<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IPSec Dynamic Peer VPN, failure to send traffic over attached tunnel interface in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-dynamic-peer-vpn-failure-to-send-traffic-over-attached/m-p/1257886#M7006</link>
    <description>&lt;P&gt;Is anyone aware of a known issue with sending traffic over an IPSec tunnel interface when using multiple dynamic peers with FQDN (host) peer identification?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have multiple existing branch locations connected to the PA with IKEv2 IPSec tunnels using dynamic FQDN (host) peer identification from Cisco branch routers. Up to now it has worked fine, with no problems re-establishing traffic after outages/reboots. After adding a new IPSec yesterday for a new branch, an old branch location broke overnight (forced new IKE key after upstream router reboot, IKE/IPSec rekey worked fine up till then). The correct IPSec gateway/tunnel comes up immediately (phase 1/2 complete normally, no errors), but the attached tunnel will not pass traffic. Both sides show outbound packets but no inbound packets received over the IPSec tunnel. I believe the Palo Alto is dropping the traffic in both directions on the tunnel (or trying to send through the wrong tunnel), but nothing shows as dropped or misrouted in logging.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;FONT size="3"&gt;I was unable to get the failed site to pass traffic until I disabled the new branch IKE/IPSec. Both IKE gateways have unique FQDNs. Among all the branch locations, the only difference is that the failing location is set as Passive/NAT as it is behind a CGN.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;mp_log ikemgr.log shows the initial connection as matching the new branch setup (expected as Branch_07 is the first available dynamic peer match), followed by switching to the expected Branch_22 setup and tunnel based on received FQDN and attaching to the correct tunnel:&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;FONT size="2"&gt;: received IKE request xx.xx.xx.xx[37512] to xx.xx.xx.xx[500], &lt;FONT color="#FF0000"&gt;found IKE gateway Branch_07&lt;/FONT&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: ====&amp;gt; IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; &lt;FONT color="#FF0000"&gt;gateway Branch_07&lt;/FONT&gt; &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;&amp;nbsp; ====&amp;gt; Initiated SA: xx.xx.xx.xx[500]-xx.xx.xx.xx[37512] SPI:xxx:zzz SN:49662 &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;...&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: xx.xx.xx.xx[37512] - xx.xx.xx.xx[500]:0x555555zzz&lt;FONT color="#FF0000"&gt; received ID_I (type fqdn [abc.def.ghi]) matches IKE gateway Branch_22&lt;/FONT&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;:&lt;FONT color="#FF0000"&gt; [IKE SA hashtbl update] from 2 to 10 (new gw: Branch_22)&lt;/FONT&gt;.&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: xx.xx.xx.xx[500] - xx.xx.xx.xx[37512]:yyy authentication result: success&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;...&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: ====&amp;gt; IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; &lt;FONT color="#FF0000"&gt;gateway Branch_22&lt;/FONT&gt; &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;&amp;nbsp; ====&amp;gt; Initiated SA: xx.xx.xx.xx[500]-xx.xx.xx.xx[37512] message id:0x00000001 parent SN:49662 &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;...&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: ====&amp;gt; IPSEC KEY INSTALLATION SUCCEEDED; &lt;FONT color="#FF0000"&gt;tunnel Branch_22&lt;/FONT&gt; &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;====&amp;gt; Installed SA: xx.xx.xx.xx[500]-xx.xx.xx.xx[37512] SPI:yyy/zzz lifetime 3600 Sec lifesize unlimited &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;...&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: ====&amp;gt; IKEv2 IKE SA NEGOTIATION 
SUCCEEDED AS RESPONDER, non-rekey; &lt;FONT color="#FF0000"&gt;gateway Branch_22&lt;/FONT&gt; &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;&amp;nbsp; ====&amp;gt; Established SA: xx.xx.xx.xx[500]-xx.xx.xx.xx[37512] SPI:yyy:zzz SN:49662 lifetime 28800 Sec &amp;lt;====&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 01 Jul 2026 23:46:46 GMT</pubDate>
    <dc:creator>Adrian_Jensen</dc:creator>
    <dc:date>2026-07-01T23:46:46Z</dc:date>
    <item>
