https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ingress-traffic-from-two-different-interfaces-not/m-p/442929#M100160 <P>Changing the NAT statement solved the issue.&nbsp; &nbsp;The Source Translation type had originally been set to "Dynamic IP" and changing it to "Dynamic IP and Port" solved the issue.</P> Fri, 22 Oct 2021 14:49:18 GMT rswinter 2021-10-22T14:49:18Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ingress-traffic-from-two-different-interfaces-not/m-p/442334#M100083 <P>Hey All,&nbsp; We're having a problem in adding new traffic to an existing VPN Tunnel.</P><P>&nbsp;</P><P>We've had a VPN tunnel up for a few years working just fine, but now we are trying to put traffic from a different interface into the Tunnel and the PA is dropping the packets (found them in Traffic Capture).&nbsp; The VPN is out to the Internet on Eth1/1 and the original ingress traffic to the firewall is on Eth1/5.&nbsp; All traffic is Natted to a local IP address before entering the tunnel, so no update to the ProxyIDs should be necessary for the new traffic.&nbsp; &nbsp;The new traffic (and Zone) has been added to the Security Policy and the NAT policy and in the logs it shows it's being natted and allowed, but no traffic passes, and I see it in the Drop file in a packet capture.&nbsp;</P><P>&nbsp;</P><P>My concern is that either the VPN can't be used for traffic coming from two different interfaces, or that the new traffic coming from a sub interface on Eth1/1 (same physical interface, but different zone and sub interface as outbound VPN tunnel) is not allowed..</P><P>&nbsp;</P><P>Any thoughts/suggestions?</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>-Stephen</P> Wed, 20 Oct 2021 17:03:42 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ingress-traffic-from-two-different-interfaces-not/m-p/442334#M100083 rswinter 2021-10-20T17:03:42Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ingress-traffic-from-two-different-interfaces-not/m-p/442695#M100128 <P>you can use the filter you set for the packetcapture to inspect global counters:</P> <P>&nbsp;</P> <P>show counter global filter delta yes packet-filter yes</P> <P>&nbsp;</P> <P>this will tell you why packets are discarded, most likely a zone issue: the NAT source used for traffic into the tunnel, to which zone does it belong? are you accounting for u-turn zones?</P> <P>you may need to set up Policy Based Forwarding with symmetric return</P> Thu, 21 Oct 2021 21:28:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ingress-traffic-from-two-different-interfaces-not/m-p/442695#M100128 reaper 2021-10-21T21:28:06Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ingress-traffic-from-two-different-interfaces-not/m-p/442701#M100131 <P>Thanks for the reply.&nbsp; We have determined it's a NAT issue due to one of the settings, only showing one NAT available.&nbsp; I have a maintenance window tomorrow morning to make a change suggested by PA support, so we'll see if that fixes the issue.</P><P>&nbsp;</P><P>The Source NAT doesn't have a zone, as it's a fake/virtual address only in the PA itself..&nbsp; We'll see if the NAT policy change fixes things and go from there...</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>-Stephen</P> Thu, 21 Oct 2021 21:55:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ingress-traffic-from-two-different-interfaces-not/m-p/442701#M100131 rswinter 2021-10-21T21:55:01Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ingress-traffic-from-two-different-interfaces-not/m-p/442929#M100160 <P>Changing the NAT statement solved the issue.&nbsp; &nbsp;The Source Translation type had originally been set to "Dynamic IP" and changing it to "Dynamic IP and Port" solved the issue.</P> Fri, 22 Oct 2021 14:49:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ingress-traffic-from-two-different-interfaces-not/m-p/442929#M100160 rswinter 2021-10-22T14:49:18Z