Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About ms.jzam
About ms.jzam
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
08-22-2018
13Posts
3Likes
0Solutions
Aug 22, 2018Last Visited
User
Activity
User
Profile
Latest posts by ms.jzam
| Subject | Views | Posted |
|---|---|---|
| 14700 | 04-04-2018 10:02 PM | |
| 533 | 02-09-2018 01:52 PM | |
| 1402 | 02-02-2018 08:53 AM | |
| 1409 | 02-02-2018 08:05 AM | |
| 1416 | 02-02-2018 07:35 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 | 04-04-2018 10:02 PM | |
| 1 | 01-30-2018 08:59 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 16 | |||
| 1 | |||
| 1 | |||
| 2 | |||
| 6 |
User Badges
Public Statistics
| Date Registered | 08-01-2017 02:22 PM |
| Date Last Visited | 08-22-2018 12:04 PM |
| Total Messages Posted | 41 |
| Total Likes Received | 3 |
02-09-2018
01:52 PM
I had a case open, once the issue was resolved they closed the ticket.
... View more
02-02-2018
08:53 AM
@BPry I tried to find a DM feature, don't think there is one. Happy to continue over email.
... View more
02-02-2018
08:05 AM
@BPry Happy to provide more detailed configuration for any attempts at duplicating the issue. What would be needed?
... View more
02-02-2018
07:35 AM
Ok that's two confirmations on fixing the issue. I think this deserves to be bumped until we can sniff out a solid understanding of what's happening here. BUMP!
... View more
02-01-2018
09:40 AM
@jdprovine Anything new on this?
... View more
01-30-2018
10:04 AM
@BrianRa yes it was because of Panorama! Thanks!
... View more
01-30-2018
09:35 AM
@BrianRa ran the commands as you indicate but received no output: (active)>
(active)> set cli config-output-format set
(active)> configure
Entering configuration mode
[edit]
(active)# show network profiles zone-protection-profile
<name> <name>
| Pipe through a command
<Enter> Finish input
(active)# show network profiles zone-protection-profile
set network profiles zone-protection-profile
[edit]
(active)# show network profiles zone-protection-profile ZP_DEFAULT_OUT
[edit]
(active)#
... View more
01-30-2018
08:59 AM
1 Kudo
@jdprovine I would reccommend taking the same steps that I did in order to get a clue as to the cause. Include your VPN tunnel network/interface in a packet capture filter, and also your WAN interface where the VPN traffic is coming into. clear logs and packet filter debug dataplane packet-diag clear all debug dataplane packet-diag clear log log enable debug debug dataplane packet-diag set log feature flow basic debug dataplane packet-diag set log on debug dataplane packet-diag set log off debug dataplane packet-diag aggregate-logs review logs less dp-log pan_packet_diag.log clear your vpn tunnels and see if interesting traffic reestablishes them clear vpn ike-sa clear vpn ipsec-sa check and configure your packet filter debug dataplane packet-diag show setting *was easier for me to configure the packet filter in the WEB-UI check for vpn sesssions show session all filter source X destination X show vpn flow *pay attention for encap and decap byte increase check the details of the specific traffic session show session id X show results of the packet filter show counter global filter packet-filter yes delta yes There is probably a better order to running these commands, but this is everything I used to try and get to a resolution.
... View more
01-30-2018
08:02 AM
@jdprovine Let us know what you find! If it does fix the issue, that's a much better place to be than disabling the whole ZP policy. Hopefully we can get some progress on understanding the root cause behind the issue.
... View more
01-24-2018
02:11 PM
@BPry IKE Gateway Local IP Address 216.1.x.x Peer IPA 199.79.x.x IPSec Tunnel used Proxy ID which was Local 172.16.2x.x (Internal Server IP of 10.x.x.x was NATd) Remote 128.1.2xx.x
... View more
01-24-2018
01:25 PM
We have been working with TAC to find the cause of this issue where FTP client could no longer upload to external companies FTP server over the VPN tunnel. After many days, we started a packet filter on the Public Internet (WAN) interface, which is a different zone from the tunnel interface, and were still seeing drops due to "flow_dos_pf_strictip". We had previously disabled the zone_protection policy that was applied to the tunnel interface zone, and even though we did not see drops, the uploads were failing. When we finally did that packet filter on the WAN interface we saw the drops again due to the same reason "flow_dos_pf_strictip" and decided to remove the zone protection policy from the WAN interface. BOOM! FTP uploads succeed. Combing through the policy I saw the strict ip check option and removed it, then pushed the policy overwriting our revert. Everything still good. We couldn't find the configuration change that put that feature in place (wish that function worked better in the Palo, or just knew how to use it better!) and reading the KB pages for that feature, I'm not sure why it was causing our traffic to be dropped. Any help would be very much appreciated!
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
