https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-esp-port-50-traffic-even-when-ike-phase-1-is-not-up/m-p/597589#M3727 <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>We are running into an issue, where we have 2 Palo Firewalls and we are trying toe establish S@S VPN between them. Both the tunnels are behind NAT devices and we do have NAT-T Enabled.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><BR /><SPAN>We can see in IKE MGR.logs that the initiator is trying to reach out on 4500 after initial Port 500 traffic.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><BR /><SPAN>The issue we see is that there is "IPSEC-ESP" port 50 traffic even though the phase-1 is not coming up on Session Browser and if we try to clear the traffic the session ID changes but this traffic does not get cleared.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><BR /><SPAN>The issue this causes is that even if we clear VPN ike-sa and ipsec-sa tunnels from the firewall we are not seeing port 500 traffic being generated again when we try to initiate the tunnel using "test VPN" command.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>The only time we are trying to generate this traffic again is by rebooting the firewall completely. We are running PanOS-11.1.4-h2 on the firewall.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>Initially, we had a "Tunnel Monitoring" set. However, we cleared this, deleted the tunnel, and recreated we still see "IPSEC-ESP" port 50 traffic but no port 500 traffic was generated after a few initial packets.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>Has anyone faced this issue? We do not see any timeouts or any other stating why the tunnel is not coming up.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr">&nbsp;</P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>&nbsp;</SPAN></P> Wed, 11 Sep 2024 21:53:54 GMT UtkarshKumar 2024-09-11T21:53:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-esp-port-50-traffic-even-when-ike-phase-1-is-not-up/m-p/597589#M3727 <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>We are running into an issue, where we have 2 Palo Firewalls and we are trying toe establish S@S VPN between them. Both the tunnels are behind NAT devices and we do have NAT-T Enabled.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><BR /><SPAN>We can see in IKE MGR.logs that the initiator is trying to reach out on 4500 after initial Port 500 traffic.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><BR /><SPAN>The issue we see is that there is "IPSEC-ESP" port 50 traffic even though the phase-1 is not coming up on Session Browser and if we try to clear the traffic the session ID changes but this traffic does not get cleared.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><BR /><SPAN>The issue this causes is that even if we clear VPN ike-sa and ipsec-sa tunnels from the firewall we are not seeing port 500 traffic being generated again when we try to initiate the tunnel using "test VPN" command.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>The only time we are trying to generate this traffic again is by rebooting the firewall completely. We are running PanOS-11.1.4-h2 on the firewall.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>Initially, we had a "Tunnel Monitoring" set. However, we cleared this, deleted the tunnel, and recreated we still see "IPSEC-ESP" port 50 traffic but no port 500 traffic was generated after a few initial packets.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>Has anyone faced this issue? We do not see any timeouts or any other stating why the tunnel is not coming up.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr">&nbsp;</P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>&nbsp;</SPAN></P> Wed, 11 Sep 2024 21:53:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-esp-port-50-traffic-even-when-ike-phase-1-is-not-up/m-p/597589#M3727 UtkarshKumar 2024-09-11T21:53:54Z