https://live.paloaltonetworks.com/t5/next-generation-firewall/vpn-phase-2-tunnel-stuck/m-p/526238#M738 <P>Just make your Palo Alto the VPN responder so you can see more details in the GUI System logs:</P> <P>&nbsp;</P> <DIV class="page-body"><LABEL style="background: #fef1e3; color: #f95147; text-align: center; font-weight: 500;"> </LABEL> <DIV class="container1"> <DIV class="slds-scope"> <DIV id="content1" class="content1"> <H1 class="slds-text-heading_large">How to make Palo Alto Networks firewalls Responder-only in an IPSec tunnel</H1> </DIV> </DIV> </DIV> </DIV> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Also maybe the other&nbsp; firewall is using policy based VPN:</P> <P>&nbsp;</P> <H1 class="slds-text-heading_large">Proxy-ID for VPNs Between Palo Alto Networks and Firewalls with Policy-based VPNs</H1> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK</A></P> Sat, 07 Jan 2023 17:28:00 GMT nikoolayy1 2023-01-07T17:28:00Z https://live.paloaltonetworks.com/t5/next-generation-firewall/vpn-phase-2-tunnel-stuck/m-p/526060#M736 <P>Hi,</P> <P>We have multiple S2S VPN with many vendors but facing issue with Fortinet.&nbsp;</P> <P>&nbsp;</P> <P>On our side we observe Phase 2 tunnel is up and packets are going out through Tunnel interface but no reply. Other party saying no issue on their end but once we restart that Phase 2 Proxy id, it starts working.</P> <P>Just to inform you that we have multiple Proxy ids. all Proxy ids Tunnels comes up different time and face issue at different time so need to restart only that proxy id tunnel.</P> <P>Kindly let me know how to troubleshoot it either issue is at our end or their end.</P> Thu, 05 Jan 2023 22:47:28 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/vpn-phase-2-tunnel-stuck/m-p/526060#M736 ISG-JHAH 2023-01-05T22:47:28Z https://live.paloaltonetworks.com/t5/next-generation-firewall/vpn-phase-2-tunnel-stuck/m-p/526238#M738 <P>Just make your Palo Alto the VPN responder so you can see more details in the GUI System logs:</P> <P>&nbsp;</P> <DIV class="page-body"><LABEL style="background: #fef1e3; color: #f95147; text-align: center; font-weight: 500;"> </LABEL> <DIV class="container1"> <DIV class="slds-scope"> <DIV id="content1" class="content1"> <H1 class="slds-text-heading_large">How to make Palo Alto Networks firewalls Responder-only in an IPSec tunnel</H1> </DIV> </DIV> </DIV> </DIV> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMZCA0</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Also maybe the other&nbsp; firewall is using policy based VPN:</P> <P>&nbsp;</P> <H1 class="slds-text-heading_large">Proxy-ID for VPNs Between Palo Alto Networks and Firewalls with Policy-based VPNs</H1> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK</A></P> Sat, 07 Jan 2023 17:28:00 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/vpn-phase-2-tunnel-stuck/m-p/526238#M738 nikoolayy1 2023-01-07T17:28:00Z https://live.paloaltonetworks.com/t5/next-generation-firewall/vpn-phase-2-tunnel-stuck/m-p/526279#M740 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85350">@ISG-JHAH</a>&nbsp;</P> <P>&nbsp;</P> <P>Are you checking the status of the IPSec from GUI? The status of the Phase-2 will stay UP (Green on GUI) as long as even 1 proxy ID is UP among all in Phase-2 tunnels. <BR />Please check if the status of the proxy-ID is indeed UP? To check the status, run the below command from the CLI.</P> <P>&nbsp;</P> <P><STRONG>show vpn tunnel name &lt;name-of-proxy-id&gt;</STRONG><BR />You will get information like LOCAL PROXY ID, REMOTE PROXY ID, ports etc in output.</P> <P>&nbsp;</P> <P>The VPN logs generated as responder gives more information as suggested by<BR />You can review the system logs and ikemgr logs, during the issue time frame.</P> <P>&nbsp;</P> <P>You can also refer to the below KBs:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC" target="_blank" rel="noopener nofollow noreferrer">How to Troubleshoot IPSec VPN connectivity issues</A>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO" target="_blank" rel="noopener nofollow noreferrer">IKEv1 VPN error logs - Troubleshooting</A>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh5CAC" target="_blank" rel="noopener nofollow noreferrer">IPSec and Tunneling Resource list on Configuring and Troubleshooting</A>&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> Mon, 09 Jan 2023 06:59:02 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/vpn-phase-2-tunnel-stuck/m-p/526279#M740 Arnesh 2023-01-09T06:59:02Z https://live.paloaltonetworks.com/t5/next-generation-firewall/vpn-phase-2-tunnel-stuck/m-p/526365#M741 <P>Yes as <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/253055">@Arnesh</a> mentioned if needed enable debug for extra info. This is also a usefull link: <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS</A></P> Mon, 09 Jan 2023 17:30:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/vpn-phase-2-tunnel-stuck/m-p/526365#M741 nikoolayy1 2023-01-09T17:30:54Z