Flow Basic Steps

Apply the filters from 'Monitor > Packet Capture'

Filters:

  1. Source=Client IP - Destination=Server IP
  2. Source=Server IP - Destination=Client IP
  3. Source=NAT IP - Destination=Server IP
  4. Source=Server IP - Destination=NAT IP

The Client IP would be any test machine you have available and the server would preferably be any server you have control/access to, but otherwise you can use any known static address.

Please make sure you are logging the CLI session.

If possible, please also install Wireshark on the Server and Test Client so that packets can be captured at these locations as well.

We would then need to run through the following:

  1. Set filters and take a screenshot of these, turn filters on.
  2. Set the four stages of the packet captures but do not turn these on yet.
  3. Run the following commands on the CLI:
> show clock
> set session offload no
> debug dataplane packet-diag clear log log
> debug dataplane packet-diag clear filter-marked-session all
> debug dataplane packet-diag set log feature flow basic 
> debug dataplane packet-diag set log feature proxy basic
> debug dataplane packet-diag set log feature ssl basic
> debug dataplane packet-diag set log on

4. Prepare the following commands to run while replicating the issue.

> show counter global filter packet-filter yes delta yes
> show session all filter source 10.1.1.1 destination 10.2.2.2
> show session id [id of impacted ssl session]

5. Turn packet captures on (for firewall and client/server) and replicate the issue while running the commands from step 4 every 10 seconds. Do this for no more than a minute.

6. Turn off flow logging, re-enable session offloading, and aggregate the logs:

> debug dataplane packet-diag set log off
> set session offload yes
> debug dataplane packet-diag aggregate-logs

(this is important as without this the TSF will not contain the pan_packet_diag.log)

7. Turn off packet captures and generate a fresh Tech Support File.

Apply a source address filter to the traffic log and a time filter for just before the test session. Export these via the button at the top right. Please also gather a screenshot of a couple of the detail log views for the denied traffic.

Collect the following information and upload this to the SFTP server:

  1. Fresh Tech Support File
  2. Packet Captures
  3. CLI session output
  4. Traffic Log and screenshots
  5. Screenshot of filters
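
Before uploading the CLI session output, it is worth confirming that the logged session contains every command from steps 3 and 6 in order, in particular that session offload was turned back on and the logs were aggregated. The script below is an added example, not part of the original procedure; the `admin@fw>` prompt format and the sample transcripts are assumptions constructed for illustration.

```python
import re

# Commands from steps 3 and 6 above, in the order the procedure runs them.
REQUIRED = [
    "show clock",
    "set session offload no",
    "debug dataplane packet-diag clear log log",
    "debug dataplane packet-diag clear filter-marked-session all",
    "debug dataplane packet-diag set log feature flow basic",
    "debug dataplane packet-diag set log feature proxy basic",
    "debug dataplane packet-diag set log feature ssl basic",
    "debug dataplane packet-diag set log on",
    "debug dataplane packet-diag set log off",
    "set session offload yes",
    "debug dataplane packet-diag aggregate-logs",
]
ON, OFF = REQUIRED[7], REQUIRED[8]
COUNTERS = "show counter global filter packet-filter yes delta yes"  # step 4
# Assumption: each typed command follows a prompt ending in '>' (e.g. "admin@fw> ").
PROMPT = re.compile(r"^[^>]*>\s*(\S.*)$")

def commands(log_text):
    """Return the typed commands in order, with whitespace normalised."""
    found = (PROMPT.match(line) for line in log_text.splitlines())
    return [" ".join(m.group(1).split()) for m in found if m]

def check_session(log_text):
    """Return a list of problems found in a logged CLI session (empty = OK)."""
    cmds, problems, pos = commands(log_text), [], 0
    for want in REQUIRED:
        if want in cmds[pos:]:
            pos += cmds[pos:].index(want) + 1
        elif want in cmds:
            problems.append(f"out of order: {want}")
        else:
            problems.append(f"missing: {want}")
    window = cmds[cmds.index(ON):cmds.index(OFF)] if ON in cmds and OFF in cmds else []
    if COUNTERS not in window:
        problems.append("no counter samples taken while logging was on")
    return problems

# Constructed sample transcripts (not real firewall output).
def transcript(cmds):
    return "\n".join(f"admin@fw> {c}\n(output omitted)" for c in cmds)

GOOD_LOG = transcript(REQUIRED[:8] + [COUNTERS, COUNTERS] + REQUIRED[8:])
BAD_LOG = transcript(REQUIRED[:8] + [COUNTERS] + REQUIRED[8:9])  # ends after 'set log off'

if __name__ == "__main__":
    print(check_session(GOOD_LOG), check_session(BAD_LOG))
```

A "missing: set session offload yes" result means the firewall may still be running with offload disabled; a missing `aggregate-logs` means the Tech Support File will not contain pan_packet_diag.log.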