Incomplete means 3 way handshake didn't complete.   How many packets sent/received? Usually this is when a SYN is sent but the other side isn't listening or a reply isn't getting back.   Are you sure it's matching the right NAT rule?   What is the session end reason? ... View more

@Joshan_Lakhani if it's now showing on the pcap that suggests it's failing before the firewall.   Check the local machine's firewall/other security software, and any other devices in between which could be preventing connectivity.   Also as a sanity check, have a look at the gateway settings and ensure IPSec mode is enabled. ... View more

@MickBall Based on past experience this is an "issue" in GP 5.2.5 (Which Joshan is using). I believe it is related to the improved error messages, so a lot of people are suddenly getting this warning thinking it's a new issue, but IPSec never likely worked in the first place.   Features Introduced in GlobalProtect App 5.2 (paloaltonetworks.com)   Improved Connectivity Error Messages for the GlobalProtect App ( GlobalProtect app 5.2.5 and later releases ) To enable a better user experience, the GlobalProtect app is now updated to display improved connectivity error messages. With this change, the GlobalProtect app can now provide friendly, informative connectivity error messages to help end users resolve issues on their endpoint themselves to reduce support calls to their Help Desk professional.   - DM ... View more

Not applicable is because the firewall does not waste resources trying to identify it when it's already matched the deny rule.   Are you sure the rule is set up correctly? When NAT is involved, the security rule should be to the pre-NAT IP, but the post-NAT zone.   - DM ... View more

There is a KB article which suggests this is unsupported behaviour:   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleBCAS   When you open an RDP session, an IP to user mapping is generated for the local machine, but with the admin account you authenticated with.   Since an IP is associated with only a single user, it must remove the previous mapping.   The KB itself recommends authenticating on the RDP connection by using the same account you are logged in with locally, and then using privilege escalation to perform admin tasks.   Anyway, when this happens you can lock and unlock the machine, which will generate the correct event on the domain controller to get your 'local' mapping back.   - DM ... View more

This KB might help. Basically 4 packets or 2000 bytes are allowed for the appid engine to try to identify the app.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIgCAK   - DM ... View more

Hello,   This message means you have connected via SSL instead of IPsec, which is typically slower.   Check that you have a rule allowing the application ipsec-esp-udp and ensure that the client side / nothing else is blocking access to the gateway on UDP/4501   Check the traffic logs on the gateway for port 4501 to see if this is being denied on the firewall side (if you log everything anyway).   - DM ... View more

Hello,   Please check if your certificate adheres to these requirements: https://support.apple.com/en-us/HT210176   - DM ... View more