Intermittent web server traffic on port TCP 2048

Hi All,

I have a server that is running on TCP port 2048, but the connection is intermittent for the clients. Traffic between the server and the client traverses the firewall (Palo Alto). Below is the pcap from the Palo (capturing the client-server session), but it doesn't tell me much.

Does anyone have an idea what is going on?

Thanks all, Myky

asked 08 Mar '17, 03:48

Myky

edited 08 Mar '17, 03:50

I doubt capturing on the Palo Alto is a good idea - you obviously captured identical packets twice, probably on two firewall interfaces at the same time (incoming/outgoing?).

Troubleshooting connection problems is better performed by capturing with an additional capture device (e.g. a laptop using a SPAN port), because any device in the communication path may be causing the problem. If you capture on them, they may obfuscate what is happening.

This means that any capture result you work with may lead to wrong results, because the capture process is biased.

(08 Mar '17, 03:53) Jasper ♦♦

Thanks Jasper. I will give it a go.

(09 Mar '17, 00:55) Myky

One Answer:

As you only provided a picture of the packets, nothing much can be said about the real issue with any certainty. However, it sure looks like the SSL ClientHello of 192.168.2.25 is not accepted by 192.168.10.100 and this server sends back an SSL alert. The alert is probably giving you the reason for not accepting the ClientHello, but to be able to tell this, we would need to look at the full data. Can you provide the capture file through CloudShark, Dropbox, GoogleDrive or any other sharing mechanism?

My bet is that the server has restricted the use of SSL protocols and SSL ciphers to a list of non-vulnerable ones and the Client is not using a supported SSL version or does not offer a supported SSL cipher.

answered 12 Mar '17, 16:28

SYN-bit ♦♦

Thanks guys. Changing the web server to the default port solved the problem. Don't know why!

(22 Mar '17, 09:56) Myky
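SYN-bit's answer above says the SSL alert the server returns would name the reason the ClientHello was rejected. The following is an added example, not code from the thread or from Wireshark, that decodes raw TLS records pulled from the server side of a TCP stream and reports the level and description of any Alert record; the server reply bytes are constructed, not taken from Myky's capture.

```python
# Added example: decode TLS records from reconstructed stream bytes and
# report Alert records (level + description), the message a server sends
# when it rejects a ClientHello for an unsupported version or cipher.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions from RFC 5246 section 7.2 (subset seen on handshake rejection)
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 47: "illegal_parameter", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}


def parse_tls_records(data: bytes):
    """Split a byte stream into TLS records as (content_type, (major, minor), payload)."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        # 5-byte record header: type, version major/minor, payload length
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record at offset {offset}")
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError(f"truncated TLS record at offset {offset}")
        records.append((ctype, (major, minor), payload))
        offset += 5 + length
    return records


def describe_alerts(data: bytes):
    """Return a (level, description) pair for every Alert record in the stream."""
    alerts = []
    for ctype, _version, payload in parse_tls_records(data):
        if ctype == 21 and len(payload) == 2:   # alert body is exactly 2 bytes
            level, desc = payload
            alerts.append((ALERT_LEVELS.get(level, f"level_{level}"),
                           ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")))
    return alerts


# Constructed sample: a TLS 1.2 record carrying a fatal handshake_failure alert,
# the kind of reply expected when no offered cipher suite is acceptable.
SAMPLE_SERVER_REPLY = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])

if __name__ == "__main__":
    for level, desc in describe_alerts(SAMPLE_SERVER_REPLY):
        print(f"server alert: {level} {desc}")
```

In Wireshark, the equivalent is to follow the TCP stream from the server side and read the Alert record's level and description fields; a protocol_version alert points at the client's offered version, a handshake_failure at the cipher list.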