This is the expected behaviour when the destination host does not reply to the specific session initiation.

Let's say that you see traffic going from host A to host B, passing through the firewall: A -> Fw -> B. The firewall is allowing the traffic from A to B (Action: allow), but no reply is going back from B to A, so the firewall can't see some "real" application and is telling you that it hasn't got enough data (Application Protocol: incomplete) and the session is being terminated for timeout (Reason: aged-out). Talking about causes, there might be many, but the most probable is that B does not expose the service A is asking for, and B's local firewall (not the PAN, the OS one) is set up not to reply for closed ports (IIRC this should be the default for Windows). To sum it up: A asks for a service, Fw lets the request pass, B drops it.

There might be other causes, asymmetrical routing being the worst one I'd say, i.e. B's reply for an open service goes on a different path, and this messes up things badly. Without further details we can't tell you more.

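An added example, not part of the original post or of any vendor tooling: a Python triage pass over constructed log records that groups sessions with the allow / incomplete / aged-out combination described above by destination service. The record key names and all sample values are assumptions made for illustration; the logs alone cannot tell a closed port from an asymmetric return path, so the output only shows which destination to check.

```python
from collections import defaultdict

# Constructed sample records. Key names are illustrative assumptions,
# not the column names of a real firewall log export.
FIELDS = ("src", "dst", "dport", "action", "app", "end_reason")
ROWS = [
    ("10.0.0.5", "10.0.1.20", 445, "allow", "incomplete", "aged-out"),
    ("10.0.0.6", "10.0.1.20", 445, "allow", "incomplete", "aged-out"),
    ("10.0.0.5", "10.0.1.30", 443, "allow", "ssl", "tcp-fin"),
    ("10.0.0.7", "10.0.1.30", 443, "allow", "incomplete", "aged-out"),
    ("10.0.0.8", "10.0.1.40", 22, "deny", "not-applicable", "policy-deny"),
    ("10.0.0.5", "10.0.1.50", 80, "allow", "web-browsing", "tcp-fin"),
]
SAMPLE_LOGS = [dict(zip(FIELDS, row)) for row in ROWS]


def is_unanswered(rec):
    """Policy allowed the session, no application was identified, it timed out."""
    return (rec["action"] == "allow"
            and rec["app"] == "incomplete"
            and rec["end_reason"] == "aged-out")


def triage(records):
    """Summarise unanswered sessions per destination service (dst, dport)."""
    stats = defaultdict(lambda: {"unanswered": 0, "identified": 0, "sources": set()})
    for rec in records:
        if rec["action"] != "allow":
            continue  # denied sessions never reach B, so they say nothing about B
        entry = stats[(rec["dst"], rec["dport"])]
        if is_unanswered(rec):
            entry["unanswered"] += 1
            entry["sources"].add(rec["src"])
        else:
            entry["identified"] += 1
    report = {}
    for service, entry in stats.items():
        if entry["unanswered"] == 0:
            continue
        # No identified session at all: the pattern is consistent for this
        # service. A mix of both suggests an intermittent problem instead.
        verdict = "never-identified" if entry["identified"] == 0 else "intermittent"
        report[service] = {"verdict": verdict,
                           "unanswered": entry["unanswered"],
                           "sources": sorted(entry["sources"])}
    return report


if __name__ == "__main__":
    for service, info in sorted(triage(SAMPLE_LOGS).items()):
        print(service, info)
```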