12-16-2016 07:44 AM
I have a WSUS server. I have a Site to Site VPN from a PA-3020 at a hosting facility to a Cisco ASA on my corporate network. The PA-3020 is running 7.1.4. When I try to run updates from the servers in the hosting facility, it shows as ms-update in the Traffic Log. The Session End Reason is “tcp-rst-from-server”. I am allowing all traffic on the tunnel and can web browse at port 80 and ping the WSUS server.
Is there something else I need to do to allow Windows Updates across the tunnel?
12-16-2016 08:00 AM
Hi,
Logs suggest that the server is resetting the connection. The session is created, so no problem there. A PCAP might help a bit. Any deny logs?
Thx,
Myky
12-16-2016 08:03 AM
I am not getting any denies.
12-16-2016 08:13 AM - edited 12-16-2016 08:46 AM
Hi,
Did it ever work? Any threat profiles applied to the policy? ms-updates depends on SSL, but as you said you are allowing any traffic, so that should not be an issue. Even more, the session is created. Clearly the server sent a TCP reset to the client, but why....
Thx,
Myky
12-16-2016 08:35 AM
I'm with @TranceforLife, I don't think your issue is going to be the firewall here; it would more likely be something on the actual server that is blocking the traffic. Can you verify that traffic is allowed on the WSUS server and it isn't being stopped there?
12-16-2016 12:14 PM - edited 12-16-2016 01:18 PM
I added a binding to the default web page for 8020. I can browse the server locally on that port, but get the same error trying to browse from a workstation on the remote network. I can browse the WSUS server on port 80 from the remote network. I can ping it as well. I have not set up any threat profiles yet. I am going to install Wireshark on the WSUS server.
12-19-2016 10:57 AM
I have not installed Wireshark yet. I did stop the default website and bind port 80 to the WSUS site. I was able to connect to the WSUS server on port 80 from the remote servers. I do not know why it does not work on 8530 yet.
12-20-2016 12:25 PM
Any chance that the WSUS server is using ports seen as HTTPS and that you have decryption configured? I've had interesting issues with Windows Updates and decryption in the past, both internally and externally.
Also, if you're using application-default in your ruleset, make sure that the ports are matching up to what's in the App-ID that it's being identified as on the Palo Alto side.
Just some thoughts...
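As an added example (not code from the thread or its participants), a small Python probe that classifies a TCP connect to the WSUS ports the way the firewall's session end reasons do: a RST in reply to the SYN ("refused") means the host answered but nothing listens on that port, while a timeout means the packets were dropped somewhere on the path, and a session that opens and is reset later, as in this thread, points at the server or application rather than the firewall. The default port list assumes a standard WSUS install (8530/8531); the loopback listener and ports in the self-check are constructed stand-ins.

```python
import socket

# Constructed defaults: a default WSUS install listens on 8530 (HTTP) and 8531 (HTTPS);
# port 80 is included because the thread above could reach it.
WSUS_PORTS = (80, 8530, 8531)

def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP handshake and classify the reply:
    "open"    - handshake completed, a listener answered
    "refused" - RST in reply to SYN: host reachable, nothing listening there
    "timeout" - no reply at all: usually a silent drop somewhere on the path
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError as e:
            return "error:%s" % e.errno

def probe_wsus(host, ports=WSUS_PORTS, timeout=3.0):
    """Probe each WSUS-related port; returns {port: verdict}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}

def _ephemeral_port(listen):
    """Constructed helper: grab a free loopback port, either listening or released."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    if listen:
        s.listen(1)
        return s, port
    s.close()  # released: a connect to it now draws a RST (refused)
    return None, port

def demo():
    """Self-check: one local listener (a bound site) and one closed port."""
    srv, open_port = _ephemeral_port(True)
    _, closed_port = _ephemeral_port(False)
    try:
        r = probe_wsus("127.0.0.1", (open_port, closed_port), 2.0)
        return {"listening": r[open_port], "closed": r[closed_port]}
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())  # {'listening': 'open', 'closed': 'refused'}
```

Run it from a remote-site host with `probe_wsus("<wsus-host>")` to see whether 8530 is reachable at all before reaching for Wireshark.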