This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

why drop rst packet

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

why drop rst packet

Felixcao
L3 Networker

‎11-26-2023 11:32 PM

The customer is capturing packets on the firewall.

Check the files in the receive stage and find that the firewall has dropped the rst message sent by the client in the session.

receive.jpgdrop.jpgPlease refer to the screenshot for the file reference. Can someone tell me why the pa-firewall dropped this rst packet

0 Likes Likes
7 REPLIES 7

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎11-26-2023 11:46 PM

Hi @Felixcao ,

 

Check the global counters. The following link explain how to sue packet capture filter for the global counters - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

 

Once you follow the steps from the link, what is the output?

0 Likes Likes

Felixcao
L3 Networker

‎11-26-2023 11:49 PM

[2023/11/24 11:21:39] admin01@5260-02(active-secondary)> show counter global filter packet-filter yes delta yes
[2023/11/24 11:21:39]
[2023/11/24 11:21:39] Global counters:
[2023/11/24 11:21:39] Elapsed time since last sampling: 3.448 seconds
[2023/11/24 11:21:39]
[2023/11/24 11:21:39] --------------------------------------------------------------------------------
[2023/11/24 11:21:39] Total counters shown: 0
[2023/11/24 11:21:39] --------------------------------------------------------------------------------
[2023/11/24 11:21:39]
[2023/11/24 11:22:03] admin01@5260-02(active-secondary)> show counter global filter packet-filter yes delta yes
[2023/11/24 11:22:03]
[2023/11/24 11:22:03] Global counters:
[2023/11/24 11:22:03] Elapsed time since last sampling: 0.127 seconds
[2023/11/24 11:22:03]
[2023/11/24 11:22:03] --------------------------------------------------------------------------------
[2023/11/24 11:22:03] Total counters shown: 0
[2023/11/24 11:22:03] --------------------------------------------------------------------------------
[2023/11/24 11:22:03]
[2023/11/24 11:22:09] admin01@5260-02(active-secondary)> show counter global filter packet-filter yes delta yes
[2023/11/24 11:22:09]
[2023/11/24 11:22:09] Global counters:
[2023/11/24 11:22:09] Elapsed time since last sampling: 1.924 seconds

no any counter global output.

0 Likes Likes

aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to Felixcao

‎11-26-2023 11:56 PM

Hi @Felixcao ,

 

The command will return only information in real-time (no historical data). Which means you need to setup the capture and reproduce the issue by generating traffic that is matching your filters.

 

The lack of any counters means that there is no session that is currently passing over the firewall that is matching your filter.

It looks like you are running active-active, so either the traffic is not matching your filter, or you are capturing on the wrong firewall, or just there is no traffic

0 Likes Likes

Felixcao
L3 Networker
In response to aleksandar.astardzhiev

‎11-27-2023 01:58 AM

Hi, Aleksandar:

Thank you very much for your enthusiastic reply.

The lack of any counters means that there is no session that is currently passing over the firewall that is matching your filter.
--------There should be no problem. After turning off the packet capture stop filtering condition, output a count of global traffic

It looks like you are running active-active, so either the traffic is not matching your filter, or you are capturing on the wrong firewall, or just there is no traffic

--------Yes, actvie active mode. The customer confirmed that the operation was done on the correct wall

0 Likes Likes

Felixcao
L3 Networker
In response to Felixcao

‎11-27-2023 10:52 PM

From counter global output, suspect root cause is tcp_drop_out_of_wnd  ?

[2023/11/27 18:21:33] admin01@5260-02(active-secondary)> show counter global filter packet-filter yes delta yes
[2023/11/27 18:21:34]
[2023/11/27 18:21:34] Global counters:
[2023/11/27 18:21:34] Elapsed time since last sampling: 0.744 seconds
[2023/11/27 18:21:34]
[2023/11/27 18:21:34] name value rate severity category aspect description
[2023/11/27 18:21:34] --------------------------------------------------------------------------------
[2023/11/27 18:21:34] pkt_outstanding 13 17 info packet pktproc Outstanding packet to be transmitted
[2023/11/27 18:21:34] pkt_alloc 14 18 info packet resource Packets allocated
[2023/11/27 18:21:34] session_allocated 1 1 info session resource Sessions allocated
[2023/11/27 18:21:34] session_installed 1 1 info session resource Sessions installed
[2023/11/27 18:21:34] flow_np_pkt_xmt 10 13 info flow offload Packets transmitted to offload processor
[2023/11/27 18:21:34] flow_host_pkt_xmt 10 13 info flow mgmt Packets transmitted to control plane
[2023/11/27 18:21:34] flow_host_vardata_rate_limit_ok 10 13 info flow mgmt Host vardata not sent: rate limit ok
[2023/11/27 18:21:34] flow_fpga_rcv_fastpath 2 2 info flow offload fpga packets for fastpath received
[2023/11/27 18:21:34] flow_fpp_sess_bind_notify 1 1 info flow offload Sess bind notification to FPP
[2023/11/27 18:21:34] appid_override 1 1 info appid pktproc Application identified by override rule
[2023/11/27 18:21:34] tcp_drop_out_of_wnd 1 1 warn tcp resource out-of-window packets dropped
[2023/11/27 18:21:34] ha_msg_sent 3 4 info ha system HA: messages sent
[2023/11/27 18:21:34] ha_session_setup_msg_sent 1 1 info ha pktproc HA: session setup messages sent
[2023/11/27 18:21:34] ha_session_update_msg_sent 1 1 info ha pktproc HA: session update messages sent
[2023/11/27 18:21:35] ha_aa_session_setup_msg_sent 1 1 info ha pktproc HA: A/A session setup messages sent
[2023/11/27 18:21:35] ha_aa_session_setup_local 1 1 info ha aa Active/Active: setup session on local device
[2023/11/27 18:21:35] --------------------------------------------------------------------------------
[2023/11/27 18:21:35] Total counters shown: 16

0 Likes Likes

Felixcao
L3 Networker

‎11-28-2023 07:20 PM

After discussing the business model with the customer, it is believed that the reason for the Firewall to discard RST messages is Challenge ACK。

Refer to this kb:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boBJCAY。

>configure
              #set deviceconfig setting tcp allow-challenge-ack yes
              #commit
              #exit
              >

However, the customer has a question, what are the risks to the firewall when executing this cli?

how to respone this question ?

0 Likes Likes

jamessciortino
L1 Bithead
In response to Felixcao

‎04-21-2024 03:40 PM

Did this fix the issue? The article you provided is for RSTs when the sequence ID is different. Your sequence ID's are the same.

Does anyone remember laughter?
0 Likes Likes
  • 1734 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks