Unable to establish tunnel during Service Connection configuration (Details Added with Screenshot)

chinmaya.naik — Tue, 13 Jan 2026 10:32:11 GMT

Dear Community Expert Team,

This my first post in Community.

I really enjoy the Palo Alto Prisma Access SASE.

Find the below details:

Before I am going to production configuration I plan to test in my LAB environment for multiple of POC.

Requirement: Service Connection configuration

Setup:

Palo Alto NGFW hosted in GCP (Google Cloud Platform)
Strata Cloud Manager (Prisma Access)
The internet facing interface is private IP address (10.233.2.x) and that IP address NAT on the GCP.

LAB IP Address Details:

Palo Alto FW (Hosted in GCP) interface details:

Ethernet1/1 : 10.233.2.x/24

Ethernet1/2 : 10.235.2.6/24

Service Connection in Prisma Access Strata cloud manager Configuration details:

n General section:

Select - From Preferred Region

Prisma Access Location: India North PA-G

Data Traffic Source NAT: Not Enabled

Infrastructure Traffic Source NAT: Not Enabled

In Primary Tunnel:

Branch Device Type: Palo Alto Networks NGFW

NOTE: As by default when I select Palo Alto Networks NGFW then its automatically select the below Profile:

PaloAlto-Networks-IPSec-Crypto:

PaloAlto-Networks-IKE-Crypto

IKE Local Identification : None

IKE Peer Identification: IP Address >> 35.246.250.xxx

KE Passive Mode: Unchecked

Authentication: Pre-Shared Key

IKE Gateway: Branch Device Public IP Address >> Static IP >> 35.246.250.xxx

Proxy ID: Not configured

Turn on Tunnel Monitoring: Unchecked

In Routing Section:

Static Routing >> 10.35.2.0/24 (This is the Palo Alto NGFW behind Network which going to my private resources for mobile users)

After configuration I get the Service FQDN and Service IP Address (130.41.114.xxx)

Now PUSH also done and getting below:

Config show : In Sync

Now in Palo Alto NGFW hosted in GCP:

IKE Crypto parameters is same as Prisma Access configured side.

IPSec crypto parameters also same as Prisma Access configured side.

Version: IKE v2 mode

In IKE Gateway >> Local IP Address: Ethernet1/1 : 10.233.2.x

In IKE Gateway >> Authentication: Pre-Shared Key

In IKE Gateway >> Local Identification: 35.246.250.xxx (Public IP address)

In IKE Gateway >> Peer Identification: 130.41.114.xxx (Prism Access Public IP address)

In IKE Gateway >> Advanced Options >> Enable NAT Traversal

Zone created as below :

Logical Router configure as below:

QUESTION-1:

I am unable to find the Destination IP address from Prisma Access Strata Cloud Manager.

QUESTION-2:

Below is the Tunnel Down Status in NGFW (Hosted in GCP):

QUESTION - 3:

Also, I am unable to find the Prisma Access Infrastructure Subnet.

Please guide me after review my configuration details and let me known if need any additional details to established IPSec Tunnel.

Thank You in Advanced

@chinmaya.naik

topic Unable to establish tunnel during Service Connection configuration (Details Added with Screenshot) in Prisma Access Discussions

Unable to establish tunnel during Service Connection configuration (Details Added with Screenshot)