      <title>IPSec Dynamic Peer VPN, failure to send traffic over attached tunnel interface</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-dynamic-peer-vpn-failure-to-send-traffic-over-attached/m-p/1257886#M7006</link>
      <description>&lt;P&gt;Is anyone aware of a known issue with sending traffic over an IPSec tunnel interface when using multiple dynamic peers with FQDN (host) peer identification?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have multiple existing branch locations connected to the PA with IKEv2 IPSec tunnels using dynamic FQDN (host) peer identification from Cisco branch routers. Up to now it has worked fine, with no problems re-establishing traffic after outages/reboots. After adding a new IPSec yesterday for a new branch, an old branch location broke overnight (forced new IKE key after upstream router reboot, IKE/IPSec rekey worked fine up till then). The correct IPSec gateway/tunnel comes up immediately (phase 1/2 complete normally, no errors), but the attached tunnel will not pass traffic. Both sides show outbound packets but no inbound packets received over the IPSec tunnel. I believe the Palo Alto is dropping the traffic in both directions on the tunnel (or trying to send through the wrong tunnel), but nothing shows as dropped or misrouted in logging.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;FONT size="3"&gt;I was unable to get the failed site to pass traffic until I disabled the new branch IKE/IPSec. Both IKE gateways have unique FQDNs. Among all the branch locations, the only difference is that the failing location is set as Passive/NAT as it is behind a CGN.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;mp_log ikemgr.log shows the initial connection as matching the new branch setup (expected as Branch_07 is the first available dynamic peer match), followed by switching to the expected Branch_22 setup and tunnel based on received FQDN and attaching to the correct tunnel:&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;FONT size="2"&gt;: received IKE request xx.xx.xx.xx[37512] to xx.xx.xx.xx[500], &lt;FONT color="#FF0000"&gt;found IKE gateway Branch_07&lt;/FONT&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: ====&amp;gt; IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; &lt;FONT color="#FF0000"&gt;gateway Branch_07&lt;/FONT&gt; &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;&amp;nbsp; ====&amp;gt; Initiated SA: xx.xx.xx.xx[500]-xx.xx.xx.xx[37512] SPI:xxx:zzz SN:49662 &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;...&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: xx.xx.xx.xx[37512] - xx.xx.xx.xx[500]:0x555555zzz&lt;FONT color="#FF0000"&gt; received ID_I (type fqdn [abc.def.ghi]) matches IKE gateway Branch_22&lt;/FONT&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;:&lt;FONT color="#FF0000"&gt; [IKE SA hashtbl update] from 2 to 10 (new gw: Branch_22)&lt;/FONT&gt;.&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: xx.xx.xx.xx[500] - xx.xx.xx.xx[37512]:yyy authentication result: success&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;...&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: ====&amp;gt; IKEv2 CHILD SA NEGOTIATION STARTED AS RESPONDER, non-rekey; &lt;FONT color="#FF0000"&gt;gateway Branch_22&lt;/FONT&gt; &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;&amp;nbsp; ====&amp;gt; Initiated SA: xx.xx.xx.xx[500]-xx.xx.xx.xx[37512] message id:0x00000001 parent SN:49662 &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;...&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: ====&amp;gt; IPSEC KEY INSTALLATION SUCCEEDED; &lt;FONT color="#FF0000"&gt;tunnel Branch_22&lt;/FONT&gt; &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;====&amp;gt; Installed SA: xx.xx.xx.xx[500]-xx.xx.xx.xx[37512] SPI:yyy/zzz lifetime 3600 Sec lifesize unlimited &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;...&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;: ====&amp;gt; IKEv2 IKE SA NEGOTIATION 
SUCCEEDED AS RESPONDER, non-rekey; &lt;FONT color="#FF0000"&gt;gateway Branch_22&lt;/FONT&gt; &amp;lt;====&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;&amp;nbsp; ====&amp;gt; Established SA: xx.xx.xx.xx[500]-xx.xx.xx.xx[37512] SPI:yyy:zzz SN:49662 lifetime 28800 Sec &amp;lt;====&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Jul 2026 23:46:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ipsec-dynamic-peer-vpn-failure-to-send-traffic-over-attached/m-p/1257886#M7006</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2026-07-01T23:46:46Z</dc:date>
    </item>
  </channel>
</rss>