We have reports of certain users not being able to access our public website, but the majority of users are able to. The traffic log shows the application as incomplete. A packet capture reveals that the 3-way handshake does not complete and the session times out.

The same person who is NOT able to access the public website is able to access another website of ours that is hosted on another IP address but on the same firewall. The differences between the two sites are as follows:

- Different external IPs, but same subnet
- Different internal zones (the server that is not working is in the DMZ; the server that is working is in the Trust zone)
- Different gateways, different switches
- The DMZ server's gateway is the firewall, while the gateway of the server on the Trust side is a core switch

Has anyone seen something like this before? Again, it works for 99% of the users, but there are a number of users who are not able to get to the website for some reason. We initially thought it could be a routing issue with the ISP that we use, since the majority of the users who reported the issue belong to the same ISP that we use. HOWEVER, we did find a user who uses the same ISP and IS ABLE to browse.

NAT is a regular destination NAT:
- Untrust to Untrust
- Src IP: Any
- Dst IP: Public IP of server
- Destination translation IP: DMZ IP of the server

Policy is a regular allow-inbound policy allowing access to the website:
- Zone: Untrust to DMZ
- Src IP: Any
- Dst IP: External IP of DMZ server

Some other info that might help:
- There are two ISPs, but only one is used; the other is a backup in case the first one is down. I'm using PBF to achieve this as per the PBF doc/KB.
- There is a zone protection profile with all protections enabled. I removed it temporarily, but it didn't help.
- I tried a static bi-directional NAT as a test, but it didn't seem to help.

Any help would be appreciated!
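The post says the capture shows the 3-way handshake "does not complete", which covers two quite different failures: the server's SYN-ACK is never sent (SYN did not reach the DMZ server, or the NAT/policy did not match), or the SYN-ACK is sent but the client's final ACK never arrives (the reply is leaving on a path the client cannot see, or is dropped on the way back). The script below is an added example, not from the original post or from any vendor tool: it sorts every handshake attempt in a capture into one of those stages and groups the result per client IP, so the handful of affected users and their failure stage stand out from the majority whose handshakes complete. It assumes the capture has already been reduced to `(time, src, dst, sport, dport, flags)` records with tcpdump-style flag letters (for example via `tshark -T fields`); the packet list, addresses and port are constructed sample data.

```python
"""Classify TCP three-way handshakes in a capture by how far they got.

Added example, not code from the original post. Input is assumed to be a
list of (time, src, dst, sport, dport, flags) records already extracted
from the pcap, with flags as tcpdump-style letters ("S", "SA", "A", "RA").
"""
from collections import defaultdict

SYN, ACK, RST = "S", "A", "R"

# Hypothetical addresses (documentation ranges) for the constructed sample.
SERVER_IP, SERVER_PORT = "203.0.113.80", 443      # public (pre-NAT) address

# Constructed sample capture, as seen on the untrust side of the firewall:
SAMPLE_PACKETS = [
    (1.00, "198.51.100.20", SERVER_IP, 50000, 443, "S"),   # healthy client
    (1.01, SERVER_IP, "198.51.100.20", 443, 50000, "SA"),
    (1.02, "198.51.100.20", SERVER_IP, 50000, 443, "A"),
    (1.10, "198.51.100.20", SERVER_IP, 50001, 443, "S"),   # second flow, same client
    (1.11, SERVER_IP, "198.51.100.20", 443, 50001, "SA"),
    (1.12, "198.51.100.20", SERVER_IP, 50001, 443, "A"),
    (2.00, "198.51.100.7", SERVER_IP, 40001, 443, "S"),    # SYN retransmitted 3x,
    (3.00, "198.51.100.7", SERVER_IP, 40001, 443, "S"),    # never answered
    (5.00, "198.51.100.7", SERVER_IP, 40001, 443, "S"),
    (2.50, "198.51.100.9", SERVER_IP, 40002, 443, "S"),    # SYN-ACK sent twice,
    (2.51, SERVER_IP, "198.51.100.9", 443, 40002, "SA"),   # client ACK never seen
    (3.51, SERVER_IP, "198.51.100.9", 443, 40002, "SA"),
    (4.00, "192.0.2.5", SERVER_IP, 33333, 443, "S"),       # refused with RST
    (4.01, SERVER_IP, "192.0.2.5", 443, 33333, "RA"),
]

HINTS = {
    "complete": "handshake completed",
    "no_synack": "SYN seen but no SYN-ACK: check the NAT/policy match and whether the "
                 "DMZ server received the SYN and has a route back via its gateway",
    "no_ack": "SYN-ACK sent but client ACK never arrived: check the return path "
              "(egress interface/ISP chosen for the reply, asymmetric routing)",
    "reset": "reset during handshake: server or a device in the path refused it",
}


def classify_handshakes(packets, server_ip, server_port):
    """Return {(client_ip, client_port): stage} for every SYN seen toward the server.

    Flows are keyed by the client side, so SYN retransmissions collapse into
    one attempt. Stages: 'complete', 'no_synack', 'no_ack', 'reset'.
    """
    state = {}
    for _ts, src, dst, sport, dport, flags in sorted(packets):
        flags = set(flags)
        if dst == server_ip and dport == server_port:          # client -> server
            key = (src, sport)
            if SYN in flags and ACK not in flags:              # SYN (or retransmit)
                state.setdefault(key, {"synack": False, "ack": False, "rst": False})
            elif key in state:
                if RST in flags:
                    state[key]["rst"] = True
                elif ACK in flags:                             # third packet (or data)
                    state[key]["ack"] = True
        elif src == server_ip and sport == server_port:        # server -> client
            key = (dst, dport)
            if key in state:
                if SYN in flags and ACK in flags:
                    state[key]["synack"] = True
                elif RST in flags:
                    state[key]["rst"] = True
    result = {}
    for key, s in state.items():
        if s["ack"]:
            result[key] = "complete"
        elif s["rst"]:
            result[key] = "reset"
        elif s["synack"]:
            result[key] = "no_ack"
        else:
            result[key] = "no_synack"
    return result


def summarize_by_client(classified):
    """Per client IP, count attempts in each stage."""
    summary = defaultdict(lambda: defaultdict(int))
    for (ip, _port), stage in classified.items():
        summary[ip][stage] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


def affected_clients(classified):
    """Client IPs with at least one handshake that did not complete."""
    return {ip for (ip, _port), stage in classified.items() if stage != "complete"}


if __name__ == "__main__":
    classified = classify_handshakes(SAMPLE_PACKETS, SERVER_IP, SERVER_PORT)
    for ip, counts in sorted(summarize_by_client(classified).items()):
        stages = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
        print(f"{ip:15} {stages}")
    for ip in sorted(affected_clients(classified)):
        worst = next(s for (c, _p), s in classified.items() if c == ip and s != "complete")
        print(f"  {ip}: {HINTS[worst]}")
```

Run it against captures taken at two points at once (the firewall's untrust interface and the DMZ server itself, filtered on the server port) and compare: a client that is `no_synack` on the untrust side but `complete` on the server shows the reply was generated and lost between the DMZ gateway and the ISP, which is the place to look when the DMZ server's only gateway is the firewall and PBF decides which ISP the reply leaves on.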