq vpn"?
We would normally expect Phase 1 (IKE) and Phase 2 (IPsec) to be negotiated, and those negotiation logs are found in System.
tcp-fin means that the session was closed by a FIN packet. Unless you can provide visual information, it may be hard to explain what/why/how this is not working as expected.
Thanks