<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Google Cloud VPN IKE-SA-INIT packets being dropped in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/google-cloud-vpn-ike-sa-init-packets-being-dropped/m-p/508975#M229</link>
    <description>&lt;P&gt;I built a site-to-site VPN between GCP and a PA3250, which is not working. Surely, I'm missing something.&lt;/P&gt;
&lt;P&gt;The GCP VPN points to the same interface and IP that other VPNs successfully use on the Palo.&lt;/P&gt;
&lt;P&gt;I added a Sec policy to allow the GCP IP and the Palo IP to set up Phase 1. However, the Palo drops the inbound IKE-SA-INIT packets. They are getting caught by the INTRAZONE Default rule.&lt;/P&gt;
&lt;P&gt;I've verified the IP addresses, the IKE parameters, the PSK, and the Sec policy. In fact, I've rebuilt this a few times by completely deleting everything on the GCP side and the related configs in the Palo.&lt;/P&gt;
&lt;P&gt;To test, I set up a VPN from the same GCP project to a different PA3250 with a different IP address, and that tunnel works flawlessly.&lt;/P&gt;
&lt;P&gt;Every time I've rebuilt the VPNs I get a different public IP from GCP. So, it's not an issue with their IP addresses.&lt;/P&gt;
&lt;P&gt;What appears to be happening, but I can't verify, is that the PA3250 with the issue Policy Denies the packets and just drops all subsequent packets from that address. Like it's cached somewhere. As a test I deleted the VPN config from both sides before leaving yesterday. I created them from scratch this morning, about 14 hours later, with the same results. The first packet gets denied and nothing else.&lt;/P&gt;
&lt;P&gt;When I run test vpn ike-sa gateway ******** from the CLI, a packet capture shows that the outbound packet from the Palo gets dropped.&lt;/P&gt;
&lt;P&gt;I've scoured both PA3250s for the difference, but only come up with the Palo IP address.&lt;/P&gt;
&lt;P&gt;Suggestions?&lt;/P&gt;</description>
    <pubDate>Thu, 14 Jul 2022 16:22:53 GMT</pubDate>
    <dc:creator>qdimclark</dc:creator>
    <dc:date>2022-07-14T16:22:53Z</dc:date>
    <item>
      <title>Google Cloud VPN IKE-SA-INIT packets being dropped</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/google-cloud-vpn-ike-sa-init-packets-being-dropped/m-p/508975#M229</link>
      <description>&lt;P&gt;I built a site-to-site VPN between GCP and a PA3250, which is not working. Surely, I'm missing something.&lt;/P&gt;
&lt;P&gt;The GCP VPN points to the same interface and IP that other VPNs successfully use on the Palo.&lt;/P&gt;
&lt;P&gt;I added a Sec policy to allow the GCP IP and the Palo IP to set up Phase 1. However, the Palo drops the inbound IKE-SA-INIT packets. They are getting caught by the INTRAZONE Default rule.&lt;/P&gt;
&lt;P&gt;I've verified the IP addresses, the IKE parameters, the PSK, and the Sec policy. In fact, I've rebuilt this a few times by completely deleting everything on the GCP side and the related configs in the Palo.&lt;/P&gt;
&lt;P&gt;To test, I set up a VPN from the same GCP project to a different PA3250 with a different IP address, and that tunnel works flawlessly.&lt;/P&gt;
&lt;P&gt;Every time I've rebuilt the VPNs I get a different public IP from GCP. So, it's not an issue with their IP addresses.&lt;/P&gt;
&lt;P&gt;What appears to be happening, but I can't verify, is that the PA3250 with the issue Policy Denies the packets and just drops all subsequent packets from that address. Like it's cached somewhere. As a test I deleted the VPN config from both sides before leaving yesterday. I created them from scratch this morning, about 14 hours later, with the same results. The first packet gets denied and nothing else.&lt;/P&gt;
&lt;P&gt;When I run test vpn ike-sa gateway ******** from the CLI, a packet capture shows that the outbound packet from the Palo gets dropped.&lt;/P&gt;
&lt;P&gt;I've scoured both PA3250s for the difference, but only come up with the Palo IP address.&lt;/P&gt;
&lt;P&gt;Suggestions?&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2022 16:22:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/google-cloud-vpn-ike-sa-init-packets-being-dropped/m-p/508975#M229</guid>
      <dc:creator>qdimclark</dc:creator>
      <dc:date>2022-07-14T16:22:53Z</dc:date>
    </item>
  </channel>
</rss>